Category

CWE-121

Security vulnerabilities and automated fixes for CWE-121 issues

25 posts found

critical · 10 min

Critical Buffer Overflow in NCO Filter String Construction: How strcat() Without Bounds Checking Can Corrupt Memory

A critical buffer overflow vulnerability was discovered and patched in the NetCDF Operators (NCO) library, specifically in the filter string construction loop within `nco_flt.c`. The flaw stemmed from repeated use of `strcat()` and `sprintf()` without any bounds checking, allowing an attacker to supply crafted filter specifications that overflow a fixed-size buffer and corrupt adjacent memory. The fix replaces these unsafe calls with bounds-aware `snprintf()` invocations that track the current w

#buffer-overflow #c-security #memory-safety (+4 more)
orbisai0security
May 28, 2026
high · 7 min

Buffer Overflow in RS-232 Serial Input: How a Missing Length Check Put Embedded Systems at Risk

A critical buffer overflow vulnerability was discovered in `serial.c`, where the `rs232_buffered_input` function could write more bytes than the destination buffer `rs232_ibuff` could hold — with no size limit to stop it. An attacker with access to the RS-232 serial port could exploit this to overwrite adjacent OS memory, including return addresses and critical data structures. The fix adds a simple but essential bounds check that clamps the returned byte count to the actual buffer size.

#buffer-overflow #embedded-security #c-programming (+4 more)
orbisai0security
May 28, 2026
critical · 7 min

Critical Buffer Overflow Fix: How Unbounded strcpy() Puts Your System at Risk

A critical buffer overflow vulnerability was discovered in a custom `strcpy()` implementation that performed unbounded memory copies without any destination buffer size validation. In kernel and OS contexts, this flaw could allow attackers to overwrite return addresses, corrupt heap metadata, or destabilize critical system data structures. The fix replaces the unsafe `strcpy()` with a bounds-checked `strlcpy()` that enforces a maximum copy length, eliminating the overflow risk entirely.

#buffer-overflow #c-security #memory-safety (+4 more)
orbisai0security
May 28, 2026
critical · 7 min

Stack Buffer Overflow in FTM File Parser: How strcpy() Almost Enabled Arbitrary Code Execution on ESP32

A critical stack buffer overflow vulnerability was discovered in `ftm_file.cpp`, where unchecked `strcpy()` calls allowed attacker-controlled filenames from crafted FTM files to overwrite stack memory, including the saved return address, enabling arbitrary code execution on ESP32 devices. The fix replaces both dangerous `strcpy()` calls with bounds-checked `strncpy()` plus explicit null-termination, eliminating the overflow vector entirely. This is a textbook reminder that unsafe C string functi

#buffer-overflow #c-cpp #embedded-security (+4 more)
orbisai0security
May 28, 2026
medium · 8 min

Buffer Overflow via Unsafe sprintf() in C Game Menu: How Shared Campaign Files Could Lead to Code Execution

A series of unbounded `sprintf()` calls in `src/mainmenu.c` created a realistic buffer overflow attack chain, allowing an attacker to craft a malicious campaign file that triggers arbitrary code execution when loaded by a victim. The fix replaces each unsafe `sprintf()` with `snprintf()`, enforcing strict buffer size limits and eliminating the overflow conditions. Because campaign files are routinely shared in game communities, this vulnerability required no special access and posed a significan

#buffer-overflow #c-security #sprintf (+4 more)
orbisai0security
May 28, 2026
critical · 9 min

Critical Buffer Overflow in gravier-str.h: How Broken Bit Shifts and Missing Bounds Checks Created a Memory Corruption Vulnerability

A critical buffer overflow vulnerability was discovered in `gravier/gravier-str.h`, where a subtle typo in the `next_power_of_2()` function combined with off-by-one allocation errors and unchecked `strcpy()` calls created a dangerous memory corruption pathway. Because this code was directly reachable from user-facing menu text input and the s7 scripting engine, an attacker could potentially exploit it to crash the application or execute arbitrary code. The fix corrects the broken bit-shift opera

