Security vulnerabilities and automated fixes for CWE-122 issues
A critical buffer overflow vulnerability was discovered in `hardinfo2/x_util.c` where `memcpy` operations copied data into dynamically allocated arrays without validating that the destination buffer was large enough. The vulnerable pattern used raw `malloc`/`realloc` without checking the return value before immediately using the pointer as a `memcpy` destination, meaning a failed allocation could lead to a NULL pointer dereference or out-of-bounds write. The fix replaces the unsafe manual alloca
A missing bounds validation in `jsdrv_tmap_copy()` within `src/tmap.c` allowed crafted time map data—delivered over USB device communication—to trigger a heap buffer overflow via unchecked `memcpy` operations. The fix adds a three-line guard that validates `src->head` and `src->tail` against `src->alloc_size` before any memory is copied, closing a confirmed-exploitable attack path.
A critical buffer overflow vulnerability was discovered in the 51Degrees NGINX module (`ngx_http_51D_module.c`), where four uses of unbounded `strcpy()` allowed attackers to overflow fixed-size heap buffers by sending HTTP requests with oversized header names. The fix replaces all unsafe string operations with length-bounded NGINX-native alternatives (`ngx_memcpy` and `ngx_cpystrn`), preventing memory corruption without any change to functional behavior.
A critical buffer overflow vulnerability was discovered in the nanosvg.h SVG parser where the `memcpy` call at line 913 copies gradient stop data using an attacker-controlled size (`nstops`) without validating buffer boundaries. A crafted SVG file with excessive `<stop>` elements could trigger heap corruption, potentially enabling arbitrary code execution. The fix adds a bounds check before the `memcpy` operation to prevent writes when no valid stops exist.
A critical heap buffer overflow vulnerability was discovered in `audio_backend.c`, where the audio ring buffer's `memcpy` operations lacked bounds validation before writing PCM data. Without checking that incoming data sizes fell within the allocated buffer's capacity, a maliciously crafted audio file could corrupt adjacent heap memory, potentially enabling arbitrary code execution. The fix adds a concise pre-flight validation guard that rejects out-of-range write requests before any memory oper
A critical buffer overflow vulnerability was discovered in `phlib/nativefile.c`, where multiple `memcpy` calls copied filename and extended-attribute data into fixed-size structures without verifying that source lengths didn't exceed destination buffer boundaries. An attacker supplying an oversized filename or EA name could corrupt adjacent heap memory, potentially enabling arbitrary code execution. The fix replaces unchecked arithmetic with Windows' safe integer helpers (`RtlULongAdd`, `RtlULon
A critical buffer overflow vulnerability was discovered and patched in `libs/intx/wrapper.cpp`, where `memcpy` operations wrote into fixed-size buffers without first validating that the copy length fit within the destination. Because these functions process externally-supplied data arriving over RPC, an attacker could potentially trigger heap or stack corruption remotely. The fix adds strict bounds and null-pointer checks before any memory operation takes place.
A critical heap buffer overflow vulnerability was discovered in the `lwip_hosted_rx_input` function of the lwIP hosted wireless driver, where raw network frames from an ESP-hosted interface were copied into packet buffers without validating the frame length against the buffer's maximum capacity. Because `pbuf_alloc` uses an unsigned 16-bit integer for size, an attacker on the same wireless network could craft a packet with an oversized length field, causing silent integer truncation and subseque
A critical buffer overflow vulnerability was discovered in RapidSpeech's `audio_processor.cpp`, where multiple `memcpy` calls used externally-influenced size parameters without validating destination buffer capacity. An attacker supplying crafted audio or model input could trigger out-of-bounds memory writes, potentially leading to crashes, memory corruption, or arbitrary code execution. The fix introduces explicit bounds checking before each copy operation, ensuring offsets never exceed allocat
A critical heap buffer overflow vulnerability was discovered in the LZMA decompression library (`LzmaDec.c`), where attacker-controlled compressed input could manipulate copy lengths passed directly to `memcpy` without bounds validation. This class of vulnerability can allow attackers to overwrite adjacent heap memory, potentially leading to arbitrary code execution or process crashes. A targeted bounds check was added to validate the output size before the copy operation, closing the attack pat
A critical out-of-bounds memory vulnerability was discovered and patched in `utils/symbol-rawelf.c`, where two separate `memcpy` calls lacked proper bounds validation when processing ELF binary files. Without these checks, a maliciously crafted ELF file could trigger an out-of-bounds read or heap overflow, potentially leading to remote code execution or memory corruption. This post breaks down how the vulnerability works, how it was fixed, and what every C developer should know about safe memory
A critical buffer overflow vulnerability was discovered and patched in third-party UTF-8 validation code, where multiple unchecked `memcpy` operations could allow attackers to write beyond buffer boundaries, corrupt heap metadata, and potentially execute arbitrary code. This fix highlights a timeless lesson in C programming: never trust that your source data fits in your destination buffer. The patch affects `lemire-avx2.c`, `lemire-sse.c`, and `main.c` — three files that together form the backb