3 comments on commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
length checks when looking for control files
Showing 2 changed files with 19 additions and 13 deletions.
Comment on 2f08413:
Hello, I want to ask why the 33 judged here has become 44, 41, and 105?
I see: "During this stage at chmd_read_headers(), if a CHM file starts with '::' and is shorter than 33 bytes, a heap-based buffer overflow happens due to an out-of-bounds read."
Please help me answer this doubt. Thanks.
Comment on 2f08413:
40, 44, 41 and 105 are the lengths of content_name, control_name, spaninfo_name and rtable_name respectively.

If the file name is shorter than 33 bytes, `name_len` is also less than 33, and so the short-circuiting expressions `name_len == 40`, `name_len == 44`, `name_len == 41` and `name_len == 105` all evaluate to false, and memcmp() is never called.

The 33 was previously used as it was the length of the prefix all these control filenames shared. To save memory and CPU cycles, the old code checked the filename for this prefix, and then checked the rest of the filename. However, it was flawed, and its replacement is faster as most filenames are not precisely 40/44/41/105 bytes long, so fewer string comparisons are made.
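As an added illustration of the length-first check described in the reply above (example code written for this page, not libmspack's own source): the four control-file names are reproduced from libmspack's chmd.c as an assumption, since this page only gives their lengths (40, 44, 41 and 105, all sharing a 33-byte prefix). classify_fixed() mirrors the `name_len == N && memcmp()` pattern, so memcmp() never runs on a buffer shorter than the compared length. classify_old_model() models the older prefix-first approach and, rather than performing the out-of-bounds read that a fixed 33-byte memcmp() would make on a name shorter than 33 bytes, reports it through an output flag. The sample names in main() are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* CHM control-file names as libmspack's chmd.c defines them (assumed here; the
 * page only states their lengths 40, 44, 41 and 105). All share a 33-byte prefix. */
static const char content_name[]  = "::DataSpace/Storage/MSCompressed/Content";
static const char control_name[]  = "::DataSpace/Storage/MSCompressed/ControlData";
static const char spaninfo_name[] = "::DataSpace/Storage/MSCompressed/SpanInfo";
static const char rtable_name[]   = "::DataSpace/Storage/MSCompressed/Transform/"
    "{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable";
#define SHARED_PREFIX_LEN 33

enum control_file { CF_NONE = 0, CF_CONTENT, CF_CONTROL, CF_SPANINFO, CF_RTABLE };

/* Length of each name, so the 40/44/41/105 quoted in the thread can be confirmed. */
size_t control_name_len(enum control_file which) {
    switch (which) {
    case CF_CONTENT:  return sizeof(content_name) - 1;
    case CF_CONTROL:  return sizeof(control_name) - 1;
    case CF_SPANINFO: return sizeof(spaninfo_name) - 1;
    case CF_RTABLE:   return sizeof(rtable_name) - 1;
    default:          return 0;
    }
}

/* Fixed logic as the commit describes it: compare the length first. Because &&
 * short-circuits, memcmp() only runs when name_len equals the candidate's length,
 * so it never touches bytes beyond the name_len bytes the caller actually owns. */
enum control_file classify_fixed(const unsigned char *name, size_t name_len) {
    if (name_len == 40  && memcmp(name, content_name,  40)  == 0) return CF_CONTENT;
    if (name_len == 44  && memcmp(name, control_name,  44)  == 0) return CF_CONTROL;
    if (name_len == 41  && memcmp(name, spaninfo_name, 41)  == 0) return CF_SPANINFO;
    if (name_len == 105 && memcmp(name, rtable_name,   105) == 0) return CF_RTABLE;
    return CF_NONE;
}

/* Model of the flawed pre-fix approach: match the 33-byte shared prefix first, then
 * the remainder. A real memcmp(name, prefix, 33) on a name shorter than 33 bytes
 * reads past the end of the buffer; this model sets *oob instead of doing the read. */
enum control_file classify_old_model(const unsigned char *name, size_t name_len, int *oob) {
    *oob = name_len < SHARED_PREFIX_LEN;
    if (*oob) return CF_NONE;               /* the unsafe read would have happened here */
    if (memcmp(name, content_name, SHARED_PREFIX_LEN) != 0) return CF_NONE;
    /* Second stage: the model length-checks the remainder, so only the prefix stage is unsafe. */
    return classify_fixed(name, name_len);
}

static void show(const char *label, const unsigned char *name, size_t name_len) {
    int oob = 0;
    enum control_file f = classify_fixed(name, name_len);
    enum control_file o = classify_old_model(name, name_len, &oob);
    printf("%-22s len=%3zu fixed=%d old=%d old_oob_read=%d\n", label, name_len, f, o, oob);
}

int main(void) {
    /* Constructed sample names, as a CHM directory listing might supply them. */
    const unsigned char two_colons[] = "::";                 /* the '::' case from the thread */
    const unsigned char short_name[] = "::DataSpace/Storage";
    const unsigned char near_miss[]  = "::DataSpace/Storage/MSCompressed/Contents"; /* 41 bytes */
    show("\"::\"", two_colons, 2);
    show("short prefix", short_name, sizeof(short_name) - 1);
    show("Content", (const unsigned char *)content_name, 40);
    show("near miss (41 bytes)", near_miss, sizeof(near_miss) - 1);
    show("ResetTable", (const unsigned char *)rtable_name, 105);
    return 0;
}
```

The "near miss" input is 41 bytes long, the same length as spaninfo_name, so it is the one case where the fixed code does call memcmp(): the length check admits it and the content check rejects it, all within the 41 bytes supplied. Every shorter name is rejected by the length comparisons alone.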
Comment on 2f08413:
Thank you very much for your patient answer, I understand. It is great!