Francois Labreque <fla### [at] videotron ca> wrote:
> In the case of the BMP flaw, the leaked Windows 2000 source code showed
> that the DLL was using a signed int to read an offset value that was
> unsigned in the file format, so by crafting a special BMP file you would
> have the DLL jump to a negative offset, and outside of the actual data
> structure it was supposed to read.
In 2's complement representation MAX_INT+1 has the exact same bits in
both signed and unsigned forms. How do you get outside the array with
that value?
(I suppose that if you use a signed *long* in a 64-bit system where longs
are 64-bit, then expanding a signed 32-bit int to such a signed 64-bit long
will result in the wrong value. But was that the case here?)
--
- Warp
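The signed-versus-unsigned offset check the thread is arguing about, as an added C example that is not from either poster or from any Windows code. The 4-byte header layout, the 64-byte buffer and the function names are constructed for illustration and are not the real BMP format; the example shows why a value like MAX_INT+1 slips past a check written with a signed int (it compares as negative, so `off < len` holds) and how keeping the field unsigned rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout (not the real BMP header): a 4-byte little-endian
   "data offset" field at byte 0, followed by the payload. */
#define HDR_LEN 4u

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Helper to build test inputs with a chosen offset value. */
static void write_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The mistake under discussion: the field is unsigned in the format but is
   read into a signed int. Every value >= 2^31 (MAX_INT+1 included) becomes
   negative, so "off < len" is true for all of them and base + off would
   point before the buffer instead of past its end. The missing lower-bound
   check is what lets the same bits escape the array. */
static int signed_offset_ok(const uint8_t *buf, size_t len) {
    int32_t off = (int32_t)read_u32le(buf);  /* 0x80000000 -> INT32_MIN */
    int32_t limit = (int32_t)len;
    return off < limit;                      /* accepts every negative off */
}

/* Hardened form: keep the type the format defines and compare as unsigned,
   with both bounds. Wrapped values are now just huge and are rejected. */
static int unsigned_offset_ok(const uint8_t *buf, size_t len) {
    uint32_t off = read_u32le(buf);
    return off >= HDR_LEN && (size_t)off < len;
}

int main(void) {
    uint8_t img[64] = {0};                   /* constructed 64-byte file */
    uint32_t samples[] = { 16u, 0x80000000u /* MAX_INT+1 */, 0xFFFFFFF0u };
    for (size_t i = 0; i < 3; i++) {
        write_u32le(img, samples[i]);
        printf("offset 0x%08x: signed check %s, unsigned check %s\n",
               samples[i],
               signed_offset_ok(img, sizeof img) ? "accepts" : "rejects",
               unsigned_offset_ok(img, sizeof img) ? "accepts" : "rejects");
    }
    return 0;
}
```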