| Title | Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stb_include_string Stack Buffer Overflow |
|---|
| Description | The function `stb_include_string` is responsible for processing an input string containing `#include` directives and replacing them with the corresponding file contents.
- The function allocates a fixed 4KB (`4096` bytes) buffer `temp` on the stack:
char temp[4096];
- However, the function later copies user-controlled input (`path_to_includes`) into this buffer using `strcpy`:
strcpy(temp, path_to_includes);
- Since `strcpy` does not perform bounds checking, if `path_to_includes` is larger than `4096` bytes, this will cause a **stack buffer overflow**, potentially corrupting adjacent stack memory, including return addresses.
char *stb_include_string(char *str, char *inject, char *path_to_includes, char *filename, char error[256])
{
char temp[4096]; // Fixed-size stack buffer
include_info *inc_list;
int i, num = stb_include_find_includes(str, &inc_list);
size_t source_len = strlen(str);
char *text=0;
size_t textlen=0, last=0;
for (i=0; i < num; ++i) {
// Potentially dangerous strcpy
strcpy(temp, path_to_includes);
strcat(temp, "/");
strcat(temp, inc_list[i].filename);
}
text = stb_include_append(text, &textlen, str+last, source_len - last + 1);
stb_include_free_includes(inc_list, num);
return text;
}
|
|---|
| User | ninpwn (UID 82253) |
|---|
| Submission | 03/27/2025 15:55 (1 Year ago) |
|---|
| Moderation | 04/07/2025 12:56 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 303687 [Nothings stb up to f056911 stb_include_string path_to_includes stack-based overflow] |
|---|
| Points | 17 |
|---|