[Insight-developers] Change in ITK[master]: BUG: Fix possibility of buffer overflow in itkNumericSeriesF...

Hans Johnson hans-johnson at uiowa.edu
Wed Jan 5 10:47:23 EST 2011


CC to developer list.  Hopefully someone on the developer list has a
solution.

Hans



On 1/5/11 9:41 AM, "M Stauffer (V)" <mstauff at verizon.net> wrote:

> OK, thanks.
> 
> Regarding snprintf on Windows: in another project I had to use _snprintf
> for windows, via an ifdef. And I have a note that _snprintf does not
> append null if output is truncated at len.
> 
> VS 2008 docs point to _snprintf for snprintf, and have this warning:
> "Ensure that format is not a user-defined string. Because this function
> does not guarantee NULL termination (in particular, when the return
> value is count), ensure that it is followed by code that adds the null
> terminator."
> 
> As long as a null terminator is added after the call for safety, I don't
> see why you can't use a user-defined string, unless the routine dumbly
> writes the whole formatted string to the buffer without regard to its
> defined size.
> 
> This is getting even more messy. What's the ITK practice regarding
> #ifdef'ing this kind of thing? Or do we just go back to the original
> implementation with a fixed large buffer?
> 
> -Michael
> 
>> -----Original Message-----
>> From: Hans Johnson [mailto:hans-johnson at uiowa.edu]
>> Sent: Wednesday, January 05, 2011 8:35 AM
>> To: Bill Lorensen; M Stauffer (V)
>> Cc: Luis Ibanez; Brad King; Kent Williams
>> Subject: Re: Change in ITK[master]: BUG: Fix possibility of
>> buffer overflow in itkNumericSeriesF...
>> 
>> I just updated and merged with the latest head.  Resolved
>> issues, and pushed the patchset to gerrit to initiate a new build.
>> 
>> We'll see if windows accepts this code in a few hours.
>> 
>> Hans
>> 
>> 
>> 
>> On 1/4/11 10:34 PM, "Bill Lorensen" <bill.lorensen at gmail.com> wrote:
>> 
>>> Michael,
>>> 
>>> Just make a minor change to the code and submit a new patch. Now,
>>> patches will automatically spin off three builds (Mac, Linux,
>>> Windows). This is a fairly new addition to the gerrit process.
>>> 
>>> Bill
>>> 
>>> On Tue, Jan 4, 2011 at 10:21 PM, M Stauffer (V) <mstauff at verizon.net> wrote:
>>>> Sorry, I've been absorbed in another project. I can get back to this
>>>> next week, unless someone has a solution...pretty please?
>>>> 
>>>> I know I've used snprintf on Windows before in at least one other
>>>> project, I'll have to look at what I did.
>>>> 
>>>> -Michael
>>>> 
>>>>> -----Original Message-----
>>>>> From: Hans J. Johnson (Code Review)
>>>>> [mailto:gerrit2 at public.kitware.com]
>>>>> Sent: Tuesday, January 04, 2011 10:01 PM
>>>>> To: Michael Stauffer
>>>>> Cc: Luis Ibanez; Brad King; Bill Lorensen; kent williams
>>>>> Subject: Change in ITK[master]: BUG: Fix possibility of buffer
>>>>> overflow in itkNumericSeriesF...
>>>>> 
>>>>> Hans J. Johnson has posted comments on this change.
>>>>> 
>>>>> Change subject: BUG: Fix possibility of buffer overflow in
>>>>> itkNumericSeriesFileNames.
>>>>> 
>>>>> ......................................................................
>>>>> 
>>>>> 
>>>>> Patch Set 2: Do not submit
>>>>> 
>>>>> (1 inline comment)
>>>>> 
>>>>> This has been outstanding for nearly a month.  It either needs to be
>>>>> fully resolved, or abandoned.
>>>>> 
>>>>> ....................................................
>>>>> File Code/IO/itkNumericSeriesFileNames.cxx
>>>>> Line 70:     int result = snprintf (temp, bufflen,
>>>>> m_SeriesFormat.c_str(), i); Based on Bill L.'s comment, it looks
>>>>> like snprintf is not supported under windows computers.  This will
>>>>> need to be tested, or another solution implemented.
>>>>> 
>>>>> --
>>>>> To view, visit http://review.source.kitware.com/521
>>>>> To unsubscribe, visit http://review.source.kitware.com/settings
>>>>> 
>>>>> Gerrit-MessageType: comment
>>>>> Gerrit-Change-Id: If1eff17f184409a02602d450d6e2e7e576bc1ae1
>>>>> Gerrit-PatchSet: 2
>>>>> Gerrit-Project: ITK
>>>>> Gerrit-Branch: master
>>>>> Gerrit-Owner: Michael Stauffer <mstauff at verizon.net>
>>>>> Gerrit-Reviewer: Bill Lorensen <bill.lorensen at gmail.com>
>>>>> Gerrit-Reviewer: Brad King <brad.king at kitware.com>
>>>>> Gerrit-Reviewer: Hans J. Johnson <hans-johnson at uiowa.edu>
>>>>> Gerrit-Reviewer: Luis Ibanez <luis.ibanez at kitware.com>
>>>>> Gerrit-Reviewer: Michael Stauffer <mstauff at verizon.net>
>>>>> Gerrit-Reviewer: kent williams <norman-k-williams at uiowa.edu>
>>>> 
>>>> 
>> 
>> --
>> Hans J. Johnson, Ph.D.
>> Assistant Professor
>> 200 Hawkins Drive
>> T205 BT, The University of Iowa
>> Iowa City, IA 52242
>> 
>> hans-johnson at uiowa.edu
>> PHONE: 319 353 8587
>> 
> 

-- 
Hans J. Johnson, Ph.D.
Assistant Professor
200 Hawkins Drive
T205 BT, The University of Iowa
Iowa City, IA 52242

hans-johnson at uiowa.edu
PHONE: 319 353 8587
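The thread's two problems (the Windows `_snprintf` not NUL-terminating on truncation, and the VS docs' warning about user-defined format strings) can both be handled in a small wrapper around the call on `Line 70`. The code below is an added illustration, not ITK's code nor code from anyone in this thread; `safe_format`, `is_plain_int_format` and `series_name` are hypothetical names, and the `_MSC_VER < 1900` guard assumes the pre-VS2015 `_vsnprintf` semantics described in the quoted docs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Portable snprintf: always NUL-terminates; returns 1 if the whole output
 * fit, 0 if it was truncated (or buflen is 0). Older MSVC _vsnprintf returns
 * -1 and leaves the buffer unterminated on truncation; C99 vsnprintf returns
 * the length that would have been needed. Both cases are handled here. */
static int safe_format(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (buflen == 0) return 0;
    va_start(ap, fmt);
#if defined(_MSC_VER) && _MSC_VER < 1900   /* assumption: pre-VS2015 CRT */
    n = _vsnprintf(buf, buflen, fmt, ap);
#else
    n = vsnprintf(buf, buflen, fmt, ap);
#endif
    va_end(ap);
    buf[buflen - 1] = '\0';                /* guarantee termination either way */
    return n >= 0 && (size_t)n < buflen;
}

/* A series format is only allowed to contain literal text, "%%", and exactly
 * one integer conversion of the form %[flags][width]d (or i), which is all a
 * numbered-file-name pattern needs. Anything else is rejected. */
static int is_plain_int_format(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; ++p) {
        if (*p != '%') continue;
        ++p;
        if (*p == '%') continue;                         /* literal percent */
        while (*p && strchr("-+ 0#", *p)) ++p;           /* flags */
        while (*p >= '0' && *p <= '9') ++p;              /* width */
        if (*p != 'd' && *p != 'i') return 0;            /* only int conversions */
        if (++conversions > 1) return 0;
    }
    return conversions == 1;
}

/* Build the i-th file name; returns 1 on success, 0 if the format was
 * rejected or the result did not fit in buf (buf is still a valid string). */
static int series_name(char *buf, size_t buflen, const char *fmt, int index)
{
    if (!is_plain_int_format(fmt)) return 0;
    return safe_format(buf, buflen, fmt, index);
}
```

A caller that gets 0 back from `series_name` can then grow the buffer or report the bad pattern instead of silently using a truncated or unterminated name.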


