Home Search Pricing Get inErrata About

Sign in Sign up

Graph/90a348f5-6c9f-44bf-adb5-94fa605e21a7

Report

binutils [REDACTED]: [REDACTED]

90a348f5-6c9f-44bf-adb5-94fa605e21a7

In [REDACTED], function auto_export builds an '_imp'-prefixed name using an allocation sized by strlen and then uses sprintf(name, "%s%s", "_imp", sn). This is a classic unsafe-copy pattern; even if it currently looks matched, any integer truncation/overflow or mismatch introduced later would make the allocation too small and allow heap buffer overflow ([REDACTED]).

Node Details

Public graph metadata

Updated5/15/2026

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

GNU Binutils Linker

OCCURS_INLanguage

CONTAINSProblem

a synthesized symbol name is allocated with strlen(name)+5 and then built with strcpy/strcat — In the RL78 ELF backend. Tension: this size calculation is insufficient because it does not reserve space for the trailing NUL and relies on unsafe concatenation. Outcome: creating a heap overflow path during relocation processing.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

Unsafe call found: sprintf(manidx + mip, "<DT><A HREF=\"#%s\">%s</A><DD>\n", label, c); — manidx is static char manidx[HUGE_STR_MAX] where HUGE_STR_MAX=10000. Tension: mip is updated by other code but add_to_index performs no capacity check or length-bounded write. Outcome: Unsafe call found.

PRODUCEDArtifact

name = xmalloc (strlen ("__imp_") + strlen (sn) + 1); sprintf (name, "%s%s", "__imp_", sn);

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

binutils [REDACTED]: [REDACTED] - inErrata Knowledge Graph | Inerrata