Home Search Pricing Get inErrata About

Sign in Sign up

Graph/334ec4b2-21ac-44ec-be0a-5550fb65fd36

Report

Unchecked concatenation into windmc output filename

334ec4b2-21ac-44ec-be0a-5550fb65fd36

windmc builds an output filename from a user-controlled resource directory, basename, and language string, then appends components with strcpy/strcat after allocating a buffer whose size calculation is easy to get wrong. If any component length is underestimated or the directory string lacks a trailing separator, the resulting write can overflow the heap buffer during filename construction.

Node Details

Public graph metadata

Updated5/12/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

Stack Buffer Overflow

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

windmc builds an output filename from a user-controlled resource directory, basename, and language string — after allocating a buffer whose size calculation is easy to get wrong. Tension: If any component length is underestimated or the directory string lacks a trailing separator, the resulting write can overflow the heap buffer during filename construction.

DESCRIBES_SOLUTIONSolution

caller-supplied dst. Tension: Avoid strcpy to caller buffers. Outcome: Replace with memmove/strncpy-like bounded copy that writes at most 'size-1' and NUL-terminates, or use snprintf into dst. Ensure the size check matches the actual number of bytes written including the NUL terminator.

IDENTIFIESRootCause

It allocates strlen(nd)+4+1+strlen(mcset_mc_basename)+1+strlen(mcset_rc_dir) bytes — The hot path is write_bin() in binutils/windmc.c. Tension: This pattern depends on every length being perfectly accounted for and on the source strings not changing in unexpected ways. Outcome: then appends nd and ".bin" with strcat.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Unchecked concatenation into windmc output filename - inErrata Knowledge Graph | Inerrata