1 Reply. Latest reply: Nov 16, 2011 6:25 AM by Jörg Ehrlich

    Memory overwrite in TIFF_FileWriter::UpdateMemByAppend

    FornavnEfternavn

      The following unsigned comparison doesn't behave as expected (when valueOffset is larger than newLength):

      [XMP-Toolkit-SDK-5.1.2/source/XMPFiles/FormatSupport/TIFF_FileWriter.cpp:1420]

                    if ( currTag.dataLen > (newLength - valueOffset) ) XMP_Throw ( "Buffer overrun", kXMPErr_InternalFailure );
                    memcpy ( (newStream + valueOffset), currTag.dataPtr, currTag.dataLen );    // AUDIT: Protected by the above check.
                    if ( (currTag.dataLen & 1) != 0 ) newStream[valueOffset+currTag.dataLen] = 0;

      This would be better:

                    if ( (currTag.dataLen + valueOffset) > newLength ) XMP_Throw ( "Buffer overrun", kXMPErr_InternalFailure );
                    memcpy ( (newStream + valueOffset), currTag.dataPtr, currTag.dataLen );    // AUDIT: Protected by the above check.
                    if ( (currTag.dataLen & 1) != 0 ) newStream[valueOffset+currTag.dataLen] = 0;

      Kind regards,

      -Michael
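The following is an added example, not code from the post or from the XMP Toolkit SDK, that models the three bounds checks side by side and compares each verdict against a 64-bit oracle that cannot wrap. It assumes the three operands are 32-bit unsigned values (the SDK's own typedefs are not shown on the page, so `uint32_t` is an assumption) and reduces the check to a pure function so the arithmetic can be exercised without performing an out-of-bounds write. Beyond the post, the "safe" variant also guards the addition in the proposed fix against wrapping for very large `dataLen`, and it counts the pad byte that the third line stores at `newStream[valueOffset+dataLen]`, which the posted check bounds the `memcpy` for but not that store.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Check as posted at TIFF_FileWriter.cpp:1420. When valueOffset > newLength
   the unsigned subtraction wraps to a huge value, dataLen is never greater
   than it, and the copy is allowed. Returns true when XMP_Throw would fire. */
bool rejects_original(uint32_t dataLen, uint32_t newLength, uint32_t valueOffset)
{
    return dataLen > (newLength - valueOffset);
}

/* Check as proposed in the post. Correct for the reported case, but the
   addition can wrap when dataLen is close to UINT32_MAX. */
bool rejects_proposed(uint32_t dataLen, uint32_t newLength, uint32_t valueOffset)
{
    return (dataLen + valueOffset) > newLength;
}

/* Overflow-safe form (added here, assumption: not the SDK's fix). Reject if
   the offset is already past the end, then compare against the remaining
   room, which cannot wrap. The pad byte for odd dataLen is included in the
   required size so the trailing store is covered as well. */
bool rejects_safe(uint32_t dataLen, uint32_t newLength, uint32_t valueOffset)
{
    uint32_t need = dataLen + (dataLen & 1);   /* data plus optional pad byte */
    if (need < dataLen) return true;           /* dataLen + 1 wrapped */
    if (valueOffset > newLength) return true;  /* offset beyond the buffer */
    return need > newLength - valueOffset;
}

/* Oracle in 64-bit arithmetic: does the copy plus the optional pad byte
   fit inside newStream[0 .. newLength)? Nothing here can wrap. */
bool fits(uint32_t dataLen, uint32_t newLength, uint32_t valueOffset)
{
    uint64_t end = (uint64_t)valueOffset + dataLen + (dataLen & 1);
    return end <= newLength;
}

/* A check is sound for a case when it rejects exactly the writes that do
   not fit. Returns true when the given check agrees with the oracle. */
bool check_is_sound(bool (*check)(uint32_t, uint32_t, uint32_t),
                    uint32_t dataLen, uint32_t newLength, uint32_t valueOffset)
{
    return check(dataLen, newLength, valueOffset) == !fits(dataLen, newLength, valueOffset);
}

int main(void)
{
    /* Constructed cases: (dataLen, newLength, valueOffset). */
    const uint32_t cases[][3] = {
        { 10,  100,  20 },          /* ordinary in-bounds append            */
        { 50,  100, 200 },          /* the post's case: offset past the end */
        { 0xFFFFFFF0u, 100, 0x20 }, /* addition in the proposed fix wraps   */
        { 7,   27,   20 },          /* odd length: pad byte lands at index 27 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t d = cases[i][0], n = cases[i][1], o = cases[i][2];
        printf("dataLen=%u newLength=%u valueOffset=%u fits=%d "
               "original=%d proposed=%d safe=%d\n",
               d, n, o, fits(d, n, o),
               rejects_original(d, n, o), rejects_proposed(d, n, o), rejects_safe(d, n, o));
    }
    return 0;
}
```

Running it shows the original check letting the second case through, the proposed check letting the third case through, and the safe check agreeing with the oracle on all four; the fourth row is the one-byte pad store that neither posted check accounts for.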