Security vulnerabilities and automated fixes for thread safety issues
A high-severity vulnerability was discovered in `lvl_script_commands.c` where the use of the non-reentrant `strtok()` function during level script parsing created conditions for memory corruption and potential arbitrary code execution. The fix replaces all `strtok()` calls with the thread-safe `strtok_r()` variant, eliminating shared global state that could be exploited through maliciously crafted level files. This change is part of a broader effort to harden the game's script parsing pipeline a
A medium-severity vulnerability was recently patched in libscram's SCRAM authentication implementation, replacing the unsafe `strtok()` function with its thread-safe alternative `strtok_r()`. This seemingly small change prevents potential buffer corruption, race conditions, and authentication bypass vulnerabilities that could compromise application security in multi-threaded environments.