Re: [flac-dev] [PATCH] Fix buffer overflow in metaflac
It would really be better to compare against sizeof(application_id) rather than
coupling to all these
instances of 4 all over the place.
From: Erik de Castro Lopo mle...@mega-nerd.com
To: flac-dev@xiph.org
Sent: Thursday, April 5, 2012 4:02:10 AM
Subject: Re: [flac-dev] [PATCH] Fix buffer overflow in metaflac
Cristian Rodríguez wrote:
strlen() returns the length excluding the terminating null byte..then
an string of len 4 will be off-by-one in application_id[4];
GCC 4.7 detects this bug.
Ah nice!
diff --git a/src/metaflac/options.c b/src/metaflac/options.c
index eb3498d..2cb0959 100644
--- a/src/metaflac/options.c
+++ b/src/metaflac/options.c
@@ -1040,7 +1040,7 @@ FLAC__bool parse_block_type(const char *in,
Argument_BlockType *out)
out-entries[entry].type = FLAC__METADATA_TYPE_APPLICATION;
out-entries[entry].filter_application_by_id = (0 != r);
if(0 != r) {
- if(strlen(r) == 4) {
+ if(strlen(r) == 3) {
strcpy(out-entries[entry].application_id, r);
}
I actually think that this is a better solution:
if(strlen(r) == 4) {
-
strcpy(out-entries[entry].application_id, r);
+
memcpy(out-entries[entry].application_id, r, 4);
}
Cheers,
Erik
--
--
Erik de Castro Lopo
http://www.mega-nerd.com/
___
flac-dev mailing list
flac-dev@xiph.org
http://lists.xiph.org/mailman/listinfo/flac-dev___
flac-dev mailing list
flac-dev@xiph.org
http://lists.xiph.org/mailman/listinfo/flac-dev
Re: [flac-dev] [PATCH] Fix buffer overflow in metaflac
Cristian Rodríguez wrote:
strlen() returns the length excluding the terminating null byte..then
an string of len 4 will be off-by-one in application_id[4];
GCC 4.7 detects this bug.
Ah nice!
diff --git a/src/metaflac/options.c b/src/metaflac/options.c
index eb3498d..2cb0959 100644
--- a/src/metaflac/options.c
+++ b/src/metaflac/options.c
@@ -1040,7 +1040,7 @@ FLAC__bool parse_block_type(const char *in,
Argument_BlockType *out)
out-entries[entry].type =
FLAC__METADATA_TYPE_APPLICATION;
out-entries[entry].filter_application_by_id = (0 != r);
if(0 != r) {
- if(strlen(r) == 4) {
+ if(strlen(r) == 3) {
strcpy(out-entries[entry].application_id, r);
}
I actually think that this is a better solution:
if(strlen(r) == 4) {
-
strcpy(out-entries[entry].application_id, r);
+
memcpy(out-entries[entry].application_id, r, 4);
}
Cheers,
Erik
--
--
Erik de Castro Lopo
http://www.mega-nerd.com/
___
flac-dev mailing list
flac-dev@xiph.org
http://lists.xiph.org/mailman/listinfo/flac-dev
Re: [flac-dev] [PATCH] Fix buffer overflow in metaflac
Agreed. I was going to suggest memcpy() or something equivalent,
because the FLAC structure is not literally a C string, but rather a
32-bit field that may or may not have a terminating NULL. Erik's
code should work correctly in all cases.
On Apr 5, 2012, at 04:02, Erik de Castro Lopo wrote:
I actually think that this is a better solution:
if(strlen(r) == 4) {
- strcpy(out-entries
[entry].application_id, r);
+ memcpy(out-entries
[entry].application_id, r, 4);
}
___
flac-dev mailing list
flac-dev@xiph.org
http://lists.xiph.org/mailman/listinfo/flac-dev
Re: [flac-dev] [PATCH] Fix buffer overflow in metaflac
El 05/04/12 18:30, Brian Willoughby escribió: Agreed. I was going to suggest memcpy() or something equivalent, because the FLAC structure is not literally a C string, but rather a 32-bit field that may or may not have a terminating NULL. Erik's code should work correctly in all cases. Yep, and a fix is already in git ;) ___ flac-dev mailing list flac-dev@xiph.org http://lists.xiph.org/mailman/listinfo/flac-dev
