Hi!

On Mon, Jan 24, 2011 at 9:41 AM, Simon Budig <simon@xxxxxxxx> wrote:
> Ah sorry, should have mentioned that. The bug report is older than your
> mail to the list. We had a report on the %s conversion earlier which is
> what the patch attached to the bug attempts to fix.

Here (also from your patch):

  snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
            sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
            sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
  sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a);

It will protect against the overflow, but there is a chance to get wrong
data (if the first string is also very big). For example, with this ugly
example code that I think is similar to the one from your patch:

  #include <stdio.h>

  int main(void)
  {
      char str1[16];
      char str2[16];
      char str3[16];
      char str4[16];
      char fmt[128];
      /* first token is far longer than the 15 characters a field can hold */
      char buf[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbb ccccccccccccccc ddddddddddddddd";

      /* build "%15s %15s %15s %15s" (sizeof yields size_t, hence %zu) */
      snprintf(fmt, sizeof(fmt), "%%%zus %%%zus %%%zus %%%zus",
               sizeof(str1) - 1, sizeof(str2) - 1,
               sizeof(str3) - 1, sizeof(str4) - 1);
      sscanf(buf, fmt, str1, str2, str3, str4);
      printf("*%s* *%s* *%s* *%s*\n", str1, str2, str3, str4);
      return 0;
  }

See that we have one big string first and all the four vars (wrongly) were
used by it:

  *aaaaaaaaaaaaaaa* *aaaaaaaaaaaaaaa* *aaaaaaaaaaaaaaa* *aaaaaaaaaaaaaaa*

Right?

Best regards,
Nelson

_______________________________________________
Gimp-developer mailing list
Gimp-developer@xxxxxxxxxxxxxxxxxxxxxx
https://lists.XCF.Berkeley.EDU/mailman/listinfo/gimp-developer
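The failure mode Nelson shows above, a width-limited `%15s` that stops the overflow but silently re-splits an over-long first token across the remaining fields, side by side with a parser that rejects such input instead. This is an added example, not code from the thread or from GIMP; `FIELD_LEN`, `parse_rgba_safe`, `parse_rgba_sscanf` and the constructed input strings are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed field size, matching the 16-byte buffers in Nelson's example. */
#define FIELD_LEN 16

/* Constructed input: a 40-character first token followed by three short ones. */
static const char CONSTRUCTED_LONG[] =
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" " 1 2 3";

/*
 * Parse "r g b a" into four fixed buffers without sscanf.
 * Returns 1 on success, 0 if there are not exactly four whitespace-separated
 * tokens or if any token would not fit (with its NUL) in FIELD_LEN bytes.
 * An over-long token is an error here, never split across fields.
 */
int parse_rgba_safe(const char *ptr, char out[4][FIELD_LEN])
{
    const char *p = ptr;

    for (int i = 0; i < 4; i++) {
        p += strspn(p, " \t");            /* skip leading whitespace */
        size_t n = strcspn(p, " \t\n");   /* length of this token */
        if (n == 0 || n >= FIELD_LEN)     /* missing or over-long token */
            return 0;
        memcpy(out[i], p, n);
        out[i][n] = '\0';
        p += n;
    }
    p += strspn(p, " \t\n");
    return *p == '\0';                    /* reject trailing extra tokens */
}

/*
 * The width-limited sscanf approach from the thread, kept for comparison.
 * Returns sscanf's conversion count; note it still reports 4 on the bad input.
 */
int parse_rgba_sscanf(const char *ptr, char out[4][FIELD_LEN])
{
    char fmt[64];
    size_t w = FIELD_LEN - 1;             /* leave room for the NUL */

    snprintf(fmt, sizeof fmt, "%%%zus %%%zus %%%zus %%%zus", w, w, w, w);
    return sscanf(ptr, fmt, out[0], out[1], out[2], out[3]);
}

int main(void)
{
    char out[4][FIELD_LEN];

    /* sscanf: no overflow, but the 40 a's are spread over three fields */
    int n = parse_rgba_sscanf(CONSTRUCTED_LONG, out);
    printf("sscanf returned %d: *%s* *%s* *%s* *%s*\n",
           n, out[0], out[1], out[2], out[3]);

    /* strict parser: the same input is rejected outright */
    printf("safe parser accepted: %d\n", parse_rgba_safe(CONSTRUCTED_LONG, out));
    printf("safe parser accepted: %d\n", parse_rgba_safe("255 128 0 255", out));
    return 0;
}
```

The point worth checking in review is the return value: on the over-long input the sscanf variant still returns 4, so a caller that only tests `sscanf(...) == 4` cannot tell the misparse from a good line. Measuring each token before copying it is what makes the second parser refuse the input.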