Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TGNumberEntry string length checks are inaccurate/dangerous. #17334

Open
pcanal opened this issue Dec 26, 2024 · 0 comments
Open

TGNumberEntry string length checks are inaccurate/dangerous. #17334

pcanal opened this issue Dec 26, 2024 · 0 comments
Assignees
@bellenot @dpiparo
Labels
bug

Comments

@pcanal
Copy link
Member

pcanal commented Dec 26, 2024
edited
Loading

As seen in #16913, there is some attempt to guarantee that there will be no write past the end of buffer in the string manipulations. However in several places, it fall short (literally or maybe missing documentation).

We should consider replacing the fixed size buffer or improving the bound checks.

Namely the routines seems to assume that the buffer has a fixed length of 256 but in several place, the buffer is offset compare to its actual beginning.

StrInt(char *text, Long_t i, Int_t digits) hard-codes the length 250 for its input buffer, we should pass the actual length left there. In particular line TGNumberEntry.cxx:310 and TGNumberEntry.cxx:316 needs to be updated.

We should also review the rest TGNumberEntry.cxx for similar problematic patterns.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bellenot bellenot

@dpiparo dpiparo

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pcanal @bellenot @dpiparo