Thanks for that Alan - I had no idea, and have been looking at lots of C code lately that probably has the same mistakes. I will keep an eye on that.

Ok this patch is turning into a trainwreck - to everyone please be careful when applying it. Actually my original idea was more to point to the vulnerabilities than to actually provide a working patch, but since lcms1 is not maintained actively any more I decided to produce this. I guess in the future I will say any patches I send are "provided only as an example" and should not be applied directly..

Regards,
Pedro

Kind regards,
*Pedro Ribeiro*
Information Security Consultant
Professional Bug Hunter

On 6 August 2013 00:35, Alan Coopersmith <alan.coopersm...@oracle.com> wrote:
>> void GetLine(char* Buffer)
>> {
>> - scanf("%s", Buffer);
>> + size_t Buffer_size = sizeof(Buffer);
>> + fgets(Buffer, (Buffer_size - 1), stdin);
>> + sscanf(Buffer,"%s");
>>
>
> sizeof() in the C language does not reach through a pointer to find the size of
> the underlying object - that code will always set Buffer_size to the size of
> the pointer itself (4 bytes on 32-bit, 8 bytes on 64-bit), not the size of the
> buffer the pointer is pointing to.
>
> [Noticed when someone suggested we apply the patch from Debian to our packages
> as well.]
>
> --
> -Alan Coopersmith- alan.coopersm...@oracle.com
> Oracle Solaris Engineering - http://blogs.oracle.com/alanc
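Review bot: the added line `+ sscanf(Buffer,"%s");` supplies a `%s` conversion with no destination argument, which is undefined behaviour and stores nothing, so it should be dropped; after `fgets` the line is already in `Buffer` (with its trailing newline, which `scanf("%s")` never stored and which the caller may need stripped). Taken together with the `sizeof(Buffer)` problem raised above, the hunk cannot bound the read from inside `GetLine(char* Buffer)` at all: the buffer length has to come from the caller, e.g. `void GetLine(char* Buffer, size_t Buffer_size)` with `fgets(Buffer, Buffer_size, stdin)`. The `- 1` is unnecessary since `fgets` already reserves one byte for the terminator, and the `fgets` return value should be checked for EOF/error.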
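As an added example (not code from this thread, from lcms1 or from the Debian patch), the following C shows the sizeof behaviour Alan describes and a bounded replacement for GetLine that takes the buffer length from the caller, since sizeof cannot recover it through a pointer. The FILE* parameter, the tmpfile()-based helper and the sample input are assumptions made so the code runs without a terminal.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Inside a function a "char *" parameter is only a pointer, so sizeof yields
 * the pointer size (4 or 8), never the length of the array it points to. */
size_t sizeof_via_pointer(char *Buffer)
{
    return sizeof(Buffer);
}

/* Reads one line into Buffer, which the caller declares to hold Buffer_size
 * bytes. Returns true on success; false on EOF/error or on an over-long line
 * (the excess is discarded so it cannot bleed into the next read). */
bool GetLine(char *Buffer, size_t Buffer_size, FILE *in)
{
    if (Buffer == NULL || Buffer_size == 0)
        return false;
    /* fgets reads at most Buffer_size - 1 bytes and always NUL-terminates. */
    if (fgets(Buffer, (int)Buffer_size, in) == NULL) {
        Buffer[0] = '\0';
        return false;
    }
    size_t len = strlen(Buffer);
    if (len > 0 && Buffer[len - 1] == '\n') {
        Buffer[len - 1] = '\0';     /* strip the newline scanf("%s") never stored */
        return true;
    }
    /* No newline: the line did not fit. Drain the remainder so the caller
     * sees a truncated line instead of mistaking the tail for a new line. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return false;
}

/* Assumed helper: feeds constructed input through a temporary file so
 * GetLine can be exercised offline. */
static FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Runs the constructed scenario; returns how many of the 5 checks passed. */
int demo(void)
{
    char buf[16];
    int passed = 0;

    if (sizeof buf == 16) passed++;                          /* array: real size */
    if (sizeof_via_pointer(buf) == sizeof(char *)) passed++; /* pointer: 4 or 8 */

    /* Constructed input: one line that fits, one that does not, one more. */
    FILE *in = stream_from("short line\nthis line is far too long for the buffer\nnext\n");
    if (in == NULL)
        return passed;
    if (GetLine(buf, sizeof buf, in) && strcmp(buf, "short line") == 0) passed++;
    /* Over-long line: truncated to 15 chars, reported as failure, rest drained. */
    if (!GetLine(buf, sizeof buf, in) && strcmp(buf, "this line is fa") == 0) passed++;
    if (GetLine(buf, sizeof buf, in) && strcmp(buf, "next") == 0) passed++;
    fclose(in);
    return passed;
}

int main(void)
{
    printf("%d of 5 checks passed\n", demo());
    return 0;
}
```

The point of passing `sizeof buf` at the call site is that the array's real size is only known where the array is declared; once it has decayed to a pointer that information is gone, which is exactly why the patched `GetLine` could not work.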