CentOS 6
Buffer weakness #5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against them remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

freetype-2.3.11/ft2demos-2.3.11/mac/ftoldmac.c

Context:

The highlighted line of code below is the trigger point of this particular CentOS 6 buffer weakness.

   {
    Str255  fileName;


    memset( &ci_pb, 0, sizeof( CInfoPBRec ) );
    fileName[0] = 0;
    ci_pb.hFileInfo.ioVRefNum   = ci_pb_dir->dirInfo.ioVRefNum;
    ci_pb.hFileInfo.ioDirID     = ci_pb_dir->dirInfo.ioDrDirID;
    ci_pb.hFileInfo.ioNamePtr   = fileName;
    ci_pb.hFileInfo.ioFDirIndex = i;
    if ( noErr == PBGetCatInfoSync( &ci_pb ) )
    {
      if ( NULL != ci_pb.hFileInfo.ioNamePtr )
      {
        char  file_name[256];


        strncpy( file_name, (char *)ci_pb.hFileInfo.ioNamePtr + 1, ci_pb.hFileInfo.ioNamePtr[0] );
        file_name[ ci_pb.hFileInfo.ioNamePtr[0] ] = '\0';
        if ( 0 == strcmp( ".DS_Store", file_name ) )
          printf( "*** known non-font filename [%s]\n", file_name );
        else if ( 0 == ( ci_pb.hFileInfo.ioFlAttrib & ioDirMask ) )
        {
          file_full_path[ dirname_len ] = '\0';
          strncat( file_full_path, file_name, sizeof( file_full_path ) );
          crawlFontFile( file_full_path );
        }
      }
    }
  }
}


void
initParamBlock( CInfoPBRec*  paramBlock,
                 Str255      fileName    )
{
  paramBlock->hFileInfo.ioCompletion = 0; /* synch calls */
  paramBlock->hFileInfo.ioNamePtr    = fileName;
  paramBlock->hFileInfo.ioVRefNum    = 0; /* alias for default */
  paramBlock->hFileInfo.ioFDirIndex  = 0; /* XXX */
  paramBlock->hFileInfo.ioDirID      = 0; /* alias for default */
}

void
dumpPBErr( CInfoPBRec* paramBlock )
{
  printf( "[PB access returned after " );
  switch ( paramBlock->hFileInfo.ioResult )
  { 
