Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Veracode discovered a race condition #183

Closed
az-faro opened this issue Aug 11, 2023 · 1 comment
Closed

Veracode discovered a race condition #183

az-faro opened this issue Aug 11, 2023 · 1 comment

Comments

@az-faro
Copy link

az-faro commented Aug 11, 2023

I use lodepng in a project that uses Veracode and it found the following issue:

Description: This call to fopen() results in a time-of-check time-of-use race condition in an earlier call to fopen() in function: lodepng_filesize(). This condition occurs when a given resource is checked and a change occurs in the resource to invalidate the results of the check before that resource is used. One example of this behavior is when a file is replaced with a symbolic link to another file after the check but before the use.

Remediation: When performing a sequence of actions on a file, obtain a file handle to ensure that the same resource is being accessed each time. For example, a stat() followed by an fopen() could be replaced by an open() followed by an fstat(), where the fstat() call uses the file handle returned by open() instead of a filename.

What it means essentially is that when the lodepng_load_file function is called it first opens the file and checks the size, then closes it (in lodepng_filesize) and then makes some check depending on the size of the file. After that it opens it again (in lodepng_buffer_file) to load data into the malloc:ed buffer. The issue is that the file can be changed between being read the first and second times, invalidating the size check and lodepng_malloc call. As said by Veracode; make sure to not close the file in-between or someone might be able to start with a small file, then change it to a large file right before the lodepng_buffer_file gets called to produce a buffer overrun.

@lvandeve
Copy link
Owner

Thanks for reporting this, fixed it in e2f71d2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants