belangeo / pyo

Python DSP module
GNU Lesser General Public License v3.0

Insecure function vsprintf may cause write-overflow in function Server_debug #222

Closed awen-li closed 3 years ago

awen-li commented 3 years ago

Code snippet

Server_start_rec_internal(Server *self, char *filename)
{
    /* ... */
    /* filename comes from an external module; its length is indeterminate */
    Server_debug(self, "Recording filename path = %s\n", filename);
    if (! (self->recfile = sf_open(filename, SFM_WRITE, &self->recinfo)))
    {
        /* filename comes from an external module; its length is indeterminate */
        Server_error(self, "Not able to open output file %s.\n", filename);

        Server_debug(self, "%s\n", sf_strerror(self->recfile));
        return -1;
    }
    /* ... */
}

Server_debug(Server *self, char * format, ...)
{
    if (self->verbosity & 8)
    {
        char buffer[256];
        va_list args;
        va_start (args, format);
        /* variable parameters may lead to a write overflow in buffer */
        vsprintf (buffer, format, args);
        va_end (args);
        PySys_WriteStdout("Pyo debug: %s", buffer);
    }
}

Description

Function: Server_debug
File: servermodule.c
Call-path: recstart (Python) -> Server_start_rec -> Server_start_rec_internal -> Server_debug
WarningType: Write-overflow.

Our analysis tool reported a warning at vsprintf in Server_debug. As buffer is a fixed-size stack variable, when the debug mode is open, vsprintf may cause a write overflow with no boundary check, especially when the inputs depend on external modules (e.g., Python). Also seen in Details

awen-li commented 3 years ago

Can anyone help confirm this issue? Thanks.

belangeo commented 3 years ago

I'll take a look as soon as I get a chance. Thanks for reporting.

belangeo commented 3 years ago

Fixed!
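
A bounded version of the formatting step reported above, as an added example that is not part of this thread and is not the project's actual fix. `bounded_format`, `demo_long_filename` and `DEBUG_BUF_SIZE` are hypothetical names; the 1000-byte filename is constructed input standing in for a path passed from Python.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 256 /* same size as the stack buffer in Server_debug */

/* Hypothetical helper, not pyo code: format with vsnprintf so the write
 * never exceeds out_size. Returns 0 if the message fit, 1 if it was
 * truncated, -1 on bad arguments or a formatting error. */
static int bounded_format(char *out, size_t out_size, const char *format, ...)
{
    va_list args;
    int needed;

    if (out == NULL || out_size == 0)
        return -1;
    va_start(args, format);
    needed = vsnprintf(out, out_size, format, args);
    va_end(args);
    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= out_size) {
        /* vsnprintf already NUL-terminated; mark the cut so it shows in logs */
        if (out_size > 4)
            memcpy(out + out_size - 4, "...", 4);
        return 1;
    }
    return 0;
}

/* Constructed input: a filename far longer than the 256-byte buffer. */
static int demo_long_filename(char *out, size_t out_size)
{
    char filename[1001];
    memset(filename, 'A', sizeof filename - 1);
    filename[sizeof filename - 1] = '\0';
    return bounded_format(out, out_size,
                          "Recording filename path = %s\n", filename);
}

int main(void)
{
    char buffer[DEBUG_BUF_SIZE];
    int rc = demo_long_filename(buffer, sizeof buffer);
    printf("rc=%d, bytes kept=%zu\n", rc, strlen(buffer));
    return 0;
}
```

The return value of `vsnprintf` is the length the full message would have had, which is what makes truncation detectable; `vsprintf` gives the callee no size to check against.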