ID: 0000376
Project: CEGUI
Category: Core library (CEGUIBase)
View Status: public
Date Submitted: 2010-06-30 08:28
Last Update: 2010-08-02 08:48
Assigned To: CrazyEddie
Product Version: 0.7.1
Fixed in Version: Mercurial: default branch
Summary: 0000376: CEGUI::String.erase() can perform buffer overrun
Description:
If idx is equal to d_cplength, then the memmove below will become -len, which is a size_t value and becomes a potentially huge memmove.

Change the condition to:

if (d_cplength <= idx) throw....

String& erase(size_type idx, size_type len = npos)
{
    if (d_cplength < idx)
        throw std::out_of_range("Index is out of range for Cube::String");

    if (len == npos)
        len = d_cplength - idx;

    size_type newsz = d_cplength - len;

    // size_type is unsigned: when idx + len exceeds d_cplength, the
    // (d_cplength - idx - len) expression wraps around to a huge count
    // and memmove reads and writes far past the end of the buffer.
    memmove(&ptr()[idx], &ptr()[idx + len], (d_cplength - idx - len) * sizeof(utf32));
    return *this;
}
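To show the length arithmetic from the report next to an erase() that cannot underflow, here is an added example; it is not CEGUI's code and not the reporter's. SimpleString, unsafeMoveCount() and eraseThrowsOutOfRange() are hypothetical names, npos is defined locally, the field name d_cplength and the utf32 type are borrowed from the report for readability, and the sample string "hello" is constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical minimal code-point string used only to illustrate the erase()
// bounds problem from the report. It is not CEGUI::String.
typedef unsigned int utf32;
static const std::size_t npos = static_cast<std::size_t>(-1);

class SimpleString {
public:
    explicit SimpleString(const char* s) : d_cplength(0) {
        for (const char* p = s; *p != '\0'; ++p)
            buf_.push_back(static_cast<utf32>(static_cast<unsigned char>(*p)));
        d_cplength = buf_.size();
    }

    std::size_t size() const { return d_cplength; }

    // Reproduces the length arithmetic of the reported erase() without calling
    // memmove: (cplength - idx - len) is unsigned, so whenever idx + len exceeds
    // cplength it wraps to a huge count. Returning it lets the wrap be observed safely.
    static std::size_t unsafeMoveCount(std::size_t cplength, std::size_t idx, std::size_t len) {
        if (len == npos)
            len = cplength - idx;
        return cplength - idx - len;
    }

    // Hardened erase(): reject idx past the end, then clamp len so that
    // idx + len never exceeds the current length (the std::basic_string rule).
    SimpleString& erase(std::size_t idx, std::size_t len = npos) {
        if (idx > d_cplength)
            throw std::out_of_range("erase: idx is beyond the end of the string");
        if (len == npos || len > d_cplength - idx)
            len = d_cplength - idx;
        const std::size_t tail = d_cplength - idx - len; // cannot underflow after clamping
        if (tail > 0) // guard keeps both indices strictly inside buf_
            std::memmove(&buf_[idx], &buf_[idx + len], tail * sizeof(utf32));
        d_cplength -= len;
        buf_.resize(d_cplength);
        return *this;
    }

    // Narrow back to a std::string for display and checking (ASCII samples only).
    std::string str() const {
        std::string out;
        for (std::size_t i = 0; i < d_cplength; ++i)
            out += static_cast<char>(buf_[i]);
        return out;
    }

private:
    std::vector<utf32> buf_;
    std::size_t d_cplength;
};

// Helper for checking that the hardened erase() still rejects an index past the end.
bool eraseThrowsOutOfRange(const char* text, std::size_t idx, std::size_t len) {
    try {
        SimpleString(text).erase(idx, len);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main() {
    // Constructed sample: idx == length with an explicit len, the case from the report.
    std::cout << "count the reported erase() would pass to memmove for (5, 5, 3): "
              << SimpleString::unsafeMoveCount(5, 5, 3) << " code points\n";
    std::cout << "hardened erase(1, 3) on \"hello\": "
              << SimpleString("hello").erase(1, 3).str() << "\n";
    std::cout << "hardened erase(5, 3) on \"hello\": "
              << SimpleString("hello").erase(5, 3).str() << "\n";
    return 0;
}
```

unsafeMoveCount(5, 5, 3) evaluates to SIZE_MAX - 2, which is the "potentially huge memmove" the report describes. The hardened version closes the same hole by clamping len, which keeps erase(size(), n) as a no-op the way std::basic_string does; the report's stricter suggestion of throwing when idx == d_cplength also removes the underflow, at the cost of rejecting that call.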
Tags: No tags attached.

Notes
CrazyEddie (administrator), 2010-08-02 08:48:

Fixed in branches/v0-7 r2573. Thanks :)

Issue History
Date Modified | Username | Field | Change
2010-06-30 08:28 gring New Issue
2010-07-01 08:39 CrazyEddie Status new => assigned
2010-07-01 08:39 CrazyEddie Assigned To => CrazyEddie
2010-08-02 08:37 CrazyEddie Status assigned => confirmed
2010-08-02 08:48 CrazyEddie Note Added: 0000471
2010-08-02 08:48 CrazyEddie Status confirmed => resolved
2010-08-02 08:48 CrazyEddie Fixed in Version 0.8.3 => Mercurial: default branch
2010-08-02 08:48 CrazyEddie Resolution open => fixed