#buffer-overflow #c-security #memory-safety (+4 more)
orbisai0security
May 28, 2026
critical · 8 min

Critical Buffer Overflow Fixed: sprintf() to snprintf() in Vorbis Producer

A critical buffer overflow vulnerability was discovered in the Vorbis producer module (`src/modules/vorbis/producer_vorbis.c`), where an unchecked `sprintf()` call allowed attacker-controlled metadata from Vorbis audio files to overflow a fixed-size buffer. The fix replaces `sprintf()` with `snprintf()` and adds explicit bounds checking, ensuring that no metadata key — no matter how long or maliciously crafted — can corrupt adjacent memory. This class of vulnerability is one of the oldest and mo

#buffer-overflow #c-security #media-parsing (+4 more)
orbisai0security
May 27, 2026
critical · 8 min

Critical Buffer Overflow Fixed in kinnie.c: Why Bounded String Functions Matter

A critical memory corruption vulnerability was discovered and patched in kinnie.c, where an unbounded strcpy call could allow a maliciously crafted input file to trigger out-of-bounds array writes and corrupt adjacent memory. The fix replaces the unsafe strcpy with bounded alternatives like strlcpy and snprintf, eliminating the attack surface entirely. This is a textbook example of how a single unsafe C string function can open the door to serious exploitation.

#c #buffer-overflow #memory-safety (+4 more)
orbisai0security
May 22, 2026
critical · 9 min

Buffer Overflow in Embedded RTC Driver: How sprintf Almost Broke the Clock

A critical buffer overflow vulnerability was discovered in the PCF85063A RTC sensor driver, where an unbounded `sprintf` call could corrupt memory when formatting datetime values. This type of vulnerability is especially dangerous in embedded systems where memory protections are minimal and corrupted I2C data from a malicious device could trigger the overflow. The fix replaces the unsafe `sprintf` with bounds-checked alternatives, closing the door on potential memory corruption attacks.

#buffer-overflow #embedded-security #c-programming (+4 more)
orbisai0security
May 21, 2026
critical · 9 min

Buffer Overflow via Unbounded strcpy() in C Game Engine: A Critical Fix

A critical buffer overflow vulnerability was discovered and patched in a C-based game engine, where unbounded `strcpy()` calls in `src/game.c` and `src/anime.c` could allow attackers to overwrite adjacent memory and hijack program control flow. This type of vulnerability has been responsible for some of the most devastating exploits in software history and remains a top concern in systems-level C programming. The fix eliminates the unsafe string copy operations, closing a path that could have en

#buffer-overflow #c-security #memory-safety (+4 more)
orbisai0security
May 19, 2026
critical · 9 min

Stack Smashing via sprintf: How Unbounded Writes Broke a C Simulation Engine

A critical buffer overflow vulnerability was discovered and patched in `universe/command.c`, where four unbounded `sprintf` calls allowed attacker-controlled strings from simulation save files to overflow a fixed-size stack buffer. Left unpatched, this flaw could enable arbitrary code execution by anyone who could craft a malicious save file. The fix replaces dangerous `sprintf` calls with bounded alternatives, closing the door on a classic but still devastatingly effective class of memory corru

#buffer-overflow #c-security #memory-safety (+4 more)
orbisai0security
May 18, 2026
critical · 8 min

Buffer Overflow in zlib's untgz.c: How strcpy() Puts Your App at Risk

A critical buffer overflow vulnerability was discovered and patched in zlib's `untgz.c` utility, where two unchecked `strcpy()` calls could allow attackers to corrupt memory by supplying an oversized archive name. This class of vulnerability has been responsible for some of the most devastating exploits in software history, making it essential for developers to understand how and why it happens. The fix eliminates unsafe string copying and replaces it with bounds-aware alternatives that prevent

#security #c #buffer-overflow (+4 more)
orbisai0security
May 17, 2026