Package: exactimage / 1.0.2-1

Fix-buffer-overflow-when-decoding-code128-code_set_c.patch
From: Sven Eckelmann <sven@narfation.org>
Date: Wed, 25 Feb 2015 12:49:39 +0100
Subject: Fix buffer overflow when decoding code128 code_set_c

A dual character string needs at least 3 bytes to be saved by sprintf. Saving
it in a 2 byte buffer will cause the 0-delimiter to overwrite other data on the
stack.

It is better to use snprintf to make sure that no data is written outside the
allocated buffer and provide 3 bytes for the buffer.

Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/exactimage/+bug/1425472
---
 bardecode/code128.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bardecode/code128.hh b/bardecode/code128.hh
index db1c4ff..296fc08 100644
--- a/bardecode/code128.hh
+++ b/bardecode/code128.hh
@@ -237,7 +237,7 @@ namespace BarDecode
         case code_set_c:
             if (c < 100) {
                 char str[3];
-                sprintf(str,"%02d",c);
+                snprintf(str,sizeof(str),"%02d",c);
                 return std::string(str);
             } else {
                 return std::string(1,caux[c-96]);
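
Review bot: the commit message says the buffer is being given 3 bytes, but `char str[3];` is an unchanged context line in this hunk, so the only change here is `sprintf` to `snprintf`; the message should either drop the resizing claim or the resize belongs in this patch if the base really had a 2-byte buffer. Separately, the only guard visible is `c < 100`: if `c` is a signed type, a negative value formats to more than two characters and `snprintf(str,sizeof(str),"%02d",c)` will silently truncate it into a wrong two-character string. Consider also checking `c >= 0`, or checking the `snprintf` return value against `sizeof(str)` and rejecting the symbol on truncation. The `else` branch indexes `caux[c-96]` with no upper bound visible in this hunk, which is worth confirming against the size of `caux` while touching this code.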