erl_interface: potential buffer overflow in every call to a ei_decode_* function

Romain Lenglet <>
Fri May 12 05:46:25 CEST 2006


Hello,


No ei_decode_* function takes a buffer size as an argument. 
Therefore, when decoding wrong data, those functions may read 
after the end of the buffer.

This may be detected afterwards, by comparing the returned index 
with the buffer size, but an access out of the buffer bounds may 
already have provoked a segmentation fault before the decoding 
function call returns.

The solution is to add a buffer size argument to every 
ei_decode_* function, and to compare it with the index for every 
buffer access.


Regards,

-- 
Romain LENGLET



More information about the erlang-bugs mailing list