Report
In src/convert.c, write_backup_file() builds a temporary backup name on the stack. For files marked FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, it allocates alloca(filename_len + 1), copies the file name, then overwrites four bytes starting at (buf + filename_len) - 4 with "orig". This assumes the string is at least four bytes long. If the input filename is shorter than four bytes, the write lands before the allocated region and causes a dynamic stack buffer overflow.
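The pattern described above, next to a length-checked form, as an added example that is not the project's own code. The function names, the caller-supplied output buffer and the choice to reject short names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUFFIX     "orig"
#define SUFFIX_LEN 4

/* Pattern as the report describes it: the last four bytes are replaced
   without checking that four bytes exist. For len < 4, (buf + len) - 4
   points before buf. Shown for comparison only; never called here. */
void backup_name_unchecked(char *buf, const char *file)
{
    size_t len = strlen(file);
    memcpy(buf, file, len + 1);
    memcpy((buf + len) - SUFFIX_LEN, SUFFIX, SUFFIX_LEN);
}

/* Checked form (hypothetical helper): refuse names shorter than the
   suffix and names that do not fit in out, so the overwrite always
   stays inside the buffer. Returns 0 on success, -1 on rejection. */
int backup_name_checked(char *out, size_t out_sz, const char *file)
{
    size_t len = strlen(file);
    if (len < SUFFIX_LEN || len + 1 > out_sz)
        return -1;
    memcpy(out, file, len + 1);                         /* copy with NUL */
    memcpy(out + len - SUFFIX_LEN, SUFFIX, SUFFIX_LEN); /* last 4 bytes */
    return 0;
}

int main(void)
{
    /* Constructed sample names, including the short ones at issue. */
    const char *samples[] = { "index.html", "html", "a.h", "x", "" };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (backup_name_checked(out, sizeof out, samples[i]) == 0)
            printf("%-12s -> %s\n", samples[i], out);
        else
            printf("%-12s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Building the unchecked form with -fsanitize=address and passing it a name shorter than four bytes is a quick way to confirm the out-of-bounds write during regression testing.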