risk of writing outside the reserved memory
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
HPLIP | New | Undecided | Unassigned | | |
Bug Description
in file /hplip-
in function
```c
/* Parse device model from uri string. */
int hpmud_get_
{
    char *p;
    int i;

    if (uri == 0 || uri[0] == 0)
        return 0;

    buf[0] = 0;

    if ((p = strstr(uri, "/")) == NULL)
        return 0;
    if ((p = strstr(p+1, "/")) == NULL)
        return 0;
    p++;

    for (i=0; (p[i] != '?') && (i < buf_size); i++)
        buf[i] = p[i];

    buf[i] = 0;

    return i;
}
```
The operation `buf[i] = 0;` could be executed with i equal to buf_size, which is outside the reserved memory.
Reason: the loop stops when i is equal to buf_size.
So the instruction `for (i=0; (p[i] != '?') && (i < buf_size); i++)`
has to be corrected as: `for (i=0; (p[i] != '?') && (i < buf_size-1); i++)`
This seems to be generic and has to be propagated to all similar loops.
Regards
Jean COLIN
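
The off-by-one described in this report can be observed without corrupting memory by giving the parser a buffer with one spare guard byte. The following is an added example, not HPLIP code: the function names `parse_model_reported`, `parse_model_fixed`, `model_start` and `guard_clobbered`, the parameter list, the sample URI, and the extra NUL and argument checks in the fixed version are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Text after the second '/' of the URI, or NULL (same search as the report). */
static const char *model_start(const char *uri)
{
    const char *p = (uri && uri[0]) ? strstr(uri, "/") : NULL;
    if (p) p = strstr(p + 1, "/");
    return p ? p + 1 : NULL;
}

/* Loop as quoted in the report: i can reach buf_size, so buf[buf_size] is written. */
int parse_model_reported(const char *uri, char *buf, int buf_size)
{
    const char *p = model_start(uri);
    int i;
    if (p == NULL) return 0;
    for (i = 0; (p[i] != '?') && (i < buf_size); i++)
        buf[i] = p[i];
    buf[i] = 0;
    return i;
}

/* Bound proposed in the report; the NUL and argument checks are added assumptions. */
int parse_model_fixed(const char *uri, char *buf, int buf_size)
{
    const char *p = model_start(uri);
    int i;
    if (p == NULL || buf == NULL || buf_size <= 0) return 0;
    for (i = 0; p[i] != '?' && p[i] != 0 && i < buf_size - 1; i++)
        buf[i] = p[i];
    buf[i] = 0;
    return i;
}

/* Hands the parser 8 bytes plus one guard byte; returns 1 if the guard was overwritten. */
int guard_clobbered(int (*parse)(const char *, char *, int), const char *uri)
{
    char mem[9];
    memset(mem, 0x7f, sizeof mem);
    parse(uri, mem, 8);
    return mem[8] != 0x7f;
}

int main(void)
{
    const char *uri = "hp:/usb/Deskjet_5900_series?serial=X"; /* constructed sample */
    printf("reported=%d fixed=%d\n", guard_clobbered(parse_model_reported, uri), guard_clobbered(parse_model_fixed, uri));
    return 0;
}
```

With the reported loop the terminator lands on the guard byte at index `buf_size`; with the `buf_size - 1` bound the model is truncated to 7 characters and the guard stays intact.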