Buffer overflow in GuiTextEditCtrl
by Claude-Alain Fournier · in Torque Game Engine Advanced · 07/24/2006 (1:20 am) · 3 replies
Got some very strange memory problems and an ugly crash when trying to display my game login panel. I found out it's linked to the following code in GuiTextEditCtrl::drawText (GuiTextEditCtrl.cpp):
    if (mPasswordText)
    {
        // The "- 1" in the loop bound was highlighted in the original post.
        for (U32 i = 0; i < mTextBuffer.length() - 1; i++)
            textBuffer.append(StringBuffer(mPasswordMask));
    }

The problem is in the loop: if mTextBuffer.length() returns 0 (it may if the password is not initialised), as length() returns a U32 integer, 0 - 1 = 4294967296, that's 4 giga of * in the buffer as a result ;)
Whatever was that - 1 there for? It makes the string one character short anyway.
Correct code:

    if (mPasswordText)
    {
        for (U32 i = 0; i < mTextBuffer.length(); i++)
            textBuffer.append(StringBuffer(mPasswordMask));
    }

In the same method, after this code you should use only textBuffer and not mTextBuffer. That's the reason why it does not show the password mask "*" instead of the clear text password.
#2
07/25/2006 (8:56 am)
I am aware of this, I checked the length() implementation before correcting ;) Here is what length returns:
return mBuffer.size() - 1; // Don't count the NULL of course.
I am too old a C developer to be forgetting this potential problem :P
#3
07/25/2006 (11:25 am)
Looks like the person who wrote the original code didn't check the definition of .length() then.
Torque 3D Owner Mark Dynna
    // The "&& mTextBuffer.length() > 0" guard was highlighted in the original reply.
    if (mPasswordText && mTextBuffer.length() > 0)
    {
        for (U32 i = 0; i < mTextBuffer.length() - 1; i++)
            textBuffer.append(StringBuffer(mPasswordMask));
    }
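The loop bounds discussed in this thread, side by side, as an added example that is not part of any post or of the engine source. MiniBuffer is a hypothetical stand-in that models only the length() behaviour quoted in reply #2, and the function names are made up for the illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using U32 = std::uint32_t;  // stand-in for the engine's U32 typedef

// Hypothetical buffer: storage includes the terminating NUL and length()
// returns size() - 1, as quoted in reply #2.
struct MiniBuffer {
    std::vector<char> data{'\0'};
    void set(const std::string& s) {
        data.assign(s.begin(), s.end());
        data.push_back('\0');
    }
    U32 length() const { return static_cast<U32>(data.size()) - 1; }
};

// Bound used by the original loop: unsigned subtraction, so an empty
// buffer wraps to the largest U32 value instead of going negative.
U32 originalLoopBound(const MiniBuffer& b) { return b.length() - 1; }

// Bound with the length() > 0 guard from the last reply: no wrap, but the
// mask is still one character short for non-empty text.
U32 guardedLoopBound(const MiniBuffer& b) {
    return b.length() > 0 ? b.length() - 1 : 0;
}

// Mask built as in the corrected code: one mask character per character.
std::string buildMask(const MiniBuffer& b, char mask = '*') {
    std::string out;
    out.reserve(b.length());
    for (U32 i = 0; i < b.length(); i++)
        out.push_back(mask);
    return out;
}

int main() {
    MiniBuffer empty, pw;
    pw.set("secret");  // constructed sample input
    std::printf("original bound, empty buffer: %u\n", (unsigned)originalLoopBound(empty));
    std::printf("original bound, \"secret\":     %u\n", (unsigned)originalLoopBound(pw));
    std::printf("guarded bound, empty buffer:  %u\n", (unsigned)guardedLoopBound(empty));
    std::printf("corrected mask:               %s\n", buildMask(pw).c_str());
    return 0;
}
```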