Bugs item #2932605, was opened at 2010-01-15 06:48
Message generated for change (Tracker Item Submitted) made by nobody
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=462816&aid=2932605&group_id=51305

Category: wxJSON
Group: last released version
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: wxJSONWriter buffer overflow

Initial Comment:
wxJSONWriter can cause a buffer overflow when wxJSON_USE_UNICODE is defined.  
In writeIntValue and WriteUIntValue, the following causes a buffer overflow:

    char buffer[32];        // need to store 64-bits integers (max 20 digits)
                            // NOTE THAT THIS BUFFER'S MEMORY IS NOT ZEROED
    ...
        len = strlen( cbData );
        wxASSERT( len <= 32 );
        memcpy( buffer, cbData, len );  // <--- NOTE THAT buffer IS ONLY NULL-TERMINATED HERE IF YOU'RE LUCKY
    ...
    len = strlen( buffer );   // <--- THIS LENGTH IS INDETERMINATE BECAUSE buffer IS NOT NULL TERMINATED
    os.Write( buffer, len );  // <---- BUFFER OVERRUN!!!!!!!!!!!!!!

Something like this is a quick fix:
        wxASSERT( len < 32 );           // <--- len must be less than 32
        memcpy( buffer, cbData, len );
        buffer[len] = 0;                // <--- null terminate the string


----------------------------------------------------------------------
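
The failure mode and the quick fix from the report above, as an added C example that is not part of the original report or of the wxJSON sources. The helper names, the 0xAA fill standing in for non-zeroed stack memory, and the runtime length check used instead of an assert are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* same size as the buffer in the report */

/* Pattern from the report: copy len bytes, write no terminator.
 * Returns 1 if a NUL exists inside buf afterwards, 0 if strlen(buf)
 * would have to read past the end of the array. memchr is used so
 * the check itself never leaves the buffer. */
static int unfixed_copy_is_terminated(const char *src)
{
    char buf[BUF_SIZE];
    size_t len = strlen(src);

    memset(buf, 0xAA, sizeof buf);      /* stand-in for stale stack bytes */
    if (len > sizeof buf)
        return 0;                       /* would not even fit */
    memcpy(buf, src, len);              /* no buf[len] = 0 */
    return memchr(buf, 0, sizeof buf) != NULL;
}

/* Quick fix from the report: require len < size, then terminate.
 * Returns the string length now in dst, or -1 if src does not fit. */
static long fixed_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);

    if (dst_size == 0 || len >= dst_size)
        return -1;                      /* checked at run time (assumption) */
    memcpy(dst, src, len);
    dst[len] = 0;
    return (long)strlen(dst);           /* bounded: terminator is inside dst */
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *max_u64 = "18446744073709551615";  /* constructed: 20 digits */

    memset(buf, 0xAA, sizeof buf);
    printf("unfixed terminated: %d\n", unfixed_copy_is_terminated(max_u64));
    printf("fixed length: %ld\n", fixed_copy(buf, sizeof buf, max_u64));
    return 0;
}
```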
