Crash when calling NrrdImageIO::Write() with an overly long file name

[TrudbertSchwoerer]

Description

• Calling NrrdImageIO::Write(const void* buffer) with a buffersize larger than 1025 byte.
• This will finally be passed to _biffMsgAddVL(biffMsg msg, const char errfmt, va_list args) as argument in args.
• vsprintf writes the argument together with the format string into the local buffer errstr, which has a fixed size of 1025 byte.
• This overwrites the stack and leads to a crash.

Steps to Reproduce

This crash was observed in our MITK based application and was reproducible there.

Expected behavior

Application should not crash.

Actual behavior

Application crashes.

See the debugger stack trace below:

Reproducibility

100% reproducible

Versions

ITK 5.2 as part of MITK 2023.04

Environment

Ran as part of a MITK based application.

[github-actions[bot]]

Thank you for contributing an issue! 🙏

Welcome to the ITK community! 🤗👋☀️

We are glad you are here and appreciate your contribution. Please keep in mind our community participation guidelines. 📜 Also, please check existing open issues and consider discussion on the ITK Discourse. 📖

This is an automatic message. Allow for time for the ITK community to be able to read the issue and comment on it.

[N-Dekker]

@seanm Could it be that you already fixed this issue, by your efforts to replace sprintf usage with snprintf? (This issue was reported with ITK 5.2.)

For example:

• pull request #3469

[seanm]

Could be!

@TrudbertSchwoerer do you repro with master?

[TrudbertSchwoerer]

Hi.

No, I do not consume ITK directly, but indirectly by using MITK 2023.04.0.

Best Regards Trudbert Schwörer

---

Von: Sean McBride @.> Gesendet: Mittwoch, 1. Mai 2024 15:17 An: InsightSoftwareConsortium/ITK @.> Cc: Schwoerer, Trudbert @.>; Mention @.> Betreff: Re: [InsightSoftwareConsortium/ITK] Crash when calling NrrdImageIO::Write() with an overly long file name (Issue #4623)

Sie erhalten nicht oft eine E-Mail von @.*** Erfahren Sie, warum dies wichtig isthttps://aka.ms/LearnAboutSenderIdentification EXTERNAL EMAIL

Could be!

@TrudbertSchwoererhttps://github.com/TrudbertSchwoerer do you repro with master?

— Reply to this email directly, view it on GitHubhttps://github.com/InsightSoftwareConsortium/ITK/issues/4623#issuecomment-2088449186, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BDZKLANJCXTS4FQEZ5O2PZ3ZADTQDAVCNFSM6AAAAABG6QXUHOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOBYGQ2DSMJYGY. You are receiving this because you were mentioned.Message ID: @.***>

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe. Please forward all suspicious emails to @.*** Follow this link to read our Privacy Statementhttps://www.stryker.com/content/stryker/gb/en/legal/global-policy-statement.html/

[seanm]

In fact no, I did not fix this, because it's not in ITK proper but in 3rd party code in /Modules/ThirdParty/NrrdIO/src/NrrdIO/biffbiff.c

This should be fixed in their upstream.