2

I'm interested to know: is Delphi vulnerable to buffer overflow attacks? I read some pages which mentioned that Delphi is secure against that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar). When interfacing with Win API there is no other option except using Pchar". Is that true? Thanks.

3
  • 2
    You should find a better site to use for learning Delphi. And no, we cannot suggest one for you, because that would be against this site's guidelines. Commented Jan 8, 2021 at 0:23
  • The Delphi compiler can generate "special" code that can detect some cases of buffer overflow. Read about Range Checking and also Overflow Checking. Commented Apr 11, 2024 at 6:19
  • Also see this extended discussion: en.delphipraxis.net/topic/… Commented Apr 16, 2024 at 6:57

3 Answers

8

is Delphi vulnerable to Buffer overflow attack?

MOST languages are susceptible to buffer overflow attacks. A buffer overflow is a coding bug, not a language defect. For example, in Delphi:

program OverflowDemo;

var
  buf: array[0..0] of Byte; // a 1-byte buffer
  i: Integer;               // 4 bytes
begin
  Move(buf, i, SizeOf(i)); // buffer overflow! reads 4 bytes starting at a 1-byte buffer
  PInteger(@buf)^ := i;    // buffer overflow! writes 4 bytes into a 1-byte buffer
end.

MOST languages will let you shoot yourself in the foot, if you are not careful. There is only so much hand-holding a compiler can do. Not everything can be avoided at compile-time. Programming is not just about writing code that compiles, but also about writing code that acts correctly and responsibly at runtime.

SOME languages may wrap buffers in such a way that bounds checking is performed at runtime, mitigating the risk of buffer overflows. Delphi is not one of those languages, since it allows you to operate directly on raw memory, so you can pretty much do whatever you want (well, whatever the underlying OS lets you do, anyway). And this is certainly true for Pascal strings.

I read some pages which mentioned Delphi is secure to that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar).

Delphi has no features to avoid all possible kinds of buffer overflows. But, if you write your code to use buffers correctly and sanely, overflows are not likely to happen. This is not limited to just strings, either.

When interfacing with Win API there is no other option except using Pchar". is that true?

It depends on the particular API. Most use simple null-terminated PChar strings, yes. But some use UNICODE_STRING records instead, which use WideChar buffers that are not guaranteed to be null-terminated. Some use ActiveX/COM BSTR (Delphi WideString) strings instead.
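The two points of this answer, that Move() and pointer casts perform no bounds check of their own and that Win API calls take a PChar buffer whose size the caller must state, can be shown side by side. The following is an added example written for this page, not code from the answer above; CopyToSmallBuf and SafeGetWindowsDir are hypothetical helper names, while GetWindowsDirectory, MAX_PATH and ERangeError are the real Windows/SysUtils declarations they rely on.

```pascal
program BoundedCopyDemo;
{$APPTYPE CONSOLE}
{$R+}  // range checking on: out-of-range array indexing raises ERangeError

uses
  SysUtils, Windows;

type
  // Constructed fixed-size buffer, the kind of target the Move() example overflows.
  TSmallBuf = array[0..7] of Byte;

// Hypothetical helper (not part of the Delphi RTL): copy Len bytes from Src
// into Dst only when they fit. Move() trusts whatever count it is given, so
// the size check has to live in the caller, before Move() runs.
procedure CopyToSmallBuf(const Src; Len: Integer; var Dst: TSmallBuf);
begin
  if (Len < 0) or (Len > SizeOf(Dst)) then
    raise ERangeError.CreateFmt('%d bytes do not fit in a %d-byte buffer',
      [Len, SizeOf(Dst)]);
  Move(Src, Dst, Len);
end;

// Win32 APIs that fill a caller-supplied PChar buffer take the buffer size in
// characters and return the number of characters written (or required).
// GetWindowsDirectory is a real Windows API; the sizing discipline is the point.
function SafeGetWindowsDir: string;
var
  Buf: array[0..MAX_PATH] of Char;  // MAX_PATH + 1 leaves room for the #0
  Len: UINT;
begin
  Len := GetWindowsDirectory(Buf, Length(Buf));  // size in Chars, never bytes
  if Len = 0 then
    RaiseLastOSError;
  if Len >= UINT(Length(Buf)) then
    raise Exception.Create('buffer too small: the API reported the required size');
  SetString(Result, Buf, Integer(Len));  // copy exactly Len chars, no #0 scanning
end;

var
  Big: Int64;                  // 8 bytes: fits in TSmallBuf
  Wide: array[0..15] of Byte;  // 16 bytes: does not fit
  Dst: TSmallBuf;
begin
  Big := $0102030405060708;
  FillChar(Wide, SizeOf(Wide), $AA);   // constructed sample payload
  CopyToSmallBuf(Big, SizeOf(Big), Dst);
  Writeln('copied ', SizeOf(Big), ' bytes');
  try
    CopyToSmallBuf(Wide, SizeOf(Wide), Dst);
  except
    on E: ERangeError do
      Writeln('rejected: ', E.Message);
  end;
  Writeln('Windows directory: ', SafeGetWindowsDir);
end.
```

The untyped `const Src` parameter keeps the helper usable with any source, which is exactly why the length must be validated against `SizeOf(Dst)` rather than inferred; for the PChar case, passing `Length(Buf)` instead of `SizeOf(Buf)` matters because on Unicode Delphi a Char is two bytes.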


4 Comments

Thanks. My main concern is about turning on the "Control Flow Guard (CFG)" flag in the Delphi language. I have a .exe application and I want to turn on CFG for that. This flag is created to combat memory corruption vulnerabilities.
@hanahosseinabadi AFAIK, Delphi does not support CFG at this time. And even if it did, CFG is only used for blocking the execution of functions from illegitimate sources. Buffer overflows can be used for that, but are not the only way. And CFG does not protect from buffer overflows themselves, which can cause other problems than just illegitimate function calls.
That's low level Delphi. Beginners will rarely write code like this. Writing "higher" level code would prevent buffer overflow. Of course, you would have to trade speed for safety :)
Are you aware that is very low level Delphi? Normally, you rarely write code like this. Usually is required when you "go outside" of Delphi and interact with MS API. And if you write code like this, (probably) you know what you are doing. Writing "standard" code would totally prevent buffer overflow. Of course, you would have to trade speed for safety :) But, when you compare Delphi against JS, R, Python, Julia, PHP, DotNiet... who cares about a bit slower code...
4

Delphi as IDE? Maybe. As language? Sure. Judge for yourself:

program StringOverflowDemo;
{$APPTYPE CONSOLE}

var
  s: String;
  i: Integer;
begin
  s := 'four';  // Length of string: 4 characters
  for i := 1 to 1138 do begin  // This loop goes WAY beyond the String's buffer
    Write(s[i]);  // What will it access after i=4?
  end;
end.

PChar is needed because the WinAPI is not constructed for Pascal, so Pascal needs to bend for APIs. Buffer overflows are a problem, but it's not like PChar is radioactive and String is Jesus - it's up to the programmer to not be overly stupid.

6 Comments

That code is totally safe with {$Q+} and {$R+}. A nice exception will pop-up at runtime to remind the programmer how stupid he is :)
That code uses magic numbers (1138). A good programmer would use Length(s) instead of 1138 (or Low() and High() for arrays). So, this is a good example of bad code written by a newbie.
@IceCold So choosing non-descriptive variable names like i and s is okay for you? That's not the point in this example - the arbitrary loop condition was on purpose and you know that. What you don't seem to know: you can edit comments so you don't have to mistake this as chat to submit multiple comments; likewise you can delete existing ones and add a new/better/combined one. Also consider using formattings in comments.
My first point was that Delphi has good checks against some kinds of buffer overflows. Your code will not pass those checks. Therefore, it is not good enough to be used as an example.
My second point was that this buffer overflow is not even the core problem. If the code had used Length(), the programmer would not have been in the place to generate a buffer overflow. In other words, in your example above, "String" is literally Jesus, if Range Checking is on.
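The answer's loop and the comment thread about {$R+} and Length() can be put together in one program. This is an added example for this page, not code from the answer or its commenters; JoinChars, SumBytes and ReadChecked are hypothetical helper names, and the behaviour relied on is the documented one: in the {$R+} state the compiler verifies string and array indexing expressions against their bounds and raises ERangeError when they fall outside.

```pascal
program RangeCheckDemo;
{$APPTYPE CONSOLE}
{$R+}  // range checking ON for the whole unit

uses
  SysUtils;

// Same traversal as the answer's loop, but the bound comes from Length(S),
// so the loop cannot step past the last character whatever S holds.
function JoinChars(const S: string): string;
var
  i: Integer;
begin
  Result := '';
  for i := 1 to Length(S) do      // long strings are 1-based on desktop Delphi
    Result := Result + S[i] + '|';
end;

// For arrays, Low()/High() follow the declared bounds, so a later change to
// the array size cannot leave a stale hard-coded bound behind.
function SumBytes(const A: array of Byte): Integer;
var
  i: Integer;
begin
  Result := 0;
  for i := Low(A) to High(A) do
    Inc(Result, A[i]);
end;

// Reproduces the answer's out-of-range read under {$R+}: instead of reading
// whatever happens to lie beyond the string's buffer, the RTL raises
// ERangeError. The same read compiled with {$R-} touches memory past the end
// of the string with no diagnostic at all, which is the unsafe case.
function ReadChecked(const S: string; Idx: Integer): string;
begin
  try
    Result := 'char ' + S[Idx];
  except
    on E: ERangeError do
      Result := 'ERangeError for index ' + IntToStr(Idx);
  end;
end;

var
  s: string;
  Data: array[0..3] of Byte;  // constructed sample array
begin
  s := 'four';
  Writeln(JoinChars(s));
  Data[0] := 1; Data[1] := 2; Data[2] := 3; Data[3] := 4;
  Writeln('sum = ', SumBytes(Data));
  Writeln(ReadChecked(s, 4));       // last valid index
  Writeln(ReadChecked(s, 1138));    // the answer's loop bound, now caught
end.
```

Range checking costs a compare per index, which is the speed-for-safety trade the comments mention; a common compromise is to build with {$R+} during development and testing so that these reads fail loudly rather than silently.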
1

A buffer overflow attack is not related to any specific language. Those attacks are only possible when the developer has wrongly coded his application.

To make it short, it is your responsibility as the developer to write all tests when memory is being written with data from the outside. You have to ALWAYS check if the data length is correct to fit when you write it.

For Delphi, there are tools that help detect buffer overflows (or underflows and many other bugs). For example madExcept. This tool won't prevent buffer overflows, it will immediately detect if your program overflows a dynamically allocated buffer. This is a test tool that should not be delivered in the released version.

4 Comments

Yes and no. Much of the code in a Delphi program is rtl/vcl code that is outside the control of the developer
Before moving data to/from rtl/vcl/library/component code, the developer has the responsibility to check for validity to avoid any buffer overflow and other kind of errors. The developer should also look at the rtl/vcl source code to search how that code could be vulnerable to any attack. Developing a secure application can be complex and time consuming.
@DavidHeffernan - You are right that the rtl/vcl is outside developer's control, but at the same time it passed the test of time. I haven't encountered (yet) a buffer overflow in there :)
@IceCold There was a very famous one in TBitmap
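The rule in this answer, always check that incoming data fits before writing it into memory, is most often violated when the length itself comes from the outside. The following is an added example for this page, not code from the answer or from madExcept: a parser for a constructed length-prefixed record format (not a real protocol), where the declared length is validated against both the bytes actually received and the capacity of the fixed-size destination field before Move() is allowed to run. TNameRecord, ParseNameRecord, RecordName and ParseAll are hypothetical names.

```pascal
program UntrustedLengthDemo;
{$APPTYPE CONSOLE}
{$R+}

uses
  SysUtils;

const
  MAX_NAME = 16;

type
  // Constructed record layout: a length byte followed by that many name
  // bytes. The length byte is attacker-controlled input.
  TNameRecord = record
    NameLen: Byte;
    Name: array[0..MAX_NAME - 1] of AnsiChar;
  end;

// Parses one record starting at Buf[Pos]. Returns False (leaving Pos alone)
// when the declared length exceeds what was received or would not fit the
// fixed-size Name field. Both checks run before Move(), which trusts its count.
function ParseNameRecord(const Buf: TBytes; var Pos: Integer;
  out Rec: TNameRecord): Boolean;
var
  Avail, L: Integer;
begin
  Result := False;
  FillChar(Rec, SizeOf(Rec), 0);
  Avail := Length(Buf) - Pos;
  if Avail < 1 then
    Exit;                       // not even a length byte left
  L := Buf[Pos];
  if L > MAX_NAME then
    Exit;                       // would overflow Rec.Name
  if L > Avail - 1 then
    Exit;                       // declared length runs past the received data
  Rec.NameLen := L;
  if L > 0 then
    Move(Buf[Pos + 1], Rec.Name[0], L);
  Inc(Pos, 1 + L);
  Result := True;
end;

function RecordName(const Rec: TNameRecord): AnsiString;
begin
  SetString(Result, PAnsiChar(@Rec.Name[0]), Rec.NameLen);
end;

// Parses every record in Wire and reports where parsing had to stop.
procedure ParseAll(const Title: string; const Wire: array of Byte);
var
  Buf: TBytes;
  Pos: Integer;
  Rec: TNameRecord;
begin
  SetLength(Buf, Length(Wire));
  if Length(Wire) > 0 then
    Move(Wire[0], Buf[0], Length(Wire));
  Pos := 0;
  Writeln(Title, ':');
  while ParseNameRecord(Buf, Pos, Rec) do
    Writeln('  name = "', RecordName(Rec), '" (', Rec.NameLen, ' bytes)');
  if Pos < Length(Buf) then
    Writeln('  rejected record at offset ', Pos,
      ' (declared length ', Buf[Pos], ')');
end;

begin
  // constructed inputs: two well-formed records
  ParseAll('good input',
    [5, Ord('h'), Ord('e'), Ord('l'), Ord('l'), Ord('o'), 2, Ord('o'), Ord('k')]);
  // second record declares 3 bytes but only 2 were received
  ParseAll('truncated input', [2, Ord('o'), Ord('k'), 3, Ord('a'), Ord('b')]);
  // length byte 200 would overflow the 16-byte Name field
  ParseAll('oversized length', [200, Ord('x'), Ord('y')]);
end.
```

Keeping the declared length as an Integer (rather than the Byte it came from) and comparing it against `Avail - 1` avoids an unsigned wrap when the buffer is shorter than the header, and rejecting rather than clamping means a malformed record is never silently reinterpreted as a shorter valid one.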
