
multiple strncat misuses - potential security vulnerabilities

Open GrosQuildu opened this issue 1 year ago • 0 comments

The strncat function is incorrectly used in multiple places. This potentially leads to buffer overflow vulnerabilities. Impact is undetermined, as I am not familiar with the project.

The problem is that the strncat function's third argument limits the number of bytes read from the source (second arg), not the maximum allowed size of the destination buffer (first arg) - https://linux.die.net/man/3/strncat

For example, in tic_fs_changedir the call to strncat will always append 1 byte to fs->work:

https://github.com/nesbox/TIC-80/blob/9c38a8063081605e7265069bf9c731c090f2e841/src/studio/fs.c#L523-L526

Interestingly, the call to strncat is followed by a call to strcat without any limit - that may be another bug.

The same problem seems to occur in other places, listed below:

https://github.com/nesbox/TIC-80/blob/9c38a8063081605e7265069bf9c731c090f2e841/src/studio/fs.c#L400-L401

https://github.com/nesbox/TIC-80/blob/9c38a8063081605e7265069bf9c731c090f2e841/src/studio/net.c#L323-L326

GrosQuildu, Apr 21 '23 16:04
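As an added example (not TIC-80's code; the buffer name `work`, its size and the appended strings are constructed), the arithmetic behind the misuse the issue describes, next to an append whose bound is derived from the remaining room in the destination:

```c
#include <stddef.h>
#include <string.h>

/* Number of source bytes strncat(dst, src, n) copies: at most n, no matter
 * how much room dst actually has. A terminating NUL is written after them. */
size_t strncat_copies(const char *src, size_t n)
{
    size_t len = strlen(src);
    return len < n ? len : n;
}

/* Would strncat(dst, src, n) overflow a dst_size-byte buffer that currently
 * holds dst_len characters? Pure arithmetic, so the misuse can be shown
 * without actually executing an out-of-bounds write. */
int strncat_overflows(size_t dst_len, size_t dst_size, const char *src, size_t n)
{
    return dst_len + strncat_copies(src, n) + 1 > dst_size;
}

/* Correctly bounded append: the limit is the space left in dst minus one
 * byte for the terminator. Returns 0 and leaves dst untouched if dst is not
 * NUL-terminated within dst_size bytes (nothing safe can be done then). */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return 0;
    size_t room = dst_size - (size_t)(end - dst) - 1;
    strncat(dst, src, room);           /* truncates src rather than dst */
    return 1;
}

/* Walk through the patterns from the issue on a constructed 8-byte buffer. */
int demo(void)
{
    char work[8] = "/abcde";           /* 6 characters used, 8-byte buffer */
    /* A bound of 1 copies exactly 1 byte whenever src is non-empty... */
    int a = strncat_overflows(strlen(work), sizeof work, "/", 1);   /* 0 */
    /* ...and still does so when only one byte of room is left: overflow. */
    int b = strncat_overflows(7, sizeof work, "/", 1);              /* 1 */
    /* Passing the destination size as the bound reads up to 8 source bytes. */
    int c = strncat_overflows(strlen(work), sizeof work, "/cart.tic", sizeof work); /* 1 */
    /* The bounded form fits only one byte of src and stays inside work. */
    bounded_append(work, sizeof work, "/cart.tic");
    int d = strcmp(work, "/abcde/") == 0;                           /* 1 */
    return a == 0 && b == 1 && c == 1 && d == 1;
}
```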