From: Alan W. I. <ir...@be...> - 2005-08-11 04:51:08

On 2005-08-10 21:40-0500 mj...@ga... wrote:

> Andrew Roach writes:
> > At 01:48 PM 10/08/2005 -0700, you wrote:
> > >
> > > The code in question is
> > >
> > > char form[10], tmpstring[10];
> > >
> > > 10 is obviously too small, but making it very large is not the answer either
> > > since some cracker will always try something larger.
> > >
> > > Maurice, as a veteran C coder do you feel the proposed move to snprintf() is
> > > a good solution for eliminating buffer overflows from user text input to
> > > PLplot? Are there cross-platform issues with snprintf?
> >
> > snprintf isn't ANSI, so compilers are not obliged to support it.
>
> Yeah, it looked pretty suspicious to me too, but according to my RH9 man page:
>
>   NOTES
>     The glibc implementation of the functions snprintf and vsnprintf
>     conforms to the C99 standard, i.e., behaves as described above, since
>     glibc version 2.1. Until glibc 2.0.6 they would return -1 when the
>     output was truncated.
>
> so it is part of the standard now. I never did look at the C99 standard much.
> Of course, we only require C89 compliance.
>
> There may be an autoconf macro that'd allow us to portably use it, i.e. just
> on systems that support it. Anyone want to look into that?

Here is the result of a quick google search for (autoconf macro snprintf):

http://autoconf-archive.cryp.to/ac_func_snprintf.html

This macro's functionality looks like exactly what we need, although we need
an m4 expert to make sure there are no cross-platform (or otherwise)
implementation glitches. The macro also refers to alternative snprintf code
(see http://www.ijs.si/software/snprintf/) that can be used if snprintf is
not functional on a particular platform.

HTH.

Alan

__________________________
Alan W. Irwin
email: ir...@be...
phone: 250-727-2902

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state implementation
for stellar interiors (freeeos.sf.net); PLplot scientific plotting software
package (plplot.org); the Yorick front-end to PLplot (yplot.sf.net); the
Loads of Linux Links project (loll.sf.net); and the Linux Brochure Project
(lbproject.sf.net).
__________________________
Linux-powered Science
__________________________
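The sprintf-to-snprintf change the thread is weighing, as an added C example that is not PLplot's code: a stand-in for the char form[10] buffer quoted above, the unbounded pattern kept for contrast, and a bounded replacement that reports truncation and tolerates the pre-glibc-2.1 -1 return the man page excerpt mentions. FORM_SIZE and both function names are assumed names, and the sample label is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the "char form[10]" quoted in the thread (assumed stand-in name). */
#define FORM_SIZE 10

/* Before: the pattern under discussion. sprintf() never sees the destination
 * size, so a label of FORM_SIZE or more characters writes past the end of
 * 'form'. Kept for contrast; only ever called with a short constant below. */
void format_label_unbounded(char form[FORM_SIZE], const char *label)
{
    sprintf(form, "%s", label);            /* overruns when strlen(label) >= FORM_SIZE */
}

/* After: bounded formatting that also reports what happened.
 * Returns 0 when the label fit, 1 when it was truncated to size-1 characters,
 * and -1 on error (including size == 0, where nothing can be written).
 * The label is passed as a "%s" argument, never as the format string itself.
 * C99 snprintf() returns the length that would have been needed, so a value
 * >= size means truncation; glibc before 2.1 returned -1 on truncation, which
 * the negative branch also covers by forcing termination. */
int format_label_bounded(char *form, size_t size, const char *label)
{
    int needed;
    if (size == 0 || form == NULL || label == NULL)
        return -1;
    needed = snprintf(form, size, "%s", label);
    if (needed < 0) {
        form[size - 1] = '\0';                 /* old glibc: content unreliable, keep it terminated */
        return -1;
    }
    return ((size_t)needed >= size) ? 1 : 0;   /* C99: 'needed' excludes the NUL */
}

int main(void)
{
    char form[FORM_SIZE];
    const char *user_label = "0123456789";    /* constructed input: 10 chars, one too many */
    int rc = format_label_bounded(form, sizeof form, user_label);
    printf("rc=%d form=\"%s\" (%zu chars kept)\n", rc, form, strlen(form));
    format_label_unbounded(form, "ok");       /* short constant: defined behaviour */
    return 0;
}
```

Whether snprintf() is available at all on a given platform is what the autoconf macro above settles; this code only shows what the call site should check once it is.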