Re: off by 1 bug in poa.c

From: Paco Moya <Francisco Moya uclm es>
To: Michael Meeks <michael ximian com>
Cc: Paco Moya <fmoya inf-cr uclm es>, orbit <orbit-list gnome org>
Subject: Re: off by 1 bug in poa.c
Date: Mon, 31 Mar 2003 22:23:26 +0200

On Fri, Mar 28, 2003 at 04:19:23PM +0000, Michael Meeks wrote:
> Hi Paco,
> 
> On Tue, 2003-03-25 at 22:09, Paco Moya wrote:
> > In ORBit 2.6.0 poa.c:1340 it can be read:
> 
> 	Looks right to me off hand; it seems like it's checking for a '\0'
> inside the _buffer. I'd imagine reading off the end of that (length+1)
> would be a bad move / memory problem.
> 
> 	What issue are you seeing here ? do you have a regression test we can
> easily add to test/everything to test this problem now and in future ?

Either ObjectId_to_string or string_to_ObjectId is wrong.

IMHO a sequence of octets should not contain the terminal '\0'

Remember ObjectId is not a string, but a sequence of octets. '\0' is
a valid octet inside _buffer.

Cheers,
	Paco

References:
- off by 1 bug in poa.c
  - From: Paco Moya
- Re: off by 1 bug in poa.c
  - From: Michael Meeks

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]