The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,391 other followers

Delphi and C++ Builder VCL Library Buffer Overflow

Posted by jpluimers on 2014/08/19

Since this did not make it to DelphiFeeds yet: I’ve seen the function PaletteFromDIBColorTable in Graphics.pas go back as far at least until Delphi 2006, and references on the web as far back as Delphi 4.

So: this bug is old, but as it is a security one, make sure you patch soon.

For Delphi XE6, download 29913 BMP Buffer Overflow hotfix – Delphi, C++Builder, RAD Studio XE6.

For older Delphi versions, read this piece that was adapted from the EDN article Delphi and C++ Builder VCL Library Buffer Overflow:

For users of prior versions of Delphi and C++Builder: these steps should be followed to modify the VCL source code and add it to your application.

For each application:

  1. Add the modified Edit Vcl.Graphics.pas or Graphics.pas or Borland.Vcl.Graphics.pas to your project
  2. For C++Builder: Under Project | Options | Packages | Runtime Packages, set “Link with runtime packages” to false
  3. Rebuild your application

Once for the native VCL and .NET VCL:

  • Note: Variable names and scoping might be slightly different depending on your product version.
  1. Edit Vcl.Graphics.pas or Graphics.pas or Borland.Vcl.Graphics.pas
  2. Locate the function PaletteFromDIBColorTable.
  3. Add the following code just before the line assigning a value to Pal.palNumEntries when the DIBHandle = 0
    if ColorCount > 256 then 
      InvalidGraphic{$IFNDEF CLR}@{$ENDIF}SInvalidBitmap;;


via Delphi and C++ Builder VCL Library Buffer Overflow.

5 Responses to “Delphi and C++ Builder VCL Library Buffer Overflow”

  1. […] the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them […]

  2. Joseph G. Mitzen said

    I can’t believe they’re not issuing a security patch for older versions of Delphi. Even a diff file would be something.

    • jpluimers said

      I can.

      One of the reasons I’m not active on QC any more is that the only secure way to reach it is through the QC web front-client (which severely impacts my abilities to report issues and respond to them). The QC clients are too much of a security risk. Embarcadero won’t fix QC or the clients, as they have been moving to JIRA for like 5 years now.

      They also don’t take security on their forums server seriously. The SSL certificate expired like almost 5 years (coincidence?) ago: and that certificate still points to the CodeGear servers:

      I cannot access these forums any more as these certificates are blocked by the gateway. With good reason.

      Taking a while to migrate something is OK, but not fixing known security issues (they know about both) in this age of time is unforgivable.

  3. You have to rebuild all of your third-party components as well, if they have any relations with this module.
    Also, i got massage that my jpeg unit was built with the different version of VCL.Graphics

    • jpluimers said

      That depends if you ship components as binaries that include the RTL and VCL. There is far less risk for developers that have control the incoming stream of bitmaps.

      BTW: It would be sooo nice if Embarcaro could document how to rebuild the RTL+VCL for a current Delphi installation so design-time components could make sure of the fix.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: