From d7c88780e1df54f34563d60bd7fa01011d2eef03 Mon Sep 17 00:00:00 2001
From: chenluhua1980 <Chenluhua@qq.com>
Date: 星期一, 26 一月 2026 23:17:17 +0800
Subject: [PATCH] 1.CSVData.cpp 里 unserialize 用了 8*2、125*2,但 serialize 只写 8 + 125 字节。 m_svRawData.insert 的 end 指针是 pszBuffer + 125*2,没有用 index 计算,可能把无效区域一起拷进去。 一旦 size 实际是 133(不是 266),就会直接越界,堆会被破坏,m_svDatas.clear() 在销毁元素时崩。
---
SourceCode/Bond/Servo/CSVData.cpp | 30 +++++++++++++++++-------------
1 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/SourceCode/Bond/Servo/CSVData.cpp b/SourceCode/Bond/Servo/CSVData.cpp
index 22ee583..a60a7f6 100644
--- a/SourceCode/Bond/Servo/CSVData.cpp
+++ b/SourceCode/Bond/Servo/CSVData.cpp
@@ -26,31 +26,35 @@
int CSVData::serialize(char* pszBuffer, int nBufferSize)
{
- if (nBufferSize < 133) return -1;
+ if (nBufferSize < 133 * 2) return -1;
int index = 0;
- CToolUnits::convertString(&pszBuffer[index], 8, m_strTime);
- index += 8;
+ CToolUnits::convertString(&pszBuffer[index], 8 * 2, m_strTime);
+ index += 8 * 2;
- memcpy(&pszBuffer[index], m_svRawData.data(), 125);
- index += 125;
+ memcpy(&pszBuffer[index], m_svRawData.data(), 125 * 2);
+ index += 125 * 2;
- return 133;
+ return 133 * 2;
}
int CSVData::unserialize(const char* pszBuffer, int nBufferSize)
{
- if (nBufferSize < 133) return -1;
+ if (pszBuffer == nullptr) return -1;
+ if (nBufferSize < 133 * 2) return -1;
int index = 0;
- CSVData svData;
- CToolUnits::convertString(&pszBuffer[index], 8, m_strTime);
- index += 8;
+ CToolUnits::convertString(&pszBuffer[index], 8 * 2, m_strTime);
+ index += 8 * 2;
m_svRawData.clear();
- m_svRawData.insert(m_svRawData.end(), (uint8_t*)(pszBuffer), (uint8_t*)(pszBuffer)+125);
- index += 125;
+ if (nBufferSize < index + 125 * 2) return -1;
+ m_svRawData.insert(
+ m_svRawData.end(),
+ (const uint8_t*)&pszBuffer[index],
+ (const uint8_t*)&pszBuffer[index + 125 * 2]);
+ index += 125 * 2;
- return 133;
+ return 133 * 2;
}
}
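Review bot: In `serialize`, `memcpy(&pszBuffer[index], m_svRawData.data(), 125 * 2)` copies 250 bytes out of `m_svRawData` without checking that it holds that many. If it is shorter or empty, this is an out-of-bounds heap read, and the stray bytes end up in the serialized record. Assuming `m_svRawData` is a `std::vector<uint8_t>` (its declaration is not in the hunk), guard the copy with `if (m_svRawData.size() < 125 * 2) return -1;`, or copy `size()` bytes and zero-fill the remainder. `serialize` also lacks the `pszBuffer == nullptr` check that `unserialize` gains here. In `unserialize`, the second test `if (nBufferSize < index + 125 * 2) return -1;` cannot fire after the `133 * 2` check, and it sits after `m_strTime` is overwritten and `m_svRawData` is cleared, so it would leave the object half-updated if the sizes ever diverge; named constants such as `constexpr int kRawBytes = 125 * 2;` shared by both functions would keep the two layouts in step.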
--
Gitblit v1.9.3