Thanks for that Alan - I had no idea, and have been looking at lots of C
code lately that probably has the same mistakes. I will keep an eye on
that.

Ok this patch is turning into a trainwreck - to everyone please be careful
when applying it.
Actually my original idea was more to point to the vulnerabilities than to
actually provide a working patch, but since lcms1 is not maintained
actively any more I decided to produce this. I guess in the future I will
say any patches I send are "provided only as an example" and should not be
applied directly..

Regards,
Pedro

Kind regards,

*Pedro Ribeiro*
Information Security Consultant
Professional Bug Hunter


On 6 August 2013 00:35, Alan Coopersmith <alan.coopersm...@oracle.com> wrote:

>  void GetLine(char* Buffer)
>>  {
>> -    scanf("%s", Buffer);
>> +    size_t Buffer_size = sizeof(Buffer);
>> +    fgets(Buffer, (Buffer_size - 1), stdin);
>> +    sscanf(Buffer,"%s");
>>
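Review bot: `sizeof(Buffer)` on a `char*` parameter is the size of the pointer, not of the caller's array, so `fgets` here is bounded to 3 or 7 bytes and the patched `GetLine` silently truncates input instead of protecting the real buffer; in the same hunk, `sscanf(Buffer,"%s");` has no destination argument, which is undefined behaviour and reads nothing useful. Pass the capacity in from the caller, e.g. `void GetLine(char* Buffer, size_t Buffer_size)` with `fgets(Buffer, Buffer_size, stdin)` (fgets already reserves the byte for the terminator, so the `- 1` is unnecessary), and drop the `sscanf` call or replace it with a strip of the trailing newline.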
>
> sizeof() in the C language does not reach through a pointer to find the
> size of the underlying object - that code will always set Buffer_size to
> the size of the pointer itself (4 bytes on 32-bit, 8 bytes on 64-bit), not
> the size of the buffer the pointer is pointing to.
>
> [Noticed when someone suggested we apply the patch from Debian to our
> packages as well.]
>
> --
>         -Alan Coopersmith-              alan.coopersm...@oracle.com
>          Oracle Solaris Engineering - http://blogs.oracle.com/alanc
>
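Alan's sizeof point, as an added C example (not code from this thread or from lcms): the callee sees only the pointer's size, so the capacity has to be passed in. The helper names, the `GetLineSafe` variant with an explicit size parameter, and the input line are my own assumptions and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* What the patched GetLine actually computes: sizeof a char* parameter is
 * the pointer width (4 or 8), never the length of the caller's array. */
size_t sizeof_seen_by_callee(char *Buffer)
{
    return sizeof(Buffer);
}

/* Assumed replacement (hypothetical, not the lcms API): the caller passes
 * the real capacity, fgets reserves room for the terminator itself (so no
 * "- 1"), and the trailing newline is stripped. Returns 0 on success,
 * -1 on EOF/error or a zero-sized buffer. */
int GetLineSafe(char *Buffer, size_t Buffer_size, FILE *in)
{
    if (Buffer_size == 0 || fgets(Buffer, (int)Buffer_size, in) == NULL)
        return -1;
    Buffer[strcspn(Buffer, "\r\n")] = '\0';
    return 0;
}

/* Test harness: feed a constructed string through a temporary stream
 * (standard C only) and read its first line into out[out_size]. */
int read_first_line(const char *input, char *out, size_t out_size)
{
    FILE *in = tmpfile();
    int rc;
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    rc = GetLineSafe(out, out_size, in);
    fclose(in);
    return rc;
}

int main(void)
{
    char line[16];   /* the real capacity is only known here, in the caller */
    printf("sizeof in caller: %zu, sizeof seen by callee: %zu\n",
           sizeof(line), sizeof_seen_by_callee(line));
    /* Constructed input longer than the buffer: truncated, not overflowed. */
    if (read_first_line("this-line-is-much-longer-than-sixteen-bytes\n",
                        line, sizeof(line)) == 0)
        printf("read: \"%s\" (%zu chars)\n", line, strlen(line));
    return 0;
}
```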
