Closed

opcContainerDeletePart has potential buffer overrun

description

File: container.c
Function opcContainerDeletePart() has a bug which can result in a buffer overrun as the array size used does not match the array used. The final argument should be relation_items instead of relationtype_items.

Current Code:
line: 159
OPC_ENSURE(OPC_ERROR_NONE == opcContainerDeleteAllRelationsToPart(container, container->part_array[i].name, &container->relation_array, &container->relationtype_items));
Fix:
OPC_ENSURE(OPC_ERROR_NONE == opcContainerDeleteAllRelationsToPart(container, container->part_array[i].name, &container->relation_array, &container->relation_items));
Closed Feb 27, 2016 at 6:52 PM by jschroedl
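The defect is a count that does not belong to the array it is used to index. The added example below (not libopc code; the struct layout, the capacity parameter and the OPC_ERROR_MEMORY code are assumed) models the two independently counted arrays and shows a callee that rejects a count larger than the capacity of the array it was handed, so the wrong-count call fails instead of reading past relation_array.

```c
/* Added example, not part of libopc. Models the count/array pairing bug from
 * the report: relation_array is counted by relation_items, the relation-type
 * table by relationtype_items, and the two counts are unrelated. */
#include <stddef.h>
#include <string.h>

#define OPC_RELATION_CAP 4
#define OPC_ERROR_NONE   0
#define OPC_ERROR_MEMORY 1   /* assumed error code for "count exceeds array" */

typedef struct { char target[16]; } opc_relation_t;   /* assumed shape */

typedef struct {
    opc_relation_t relation_array[OPC_RELATION_CAP];
    size_t relation_items;           /* valid entries in relation_array */
    const char *relationtype_array[8];
    size_t relationtype_items;       /* valid entries in relationtype_array */
} opc_container_t;

/* Hardened form: the array's capacity travels with the array, and the count
 * is checked against it before being used as the loop bound. Deletes every
 * relation whose target is `part` and compacts the array in place. */
int delete_all_relations_to_part(opc_relation_t *rels, size_t cap,
                                 size_t *items, const char *part)
{
    if (*items > cap) return OPC_ERROR_MEMORY;  /* mismatched count caught here */
    size_t kept = 0;
    for (size_t i = 0; i < *items; i++) {
        if (strcmp(rels[i].target, part) != 0) rels[kept++] = rels[i];
    }
    *items = kept;
    return OPC_ERROR_NONE;
}

/* Constructed sample: three relations, two of them pointing at "a.xml", and
 * a relation-type count of 6 that exceeds OPC_RELATION_CAP. Passing
 * relationtype_items as the bound, as the buggy call did, would walk past
 * the end of relation_array; the check above turns that into an error. */
opc_container_t make_sample_container(void)
{
    opc_container_t c;
    memset(&c, 0, sizeof c);
    strcpy(c.relation_array[0].target, "a.xml");
    strcpy(c.relation_array[1].target, "b.xml");
    strcpy(c.relation_array[2].target, "a.xml");
    c.relation_items = 3;
    c.relationtype_items = 6;
    return c;
}
```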

comments

flr wrote Jan 21, 2016 at 9:02 PM

Thanks a lot for the catch!

Since you said you would be happy to commit the fix, I added you as a developer.

Florian

jschroedl wrote Jan 26, 2016 at 5:53 PM

Excellent. Starting now.

wrote Feb 27, 2016 at 6:52 PM

Resolved with changeset 43456: Use correct relation count when deleting part.