Submission #544230: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_dupreplace Integer Overflow -> Under Allocation

Title: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_dupreplace Integer Overflow -> Under Allocation
Description: The function allocates memory for the resulting string using the expression:

```c
p = (char *) malloc(strlen(src) + count * (len_replace - len_find) + 1);
```

The allocation size is calculated from the original string length and the net difference from replacing occurrences of `find` with `replace`. However, if `len_replace` is smaller than `len_find`, the subtraction (`len_replace - len_find`) becomes negative. This can result in an allocation that is too small to hold the resulting string when the total decrease is subtracted from `strlen(src)`. Consequently, during the subsequent copying and replacement operations, the function may write past the end of the allocated buffer, leading to a buffer overflow and potential memory corruption.

```c
char *stb_dupreplace(char *src, char *find, char *replace)
{
    size_t len_find = strlen(find);
    size_t len_replace = strlen(replace);
    int count = 0;
    char *s, *p;

    // Count occurrences of 'find' in 'src'
    s = strstr(src, find);
    if (s == NULL)
        return stb_p_strdup(src);
    do {
        ++count;
        s = strstr(s + len_find, find);
    } while (s != NULL);

    // Vulnerable allocation: may under-allocate if len_replace < len_find
    p = (char *) malloc(strlen(src) + count * (len_replace - len_find) + 1);
    if (p == NULL)
        return NULL;

    // ... (remaining replacement logic)
    return p;
}
```

**Reproduction Steps:**

1. **Prepare Malicious Input:** Craft a source string (`src`) containing one or more occurrences of the substring `find` and choose a `replace` string such that `len_replace` is strictly less than `len_find`. This ensures that the term `count * (len_replace - len_find)` subtracts from `strlen(src)`.
2. **Invoke the Function:** Call `stb_dupreplace(src, find, replace)` with the crafted input.
3. **Trigger the Overflow:** As the function performs the string replacement, the copying operations may exceed the bounds of the allocated buffer.
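A hardened version of the routine, added here as an example and not part of the submission or of stb: it computes the output size from unsigned lengths only, with explicit overflow checks on the multiply and the add, and then writes exactly that many bytes. `safe_dupreplace`, `dup_string` and `dupreplace_equals` are names chosen for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Plain copy used when there is nothing to replace (hypothetical helper). */
static char *dup_string(const char *src, size_t len_src)
{
    char *out = (char *) malloc(len_src + 1);
    return out ? (char *) memcpy(out, src, len_src + 1) : NULL;
}

/* Hardened replacement (example code, not stb's): no signed difference is ever
 * multiplied by the occurrence count; each arithmetic step is checked. */
char *safe_dupreplace(const char *src, const char *find, const char *replace)
{
    size_t len_src = strlen(src), len_find = strlen(find), len_replace = strlen(replace);
    size_t count = 0, out_len;
    const char *s, *r;
    char *out, *w;

    /* An empty needle would match everywhere: treat it as "nothing to replace". */
    if (len_find != 0)
        for (s = strstr(src, find); s != NULL; s = strstr(s + len_find, find))
            ++count;
    if (count == 0)
        return dup_string(src, len_src);

    /* Bytes kept from src: matches are disjoint, so this cannot underflow. */
    out_len = len_src - count * len_find;
    /* Bytes contributed by the replacements: guard the multiply, then the add. */
    if (len_replace != 0 && count > SIZE_MAX / len_replace)
        return NULL;
    if (count * len_replace > SIZE_MAX - 1 - out_len)
        return NULL;
    out_len += count * len_replace;

    out = w = (char *) malloc(out_len + 1);
    if (out == NULL)
        return NULL;
    for (s = src; (r = strstr(s, find)) != NULL; s = r + len_find) {
        memcpy(w, s, (size_t) (r - s));  w += r - s;        /* text before match */
        memcpy(w, replace, len_replace); w += len_replace;  /* the replacement  */
    }
    strcpy(w, s);                        /* tail after the last match, plus NUL */
    return out;
}

/* Runs one replacement, compares it with the expected string and frees it. */
int dupreplace_equals(const char *src, const char *find, const char *replace, const char *expected)
{
    char *got = safe_dupreplace(src, find, replace);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```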
User: ninpwn (UID 82253)
Submission: 27/03/2025 15h53 (1 year ago)
Moderation: 07/04/2025 12h56 (11 days later)
Status: Accepted
VulDB Entry: 303686 [Nothings stb up to f056911 stb_dupreplace buffer overflow]
Points: 17
