Hello guys,
I am using redland libs in a small in-house tool, and I think I have
spotted a minor memory overrun in Rasqal/Raptor on Win32.
In rasqal_query.c, function rasqal_query_prepare(), line 1108, you can
see a call to raptor_uri_filename_to_uri_string() with an empty string:
    if(base_uri)
      base_uri=raptor_uri_copy(base_uri);
    else {
      unsigned char *uri_string=raptor_uri_filename_to_uri_string(""); // HERE!
      base_uri=raptor_new_uri(uri_string);
      if(uri_string)
        raptor_free_memory(uri_string);
    }
However, in raptor_uri.c, function raptor_uri_filename_to_uri_string(),
line 571, you can see that we do not check the string length:
    #ifdef WIN32
      if(filename[1] == ':' && filename[2] != '\\') // Memory overrun here!
        len+=3; /* relative filename - add / and ./ */
      else if(*filename == '\\')
        len-=2; /* two // from not needed in filename */
      else
        len++; /* / at start of path */
    #else
I guess calling strlen() would do the trick, but I am not sure it
would be so efficient:
    if( (strlen(filename) >= 3) && filename[1] == ':' && filename[2] != '\\')
Aymeric
This email was sent to you by Thomson Reuters, the global news and information
company.
Any views expressed in this message are those of the individual sender, except
where the sender specifically states them to be the views of Thomson Reuters.
_______________________________________________
redland-dev mailing list
[email protected]
http://lists.librdf.org/mailman/listinfo/redland-dev
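Added example (not raptor's code and not part of the mail above): the Win32 length adjustment reproduced with its unchecked indexing, beside a variant that guards each index by the previous byte instead of calling strlen(). Function names and the stale-byte buffer are constructed for the demo.

```c
#include <stdio.h>

/* The Win32 length adjustment from raptor_uri_filename_to_uri_string() as
 * quoted in the mail, with the unchecked indexing kept so the bug is visible.
 * For an empty string, filename[1] and filename[2] lie past the terminator. */
int win32_len_adjust_unchecked(const char *filename)
{
    if (filename[1] == ':' && filename[2] != '\\')
        return 3;        /* relative drive path: add "/" and "./" */
    else if (*filename == '\\')
        return -2;       /* leading "\\" not needed */
    else
        return 1;        /* "/" at start of path */
}

/* Hardened variant: each byte is examined only after the previous one was
 * seen to be non-NUL. filename[1] is read only if filename[0] is not the
 * terminator, and filename[2] only if filename[1] == ':', so no byte past
 * the terminator is touched and no separate strlen() pass is needed. */
int win32_len_adjust_checked(const char *filename)
{
    if (filename[0] != '\0' && filename[1] == ':' && filename[2] != '\\')
        return 3;
    else if (*filename == '\\')
        return -2;
    else
        return 1;
}

/* Constructed input: an empty string followed by stale bytes ":x" inside a
 * 4-byte buffer, the kind of leftover a neighbouring allocation can leave.
 * Both reads stay inside the buffer, so the demo itself is well-defined;
 * the unchecked version still decides based on bytes past the terminator. */
int adjust_empty_with_stale_bytes(int use_checked)
{
    char buf[4] = { '\0', ':', 'x', '\0' };
    return use_checked ? win32_len_adjust_checked(buf)
                       : win32_len_adjust_unchecked(buf);
}

int main(void)
{
    printf("unchecked(\"\" + stale \":x\") -> %+d\n", adjust_empty_with_stale_bytes(0));
    printf("checked  (\"\" + stale \":x\") -> %+d\n", adjust_empty_with_stale_bytes(1));
    printf("checked  (\"C:foo\")           -> %+d\n", win32_len_adjust_checked("C:foo"));
    printf("checked  (\"\\\\server\\\\x\")    -> %+d\n", win32_len_adjust_checked("\\\\server\\x"));
    return 0;
}
```

The unchecked version treats the empty string as a relative drive path (+3) purely because of the stale bytes, while the checked version returns +1 for it and still agrees with the original on well-formed inputs.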