geekspeed / littleblackbox

Automatically exported from code.google.com/p/littleblackbox
2 stars 1 forks source link

buffer overflow in format_sha1_hash breaks -p option #8

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
format_sha1_hash allocates a char array SHA_DIGEST_LENGTH*3 bytes in length, 
and proceeds to append SHA_DIGEST_LENGTH 3-byte strings to it in a loop using 
sprintf.  sprintf will always NUL-terminate its string, though, so each 
iteration actually writes 4 bytes.  The final run through the loop overflows 
the buffer, writing a 0 past the end of the array.  The next thing on the stack 
is the variable "i", so the NUL terminator ends up resetting the loop variable 
and function loops infinitely.  

Fix:

Index: common.c
===================================================================
--- common.c    (revision 23)
+++ common.c    (working copy)
@@ -8,7 +8,7 @@
 char *format_sha1_hash(unsigned char *hash)
 {
        int i = 0;
-       char sha_str[SHA_DIGEST_LENGTH*3] = { 0 };
+       char sha_str[SHA_DIGEST_LENGTH*3+1] = { 0 };

        for(i=0; i<SHA_DIGEST_LENGTH; i++)
        {

Original issue reported on code.google.com by dnelson_...@yahoo.com on 18 May 2011 at 5:23

GoogleCodeExporter commented 9 years ago
Latest SVN check in fixes this issue.

Original comment by heffne...@gmail.com on 5 Jun 2011 at 8:58