risk of writing outside the reserved memory

Bug #2077277 reported by Jean COLIN
This bug affects 1 person
Affects: HPLIP
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

in file /hplip-3.24.4/io/hpmud/hpmud.c

in function
/* Parse device model from uri string. */
int hpmud_get_uri_model(const char *uri, char *buf, int buf_size)
{
   char *p;
   int i;

   if (uri == 0 || uri[0] == 0)
     return 0;

   buf[0] = 0;

   if ((p = strstr(uri, "/")) == NULL)
      return 0;
   if ((p = strstr(p+1, "/")) == NULL)
      return 0;
   p++;

   for (i=0; (p[i] != '?') && (i < buf_size); i++)
      buf[i] = p[i];

   buf[i] = 0;

   return i;
}

the operation buf[i] = 0;
could be executed with i equal to buf_size ... which is outside the reserved memory
reason: the loop stops when i is equal to buf_size

so the instruction for (i=0; (p[i] != '?') && (i < buf_size); i++)
has to be corrected as : for (i=0; (p[i] != '?') && (i < buf_size-1); i++)

seems to be generic and has to be propagated to all similar loops

Regards

Jean COLIN
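
Added example, not part of the original report or of the HPLIP sources: the quoted copy loop next to a bounded version, run with a declared size smaller than the real array so the one-byte overrun is visible without corrupting memory. The names model_start, model_reported, model_bounded and byte_past_end and the sample URI are assumptions made for this illustration; the bounded version also stops at the end of the string, which goes beyond the fix proposed above.

```c
#include <stdio.h>
#include <string.h>
/* Text after the second '/', located the same way as in the report. */
static const char *model_start(const char *uri)
{
   const char *p = uri ? strstr(uri, "/") : NULL;
   return (p && (p = strstr(p + 1, "/"))) ? p + 1 : NULL;
}

/* Loop as quoted: a long model leaves i == buf_size, so buf[i] = 0 is out of range. */
static int model_reported(const char *uri, char *buf, int buf_size)
{
   const char *p = model_start(uri);
   int i;
   if (p == NULL)
      return 0;
   for (i = 0; (p[i] != '?') && (i < buf_size); i++)
      buf[i] = p[i];
   buf[i] = 0;
   return i;
}

/* Report's bound (buf_size-1) plus added guards: NULL, size and end-of-string checks. */
static int model_bounded(const char *uri, char *buf, int buf_size)
{
   const char *p = model_start(uri);
   int i;
   if (buf == NULL || buf_size <= 0)
      return 0;
   for (i = 0; p != NULL && p[i] != 0 && p[i] != '?' && i < buf_size - 1; i++)
      buf[i] = p[i];
   buf[i] = 0;
   return i;
}

/* Declared size 8 in a 16-byte canary-filled array (constructed input); returns byte 8. */
static int byte_past_end(int (*fn)(const char *, char *, int))
{
   char backing[16];
   memset(backing, 0x7f, sizeof backing);
   fn("hp:/usb/Deskjet_F300_series?serial=X", backing, 8);
   return backing[8];
}

int main(void)
{
   printf("reported 0x%02x, bounded 0x%02x\n", byte_past_end(model_reported), byte_past_end(model_bounded));
   return 0;
}
```

A canary value of 0x7f at index 8 means the byte just past the declared buffer was left untouched; 0x00 means the terminator was written there.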
