Bugzilla – Bug 151308
libkexif-0.2.2-3: 4 * array subscript out of range
Last modified: 2006-02-22 14:04:42 UTC
I just tried to compile package libkexif-0.2.2-3 with a non-standard version of the GNU C compiler. It said

1. ./libkexif/kexifdata.cpp:228: warning: array subscript out of range

The source code is

    char val[1024];
    exif_entry_get_value(entry, val, 1023);
    // just in case we don't get a null-terminated string
    val[1024] = '\0';

Suspect broken code. Suggest code rework.

2. ./libkexif/kexifdata.cpp:252: warning: array subscript out of range
   ./libkexif/kexifdata.cpp:271: warning: array subscript out of range
   ./libkexif/kexifentry.cpp:106: warning: array subscript out of range

Duplicates.
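The defect in the quoted snippet is the index, not the intent: a `char val[1024]` has valid indices 0 to 1023, so `val[1024] = '\0'` stores a zero byte into whatever the compiler placed directly after the array on the stack, and it does so unconditionally, on every call. The following is an added example, not code from libkexif or libexif, showing the same "fetch into a fixed buffer, then force termination" pattern with the terminator placed at the last valid index. `fake_entry_get_value` is a constructed stand-in for `exif_entry_get_value` that may leave the buffer unterminated when the value does not fit; it is hypothetical and is not libexif's implementation.

```c
#include <stddef.h>
#include <string.h>

/* Buffer size used in the reported kexifdata.cpp snippet. */
#define VAL_SIZE 1024

/* Last index that may legally be written in an array of the given size.
   For VAL_SIZE this is 1023; the reported code writes index 1024. */
size_t last_valid_index(size_t array_size)
{
    return array_size - 1;
}

/* Constructed stand-in for exif_entry_get_value(): copies at most maxlen
   bytes of src into dst and deliberately does NOT terminate when the source
   is too long. This is the case the "just in case" comment guards against.
   Hypothetical; not libexif's real behaviour. */
static void fake_entry_get_value(const char *src, char *dst, size_t maxlen)
{
    size_t n = strlen(src);
    if (n > maxlen)
        n = maxlen;
    memcpy(dst, src, n);
    if (n < maxlen)
        dst[n] = '\0';
}

/* Hardened form of the reported pattern: request at most bufsize-1 bytes and
   force the terminator at bufsize-1, the last valid index, never at bufsize.
   Returns the length of the stored string. */
size_t get_value_terminated(const char *src, char *buf, size_t bufsize)
{
    if (bufsize == 0)
        return 0;
    fake_entry_get_value(src, buf, bufsize - 1);
    buf[bufsize - 1] = '\0';   /* index 1023 for a 1024-byte buffer */
    return strlen(buf);
}

/* Reproduces the scenario behind the report: a 1024-byte stack buffer and a
   value longer than the buffer. The result is truncated and terminated. */
size_t demo_oversized(void)
{
    char val[VAL_SIZE];
    char big[VAL_SIZE + 100];          /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return get_value_terminated(big, val, sizeof val);
}

/* Same path with a value that fits: it is stored intact. Returns 0 if the
   stored string equals the constructed input, non-zero otherwise. */
int demo_short(void)
{
    char val[VAL_SIZE];
    get_value_terminated("Canon", val, sizeof val);   /* constructed value */
    return strcmp(val, "Canon");
}
```

Writing `sizeof val - 1` instead of a literal keeps the index tied to the declaration, so a later change of the buffer size cannot reintroduce the off-by-one. The original write is off the end by exactly one byte and always stores zero, which is why the maintainer classifies it as stack corruption but not attacker-controlled; a bounds-checking compiler warning of the kind the reporter saw, or a sanitizer build, is the practical way to catch this class of constant-index overrun before release.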
actually -> kde-maintainers
where did you get that compiler from?
(In reply to comment #2)
> where did you get that compiler from?

my local GNU site + some local modifications by me. See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8268

If only I could figure out how to apply the patch, valid for gcc 3.4, onto gcc 4.0 ...
thanks. I'm working on a gcc patch. fix submitted - not security relevant as you can only overwrite off by one with a zero byte.
(In reply to comment #4)
> thanks. I'm working on a gcc patch.

Hurrah !

> fix submitted - not security relevant as
> you can only overwrite off by one with a zero byte.

I'm sorry, I don't understand this bit. Are you saying that it's ok to write one past the end of the array, if and only if you are writing a zero byte ?
It's not okay - it's still causing stack corruption. But it's not influenceable by maliciously crafted images; it happens always. As such, I don't think it has security implications.
It's fixed both upstream and in our package. Closing again.