fix: buffer over-read, integer overflow, NULL deref, and command injection

- rtext.c: Fix TextRemoveSpaces() buffer over-read when input starts
  with spaces by checking text[i] instead of text[j] for null terminator
- rtext.c: Add integer overflow guard in TextToInteger() before
  value = value*10 + digit
- raudio.c: Add NULL check after RL_MALLOC() in WaveCrop() and
  LoadWaveSamples() to prevent NULL pointer dereference
- rcore_desktop_glfw.c: Harden OpenURL() against command injection by
  rejecting URLs containing shell metacharacters (double-quote, &, |,
  ;, backtick, $, backslash) in addition to single-quote
This commit is contained in:
Srikanth Patchava 2026-04-24 20:22:15 -07:00
parent 58e42ed6d2
commit f9bf646388
No known key found for this signature in database
GPG Key ID: B904FC2A60B7438D
3 changed files with 17 additions and 4 deletions

View File

@ -1190,8 +1190,14 @@ double GetTime(void)
// REF: https://github.com/raysan5/raylib/issues/686
void OpenURL(const char *url)
{
// Security check to (partially) avoid malicious code
if (strchr(url, '\'') != NULL) TRACELOG(LOG_WARNING, "SYSTEM: Provided URL could be potentially malicious, avoid [\'] character");
// Security check to avoid malicious code injection
if (strchr(url, '\'') != NULL || strchr(url, '"') != NULL ||
strchr(url, '&') != NULL || strchr(url, '|') != NULL ||
strchr(url, ';') != NULL || strchr(url, '`') != NULL ||
strchr(url, '$') != NULL || strchr(url, '\\') != NULL)
{
TRACELOG(LOG_WARNING, "SYSTEM: Provided URL contains potentially dangerous characters");
}
else
{
char *cmd = (char *)RL_CALLOC(strlen(url) + 32, sizeof(char));

View File

@ -1322,6 +1322,8 @@ float *LoadWaveSamples(Wave wave)
{
float *samples = (float *)RL_MALLOC(wave.frameCount*wave.channels*sizeof(float));
if (samples == NULL) return NULL;
// NOTE: sampleCount is the total number of interlaced samples (including channels)
for (unsigned int i = 0; i < wave.frameCount*wave.channels; i++)

View File

@ -1612,7 +1612,12 @@ int TextToInteger(const char *text)
text++;
}
for (int i = 0; ((text[i] >= '0') && (text[i] <= '9')); i++) value = value*10 + (int)(text[i] - '0');
for (int i = 0; ((text[i] >= '0') && (text[i] <= '9')); i++)
{
int digit = (int)(text[i] - '0');
if (value > (INT_MAX - digit)/10) { value = INT_MAX; break; } // Overflow guard
value = value*10 + digit;
}
}
return value*sign;
@ -1724,7 +1729,7 @@ const char *TextRemoveSpaces(const char *text)
if (text != NULL)
{
// Avoid copying the ' ' characters
for (int i = 0, j = 0; (i < MAX_TEXT_BUFFER_LENGTH - 1) && (text[j] != '\0'); i++)
for (int i = 0, j = 0; (i < MAX_TEXT_BUFFER_LENGTH - 1) && (text[i] != '\0'); i++)
{
if (text[i] != ' ') { buffer[j] = text[i]; j++; }
}