Movatterモバイル変換

[0]ホーム
URL:

CodeQL documentation
CodeQL resources

Potentially overrunning write with float to string conversion

ID: cpp/overrunning-write-with-floatKind: problemSecurity severity: 9.3Severity: errorPrecision: mediumTags:   - reliability   - security   - external/cwe/cwe-120   - external/cwe/cwe-787   - external/cwe/cwe-805Query suites:   - cpp-security-extended.qls   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

The program performs a buffer copy or write operation that includes one or more float to string conversions (i.e. the %f format specifier), which may overflow the destination buffer if extreme inputs are given. In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.

Recommendation

Always control the length of buffer copy and buffer write operations.strncpy should be used overstrcpy,snprintf oversprintf, and in other cases ‘n-variant’ functions should be preferred.

Example

voiddisplayValue(doublevalue){charbuffer[256];// BAD: extreme values may overflow the buffersprintf(buffer,"%f",value);MessageBox(hWnd,buffer,"A Number",MB_OK);}

In this example, the call tosprintf contains a%f format specifier. Though a 256 character buffer has been allowed, it is not sufficient for the most extreme floating point inputs. For example the representation of double value 1e304 (that is 1 with 304 zeroes after it) will overflow a buffer of this length.

To fix this issue three changes should be made:

  • Control the size of the buffer using a preprocessor define.

  • Replace the call tosprintf withsnprintf, specifying the define as the maximum length to copy. This will prevent the buffer overflow.

  • Consider using the%g format specifier instead of%f.

References

[8]ページ先頭
©2009-2025 Movatter.jp