From d7c88780e1df54f34563d60bd7fa01011d2eef03 Mon Sep 17 00:00:00 2001
From: chenluhua1980 <Chenluhua@qq.com>
Date: 星期一, 26 一月 2026 23:17:17 +0800
Subject: [PATCH] 1.CSVData.cpp 里 unserialize 用了 8*2、125*2,但 serialize 只写 8 + 125 字节。 m_svRawData.insert 的 end 指针是 pszBuffer + 125*2,没有用 index 计算,可能把无效区域一起拷进去。 一旦 size 实际是 133(不是 266),就会直接越界,堆会被破坏,m_svDatas.clear() 在销毁元素时崩。
---
SourceCode/Bond/Servo/HsmsAction.cpp | 22 ++++++++++++++++++++--
1 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/SourceCode/Bond/Servo/HsmsAction.cpp b/SourceCode/Bond/Servo/HsmsAction.cpp
index 1c0d71c..1257696 100644
--- a/SourceCode/Bond/Servo/HsmsAction.cpp
+++ b/SourceCode/Bond/Servo/HsmsAction.cpp
@@ -9,6 +9,7 @@
m_nTimeout = 45;
m_nResponseTime = 0;
m_pContext = NULL;
+ m_pSendMessage = NULL;
m_hEvent = ::CreateEvent(NULL, TRUE, FALSE, NULL);
}
@@ -19,6 +20,7 @@
m_nTimeout = nTimeout;
m_nResponseTime = 0;
m_pContext = NULL;
+ m_pSendMessage = NULL;
m_hEvent = ::CreateEvent(NULL, TRUE, FALSE, NULL);
}
@@ -41,6 +43,10 @@
m_bNeedWaitReply = FALSE;
m_nTimeout = 45;
m_nResponseTime = 0;
+ if (m_pSendMessage != NULL) {
+ HSMS_Destroy1Message(m_pSendMessage);
+ m_pSendMessage = NULL;
+ }
::ResetEvent(m_hEvent);
}
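Review bot: The action now destroys `m_pSendMessage` itself (in this block, in setSendMessage and in unserialize), so it has become the owner of the message, but nothing visible states that contract. A caller that keeps using or destroys the pointer it passed to setSendMessage, or a copied CHsmsAction holding the same pointer, would cause a double destroy or a use-after-free. The class declaration and destructor are outside this diff, so please confirm the class is non-copyable (or copies the message) and that the destructor releases it the same way. It would also help to document the transfer on setSendMessage with `// Takes ownership of pMessage; any previously held message is destroyed.`. The enclosing function starts outside the hunk.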
@@ -73,6 +79,9 @@
void CHsmsAction::setSendMessage(IMessage* pMessage)
{
+ if (m_pSendMessage != NULL && m_pSendMessage != pMessage) {
+ HSMS_Destroy1Message(m_pSendMessage);
+ }
m_pSendMessage = pMessage;
}
@@ -110,12 +119,15 @@
int CHsmsAction::serialize(char* pszBuffer, int nBufferSize)
{
int index = 0;
+ if (m_pSendMessage == NULL) {
+ return 0;
+ }
if (pszBuffer == nullptr) {
index += sizeof(int);
index += sizeof(m_nTimeout);
index += sizeof(int);
index += sizeof(BOOL);
- index += m_pSendMessage->serialize(pszBuffer, nBufferSize);
+ index += m_pSendMessage->serialize(nullptr, 0);
return index;
}
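Review bot: The size-query branch adds the result of `m_pSendMessage->serialize(nullptr, 0)` to `index` without checking it, while unserialize treats a negative return from the message as an error. If IMessage::serialize can return a negative value (its definition is not in this diff), the reported size comes out too small and a caller sizing its buffer from it would under-allocate. I would write `int nMsgSize = m_pSendMessage->serialize(nullptr, 0);`, then `if (nMsgSize < 0) return nMsgSize;`, then `index += nMsgSize;`. The new early `return 0` also makes a missing message look like an empty result, whereas unserialize reports failure with -1. The body of serialize continues past the hunk.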
@@ -157,7 +169,13 @@
memcpy(&m_bNeedWaitReply, &pszBuffer[index], sizeof(BOOL));
index += sizeof(BOOL);
- HSMS_Create1Message(m_pSendMessage, 1, 1 | REPLY, 1, 1);
+ if (m_pSendMessage != NULL) {
+ HSMS_Destroy1Message(m_pSendMessage);
+ m_pSendMessage = NULL;
+ }
+ if (HSMS_Create1Message(m_pSendMessage, 1, 1 | REPLY, 1, 1) != 0 || m_pSendMessage == NULL) {
+ return -1;
+ }
int nRet = m_pSendMessage->unserialize(&pszBuffer[index], nBufferSize - index);
if (nRet < 0) return nRet;
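Review bot: Nothing in this hunk checks that `nBufferSize` covers the fixed header before `memcpy(&m_bNeedWaitReply, &pszBuffer[index], sizeof(BOOL))`, and `nBufferSize - index` is handed to the message even when it would be negative. The start of unserialize is outside the hunk and may already validate this. If it does not, a truncated buffer is read past its end, which is the same class of over-read the commit subject describes, so add `if (pszBuffer == nullptr || nBufferSize < index + static_cast<int>(sizeof(BOOL))) return -1;` before the copy. Separately, when `nRet < 0` the freshly created message stays in `m_pSendMessage` half-populated; destroying it and resetting the pointer on that path would keep a later serialize from emitting it.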
--
Gitblit v1.9.3