Fix a buffer overflow.
This is only the minimum workaround to prevent buffer overflow:
Stop iterating once the (fixed!) size of the output buffers is
reached. In response to
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317

However, this code is a huge mess anyway and is in no way
anything like up-to-date C++ code. Please, anyone, replace it
with something more modern. Thanks.
cstim committed Sep 17, 2017
1 parent f589f0a commit a70934e
Showing 1 changed file with 11 additions and 4 deletions.
15 changes: 11 additions & 4 deletions lib/ofx_preproc.cpp
Expand Up @@ -417,7 +417,6 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
string sanitize_proprietary_tags(string input_string)
{
unsigned int i;
size_t input_string_size;
bool strip = false;
bool tag_open = false;
int tag_open_idx = 0; //Are we within < > ?
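Review bot: in the declarations at the top of `sanitize_proprietary_tags`, `i` stays `unsigned int` although the loop compares it with a `size_t` length, and `tag_open_idx` is a signed `int`. Declaring both as `size_t` keeps the index comparisons and array subscripts in one unsigned type. The trailing comment `//Are we within < > ?` is attached to `tag_open_idx` but reads like a description of `tag_open`; it should move up one line.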
Expand All @@ -438,9 +437,17 @@ string sanitize_proprietary_tags(string input_string)
close_tagname[i] = 0;
}

input_string_size = input_string.size();

for (i = 0; i < input_string_size; i++)
size_t input_string_size = input_string.size();

// Minimum workaround to prevent buffer overflow: Stop iterating
// once the (fixed!) size of the output buffers is reached. In
// response to
// https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317
//
// However, this code is a huge mess anyway and is in no way
// anything like up-to-date C++ code. Please, anyone, replace it
// with something more modern. Thanks. - cstim, 2017-09-17.
for (i = 0; i < std::min(input_string_size, size_t(READ_BUFFER_SIZE)); i++)
{
if (input_string.c_str()[i] == '<')
{
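Review bot: the new condition `i < std::min(input_string_size, size_t(READ_BUFFER_SIZE))` caps the input index, not the index actually written into the fixed-size output buffers, and it silently stops processing any input longer than `READ_BUFFER_SIZE` with no diagnostic. If the loop body ever writes at offset `i` and then needs a terminating 0 (as `close_tagname[i] = 0;` above suggests for these arrays), the bound should be `READ_BUFFER_SIZE - 1`, or the check should be made on the output index at each write. Please also state in the comment what happens to the unprocessed tail, and compute the limit once before the loop (`const size_t limit = std::min(...)`) rather than in the condition. Confirm that `<algorithm>` is included for `std::min`, since the diff does not show it.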