FornavnEfternavn
Memory overwrite in TIFF_FileWriter::UpdateMemByAppend

Dec 21, 2010 1:35 AM

The following unsigned comparison doesn't behave as expected (when valueOffset is larger than newLength):

[XMP-Toolkit-SDK-5.1.2/source/XMPFiles/FormatSupport/TIFF_FileWriter.cpp:1420]

    if ( currTag.dataLen > (newLength - valueOffset) ) XMP_Throw ( "Buffer overrun", kXMPErr_InternalFailure );
    memcpy ( (newStream + valueOffset), currTag.dataPtr, currTag.dataLen );    // AUDIT: Protected by the above check.
    if ( (currTag.dataLen & 1) != 0 ) newStream[valueOffset+currTag.dataLen] = 0;


This would be better:

    if ( (currTag.dataLen + valueOffset) > newLength ) XMP_Throw ( "Buffer overrun", kXMPErr_InternalFailure );
    memcpy ( (newStream + valueOffset), currTag.dataPtr, currTag.dataLen );    // AUDIT: Protected by the above check.
    if ( (currTag.dataLen & 1) != 0 ) newStream[valueOffset+currTag.dataLen] = 0;


Kind regards,

-Michael
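To make the wraparound concrete, here is an added C example (not code from the post or from the XMP SDK) that models the original check, the check proposed above, and a wrap-free variant over 32-bit unsigned values; `XMP_Uns32` as a 32-bit unsigned type and the `append_tag_value` helper are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed to mirror the SDK: 32-bit unsigned lengths and offsets. */
typedef uint32_t XMP_Uns32;

/* The check as quoted from TIFF_FileWriter.cpp. When valueOffset > newLength the
 * unsigned subtraction wraps to a huge value, so almost any dataLen passes. */
bool original_check_passes(XMP_Uns32 dataLen, XMP_Uns32 valueOffset, XMP_Uns32 newLength)
{
    return !(dataLen > (newLength - valueOffset));
}

/* The check proposed in the post. It handles a large offset, but the addition
 * itself wraps when dataLen + valueOffset exceeds 2^32 - 1. */
bool proposed_check_passes(XMP_Uns32 dataLen, XMP_Uns32 valueOffset, XMP_Uns32 newLength)
{
    return !((dataLen + valueOffset) > newLength);
}

/* Wrap-free form (added here): bound the offset first, then compare against the
 * room that is left. It also reserves the pad byte the snippet writes for an odd dataLen. */
bool safe_check_passes(XMP_Uns32 dataLen, XMP_Uns32 valueOffset, XMP_Uns32 newLength)
{
    if (valueOffset > newLength) return false;
    XMP_Uns32 room = newLength - valueOffset;
    if (dataLen > room) return false;
    XMP_Uns32 pad = dataLen & 1;
    return (room - dataLen) >= pad;
}

/* Hypothetical stand-in for the UpdateMemByAppend step, guarded by the safe check.
 * Returns the number of bytes written (data plus pad byte) or -1 when rejected. */
int64_t append_tag_value(uint8_t *newStream, XMP_Uns32 newLength, XMP_Uns32 valueOffset,
                         const uint8_t *dataPtr, XMP_Uns32 dataLen)
{
    if (!safe_check_passes(dataLen, valueOffset, newLength)) return -1;
    memcpy(newStream + valueOffset, dataPtr, dataLen);
    if ((dataLen & 1) != 0) {
        newStream[valueOffset + dataLen] = 0;
        return (int64_t)dataLen + 1;
    }
    return dataLen;
}
```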

Replies
    Nov 16, 2011 6:25 AM   in reply to FornavnEfternavn

    Hi Michael,


    thanks for pointing this out.

    In this particular case the valueOffset cannot get larger than newLength, as newLength includes the appended growth and is therefore larger than the original TIFF stream length. The valueOffset is within the original stream.


    Regards

    Jörg
