On Sun, 07 Nov 2010 12:16:40 +0200 Kalle Olavi Niemitalo <kon@xxxxxx> wrote:

> Hilton Medeiros <medeiros.hilton@xxxxxxxxx> writes:
>
> > I'm trying to use the libRocket library for my projects but I
> > stumbled upon a bug I can't figure out why it is happening.
>
> It is a buffer overflow. On amd64, sizeof(String) is 24 because
> it contains two pointers and a size_t and each of those is 8 bytes.
> This does not fit in Rocket::Core::Variant::DataBlock::data,
> which is char[16]. The DataBlock constructor makes data_ptr
> point to the data array, and Variant::NewDataBlock then constructs
> the String there.
>
> You can:
> - Make the data array larger, at least char[sizeof(String)].
>   Note this does not guarantee correct alignment.
> - Add a runtime check so that, if the data array is not large
>   enough for the desired type, then either DataBlock::DataBlock
>   or Variant::NewDataBlock changes DataBlock::data_ptr to point
>   to separately allocated memory. DataBlock::~DataBlock would
>   then have to free this memory if data_ptr != data.

Ahh, you figured it out! I can't believe it, thanks a _lot_ for testing and debugging it!

Sad thing is that I was far from this answer... :'(

It is a very interesting behavior: no errors, just a weird behavior. I will never forget this.

Now I know the library has not been tested much on amd64, and I will keep an eye out for others like this.

I learnt a lot here, thank you again,

Hilton
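A sketch of the second fix Kalle describes, added here as an example and not libRocket's own code: a hypothetical DataBlock that keeps the 16-byte inline array but moves any type that does not fit (or needs stricter alignment) into separately allocated memory, which the destructor frees only when data_ptr != data. Class and function names are assumptions; it needs C++11.

```cpp
#include <cstddef>
#include <new>
#include <string>
// Hypothetical stand-in for Rocket::Core::Variant::DataBlock (constructed, not the library's
// code): inline storage stays 16 bytes, but a type that does not fit, or is over-aligned,
// is placed in separately allocated memory instead of overflowing the array.
class DataBlock {
public:
    static const std::size_t kInlineSize = 16;
    DataBlock() : data_ptr(0), destroy_fn(0) {}
    ~DataBlock() { Clear(); }
    DataBlock(const DataBlock&) = delete;             // copying would double-free data_ptr
    DataBlock& operator=(const DataBlock&) = delete;
    // Store a copy of `value`: in place if it fits, otherwise on the heap.
    template <typename T> void Set(const T& value) {
        Clear();
        if (sizeof(T) <= kInlineSize && alignof(T) <= alignof(std::max_align_t))
            data_ptr = new (data) T(value);           // placement-new into the inline array
        else
            data_ptr = new T(value);                  // too large: separate allocation
        destroy_fn = &DataBlock::Destroy<T>;
    }
    template <typename T> T& Get() { return *static_cast<T*>(data_ptr); }
    bool IsInline() const { return data_ptr == static_cast<const void*>(data); }
    // Destroy the stored object; free the memory only when data_ptr != data.
    void Clear() {
        if (data_ptr) destroy_fn(data_ptr, IsInline());
        data_ptr = 0; destroy_fn = 0;
    }
private:
    template <typename T> static void Destroy(void* p, bool is_inline) {
        if (is_inline) static_cast<T*>(p)->~T();      // inline: run the destructor only
        else delete static_cast<T*>(p);               // heap: destroy and free
    }
    alignas(std::max_align_t) unsigned char data[kInlineSize];
    void* data_ptr;
    void (*destroy_fn)(void*, bool);
};

// std::string is wider than 16 bytes on amd64 (the thread's case), so it must leave the array.
bool StringGoesToHeap() {
    DataBlock block;
    block.Set(std::string("libRocket on amd64"));
    return block.IsInline() == (sizeof(std::string) <= DataBlock::kInlineSize)
        && block.Get<std::string>() == "libRocket on amd64";
}
bool IntStaysInline() {                               // small type: stays in the inline array
    DataBlock block; block.Set(42);
    return block.IsInline() && block.Get<int>() == 42;
}
```

Building with -fsanitize=address shows the difference directly: the original char[16] layout reports a write past the array when a String is constructed, while this version reports nothing.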