| View Issue Details [ Jump to Notes ] | [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0014971 | VTK | (No Category) | public | 2014-08-26 23:23 | 2015-01-09 13:43 | ||||
| Reporter | jpt | ||||||||
| Assigned To | Utkarsh Ayachit | ||||||||
| Priority | normal | Severity | minor | Reproducibility | have not tried | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 6.0.0 | ||||||||
| Target Version | Fixed in Version | 6.2.0 | |||||||
| Summary | 0014971: Heap corruption / buffer overflow in vtkPNGWriter when writing to memory and no file name/prefix specified | ||||||||
| Description | On Windows 7 / MSVC 11, I am using vtkPNGWriter to create an in-memory PNG image (for later reading by QImage). I began receiving debug errors regarding heap correction on Line 121 of vtkPNGWriter.cxx whenever I called Write(): 121: delete [] this->InternalFileName; It turned out that since I was not specifying file name information (due to using the in-memory result output), an sprintf call on line 106 was missing a format argument for the prefix and generating a formatted string that was longer than the allocated buffer. I was able to avoid the bad branch (lines 104-107) by providing a file prefix to the vtkPNGWriter object prior to calling write(); this workaround avoids the buffer overflow. I believe the correct action to fix this issue may be to replace: -106: sprintf(this->InternalFileName, this->FilePattern,this->FileNumber); by +106: sprintf(this->InternalFileName, this->FilePattern,"",this->FileNumber); so that the format string in FilePattern "%s.%d" has the correct number of applied arguments. Or, to use a safer variant of sprintf. | ||||||||
| Tags | No tags attached. | ||||||||
| Project | TBD | ||||||||
| Type | crash | ||||||||
| Attached Files | |||||||||
| Relationships | |
| Relationships |
| Notes | |
|
(0033291) Utkarsh Ayachit (administrator) 2014-08-27 13:07 |
A fix is up for gerrit review: http://review.source.kitware.com/#/t/4576 [^] It would be great if you could test the patch out and confirm that it addresses this issue. Thanks. |
|
(0033531) Utkarsh Ayachit (administrator) 2014-10-02 15:47 |
merged into master. |
| Notes |
| Issue History | |||
| Date Modified | Username | Field | Change |
| 2014-08-26 23:23 | jpt | New Issue | |
| 2014-08-27 12:52 | Utkarsh Ayachit | Assigned To | => Utkarsh Ayachit |
| 2014-08-27 12:52 | Utkarsh Ayachit | Status | backlog => tabled |
| 2014-08-27 13:07 | Utkarsh Ayachit | Note Added: 0033291 | |
| 2014-10-02 09:58 | Utkarsh Ayachit | Status | tabled => backlog |
| 2014-10-02 09:58 | Utkarsh Ayachit | Status | backlog => gerrit review |
| 2014-10-02 15:47 | Utkarsh Ayachit | Note Added: 0033531 | |
| 2014-10-02 15:47 | Utkarsh Ayachit | Status | gerrit review => closed |
| 2014-10-02 15:47 | Utkarsh Ayachit | Resolution | open => fixed |
| 2014-10-02 15:47 | Utkarsh Ayachit | Fixed in Version | => 6.2.0 |
| 2015-01-09 13:43 | Utkarsh Ayachit | Source_changeset_attached | => VTK master fa94f63a |
| 2015-01-09 13:43 | Utkarsh Ayachit | Source_changeset_attached | => VTK master 126135c2 |
| Issue History |
| Copyright © 2000 - 2018 MantisBT Team |