StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
13991487
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
7
CommunityOwnedDate
CreationDate
2012-12-21T13:57:19.207
FavoriteCount
0
LastActivityDate
2012-12-21T14:29:17.753
LastEditDate
2012-12-21T14:29:17.753
LastEditorUserId
1122645
OwnerUserId
1122645
ParentId
13991018
PostTypeId
2
Score
3
ViewCount
0
LastEditorDisplayName
text
Body
Create a large file such that reading <code>row</code> and <code>cols</code> are both negatives. <code>rasterBytes = pixBytes * rows * cols</code> is positive so everything will be fine till <code>p = img->raster;</code>. But at this point you have two infinite loops, and the program may overwrite the heap. Another attack is to set up <code>row</code> and <code>cols</code> such that they have different sign. You can choose either value to be <code>-1</code>, while the other is large enough to read the data you want. The allocation <pre><code> img->raster = (void*)malloc(rasterBytes); </code></pre> will fail, which lead img->raster to point to NULL. Which means <pre><code> fread(p, pixBytes, 1, fp) < 1 </code></pre> will try to read the content of the file to kernel memory. If this code is executed in kernel mode, depending of the system (let say old unix which doesn use memory segment), then you will overwrite the content of the kernel memory with the content of the file. A kernel which doesn use memory segment rely not on segmentation faults but on page faults (a virtual address which doesnt have any real page assigned to it). The issue is that there are virtual memory designs such that the first real pages are directly assigned to the kernel pages. Ie kernel virtual address 0x0 is correspond to the real memory at 0x0 and is perfectly valid (inside the kernel). EDIT: In both of those cases, the goal of the attacker is to inject the content of the input file (which is totally under his control) in a region of memory he should not have access to, while not being able to modify the function <code>read_ppm()</code>.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POSecurity vulnerabilities in fairly simple c code
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USUmNyobe
UserOwnerUserId
1. USUmNyobe
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POSecurity vulnerabilities in fairly simple c code
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.