From c4aaf8e9d3763985bad2025dc88cd80e6b26af80 Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Sun, 11 Feb 2018 20:11:22 +0100
Subject: Null-terminate string before calling strtoul hex_string_to_byte in misc.cc calls strtoul with a non-null-terminated string, causing a buffer over-read. This patch extends the buffer to always include a null character in the end. Fixes issue #95.
---
 misc.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misc.cc b/misc.cc
index 7a54a94..eaaad50 100644
--- a/misc.cc
+++ b/misc.cc
@@ -43,7 +43,8 @@ namespace misc {
 auto data = ::std::vector();
 data.reserve(d_size);
- char buf[2];
+ char buf[3];
+ buf[2] = '\0';
 for(size_t i=0; i
Date: Mon, 12 Feb 2018 09:20:59 +0100
Subject: Use strnlen to determine string length strnlen stops scanning after reaching big_string_size and returns last position in the searched string. If a string terminator is not found then the big_string_size is returned hence the modification of the later size-checking condition.
Signed-off-by: Szczepan Zalega
---
 misc.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/misc.cc b/misc.cc
index eaaad50..59185f3 100644
--- a/misc.cc
+++ b/misc.cc
@@ -34,10 +34,10 @@ namespace misc {
 ::std::vector hex_string_to_byte(const char* hexString){
- const size_t big_string_size = 256; //arbitrary 'big' number
- const size_t s_size = strlen(hexString);
+ const size_t big_string_size = 257; //arbitrary 'big' number
+ const size_t s_size = strnlen(hexString, big_string_size);
 const size_t d_size = s_size/2;
- if (s_size%2!=0 || s_size>big_string_size){
+ if (s_size%2!=0 || s_size>=big_string_size){
 throw InvalidHexString(0);
 }
 auto data = ::std::vector();
--
cgit v1.2.3
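Review bot: In the second patch, `big_string_size = 257` keeps the comment `//arbitrary 'big' number`, but the value is no longer arbitrary: it has to be exactly one more than the longest accepted string (256) for `s_size>=big_string_size` to tell an over-long input from a maximal one. I would name the real limit and derive the scan bound from it, e.g. `const size_t max_hex_size = 256;`, `strnlen(hexString, max_hex_size + 1)` and `s_size > max_hex_size`, so a later edit of the constant or the comparison cannot turn rejection into silent truncation. `strnlen` also only caps the scan at 257 bytes, so an unterminated `hexString` backed by a shorter buffer is still read past its end, and a null pointer is not checked in the visible lines. A doc comment on the function should state that callers must pass a null-terminated string. The body of `hex_string_to_byte` continues past the end of this hunk.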