Hi,

> so, when does that bit of code happen? ie, when is it not a stream, and
> could that then be dangerous?

If you create a profile using cmsOpenProfileFromFile(..., "w"), and then, after adding a new tag by means of cmsAddTag() and before you close the profile, you read back the value, then this code is being called. It is just for completeness' sake, as it is not very frequent to read the contents of the file you are currently writing.

Dangerous... well, if you mean it can be exploited as a security hole, I guess it is not possible at all. You cannot reach this part by opening a file. Maybe it should just raise an error, but anyway the code needed to support this feature is smaller than that needed to raise an error, so...

> and staying with this topic, do you safely handle corrupted profiles
> with -ve offsets? (or sizes)

Should be safer than anterior versions. The FileSeek and MemorySeek, as well as FileRead and MemoryRead methods, now raise errors when they detect out-of-bounds requests. That flags such a profile as unusable, but I guess any profile with corrupted offsets is not valid at all.

Many thanks again for reviewing the code. I really appreciate your effort!

Regards
Marti Maria
The littleCMS project
http://www.littlecms.com

----- Original Message -----
From: "Louis Solomon [SteelBytes]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 16, 2006 11:51 AM
Subject: Re: [Lcms-user] 1.16b

>>>> cmsTakeProductDesc() is risking buffer overflow into Name[] when
>>>> calling
>>>> cmsReadICCText()
>>
>> I don't think so, 1.16 has a modified cmsReadICCText() which would take
>> LCMS_DESC_MAX chars at most. This value is 512. Maybe I'm wrong, and
>> still there is a vulnerability, could you please explain where?
>
> ok, you're right (on stepping through with a debugger)
> I had only read the code quickly, and saw in cmsReadICCText()
>
>     if (!Icc -> stream) {
>         CopyMemory(Name, Icc -> TagPtrs[n], Icc -> TagSizes[n]);
>         return (int) Icc -> TagSizes[n];
>     }
>
> and assumed that since I was using a profile in memory (not a file) opened
> with cmsOpenProfileFromMem(), that it would not be a stream, and hence it
> would be doing that CopyMemory with no length limiting.
>
> so, when does that bit of code happen? ie, when is it not a stream, and
> could that then be dangerous?
>
> and staying with this topic, do you safely handle corrupted profiles
> with -ve offsets? (or sizes)
>
> Louis Solomon
> www.SteelBytes.com
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "Louis Solomon [SteelBytes]" <[EMAIL PROTECTED]>
> Cc: "lcms-user" <lcms-user@lists.sourceforge.net>
> Sent: Wednesday, August 16, 2006 6:56 PM
> Subject: Re: [Lcms-user] 1.16b
>
>>
>> Hi,
>> Many thanks for the feedback.
>>
>>>> cmsTakeProductDesc() is risking buffer overflow into Name[] when
>>>> calling
>>>> cmsReadICCText()
>>
>> I don't think so, 1.16 has a modified cmsReadICCText() which would take
>> LCMS_DESC_MAX chars at most. This value is 512. Maybe I'm wrong, and
>> still there is a vulnerability, could you please explain where?
>>
>>> also when compiling with VS2005Pro I get
>>>
>>> cmsintrp.c(425) : warning C4740: flow in or out of inline asm code
>>> suppresses global optimization
>>
>> Yep, that's not very nice. Unfortunately, Borland 5.5 needs such a
>> construct in order to work, and since it is just a warning I left
>> it unchanged. I realize there are not many people using BC 5.5
>> right now, but dropping support for a (historic!) compiler is
>> not nice either.
>>
>> Anyway, I will try to get rid of the warning by other means.
>>
>> Regards
>> Marti.
>

_______________________________________________
Lcms-user mailing list
Lcms-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lcms-user
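As an added illustration of the two checks discussed in this thread (the MemorySeek/MemoryRead methods refusing out-of-bounds requests from a corrupted tag table, and the text copy into Name[] being limited to LCMS_DESC_MAX, quoted above as 512), here is a small self-contained C sketch. It is not lcms code and not Marti's implementation: the MemProfile type, mem_seek, mem_read, read_text_tag, DESC_MAX and the two sample buffers are hypothetical names and constructed data chosen for this example, and the "profile" is just a byte array with a string in it, not a real ICC header or tag directory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_MAX 512  /* plays the role of the 512-char LCMS_DESC_MAX limit quoted in the thread */

typedef struct {
    const uint8_t *data;   /* whole profile held in memory (cmsOpenProfileFromMem style) */
    size_t         size;   /* total length of that buffer */
    size_t         pos;    /* current read position */
} MemProfile;

/* Seek to an absolute offset; refuse anything past the end of the buffer.
   Tag offsets are unsigned 32-bit fields in the file, so a "negative" value
   such as 0xFFFFFFF0 arrives as a huge positive number and is refused too. */
int mem_seek(MemProfile *p, uint32_t offset) {
    if ((size_t)offset > p->size) return 0;
    p->pos = (size_t)offset;
    return 1;
}

/* Read count bytes at the current position. The bound is written as
   count > size - pos rather than pos + count > size so that the check
   itself cannot overflow on a huge count. */
int mem_read(MemProfile *p, void *dst, size_t count) {
    if (count > p->size - p->pos) return 0;
    memcpy(dst, p->data + p->pos, count);
    p->pos += count;
    return 1;
}

/* Read a text tag described by (offset, size) into a fixed Name[DESC_MAX].
   The declared size is first validated in full against the buffer (a tag
   that claims more bytes than exist is corrupt and rejected outright), then
   the copy is clamped to DESC_MAX - 1 and NUL-terminated.
   Returns the number of bytes stored, or -1 when the tag is rejected. */
int read_text_tag(MemProfile *p, uint32_t offset, uint32_t size, char Name[DESC_MAX]) {
    if (!mem_seek(p, offset)) return -1;                /* offset out of bounds */
    if ((size_t)size > p->size - p->pos) return -1;    /* size runs past the end */
    size_t n = size < DESC_MAX - 1 ? size : DESC_MAX - 1;
    if (!mem_read(p, Name, n)) return -1;
    Name[n] = '\0';
    return (int)n;
}

/* Constructed sample: a 64-byte "profile" whose only content is a
   description string placed at offset 16. */
static uint8_t sample_bytes[64];
static const char *SAMPLE_TEXT = "Sample profile description";  /* 26 chars */

MemProfile sample_profile(void) {
    memset(sample_bytes, 0, sizeof sample_bytes);
    memcpy(sample_bytes + 16, SAMPLE_TEXT, strlen(SAMPLE_TEXT));
    MemProfile p = { sample_bytes, sizeof sample_bytes, 0 };
    return p;
}

/* Second constructed sample: 1024 bytes of 'A', to exercise the DESC_MAX clamp. */
static uint8_t long_bytes[1024];

MemProfile long_profile(void) {
    memset(long_bytes, 'A', sizeof long_bytes);
    MemProfile p = { long_bytes, sizeof long_bytes, 0 };
    return p;
}

int main(void) {
    char Name[DESC_MAX];
    MemProfile p = sample_profile();

    printf("valid tag:             %d\n", read_text_tag(&p, 16, 26, Name));          /* 26 */
    printf("negative offset:       %d\n", read_text_tag(&p, 0xFFFFFFF0u, 26, Name)); /* -1 */
    printf("oversized size:        %d\n", read_text_tag(&p, 16, 0xFFFFFFFFu, Name)); /* -1 */
    printf("past the end:          %d\n", read_text_tag(&p, 60, 8, Name));           /* -1 */

    MemProfile q = long_profile();
    printf("clamped to DESC_MAX-1: %d\n", read_text_tag(&q, 0, 1000, Name));         /* 511 */
    return 0;
}
```

The point of keeping the two checks separate is that they catch different corruptions: the seek check rejects an offset outside the buffer (which is where a "negative" 32-bit offset ends up), and the size check rejects a tag whose declared length reaches past the end even when its offset is fine. Only after the tag is known to lie wholly inside the buffer is the copy into the fixed-size Name[] clamped, so a long but well-formed description is truncated rather than overflowing the destination.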