fix: buffer over-read, integer overflow, NULL deref, and command injection
- rtext.c: Fix TextRemoveSpaces() buffer over-read when input starts with spaces by checking text[i] instead of text[j] for null terminator - rtext.c: Add integer overflow guard in TextToInteger() before value = value*10 + digit - raudio.c: Add NULL check after RL_MALLOC() in WaveCrop() and LoadWaveSamples() to prevent NULL pointer dereference - rcore_desktop_glfw.c: Harden OpenURL() against command injection by rejecting URLs containing shell metacharacters (double-quote, &, |, ;, backtick, $, backslash) in addition to single-quote
This commit is contained in:
parent
58e42ed6d2
commit
f9bf646388
|
|
@ -1190,8 +1190,14 @@ double GetTime(void)
|
|||
// REF: https://github.com/raysan5/raylib/issues/686
|
||||
void OpenURL(const char *url)
|
||||
{
|
||||
// Security check to (partially) avoid malicious code
|
||||
if (strchr(url, '\'') != NULL) TRACELOG(LOG_WARNING, "SYSTEM: Provided URL could be potentially malicious, avoid [\'] character");
|
||||
// Security check to avoid malicious code injection
|
||||
if (strchr(url, '\'') != NULL || strchr(url, '"') != NULL ||
|
||||
strchr(url, '&') != NULL || strchr(url, '|') != NULL ||
|
||||
strchr(url, ';') != NULL || strchr(url, '`') != NULL ||
|
||||
strchr(url, '$') != NULL || strchr(url, '\\') != NULL)
|
||||
{
|
||||
TRACELOG(LOG_WARNING, "SYSTEM: Provided URL contains potentially dangerous characters");
|
||||
}
|
||||
else
|
||||
{
|
||||
char *cmd = (char *)RL_CALLOC(strlen(url) + 32, sizeof(char));
|
||||
|
|
|
|||
|
|
@ -1322,6 +1322,8 @@ float *LoadWaveSamples(Wave wave)
|
|||
{
|
||||
float *samples = (float *)RL_MALLOC(wave.frameCount*wave.channels*sizeof(float));
|
||||
|
||||
if (samples == NULL) return NULL;
|
||||
|
||||
// NOTE: sampleCount is the total number of interlaced samples (including channels)
|
||||
|
||||
for (unsigned int i = 0; i < wave.frameCount*wave.channels; i++)
|
||||
|
|
|
|||
|
|
@ -1612,7 +1612,12 @@ int TextToInteger(const char *text)
|
|||
text++;
|
||||
}
|
||||
|
||||
for (int i = 0; ((text[i] >= '0') && (text[i] <= '9')); i++) value = value*10 + (int)(text[i] - '0');
|
||||
for (int i = 0; ((text[i] >= '0') && (text[i] <= '9')); i++)
|
||||
{
|
||||
int digit = (int)(text[i] - '0');
|
||||
if (value > (INT_MAX - digit)/10) { value = INT_MAX; break; } // Overflow guard
|
||||
value = value*10 + digit;
|
||||
}
|
||||
}
|
||||
|
||||
return value*sign;
|
||||
|
|
@ -1724,7 +1729,7 @@ const char *TextRemoveSpaces(const char *text)
|
|||
if (text != NULL)
|
||||
{
|
||||
// Avoid copying the ' ' characters
|
||||
for (int i = 0, j = 0; (i < MAX_TEXT_BUFFER_LENGTH - 1) && (text[j] != '\0'); i++)
|
||||
for (int i = 0, j = 0; (i < MAX_TEXT_BUFFER_LENGTH - 1) && (text[i] != '\0'); i++)
|
||||
{
|
||||
if (text[i] != ' ') { buffer[j] = text[i]; j++; }
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user