Hilton Medeiros <medeiros.hilton@xxxxxxxxx> writes:

> I'm trying to use the libRocket library for my projects but I stumbled
> upon a bug I can't figure out why it is happening.

It is a buffer overflow. On amd64, sizeof(String) is 24 because it contains two pointers and a size_t and each of those is 8 bytes. This does not fit in Rocket::Core::Variant::DataBlock::data, which is char[16]. The DataBlock constructor makes data_ptr point to the data array, and Variant::NewDataBlock then constructs the String there.

You can:

- Make the data array larger, at least char[sizeof(String)]. Note this does not guarantee correct alignment.

- Add a runtime check so that, if the data array is not large enough for the desired type, then either DataBlock::DataBlock or Variant::NewDataBlock changes DataBlock::data_ptr to point to separately allocated memory. DataBlock::~DataBlock would then have to free this memory if data_ptr != data.
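The following is an added example, not libRocket's code, showing the second option from the message in a self-contained form: a stand-in for Variant::DataBlock keeps a 16-byte inline buffer, checks at runtime whether the requested type fits, and otherwise redirects data_ptr to separately allocated memory that the destructor frees when data_ptr != data. The inline buffer is also given alignas(std::max_align_t), which covers the alignment caveat raised against the first option. The names demo::DataBlock, Set, Get, IsInline, Clear, FakeString, Tracked and kInlineSize are all assumptions made for this example.

```cpp
// Added example (not libRocket code): a simplified Variant::DataBlock-like
// holder with a fixed inline buffer and a runtime fallback to heap storage.
#include <cstddef>
#include <iostream>
#include <new>
#include <string>
#include <utility>

namespace demo {

// Same size as the char[16] buffer the message describes.
constexpr std::size_t kInlineSize = 16;

class DataBlock {
public:
    DataBlock() : data_ptr(data), destroy(nullptr) {}
    ~DataBlock() { Clear(); }
    DataBlock(const DataBlock&) = delete;
    DataBlock& operator=(const DataBlock&) = delete;

    // Constructs a T in the block. When sizeof(T) exceeds the inline
    // buffer, storage is allocated separately and data_ptr is redirected
    // to it instead of overflowing the array.
    template <typename T, typename... Args>
    T& Set(Args&&... args) {
        static_assert(alignof(T) <= alignof(std::max_align_t),
                      "over-aligned types are not supported by this example");
        Clear();
        if (sizeof(T) > kInlineSize) {
            data_ptr = static_cast<char*>(::operator new(sizeof(T)));
        }
        T* obj = new (data_ptr) T(std::forward<Args>(args)...);
        // Remember how to run the stored object's destructor later.
        destroy = [](void* p) { static_cast<T*>(p)->~T(); };
        return *obj;
    }

    template <typename T>
    T& Get() { return *reinterpret_cast<T*>(data_ptr); }

    bool IsInline() const { return data_ptr == data; }

    // Destroys the stored object and releases heap storage if any was used.
    void Clear() {
        if (destroy) { destroy(data_ptr); destroy = nullptr; }
        if (data_ptr != data) { ::operator delete(data_ptr); data_ptr = data; }
    }

private:
    alignas(std::max_align_t) char data[kInlineSize];  // inline storage
    char* data_ptr;                                     // data or heap block
    void (*destroy)(void*);                             // destructor thunk
};

// Constructed stand-in for Rocket::Core::String on amd64: two pointers and a
// size_t, 24 bytes, which does not fit the 16-byte inline buffer.
struct FakeString { const char* begin; const char* end; std::size_t capacity; };

// Constructed type that counts live instances so destruction can be checked.
struct Tracked {
    static int alive;
    char payload[24];
    Tracked() { ++alive; }
    ~Tracked() { --alive; }
};
int Tracked::alive = 0;

// True if the block chose inline storage exactly when T fits the buffer.
template <typename T, typename... Args>
bool StorageDecisionIsCorrect(Args&&... args) {
    DataBlock block;
    block.Set<T>(std::forward<Args>(args)...);
    return block.IsInline() == (sizeof(T) <= kInlineSize);
}

// True if a std::string (larger than 16 bytes on common ABIs) is stored
// on the heap and reads back unchanged.
bool RoundTripsString() {
    DataBlock block;
    block.Set<std::string>("no overflow here");
    return !block.IsInline() && block.Get<std::string>() == "no overflow here";
}

// True if a heap-stored object is destroyed when the block goes away.
bool HeapObjectIsDestroyed() {
    {
        DataBlock block;
        block.Set<Tracked>();
        if (Tracked::alive != 1 || block.IsInline()) return false;
    }
    return Tracked::alive == 0;
}

}  // namespace demo

int main() {
    std::cout << "int inline: " << demo::StorageDecisionIsCorrect<int>(7) << "\n"
              << "FakeString heap: " << demo::StorageDecisionIsCorrect<demo::FakeString>() << "\n"
              << "string round-trip: " << demo::RoundTripsString() << "\n"
              << "heap object destroyed: " << demo::HeapObjectIsDestroyed() << "\n";
    return 0;
}
```

The size check in Set is the runtime guard the message asks for; the static_assert limits the example to types whose alignment the inline buffer and plain ::operator new already satisfy, so no object is ever placed at a misaligned address.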