Thanks Johannes, it is fixed now.
Raghu 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Johannes
Meixner
Sent: Monday, February 05, 2007 5:38 AM
To: hplip-devel@lists.sourceforge.net
Subject: [HPLIP-Devel] too small string buffer overflows in ljcolor.cpp


Hello,

In hplip-1.7.1 in prnt/hpijs/ljcolor.cpp line 310 is
------------------------------------------------------------------
strcpy (res, "@PJL [EMAIL PROTECTED] USTATUS DEVICE  =
[EMAIL PROTECTED] USTATUS JOB = ON\015\012");
------------------------------------------------------------------
which copies 66 bytes plus a terminating null byte to res which
overflows the buffer "res" because line 275 is only
------------------------------------------------------------------
char    res[64];
------------------------------------------------------------------

Our newest GCC with certain special compiler flags enabled by default
finds this problem:
------------------------------------------------------------------
g++ -DPACKAGE_NAME=\"HP\ Printer\ Driver\" -DPACKAGE_TARNAME=\"hpijs\" 
-DPACKAGE_VERSION=\"2.7.1\" -DPACKAGE_STRING=\"HP\ Printer\ Driver\
2.7.1\" 
-DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"hpijs\" -DVERSION=\"2.7.1\"
-DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1
-DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1
-DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1
-DHAVE_LIBM=1 -DHAVE_LIBJPEG=1 -DHAVE_LIBDL=1 -DSTDC_HEADERS=1
-DHAVE_FCNTL_H=1 -DHAVE_MALLOC_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_UNISTD_H=1
-DHAVE_JPEGLIB_H=1 -DHAVE_UINT32_T=1 -DHAVE_STRTOD=1 -DHAVE_STRTOL=1
-I.     -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall
-ffortify=2 -fstack-protector -fno-strict-aliasing -DAPDK_LITTLE_ENDIAN
-DAPDK_DJ660 -DAPDK_DJ6xx -DAPDK_DJ6xxPhoto -DAPDK_DJ8xx -DAPDK_DJ9xx
-DAPDK_DJ9xxVIP -DAPDK_DJ630 -DAPDK_APOLLO2XXX -DAPDK_APOLLO21XX
-DAPDK_APOLLO2560 -DAPDK_DJ600 -DAPDK_DJ350 -DAPDK_DJ8x5 -DAPDK_PSP100
-DAPDK_AUTODUPLEX -DAPDK_HIGH_RES_MODES -DAPDK_LJMONO -DAPDK_DJ540
-DAPDK_DJ850 -DAPDK_DJ890 -DAPDK_DJ3320 -DAPDK_LJCOLOR
-DAPDK_DJGENERICVIP -DAPDK_LJJETREADY  -DAPDK_LJFASTRASTER
-DAPDK_BUFFER_SEND -DAPDK_LDL_COMPRESS -DAPDK_EXTENDED_MEDIASIZE
-DAPDK_MLC_PRINTER -DAPDK_DJ3600 -DAPDK_LINUX -DNDEBUG
-DAPDK_AUTO_INCLUDE -MT ljcolor.o -MD -MP -MF .deps/ljcolor.Tpo -c -o
ljcolor.o ljcolor.cpp
ljcolor.cpp: In member function 'virtual apdk::DRIVER_ERROR
apdk::HeaderLJColor::StartSend()':
ljcolor.cpp:310: warning: call to char* strcpy(char*, const  char*,
unsigned int) will always overflow destination buffer
------------------------------------------------------------------

The compiler no longer complains for

char    res[67];

i.e. there seems to be no string in ljcolor.cpp longer than the
above string in line 310.


Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH, Maxfeldstrasse 5      Mail: [EMAIL PROTECTED]
90409 Nuernberg, Germany                    WWW: http://www.suse.de/

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services,
security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
HPLIP-Devel mailing list
HPLIP-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/hplip-devel
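The defect in the report is the unchecked strcpy of a string literal into a fixed-size local array. As an added example (not code from hplip or from either mail), the snippet below shows that pattern next to two bounded replacements, a checked copy and an snprintf builder for the USTATUS lines; the PJL_HEADER literal is a constructed sample, not the exact string from ljcolor.cpp line 310.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of the kind of PJL header the report discusses; it is not
 * the exact literal from ljcolor.cpp line 310 (this one is 49 characters). */
static const char PJL_HEADER[] =
    "@PJL USTATUS DEVICE = ON\015\012"
    "@PJL USTATUS JOB = ON\015\012";

/* Unsafe pattern from the report: strcpy never sees the destination size, so
 * a 66-byte string into "char res[64]" writes past the end of the array. */
void copy_header_unchecked(char *res, const char *src)
{
    strcpy(res, src);
}

/* Checked replacement: returns 0 on success, -1 (leaving dst as an empty
 * string) when src plus its terminating NUL does not fit in dst_size bytes. */
int copy_header(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;   /* the +1 is the byte that overflowed */
    if (dst_size == 0 || need > dst_size) {
        if (dst_size) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* snprintf bounds the write and returns the full length it wanted to write,
 * so a return value >= dst_size means the output was truncated, not overrun. */
int build_ustatus(char *dst, size_t dst_size, const char *device, const char *job)
{
    return snprintf(dst, dst_size,
                    "@PJL USTATUS DEVICE = %s\015\012"
                    "@PJL USTATUS JOB = %s\015\012", device, job);
}

int main(void)
{
    char res[sizeof PJL_HEADER];     /* sized from the literal, NUL included */
    char small[32];                  /* deliberately too small */
    printf("copy into %zu bytes: %d\n", sizeof res, copy_header(res, sizeof res, PJL_HEADER));
    printf("copy into %zu bytes: %d\n", sizeof small, copy_header(small, sizeof small, PJL_HEADER));
    printf("snprintf wanted %d bytes, had %zu\n",
           build_ustatus(small, sizeof small, "ON", "ON"), sizeof small);
    return 0;
}
```

Sizing the array from `sizeof` of the literal, as `res` does in `main`, is the compile-time version of the `res[64]` to `res[67]` correction in the report.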
