[redland-dev] Memory overrun in raptor_uri_filename_to_uri_string() / WIN32

Aymeric Barthe aymeric.barthe at thomsonreuters.com
Tue Aug 19 15:10:03 BST 2008


>> On 19 Aug 2008, at 14:41, Aymeric Barthe wrote:
>>
>> #ifdef WIN32
>>  if(filename[1] == ':' && filename[2] != '\\') // Memory overrun here!
>>    len+=3; /* relative filename - add / and ./ */
>>  else if(*filename == '\\')
>>    len-=2; /* two // from not needed in filename */
>>  else
>>    len++; /* / at start of path */
>> #else
>>
>> I guess calling strlen() would do the trick, but I am not sure it
>> would be so efficient:
>>  if( (strlen(filename) >= 3) && filename[1] == ':' && filename[2] != '\\')
>
>it could be
>
>   if (filename[0] && filename[1] == ':' && filename[2] != '\\')
>
>- Steve
>
>

Right, it would solve this particular case, but I am not sure if dummy
strings like "a" could end up being passed to this function. If that is
the case we still have an overrun.

So maybe something like this would be more secure:

  if (filename[0] && filename[1] && filename[2] && filename[1] == ':' && filename[2] != '\\')

But we end up reading the value twice, so maybe this is better:

  char charAt1, charAt2;
  /* each byte is checked for NUL before the next one is read, and each is read only once */
  if (filename[0] && (charAt1 = filename[1]) && (charAt2 = filename[2])
      && charAt1 == ':' && charAt2 != '\\') {

Aymeric
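As an added illustration (not raptor's code and not part of the thread), the snippet below is a stand-alone model of the WIN32 length adjustment quoted above, using the NUL-checked comparison proposed in the reply. Every byte read goes through a small `at()` helper that records the highest index touched, so a reader can confirm the test never reaches past the terminator of a short string such as `"a"` or `""`. The function names and the return convention are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Instrumentation only: highest index read through at() so far. */
static size_t highest_index_read;

static char at(const char *s, size_t i)
{
    if (i > highest_index_read)
        highest_index_read = i;
    return s[i];
}

/* Length adjustment for a WIN32 filename, mirroring the +3 / -2 / +1
 * cases of the quoted snippet. Each byte is tested for NUL before the
 * next one is read, and each is read only once (assumed name). */
int win32_len_adjust(const char *filename)
{
    char c1, c2;

    if (at(filename, 0) && (c1 = at(filename, 1)) && (c2 = at(filename, 2))
        && c1 == ':' && c2 != '\\')
        return 3;   /* "C:foo": relative drive path, add "/" and "./" */
    if (at(filename, 0) == '\\')
        return -2;  /* "\foo": the two leading "//" are not needed */
    return 1;       /* anything else: "/" at start of path */
}

/* Runs the adjustment and returns the highest index it read, so a
 * caller can check it never exceeds strlen(filename), i.e. the NUL. */
size_t highest_index_touched(const char *filename)
{
    highest_index_read = 0;
    (void)win32_len_adjust(filename);
    return highest_index_read;
}
```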
