From d7c88780e1df54f34563d60bd7fa01011d2eef03 Mon Sep 17 00:00:00 2001
From: chenluhua1980 <Chenluhua@qq.com>
Date: 星期一, 26 一月 2026 23:17:17 +0800
Subject: [PATCH] 1.CSVData.cpp 里 unserialize 用了 8*2、125*2,但 serialize 只写 8 + 125 字节。 m_svRawData.insert 的 end 指针是 pszBuffer + 125*2,没有用 index 计算,可能把无效区域一起拷进去。 一旦 size 实际是 133(不是 266),就会直接越界,堆会被破坏,m_svDatas.clear() 在销毁元素时崩。
---
SourceCode/Bond/Servo/HsmsPassive.cpp | 83 ++++++++++++++++++++++++++++++++++-------
1 files changed, 69 insertions(+), 14 deletions(-)
diff --git a/SourceCode/Bond/Servo/HsmsPassive.cpp b/SourceCode/Bond/Servo/HsmsPassive.cpp
index c2359b3..0d0f8a3 100644
--- a/SourceCode/Bond/Servo/HsmsPassive.cpp
+++ b/SourceCode/Bond/Servo/HsmsPassive.cpp
@@ -1909,7 +1909,16 @@
if (pszBuffer == nullptr) {
index += sizeof(int);
for (auto item : m_listActionSpooling) {
- index += item->serialize(pszBuffer, nBufferSize);
+ if (item == nullptr || item->getSendMessage() == nullptr) {
+ LOGE("<HSMS>skip spooling item: null send message");
+ continue;
+ }
+ int nRet = item->serialize(nullptr, 0);
+ if (nRet <= 0) {
+ LOGE("<HSMS>skip spooling item: serialize failed");
+ continue;
+ }
+ index += nRet;
}
index += calcSpoolCfgSize();
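Review bot: The skip predicate `item == nullptr || item->getSendMessage() == nullptr` added here is written out again twice in the next hunk (L38 and L49), and the three copies must stay in sync or the size pass and the write pass will disagree. A file-local helper such as `static bool isSpoolable(const CHsmsAction* item) { return item != nullptr && item->getSendMessage() != nullptr; }` used in all three loops would keep the two passes consistent by construction. The enclosing serialize function starts above this hunk, so the buffer-size path that feeds `index` is not visible here.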
@@ -1917,15 +1926,31 @@
return index;
}
else {
- int nTemp, nRet;
+ int nTemp = 0;
+ int nRet = 0;
- nTemp = (int)m_listActionSpooling.size();
+ for (auto item : m_listActionSpooling) {
+ if (item == nullptr || item->getSendMessage() == nullptr) {
+ continue;
+ }
+ if (item->serialize(nullptr, 0) > 0) {
+ ++nTemp;
+ }
+ }
+
memcpy(&pszBuffer[index], &nTemp, sizeof(int));
index += sizeof(int);
for (auto item : m_listActionSpooling) {
+ if (item == nullptr || item->getSendMessage() == nullptr) {
+ LOGE("<HSMS>skip spooling item: null send message");
+ continue;
+ }
nRet = item->serialize(&pszBuffer[index], nBufferSize);
- if (nRet <= 0) break;
+ if (nRet <= 0) {
+ LOGE("<HSMS>skip spooling item: serialize failed");
+ continue;
+ }
index += nRet;
}
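Review bot: The count `nTemp` is written to the buffer before the items are serialized, but it is computed from `serialize(nullptr, 0) > 0` while the write loop skips on a different condition (`serialize(&pszBuffer[index], nBufferSize) <= 0`), so if a bounded serialize fails where the size probe succeeded, the stored count exceeds the number of items actually written and unserialize will iterate into whatever follows. Reserving the count slot, counting only items that were actually written, and patching the count back afterwards removes the mismatch. The bounded call should also pass the remaining space, `nBufferSize - index`, as the unserialize path already does, rather than the full `nBufferSize`. The enclosing function starts before this hunk.
```cpp
int nTemp = 0;
int nRet = 0;
const int nCountPos = index;          // reserve the count slot, patched after the loop
index += sizeof(int);
for (auto item : m_listActionSpooling) {
    if (item == nullptr || item->getSendMessage() == nullptr) {
        LOGE("<HSMS>skip spooling item: null send message");
        continue;
    }
    nRet = item->serialize(&pszBuffer[index], nBufferSize - index);
    if (nRet <= 0) {
        LOGE("<HSMS>skip spooling item: serialize failed");
        continue;
    }
    index += nRet;
    ++nTemp;                          // count only what was actually written
}
memcpy(&pszBuffer[nCountPos], &nTemp, sizeof(int));
```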
@@ -1971,7 +1996,10 @@
for (int i = 0; i < nTemp; i++) {
CHsmsAction* pAction = new CHsmsAction();
nRet = pAction->unserialize(&pszBuffer[index], nBufferSize - index);
- if (nRet <= 0) break;
+ if (nRet <= 0 || pAction->getSendMessage() == nullptr) {
+ delete pAction;
+ break;
+ }
index += nRet;
m_listActionSpooling.push_back(pAction);
}
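Review bot: `nBufferSize - index` is passed to `pAction->unserialize` without first checking that `index` is still below `nBufferSize`; once a previous item consumed the rest of the buffer, the remaining size goes to zero or negative and the callee is relied on to reject it. Guarding before the allocation, `if (index >= nBufferSize) break;` placed ahead of the `new CHsmsAction()`, keeps the bound explicit in this function and avoids allocating an action that will be deleted immediately. `nTemp` is read from the buffer above this hunk, so how it is bounded is not visible here; the enclosing unserialize function starts outside the hunk.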
@@ -2052,6 +2080,11 @@
Unlock();
if (!selected) {
IMessage* pMsg = pAction->getSendMessage();
+ if (pMsg == NULL) {
+ LOGE("<HSMS>spooling drop: null send message");
+ delete pAction;
+ continue;
+ }
uint8_t streamId = 0;
uint8_t functionId = 0;
if (pMsg && pMsg->getHeader()) {
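Review bot: After the new `if (pMsg == NULL)` guard, the `pMsg &&` on the last line of the hunk is dead and can be reduced to `if (pMsg->getHeader()) {`. The guard also uses `NULL` where the first hunk of this patch uses `nullptr`; the file appears to mix both, and the new lines would read better settling on one. Where `pAction` was obtained is not visible in this hunk; if it is still held by the container it was taken from, `delete pAction; continue;` leaves a dangling entry, which is worth confirming against the code above. The enclosing function starts outside the hunk.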
@@ -2073,9 +2106,14 @@
if (pAction->isNeedWaitReply()) {
// 濡傛灉闇�瑕佺瓑寰呭洖澶�
+ IMessage* pMessage = pAction->getSendMessage();
+ if (pMessage == NULL) {
+ LOGE("<HSMS>drop action: null send message");
+ delete pAction;
+ continue;
+ }
Lock();
m_pActiveAction = pAction;
- IMessage* pMessage = pAction->getSendMessage();
Unlock();
ASSERT(pMessage);
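Review bot: `ASSERT(pMessage);` on the last line of the hunk can no longer fire after the explicit `if (pMessage == NULL)` guard added above it and should be dropped; the same applies to the hunk at L99–L113. The read of `pAction->getSendMessage()` was also moved from inside the `Lock()`/`Unlock()` pair to before it; if that lock was what made the action's message pointer safe to read, this is a behavioural change rather than a pure null check, so it is worth confirming what the lock protects. As in the previous hunk, `delete pAction; continue;` assumes nothing else still references `pAction`, which is not visible here. The enclosing function starts outside the hunk.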
@@ -2099,9 +2137,14 @@
Unlock();
}
else {
+ IMessage* pMessage = pAction->getSendMessage();
+ if (pMessage == NULL) {
+ LOGE("<HSMS>drop action: null send message");
+ delete pAction;
+ continue;
+ }
Lock();
m_listActionSent.push_back(pAction);
- IMessage* pMessage = pAction->getSendMessage();
Unlock();
ASSERT(pMessage);
@@ -2144,11 +2187,15 @@
Lock();
CHsmsAction* pAction = new CHsmsAction(ACTION_HELLO, FALSE, m_nActionTimeout);
- m_listAction.push_back(pAction);
IMessage* pMessage = NULL;
- HSMS_Create1Message(pMessage, m_nSessionId, 1 | REPLY, 1, ++m_nSystemByte);
- ASSERT(pMessage);
+ if (HSMS_Create1Message(pMessage, m_nSessionId, 1 | REPLY, 1, ++m_nSystemByte) != 0 || pMessage == NULL) {
+ LOGE("<HSMS>S1F1 create message failed");
+ delete pAction;
+ Unlock();
+ return ER_CREATED_MESSAGE;
+ }
pAction->setSendMessage(pMessage);
+ m_listAction.push_back(pAction);
SetEvent(m_hCimWorkEvent);
Unlock();
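Review bot: The create-check-log-delete-unlock-return sequence at L121–L126 is repeated almost verbatim at L136–L141 and L151–L156, differing only in the stream/function pair and the log text; a small helper that creates the message and returns it (or NULL after logging) would collapse the three copies and keep the failure path identical. Moving `m_listAction.push_back(pAction)` after `setSendMessage` is the right ordering, since the list never sees an action without a message. Note that `++m_nSystemByte` is still consumed when creation fails; whether that matters depends on how system bytes are tracked, which is not visible here. The enclosing function starts outside the hunk.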
@@ -3536,8 +3583,12 @@
CHsmsAction* pAction = new CHsmsAction(ACTION_ALARM_REPORT, TRUE, m_nActionTimeout);
IMessage* pMessage = NULL;
- HSMS_Create1Message(pMessage, m_nSessionId, 5 | REPLY, 1, ++m_nSystemByte);
- ASSERT(pMessage);
+ if (HSMS_Create1Message(pMessage, m_nSessionId, 5 | REPLY, 1, ++m_nSystemByte) != 0 || pMessage == NULL) {
+ LOGE("<HSMS>S5F1 create message failed");
+ delete pAction;
+ Unlock();
+ return ER_CREATED_MESSAGE;
+ }
ISECS2Item* pItem = pMessage->getBody();
pItem->addBinaryItem(szALCD, 1, "ALCD");
pItem->addU4Item(ALID, "ALID");
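Review bot: `pMessage->getBody()` is dereferenced on the line after the new guard without a check of its own; if `getBody()` can return NULL, the null-message fix only moves the crash one line down, and the same holds at L157 in the next hunk. A guard shaped like the one just added, `if (pItem == NULL) { LOGE("<HSMS>S5F1 body missing"); delete pAction; Unlock(); return ER_CREATED_MESSAGE; }`, would close it. The failure path's `Unlock()` also assumes a `Lock()` taken above this hunk, which is not visible here; the enclosing function starts outside the hunk.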
@@ -3580,8 +3631,12 @@
Lock();
CHsmsAction* pAction = new CHsmsAction(ACTION_EVENT_REPORT, TRUE, m_nActionTimeout);
IMessage* pMessage = NULL;
- HSMS_Create1Message(pMessage, m_nSessionId, 6 | REPLY, 11, ++m_nSystemByte);
- ASSERT(pMessage);
+ if (HSMS_Create1Message(pMessage, m_nSessionId, 6 | REPLY, 11, ++m_nSystemByte) != 0 || pMessage == NULL) {
+ LOGE("<HSMS>S6F11 create message failed");
+ delete pAction;
+ Unlock();
+ return ER_CREATED_MESSAGE;
+ }
ISECS2Item* pItem = pMessage->getBody();
// pItem->addU2Item(++DATAID, "DATAID"); // 鏍规嵁鍒殑鏃ュ織鏄剧ずDATAID鎭掍负0锛屾墍浠ユ垜浠厛鐓т娇鐢�0
pItem->addU2Item(0, "DATAID");
--
Gitblit v1.9.3