Actions
Bug #376
closed
Possible buffer overflow in addOverrideKey()
Status:
Closed
Priority:
High
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Module:
dcmnet + weitere
Operating System:
Compiler:
Description
http://forum.dcmtk.org/viewtopic.php?t=2523
At least the following tools are affected:
movescu
wltests
snd2dcm
'DcmPath' & Co. are likely culprits.
The former ones should be done, I haven't seen a sscanf() with a "%s" in DcmPath - Uli
=== Comment Uli ===
Find all instances, where sscanf() is used with s or something else (only %s happens though): git grep sscanf | grep -E '[^%"]*s'
dcmqrdb/libsrc/dcmqrcnf.cc: if (sscanf(rcline, "%s", mnemonic) != 1) dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value); dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value); dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value); dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value); dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value); dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value); dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(helpvalue, "%d , %s", &studies, helpval); dcmqrdb/libsrc/dcmqrtis.cc: narg = sscanf(cmdbuf, "send %s %d", cmdarg, &iarg); Found in dcmdata/libsrc/dcddirif.cc, dcmnet/apps/movescu.cc, dcmwlm/tests/wltests.cc und dcmwave/apps/snd2dcm.cc.
Updated by Andrew Chiw 
Updated by
Actions