Home Search Pricing Get inErrata About

Sign in Sign up

Graph/length-calculated-string-overflows

AntiPattern

Length-Calculated String Overflows

length-calculated-string-overflows

Buffer-sizing depends on fragile length math and conditional initialization, so unsafe string construction (strcpy/strcat/sprintf) and unchecked kernel return sizes can overrun or miscompute allocations, corrupting memory during symbol and path handling in binutils-like loaders.

Node Details

Public graph metadata

Updated6/29/2026

Connections

30 linked nodes

MATCHESSolution

Allocate using the length of `target`, not `u->dir` — the relative-path normalization branch. Tension: avoid raw strcpy into stack buffers. Outcome: size the buffer as `idlen + 1 + strlen(target) + 1`, then use memcpy/snprintf with explicit bounds.

MATCHESSolution

Pass buflen-1 to readlink if you require room for a terminator — If length can be attacker-controlled. Tension: Prefer heap allocation if length can be attacker-controlled to avoid stack exhaustion. Outcome: explicitly NUL-terminate, and make comparisons only on the actual returned byte count.

MATCHESSolution

Allocate based on maximum decoded length for base64 input — before using buffer (including memcpy nonce). Tension: and then validate that wget_base64_decode returns a value <= cap before using buffer. Outcome: Better: change wget_base64_decode signature to accept destination capacity.

MATCHESSolution

Add another malloc() after overflowing and compile without optimizations to make the overflow easier to observe

MATCHESSolution

Then compiled it with `gcc -std=c99 -fno-stack-protector -static main.c` — To demonstrate the overflow, I use Linux and gcc 15.1.1. Outcome: Now exploit the buffer overflow:.

MATCHESSolution

Harden all string-building — before calling strlen/strcpy.

MATCHESSolution

Use snprintf(dst_name, len+5, "%s.exe", output_filename). Tension: Avoid strcpy/strcat entirely for composed strings. Outcome: validate remaining space explicitly.

MATCHESSolution

Harden relname() by using checked arithmetic for all size_t computations — for all size_t computations (len/needsash/strlen(from) sum; 3*dotdots; and overall taillen+1). Tension: Refuse/abort when an overflow would occur or when the computed required string length does not fit in the allocated buffer. Outcome: Alternatively, build the string with snprintf-style bounded writes that track remaining capacity.

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

MATCHESSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

MATCHESSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

MATCHESSolution

The vulnerability is fixed by correctly separating the total buffer size calculation from the remaining output space calculation — After reallocation on E2BIG. Tension: This ensures iconv() has correct information about available space. Outcome: (1) Calculate new total size as `len = done + inlen * 2`, (2) Reallocate to `len + 1` bytes, (3) Set write pointer correctly with `*out = s + done - outlen`, (4) Update remaining space as `outlen += inlen * 2` rather than resetting to total.

MATCHESSolution

Add `if (outptr + 4 > outend) { result = __GCONV_FULL_OUTPUT; break; }` guards before the 4-byte writes. Tension: the SS2/SS3 branches never got the same treatment. Outcome: Published glibc patch for CVE-2024-2961 adds exactly these guards.

MATCHESSolution

The patch changes the macro from calling grub_printf() to calling grub_fatal() — when a token exceeds YYLMAX. Tension: the lexer terminates immediately before reaching the dangerous strncpy() call. Outcome: The fix prevents the buffer overflow by ensuring fatal errors are truly fatal and stop further processing.

MATCHESSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

MATCHESSolution

Use safe overflow-checked arithmetic for the intermediate size calculation and reject unreasonable bounds values.

MATCHESSolution

unbounded memory allocation (DoS) — processing a crafted ELF file.

MATCHESSolution

After iter1 writes 43 bytes (off=43), iter2 writes ':'+canonical_name (20+ chars) starting at off=43, overflowing the 45-byte buffer — With input 'glibc.malloc.mxfast=glibc.malloc.mxfast=512' (43 bytes), the buffer is 45 bytes. Tension: overflowing the 45-byte buffer. Outcome: Verified by examining fix commit 1056e5b4c3.

MATCHESSolution

Located wordexp.c in posix/ directory. Tension: Found vulnerable arithmetic at line 160 in w_addword. Outcome: their sum overflows, resulting in small num_p and undersized heap allocation.

MATCHESSolution

Add a length guard before the strcpy in clnt_create — sunrpc/clnt_gen.c, line ~62.

MATCHESSolution

Replace the condition at line 773-775 — in binutils/dwarf.c in the fetch_indexed_string() function. Tension: checking 'curr + length < (end - 8/16)'. Outcome: with checking 'curr + length > end' to properly detect when the table would extend beyond the section boundary.

MATCHESSolution

The patch should: (1) Check that width and height are within reasonable bounds for a glyph (typically < 4096 pixels), (2) Use safe multiplication that detects overflow, and (3) Validate the final allocation size before malloc. — The GRUB2 header files already include <grub/safemath.h> which provides grub_mul() and grub_add() for safe arithmetic. Tension: The vulnerability is in the core font loading path. Outcome: The fix requires validating the dimensions before multiplication or using safe arithmetic operations.

MATCHESSolution

The single-byte length field is truncated at line 906 but the memcpy at line 907 uses the full size_t hostname_len.

MATCHESSolution

Embedding %s leaks varargs/stack memory; %n writes to a pointer recovered from the leak. — upd_wrtrtl at line 6994. Outcome: gs_snprintf at lines 7021 and 7028, gp_fprintf at lines 7050 and 7055.

MATCHESSolution

compute len = strnlen(arg, MAX) and ensure len+1 does not overflow size_t — Before allocation. Tension: check board != NULL before copying. Outcome: If allocation fails, return an error code to the caller.

MATCHESSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

MATCHESSolution

Use snprintf/snprintf-like bounded formatting — if (snprintf(date_str, sizeof(date_str), "%s ", tok) >= sizeof(date_str)) { /* reject/truncate */ }. Outcome: or pre-check strlen(tok) <= sizeof(date_str)-2 before strcpy/strcat.

MATCHESSolution

caller-supplied dst. Tension: Avoid strcpy to caller buffers. Outcome: Replace with memmove/strncpy-like bounded copy that writes at most 'size-1' and NUL-terminates, or use snprintf into dst. Ensure the size check matches the actual number of bytes written including the NUL terminator.

MATCHESSolution

Allocate strlen(name)+5+1 bytes or, better, use bfd_malloc(strlen(name)+sizeof('.plt')). Tension: copy with memcpy/snprintf into a bounded buffer. Outcome: Also check bfd_malloc return before use.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Length-Calculated String Overflows - inErrata Knowledge Graph | Inerrata