axis-c-dev mailing list archives

From "Atsushi Monna (JIRA)" <j...@apache.org>
Subject [jira] Created: (AXIS2C-724) potential access violation in dir_windows.c
Date Fri, 12 Oct 2007 01:21:50 GMT
potential access violation in dir_windows.c
-------------------------------------------

                 Key: AXIS2C-724
                 URL: https://issues.apache.org/jira/browse/AXIS2C-724
             Project: Axis2-C
          Issue Type: Bug
          Components: platforms/windows
    Affects Versions: 1.1.0
         Environment: OS:WindowsXP
            Reporter: Atsushi Monna


I think scandir() has a potential access violation in dir_windows.c.
The following is an excerpt from scandir().

int AXIS2_CALL scandir(const char *_dirname, 
	struct dirent **__namelist[], 
	int(*selector)(const struct dirent *entry), 
	int(*compare)(const struct dirent **__d1, const struct dirent **__d2))
{
    DIR            *dirp = NULL;
    struct dirent  **vector = NULL;
    struct dirent  *dp = NULL;
    int            vector_size = 0;
    int            nfiles = 0;

    if (!(dirp = opendir(_dirname)))
    {
        return -1;
    }

    while ((dp = readdir(dirp)))
    {

        dsize = (int)sizeof(struct dirent) + (int)((strlen(dp->d_name) + 1) * sizeof(char));
        newdp = (struct dirent *) malloc(dsize);

        if (newdp == NULL)
        {
            while (nfiles-- > 0)
            {
                free(vector[nfiles]);
            }
            free(vector);
            return -1;
        }
        vector[nfiles++] = (struct dirent *) memcpy(newdp, dp, dsize);
    }


memcpy() is used like this:
  vector[nfiles++] = (struct dirent *) memcpy(newdp, dp, dsize);

"dsize" is defined like this:
  dsize = (int)sizeof(struct dirent) + (int)((strlen(dp->d_name) + 1) * sizeof(char));

"dp" (the copy source) has only the size of "struct dirent", which is less than "dsize".
When memory beyond "dp" is accessed, there is a potential access violation.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
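
The size mismatch the report describes, as an added example (not Axis2/C code and not part of the original message). `struct demo_dirent` is a hypothetical stand-in that assumes the entry stores its name inline in a fixed array, and `dup_entry` is an illustrative bounded copy, not the project's fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the port's struct dirent (assumption: the name
 * is stored inline, so an entry is exactly sizeof(struct demo_dirent)). */
struct demo_dirent {
    long d_ino;
    char d_name[260];
};

/* Length the reported code passes to memcpy(): struct size + name length. */
size_t reported_copy_len(const struct demo_dirent *dp)
{
    return sizeof(struct demo_dirent) + (strlen(dp->d_name) + 1) * sizeof(char);
}

/* Bytes memcpy() would read past the end of *dp with that length. */
size_t overread_bytes(const struct demo_dirent *dp)
{
    return reported_copy_len(dp) - sizeof(*dp);
}

/* Bounded duplicate: allocate and copy exactly one object, never more than
 * the source holds. NULL on allocation failure or an unterminated name. */
struct demo_dirent *dup_entry(const struct demo_dirent *dp)
{
    struct demo_dirent *copy;

    if (memchr(dp->d_name, '\0', sizeof(dp->d_name)) == NULL)
        return NULL;
    copy = malloc(sizeof(*copy));
    if (copy != NULL)
        memcpy(copy, dp, sizeof(*copy));
    return copy;
}

int main(void)
{
    struct demo_dirent src = {0};   /* constructed sample entry */
    struct demo_dirent *copy;

    strcpy(src.d_name, "services.xml");
    printf("object %zu bytes, reported memcpy length %zu, over-read %zu\n",
           sizeof(src), reported_copy_len(&src), overread_bytes(&src));
    copy = dup_entry(&src);
    printf("bounded copy: %s\n", copy ? copy->d_name : "(allocation failed)");
    free(copy);
    return 0;
}
```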

