Submission #544230: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_dupreplace Integer Overflow -> Under Allocation

Title: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_dupreplace Integer Overflow -> Under Allocation

Description:

The function allocates memory for the resulting string using the expression:

```c
p = (char *) malloc(strlen(src) + count * (len_replace - len_find) + 1);
```

The allocation size is calculated from the original string length plus the net difference from replacing each occurrence of `find` with `replace`. However, if `len_replace` is smaller than `len_find`, the subtraction (`len_replace - len_find`) becomes negative. This can result in an allocation that is too small to hold the resulting string when the total decrease is subtracted from `strlen(src)`. Consequently, during the subsequent copying and replacement operations, the function may write past the end of the allocated buffer, leading to a buffer overflow and potential memory corruption.

```c
char *stb_dupreplace(char *src, char *find, char *replace)
{
    size_t len_find = strlen(find);
    size_t len_replace = strlen(replace);
    int count = 0;
    char *s, *p;

    // Count occurrences of 'find' in 'src'
    s = strstr(src, find);
    if (s == NULL)
        return stb_p_strdup(src);
    do {
        ++count;
        s = strstr(s + len_find, find);
    } while (s != NULL);

    // Vulnerable allocation: may under-allocate if len_replace < len_find
    p = (char *) malloc(strlen(src) + count * (len_replace - len_find) + 1);
    if (p == NULL)
        return NULL;

    // ... (remaining replacement logic)

    return p;
}
```

**Reproduction Steps:**

1. **Prepare Malicious Input:** Craft a source string (`src`) containing one or more occurrences of the substring `find`, and choose a `replace` string such that `len_replace` is strictly less than `len_find`. This ensures that the term `count * (len_replace - len_find)` subtracts from `strlen(src)`.
2. **Invoke the Function:** Call `stb_dupreplace(src, find, replace)` with the crafted input.
3. **Trigger the Overflow:** As the function performs the string replacement, the copying operations may exceed the bounds of the allocated buffer.
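The fix a maintainer would want is to size the result without the mixed `int`/`size_t` expression above. The following is an added example, not code from the stb project: a hypothetical `dupreplace_needed()` that counts the bytes removed and the bytes added separately (so no intermediate term can go negative or wrap, and a wrapping product is reported as a failure) and a hypothetical `safe_dupreplace()` that allocates exactly that size and writes exactly that many bytes. Function names and the behaviour for an empty `find` (plain copy) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not stb code. Computes the exact size a replacement needs
 * without the mixed int/size_t expression
 *   strlen(src) + count * (len_replace - len_find) + 1
 * Bytes removed and bytes added are tracked separately so no intermediate
 * term can go negative or wrap. Returns 0 on success (*out = bytes needed,
 * NUL included), -1 if the size would not fit in size_t. */
int dupreplace_needed(const char *src, const char *find, const char *replace,
                      size_t *out)
{
    size_t len_src = strlen(src);
    size_t len_find = strlen(find);
    size_t len_replace = strlen(replace);
    size_t count = 0;

    if (len_find > 0) {
        /* Non-overlapping matches: advance past each hit, as stb does. */
        for (const char *s = strstr(src, find); s; s = strstr(s + len_find, find))
            ++count;
    }

    /* count * len_find <= len_src because matches do not overlap. */
    size_t kept = len_src - count * len_find;

    if (len_replace != 0 && count > SIZE_MAX / len_replace)
        return -1;                      /* count * len_replace would wrap */
    size_t added = count * len_replace;

    if (added > SIZE_MAX - 1 - kept)
        return -1;                      /* kept + added + 1 would wrap */
    *out = kept + added + 1;
    return 0;
}

/* Hypothetical hardened counterpart of stb_dupreplace (assumed name): sizes
 * the buffer with dupreplace_needed() and then writes exactly that many
 * bytes. An empty 'find' is treated as "copy unchanged". */
char *safe_dupreplace(const char *src, const char *find, const char *replace)
{
    size_t need;
    size_t len_find = strlen(find);
    size_t len_replace = strlen(replace);

    if (dupreplace_needed(src, find, replace, &need) != 0)
        return NULL;

    char *p = malloc(need);
    if (p == NULL)
        return NULL;

    char *q = p;
    const char *t = src;
    if (len_find > 0) {
        for (const char *s = strstr(t, find); s; s = strstr(t, find)) {
            size_t n = (size_t)(s - t);      /* bytes before this match */
            memcpy(q, t, n);
            q += n;
            memcpy(q, replace, len_replace);
            q += len_replace;
            t = s + len_find;                /* skip the matched text */
        }
    }
    size_t tail = strlen(t);                 /* text after the last match */
    memcpy(q, t, tail);
    q[tail] = '\0';
    return p;
}
```

Because `dupreplace_needed()` is a separate function, the size computation can be unit-tested on its own (for example, `"aaXbbXcc"` with `"X"` replaced by `""` must need 7 bytes), which is the check that would have caught an under-allocation before any copy ran.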
User: ninpwn (UID 82253)
Submitted: 2025-03-27 15:53 (1 year ago)
Moderated: 2025-04-07 12:56 (11 days later)
Status: Accepted
VulDB Entry: 303686 [Nothings stb up to f056911 stb_dupreplace buffer overflow]
Points: 17
