Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#12274 closed Bug report (rejected)

Buffer overflow when wrongly using `memcpy`

Reported by: arya_lee
Owned by:
Priority: normal
Component: FileZilla Client
Keywords: buffer overflow, memcpy
Cc: arya_lee
Component version:
Operating system type:
Operating system version:

Description

In the latest source code /tests/dirparsertest.cpp, there is a buffer overflow in function DirectoryListingParserTest::testIndividual().
len is the length of entry.data, not including the null character. So the sizeof(data) is len. According to the reference of memcpy (http://www.cplusplus.com/reference/cstring/memcpy/), we need to make sure the 1st parameter of memcpy is larger than strlen(2nd parameter) + 1 (the 1 is for the null character). So we should change 1475 to char* data = new char[len+1]; data[len]=0;

To avoid overflows, the size of the array pointed by destination shall be long enough to contain the same C string as source (including the terminating null character), and should not overlap in memory with source.

1474	    size_t const len = entry.data.size();
1475	    char* data = new char[len];
1476	    memcpy(data, entry.data.c_str(), len);

Change History (3)

comment:1 by arya_lee, 3 months ago

Summary: uffer overflow when wrongly using `memcpy` → Buffer overflow when wrongly using `memcpy`

comment:2 by Tim Kosse, 3 months ago

Resolution: rejected
Status: new → closed

Looks like you are confusing strcpy with memcpy.

There is no overflow here. Len bytes of data are copied in a block of memory len bytes in size.
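The distinction raised in this comment, shown as an added example that is not part of the ticket or of the FileZilla test code: memcpy copies exactly the byte count it is given and appends no terminator, so a destination of len bytes is enough for len bytes of source; strcpy (or memcpy of len + 1) copies the terminating NUL too and needs len + 1. The sample listing line is constructed here; copy_bytes and copy_cstring are hypothetical helper names, not FileZilla functions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Byte-wise copy, mirroring the pattern in dirparsertest.cpp:
   exactly len bytes are written into a buffer of exactly len bytes.
   memcpy does not write a terminator, so len + 1 is not required.
   The result is a byte array, NOT a C string: never pass it to
   strlen/strcpy/printf("%s"), which would read past the end looking
   for a NUL. Caller frees the returned buffer. */
char *copy_bytes(const char *src, size_t len) {
    char *data = malloc(len);            /* len, not len + 1 */
    if (data == NULL) {
        return NULL;
    }
    memcpy(data, src, len);
    return data;
}

/* String copy: strcpy writes strlen(src) + 1 bytes (the NUL included),
   so the destination must be strlen(src) + 1 bytes. Written with memcpy
   of len + 1 to make the extra byte explicit. Caller frees. */
char *copy_cstring(const char *src) {
    size_t len = strlen(src);
    char *data = malloc(len + 1);        /* room for the terminator */
    if (data == NULL) {
        return NULL;
    }
    memcpy(data, src, len + 1);          /* same effect as strcpy(data, src) */
    return data;
}

/* Minimum destination size for each copying style. */
size_t memcpy_dest_size(size_t len) {
    return len;                          /* memcpy(dst, src, len) */
}

size_t strcpy_dest_size(const char *src) {
    return strlen(src) + 1;              /* strcpy(dst, src) */
}

/* Verify that the len-byte copy reproduces the source bytes exactly.
   Returns 1 on success, 0 on failure. */
int check_memcpy_copy(void) {
    /* constructed sample directory-listing line */
    const char sample[] = "drwxr-xr-x  2 user group 4096 Jan  1 12:00 incoming";
    size_t len = sizeof(sample) - 1;     /* length without the NUL */
    char *data = copy_bytes(sample, len);
    if (data == NULL) {
        return 0;
    }
    int ok = (memcmp(data, sample, len) == 0);
    free(data);
    return ok;
}

/* Verify that the len + 1 copy yields a properly terminated C string. */
int check_strcpy_copy(void) {
    const char sample[] = "-rw-r--r--  1 user group  512 Jan  1 12:00 notes.txt";
    char *data = copy_cstring(sample);
    if (data == NULL) {
        return 0;
    }
    int ok = (strcmp(data, sample) == 0);
    free(data);
    return ok;
}
```

The caveat that matters in practice is the one in the first comment block: a buffer filled by memcpy(dst, src, len) holds no terminator, so the real defect to watch for in code like this is a later string-function call on that buffer (an out-of-bounds read), not the copy itself.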

comment:3 by arya_lee, 3 months ago

Ooops, yeah, I confused them. Sorry for the bother ;)
