Fedora 24
Buffer weakness #19

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Does not check for buffer overflows.

File Name:

CoinUtils-2.10.11/src/CoinMpsIO.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 buffer weakness.

       sscanf (buffer, "%d %lg %lg\n", &j, &rowlower_[i], &rowupper_[i] );

      assert ( i == j );
    }
    collower_ = reinterpret_cast<double *> (malloc ( numberColumns_ * sizeof ( double )));
    colupper_ = reinterpret_cast<double *> (malloc ( numberColumns_ * sizeof ( double )));
    objective_= reinterpret_cast<double *> (malloc ( numberColumns_ * sizeof ( double )));
    start = reinterpret_cast<CoinBigIndex *> (malloc ((numberColumns_ + 1) *
				       sizeof (CoinBigIndex)));
    row = reinterpret_cast<COINRowIndex *> (malloc (numberElements_ * sizeof (COINRowIndex)));
    element = reinterpret_cast<double *> (malloc (numberElements_ * sizeof (double)));

    start[0] = 0;
    numberElements_ = 0;
    for ( i = 0; i < numberColumns_; i++ ) {
      int j;
      int n;

      /* old:
	 fscanf ( fp, "%d %d %lg %lg %lg\n", &j, &n, 
	          &collower_[i], &colupper_[i],
	          &objective_[i] );
      */
      // new: 
      cardReader_->fileInput ()->gets (buffer, 1000);
      sscanf (buffer, "%d %d %lg %lg %lg\n", &j, &n, 
	      &collower_[i], &colupper_[i], &objective_[i] );

      assert ( i == j );
      for ( j = 0; j < n; j++ ) {
	/* old:
	   fscanf ( fp, "       %d %lg\n", &row[numberElements_],
		 &element[numberElements_] );
	*/
	// new: 
	cardReader_->fileInput ()->gets (buffer, 1000);
	sscanf (buffer, "       %d %lg\n", &row[numberElements_],
		 &element[numberElements_] );

	numberElements_++;
      }
      start[i + 1] = numberElements_;
    }
  }
  // construct packed matrix
  matrixByColumn_ = 
    new CoinPackedMatrix(true,
			numberRows_,numberColumns_,numberElements_,
			element,row,start,NULL);
  free ( row ); 
