Report
In src/convert.c, replace_attr_refresh_hack() allocates a stack buffer with alloca using strlen(new_text) and a constant margin, but then writes into it with sprintf() using a formatted string "%d; URL=%s". If new_text length or contents do not match the size arithmetic assumptions (e.g., integer digit count, unexpected NUL/encoding, or mismatch between numdigit() and sprintf's formatting width), sprintf can write past the alloca buffer, causing stack corruption.
3165ba31-6a2f-4ba7-ae48-bc32909d7eef
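The size-arithmetic risk described above, as an added example that is not wget's code: a hand-computed estimate is compared with the size the formatter itself reports, and the value is built with a bounded write on the heap instead of alloca. naive_digits(), estimated_size(), required_size() and build_refresh_value() are hypothetical names, naive_digits() is a deliberately sign-blind stand-in rather than wget's numdigit(), and the URL is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical digit counter that ignores the sign; it stands in for any
   hand-written size estimate and is NOT wget's numdigit(). */
static size_t naive_digits(int n)
{
    size_t cnt = 1;
    while ((n /= 10) != 0)
        cnt++;
    return cnt;
}

/* Estimate in the style the report describes:
   digits + strlen("; URL=") + strlen(new_text) + terminating NUL. */
size_t estimated_size(int timeout, const char *new_text)
{
    return naive_digits(timeout) + 6 + strlen(new_text) + 1;
}

/* Exact size: ask the formatter how many bytes it will produce. */
size_t required_size(int timeout, const char *new_text)
{
    int n = snprintf(NULL, 0, "%d; URL=%s", timeout, new_text);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened builder: measure, allocate on the heap, write with a bound.
   Returns NULL on failure; the caller frees the result. */
char *build_refresh_value(int timeout, const char *new_text)
{
    size_t need = required_size(timeout, new_text);
    char *buf = need ? malloc(need) : NULL;
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, need, "%d; URL=%s", timeout, new_text);
    if (n < 0 || (size_t)n >= need) {   /* error or truncation */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    const char *url = "http://example.test/next.html"; /* constructed */
    char *v = build_refresh_value(-5, url);
    printf("estimate=%zu required=%zu value=%s\n",
           estimated_size(-5, url), required_size(-5, url), v ? v : "(null)");
    free(v);
    return 0;
}
```

With the sign-blind estimate, a negative timeout makes the required size one byte larger than the estimate, which is the kind of mismatch an unbounded sprintf() would turn into a write past the buffer.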