Provide a hook to setup iconv path at runtime #116
@eichelberg This is mostly a WIP but basically I need this API to specify where to search for esbd folders. Let me know if you want more details about the use case. Thanks!
oficonv/libsrc/citrus_bcs.c
Outdated
char *oficonv_path = NULL; | ||
|
||
void OFiconv_setpath(const char *buf) { | ||
strcpy(oficonv_buffer, buf); |
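Review bot: the strcpy() call in OFiconv_setpath() copies buf into oficonv_buffer with no length check and no NULL check on buf, so a caller-supplied path longer than the destination is written past its end. The declaration and size of oficonv_buffer are not visible in these lines; either reject input that does not fit (compare strlen(buf) against the destination size before copying) or store a heap copy sized to the input. The function also returns void, so a caller cannot tell a rejected path from an accepted one, and oficonv_path is initialised to NULL but not assigned in the lines shown.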
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
It appears that you are using strcpy or strncpy functions that do not affirm the size of the destination array and do not automatically NULL-terminate strings, leading to buffer overflow risks. We recommend you to apply bound checking or null terminator. Learn more - https://www.geeksforgeeks.org/why-strcpy-and-strncpy-are-not-safe-to-use/
oficonv/libsrc/citrus_bcs.c
Outdated
char *oficonv_path = NULL; | ||
|
||
void OFiconv_setpath(const char *buf) { | ||
strcpy(oficonv_buffer, buf); |
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
We observed that your code contains out-of-bounds read which is a type of memory access error that occurs when a program reads data from a memory address outside of the bounds of a buffer. This can result in the program reading data that does not belong to it, which can cause crashes, incorrect behaviour, or even security vulnerabilities. To prevent this you can perform bounds checking before accessing an array or other data structure. Learn more - https://www.martellosecurity.com/kb/mitre/cwe/125/
oficonv/libsrc/citrus_bcs.c
Outdated
char *oficonv_path = NULL; | ||
|
||
void OFiconv_setpath(const char *buf) { | ||
strcpy(oficonv_buffer, buf); |
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
We observed your code contains an out-of-bounds write which may lead to security issues such as crashing, information leaks, or even arbitrary code execution. You should perform bounds checking, validate input sizes and indices to ensure they stay within the allocated memory bounds. Learn more - https://github.com/harsh-bothra/SecurityExplained/blob/main/resources/cwe-787.md
Is there a reason why you cannot use the DCMICONVPATH environment variable to point to the desired directory?
I am actually glad you raised this point; this will be a twofold answer:
So one way to work around this is to use GetEnvironmentVariable/SetEnvironmentVariable on Windows systems.
@eichelberg In case you are also wondering I am trying to go away from the current solution which makes use of
The above is working for us but is not convenient.
That means that you cannot call SetEnvironmentVariable() to change an environment variable in the running process and then expect the next call to getenv() to report that new value.
It is thread unsafe, but I am fairly certain that each process has its own set of environment variables, on Windows and on Posix systems. Another application calling setenv() cannot interfere with your application. Anyway, I am not against adding a function in the oficonv module that allows you to set the iconv path manually.
One more thing: DcmSpecificCharacterSet::setIconvPath() should return an OFCondition, and should actually return an error when DCMTK has been compiled with a different conversion library (GNU libiconv or libc iconv) that does not support such API.
By the way, I don't see a good reason why OFCharacterEncoding and DcmSpecificCharacterSet should be "polluted" with a static function that has nothing to do with these classes.
ACK. I was debating if this call could be generic for the other alternative implementations. I'll make it oficonv specific. Thx
Uh. This is exactly what is working for me while _putenv/getenv combo failed for me.
I stand corrected on this. Thanks
Ack
20231e1 to 8ead5db
@eichelberg / @jriesmeier How about this one?
I am still not happy with it: At least on Linux, it is not possible to safely use a static buffer to store a path. The PATH_MAX constant exists, but the documentation warns against using it. The problem is that at least on Linux, the maximum path length depends on the filesystem used, and is not a hard-coded kernel limit. Therefore, I would suggest that you allocate that buffer dynamically with malloc() and add the corresponding free() call to the OFiconv_cleanup(), which is automatically called when an application terminates (search for OFiconvCleanupHelper in module ofstd for the ugly details).
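The approach suggested in the comment above (a heap copy sized to the input, released by a cleanup function), shown as an added example; it is not code from the pull request or from DCMTK. The example_* names and the sample paths are hypothetical, and treating an empty environment value as unset is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names: the example_* functions are not the oficonv API. */
static char *example_path = NULL; /* heap copy, sized to the input */

/* Store a private copy of path. Returns 0, EINVAL or ENOMEM. */
int example_setpath(const char *path)
{
    size_t len;
    char *copy;
    if (path == NULL || path[0] == '\0')
        return EINVAL;
    len = strlen(path);
    copy = malloc(len + 1); /* no PATH_MAX: the input decides the size */
    if (copy == NULL)
        return ENOMEM;
    memcpy(copy, path, len + 1); /* copies the terminating NUL too */
    free(example_path); /* drop the old value only after success */
    example_path = copy;
    return 0;
}

/* Precedence: environment value, then the stored path, then fallback.
   Assumption: an empty environment value counts as unset. */
const char *example_resolve(const char *env, const char *fallback)
{
    if (env != NULL && env[0] != '\0')
        return env;
    return example_path != NULL ? example_path : fallback;
}

/* Counterpart to the free() the reviewer asks for at cleanup time. */
void example_cleanup(void)
{
    free(example_path);
    example_path = NULL;
}

int main(void)
{
    if (example_setpath("/opt/app/share/iconv") != 0) /* constructed path */
        return 1;
    puts(example_resolve(getenv("DCMICONVPATH"), "/usr/share/example"));
    example_cleanup();
    return 0;
}
```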
8ead5db to 71ea8f3
This looks good now. I just merged this into our testing branch. It should appear in the public repository in a few days.
Provide a new function OFiconv_setpath() that allows an application to change the iconv data path at runtime. Note: the DCMICONVPATH environment variable will override any path set with this function. Thanks to Mathieu Malaterre <[email protected]> for the pull request. This closes GitHub PR #116.