security - Buffer overflow vulnerability in Delphi

Question

I'm interested to know, is Delphi vulnerable to Buffer overflow attack? I read some pages which mentioned Delphi is secure to that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar). When interfacing with Win API there is no other option except using Pchar". is that true? thanks

question from:https://stackoverflow.com/questions/65621454/buffer-overflow-vulnerability-in-delphi

Answer 1

is Delphi vulnerable to Buffer overflow attack?

MOST languages are susceptible to buffer overflow attacks. A buffer overflow is a coding bug, not a language defect. For example, in Delphi:

var
  buf: array[0..0] of Byte;
  i: Integer;
begin
  Move(buf, i, sizeof(i)); // buffer overflow!
  PInteger(@buf)^ := i;    // buffer overflow!
end;

MOST languages will let you shoot yourself in the foot, if you are not careful. There is only so much hand-holding a compiler can do. Not everything can be avoided at compile-time. Programming is not just about writing code that compiles, but also about writing code that acts correctly and responsibly at runtime.

SOME languages may wrap buffers in such a way that bounds checking is performed at runtime, mitigating the risk of buffer overflows. Delphi is not one of those languages, since it allows you to operate directly on raw memory, so you can pretty much do whatever you want (well, whatever the underlying OS lets you do, anyway). And this is certainly true for Pascal strings.

I read some pages which mentioned Delphi is secure to that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar).

Delphi has no features to avoid all possible kinds of buffer overflows. But, if you write your code to use buffers correctly and sanely, overflows are not likely to happen. This is not limited to just strings, either.

When interfacing with Win API there is no other option except using Pchar". is that true?

It depends on the particular API. Most use simple null-terminated PChar strings, yes. But some use UNICODE_STRING records instead, which use WideChar buffers that are not guaranteed to be null-terminated. Some use ActiveX/COM BSTR (Delphi WideString) strings instead.