CCS :: View topic - Bug (v4.099): possible buffer overflow in get

FAQ

Forum Help

Official CCS Support

Profile Log in to check your private messages Log in

CCS does not monitor this forum on a regular basis.

Please do not post bug reports on this forum. Send them to CCS Technical Support

Bug (v4.099): possible buffer overflow in get_string()

CCS Forum Index -> General CCS C Discussion

View previous topic :: View next topic

Author

Message

ckielstra

Joined: 18 Mar 2004
Posts: 3680
Location: The Netherlands

Bug (v4.099): possible buffer overflow in get_string()

Posted: Thu Nov 05, 2009 7:40 pm

For your info: A bug report on input.c I just filed.

Compiler: PCWH v4.099demo
Processor: all

The function get_string() in input.c has a few problems:
1) Information is missing on how to use it. Most importantly it should mention the 'max' parameter is including the terminating zero.
2) Even when the 'max' parameter does include the terminating zero it is possible to create a buffer overflow. The line:

Code:

if(len<=max) {

should have '<' instead of '<='.
Note: this error is not present in the almost identical function bget_string from ex_zmd.c

3) A 'max' parameter 0 is not rejected and will effectively disable length checking, leading to possible memory corruption.
4)

Code:

signed int16 get_int() {
char s[5]; <<-- should be equal to get_string (7)
...
get_string(s, 7);

Code:

signed int32 get_long() {
char s[7]; <<-- should be equal to get_string (10)
...
get_string(s, 10);

Display posts from previous:

	CCS Forum Index -> General CCS C Discussion	All times are GMT - 6 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum