marlin
"Stack buffer overflow on an empty string
If SDSUPPORT is enabled, an error occurs because no space is allocated for the / character in the full path of the item being read. Issue 2434: https://github.com/MarlinFirmware/Marlin/issues/2434"
Bug fixed by commit a7fc1f83c81
Type | StackBasedBufferOverflow |
Config | "SDSUPPORT" (1st degree) |
Fix-in | mapping |
Location | cardreader/ |
#include<string.h> /** Number of UTF-16 characters per entry */ #define FILENAME_LENGTH 13 #ifdef SDSUPPORT void cardreader(char *prepend) { int len = strlen(prepend) + FILENAME_LENGTH + 1; // Error - not enough space allocated if prepend is empty char path[len]; // Get the short name for the item, which we know is a folder //char lfilename[FILENAME_LENGTH]; //createFilename(lfilename, p); char lfilename[FILENAME_LENGTH] = "FOLDERNAME12\0"; // Append the FOLDERNAME12/ to the passed string. // It contains the full path to the "parent" argument. // We now have the full path to the item in this folder. path[0] = '\0'; if (prepend[0] == '\0') strcat(path, "/"); // a root slash if prepend is empty strcat(path, prepend); strcat(path, lfilename); strcat(path, "/"); } #endif int main(int argc, char **argv) { cardreader(""); return 0; }
diff --git a/simple/a7fc1f8.c b/simple/a7fc1f8.c --- a/simple/a7fc1f8.c +++ b/simple/a7fc1f8.c @@ -7,7 +7,7 @@ void cardreader(char *prepend) { - int len = strlen(prepend) + FILENAME_LENGTH + 1; // Error - not enough space allocated if prepend is empty + int len = strlen(prepend) + FILENAME_LENGTH + 1 + 1; char path[len]; // Get the short name for the item, which we know is a folder //char lfilename[FILENAME_LENGTH];
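Review bot: The new size `strlen(prepend) + FILENAME_LENGTH + 1 + 1` is still a hand-kept sum that has to match the `strcat` calls further down in `cardreader`, and nothing on the line says which byte each term pays for. I would spell the budget out beside it, `/* root '/' (only when prepend is empty) + name incl. NUL + trailing '/' */`, and hold the result in a `size_t` rather than an `int` so the `strlen` result is not narrowed before it sizes the variable-length array `path`. The body of `cardreader` continues past the end of the hunk, so the `strcat` calls are not visible here; going by the listing earlier on the page they are unbounded, and building the path with one `snprintf(path, len, ...)` whose return value is checked against `len` would turn any later miscount into a detectable truncation instead of a stack write.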
#include<string.h> /** Number of UTF-16 characters per entry */ #define FILENAME_LENGTH 13 int main(int argc, char **argv) { #ifdef SDSUPPORT char *prepend = ""; int len = strlen(prepend) + FILENAME_LENGTH + 1; // Error - not enough space allocated if prepend is empty char path[len]; // Get the short name for the item, which we know is a folder //char lfilename[FILENAME_LENGTH]; //createFilename(lfilename, p); char lfilename[FILENAME_LENGTH] = "FOLDERNAME12\0"; // Append the FOLDERNAME12/ to the passed string. // It contains the full path to the "parent" argument. // We now have the full path to the item in this folder. path[0] = '\0'; if (prepend[0] == '\0') strcat(path, "/"); // a root slash if prepend is empty strcat(path, prepend); strcat(path, lfilename); strcat(path, "/"); #endif return 0; }
. call cardreader.cpp:49: void CardReader::lsDive()
. 59: // Allocate enough stack space for the full path to a folder
. 60: int len = strlen(prepend) + FILENAME_LENGTH + 1; // This does not account for the trailing slash appended last (line 74) when the root slash of line 71 is also written, resulting in a stack buffer overflow
. 71: if (prepend[0] == '\0') strcat(path, "/"); // a root slash if prepend is empty
. 72: strcat(path, prepend);
. 73: strcat(path, lfilename);
. ERROR: cardreader.cpp: 74 strcat(path, "/");