[redland-dev] Memory overrun in raptor_uri_filename_to_uri_string() / WIN32

Aymeric Barthe aymeric.barthe at thomsonreuters.com
Tue Aug 19 14:41:07 BST 2008


Hello guys,

I am using redland libs in a small in house tool, and I think I have
spotted a minor memory overrun in Rasqal/Raptor on Win32.

In rasqal_query.c, function rasqal_query_prepare(), line 1108, you can
see a call to raptor_uri_filename_to_uri_string() with an empty string.

  if(base_uri)
    base_uri=raptor_uri_copy(base_uri);
  else {
    unsigned char *uri_string=raptor_uri_filename_to_uri_string(""); // HERE!
    base_uri=raptor_new_uri(uri_string);
    if(uri_string)
      raptor_free_memory(uri_string);
  }

However, in raptor_uri.c, function raptor_uri_filename_to_uri_string(),
line 571, you can see we do not check the string length:

#ifdef WIN32
  if(filename[1] == ':' && filename[2] != '\\') // Memory overrun here!
    len+=3; /* relative filename - add / and ./ */
  else if(*filename == '\\')
    len-=2; /* two // from not needed in filename */
  else
    len++; /* / at start of path */
#else

I guess calling strlen() would do the trick, but I am not sure it
would be so efficient:
  if( (strlen(filename) >= 3) && filename[1] == ':' && filename[2] != '\\')

Aymeric
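To make the out-of-bounds read concrete, here is an added example (not raptor's or rasqal's code) that models the quoted Win32 length adjustment as a stand-alone function, `win32_len_adjust_unchecked()` with the original branching and `win32_len_adjust_checked()` with a guard; both function names are hypothetical. The hardened variant guards with `filename[0] != '\0'` instead of the `strlen()` call proposed above: both stop the read past the terminator, but the `strlen(filename) >= 3` guard also moves a bare drive such as `C:` into the else branch, whereas the one-byte check keeps the original branching for every non-empty input.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the Win32 branch quoted from raptor_uri_filename_to_uri_string():
 * returns the number of bytes the branch adds to (or removes from) the
 * reserved URI length.  Hypothetical stand-in, not the library's code. */

/* Original branching: filename[1] and filename[2] are read before anything
 * confirms the string is that long.  For "" the terminator is filename[0],
 * so filename[1] is already past the end of the allocation (undefined
 * behaviour; an ASan build or a 1-byte heap allocation makes it visible). */
int win32_len_adjust_unchecked(const char *filename) {
  if (filename[1] == ':' && filename[2] != '\\')
    return 3;            /* relative filename - add / and ./ */
  else if (*filename == '\\')
    return -2;           /* two // from not needed in filename */
  else
    return 1;            /* / at start of path */
}

/* Hardened: one extra byte check is enough.  If filename[0] is not the
 * terminator, filename[1] is in bounds (at worst it is the terminator), and
 * filename[1] == ':' means filename[2] is in bounds as well, so the original
 * comparisons never run ahead of the string. */
int win32_len_adjust_checked(const char *filename) {
  if (filename[0] != '\0' && filename[1] == ':' && filename[2] != '\\')
    return 3;
  else if (*filename == '\\')
    return -2;
  else
    return 1;
}

/* Regression check: on well-formed (non-empty) inputs the guarded version
 * must branch exactly like the original.  The empty string is deliberately
 * absent here because only the checked version may be called on it. */
int checked_matches_unchecked(void) {
  static const char *const cases[] = {
    "C:foo", "C:\\foo", "\\\\server\\share", "foo", "C", "C:" };
  size_t i;
  for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
    if (win32_len_adjust_checked(cases[i]) != win32_len_adjust_unchecked(cases[i]))
      return 0;
  return 1;
}

int main(void) {
  printf("adjust(\"\") = %d, branching preserved: %s\n",
         win32_len_adjust_checked(""), checked_matches_unchecked() ? "yes" : "no");
  return 0;
}
```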

