------------------------------------------------------------
[BUG/PRB.] VFP 9.0 FIX - EXTENDED PROPERTIES
April 2026
------------------------------------------------------------
CCB
1. BUG:
In VFP 9, VFP sometimes crashes when reading extended properties.
The bug occurs when the length of the value of the extended property is exactly equal to the length of the data buffer (the initial length is 0x208).
It does not occur when the length of the value is less than 0x208 (nor when it is greater; see CAUSE below).
The bug occurs in the following commands:
CREATE CLASS command
CREATE FORM command
CREATE LABEL command
CREATE REPORT command
MODIFY CLASS command
MODIFY FORM command
MODIFY LABEL command
MODIFY REPORT command
DO FORM command
LABEL FORM command
REPORT FORM command
The bug was reported by Fabiano Araujo Frigodutra.
2. CAUSE:
If the length of a property value is greater than 0x100 bytes (for example _MemberData, KeyFieldList, UpdatableFieldList, UpdateNameList, etc.),
VFP saves the property as an extended property.
When the extended property is read back, the value is copied into a data buffer (the initial length is 0x208) and terminated with a null character (CHR(0)),
so the buffer must have room for the length of the value + 1 bytes.
If the length of the value of the extended property < the length of the data buffer,
VFP writes the value to the data buffer and then writes the null character after it; there is no problem.
In VFP 9, if the length of the value of the extended property > the length of the data buffer,
VFP resizes the data buffer to the length of the value + 1 (for the null character),
then writes the value and the null character; there is no problem.
In VFP 9, if the length of the value of the extended property = the length of the data buffer,
the data buffer is NOT resized, VFP writes the value (filling the buffer exactly),
and then writes the null character one byte past the end of the buffer: an off-by-one buffer overflow, which is what causes the crash.
In VFP Advanced, if the length of the value of the extended property >= the length of the data buffer,
the data buffer is resized to the length of the value + 1 (for the null character),
then the value and the null character are written; there is no problem.
The bug is in the original comparison at 0x004be103 (kept as a comment in the patched listing under RESOLUTION):
it compares the available buffer length (ecx) with the length of the value (edi) instead of with the length of the value + 1,
so the resize is skipped when the two are equal.
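To make the off-by-one concrete, the following C model is an added example and not VFP's own code; the names (propbuf, store_extended_value, run_case) and the exact "resize to length + 1" behaviour are assumptions based on the description above. It copies a constructed value into a buffer with the initial length 0x208 using either the VFP 9 comparison (resize only when length > buffer) or the patched one (resize when length + 1 > buffer), and reports an out-of-bounds write instead of performing it:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Initial length of the extended-property data buffer, from the note. */
#define INITIAL_BUFFER_LEN 0x208

/* Hypothetical stand-in for VFP's data buffer: a capacity plus a flag that
 * records whether a write would have landed past the end. */
typedef struct {
    char  *data;
    size_t cap;        /* bytes usable for the value plus its CHR(0) */
    bool   overflowed; /* set instead of actually writing out of bounds */
} propbuf;

static void propbuf_init(propbuf *b)
{
    b->data = malloc(INITIAL_BUFFER_LEN);
    if (!b->data) abort();
    b->cap = INITIAL_BUFFER_LEN;
    b->overflowed = false;
}

/* Resize to value length + 1, as the note describes for the "longer" case
 * (assumed exact size; the real growth granularity is not modelled). */
static void propbuf_grow(propbuf *b, size_t value_len)
{
    char *p = realloc(b->data, value_len + 1);
    if (!p) abort();
    b->data = p;
    b->cap = value_len + 1;
}

/* Copy an extended-property value into the buffer and append CHR(0).
 * fixed == false: VFP 9 check (grow only when value_len > cap),
 *                 i.e. the original "cmp ecx, edi / jnb".
 * fixed == true:  patched check (grow when value_len + 1 > cap),
 *                 i.e. "lea edx, [edi+1] / cmp ecx, edx / jnb".
 * Returns 0 on success, -1 if a write would go past the buffer. */
static int store_extended_value(propbuf *b, const char *value, size_t value_len, bool fixed)
{
    size_t needed = fixed ? value_len + 1 : value_len;
    if (needed > b->cap)
        propbuf_grow(b, value_len);

    /* Bounds-checked stand-ins for the raw copy and the trailing CHR(0). */
    if (value_len > b->cap) {
        b->overflowed = true;
        return -1;
    }
    memcpy(b->data, value, value_len);
    if (value_len >= b->cap) {
        /* data[value_len] is data[cap]: one byte past the end. */
        b->overflowed = true;
        return -1;
    }
    b->data[value_len] = '\0';
    return 0;
}

/* Run one scenario with a constructed value of value_len 'A' bytes.
 * Returns 0 (ok) or -1 (overflow); *cap_out receives the final capacity. */
static int run_case(size_t value_len, bool fixed, size_t *cap_out)
{
    char *value = malloc(value_len);
    if (!value) abort();
    memset(value, 'A', value_len);

    propbuf b;
    propbuf_init(&b);
    int rc = store_extended_value(&b, value, value_len, fixed);
    if (cap_out) *cap_out = b.cap;

    free(b.data);
    free(value);
    return rc;
}

/* Convenience wrappers: result code and final capacity for a given length. */
static int    check_len(size_t value_len, bool fixed) { return run_case(value_len, fixed, NULL); }
static size_t cap_after(size_t value_len, bool fixed) { size_t c; run_case(value_len, fixed, &c); return c; }

int main(void)
{
    const size_t lens[] = { 0x207, 0x208, 0x209, 0x300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t cap9, capfix;
        int rc9  = run_case(lens[i], false, &cap9);
        int rcfx = run_case(lens[i], true,  &capfix);
        printf("len=0x%03zx  vfp9: %-8s cap=0x%03zx  patched: %-8s cap=0x%03zx\n",
               lens[i], rc9 ? "OVERFLOW" : "ok", cap9, rcfx ? "OVERFLOW" : "ok", capfix);
    }
    return 0;
}
```

Only the 0x208 case differs between the two checks: the VFP 9 comparison leaves the buffer at 0x208 bytes and the terminating CHR(0) lands at index 0x208, while the patched comparison grows it to 0x209 first. Shorter and longer values behave identically under both.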
3. RESOLUTION:
The fix changes the comparison so that the data buffer is also resized when the length of the value equals the length of the data buffer, leaving room for the null character.
Patched code (the original instruction at 0x004be103 is kept as a comment):
Label4be0b7 ::
cmp byte ptr [ esi + 1 ] , al ;0x004be0b7 : 384601
jne Label4f90f2 ;0x004be0ba : 0f8532b00300
and dword ptr [ ebp - 4 ] , 00h ;0x004be0c0 : 8365fc00
Label4be0c4 ::
inc dword ptr [ ebp - 4 ] ;0x004be0c4 : ff45fc
inc esi ;0x004be0c7 : 46
cmp byte ptr [esi] , 01h ;0x004be0c8 : 803e01
je Label4be0c4 ;0x004be0cb : 74f7
cmp dword ptr [ ebp - 4 ] , 0205h ;0x004be0cd : 817dfc05020000
jne Label5dfac5 ;0x004be0d4 : 0f85eb191200
lea eax , dword ptr [ ebp - 4 ] ;0x004be0da : 8d45fc
push eax ;0x004be0dd : 50
pushd 08h ;0x004be0de : 6a08
pop eax ;0x004be0e0 : 58
mov ecx , esi ;0x004be0e1 : 8bce
call Fun41e99a ;0x004be0e3 : e8b208f6ff
test eax , eax ;0x004be0e8 : 85c0
je Label5dfacf ;0x004be0ea : 0f84df191200
mov ebx , dword ptr [ ebp + 8 ] ;0x004be0f0 : 8b5d08
mov eax , dword ptr [ebx] ;0x004be0f3 : 8b03
mov ecx , dword ptr [eax] ;0x004be0f5 : 8b08
mov ecx , dword ptr [ ecx - 4 ] ;0x004be0f7 : 8b49fc
mov edi , dword ptr [ ebp - 4 ] ;0x004be0fa : 8b7dfc
sub ecx , 08h ;0x004be0fd : 83e908
add esi , 08h ;0x004be100 : 83c608
;
; -------------------------------------------------
; VFP 9.0 FIX - EXTENDED PROPERTIES
; April 2026
; -------------------------------------------------
; CCB
;
; Sometimes vfp will crash when reading extended properties.
;
; 2026/4/8, by ccb
;
; cmp ecx , edi ;0x004be103 : 3bcf
lea edx , dword ptr [ edi + 1 ]
cmp ecx , edx
jnb Label4be115 ;0x004be105 : 730e
pushd 01000h ;0x004be107 : 6800100000
lea ecx , dword ptr [ edi + 1 ] ;0x004be10c : 8d4f01
push eax ;0x004be10f : 50
call Fun42c2c4 ;0x004be110 : e8afe1f6ff
Label4be115 ::
mov eax , dword ptr [ebx] ;0x004be115 : 8b03
mov ecx , dword ptr [eax] ;0x004be117 : 8b08
push edi ;0x004be119 : 57
mov edx , esi ;0x004be11a : 8bd6
call Fun42c19b ;0x004be11c : e87ae0f6ff
mov eax , dword ptr [ebx] ;0x004be121 : 8b03
mov eax , dword ptr [eax] ;0x004be123 : 8b00
add esi , edi ;0x004be125 : 03f7
mov byte ptr [ edi + eax ] , 00h ;0x004be127 : c6040700
mov eax , esi ;0x004be12b : 8bc6
lea ecx , dword ptr [ eax + 1 ] ;0x004be12d : 8d4801
Label4be130 ::
mov dl , byte ptr [eax] ;0x004be130 : 8a10
inc eax ;0x004be132 : 40
test dl , dl ;0x004be133 : 84d2
jne Label4be130 ;0x004be135 : 75f9
sub eax , ecx ;0x004be137 : 2bc1
mov dword ptr [ ebp - 4 ] , eax ;0x004be139 : 8945fc
jmp Label4f9119 ;0x004be13c : e9d8af0300
4. APPLIES TO:
VFP 9.0.0.2412
VFP 9.0.0.3504 (SP1)
VFP 9.0.0.4611 (SP2)
VFP 9.0.0.5015 (SP2)
VFP 9.0.0.5411 (SP2)
VFP 9.0.0.5721 (SP2)
VFP 9.0.0.5815 (SP2)
VFP 9.0.0.6303 (SP2)
VFP 9.0.0.6602 (SP2)
VFP 9.0.0.7423 (SP2)
The bug has been fixed in VFP Advanced.
5. REFERENCE WEBSITES:
1. baiyujia.com:
http://www.baiyujia.com
6. OTHER:
For reference only; there are no guarantees.
Any questions or suggestions, please send me an email at ccb2000@163.com.