bug-gnustep

[bug #18366] NSCalendarDate: serious buffer overflow issues


From: Günther Noack
Subject: [bug #18366] NSCalendarDate: serious buffer overflow issues
Date: Fri, 24 Nov 2006 19:04:09 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

URL:
  <http://savannah.gnu.org/bugs/?18366>

                 Summary: NSCalendarDate: serious buffer overflow issues
                 Project: GNUstep
            Submitted by: guenthernoack
            Submitted on: Friday 24/11/06 at 19:04
                Category: Base/Foundation
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open

    _______________________________________________________

Details:


Hi!

NSCalendarDate's parsing method has some serious buffer overflow issues in
it.

When parsing timezone names, the timezone name from the source string is
copied into tmpStr, but tmpStr's bounds are unluckily not checked, which
allows overwriting different indexes and possibly the return pointer of the
function. At least the application will crash when you provide it with the
wrong strings.

The same problem also applies to the parsing of full month name, full weekday
name and possibly some other options.

It would be good if that could be fixed before the next release, since a
recent change to the timezone part of the switch statement made exploitation
much easier, and it would not be good to have that code in a stable release.

This bug is posted as a private bug and hopefully invisible to the outside
internet (and maybe to me, too).

-Guenther

PS: In one of the comments in the method, it is stated that the author didn't
know if there are locales where the abbreviated weekday names have fewer than
three characters. In German, they do. It's Mo, Di, Mi, Do, Fr, Sa, So.







    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?18366>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
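
Added example, not part of the original report and not GNUstep's code: the unchecked copy into a fixed scratch buffer that the report describes, next to a bounded version that rejects an over-long name. The function names, TMP_LEN, and the rule that a name ends at whitespace are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TMP_LEN 16  /* assumed size; the report does not give tmpStr's real length */

/* Pattern the report describes: copy the name until the token ends, with no
 * check against the size of tmp. Shown for contrast only. */
size_t copy_name_unchecked(const char *src, char *tmp)
{
    size_t n = 0;
    while (src[n] != '\0' && !isspace((unsigned char)src[n])) {
        tmp[n] = src[n];            /* out of bounds once n reaches the buffer size */
        n++;
    }
    tmp[n] = '\0';
    return n;
}

/* Bounded form: returns the number of characters consumed, or -1 when the
 * token does not fit, so the caller fails the parse instead of truncating. */
long copy_name_checked(const char *src, char *tmp, size_t tmp_len)
{
    size_t n = 0;
    if (tmp_len == 0)
        return -1;
    while (src[n] != '\0' && !isspace((unsigned char)src[n])) {
        if (n + 1 >= tmp_len) {     /* reserve one byte for the terminator */
            tmp[0] = '\0';
            return -1;
        }
        tmp[n] = src[n];
        n++;
    }
    tmp[n] = '\0';
    return (long)n;
}

int main(void)
{
    char tmp[TMP_LEN];
    /* Constructed inputs: a normal zone name and an over-long token. */
    const char *ok = "Europe/Berlin 2006";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%ld\n", copy_name_checked(ok, tmp, sizeof tmp));
    printf("%ld\n", copy_name_checked(bad, tmp, sizeof tmp));
    return 0;
}
```

The same length check applies to every place the report names: timezone names, full month names and full weekday names.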




