CppUnitLite
sprintf without bounds
From Brave: https://github.com/brave/browser-ios/blob/development/brave/node_modules/tracking-protection/node_modules/cppunitlite/src/SimpleString.cpp#L85
sprintf (buffer, "%lf", value);
Does not check for buffer overflows. If message's length > str's length, there's a buffer overflow.
This issue was reported to Brave via HackerOne; they marked my bug as informative and closed it by saying:
The code that you highlighted is part of the npm module cppunitlite. The npm module is used in the tracking protection library in the iOS browser, but the code snippet that you highlighted is not used in the code.
You can report the issue here for a fix from the author: https://github.com/smikes/CppUnitLite/
Thanks, Dhiraj
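An added example, not part of the original report and not CppUnitLite's own code: it measures how many characters `"%lf"` can produce for a double and shows a bounded replacement for the `sprintf` call using `snprintf`. The function names and the 20-byte buffer size are assumptions for illustration; the actual buffer size in `SimpleString.cpp` is not shown on this page.

```cpp
#include <cfloat>
#include <cstddef>
#include <cstdio>
#include <string>

// Characters "%lf" needs for value, excluding the terminating NUL.
// snprintf with a null buffer and size 0 only measures; it writes nothing.
int formatted_length(double value) {
    return std::snprintf(nullptr, 0, "%lf", value);
}

// Bounded formatting into a caller-supplied buffer.
// Returns true if the whole text fit, false on truncation or error.
// The buffer is always NUL-terminated when size > 0.
bool format_double_bounded(char *buffer, std::size_t size, double value) {
    if (buffer == nullptr || size == 0) return false;
    int needed = std::snprintf(buffer, size, "%lf", value);
    if (needed < 0) { buffer[0] = '\0'; return false; }
    return static_cast<std::size_t>(needed) < size;
}

// Formatting that can neither overflow nor truncate: measure, then allocate.
std::string format_double(double value) {
    int needed = formatted_length(value);
    if (needed < 0) return std::string();
    std::string out(static_cast<std::size_t>(needed) + 1, '\0');
    std::snprintf(&out[0], out.size(), "%lf", value);
    out.resize(static_cast<std::size_t>(needed));  // drop the NUL slot
    return out;
}

int main() {
    char small[20];  // assumed size, for illustration only
    const double samples[] = {3.14, -1234567.5, 1e19, DBL_MAX};  // constructed inputs
    for (double v : samples) {
        bool ok = format_double_bounded(small, sizeof small, v);
        std::printf("needs %3d chars, fits in %zu: %-3s -> \"%s\"\n",
                    formatted_length(v), sizeof small, ok ? "yes" : "no", small);
    }
    return 0;
}
```

With `"%lf"` the output length depends on the magnitude of the value, so a fixed buffer is only safe if it is sized for the largest double or the write is bounded as above.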