------------------------------------------------------------
                        [BUG/PRB.] VFP 9.0 FIX - STRCONV() FUNCTION
                                 January 2024
                 ------------------------------------------------------------
                                     CCB



1. BUG:

     In vfp9 (and vfp8), sometimes vfp will crash when calling the STRCONV(cExpression,14) function.

     The bug affects only STRCONV(cExpression,14); the other STRCONV() conversion types are not affected.

     There is a test program:

     *PROC teststrconvfunction

     x1=STRCONV(REPLICATE("a",0x3000)+"b",13)
     x2=STRCONV(LEFT(x1,0x4000+1),14)

     RETURN

     * END OF PROC TESTSTRCONVFUNCTION.


2. CAUSE:

     For example, for the code:
     x1=STRCONV(REPLICATE("a",0x3000)+"b",13)
     vfp will allocate INT((0x3000+1)/3)*4 + 4 = 0x4004 bytes memory to save the returned result.

     x2=STRCONV(LEFT(x1,0x4000+1),14)
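     In vfp9 (and vfp8), it will allocate ROUND((0x4000+1)/4,0)*3 = 0x3000 bytes of memory for the returned result,
     but the result needs 0x3001 bytes, so the write runs past the end of the allocation: a buffer overflow!!!
     The crash is the visible symptom of this out-of-bounds write; an overrun of only a byte or so does not always hit something critical, which is presumably why vfp crashes only sometimes.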

     In VFP Advanced, it will allocate ROUND((0x4000+1)/4,0)*3 + 3 = 0x3003 bytes of memory for the returned result,
     so the bug does not occur there.

     There are some BUGs in the following code.


3. RESOLUTION:

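     We can write some code to fix the BUG. The fix adds 3 bytes to the size of the temporary result buffer whenever the conversion type in ebx is 14 (0Eh).
     The check is inserted twice: once before the small-buffer allocation (Label7826a4) and once before the large-buffer allocation used for sizes above 07D0h (Label7826b8).
     The inserted instructions are the ones without an address/bytes comment.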

     ; Fragment of the STRCONV() conversion worker (32-bit x86, MASM-style listing).
     ; The function prologue is not part of this listing, so the roles below are read
     ; off the uses further down and should be confirmed against the full function:
     ;   ebx       = conversion type (compared with 0Dh/0Eh and dispatched on below)
     ;   esi       = source length in bytes (passed as the source count to the API calls)
     ;   edi       = scratch destination buffer, or 0 when none has been allocated
     ;   [ebp+8]   = source buffer pointer
     ;   [ebp+12]  = destination capacity in bytes (passed as the destination size)
     ;   [ebp+16]  = Locale argument for LCMapStringA
     ;   [ebp+20]  = flag; non-zero sends the default path to Fun544742
     ;   [ebp-16]  = dwMapFlags for LCMapStringA
     ;   [ebp-20]  = code page used for conversion types 5 and 6
     ;   [ebp-24]  = handle returned by Fun42bf2a, tested against 0 before release
     Label782678 ::
             ; dwMapFlags = 0200h (LCMAP_UPPERCASE in the Win32 headers).
             mov  dword ptr [ ebp - 16 ] , 0200h                             ;0x00782678 :        c745f000020000

     Label78267f ::
             ; If the destination capacity equals edi (presumably 0 here - confirm), no
             ; scratch buffer is allocated and the dispatch runs in "size only" mode.
             cmp  dword ptr [ ebp + 12 ] , edi                               ;0x0078267f :        397d0c
             je Label7826c7                                                  ;0x00782682 :        7443
             ; Capacities above 07D0h (2000) bytes skip the stack path (unsigned compare).
             cmp  dword ptr [ ebp + 12 ] , 07D0h                             ;0x00782684 :        817d0cd0070000
             ja Label7826b5                                                  ;0x0078268b :        7728
             ; Fun42c118 is called with a size in eax and esp is used as the buffer
             ; afterwards, so it behaves like an alloca/stack-probe helper - confirm.
             xor eax , eax                                                   ;0x0078268d :        33c0
             call Fun42c118                                                  ;0x0078268f :        e8849acaff
             ; Headroom check: (esp - Data9370c4) must exceed the requested capacity,
             ; otherwise fall through to Label7826b1 with edi unchanged.
             ; NOTE(review): Data9370c4 looks like a stack limit; the compare is signed
             ; and uses the unpadded [ebp+12] - confirm.
             mov eax , esp                                                   ;0x00782694 :        8bc4
             sub  eax , dword ptr [ Data9370c4 ]                             ;0x00782696 :        2b05c4709300
             cmp  eax , dword ptr [ ebp + 12 ]                               ;0x0078269c :        3b450c
             jle Label7826b1                                                 ;0x0078269f :        7e10
             ; eax = requested scratch size for the stack allocation below.
             mov  eax , dword ptr [ ebp + 12 ]                               ;0x007826a1 :        8b450c


     ;
     ;                 -------------------------------------------------
     ;                        VFP 9.0 FIX - STRCONV() FUNCTION
     ;                                December 2022
     ;                 -------------------------------------------------
     ;                                     CCB
     ;
     ; Sometimes vfp will crash when calling the STRCONV() function.
     ;
     ; 2022/12/12, by ccb
     ;

             ; Inserted fix, small-buffer path: for conversion type 14 (0Eh) the capacity
             ; in [ebp+12] can be too small for what the type-14 converter writes (see
             ; CAUSE), so 3 spare bytes are added to the allocation size in eax.
             ; Only the allocation grows; [ebp+12] itself is left unchanged.
             ; NOTE(review): the headroom check before this point compared the unpadded
             ; size; after the +3 and the round-up the request can be up to 6 bytes
             ; larger than what was checked - confirm Fun42c118 probes the stack itself.
             cmp ebx , 0Eh
             jne Label7826a4
             add eax , 03h


     Label7826a4 ::
             ; Round the size up to a multiple of 4, reserve it below esp through
             ; Fun42c118 and use the new stack top as the scratch buffer (edi).
             add eax , 03h                                                   ;0x007826a4 :        83c003
             and eax , 0FFFFFFFCh                                            ;0x007826a7 :        83e0fc
             call Fun42c118                                                  ;0x007826aa :        e8699acaff
             mov edi , esp                                                   ;0x007826af :        8bfc

     Label7826b1 ::
             ; A non-zero edi means the stack path produced a buffer: go to the dispatch.
             ; Otherwise fall through to the large-buffer path.
             test edi , edi                                                  ;0x007826b1 :        85ff
             jne Label7826c7                                                 ;0x007826b3 :        7512

     Label7826b5 ::
             ; eax = requested scratch size for the Fun42bf2a allocation below.
             mov  eax , dword ptr [ ebp + 12 ]                               ;0x007826b5 :        8b450c


     ;
     ;                 -------------------------------------------------
     ;                        VFP 9.0 FIX - STRCONV() FUNCTION
     ;                                December 2022
     ;                 -------------------------------------------------
     ;                                     CCB
     ;
     ; Sometimes vfp will crash when calling the STRCONV() function.
     ;
     ; 2022/12/12, by ccb
     ;

             ; Inserted fix, large-buffer path: same padding as on the stack path. For
             ; conversion type 14 (0Eh) the allocation size in eax grows by 3 bytes.
             ; The test program in section 1 takes this path, since its capacity of
             ; 0x3000 bytes is above the 07D0h threshold.
             ; NOTE(review): the add is unchecked; a wrap would need a capacity within
             ; 3 of 0FFFFFFFFh - confirm callers cannot pass such a value.
             cmp ebx , 0Eh
             jne Label7826b8
             add eax , 03h


     Label7826b8 ::
             ; Fun42bf2a is called with 01008h pushed and the size in eax; the value it
             ; returns is dereferenced once to get the buffer, so it looks like a
             ; handle-based allocator - confirm. The handle is kept in [ebp-24] and
             ; released at Label7827ed.
             ; NOTE(review): the result is dereferenced without a visible null check;
             ; confirm Fun42bf2a cannot return 0.
             pushd 01008h                                                    ;0x007826b8 :        6808100000
             call Fun42bf2a                                                  ;0x007826bd :        e86898caff
             mov  edi , dword ptr [eax]                                      ;0x007826c2 :        8b38
             mov  dword ptr [ ebp - 24 ] , eax                               ;0x007826c4 :        8945e8

     Label7826c7 ::
             ; Dispatch on the conversion type in ebx:
             ;   > 13 -> Label782774 (14, 15, 16, else default)
             ;   = 13 -> Label78274f
             ;   =  5 -> Label782730      =  6 -> Label782713
             ;   = 10 -> Label7826fd      = 12 -> falls through below
             ;   anything else -> Label782781 (LCMapStringA path)
             cmp ebx , 0Dh                                                   ;0x007826c7 :        83fb0d
             jg Label782774                                                  ;0x007826ca :        0f8fa4000000
             je Label78274f                                                  ;0x007826d0 :        747d
             ; The subtract/decrement chain tests ebx against 5, 6, 10 and 12 in turn.
             mov eax , ebx                                                   ;0x007826d2 :        8bc3
             sub eax , 05h                                                   ;0x007826d4 :        83e805
             je Label782730                                                  ;0x007826d7 :        7457
             dec eax                                                         ;0x007826d9 :        48
             je Label782713                                                  ;0x007826da :        7437
             sub eax , 04h                                                   ;0x007826dc :        83e804
             je Label7826fd                                                  ;0x007826df :        741c
             dec eax                                                         ;0x007826e1 :        48
             dec eax                                                         ;0x007826e2 :        48
             jne Label782781                                                 ;0x007826e3 :        0f8598000000
             ; Type 12: MultiByteToWideChar(0FDE9h, 0, [ebp+8], esi, edi, [ebp+12]/2).
             ; 0FDE9h is 65001 (CP_UTF8). The destination count is the byte capacity
             ; halved, so the API is bounded by [ebp+12].
             mov  eax , dword ptr [ ebp + 12 ]                               ;0x007826e9 :        8b450c
             shr eax , 1                                                     ;0x007826ec :        d1e8
             push eax                                                        ;0x007826ee :        50
             push edi                                                        ;0x007826ef :        57
             push esi                                                        ;0x007826f0 :        56
             push  dword ptr [ ebp + 8 ]                                     ;0x007826f1 :        ff7508
             pushd 00h                                                       ;0x007826f4 :        6a00
             pushd 0FDE9h                                                    ;0x007826f6 :        68e9fd0000
             jmp Label782740                                                 ;0x007826fb :        eb43

     ; Types 10 and 6 both end in WideCharToMultiByte(CodePage, 0, [ebp+8], esi/2,
     ; edi, [ebp+12], 0, 0); they differ only in the code page pushed last.
     ; The API receives the destination capacity [ebp+12], so these paths are bounded.
     Label7826fd ::
             ; Type 10: code page 0FDE9h (65001, CP_UTF8).
             xor eax , eax                                                   ;0x007826fd :        33c0
             push eax                                                        ;0x007826ff :        50
             push eax                                                        ;0x00782700 :        50
             push  dword ptr [ ebp + 12 ]                                    ;0x00782701 :        ff750c
             ; Source length in bytes -> count of 16-bit characters.
             shr esi , 1                                                     ;0x00782704 :        d1ee
             push edi                                                        ;0x00782706 :        57
             push esi                                                        ;0x00782707 :        56
             push  dword ptr [ ebp + 8 ]                                     ;0x00782708 :        ff7508
             push eax                                                        ;0x0078270b :        50
             pushd 0FDE9h                                                    ;0x0078270c :        68e9fd0000
             jmp Label782725                                                 ;0x00782711 :        eb12

     Label782713 ::
             ; Type 6: same argument list, code page taken from [ebp-20].
             xor eax , eax                                                   ;0x00782713 :        33c0
             push eax                                                        ;0x00782715 :        50
             push eax                                                        ;0x00782716 :        50
             push  dword ptr [ ebp + 12 ]                                    ;0x00782717 :        ff750c
             shr esi , 1                                                     ;0x0078271a :        d1ee
             push edi                                                        ;0x0078271c :        57
             push esi                                                        ;0x0078271d :        56
             push  dword ptr [ ebp + 8 ]                                     ;0x0078271e :        ff7508
             push eax                                                        ;0x00782721 :        50
             push  dword ptr [ ebp - 20 ]                                    ;0x00782722 :        ff75ec

     Label782725 ::
             ; The return value in eax is taken as the result length at Label7827d6.
             call  WideCharToMultiByte                         ;0x00782725 :        ff1598719100
             jmp Label7827d6                                                 ;0x0078272b :        e9a6000000

     Label782730 ::
             ; Type 5: MultiByteToWideChar([ebp-20], 1, [ebp+8], esi, edi, [ebp+12]/2).
             ; Flag 1 is MB_PRECOMPOSED in the Win32 headers.
             mov  eax , dword ptr [ ebp + 12 ]                               ;0x00782730 :        8b450c
             shr eax , 1                                                     ;0x00782733 :        d1e8
             push eax                                                        ;0x00782735 :        50
             push edi                                                        ;0x00782736 :        57
             push esi                                                        ;0x00782737 :        56
             push  dword ptr [ ebp + 8 ]                                     ;0x00782738 :        ff7508
             pushd 01h                                                       ;0x0078273b :        6a01
             push  dword ptr [ ebp - 20 ]                                    ;0x0078273d :        ff75ec

     Label782740 ::
             ; Shared tail for types 5 and 12: the API returns a character count, which
             ; is doubled to a byte length in esi before the copy-back at Label7827d8.
             call  MultiByteToWideChar                         ;0x00782740 :        ff15d4719100
             mov esi , eax                                                   ;0x00782746 :        8bf0
             shl esi , 1                                                     ;0x00782748 :        d1e6
             jmp Label7827d8                                                 ;0x0078274a :        e989000000

     Label78274f ::
             ; Type 13. With no scratch buffer (edi = 0) only the result size is
             ; computed: esi = ((esi + 2) / 3) * 4, using an unsigned divide by 3.
             ; For the test program's 0x3001-byte input this gives 0x4004, the figure
             ; quoted in section 2.
             test edi , edi                                                  ;0x0078274f :        85ff
             jne Label782767                                                 ;0x00782751 :        7514
             lea eax ,  dword ptr [ esi + 2 ]                                ;0x00782753 :        8d4602
             pushd 03h                                                       ;0x00782756 :        6a03
             ; edx is cleared because div takes edx:eax as its dividend.
             xor edx , edx                                                   ;0x00782758 :        33d2
             pop ecx                                                         ;0x0078275a :        59
             div ecx                                                         ;0x0078275b :        f7f1
             mov esi , eax                                                   ;0x0078275d :        8bf0
             shl esi , 02h                                                   ;0x0078275f :        c1e602
             jmp Label7827ed                                                 ;0x00782762 :        e986000000

     Label782767 ::
             ; With a buffer: Fun7821ae(edx = source, eax = source length, stack = edi).
             ; It is presumably the type-13 converter; its eax result becomes the
             ; length at Label7827d6 - confirm.
             mov  edx , dword ptr [ ebp + 8 ]                                ;0x00782767 :        8b5508
             push edi                                                        ;0x0078276a :        57
             mov eax , esi                                                   ;0x0078276b :        8bc6
             call Fun7821ae                                                  ;0x0078276d :        e83cfaffff
             jmp Label7827d6                                                 ;0x00782772 :        eb62

     Label782774 ::
             ; Conversion types above 13: 14 -> Label7827cb, 15 -> Label7827b6,
             ; 16 -> Label7827a7, anything else falls into the default path.
             mov eax , ebx                                                   ;0x00782774 :        8bc3
             sub eax , 0Eh                                                   ;0x00782776 :        83e80e
             je Label7827cb                                                  ;0x00782779 :        7450
             dec eax                                                         ;0x0078277b :        48
             je Label7827b6                                                  ;0x0078277c :        7438
             dec eax                                                         ;0x0078277e :        48
             je Label7827a7                                                  ;0x0078277f :        7426

     Label782781 ::
             ; Default path: a non-zero [ebp+20] is sent to Label78279d, otherwise
             ; LCMapStringA([ebp+16], [ebp-16], [ebp+8], esi, edi, [ebp+12]) is called.
             ; The API receives the destination capacity, so this path is bounded.
             cmp  dword ptr [ ebp + 20 ] , 00h                               ;0x00782781 :        837d1400
             jne Label78279d                                                 ;0x00782785 :        7516
             push  dword ptr [ ebp + 12 ]                                    ;0x00782787 :        ff750c
             push edi                                                        ;0x0078278a :        57
             push esi                                                        ;0x0078278b :        56
             push  dword ptr [ ebp + 8 ]                                     ;0x0078278c :        ff7508
             push  dword ptr [ ebp - 16 ]                                    ;0x0078278f :        ff75f0
             push  dword ptr [ ebp + 16 ]                                    ;0x00782792 :        ff7510
             call  LCMapStringA                                ;0x00782795 :        ff1568709100
             jmp Label7827d6                                                 ;0x0078279b :        eb39

     Label78279d ::
             ; Fun544742 is called with ecx = 0385h (901).
             ; NOTE(review): this looks like an error raise that does not return; if it
             ; did return, execution would fall into the type-16 code at Label7827a7.
             mov ecx , 0385h                                                 ;0x0078279d :        b985030000
             call Fun544742                                                  ;0x007827a2 :        e89b1fdcff

     ; Converters for types 16, 15 and 14. Each receives the source pointer, the
     ; source length and the scratch buffer edi; none of the visible calls passes the
     ; destination capacity [ebp+12].
     Label7827a7 ::
             ; Type 16: Fun78249c(eax = source, ecx = source length, stack = edi, 1).
             mov  eax , dword ptr [ ebp + 8 ]                                ;0x007827a7 :        8b4508
             pushd 01h                                                       ;0x007827aa :        6a01
             push edi                                                        ;0x007827ac :        57
             mov ecx , esi                                                   ;0x007827ad :        8bce
             call Fun78249c                                                  ;0x007827af :        e8e8fcffff
             jmp Label7827d6                                                 ;0x007827b4 :        eb20

     Label7827b6 ::
             ; Type 15. With no scratch buffer (edi = 0) only the result size is
             ; computed: esi = esi * 2.
             test edi , edi                                                  ;0x007827b6 :        85ff
             jne Label7827be                                                 ;0x007827b8 :        7504
             add esi , esi                                                   ;0x007827ba :        03f6
             jmp Label7827ed                                                 ;0x007827bc :        eb2f

     Label7827be ::
             ; With a buffer: Fun78244e(ecx = source, eax = source length, stack = edi).
             mov  ecx , dword ptr [ ebp + 8 ]                                ;0x007827be :        8b4d08
             push edi                                                        ;0x007827c1 :        57
             mov eax , esi                                                   ;0x007827c2 :        8bc6
             call Fun78244e                                                  ;0x007827c4 :        e885fcffff
             jmp Label7827d6                                                 ;0x007827c9 :        eb0b

     Label7827cb ::
             ; Type 14, the case this fix is about:
             ; Fun782299(ecx = source, eax = source length, stack = edi).
             ; Unlike types 13 and 15, there is no size-only branch here, so the
             ; capacity in [ebp+12] was computed before this fragment.
             ; NOTE(review): the converter is not given the buffer size, so it cannot
             ; bound its own writes as far as this listing shows. The fix therefore
             ; relies on the 3 spare bytes covering every input length; a length check
             ; inside Fun782299 would be the stronger repair - confirm against its body.
             mov  ecx , dword ptr [ ebp + 8 ]                                ;0x007827cb :        8b4d08
             push edi                                                        ;0x007827ce :        57
             mov eax , esi                                                   ;0x007827cf :        8bc6
             call Fun782299                                                  ;0x007827d1 :        e8c3faffff

     Label7827d6 ::
             ; esi = result length returned by the converter or API call.
             mov esi , eax                                                   ;0x007827d6 :        8bf0

     Label7827d8 ::
             ; Copy-back step, skipped when there is no scratch buffer or the capacity
             ; is 0: Fun42c19b(ecx = [ebp+8], edx = edi, stack = esi).
             ; NOTE(review): this looks like a copy of esi bytes from the scratch buffer
             ; into the buffer at [ebp+8]; the length is the converter's result, not
             ; [ebp+12] - confirm the target is large enough for it.
             test edi , edi                                                  ;0x007827d8 :        85ff
             je Label7827ed                                                  ;0x007827da :        7411
             cmp  dword ptr [ ebp + 12 ] , 00h                               ;0x007827dc :        837d0c00
             je Label7827ed                                                  ;0x007827e0 :        740b
             mov  ecx , dword ptr [ ebp + 8 ]                                ;0x007827e2 :        8b4d08
             push esi                                                        ;0x007827e5 :        56
             mov edx , edi                                                   ;0x007827e6 :        8bd7
             call Fun42c19b                                                  ;0x007827e8 :        e8ae99caff

     Label7827ed ::
             ; Release the Fun42bf2a handle if one was taken ([ebp-24] non-zero).
             mov  ecx , dword ptr [ ebp - 24 ]                               ;0x007827ed :        8b4de8
             test ecx , ecx                                                  ;0x007827f0 :        85c9
             je Label7827f9                                                  ;0x007827f2 :        7405
             call Fun42c1e2                                                  ;0x007827f4 :        e8e999caff

     Label7827f9 ::
             ; Return the result length in eax. Resetting esp to ebp-64 discards any
             ; stack scratch buffer reserved through Fun42c118.
             mov eax , esi                                                   ;0x007827f9 :        8bc6
             lea esp ,  dword ptr [ ebp - 64 ]                               ;0x007827fb :        8d65c0
             ; Fun42bf1d is called with ecx = [ebp-4].
             ; NOTE(review): this looks like a stack-cookie check; if so, an overrun of
             ; the stack scratch buffer would have to reach [ebp-4] to be caught - confirm.
             mov  ecx , dword ptr [ ebp - 4 ]                                ;0x007827fe :        8b4dfc
             call Fun42bf1d                                                  ;0x00782801 :        e81797caff
             pop edi                                                         ;0x00782806 :        5f
             pop esi                                                         ;0x00782807 :        5e
             leave                                                           ;0x00782808 :        c9
             ; The callee removes 16 bytes of arguments: [ebp+8] through [ebp+20].
             ret 010h                                                        ;0x00782809 :        c21000


4. APPLIES TO:

     VFP 8.0.0.2521
     VFP 8.0.0.3117 (SP1)

     VFP 9.0.0.2412
     VFP 9.0.0.3504 (SP1)
     VFP 9.0.0.4611 (SP2)
     VFP 9.0.0.5015 (SP2)
     VFP 9.0.0.5411 (SP2)
     VFP 9.0.0.5721 (SP2)
     VFP 9.0.0.5815 (SP2)
     VFP 9.0.0.6303 (SP2)
     VFP 9.0.0.6602 (SP2)
     VFP 9.0.0.7423 (SP2)

     The bug has been fixed in VFP Advanced.


5. REFERENCE WEBSITES:

     1, baiyujia.com:
     http://www.baiyujia.com

     2, foxite.com:
     https://www.foxite.com/archives/base64-0000492043.htm


6. OTHER:

     For reference only; there are no guarantees.

     Any questions or suggestions, please send me an email at ccb2000@163.com.