alpine 3.6
buffer weakness #134

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against the vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which it then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

tiff/src/tiff-4.0.10/tools/tiffcrop.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

   strncpy (exportname, outname, PATH_MAX - sizeof(filenum));
  if (*tiffout == NULL)   /* This is a new export file */
    {
    if (autoindex)
      { /* create a new filename for each export */
      findex++;
      if ((sep = strstr(exportname, ".tif")) || (sep = strstr(exportname, ".TIF")))
        {
        strncpy (export_ext, sep, 5);
        *sep = '\0';
        }
      else
        strncpy (export_ext, ".tiff", 5);
      export_ext[5] = '\0';

      /* MAX_EXPORT_PAGES limited to 6 digits to prevent string overflow of pathname */
      if (findex > MAX_EXPORT_PAGES)
	{
	TIFFError("update_output_file", "Maximum of %d pages per file exceeded", MAX_EXPORT_PAGES);
        return 1;
        }

      snprintf(filenum, sizeof(filenum), "-%03d%.5s", findex, export_ext);
      filenum[sizeof(filenum)-1] = '\0';
      strncat (exportname, filenum, sizeof(filenum)-1);
      }
    exportname[PATH_MAX - 1] = '\0';

    *tiffout = TIFFOpen(exportname, mode);
    if (*tiffout == NULL)
      {
      TIFFError("update_output_file", "Unable to open output file %s", exportname);
      return 1;
      }
    *page = 0; 

    return 0;
    }
  else 
    (*page)++;

  return 0;
  } /* end update_output_file */


int
main(int argc, char* argv[])
  {

#if !HAVE_DECL_OPTARG 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.