Hi,
just saw a report [1] about a crash in exactimage. This can be reproduced with
the current version with the following steps:
# modify Makefile and add to CFLAGS/CXXFLAGS: -fsanitize=address -fsanitize=undefined
./configure
make
./objdir/frontends/bardecode example_barcode-bw.png
The patch to fix this is attached.
Kind regards,
Sven
[1] https://bugs.launchpad.net/ubuntu/+source/exactimage/+bug/1425472
From 179735a4b070393363bd43d428f5093e99299bde Mon Sep 17 00:00:00 2001
From: Sven Eckelmann <[email protected]>
Date: Wed, 25 Feb 2015 12:31:31 +0100
Subject: [PATCH] Fix buffer overflow when decoding code128 code_set_c
A dual character string needs at least 3 bytes to be saved by sprintf. Saving
it in a 2 byte buffer will cause the 0-delimiter to overwrite other data on the
stack.
It is better to use snprintf to make sure that no data is written outside the
allocated buffer and provide 3 bytes for the buffer.
---
bardecode/code128.hh | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bardecode/code128.hh b/bardecode/code128.hh
index e9bfada..e48b36f 100644
--- a/bardecode/code128.hh
+++ b/bardecode/code128.hh
@@ -236,8 +236,9 @@ namespace BarDecode
switch (code_set) {
case code_set_c:
if (c < 100) {
- char str[2];
- sprintf(str,"%02d",c);
+ char str[3];
+ snprintf(str,sizeof(str),"%02d",c);
+ str[sizeof(str) - 1] = '\0';
return std::string(str);
} else {
return std::string(1,caux[c-96]);
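Review bot: the explicit terminator on `+ str[sizeof(str) - 1] = '\0';` is redundant, since snprintf always NUL-terminates its output when the size argument is non-zero; the line is harmless but can be dropped. The size change itself is right: "%02d" for c < 100 produces two digits plus the terminator, so `char str[3]` is exactly the required size and the old `char str[2]` let sprintf write the terminator one byte past the end of the stack array. Consider also comparing snprintf's return value against sizeof(str), so that a future change to the `if (c < 100)` guard cannot silently truncate a three-digit value instead of failing loudly.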
--
2.1.4
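The sizing argument from the commit message, worked through as an added example (this is not exactimage's code, and `format_code_set_c` is a hypothetical helper): a two-digit "%02d" result needs three bytes, and snprintf's return value is what tells the caller whether the output fit, which also covers values the `c < 100` guard would otherwise have to exclude.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from exactimage): formats a code-set-C value the
 * way the patched code128.hh does, with snprintf into a caller-supplied
 * buffer, and reports whether the output was truncated. */
bool format_code_set_c(int c, char *out, size_t outlen)
{
    /* "%02d" for 0..99 yields two digits plus the NUL terminator: 3 bytes.
     * The original 2-byte buffer left no room for the terminator, which
     * sprintf then wrote one byte past the end of the stack array. */
    int n = snprintf(out, outlen, "%02d", c);
    /* snprintf returns the length it would have written; if that does not
     * fit in outlen-1 characters, the result was silently truncated. */
    return n >= 0 && (size_t)n < outlen;
}

/* Constructed sample input: the in-range cases and one value that the
 * c < 100 guard in code128.hh exists to keep out. */
int main(void)
{
    char str[3];
    int values[] = {0, 7, 99, 100};
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        bool ok = format_code_set_c(values[i], str, sizeof str);
        printf("c=%d -> \"%s\" (%s)\n", values[i], str,
               ok ? "ok" : "truncated");
    }
    return 0;
}
```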