From d7c88780e1df54f34563d60bd7fa01011d2eef03 Mon Sep 17 00:00:00 2001
From: chenluhua1980 <Chenluhua@qq.com>
Date: 星期一, 26 一月 2026 23:17:17 +0800
Subject: [PATCH] 1.CSVData.cpp 里 unserialize 用了 8*2、125*2,但 serialize 只写 8 + 125 字节。 m_svRawData.insert 的 end 指针是 pszBuffer + 125*2,没有用 index 计算,可能把无效区域一起拷进去。 一旦 size 实际是 133(不是 266),就会直接越界,堆会被破坏,m_svDatas.clear() 在销毁元素时崩。
---
SourceCode/Bond/Servo/CSVData.cpp | 24 ++++++++++++++----------
SourceCode/Bond/Servo/CEquipment.cpp | 2 ++
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/SourceCode/Bond/Servo/CEquipment.cpp b/SourceCode/Bond/Servo/CEquipment.cpp
index 3de5521..9f29ea6 100644
--- a/SourceCode/Bond/Servo/CEquipment.cpp
+++ b/SourceCode/Bond/Servo/CEquipment.cpp
@@ -1889,7 +1889,9 @@
CSVData svData;
int nRet = svData.unserialize(&pszData[0], (int)size);
if (nRet < 0) return nRet;
+ Lock();
m_svDatas.push_back(svData);
+ Unlock();
if (m_listener.onSVDataReport != nullptr) {
m_listener.onSVDataReport(this, &svData);
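Review bot: The bare `Lock();` / `Unlock();` pair around `m_svDatas.push_back(svData);` is not exception-safe: if `push_back` throws (for example on allocation failure while copying the element), `Unlock()` is skipped and the lock stays held. A scoped guard whose constructor calls `Lock()` and whose destructor calls `Unlock()` releases it on every path, e.g. `{ ScopedLock guard(this); m_svDatas.push_back(svData); }`, where `ScopedLock` is a placeholder name for a small RAII helper that is not on this page. The lock only protects the container if every other reader and writer of `m_svDatas` takes it too, including the `m_svDatas.clear()` path named in the commit message; that cannot be confirmed from this hunk. The enclosing function starts and ends outside the hunk.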
diff --git a/SourceCode/Bond/Servo/CSVData.cpp b/SourceCode/Bond/Servo/CSVData.cpp
index fbda14e..a60a7f6 100644
--- a/SourceCode/Bond/Servo/CSVData.cpp
+++ b/SourceCode/Bond/Servo/CSVData.cpp
@@ -26,31 +26,35 @@
int CSVData::serialize(char* pszBuffer, int nBufferSize)
{
- if (nBufferSize < 133) return -1;
+ if (nBufferSize < 133 * 2) return -1;
int index = 0;
- CToolUnits::convertString(&pszBuffer[index], 8, m_strTime);
- index += 8;
+ CToolUnits::convertString(&pszBuffer[index], 8 * 2, m_strTime);
+ index += 8 * 2;
- memcpy(&pszBuffer[index], m_svRawData.data(), 125);
- index += 125;
+ memcpy(&pszBuffer[index], m_svRawData.data(), 125 * 2);
+ index += 125 * 2;
- return 133;
+ return 133 * 2;
}
int CSVData::unserialize(const char* pszBuffer, int nBufferSize)
{
- if (nBufferSize < 133) return -1;
+ if (pszBuffer == nullptr) return -1;
+ if (nBufferSize < 133 * 2) return -1;
int index = 0;
- CSVData svData;
CToolUnits::convertString(&pszBuffer[index], 8 * 2, m_strTime);
index += 8 * 2;
m_svRawData.clear();
- m_svRawData.insert(m_svRawData.end(), (uint8_t*)(&pszBuffer[index]), (uint8_t*)(pszBuffer)+(125 * 2));
+ if (nBufferSize < index + 125 * 2) return -1;
+ m_svRawData.insert(
+ m_svRawData.end(),
+ (const uint8_t*)&pszBuffer[index],
+ (const uint8_t*)&pszBuffer[index + 125 * 2]);
index += 125 * 2;
- return 133;
+ return 133 * 2;
}
}
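Review bot: In `serialize`, `memcpy(&pszBuffer[index], m_svRawData.data(), 125 * 2);` reads 250 bytes from `m_svRawData` without checking that the vector holds that many. If it is shorter (for example an object never filled by `unserialize`), this is a heap over-read that copies adjacent memory into the output buffer. Add `if (m_svRawData.size() < (size_t)(125 * 2)) return -1;` before the copy, or copy only `size()` bytes and zero-fill the rest. `serialize` also lacks the `if (pszBuffer == nullptr) return -1;` guard that `unserialize` gained. In `unserialize`, the added `if (nBufferSize < index + 125 * 2) return -1;` is already implied by the `133 * 2` check and sits after `m_strTime` is overwritten and `m_svRawData` cleared, so it should be dropped or moved ahead of those mutations; shared named constants for the 16/250/266 sizes would keep the two functions from drifting apart again.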
--
Gitblit v1.9.3