Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.1.0
Fix Version/s: None
Environment: OS: Windows XP
Description
I think scandir() has a potential access violation in dir_windows.c.
The following is an extraction of scandir().
int AXIS2_CALL scandir(const char *_dirname,
                       struct dirent **__namelist[],
                       int (*selector)(const struct dirent *entry),
                       int (*compare)(const struct dirent **_d1, const struct dirent **_d2))
{
    DIR *dirp = NULL;
    struct dirent **vector = NULL;
    struct dirent *dp = NULL;
    int vector_size = 0;
    int nfiles = 0;
    /* dsize and newdp are used below; their declarations are not part of this extraction */

    if (!(dirp = opendir(_dirname)))
    {
        return -1;
    }

    while ((dp = readdir(dirp)))
    {
        /* copy size: the whole struct plus the name again, although dp itself is only sizeof(struct dirent) */
        dsize = (int)sizeof(struct dirent) + (int)((strlen(dp->d_name) + 1) * sizeof(char));
        newdp = (struct dirent *) malloc(dsize);
        if (newdp == NULL)
        {
            while (nfiles-- > 0)
                free(vector);
            return -1;
        }
        /* memcpy() reads dsize bytes starting at dp */
        vector[nfiles++] = (struct dirent *) memcpy(newdp, dp, dsize);
    }
memcpy() is used like this:
vector[nfiles++] = (struct dirent *) memcpy(newdp, dp, dsize);
The "dsize" is defined like this:
dsize = (int)sizeof(struct dirent) + (int)((strlen(dp->d_name) + 1) * sizeof(char));
The "dp" (copy source) has only the size of "struct dirent", which is less than "dsize".
When the copy reads past the end of "dp", it has a potential access violation.
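The following is an added example, not code from the report or from dir_windows.c, that makes the size mismatch concrete and shows a bounded copy. It assumes a constructed stand-in type, struct demo_dirent, with a fixed-size d_name array, which mirrors the report's point that the source entry is exactly sizeof(struct dirent) bytes; the helper names (reported_copy_size, over_read_bytes, dup_dirent, free_entries) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the Windows emulation's struct dirent: d_name is a
 * fixed-size array, so every entry returned by readdir() is exactly
 * sizeof(struct demo_dirent) bytes and no larger. */
#define DEMO_NAME_MAX 260
struct demo_dirent {
    long d_ino;
    char d_name[DEMO_NAME_MAX];
};

/* The length the reported scandir() passes to memcpy(): the whole struct plus
 * the name length plus its NUL. Everything above sizeof(struct demo_dirent)
 * is read from memory beyond the source object. */
size_t reported_copy_size(const struct demo_dirent *dp)
{
    return sizeof(struct demo_dirent) + (strlen(dp->d_name) + 1) * sizeof(char);
}

/* Bytes that memcpy() would read past the end of *dp with the reported size. */
size_t over_read_bytes(const struct demo_dirent *dp)
{
    size_t n = reported_copy_size(dp);
    return n > sizeof(*dp) ? n - sizeof(*dp) : 0;
}

/* Corrected duplicate: the source object is exactly sizeof(*dp) bytes, so that
 * is the most that may be allocated and copied. Returns NULL on allocation
 * failure so the caller can unwind. */
struct demo_dirent *dup_dirent(const struct demo_dirent *dp)
{
    struct demo_dirent *copy = malloc(sizeof(*copy));
    if (copy == NULL)
        return NULL;
    memcpy(copy, dp, sizeof(*copy));
    return copy;
}

/* Error-path cleanup for a partially built entry list: release each entry
 * that was already duplicated, then the vector that held the pointers. */
void free_entries(struct demo_dirent **vector, int nfiles)
{
    while (nfiles-- > 0)
        free(vector[nfiles]);
    free(vector);
}

int main(void)
{
    struct demo_dirent e;
    memset(&e, 0, sizeof(e));
    e.d_ino = 42;
    strcpy(e.d_name, "example.txt");   /* constructed entry name */

    printf("sizeof(struct demo_dirent) = %zu\n", sizeof(e));
    printf("size passed to memcpy()    = %zu\n", reported_copy_size(&e));
    printf("bytes read past the object = %zu\n", over_read_bytes(&e));

    struct demo_dirent *c = dup_dirent(&e);
    if (c != NULL) {
        printf("bounded copy: d_ino=%ld d_name=%s\n", c->d_ino, c->d_name);
        free(c);
    }
    return 0;
}
```

The over-read grows with the entry name: for "example.txt" it is 12 bytes, for a 259-character name it is 260. Whether the read faults depends on what lies after the readdir() buffer, which is why the report calls it a potential access violation; a copy bounded by sizeof(*dp) removes the dependency entirely.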