| |||||||||||||||||||||||
catdoc: denial of service
(Log in to post comments)
catdoc: denial of service Posted Nov 15, 2012 11:12 UTC (Thu) by epa (subscriber, #39769) [Link]
Surely there's a project somewhere to run the whole Debian source through various 'lint' programs? Any of them would have spotted this.
catdoc: denial of service Posted Nov 15, 2012 17:18 UTC (Thu) by mgedmin (subscriber, #34497) [Link]
Assuming it wasn't lost in a sea of false positives.
catdoc: denial of service Posted Nov 15, 2012 18:36 UTC (Thu) by dtmill (guest, #87864) [Link]
Something like http://qa.debian.org/daca/cppcheck/sid/catdoc_0.94.2-1.1.... ?
catdoc: denial of service Posted Nov 15, 2012 19:22 UTC (Thu) by epa (subscriber, #39769) [Link]
Nice, I knew it had to exist.
catdoc: denial of service Posted Nov 15, 2012 12:58 UTC (Thu) by lacos (subscriber, #70616) [Link]
I have no idea how the FormatIdxUsed array is used before and after the loop, but the bogus semicolon of course prevents zeroing the array as well! If the array is filled with user-provided data before the loop, and then used later in ways that would depend on the (missing) zeroing, there might be trouble.
catdoc: denial of service Posted Nov 17, 2012 20:07 UTC (Sat) by Ben_P (subscriber, #74247) [Link]
Is there a good reason that iterates over the array at all? This seems like a case for memset/bzero?
catdoc: denial of service Posted Nov 17, 2012 22:16 UTC (Sat) by dark (subscriber, #8483) [Link] I don't know if it's a good reason, but the C standard doesn't guarantee that an integer zero is represented as all-bits-zero. The loop is in that sense more portable than using memset.
catdoc: denial of service Posted Nov 18, 2012 7:10 UTC (Sun) by apoelstra (subscriber, #75205) [Link]
> I don't know if it's a good reason, but the C standard doesn't guarantee that an integer zero is represented as all-bits-zero. The loop is in that sense more portable than using memset.
All-bits-zero is integer zero. It's pointers and floating-point numbers you need to worry about.
catdoc: denial of service Posted Nov 18, 2012 16:41 UTC (Sun) by dark (subscriber, #8483) [Link] Ah ok, thanks. I did some digging and it seems I had this the wrong way around: an integer zero does not have to be all bits zero (because the standard permits padding bits), but C99 explicitly guarantees that all bits zero is interpreted as integer zero. (6.2.6.2/5)The discussion about this that I remembered was about the language in C89 so I feel old now :) C89 has much less to say about padding bits but doesn't rule them out.
catdoc: denial of service Posted Nov 18, 2012 20:27 UTC (Sun) by apoelstra (subscriber, #75205) [Link]
> Ah ok, thanks. I did some digging and it seems I had this the wrong way around: an integer zero does not have to be all bits zero (because the standard permits padding bits), but C99 explicitly guarantees that all bits zero is interpreted as integer zero. (6.2.6.2/5)
Oh! I thought this was true in C89 also.
I wonder, though, when you pass 0 to memset -- are you passing "integer zero" or "all bits zero"? Maybe you are still okay even if nothing is actually all-bits-zero.
catdoc: denial of service Posted Nov 21, 2012 1:18 UTC (Wed) by gjmarter (subscriber, #5777) [Link]
Although I wasn't aware of the padding rule before, I think it is a safe bet that memset is doing "all bits zero". It is setting bytes even though you pass it an integer.
|
|||||||||||||||||||||||