#74 Wrong argument to sizeof possibly causing memory corruption

Milestone: latest_mercurial
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-09-21
Created: 2013-03-06
Private: No

In zbar/processor/posix.h, function remove_poll, sizeof(poll_handler_t) is used:

https://sourceforge.net/p/zbar/code/ci/38e78368283d5afe34bbc0cedb36d4540cda3a30/tree/zbar/processor/posix.h#l117

This isn't actually valid according to the C standard, but unfortunately accepted by GCC. But sizeof(poll_handler_t) will be 1, whereas here it is expected to be the size of a function pointer. Thus memmove will shift the data only by 1 byte, causing memory corruption.

The (trivial) fix is to use sizeof(poll_handler_t*) instead.

Best,
Michael
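The following is an added illustration of the defect class described in the ticket, not code from the ZBar tree. It assumes a stand-in `poll_handler_t` function type and a simplified `poll_table_t` with parallel `fds`/`handlers` arrays (the real layout in `zbar/processor/posix.h` is not reproduced); the buggy variant moves the tail by a literal 1 byte per element, which is the value GCC's extension yields for `sizeof` of a function type, so the block compiles cleanly under `-pedantic` while still showing why later slots end up stale and the remaining handlers no longer line up with their descriptors.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for zbar's callback type; the real signature is
 * assumed to differ. poll_handler_t is a FUNCTION type, so
 * sizeof(poll_handler_t) is a constraint violation in ISO C (6.5.3.4);
 * GCC accepts it as an extension and evaluates it to 1. */
typedef int (poll_handler_t)(int fd);

#define MAX_HANDLERS 8

/* Assumed shape of the poll table: parallel arrays of descriptors and handlers. */
typedef struct {
    int num;
    int fds[MAX_HANDLERS];
    poll_handler_t *handlers[MAX_HANDLERS];   /* pointers to functions */
} poll_table_t;

/* Four distinct handlers so that stale/shifted slots are detectable. */
static int h0(int fd) { return fd * 10 + 0; }
static int h1(int fd) { return fd * 10 + 1; }
static int h2(int fd) { return fd * 10 + 2; }
static int h3(int fd) { return fd * 10 + 3; }

static void add_poll(poll_table_t *t, int fd, poll_handler_t *h)
{
    t->fds[t->num] = fd;
    t->handlers[t->num] = h;
    t->num++;
}

/* Reproduces the reported defect: the handler tail is shifted by 1 byte per
 * element (the literal 1 stands in for sizeof(poll_handler_t) under GCC).
 * Only the first 'tail' bytes of handlers[idx] are overwritten; every later
 * slot keeps its old content, so descriptors and handlers fall out of step
 * and a later dispatch goes through a corrupted or stale pointer. */
static void remove_poll_buggy(poll_table_t *t, int idx)
{
    int tail = t->num - idx - 1;
    memmove(&t->fds[idx], &t->fds[idx + 1], tail * sizeof(int));
    memmove(&t->handlers[idx], &t->handlers[idx + 1], tail * 1);
    t->num--;
}

/* Corrected: size the move by the element actually stored, a pointer.
 * sizeof(t->handlers[0]) equals sizeof(poll_handler_t *) and cannot
 * silently collapse to 1 if the typedef is ever changed. */
static void remove_poll_fixed(poll_table_t *t, int idx)
{
    int tail = t->num - idx - 1;
    memmove(&t->fds[idx], &t->fds[idx + 1], tail * sizeof(t->fds[0]));
    memmove(&t->handlers[idx], &t->handlers[idx + 1], tail * sizeof(t->handlers[0]));
    t->num--;
}

/* Returns 1 if the table holds exactly the given (fd, handler) pairs in order. */
static int table_matches(const poll_table_t *t, const int *fds,
                         poll_handler_t *const *hs, int n)
{
    if (t->num != n) return 0;
    for (int i = 0; i < n; i++)
        if (t->fds[i] != fds[i] || t->handlers[i] != hs[i]) return 0;
    return 1;
}

/* Builds a constructed four-entry table, removes entry 0 with the given
 * routine, and returns 1 only if the survivors are (4,h1) (5,h2) (6,h3). */
static int check_remove(void (*remove_fn)(poll_table_t *, int))
{
    poll_table_t t = { 0 };
    add_poll(&t, 3, h0); add_poll(&t, 4, h1);
    add_poll(&t, 5, h2); add_poll(&t, 6, h3);
    remove_fn(&t, 0);
    int want_fds[3] = { 4, 5, 6 };
    poll_handler_t *want_hs[3] = { h1, h2, h3 };
    return table_matches(&t, want_fds, want_hs, 3);
}

int main(void)
{
    printf("sizeof(poll_handler_t *) = %zu\n", sizeof(poll_handler_t *));
    printf("fixed remove consistent: %d\n", check_remove(remove_poll_fixed));
    printf("buggy remove consistent: %d\n", check_remove(remove_poll_buggy));
    return 0;
}
```

A cheap guard against this class of mistake is to always size `memmove`/`memcpy` by the array element (`sizeof(array[0])` or `sizeof(*ptr)`) rather than by a named type, and to build with `-Wpointer-arith`/`-pedantic`, which makes GCC and Clang warn on `sizeof` applied to a function type.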
