Menu
▾
▴
[wxCode-users] [ wxcode-Bugs-2932605 ] wxJSONWriter buffer overflow
|
From: SourceForge.net <no...@so...> - 2010-01-15 06:48:01
|
Bugs item #2932605, was opened at 2010-01-15 06:48 Message generated for change (Tracker Item Submitted) made by nobody You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=462816&aid=2932605&group_id=51305 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: wxJSON Group: last released version Status: Open Resolution: None Priority: 5 Private: No Submitted By: Nobody/Anonymous (nobody) Assigned to: Nobody/Anonymous (nobody) Summary: wxJSONWriter buffer overflow Initial Comment: wxJSONWriter can cause a buffer overflow when wxJSON_USE_UNICODE is defined. In writeIntValue and WriteUIntValue, the following causes a buffer overflow: char buffer[32]; // need to store 64-bits integers (max 20 digits) NOTE THAT THIS BUFFER'S MEMORY IS NOT ZEROED ... len = strlen( cbData ); wxASSERT( len <= 32 ); memcpy( buffer, cbData, len ); <--- NOTE THAT buffer IS ONLY NULL-TERMINATED HERE IF YOU'RE LUCKY ... len = strlen( buffer ); <--- THIS LENGTH IS INDETERMINANT BECAUSE buffer IS NOT NULL TERMINATED os.Write( buffer, len ); <---- BUFFER OVERRUN!!!!!!!!!!!!!! Something like this is a quick fix: wxASSERT( len < 32 ); <--- len must be less than 32 memcpy( buffer, cbData, len ); buffer[len] = 0; <--- null terminate the string ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=462816&aid=2932605&group_id=51305 |
