#184 CodeOne buffer overrun issues.

[Milton Neal]

Hi Robin,
Found an issue in CodeOne code.
Function c1_encode()
Step B2 possible buffer over run.
[sp+i ] can end up larger than the source length.
/ Step B2 /
j = 0;

for (i = 0; i < 13; i++) {
    if ((source[sp + i] >= '0') && (source[sp + i] <= '9')) {
        j++;
    }
}
 and the same for step B5           
   if (j == 7) {
        latch = 0;
        for (i = sp + 7; i < length; i++) {
            if (!((source[sp + i] >= '0') && (source[sp + i] <= '9'))) {
                latch = 1;
            }
        }

         It seems to me that at lines 445 & 494 
         source[sp+i] should be replaced with source[i] (only guessing)
        Thanks Milton

[Robin Stuart]

Hi Milton,

Thank you for drawing attention to this.

I think the functionality is correct, but unfortunately I no longer have access to the specification to make sure. I have included some extra checks in steps B2 and B5 to prevent overrun. Can you have a look at this and if you are happy I will close the ticket.

Robin.

[Git Lost]

Hi Robin, I think you missed changing source[sp + i] to source[i] at line 494 (now 497), as I did in MR 39 [0c00ec] when doing the OSS-Fuzz fix. I don't think the extra length checks are necessary given the i < length check in the loop.

[Milton Neal]

Hi Robin, I applied your fix (without the extra length checks) to the ZintNet code and has cleared the "index out of bounds" issues I was having. We will call it fixed. Thanks for having a look at this. Milton

[Robin Stuart]

Hi,

Apologies to Milton and Git Lost - you were right! I've reverted my changes so that both of these loops now use [i] rather than [sp + i].

Robin.

[Milton Neal]

Thanks Robin
Can now close this ticket. Milton