Security Research

Security Blog

Page 13

critical9 min

How buffer overflow happens in C patches.c sprintf macros and how to fix it

A critical buffer overflow vulnerability was discovered in `src/patches.c` where the `_EPRINT_I`, `_EPRINT_F`, and `_EPRINT_COEF` macros used `sprintf()` to write formatted AMY event data into a fixed-size buffer without any bounds checking. By replacing every `sprintf()` call with `snprintf()` and tracking remaining buffer space using a `s_entry` base pointer, the fix ensures that formatting 22 event fields — even at maximum values — can never write beyond the buffer boundary.

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jun 6, 2026
critical8 min

How integer overflow in TLS KDF buffer allocation happens in C with OpenSSL and how to fix it

A critical integer overflow vulnerability was discovered in OpenSSL's `tls1_export_keying_material()` function inside `ssl/t1_enc.c`, where attacker-influenced length values could wrap around during arithmetic, causing the `vallen` buffer to be allocated far smaller than needed. The four subsequent `memcpy` calls would then write beyond the heap buffer boundary, enabling potential remote code execution. The fix adds two targeted overflow checks before the arithmetic operations, preventing the al

#integer-overflow#openssl#c+4 more
O
orbisai0security
Jun 6, 2026
critical9 min

How buffer overflow happens in C dcraw_lz.c nikon_3700() and how to fix it

A critical buffer overflow vulnerability was discovered in `lightcrafts/coprocesses/dcraw/dcraw_lz.c` at line 1334, where the `nikon_3700()` function used `strcpy()` to copy camera make and model strings into fixed 64-byte buffers without any bounds checking. A crafted RAW image file with oversized make/model metadata could trigger a heap or stack corruption, potentially enabling arbitrary code execution. The fix replaces both `strcpy()` calls with `strncpy()` and explicit null-termination, enfo

#buffer-overflow#C#CWE-120+4 more
O
orbisai0security
Jun 6, 2026
critical8 min

How buffer overflow in modxo_queue.c memcpy happens in C embedded systems and how to fix it

A critical buffer overflow vulnerability was discovered in `modxo/modxo_queue.c`, where two `memcpy` operations in the `modxo_queue_insert` and `modxo_queue_remove` functions used `queue->item_size` as the copy length without validating it against the destination buffer's bounds. If `item_size` was corrupted or maliciously set to an oversized value, both the enqueue (line 49) and dequeue (line 61) operations could overflow adjacent heap or stack memory on the embedded target. The fix adds bounds

#buffer-overflow#c#embedded-systems+4 more
O
orbisai0security
Jun 6, 2026
critical9 min

How command injection happens in Go ffmpeg wrappers and how to fix it

A critical command injection vulnerability was discovered in `drivers/local/util.go` where user-influenced file paths were passed directly to `ffmpeg.Input()` without any sanitization. Because many ffmpeg wrapper libraries construct shell command strings under the hood, an attacker could embed shell metacharacters in a file path to execute arbitrary OS commands with server-level privileges. The fix introduces a `sanitizeFilePath()` function that validates paths are absolute, clean, and point to

#command-injection#go#security+4 more
O
orbisai0security
Jun 6, 2026
critical9 min

How buffer overflow in P-256 key decompression happens in C with mbedTLS and how to fix it

A critical buffer overflow vulnerability was discovered in `helpers/src/edhoc_cipher_suite_2.c` within the EDHOC cipher suite 2 implementation. The `mbedtls_ecp_decompress()` function used `raw_key_len` to copy a compressed peer public key into a fixed-size buffer without first verifying that the key length fit within the destination. An attacker sending a crafted EDHOC message with an oversized compressed key could exploit this to corrupt adjacent memory, potentially achieving remote code execu

#buffer-overflow#C#mbedTLS+4 more
O
orbisai0security
Jun 5, 2026
critical6 min

How heap buffer overflow happens in C++ JPEG2000 decoding and how to fix it

A critical heap buffer overflow vulnerability was discovered in the OpenJPEG wrapper for Android (jp2forandroid). The `opj_read_from_byte_array()` function performed memcpy operations without validating that the source offset hadn't exceeded the buffer length, allowing maliciously crafted JPEG2000 images to trigger arbitrary code execution. A simple bounds check before the copy operation now prevents this exploitation path.

#security#buffer-overflow#cpp+4 more
O
orbisai0security
Jun 5, 2026
critical7 min

How buffer overflow happens in C strcpy() and how to fix it

A critical buffer overflow vulnerability was discovered in CodeBaseServer2020's u4name.c file, where the `c4strcpy()` wrapper around `strcpy()` copied user-controlled filenames into fixed-size buffers without bounds checking. The fix adds proper length validation before concatenating strings, preventing attackers from overflowing the buffer and executing arbitrary code.

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
Jun 4, 2026
critical6 min

How heap buffer overflow happens in C UART response handling and how to fix it

A critical heap buffer overflow vulnerability was discovered in the AT client response handler (`sm_at_client.c`) where incoming UART data was copied into a fixed-size buffer without verifying available capacity. A compromised modem or malicious UART data could trigger arbitrary heap corruption. The fix replaces an assertion-only guard with proper bounds clamping using `MIN()` to ensure writes never exceed the `at_cmd_resp` buffer allocation.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jun 4, 2026
critical6 min

How unsigned binary downloads happen in Dart update services and how to fix it

A critical vulnerability in the YourSSH application's update service allowed attackers to serve malicious binaries through man-in-the-middle attacks. The `downloadAsset()` function in `update_service.dart` downloaded application binaries directly from URLs without any cryptographic signature or integrity verification. The fix adds SHA-256 digest validation using the GitHub Releases API's digest field, ensuring only authentic binaries are installed.

#security#dart#flutter+4 more
O
orbisai0security
Jun 3, 2026
critical6 min

How out-of-bounds read via unchecked memcpy happens in C packet processing and how to fix it

A critical out-of-bounds read vulnerability was discovered in `hep-tester/heptester.c` where `memcpy` calls at lines 200-201 read from fixed offsets in a packet buffer without verifying the buffer was large enough. An attacker could send a crafted packet shorter than 18 bytes to trigger the read, potentially leaking memory contents or crashing the capture agent. The fix adds a single bounds check against `pkthdr->caplen` before any memory copy operations.

#security#c#buffer-overflow+4 more
O
orbisai0security
Jun 3, 2026
critical7 min

How unsafe realloc() and memcpy() causes buffer overflow in C email parsing and how to fix it

A critical vulnerability in `email/receive.cpp` allowed attackers to trigger a buffer overflow by sending crafted emails with large payloads. The `writefunc()` callback failed to validate that `realloc()` succeeded before writing to the reallocated pointer, risking NULL pointer dereference and potential code execution. The fix adds a simple bounds check that validates the realloc result before use.

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
Jun 3, 2026