stackoom
  简体   繁体   中英

tstream is buffer overflow proof?

 原文  2011-09-15 15:01:09       delphi/ delphi-2009/ buffer-overflow/ tstream

Question

TStream is an abstract class.

However about its implementations, are they buffer overflow proof?

If I'm fetching a stream from the internet, from a source that is not me, how do I verify that it is not corrupted and cause buffer overflow?

Lets say that the stream is an xml file.

edit: all the answers indicate you need to check for buffer overflow. could you demonstrate how to check a buffer overflow on an input file, where we know that a stream could be infinite by its definition?

4 answers

solution1
 5 ACCPTED  2011-09-15 15:07:12

TStream and its various RTL descendents do not have any bugs that result in buffer overruns, to the best of my knowledge.

However, your code using Delphi streams could easily overrun a buffer.

solution2
 5  2011-09-15 22:13:00

TStream reads into whatever buffer the caller supplies. It is the caller's responsibility to make sure the supplied buffer and its size are valid.

solution3
 1  2011-09-15 16:30:17

Normally, you should depend on the Size property of the presented stream to set the size of your own buffer before filling it. The only reason for that Size property not delivering the real size would be a wrong implementation of either Seek methods. Unless that method determines the size of the stream on weird boundary assumptions, a single test should rule out any problems.

In any case, whether the stream contains corrupted data or not, it should néver run into a buffer overflow on your side if you just not download more than the size of your own buffer.

You could also request the type of the presented stream and verify if it is a standard Delphi stream. If so, then you need not be worried.

solution4
 1  2011-09-16 04:37:16

No, TStream descendants are not 'overflow proof'. But if you follow the advice of Remy and NGLN, you will write code that is as safe as possible with Delphi streams.

If you are afraid of something malicious, handle it within a try/except and/or try/finally block and clean up any potential damage.

Correct usage of 'try' is the key to SAFE Delphi programming - there are no silver bullets. That is the price you pay when you use a compiled language than allows you to get 'close to the metal'.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question String to TStream Buffer overflow vulnerability in Delphi TStream.Position compared to TStream.Seek TStream as an object inside StringList TClientDataSet : TStream to VarBinary TStream warning in delphi Convert TByteDynArray to TStream in Delphi How to save a TObjectList in a Tstream TStream Read single byte Convert TStream to String?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM