Bug Report T717080

Memory corruption can occur on parsing a custom cell formatting pattern with a date and/or time macro

created 6 years ago (modified 6 years ago)

There appears to be a bug in the dxSpreadSheetNumberFormatParser.pas module in the v18.2.4 release (haven't checked earlier versions).

This is the method that's been crashing for us:

Delphi
procedure TdxNumberFormatParser.OnSecond;
var
  AElement: TdxNumberFormatElement;
  I: Integer;
begin
  // try convert month to minute
  for I := FElements.Count - 1 downto 0 do
  begin
    AElement := FElements[I];
    if AElement is TdxNumberFormatElementDateBase then
    begin
      if AElement is TdxNumberFormatElementMonth then
        FElements[I] := TdxNumberFormatElementMinutes.Create(TdxNumberFormatElementMonth(AElement).Count, False);
      if not (AElement is TdxNumberFormatElementAmPm) then
        Break;
    end;
  end;
  FElements.Add(TdxNumberFormatElementSeconds.Create(IfThen(GetDateTimeBlockLength > 1, 2, 1), False));
end;

The FElements field is derived from TObjectList and owns the objects held in it, so if/when the "if AElement is TdxNumberFormatElementMonth then" condition executes, the previously held item in FElements[I] is freed when the reassignment to the element's made.

The local variable AElement is holding a reference to that previous item, so becomes stale at that point and potentially crashes when the immediately following "is TdxNumberFormatElementAmPm" test's applied.

Updating AElement after the FElements[I] assignment seems to fix this:

Delphi
procedure TdxNumberFormatParser.OnSecond;
var
  AElement: TdxNumberFormatElement;
  I: Integer;
begin
  // try convert month to minute
  for I := FElements.Count - 1 downto 0 do
  begin
    AElement := FElements[I];
    if AElement is TdxNumberFormatElementDateBase then
    begin
      if AElement is TdxNumberFormatElementMonth then
      begin
        FElements[I] := TdxNumberFormatElementMinutes.Create(TdxNumberFormatElementMonth(AElement).Count, False);
        AElement := FElements[I]; // New line, with accompanying begin/end block
      end;
      if not (AElement is TdxNumberFormatElementAmPm) then
        Break;
    end;
  end;
  FElements.Add(TdxNumberFormatElementSeconds.Create(IfThen(GetDateTimeBlockLength > 1, 2, 1), False));
end;

This does seem to work, but please let me know if I've missed something and have misunderstood the problem/fix.

Cheers,
Ian
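
The ownership behaviour described in the post above can be observed in isolation with the console program below. It is an added example, not part of the original post and not DevExpress code; the element classes, FreedCount and ReplaceMonthAt are hypothetical names, and a plain Contnrs.TObjectList stands in for FElements.

```delphi
program StaleRefDemo;
{$APPTYPE CONSOLE}
// Added illustration; every type and name here is hypothetical, not DevExpress code.
uses
  SysUtils, Contnrs;

type
  TElement = class
    destructor Destroy; override;
  end;
  TMonthElement = class(TElement);
  TMinutesElement = class(TElement);
  TAmPmElement = class(TElement);

var
  FreedCount: Integer = 0;

destructor TElement.Destroy;
begin
  Inc(FreedCount);   // records that the owning list released this instance
  inherited;
end;

// Safe variant of the "replace, then keep testing" loop step:
// returns True when the scan should stop at index I.
function ReplaceMonthAt(AList: TObjectList; I: Integer): Boolean;
var
  AElement: TElement;
begin
  AElement := TElement(AList[I]);
  if AElement is TMonthElement then
  begin
    AList[I] := TMinutesElement.Create;  // owning list frees the old TMonthElement here
    AElement := TElement(AList[I]);      // re-read: the previous pointer is now dangling
  end;
  Result := not (AElement is TAmPmElement);
end;

var
  List: TObjectList;
begin
  List := TObjectList.Create(True);      // OwnsObjects = True, as the post describes
  try
    List.Add(TMonthElement.Create);
    Writeln('stop scan: ', ReplaceMonthAt(List, 0));
    Writeln('freed after replace: ', FreedCount, ', slot holds ', List[0].ClassName);
  finally
    List.Free;
  end;
end.
```

The destructor counter increments at the indexed assignment, before any explicit Free call, which is why a local reference taken before that assignment must be refreshed before it is tested again.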

Comments (2)
DevExpress Support Team 6 years ago

    Hello Ian,

    We've examined your situation. However, we need to replicate the issue on our side. Would you please provide us with a small test project that demonstrates the problematic behavior?

    DevExpress Support Team 6 years ago

      Thank you for the example. We will examine it.

      Answers approved by DevExpress Support

      created 6 years ago

      We have fixed the issue described in this ticket and will include the fix in our next maintenance update. To apply this solution before the official update, request a hotfix by clicking the corresponding link for product versions you require.

      Note: Hotfixes may be unavailable for beta versions and updates that are about to be released.