
[Support #XLH-539346]: [UDUNITS-2] Buffer overrun in function printTimestamp



Pappoo Bombi,

Great catch and fix! Thank you.

This fix will be in the next release.

> There is a buffer overrun vulnerability in function printTimestamp.
> 
> The following code should output
> seco.XXXXXX
> but instead outputs
> seco.X sin.
> ----------------------------
> 
> #include <stdio.h>
> #include <string.h>
> #include "udunits2.h"
> 
> int
> main()
> {
>     ut_system *xmlSystem = ut_read_xml(NULL);
>     ut_unit *unit = ut_parse(xmlSystem, "second since 1970-01-01", UT_ASCII);
>     char buf[64];
>     int i;
> 
>     /* Fill the whole buffer with a sentinel so any write beyond the
>      * size passed to ut_format becomes visible. */
>     memset(buf, 'X', sizeof buf);
>     /* Deliberately pass 5 instead of sizeof buf so the timestamp part
>      * is written past the declared size. */
>     ut_format(unit, buf, 5 /*sizeof buf*/, UT_ASCII | UT_NAMES);
> 
>     /* Print the first 11 bytes, showing NUL as '.'. */
>     for (i = 0; i < 11; i++)
>         putchar(buf[i] ? buf[i] : '.');
>     putchar('\n');
>     return 0;
> }
> ----------------------------
> 
> The following patch fixes this issue.
> 
> diff --git a/lib/formatter.c b/lib/formatter.c
> index b6b1dc4..5979fc6 100644
> --- a/lib/formatter.c
> +++ b/lib/formatter.c
> @@ -1056,6 +1056,7 @@ printTimestamp(
> if (nchar >= 0) {
> int useSeparators = useNames || year < 1000 || year > 9999;
> 
> +        size = SUBTRACT_SIZET(size, n);
> n =  snprintf(buf+nchar, size,
> useSeparators
> ? " %s %d-%02d-%02d %02d:%02d"
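Review bot: the new `size = SUBTRACT_SIZET(size, n);` shrinks the remaining size by `n`, but the following `snprintf(buf+nchar, size, ...)` offsets the write by `nchar`, and the hunk does not show how `n` and `nchar` relate; please confirm that `n` at this point equals the number of bytes already consumed at `buf+nchar` (if `nchar` is cumulative and `n` is only the last fragment's return value, the remaining size is overestimated and the overrun is narrowed rather than removed). The fix also relies on `SUBTRACT_SIZET` saturating at 0 rather than wrapping when `n > size`, which is not visible here, and because `size` itself is reassigned, any later use of `size` in printTimestamp now sees the reduced value. The quoted patch is cut off after the format string, so the remainder of the hunk could not be reviewed.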


Regards,
Steve Emmerson
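
The pattern behind this report, written out as an added example that is not part of this thread or of the UDUNITS source: a chain of snprintf calls into one buffer, where the second call is offset by the first call's return value but still given the original size. snprintf returns the length the output would have had, not the length written, so the offset can exceed the limit. `format_unsafe`, `format_safe`, `bytes_written_past_limit` and `safe_output_is_complete` are constructed for illustration, and `subtract_sizet` is a hypothetical stand-in for the `SUBTRACT_SIZET` macro the patch names, whose real definition is not shown. The canary check mirrors the reproducer above (64-byte buffer filled with 'X', limit 5).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Saturating subtraction on size_t. A plain "size - n" wraps to a huge
 * value when n > size, which would hand snprintf a bogus limit. This is a
 * hypothetical stand-in for the SUBTRACT_SIZET macro named in the patch;
 * the real macro's definition is not shown in the thread. */
size_t subtract_sizet(size_t size, size_t n)
{
    return n >= size ? 0 : size - n;
}

/* Constructed model of the buggy pattern: the second snprintf starts at
 * buf + nchar but is still given the ORIGINAL size. Because snprintf
 * returns the would-be length, nchar can exceed size, and the second call
 * then writes past the caller's limit. Returns the would-be total length. */
int format_unsafe(char *buf, size_t size, const char *name, const char *stamp)
{
    int nchar = snprintf(buf, size, "%s", name);
    if (nchar >= 0) {
        /* BUG: size is not reduced by what the first call consumed. */
        int n = snprintf(buf + nchar, size, " since %s", stamp);
        if (n >= 0)
            nchar += n;
    }
    return nchar;
}

/* Fixed pattern: shrink the remaining size by what was already consumed
 * (saturating at 0) before writing the continuation. With 0 remaining,
 * snprintf writes nothing; the destination is reset to buf in that case so
 * no pointer past the caller's buffer is formed. */
int format_safe(char *buf, size_t size, const char *name, const char *stamp)
{
    int nchar = snprintf(buf, size, "%s", name);
    if (nchar >= 0) {
        size_t remaining = subtract_sizet(size, (size_t)nchar);
        int n = snprintf(remaining ? buf + nchar : buf, remaining, " since %s", stamp);
        if (n >= 0)
            nchar += n;
    }
    return nchar;
}

/* Canary check in the style of the report's reproducer: fill a 64-byte
 * buffer with 'X', format with a deliberately small limit, and count the
 * bytes at or beyond the limit that changed. 0 means no overrun. */
size_t bytes_written_past_limit(int (*fmt)(char *, size_t, const char *, const char *),
                                size_t limit)
{
    char buf[64];
    size_t i, dirty = 0;
    memset(buf, 'X', sizeof buf);
    fmt(buf, limit, "second", "1970-01-01");   /* constructed sample input */
    for (i = limit; i < sizeof buf; i++)
        if (buf[i] != 'X')
            dirty++;
    return dirty;
}

/* With a large enough buffer the fixed variant still yields the full
 * string and the full length; returns 1 on success, 0 otherwise. */
int safe_output_is_complete(void)
{
    char buf[64];
    int len = format_safe(buf, sizeof buf, "second", "1970-01-01");
    return len == 23 && strcmp(buf, "second since 1970-01-01") == 0;
}

int main(void)
{
    printf("unsafe: %zu bytes written past limit 5\n",
           bytes_written_past_limit(format_unsafe, 5));
    printf("safe:   %zu bytes written past limit 5\n",
           bytes_written_past_limit(format_safe, 5));
    return 0;
}
```

With limit 5 the unsafe variant truncates the first fragment to "seco" but still receives 6 from snprintf, so " sin" lands at offset 6, which is the "seco.X sin." output the report shows; the safe variant computes 0 remaining bytes and writes nothing further, while still returning the full would-be length so callers can size a retry.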

Ticket Details
===================
Ticket ID: XLH-539346
Department: Support UDUNITS
Priority: Normal
Status: Closed
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.