Fix stack buffer overflow in nc4_check_name()

nc4_check_name() checks that the provided string doesn't exceed NC_MAX_NAME,
but fails to do so after calling nc_utf8_normalize(). This extra check is
needed since a caller of nc4_check_name(), like NC4_def_dim, allocates
norm_name as char norm_name[NC_MAX_NAME + 1].

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2840
Credit to OSS-Fuzz
Even Rouault 2017-08-02 21:54:25 +02:00
parent d18378c69b
commit 1989ddc252

@ -102,6 +102,11 @@ nc4_check_name(const char *name, char *norm_name)
retval = nc_utf8_normalize((const unsigned char *)name,(unsigned char**)&temp); retval = nc_utf8_normalize((const unsigned char *)name,(unsigned char**)&temp);
if(retval != NC_NOERR) if(retval != NC_NOERR)
return retval; return retval;
if( strlen(temp) > NC_MAX_NAME )
{
free(temp);
return NC_EMAXNAME;
}
strcpy(norm_name, temp); strcpy(norm_name, temp);
free(temp); free(temp);
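
Review bot: the strcpy into norm_name that follows the new `strlen(temp) > NC_MAX_NAME` check is safe only if every caller passes a buffer of at least NC_MAX_NAME + 1 bytes, and nothing in this hunk states or enforces that. nc4_check_name() receives norm_name as a bare char * with no size, so I would document the required size in the function's comment (the commit message cites NC4_def_dim's `char norm_name[NC_MAX_NAME + 1]` as the assumed layout), or pass the destination size in and compare against it. A one-line comment above the check, saying that the normalized string can exceed the limit even when the input name passed the earlier length check, would keep it from being removed as redundant later. Minor style point: `if( strlen(temp) > NC_MAX_NAME )` with its brace on a separate line differs from the `if(retval != NC_NOERR)` just above it. A regression test using a name whose normalized form is longer than NC_MAX_NAME would be worth adding with this fix.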