[redland-dev] Memory overrun in raptor_uri_filename_to_uri_string() / WIN32
Steve Harris
steve.harris at garlik.com
Tue Aug 19 15:59:41 BST 2008
On 19 Aug 2008, at 15:10, Aymeric Barthe wrote:
>
>>> On 19 Aug 2008, at 14:41, Aymeric Barthe wrote:
>>>
>>> #ifdef WIN32
>>> if(filename[1] == ':' && filename[2] != '\\') // Memory overrun here!
>>> len+=3; /* relative filename - add / and ./ */
>>> else if(*filename == '\\')
>>> len-=2; /* two // from not needed in filename */
>>> else
>>> len++; /* / at start of path */
>>> #else
>>>
>>> I guess calling strlen() would do the trick, but I am not sure it
>>> would be so efficient:
>>> if( (strlen(filename) >= 3) && filename[1] == ':' && filename[2] != '\\')
>>
>> it could be
>>
>> if (filename[0] && filename[1] == ':' && filename[2] != '\\')
>>
>> - Steve
>>
>>
>
> Right, it would solve this particular case, but I am not sure if dummy
> strings like "a" could end up being passed to this function. If that is
> the case we still have an overrun.
>
> So maybe something like this would be more secure:
>
> if (filename[0] && filename[1] && filename[2] && filename[1] == ':' &&
> filename[2] != '\\')
That's no different: if filename[1] == ':' is true, then filename[1] will be true also.
Conjunctive expressions in C evaluate left to right and shortcut.
- Steve
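As an added example (not raptor's code and not from either poster), a hypothetical helper that applies Steve's guard to the quoted WIN32 branch, plus a function that replays the check's left-to-right, short-circuit evaluation to report the highest index each form of the check would read for short inputs such as "" and "a":

```c
#include <stddef.h>
#include <string.h>

/* Added example, not raptor's code. win32_len_adjust() is a hypothetical
 * helper that mirrors the WIN32 branch quoted in the thread and returns the
 * length adjustment that branch applies, using Steve's guard. */
int win32_len_adjust(const char *filename)
{
    /* && evaluates left to right and stops at the first false operand:
     * filename[1] is read only after filename[0] is known to be non-NUL,
     * and filename[2] only after filename[1] == ':' (so also non-NUL).
     * Every index read is therefore at or before the terminator. */
    if (filename[0] && filename[1] == ':' && filename[2] != '\\')
        return 3;   /* relative drive path such as "c:foo": add "/" and "./" */
    else if (filename[0] == '\\')
        return -2;  /* leading backslash: two characters not needed */
    else
        return 1;   /* plain path: "/" at start */
}

/* Replay the evaluation order of the check (guarded or not) and return the
 * highest index it would read. Bytes beyond the terminator are never
 * dereferenced here; the index is only reported. */
size_t highest_index_read(const char *filename, int guarded)
{
    size_t len = strlen(filename);
    if (guarded && filename[0] == '\0')
        return 0;               /* guard short-circuits on the terminator */
    if (len < 1)
        return 1;               /* unguarded: filename[1] lies past "" */
    if (filename[1] != ':')
        return 1;               /* second operand false: filename[2] untouched */
    return 2;                   /* filename[1] == ':' implies len >= 2 */
}

/* 1 if the check would read beyond the NUL terminator, else 0. */
int reads_past_terminator(const char *filename, int guarded)
{
    return highest_index_read(filename, guarded) > strlen(filename);
}
```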