| Title | Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_include_string Stack Buffer Overflow |
|---|
| Description | The function `stb_include_string` is responsible for processing an input string containing `#include` directives and replacing them with the corresponding file contents.
- The function allocates a fixed 4KB (`4096` bytes) buffer `temp` on the stack:

```c
char temp[4096];
```

- However, the function later copies user-controlled input (`path_to_includes`) into this buffer using `strcpy`:

```c
strcpy(temp, path_to_includes);
```

- Since `strcpy` does not perform bounds checking, if `path_to_includes` is larger than `4096` bytes, this will cause a **stack buffer overflow**, potentially corrupting adjacent stack memory, including return addresses.

```c
char *stb_include_string(char *str, char *inject, char *path_to_includes, char *filename, char error[256])
{
   char temp[4096]; // Fixed-size stack buffer
   include_info *inc_list;
   int i, num = stb_include_find_includes(str, &inc_list);
   size_t source_len = strlen(str);
   char *text=0;
   size_t textlen=0, last=0;
   for (i=0; i < num; ++i) {
      // Potentially dangerous strcpy
      strcpy(temp, path_to_includes);
      strcat(temp, "/");
      strcat(temp, inc_list[i].filename);
   }
   text = stb_include_append(text, &textlen, str+last, source_len - last + 1);
   stb_include_free_includes(inc_list, num);
   return text;
}
```
|
|---|
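A bounded replacement for the `strcpy`/`strcat` sequence shown in the description, as an added example that is not code from stb or from the submission. The helper `build_include_path`, the driver `try_dir_of_length` and the `TEMP_SIZE` macro are hypothetical names, and all inputs are constructed; the helper rejects any directory and file name pair that would not fit in the 4096-byte buffer instead of writing past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEMP_SIZE 4096  /* same size as the stack buffer `temp` in the description */

/* Hypothetical helper (not part of stb): joins dir + "/" + name into dst.
 * Returns 0 on success, -1 if an argument is NULL or the result, including
 * the terminating NUL, would not fit in dstsz bytes. */
int build_include_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n;
    if (!dst || dstsz == 0 || !dir || !name)
        return -1;
    n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';  /* never hand a truncated path back to the caller */
        return -1;
    }
    return 0;
}

/* Constructed input: a directory string of dir_len 'A' bytes joined with name.
 * Returns the helper's result, or -2 if the test allocation fails. */
int try_dir_of_length(size_t dir_len, const char *name)
{
    char temp[TEMP_SIZE];
    char *dir = malloc(dir_len + 1);
    int rc;
    if (!dir)
        return -2;
    memset(dir, 'A', dir_len);
    dir[dir_len] = '\0';
    rc = build_include_path(temp, sizeof temp, dir, name);
    free(dir);
    return rc;
}

int main(void)
{
    printf("short dir:       %d\n", try_dir_of_length(16, "common.glsl"));
    printf("5000-byte dir:   %d\n", try_dir_of_length(5000, "common.glsl"));
    printf("largest fitting: %d\n", try_dir_of_length(TEMP_SIZE - 2 - strlen("a.h"), "a.h"));
    printf("one byte over:   %d\n", try_dir_of_length(TEMP_SIZE - 1 - strlen("a.h"), "a.h"));
    return 0;
}
```

The length check covers the whole joined path, so a short `path_to_includes` combined with a long include file name is rejected as well.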
| User | ninpwn (UID 82253) |
|---|
| Submit | 27/03/2025 03:55 PM (1 year ago) |
|---|
| Moderation | 07/04/2025 12:56 PM (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 303687 [Nothings stb up to f056911 stb_include_string path_to_includes memory corruption] |
|---|
| Points | 17 |
|---|