About MEDITECH Reports

MEDITECH Reports is an online reference for NPR Report Writing and is not affiliated with MEDITECH, Inc. (http://meditech.com).

I'm your host, John Sharpe, a MEDITECH Report Writing Consultant living in Spokane, WA.


Buffer Overflow in the MEDITECH NPR Report Writer


For months, this bug ran undetected. One day the right conditions allowed it to crash the report.


In this case, /PROC[SU,6] was printed in a custom field:

xx.proc.6
DAT=FREE
LEN=40
VAL=/PROC[SU,6]

The vendor, who'd requested the extract, didn't need data beyond procedure 5 and requested that any remaining data be reported in field xx.proc.6. The values in xx.proc.6 would likely be used for manual review if needed. The field only reported the value to a length of 40 characters.

As you know, MEDITECH variables on the Client Server & Magic platforms are limited to 255 characters. However, this code allowed more than 255 characters to be assigned to a variable (/PROC[SU,6]): /PROC[SU,6]_", "_@actual.op^/PROC[SU,6].

To resolve this overflow, the IF statement can be modified to stop processing when the length of the existing variable (/PROC[SU,6]) and field (@actual.op) will be greater than 255 characters when strung together:

IF{L(/PROC[SU,6]_", "_@actual.op)>255 0^/CONTINUE; ...

By implementing a condition based on the value of /CONTINUE, the variable /PROC[SU,6] will never contain more than 255 characters. The DO{@PROC.NXT loop now stops at that point; this prevents inaccurate reporting if the next value for @actual.op is short enough to print in a field of 40 characters.

PROC.NXT
(/CONTINUE=1)&(@Next(actual.op.urn))

PROCEDURES
""^actual.op.urn,1^/CONTINUE,
DO{@PROC.NXT IF{actual.op.urn<6 @actual.op^/PROC[SU,actual.op.urn];
IF{L(/PROC[SU,6]_", "_@actual.op)>255 0^/CONTINUE;
/PROC[SU,6] /PROC[SU,6]_", "_@actual.op^/PROC[SU,6];
@actual.op^/PROC[SU,6]}}},
IF{/CONTINUE=0 (/PROC[SU,6]_", "_@actual.op):40TL^/PROC[SU,6]}
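
The length guard in the loop above, modeled in Python as an added example (it is not NPR code and not part of the original post). It assumes procedures arrive with urns 1, 2, 3, ...; the names collect_procedures and constructed_ops are hypothetical, and the final 40-character truncation line of the macro is not modeled.

```python
# Added illustration: a Python model of the macro's guard, not MEDITECH code.
MAX_VAR_LEN = 255   # variable limit stated in the article
SEP = ", "          # separator used when stringing procedures together


def collect_procedures(ops, guard=True):
    """Model of the DO{@PROC.NXT ...} loop.

    ops: procedure descriptions in urn order (assumption: urns 1, 2, 3, ...).
    Returns (slots, cont). slots maps 1..6 to strings, like /PROC[SU,n];
    cont mirrors /CONTINUE and is 0 when the guard stopped the loop.
    guard=False reproduces the original behaviour with no length test.
    """
    slots = {n: "" for n in range(1, 7)}
    cont = 1
    for urn, op in enumerate(ops, start=1):
        if urn < 6:
            slots[urn] = op                  # procedures 1-5 get their own slot
        elif guard and len(slots[6] + SEP + op) > MAX_VAR_LEN:
            cont = 0                         # 0^/CONTINUE
            break                            # @PROC.NXT is now false
        elif slots[6]:
            slots[6] = slots[6] + SEP + op   # append to the existing value
        else:
            slots[6] = op                    # first value stored in slot 6
    return slots, cont


def constructed_ops(count, width=30):
    """Constructed sample data: `count` procedure names, each `width` chars."""
    return [f"PROC-{i:02d}".ljust(width, ".") for i in range(1, count + 1)]


if __name__ == "__main__":
    ops = constructed_ops(20)                # 5 own-slot + 15 overflow candidates
    unguarded, _ = collect_procedures(ops, guard=False)
    guarded, cont = collect_procedures(ops)
    print("unguarded slot 6 length:", len(unguarded[6]))
    print("guarded slot 6 length:  ", len(guarded[6]), "CONTINUE =", cont)
```

As in the macro, the guard measures the candidate string with the separator included even when slot 6 is still empty, so the test is slightly conservative for the first value.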

When you've inherited a report from another report writer, it is tempting to re-design and re-write the report from scratch. There's a saying in the programmer / developer world that goes something like this: if you can come back a year from now and review code you wrote today ... and not want to change anything, you're an expert.

Question: What could be more important than writing expert code in every report you work on?

Answer: Keeping your time focused on those reports that most 1) improve patient outcomes OR 2) contribute to the bottom line.


Comments

I like your test for potential overflow. While the test of L(/PROC[SU,6]_", "_@actual.op)>255 will prevent overflow why not stop at >41 if the field will only present 40 chars max anyway?
Posted @ Friday, December 04, 2009 9:37 PM by Marek
Thank you. 
 
I did think about stopping at 41; but decided to truncate to 255, to allow the field to be extended in the future, without updating the macro.
Posted @ Saturday, December 05, 2009 7:43 PM by John Sharpe