View Issue Details [ Jump to Notes ] | [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0014971 | VTK | (No Category) | public | 2014-08-26 23:23 | 2015-01-09 13:43 | ||||
Reporter | jpt | ||||||||
Assigned To | Utkarsh Ayachit | ||||||||
Priority | normal | Severity | minor | Reproducibility | have not tried | ||||
Status | closed | Resolution | fixed | ||||||
Platform | OS | OS Version | |||||||
Product Version | 6.0.0 | ||||||||
Target Version | Fixed in Version | 6.2.0 | |||||||
Summary | 0014971: Heap corruption / buffer overflow in vtkPNGWriter when writing to memory and no file name/prefix specified | ||||||||
Description | On Windows 7 / MSVC 11, I am using vtkPNGWriter to create an in-memory PNG image (for later reading by QImage). I began receiving debug errors regarding heap correction on Line 121 of vtkPNGWriter.cxx whenever I called Write(): 121: delete [] this->InternalFileName; It turned out that since I was not specifying file name information (due to using the in-memory result output), an sprintf call on line 106 was missing a format argument for the prefix and generating a formatted string that was longer than the allocated buffer. I was able to avoid the bad branch (lines 104-107) by providing a file prefix to the vtkPNGWriter object prior to calling write(); this workaround avoids the buffer overflow. I believe the correct action to fix this issue may be to replace: -106: sprintf(this->InternalFileName, this->FilePattern,this->FileNumber); by +106: sprintf(this->InternalFileName, this->FilePattern,"",this->FileNumber); so that the format string in FilePattern "%s.%d" has the correct number of applied arguments. Or, to use a safer variant of sprintf. | ||||||||
Tags | No tags attached. | ||||||||
Project | TBD | ||||||||
Type | crash | ||||||||
Attached Files | |||||||||
Relationships | |
Relationships |
Notes | |
(0033291) Utkarsh Ayachit (administrator) 2014-08-27 13:07 |
A fix is up for gerrit review: http://review.source.kitware.com/#/t/4576 [^] It would be great if you could test the patch out and confirm that it addresses this issue. Thanks. |
(0033531) Utkarsh Ayachit (administrator) 2014-10-02 15:47 |
merged into master. |
Notes |
Issue History | |||
Date Modified | Username | Field | Change |
2014-08-26 23:23 | jpt | New Issue | |
2014-08-27 12:52 | Utkarsh Ayachit | Assigned To | => Utkarsh Ayachit |
2014-08-27 12:52 | Utkarsh Ayachit | Status | backlog => tabled |
2014-08-27 13:07 | Utkarsh Ayachit | Note Added: 0033291 | |
2014-10-02 09:58 | Utkarsh Ayachit | Status | tabled => backlog |
2014-10-02 09:58 | Utkarsh Ayachit | Status | backlog => gerrit review |
2014-10-02 15:47 | Utkarsh Ayachit | Note Added: 0033531 | |
2014-10-02 15:47 | Utkarsh Ayachit | Status | gerrit review => closed |
2014-10-02 15:47 | Utkarsh Ayachit | Resolution | open => fixed |
2014-10-02 15:47 | Utkarsh Ayachit | Fixed in Version | => 6.2.0 |
2015-01-09 13:43 | Utkarsh Ayachit | Source_changeset_attached | => VTK master fa94f63a |
2015-01-09 13:43 | Utkarsh Ayachit | Source_changeset_attached | => VTK master 126135c2 |
Issue History |
Copyright © 2000 - 2018 MantisBT Team |