On Apr 27 2023, 2ourc3 1er wrote:

> The function includes a declaration of a fixed-size buffer, *char name_buf[40];*, which is used later in the function with the *sprintf* function:
>
>     sprintf (name_buf, "<section 0x%x>", (unsigned int) psym->st_shndx);
>
> The problem with this implementation is that the st_shndx argument used in sprintf is controlled by the user, and therefore could be larger than the size of the buffer, leading to a stack buffer overflow on the buffer *name_buf*.
That is obviously impossible: psym->st_shndx can be at most 65535, so it cannot be larger than 4 characters when formatted as a hexadecimal number.

-- 
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
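The bound Andreas states can be checked exhaustively. The following is an added example written for this page, not code from the thread or from binutils; it assumes the 40-byte buffer from the quoted declaration and that st_shndx is a 16-bit field, then formats every possible value and measures the longest result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the buffer from the quoted declaration: char name_buf[40]; */
#define NAME_BUF_SIZE 40

/* Format string used by the quoted sprintf call. */
static const char *const SECTION_FMT = "<section 0x%x>";

/* Longest string sprintf can produce for the format above when the
   argument is a 16-bit st_shndx (ELF Elf_Half). Every value 0..65535 is
   tried; snprintf(NULL, 0, ...) returns the length without writing. */
size_t max_section_name_len(void)
{
    size_t max = 0;
    for (uint32_t v = 0; v <= UINT16_MAX; v++) {
        int n = snprintf(NULL, 0, SECTION_FMT, (unsigned int)(uint16_t)v);
        if (n > 0 && (size_t)n > max)
            max = (size_t)n;
    }
    return max;
}

/* 1 if the longest output plus its NUL terminator fits in name_buf. */
int fits_in_name_buf(void)
{
    return max_section_name_len() + 1 <= NAME_BUF_SIZE;
}

int main(void)
{
    char name_buf[NAME_BUF_SIZE];
    /* Worst case: the maximum 16-bit index, giving 4 hex digits. */
    uint16_t st_shndx = UINT16_MAX;

    printf("longest formatted name: %zu bytes\n", max_section_name_len());
    printf("fits in %d-byte buffer: %s\n", NAME_BUF_SIZE,
           fits_in_name_buf() ? "yes" : "no");

    sprintf(name_buf, SECTION_FMT, (unsigned int)st_shndx);
    printf("worst case: %s (%zu chars)\n", name_buf, strlen(name_buf));
    return 0;
}
```

Running it shows the longest possible string is 16 characters ("<section 0xffff>"), well inside the 40-byte buffer, so no value of a 16-bit st_shndx can overflow it.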