2015.06.13 05:15 "Re: [Tiff] [security][PATCH] tiff2pdf: fix snprintf return value misuse", by Lee Howard

I've committed your patch as requested. Please checkout, review, and test current CVS to ensure that you are happy with the result.

Thanks,

Lee.

On 01/25/2015 08:56 AM, Yuriy M. Kaminskiy wrote:

> There is a lot of code like this:
>
>       buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
>       written += t2pWriteFile(output, (tdata_t) buffer, buflen );
>
> in tiff2pdf. This is seriously broken: when the formatted string is larger than
> the buffer, the snprintf return value is >= sizeof(buffer) [current standard] or -1
> [legacy]. And in case of other errors, snprintf returns -1.
> Both would result in reading unallocated memory and a possible SIGSEGV (DoS).
>
> I doubt it can be really exploitable (to begin with, in most cases the buffer was
> large enough and the sprintf->snprintf change was pure paranoia, IMO), but /if/ you
> decided the previous code was not safe and snprintf is necessary, /then/ you MUST
> check its return value.
>
> PS no reaction to private message -> reposting publicly with 1 month delay
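The return-value check the thread asks for, as an added example that is not libtiff's own code: `sink_t`/`sink_write` are a constructed in-memory stand-in for `t2pWriteFile`, `unchecked_len` shows what the old pattern would pass as a length, and `write_number` is a hypothetical hardened helper.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for t2pWriteFile: appends to a fixed in-memory sink
   so the example runs offline. */
typedef struct {
    char data[64];
    size_t used;
} sink_t;

static size_t sink_write(sink_t *out, const void *buf, size_t len)
{
    size_t room = sizeof(out->data) - out->used;
    if (len > room)
        len = room;
    memcpy(out->data + out->used, buf, len);
    out->used += len;
    return len;
}

/* The pattern criticised in the thread, reduced to the length it would hand
   to the write call. On truncation this is >= bufsize; on error -1 becomes a
   huge size_t. Either way, writing that many bytes reads past `buffer`. */
static size_t unchecked_len(char *buffer, size_t bufsize, unsigned long number)
{
    return (size_t)snprintf(buffer, bufsize, "%lu", number);
}

/* Hardened form: treat the snprintf result as untrusted until checked.
   Returns bytes written, or -1 on a formatting error or truncation, and
   never writes in either failure case. */
static long write_number(sink_t *out, unsigned long number,
                         char *buffer, size_t bufsize)
{
    int n = snprintf(buffer, bufsize, "%lu", number);
    if (n < 0)                  /* error: no usable content in buffer */
        return -1;
    if ((size_t)n >= bufsize)   /* truncated: only bufsize-1 bytes are valid */
        return -1;
    return (long)sink_write(out, buffer, (size_t)n);
}
```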