| Título | Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_include_string Stack Buffer Overflow |
|---|
| Descrição | The function `stb_include_string` is responsible for processing an input string containing `#include` directives and replacing them with the corresponding file contents.
- The function allocates a fixed 4KB (`4096` bytes) buffer `temp` on the stack:
char temp[4096];
- However, the function later copies user-controlled input (`path_to_includes`) into this buffer using `strcpy`:
strcpy(temp, path_to_includes);
- Since `strcpy` does not perform bounds checking, if `path_to_includes` is larger than `4096` bytes, this will cause a **stack buffer overflow**, potentially corrupting adjacent stack memory, including return addresses.
char *stb_include_string(char *str, char *inject, char *path_to_includes, char *filename, char error[256])
{
char temp[4096]; // Fixed-size stack buffer
include_info *inc_list;
int i, num = stb_include_find_includes(str, &inc_list);
size_t source_len = strlen(str);
char *text=0;
size_t textlen=0, last=0;
for (i=0; i < num; ++i) {
// Potentially dangerous strcpy
strcpy(temp, path_to_includes);
strcat(temp, "/");
strcat(temp, inc_list[i].filename);
}
text = stb_include_append(text, &textlen, str+last, source_len - last + 1);
stb_include_free_includes(inc_list, num);
return text;
}
|
|---|
| Utilizador | ninpwn (UID 82253) |
|---|
| Submissão | 27/03/2025 15h55 (há 1 Ano) |
|---|
| Moderação | 07/04/2025 12h56 (11 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 303687 [Nothings stb até f056911 stb_include_string path_to_includes Excesso de tampão] |
|---|
| Pontos | 17 |
|---|