Submission #544231: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_include_string Stack Buffer Overflow info

Title: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_include_string Stack Buffer Overflow

Description: The function `stb_include_string` is responsible for processing an input string containing `#include` directives and replacing them with the corresponding file contents.

- The function allocates a fixed 4KB (`4096` bytes) buffer `temp` on the stack: `char temp[4096];`
- However, the function later copies user-controlled input (`path_to_includes`) into this buffer using `strcpy`: `strcpy(temp, path_to_includes);`
- Since `strcpy` does not perform bounds checking, if `path_to_includes` is larger than `4096` bytes, this will cause a **stack buffer overflow**, potentially corrupting adjacent stack memory, including return addresses.

```c
char *stb_include_string(char *str, char *inject, char *path_to_includes, char *filename, char error[256])
{
   char temp[4096];  // Fixed-size stack buffer
   include_info *inc_list;
   int i, num = stb_include_find_includes(str, &inc_list);
   size_t source_len = strlen(str);
   char *text=0;
   size_t textlen=0, last=0;

   for (i=0; i < num; ++i) {
      // Potentially dangerous strcpy
      strcpy(temp, path_to_includes);
      strcat(temp, "/");
      strcat(temp, inc_list[i].filename);
   }

   text = stb_include_append(text, &textlen, str+last, source_len - last + 1);
   stb_include_free_includes(inc_list, num);
   return text;
}
```
User: ninpwn (UID 82253)
Submitted: 2025-03-27 15:55 (1 year ago)
Moderation: 2025-04-07 12:56 (11 days later)
Status: Accepted
VulDB entry: 303687 [Nothings stb up to f056911 stb_include_string path_to_includes memory corruption]
Points: 17
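
A bounds-checked way to build the include path that the report's `strcpy`/`strcat` sequence builds, given here as an added example and not as code from stb or its maintainers. `join_include_path`, `try_dir_of_length` and `INCLUDE_PATH_MAX` are hypothetical names, and the directory strings are constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define INCLUDE_PATH_MAX 4096  /* same size as the `temp` buffer in the report */

/*
 * Hypothetical helper (not part of stb): build "<dir>/<name>" into dst.
 * Returns 0 on success, -1 if an argument is missing or the joined path
 * (including the terminating NUL) would not fit in dst_size bytes.
 */
static int join_include_path(char *dst, size_t dst_size,
                             const char *dir, const char *name)
{
    int n;

    if (dst == NULL || dst_size == 0 || dir == NULL || name == NULL)
        return -1;

    /* snprintf never writes more than dst_size bytes and returns the
     * length the full result would have had, so truncation is detectable. */
    n = snprintf(dst, dst_size, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';          /* do not leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Constructed input: a directory string of dir_len bytes, as in the report's
 * oversized path_to_includes case. Returns join_include_path()'s result. */
static int try_dir_of_length(size_t dir_len, const char *name)
{
    static char dir[2 * INCLUDE_PATH_MAX];
    char temp[INCLUDE_PATH_MAX];

    if (dir_len >= sizeof dir)
        return -1;
    memset(dir, 'A', dir_len);
    dir[dir_len] = '\0';
    return join_include_path(temp, sizeof temp, dir, name);
}

int main(void)
{
    printf("short dir : %d\n", try_dir_of_length(16, "common.glsl"));
    printf("5000 bytes: %d\n", try_dir_of_length(5000, "common.glsl"));
    return 0;
}
```

The length check covers the `strcat` calls as well as the `strcpy`: a directory that fits on its own is still rejected once the separator and the include filename would push the result past the buffer.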
