Security Updates
The team at Perforce Stingray is committed to the highest possible standard of security in our GUI development tools for Windows. Which is why we are continually updating our platform to mitigate security risks and provide a best-in-class GUI development solution for customers. Upgrade to the latest version of Stingray and view the previous security updates below.
| Update | Description | Fixed |
|---|---|---|
Integer Overflow Fix | A possible integer overflow occurs in jmemmgr.cpp when the environment variable JPEGMEM is defined which causes a code path to compute the maximum memory to use. When computing the value it is possible to end up with a value of 1,000,000,000,000 which has a length larger than a long maximum value. The issue was resolved by properly clipping the range and notifying the user if this has occurred. | 2022.2 Release |
VeraCode Buffer Overrun Reported Fix | VeraCode static analysis reports possible buffer overrun in gx_range_to_text in a call to _stprintf. Code was added to clip the range and ensure the length of the buffer is not overrun. | 2022.2 Release |
Memory Leak Fix | Use of Stingray Grid causes memory consumption to grow due to memory leaks in code. The code in Grid was fixed to reclaim dynamic memory and stop memory consumption growth, mitigating significant memory leak flaws. | 2022.1 Release |
Replace Unsafe CRT Functions With Safe CRT Functions | Visual Studio compiler and customers scanning Stingray code with Veracode note use of functions such as 'wcscpy' which are considered unsafe for copying memory. They should be replaced with 'wcscpy_s' functions instead. Stingray's code was changed to use proper memory copy routines to ensure safe and secure handling of memory. | 2021.1 Release |
Eliminate Potential Buffer Overflow Error | Veracode code scanner reports possible buffer overflow issues in Stingray code which could result in an attacker taking control of the data written into a buffer and resulting in arbitrary execution of code. The suspect code was rewritten to avoid any possible buffer overflow issues and verified with a code scanning tool. | 2021.1 Release |
Improper Use of sscanf Makes Code Vulnerable to Buffer Overflow Attacks | Veracode code scanner reports use of sscanf to scan input into a buffer. The function sscanf is considered unsafe and the function sscanf_s should be used instead to eliminate possible buffer overflow attacks. Use of scanf was replaced with the safe sscanf_s function instead. | 2021.1 Release |
Buffer Overrun With a Long Face Name of a Font | The length of an incoming font name string was not checked when copied to an internal buffer and results in the buffer being overrun. This is a security vulnerability and could result in data being written into other memory and executed. The code was fixed to ensure the buffer size was adequate and use of secure memory copy routines were utilized. | 2021.1 Release |
Buffer Overflow in SRGraphTitle::ComputeLineBreaks | Function SRGraphTitle::ComputeLineBreaks will overflow a memory buffer when more than 31 line breaks are in the provided text to it. The resulting buffer was enlarged and proper checks were put in place to ensure it is not overwritten. | 2021.1 Release |
Upgrade Use of 3rd-Party Open Source Package Libtiff | Stingray was using an outdated version of libtiff which contained security vulnerabilities. Upgraded use of version 3.3 libtiff to the latest version. High Severity security vulnerabilities resolved: CVE-2011-1167 | 2021.1 Release |
Memory Leak Fix | Stingray Grid is not properly releasing allocated memory after dialog creation. The code in Grid was fixed to reclaim dynamic memory used during dialog creation. | 2020.1 Release |
Use /DYNAMICBASE Option Instead of Specifying Base Address for Executables | For security reasons Microsoft recommends using the /DYNAMICBASE option when creating executables rather than specifying the base address. Using the same base address makes it easy for hackers to know where your code is loaded into memory when it is run. Stingray's executable creation process was modified to use the /DYNAMICBASE option so that the location it is loaded into memory is different each time. | 2019 Release |
Upgrade to the Latest Stingray Version
Upgrade to the latest Stingray version for best GUI development for Windows security outcomes.