#89 RLECodec::Code buffer overrun RLEHeader::Offset

Status: closed
Priority: 5
Updated: 2009-12-14
Created: 2009-12-12
Private: No

RLECodec::Code(in, out) overruns the RLEHeader::Offset buffer. When I run gdcmMSFFTests.exe, TestImageChangeTransferSyntax3 (trunk revision 6408), Microsoft Visual C++ 2008 SP1 tells me: "Run-Time Check Failure #2 - Stack around the variable 'header' was corrupted"

The bug appears very trivial, as trunk/Source/MediaStorageAndFileFormat/gdcmRLECodec.cxx says:

> RLEHeader header;
> header.NumSegments = MaxNumSegments;
> for(int i = 0; i < 16;++i)
> header.Offset[i] = 0;
> header.Offset[0] = 64;

While RLEHeader::Offset only has 15 elements:

> class RLEHeader
> {
> public:
> uint32_t NumSegments;
> uint32_t Offset[15];

C++ allows initializing aggregates like RLEHeader by specifying a brace-enclosed initializer-list. So the following would correctly initialize the entire RLEHeader:

RLEHeader header = { MaxNumSegments, { 64 } };

Hereby header.Offset[0] is set to 64, and all the other elements of header.Offset are implicitly zero-initialized. So this one line can replace five lines currently in gdcmRLECodec.cxx.
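A self-contained illustration of the fix, added here and not part of the ticket or of GDCM's code: a constructed copy of the RLEHeader layout quoted above, the aggregate initializer the report proposes, a loop whose bound is derived from the array itself so it cannot write a 16th element, and a check that both produce Offset[0] == 64 with the remaining elements zero. MaxNumSegments is an assumed value (15) here.

```cpp
#include <cstdint>
#include <cstddef>

// Constructed copy of the RLEHeader layout from the ticket (not GDCM's own header).
struct RLEHeader
{
    uint32_t NumSegments;
    uint32_t Offset[15];
};

// Assumed stand-in for gdcm's MaxNumSegments.
const uint32_t MaxNumSegments = 15;

// Element count taken from the type, so any loop bound follows the array size.
const std::size_t kOffsetCount = sizeof(RLEHeader::Offset) / sizeof(uint32_t); // 15

// The initialization proposed in the report: Offset[0] = 64, Offset[1..14]
// value-initialized to zero. There is no loop, so there is no index to get wrong.
RLEHeader MakeHeaderAggregate()
{
    RLEHeader header = { MaxNumSegments, { 64 } };
    return header;
}

// If a loop is kept instead, its bound must come from the array, not a literal 16.
RLEHeader MakeHeaderLoop()
{
    RLEHeader header;
    header.NumSegments = MaxNumSegments;
    for (std::size_t i = 0; i < kOffsetCount; ++i)
        header.Offset[i] = 0;
    header.Offset[0] = 64;
    return header;
}

// Verify the state both constructors are expected to produce.
bool HeaderIsExpected(const RLEHeader& h)
{
    if (h.NumSegments != MaxNumSegments || h.Offset[0] != 64)
        return false;
    for (std::size_t i = 1; i < kOffsetCount; ++i)
        if (h.Offset[i] != 0)
            return false;
    return true;
}

// How many elements a zeroing loop with the given bound would write past
// the end of Offset; the original bound of 16 writes one uint32_t too many.
std::size_t OverrunCount(std::size_t loopBound)
{
    return loopBound > kOffsetCount ? loopBound - kOffsetCount : 0;
}
```

The "Run-Time Check Failure #2" quoted in the report comes from MSVC's /RTCs stack-frame check and only fires in a build with that option; on other compilers AddressSanitizer catches the same one-element overrun.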

Discussion

  • Mathieu Malaterre

    Good catch!

    Please commit proposed patch.

    Thanks

  • Mathieu Malaterre

    • status: open --> closed
  • Mathieu Malaterre

    Closed by Niels
