On 18.01.2013 16:58, Warp wrote:
> Francois Labreque <fla### [at] videotron ca> wrote:
>> In the case of the BMP flaw, the leaked Windows 2000 source code showed
>> that the DLL was using a signed int to read an offset value that was
>> unsigned in the file format, so by crafting a special BMP file you would
>> have the DLL jump to a negative offset, and outside of the actual data
>> structure it was supposed to read.
>
> In 2's complement representation MAX_INT+1 has the exact same bits in
> both signed and unsigned forms. How do you get outside the array with
> that value?
That's wrong. In 2's complement representation, MAX_INT+1 has NO bit
representation at all. What you get instead if you interpret the
respective unsigned representation as signed is MIN_INT.
So take an array with a limited size, an "int" as an index into that
array, a check whether that index into that array is smaller than the
array's size - and you have the recipe for a stack overflow or similar
(unless you also remember to check whether the index is non-negative).
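As an added illustration that is not part of the thread, the following C program models the check the post describes: a file field that is unsigned in the format but read into an `int`, an upper-bound-only index check beside its hardened form, and a demonstration that the bit pattern 0x80000000 reads as INT32_MIN rather than MAX_INT+1. The header bytes and the buffer length are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 4-byte little-endian unsigned field, the way a file format
 * such as BMP stores its offsets. */
uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 |
           (uint32_t)p[3] << 24;
}

/* Reinterpret that bit pattern as int32_t: what a parser that declared the
 * field "int" sees. 0x80000000 becomes INT32_MIN, 0xFFFFFFFF becomes -1.
 * memcpy keeps the reinterpretation well defined in C. */
int32_t as_signed(uint32_t raw) {
    int32_t s;
    memcpy(&s, &raw, sizeof s);
    return s;
}

/* The check from the post: upper bound only. Every field with its top
 * bit set is negative here and passes. */
bool naive_index_ok(int32_t idx, int32_t len) {
    return idx < len;
}

/* Hardened check: also reject negatives (or compare the uint32_t
 * against len without ever converting it to a signed type). */
bool safe_index_ok(int32_t idx, int32_t len) {
    return idx >= 0 && idx < len;
}

int main(void) {
    /* Constructed header fields: a valid offset, then two with the top
     * bit set. The buffer length is constructed as well. */
    const uint8_t fields[3][4] = {
        {0x0A, 0x00, 0x00, 0x00}, /* 10 */
        {0xFF, 0xFF, 0xFF, 0xFF}, /* 4294967295, signed -1 */
        {0x00, 0x00, 0x00, 0x80}, /* 2147483648, signed INT32_MIN */
    };
    const int32_t len = 64;
    for (int i = 0; i < 3; i++) {
        int32_t idx = as_signed(le32(fields[i]));
        printf("raw=%10u signed=%11d naive=%d safe=%d\n",
               (unsigned)le32(fields[i]), (int)idx,
               (int)naive_index_ok(idx, len), (int)safe_index_ok(idx, len));
    }
    return 0;
}
```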