[Dbd-firebird-devel] Buffer Overflow in dbdimp.c

Stefan Roas stefan.roas at fau.de
Fri Mar 13 16:36:31 UTC 2015


Hi there,

I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
sprintf to a fixed-size buffer that (quite likely in two cases) might be
too small to hold the final result.

Attached you will find a patch that solves the problem by increasing the size
of the buffer to a value that should be large enough for every
conceivable input given the conversion specification and additionally
uses snprintf() instead of sprintf(). As snprintf() is already used
elsewhere in dbdimp.c I figure there are no portability issues
involved.

I did not check the other uses of sprintf, although it might be
worthwhile to do so as a quick check found other locations where a
fixed-size buffer is involved.

Best regards,
  Stefan

-- 
Stefan Roas, Datenbanken und studentische Verfahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
stefan.roas at fau.de
http://www.rrze.fau.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbdimp.patch
Type: text/x-patch
Size: 2187 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/dbd-firebird-devel/attachments/20150313/db56a9f5/attachment.bin>
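The pattern the mail describes, as an added example that is not the attached patch nor the real dbdimp.c code: a fixed-size error buffer, the length an unbounded sprintf() would write for a given engine message, and the bounded snprintf() replacement together with the truncation check that snprintf() alone does not give you. The buffer size, the message format and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not DBD::Firebird's code.  ERRBUF_SIZE and ERRFMT are
 * assumptions standing in for the fixed buffer and the conversion
 * specification used by the real error-reporting code. */
#define ERRBUF_SIZE 64
#define ERRFMT "-Execution error: %s (SQLCODE %ld)"

/* Vulnerable shape: sprintf() writes however many bytes the format
 * produces, with no knowledge of the destination size.  Rather than run
 * it (overflow is undefined behaviour) we compute the length it would
 * write; snprintf(NULL, 0, ...) is the C99 way to ask for that length
 * without writing anything. */
size_t sprintf_would_write(const char *msg, long code)
{
    int n = snprintf(NULL, 0, ERRFMT, msg, code);
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if sprintf() into a buffer of ERRBUF_SIZE bytes would
 * overflow it (formatted text plus the terminating NUL does not fit). */
int sprintf_overflows(const char *msg, long code)
{
    return sprintf_would_write(msg, code) + 1 > ERRBUF_SIZE;
}

/* Hardened shape: bounded write.  snprintf() never writes past bufsize
 * and always NUL-terminates when bufsize > 0, but it truncates silently,
 * so the caller must compare the return value (the length that would
 * have been written) against bufsize to notice a message was cut off.
 * Returns 0 on success, 1 if the message was truncated, -1 on error. */
int format_error(char *buf, size_t bufsize, const char *msg, long code)
{
    int n;
    if (bufsize == 0) return -1;
    n = snprintf(buf, bufsize, ERRFMT, msg, code);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= bufsize ? 1 : 0;
}

int main(void)
{
    char buf[ERRBUF_SIZE];
    /* Constructed inputs: a short engine message and an over-long one. */
    const char *short_msg = "table not found";
    char long_msg[200];
    memset(long_msg, 'A', sizeof long_msg - 1);
    long_msg[sizeof long_msg - 1] = '\0';

    printf("short: sprintf overflows=%d rc=%d\n",
           sprintf_overflows(short_msg, -204),
           format_error(buf, sizeof buf, short_msg, -204));
    printf("long:  sprintf overflows=%d rc=%d strlen=%zu\n",
           sprintf_overflows(long_msg, -204),
           format_error(buf, sizeof buf, long_msg, -204), strlen(buf));
    return 0;
}
```

Enlarging the buffer, as the patch does, only moves the threshold; the snprintf() bound is what removes the overflow, and checking its return value is what turns a silently truncated message into something the caller can log or act on.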

