Vulnerability Development mailing list archives

Re: memcpy with negative length and destination on heap - exploitable?


From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Wed, 26 Dec 2001 21:28:30 +0100 (MET)

On Mon, 24 Dec 2001, 3APA3A wrote:

   memcpy(dst, src + POSITION + 1, len);
   ...
   len is too long then converted to size_t and memcpy will crash... Is
   it possible to avoid it if destination buffer is on heap? Program is
   available on all possible platforms :)

It is possible to avoid a crash if...

1. memcpy() is implemented in a way that turns it into an empty operation
   when you call it with a (small) negative length

   Example: char *last = dst + len;
            while (dst < last) *dst++ = *src++;

2. all dst[i] and src[POSITION+1+i] for each i, 0 <= i < (size_t)len
   are confined to regions of memory that are fully mapped (i.e. writes
   or reads will not cause faults) and the destination region does not
   intersect with any vital part of the process (code, stack)

   Example: 16-bit segmented memory model, e.g. the large mm of the old
            "good" 8086 (and 80286)
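As an added illustration (not part of the original thread): the two memcpy() shapes the reply contrasts, side by side with the length check a caller should make before the copy. The function names and the sample buffers are my own, chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Shape 1 (the reply's example): pointer comparison. With a small negative
 * len, last lies before dst, so the loop body never runs and the call is a
 * no-op. Note: dst + len must still point inside the same object, or the
 * pointer arithmetic itself is undefined in C. Returns bytes copied. */
static size_t copy_ptr_loop(char *dst, const char *src, int len)
{
    char *last = dst + len;          /* len < 0  ->  last < dst */
    size_t n = 0;
    while (dst < last) { *dst++ = *src++; n++; }
    return n;
}

/* Shape 2 (the usual libc contract): the count is a size_t, so a negative
 * int wraps to a huge value. We only report how many bytes the copy would
 * attempt; actually running it would walk off the end of both buffers. */
static size_t bytes_memcpy_would_copy(int len)
{
    return (size_t)len;              /* -1 -> SIZE_MAX */
}

/* The fix on the caller's side: validate POSITION and len against both
 * buffers before the copy, and reject a negative len outright. */
static bool safe_copy(char *dst, size_t dst_size,
                      const char *src, size_t src_len,
                      size_t position, int len)
{
    if (position + 1 > src_len) return false;                 /* src offset */
    if (len < 0) return false;                                /* negative */
    if ((size_t)len > src_len - (position + 1)) return false; /* src tail */
    if ((size_t)len > dst_size) return false;                 /* dst room */
    memcpy(dst, src + position + 1, (size_t)len);
    return true;
}
```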

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

