Skip navigation
FornavnEfternavn
FornavnEfternavn Calculating status...
Currently Being Moderated

Memory overwrite in TIFF_FileWriter::UpdateMemByAppend

Dec 21, 2010 1:35 AM

The following unsigned comparison doesn't behave as expected (when valueOffset is larger than newLength):

[XMP-Toolkit-SDK-5.1.2/source/XMPFiles/FormatSupport/TIFF_FileWriter.c pp:1420]

                    if ( currTag.dataLen > (newLength - valueOffset) ) XMP_Throw ( "Buffer overrun", kXMPErr_InternalFailure );
                    memcpy ( (newStream + valueOffset), currTag.dataPtr, currTag.dataLen );    // AUDIT: Protected by the above check.
                    if ( (currTag.dataLen & 1) != 0 ) newStream[valueOffset+currTag.dataLen] = 0;

 

This would be better:

                    if ( (currTag.dataLen + valueOffset) > newLength ) XMP_Throw ( "Buffer overrun", kXMPErr_InternalFailure );
                     memcpy ( (newStream + valueOffset), currTag.dataPtr,  currTag.dataLen );    // AUDIT: Protected by the above check.
                     if ( (currTag.dataLen & 1) != 0 ) newStream[valueOffset+currTag.dataLen] = 0;

 

Kind regards,

-Michael

2169 Views   1 Reply   Latest reply: Joerg Ehrlich, Nov 16, 2011 6:25 AM
 
Replies
  • Joerg Ehrlich
    Currently Being Moderated
    1. Joerg Ehrlich,
    Nov 16, 2011 6:25 AM   in reply to FornavnEfternavn
    Report

    Hi Michael,

     

    thanks for pointing this out.

    In this particular case the valueOffset cannot get larger as newLength as it includes the appended growth and is therefor larger than the original TIFF stream length. The valueOffset is within the original stream.

     

    Regards

    Jörg

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points