Insecure function vsprintf may cause write-overflow in function Server_debug
awen-li opened this issue
Code snippet
Server_start_rec_internal(Server *self, char *filename)
{
    /* ... */
    /* filename comes from external module, the length is indeterminate */
    Server_debug(self, "Recording filename path = %s\n", filename);
    if (! (self->recfile = sf_open(filename, SFM_WRITE, &self->recinfo)))
    {
        /* filename comes from external module, the length is indeterminate */
        Server_error(self, "Not able to open output file %s.\n", filename);
        Server_debug(self, "%s\n", sf_strerror(self->recfile));
        return -1;
    }
    /* ... */
}

Server_debug(Server *self, char * format, ...)
{
    if (self->verbosity & 8)
    {
        char buffer[256];
        va_list args;
        va_start (args, format);
        /* Variable parameters may lead to write overflow in buffer */
        vsprintf (buffer, format, args);
        va_end (args);
        PySys_WriteStdout("Pyo debug: %s", buffer);
    }
}
Description
Function: Server_debug
File: servermodule.c
Call-path: recstart (Python) -> Server_start_rec -> Server_start_rec_internal -> Server_debug
WarningType: Write-overflow.
Our analysis tool reported a warning at vsprintf in Server_debug. As buffer is a fixed-size stack variable, when the debug mode is open, vsprintf may cause a write overflow with no boundary check, especially when the inputs depend on external modules (e.g., Python).
Also seen in Details
Can anyone help confirm this issue? Thanks.
I'll take a look as soon as I get a chance. Thanks for reporting.
Fixed!