Date: Mon, 9 Jul 2001 16:46:18 +0200
From: Johannes Steingraeber
To: pvdevelop
Subject: [pvdevelop] LibReadFile buffer overflow
Message-ID: <20010709164618.C1437@brodlin.uni-kiel.de>

Most probably you all know about this. The function LibFileRead()
happily writes behind the end of its buffer if you perform a binary
read of 0x0C00 bytes, e.g. into a variable of type FILE_BUF.

The overflow occurs whenever the size of the union fbuf is not a
multiple of FILE_BLOCK_SIZE (=64) and the record is as large as
bin_buf. PVOS (in case of FILE_KIND_BIN) always reads whole blocks
into the destination buffer. The first block will be written to
dummy_16by. The 24 bytes before bin_buf are responsible for the fact
that from the last block 64-24=40 bytes are written behind the end of
This had taken some nerves to discover :-(

Workaround: don't use FILE_BUF but a custom structure equal to
FILE_BUF but with

  byte bin_buf[3072+40];        /* Buffer to store real data (BINARY) 3KB */

Two "side effects" of the PVOS routines:

1. For records of a maximal length of 3072-24=3048 you can use the
   original FILE_BUF.

2. LibFileReadEx() always reads in (with block count = 1) a valid
   value for char_num, so you can get the record length in a safe way.
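A model of the block-rounding arithmetic behind the overflow and the two workarounds, added here as an example; it is not code from the mail or from PVOS. Only the facts stated above are used (64-byte blocks, 3072-byte bin_buf, 24 bytes of prefix in the union); the exact split of those 24 prefix bytes into fields is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_BLOCK_SIZE 64      /* PVOS reads whole 64-byte blocks */
#define BIN_BUF_LEN     3072    /* original FILE_BUF: 3 KB bin_buf */
#define BIN_PREFIX_LEN  24      /* bytes before bin_buf inside the union */

/* Assumed layout: 24 prefix bytes (dummy_16by etc.), then bin_buf. */
struct file_buf_model {
    uint8_t prefix[BIN_PREFIX_LEN];
    uint8_t bin_buf[BIN_BUF_LEN];
};

/* Bytes that a block-granular read of record_len bytes into bin_buf writes
 * past the end of a destination whose bin_buf holds buf_len bytes and starts
 * prefix_len bytes into the union. Returns 0 when the read fits. */
size_t overrun_bytes(size_t prefix_len, size_t buf_len, size_t record_len, size_t block)
{
    size_t end = prefix_len + record_len;                /* one past last data byte */
    size_t rounded = (end + block - 1) / block * block;  /* whole blocks from union start */
    size_t dest = prefix_len + buf_len;
    return rounded > dest ? rounded - dest : 0;
}

/* Replay the block-granular write into a sentinel-guarded arena and count the
 * sentinel bytes clobbered past the model struct (well-defined C, no real overflow). */
size_t simulate_block_read(size_t record_len)
{
    uint8_t arena[sizeof(struct file_buf_model) + 2 * FILE_BLOCK_SIZE];
    memset(arena, 0xEE, sizeof arena);                   /* 0xEE marks untouched bytes */
    size_t end = BIN_PREFIX_LEN + record_len;
    size_t nbytes = (end + FILE_BLOCK_SIZE - 1) / FILE_BLOCK_SIZE * FILE_BLOCK_SIZE;
    if (nbytes > sizeof arena) nbytes = sizeof arena;    /* keep the replay in bounds */
    memset(arena, 0x00, nbytes);                         /* the OS writes from union start */
    size_t clobbered = 0;
    for (size_t i = sizeof(struct file_buf_model); i < sizeof arena; i++)
        if (arena[i] != 0xEE) clobbered++;
    return clobbered;
}

int main(void)
{
    printf("FILE_BUF, 3072-byte record:      %zu bytes past end\n", simulate_block_read(3072));
    printf("FILE_BUF, 3048-byte record:      %zu bytes past end\n", simulate_block_read(3048));
    printf("bin_buf[3072+40], 3072 record:   %zu bytes past end\n",
           overrun_bytes(BIN_PREFIX_LEN, BIN_BUF_LEN + 40, 3072, FILE_BLOCK_SIZE));
    return 0;
}
```

The 40-byte figure falls out of 3096 mod 64 = 24: the last block only has 24 bytes of room left inside the union, so padding bin_buf by 40 makes the union a whole number of blocks.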
