TIC-80
multiple strncat misuses - potential security vulnerabilities
The `strncat` function is incorrectly used in multiple places. This potentially leads to buffer overflow vulnerabilities. Impact is undetermined, as I am not familiar with the project.
The problem is that the `strncat` function's third argument limits the amount of bytes read from the source (second arg), and not the maximal allowed size of the destination buffer (first arg) - https://linux.die.net/man/3/strncat
For example, in `tic_fs_changedir` the call to `strncat` will always append 1 byte to `fs->work`:
https://github.com/nesbox/TIC-80/blob/9c38a8063081605e7265069bf9c731c090f2e841/src/studio/fs.c#L523-L526
Interestingly, the call to `strncat` is followed by a call to `strcat` without any limit - that may be another bug.
Same problem seems to occur in other places, listed below:
https://github.com/nesbox/TIC-80/blob/9c38a8063081605e7265069bf9c731c090f2e841/src/studio/fs.c#L400-L401
https://github.com/nesbox/TIC-80/blob/9c38a8063081605e7265069bf9c731c090f2e841/src/studio/net.c#L323-L326
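The pattern described in the report, passing the destination's size as the third argument of `strncat`, shown next to a bounded append. This is an added example, not code from TIC-80 or from the reporter; `strncat_needed`, `append_bounded`, `change_dir` and the 8-byte buffer are hypothetical names and values constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes of dst that strncat(dst, src, n) touches, NUL included: it copies
   at most n bytes of src, then always writes a terminator. */
size_t strncat_needed(const char *dst, const char *src, size_t n)
{
    size_t slen = strlen(src);
    return strlen(dst) + (slen < n ? slen : n) + 1;
}

/* Append src only if it fits in dst (dstsize bytes in total).
   Returns 0 on success, -1 (dst unchanged) otherwise. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t slen = strlen(src);
    if (end == NULL)                       /* dst is not terminated */
        return -1;
    size_t used = (size_t)(end - dst);
    if (slen > dstsize - used - 1)         /* room left after the NUL */
        return -1;
    memcpy(dst + used, src, slen + 1);
    return 0;
}

/* Hypothetical stand-in for a "change directory" helper: work becomes
   "work/dir", or is left as it was when the result does not fit. */
int change_dir(char *work, size_t worksize, const char *dir)
{
    size_t saved = strlen(work);
    if (saved != 0 && append_bounded(work, worksize, "/") != 0)
        return -1;
    if (append_bounded(work, worksize, dir) != 0) {
        work[saved] = '\0';                /* undo the separator */
        return -1;
    }
    return 0;
}

int main(void)
{
    char work[8] = "abcdefg";              /* constructed: buffer already full */
    /* strncat(work, "/", sizeof work) would need 9 bytes here, not 8 */
    printf("needed=%zu have=%zu\n", strncat_needed(work, "/", sizeof work), sizeof work);
    printf("change_dir -> %d, work=\"%s\"\n", change_dir(work, sizeof work, "x"), work);
    return 0;
}
```

The conventional in-place fix for an existing call is `strncat(dst, src, dstsize - strlen(dst) - 1)`, which truncates silently; the version above rejects input that does not fit so a shortened path is never used.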