
remove potentially dangerous pointer access

1 parent 362a641 commit 223d18ad61017bf7eec0002ef37fc4839eb69386 @rofl0r committed Oct 26, 2011
Showing with 3 additions and 2 deletions.
  1. +3 −2 display.c
@@ -266,13 +266,14 @@ void ungetstr(char *s)
int get_number(INT *i)
{
int err;
+ long long i_cast = *i;
char tmp[BLOCK_SEARCH_SIZE];
echo();
getnstr(tmp, BLOCK_SEARCH_SIZE - 1);
noecho();
if (strbeginswith(tmp, "0x"))
- err = sscanf(tmp + strlen("0x"), "%llx", i);
+ err = sscanf(tmp + strlen("0x"), "%llx", &i_cast);
else
- err = sscanf(tmp, "%lld", i);
+ err = sscanf(tmp, "%lld", &i_cast);
return err == 1;
}
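Review bot: the scanned value never reaches the caller in this hunk: both sscanf calls now write into the local `i_cast`, but `*i` is never assigned before `return err == 1;`, so get_number's out-parameter is left untouched. Store it back on success, e.g. `if (err == 1) *i = i_cast;`. The initializer `long long i_cast = *i;` also reads `*i` before the function has produced a value, which an output parameter does not need; a plain `long long i_cast;` suffices.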

3 comments on commit 223d18a

pixel replied May 9, 2012

Hi,

I'm the author of hexedit (available here: https://github.com/pixel/hexedit).

I was reviewing your commits for inclusion. But I really don't understand your commit: in function get_number, "i" parameter is OUT, not IN.
I would have done the following:

  • sscanf on tmp_i
  • at the end *i = tmp_i;

rofl0r replied May 9, 2012

you are right, fixed in e0870a0


rofl0r replied May 9, 2012

I hope you see the issue that the old code would overwrite random memory if off_t happens to be 32bit?
scanf assumes it gets a pointer to a long long.
(found via gcc warnings)

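The pattern the two comments converge on (scan into a long long temporary that matches the `%lld`/`%llx` conversions, then store into the narrower output only after checking it fits), written out as an added example rather than hexedit's own code. It assumes INT is 32-bit to model the off_t case rofl0r describes, and uses strncmp in place of hexedit's strbeginswith.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumption for this example: INT (hexedit's off_t-like type) is 32-bit,
   i.e. narrower than the 8 bytes that "%lld"/"%llx" write. */
typedef int32_t INT;

/* Parse a decimal or 0x-prefixed hex string like get_number() does.
   Scanning goes into a temporary of the width sscanf actually requires;
   the out-parameter is only written once the value is known to fit.
   Returns 1 on success, 0 on parse failure or out-of-range input. */
int parse_number(const char *tmp, INT *out)
{
    long long tmp_i;

    if (strncmp(tmp, "0x", 2) == 0) {
        /* "%llx" expects an unsigned long long target */
        unsigned long long u;
        if (sscanf(tmp + 2, "%llx", &u) != 1 || u > (unsigned long long)INT32_MAX)
            return 0;
        tmp_i = (long long)u;
    } else {
        if (sscanf(tmp, "%lld", &tmp_i) != 1)
            return 0;
    }
    /* Narrowing check: reject anything a 32-bit INT cannot hold. */
    if (tmp_i < INT32_MIN || tmp_i > INT32_MAX)
        return 0;
    *out = (INT)tmp_i;   /* the store back to the OUT parameter */
    return 1;
}

/* Helper for checking: 1 if s parses and equals expected, else 0. */
int parse_ok(const char *s, INT expected)
{
    INT v = 0;
    return parse_number(s, &v) == 1 && v == expected;
}

/* Helper for checking: 1 if s is rejected, else 0. */
int parse_rejected(const char *s)
{
    INT v = 0;
    return parse_number(s, &v) == 0;
}
```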