...
This noncompliant code example attempts to read three values from a file and then set the cursor position back to the beginning of the file and return to the caller:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <string.h>
enum { NO_FILE_POS_VALUES = 3 };
int opener(FILE *file) {
int rc;
fpos_t offset;
memset(&offset, 0, sizeof(offset));
if (file == NULL) { return -1; }
/* Read in data from file */
rc = fsetpos(file, &offset);
if (rc != 0 ) { return rc; }
return 0;
}
|
However, because only the return value of an fgetpos() call is a valid argument to fsetpos(), ; passing an fpos_t value that was created in any other way is undefined behavior.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <string.h>
enum { NO_FILE_POS_VALUES = 3 };
int opener(FILE *file) {
int rc;
fpos_t offset;
if (file == NULL) { return -1; }
rc = fgetpos(file, &offset);
if (rc != 0 ) { return rc; }
/* Read in data from file */
rc = fsetpos(file, &offset);
if (rc != 0 ) { return rc; }
return 0;
}
|
Risk Assessment
The misuse Misuse of the fsetpos() function can move position a file stream read to a unintended location in the file. If this location held input from the user, the user would then gain control of the variables holds data provided by an attacker, the misuse of this function could be exploited to overwrite the values of objects being read from the file.
...