StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSecurity vulnerabilities in fairly simple c code
primarykey
Id
13991018
data
AcceptedAnswerId
13991487
AnswerCount
3
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2012-12-21T13:24:42.230
FavoriteCount
0
LastActivityDate
2013-01-16T19:06:04.690
LastEditDate
LastEditorUserId
0
OwnerUserId
701140
ParentId
0
PostTypeId
1
Score
5
ViewCount
956
LastEditorDisplayName
text
Body
I'm studying for my last ever exam (yey!), and have run into a problem I have a hard time figuring out. It's an old exam question where you are supposed to find at least two vulnerabilities that can be exploited in a function which reads a ppm image file. The only issue I can identify is if cols and/or rows are given unexpected values, either too large (causing integer overflow) or negative, which leads to img->raster having an incorrect size, opening up the possibility of a heap-based buffer-overflow attack. As far as I can reason, the unchecked malloc should not be exploitable. <pre><code>struct image *read_ppm(FILE *fp) { int version; int rows, cols, maxval; int pixBytes=0, rowBytes=0, rasterBytes; uint8_t *p; struct image *img; /* Read the magic number from the file */ if ((fscanf(fp, " P%d ", &version) < 1) || (version != 6)) { return NULL; } /* Read the image dimensions and color depth from the file */ if (fscanf(fp, " %d %d %d ", &cols, &rows, &maxval) < 3) { return NULL; } /* Calculate some sizes */ pixBytes = (maxval > 255) ? 6 : 3; // Bytes per pixel rowBytes = pixBytes * cols; // Bytes per row rasterBytes = rowBytes * rows; // Bytes for the whole image /* Allocate the image structure and initialize its fields */ img = malloc(sizeof(*img)); if (img == NULL) return NULL; img->rows = rows; img->cols = cols; img->depth = (maxval > 255) ? 2 : 1; img->raster = (void*)malloc(rasterBytes); /* Get a pointer to the first pixel in the raster data. */ /* It is to this pointer that all image data will be written. */ p = img->raster; /* Iterate over the rows in the file */ while (rows--) { /* Iterate over the columns in the file */ cols = img->cols; while (cols--) { /* Try to read a single pixel from the file */ if (fread(p, pixBytes, 1, fp) < 1) { /* If the read fails, free memory and return */ free(img->raster); free(img); return NULL; } /* Advance the pointer to the next location to which we should read a single pixel. */ p += pixBytes; } } /* Return the image */ return img; } </code></pre> Original (the last question): <a href="http://www.ida.liu.se/~TDDC90/exam/old/TDDC90%20TEN1%202009-12-22.pdf" rel="noreferrer">http://www.ida.liu.se/~TDDC90/exam/old/TDDC90%20TEN1%202009-12-22.pdf</a> Thanks for any help.
Tags
<c><security><buffer-overflow>
Title
Security vulnerabilities in fairly simple c code
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USCesar
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POSecurity vulnerabilities in fairly simple c code
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POSecurity vulnerabilities in fairly simple c code
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POSecurity vulnerabilities in fairly simple c code
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COThis puts me in mind of the (2008 winning) example from [The Underhanded C Contest](http://underhanded.xcott.com/), could be some clues there.
 singulars
 PostPostId
 POSecurity vulnerabilities in fairly simple c code
 UserUserId
 USJohn U

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.