Category

Code Review

Security vulnerabilities and automated fixes for code review issues

9 posts found

critical5 min

How shell command injection happens in Python subprocess and how to fix it

A critical shell command injection vulnerability was discovered in the radare2 build system's `meson.py` file, where `os.system()` was used with an f-string to execute git commands. An attacker who could control the `remote` variable could inject arbitrary shell commands. The fix replaces `os.system()` with `subprocess.call()` using a list of arguments, eliminating shell interpretation entirely.

#security#python#command-injection+4 more
O
orbisai0security
Jul 9, 2026
critical6 min

How buffer overflow in strcat() happens in C and how to fix it

A critical buffer overflow vulnerability was discovered in the `daemonize()` function of `tpl.c`, where command-line arguments are concatenated into a fixed-size 8192-byte buffer using `strcat()` without any bounds checking. An attacker who controls command-line arguments can overflow this buffer to corrupt adjacent memory and potentially achieve arbitrary code execution. The fix adds a buffer-length check before each concatenation to ensure writes never exceed the declared buffer size.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jun 27, 2026
critical6 min

How command injection happens in Python subprocess and how to fix it

A critical command injection vulnerability was discovered in `script/llm_semantic_analyzer.py` at line 394, where user-controlled input (API keys and model parameters) was interpolated directly into shell commands passed to `subprocess.run` with `shell=True`. An attacker who could control these parameters could inject shell metacharacters like `; rm -rf /` or `$(whoami)` to execute arbitrary commands. The fix sanitizes all user input before it reaches shell execution.

#security#command-injection#python+4 more
O
orbisai0security
Jun 23, 2026
critical5 min

How strcpy buffer overflow happens in C++ debugger command handling and how to fix it

A critical stack-based buffer overflow was discovered in `src/debugger.cpp` at line 387, where `strcpy` copied user-entered debugger commands into a fixed-size stack buffer (`prevCommandBuffer`) without any length validation. An attacker could craft an oversized command string to overflow the buffer, overwrite the return address, and achieve arbitrary code execution. The fix replaces `strcpy` with bounded `strncpy` and explicit null-termination.

#security#buffer-overflow#cpp+4 more
O
orbisai0security
Jun 18, 2026
critical5 min

How buffer overflow happens in C xxd utility and how to fix it

A critical buffer overflow vulnerability was discovered in the xxd utility's `xxdline()` function where `strcpy()` was used without bounds checking on file input. An attacker could craft a malicious hex dump file with oversized lines to trigger memory corruption. The fix replaces the unsafe `strcpy()` with `snprintf()` to enforce buffer size limits.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jun 14, 2026
critical5 min

How command injection happens in Python subprocess and how to fix it

A critical command injection vulnerability was discovered in export.py where subprocess calls used `shell=True` with user-controllable CLI arguments. An attacker could inject shell metacharacters through model paths or export parameters to execute arbitrary commands on the host system. The fix replaces shell-based command execution with safer list-based subprocess calls that prevent command injection.

#security#command-injection#python+4 more
O
orbisai0security
Jun 11, 2026
critical5 min

How stack buffer overflow happens in C memcpy() with caller-controlled length and how to fix it

A critical stack buffer overflow vulnerability was discovered in GDI/Comdlg32.cpp where the `memcpy()` function used a caller-controlled `lStructSize` field without validation, allowing attackers to write beyond stack-allocated buffers. The fix applies a simple `min()` check across four affected dialog functions to ensure copy operations never exceed the destination buffer size.

#security#buffer-overflow#c-cpp+4 more
O
orbisai0security
Jun 10, 2026
critical6 min

SQL Injection via SQLite's %s Format Specifier in LR2_statlong.cpp ReadPlayerScore()

A critical SQL injection vulnerability was discovered in `LR2/LR2_statlong.cpp` at line 42, where `sqlite3_snprintf` used the `%s` format specifier instead of `%q` to interpolate a player ID into a SQL query. This single-character difference meant that single quotes in the player ID were inserted verbatim, allowing an attacker to break out of the SQL string literal and inject arbitrary commands. The fix changes `%s` to `%q`, which doubles all single quotes to properly escape them.

#sql-injection#sqlite#c+++4 more
O
orbisai0security
Jun 2, 2026
critical9 min

Buffer Overflow via Unbounded strcpy() in C Game Engine: A Critical Fix

A critical buffer overflow vulnerability was discovered and patched in a C-based game engine, where unbounded `strcpy()` calls in `src/game.c` and `src/anime.c` could allow attackers to overwrite adjacent memory and hijack program control flow. This type of vulnerability has been responsible for some of the most devastating exploits in software history and remains a top concern in systems-level C programming. The fix eliminates the unsafe string copy operations, closing a path that could have en

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
May 19, 2026