Re: Delphi and buffer overflows

[Valdis.Kletnieks () vt edu]

On Mon, 20 Oct 2003 01:33:10 -0000, ellostron () yahoo com  said:
> Hi,i looked all over the web but i couldnt find information about buffer overflows in delphi programs.

It's one of several things:

1) Delphi isn't used enough to make attacking it interesting.
2) Delphi is mostly secure against buffer overflows.
3) Delphi leaks like a sieve in other respects, and there's no need to do a buffer
overflow when abusing the quoting rules works.

I *cant* actually speak to the truth of any of those 3, but those are the top
three *possible* reasons (at least to my thinking).  Devising a way to test
each hypothesis is left as an exercise for the vuln-dev community ;)

> I think that as far as delphi uses pascal style strings,programs made in delp
hi are much safer than those made in c/c++.

> 1)Is really delphi much safer?

Presumably it's safer against character-array buffer overflows.  This does not
imply that the language is overall safer - there could very well be significant
brain damage elsewhere, and char-based overflows are only one attack method.

And I'm *positive* that the average Delphi program is just as prone to the
same sort of "failure to filter" bugs that cause every other language to be
vulnerable to XSS, SQL injection, and similar.

Sorry I couldn't answer the question directly, but hopefully I've pointed you
in a productive direction....

Attachment: _bin
Description: