Security Updates

The team at Stingray by Perforce is committed to the highest possible standard of security in our GUI development tools for Windows, which is why we continually update our platform to mitigate security risks and provide a best-in-class GUI development solution for customers. Upgrade to the latest version of Stingray and view the previous security updates below.

| Update | Description | Fixed |
|---|---|---|
| Integer Overflow Fix | A possible integer overflow occurs in jmemmgr.cpp when the environment variable JPEGMEM is defined, which causes a code path to compute the maximum memory to use. When computing the value, it is possible to end up with a value of 1,000,000,000,000, which is larger than the maximum value of a long. The issue was resolved by properly clipping the range and notifying the user if this has occurred. | 2022.2 Release |
| Veracode Buffer Overrun Reported Fix | Veracode static analysis reports a possible buffer overrun in gx_range_to_text in a call to _stprintf. Code was added to clip the range and ensure the length of the buffer is not overrun. | 2022.2 Release |
| Memory Leak Fix | Use of Stingray Grid causes memory consumption to grow due to memory leaks in code. The code in Grid was fixed to reclaim dynamic memory and stop memory consumption growth, mitigating significant memory leak flaws. | 2022.1 Release |
| Replace Unsafe CRT Functions With Safe CRT Functions | The Visual Studio compiler and customers scanning Stingray code with Veracode note the use of functions such as 'wcscpy', which are considered unsafe for copying memory. They should be replaced with 'wcscpy_s' functions instead. Stingray's code was changed to use proper memory copy routines to ensure safe and secure handling of memory. | 2021.1 Release |
| Eliminate Potential Buffer Overflow Error | The Veracode code scanner reports possible buffer overflow issues in Stingray code which could result in an attacker taking control of the data written into a buffer, resulting in arbitrary execution of code. The suspect code was rewritten to avoid any possible buffer overflow issues and verified with a code scanning tool. | 2021.1 Release |
| Improper Use of sscanf Makes Code Vulnerable to Buffer Overflow Attacks | The Veracode code scanner reports use of sscanf to scan input into a buffer. The function sscanf is considered unsafe, and the function sscanf_s should be used instead to eliminate possible buffer overflow attacks. Use of sscanf was replaced with the safe sscanf_s function. | 2021.1 Release |
| Buffer Overrun With a Long Face Name of a Font | The length of an incoming font name string was not checked when it was copied to an internal buffer, which results in the buffer being overrun. This is a security vulnerability and could result in data being written into other memory and executed. The code was fixed to ensure the buffer size is adequate and to use secure memory copy routines. | 2021.1 Release |
| Buffer Overflow in SRGraphTitle::ComputeLineBreaks | Function SRGraphTitle::ComputeLineBreaks will overflow a memory buffer when the text provided to it contains more than 31 line breaks. The resulting buffer was enlarged and proper checks were put in place to ensure it is not overwritten. | 2021.1 Release |
| Upgrade Use of 3rd-Party Open Source Package Libtiff | Stingray was using an outdated version of libtiff which contained security vulnerabilities. Upgraded use of version 3.3 libtiff to the latest version. High Severity security vulnerabilities resolved: CVE-2011-1167 | 2021.1 Release |
| Memory Leak Fix | Stingray Grid is not properly releasing allocated memory after dialog creation. The code in Grid was fixed to reclaim dynamic memory used during dialog creation. | 2020.1 Release |
| Use /DYNAMICBASE Option Instead of Specifying Base Address for Executables | For security reasons, Microsoft recommends using the /DYNAMICBASE option when creating executables rather than specifying the base address. Using the same base address makes it easy for hackers to know where your code is loaded into memory when it is run. Stingray's executable creation process was modified to use the /DYNAMICBASE option so that the location it is loaded into memory is different each time. | 2019 Release |
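
The range clipping described in the Integer Overflow Fix entry, shown as an added example that is not Stingray's code. It assumes the JPEGMEM format used by libjpeg's jmemmgr.c (a count of thousands of bytes, or millions with an M suffix) and models a 32-bit long with int32_t; the name parse_jpegmem and the message text are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: model a 32-bit long (as on Windows) so results match on any host. */
#define LONG32_MAX INT32_MAX

/* Parse a JPEGMEM-style string: decimal count of thousands of bytes, or of
 * millions with an 'm'/'M' suffix (libjpeg's convention, assumed here).
 * Returns 0 on success, -1 if unusable; *clipped is 1 when clamped. */
int parse_jpegmem(const char *env, int32_t *max_bytes, int *clipped)
{
    char *end;
    long long n, scale = 1000;

    *clipped = 0;
    if (env == NULL || *env == '\0')
        return -1;
    errno = 0;
    n = strtoll(env, &end, 10);
    if (end == env || n < 0)
        return -1;              /* not a number, or negative */
    if (*end == 'm' || *end == 'M')
        scale = 1000000;
    /* Compare before multiplying so the product can never overflow. */
    if (errno == ERANGE || n > LONG32_MAX / scale) {
        *max_bytes = LONG32_MAX;
        *clipped = 1;           /* caller should notify the user */
        return 0;
    }
    *max_bytes = (int32_t)(n * scale);
    return 0;
}

int main(void)
{
    int32_t max_bytes;
    int clipped;
    const char *env = getenv("JPEGMEM");

    if (parse_jpegmem(env, &max_bytes, &clipped) != 0)
        return 0;               /* unset or unusable: keep the default */
    if (clipped)
        fprintf(stderr, "JPEGMEM too large, clipped to %ld bytes\n", (long)max_bytes);
    printf("max_memory_to_use = %ld\n", (long)max_bytes);
    return 0;
}
```

With JPEGMEM=1000000M the unclipped product would be the 1,000,000,000,000 cited in the entry; here it is clamped and flagged instead.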

Upgrade to the Latest Stingray Version

Upgrade to the latest Stingray version for the best security outcomes in GUI development for Windows.