Posted to c-dev@xerces.apache.org by Ma...@VerizonWireless.com on 2005/03/16 02:18:44 UTC

Overflow Vulnerability In SAX2Count Demo Program

Here is a patch to fix a buffer overflow in CVS revision 1.29 of
samples/SAX2Count/SAX2Count.cpp.

The code used strcpy() to place a user-supplied command line option into a
64-byte buffer localeStr. I've replaced this with a strncpy call instead.

Yes, I know it's trivial, but it could potentially be a problem, so I
thought it would be best to report it.

PS: In Xerces-C++ for Solaris (binary build), you can trigger the overflow
with 265 bytes of input data to the '-locale' command-line option.

Thanks,
Matt Hall
Verizon Wireless

*** SAX2Count.pcc       Tue Mar 15 18:59:37 2005
--- SAX2Count.cpp       Tue Mar 15 19:04:37 2005
***************
*** 248,254 ****
           else if (!strncmp(argV[argInd], "-locale=", 8))
          {
               // Get out the end of line
!              strcpy(localeStr, &(argV[argInd][8]));
          }
          else
          {
--- 248,254 ----
           else if (!strncmp(argV[argInd], "-locale=", 8))
          {
               // Get out the end of line
!              strncpy(localeStr, &(argV[argInd][8]), sizeof localeStr);
          }
          else
          {
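
Review bot: On the changed line at 251, strncpy(localeStr, &(argV[argInd][8]), sizeof localeStr) stops the write past the buffer but does not NUL-terminate localeStr when the -locale= value is 64 bytes or longer, so any later use of localeStr as a C string can read past the end of the array. Copy at most sizeof localeStr - 1 bytes and then set localeStr[sizeof localeStr - 1] = '\0', or check strlen of the argument first and reject an over-long value with a usage error instead of silently truncating the locale name.
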
***************
*** 431,434 ****
          return 0;

  }
-
--- 431,433 ----
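
Review bot: The hunk at 431-434 only removes a trailing blank line at the end of the file and has nothing to do with the overflow fix. Drop it from this patch so the security change stays a single-line diff that is easy to audit and apply to other revisions.
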