Security vulnerabilities and automated fixes for c cpp issues
19 posts found
A critical heap buffer overflow was discovered in `csrc/cpu/comm/shm.cpp` where the `parallel_memcpy` function copies data without validating that the destination buffer is large enough to hold the incoming bytes. A malicious co-located process could manipulate shared memory state to supply a `chunk_size` exceeding the fixed 32MB `MAX_BUF_SIZE` buffer, triggering memory corruption. The fix adds bounds enforcement and switches pointer array initialization from `malloc` to `calloc` to eliminate un
A critical buffer overflow vulnerability was discovered in `TinyGsmClientSequansMonarch.h` at line 515, where `sprintf` was writing a two-character hex string into a buffer only two bytes large — leaving no room for the null terminator. The fix replaces `sprintf` with `snprintf` and increases the buffer to three bytes, preventing a one-byte overflow that could corrupt adjacent memory in embedded firmware.
A critical buffer overflow vulnerability in `src/AudioTools/Communication/RTSP/RTSPSession.h` allowed an attacker to send a crafted RTSP request with an oversized payload, triggering a heap overflow via an unchecked `memcpy()` call at line 408. The fix adds a single bounds check before the copy and replaces several unsafe `strcpy`/`strncpy` calls with `snprintf`, closing multiple paths to memory corruption and potential remote code execution.
A critical buffer overflow vulnerability was discovered in the ESP32-based micro-journal firmware where `memcpy()` calls used `strlen()` without bounds checking, allowing oversized USB descriptor strings to corrupt adjacent memory. The fix replaces unbounded `strlen()` with `strnlen()` calls that enforce the destination buffer sizes (8, 16, and 4 bytes respectively), preventing heap/stack corruption from malicious USB devices.
A critical stack buffer overflow vulnerability was discovered in GDI/Comdlg32.cpp where the `memcpy()` function used a caller-controlled `lStructSize` field without validation, allowing attackers to write beyond stack-allocated buffers. The fix applies a simple `min()` check across four affected dialog functions to ensure copy operations never exceed the destination buffer size.
A critical path traversal vulnerability in a ZMODEM file receiver allowed a malicious sender to supply crafted filenames containing directory traversal sequences (like `../../.ssh/authorized_keys`), causing the receiver to write file contents to arbitrary locations on the filesystem. The fix strips path separators and validates filenames before use, ensuring received files can only be written to the intended download directory. This class of vulnerability is a stark reminder that any input origi
A critical stack buffer overflow vulnerability was discovered in `ftm_file.cpp`, where unchecked `strcpy()` calls allowed attacker-controlled filenames from crafted FTM files to overwrite stack memory, including the saved return address, enabling arbitrary code execution on ESP32 devices. The fix replaces both dangerous `strcpy()` calls with bounds-checked `strncpy()` plus explicit null-termination, eliminating the overflow vector entirely. This is a textbook reminder that unsafe C string functi
A critical heap buffer overflow vulnerability was discovered and patched in a vendored copy of `stb_image.h`, a popular single-header image loading library. The root cause was a missing bounds check that allowed attacker-controlled image data to trigger memory writes beyond allocated heap buffers, potentially enabling arbitrary code execution. A single defensive guard — rejecting negative buffer lengths before any memory operation — closes this dangerous attack vector.
A critical out-of-bounds memory access vulnerability was discovered in the FatFSUSB library used by the micro-journal ESP32 firmware, where memcpy operations on a sector buffer accepted attacker-controlled offset and size values from USB SCSI commands without any bounds validation. A malicious USB host could craft SCSI READ/WRITE commands to corrupt memory, potentially crashing the device or executing arbitrary code. The fix adds a simple but essential bounds check before every memcpy operation,
A critical buffer overflow vulnerability was discovered and fixed in `src/display.cpp`, where unsafe C string functions were used without bounds checking. This type of vulnerability can allow attackers to corrupt memory, crash applications, or execute arbitrary code. The fix replaces unbounded functions with size-aware alternatives like `strlcpy` and `snprintf`, eliminating the overflow risk.
A medium-severity buffer overflow vulnerability was discovered and patched in the miniz.h file embedded within the KittyMemoryEx library, a memory manipulation tool used on Android and iOS platforms. The missing buffer-length check could have allowed attackers to exploit ZIP processing code to achieve arbitrary code execution with elevated privileges. This post breaks down how the vulnerability works, why it's dangerous in privileged contexts, and what developers can do to prevent similar issues
A critical heap buffer overflow vulnerability was discovered and patched in the NanoSVG SVG parsing library, where missing bounds checks on memcpy operations allowed attacker-controlled SVG data to overflow heap buffers. Without validation of gradient stop counts and attribute array indices, a specially crafted SVG file could trigger arbitrary code execution. The fix adds proper bounds checking before all memory copy operations, closing a dangerous attack vector present in any application that p