...
This example could be taken from a file-copying program. It allocates a buffer of user-defined size on the stack to temporarily store data read from the source file. If the size of the buffer is not constrained, a malicious user could specify a buffer of several gigabytes and cause a crash. A more malicious user could specify a buffer long enough to place the stack pointer into the heap and overwrite memory there with what fputs and fgets store on the stack.
```c
/* Deliberately vulnerable, as discussed above: bufsize comes straight from the
 * caller and sizes a variable-length array on the stack with no upper bound. */
int copy_file(FILE *src, FILE *dst, size_t bufsize)
{
    char buf[bufsize];              /* unbounded stack allocation */
    while (fgets(buf, bufsize, src))
        fputs(buf, dst);
    return 0;
}
```
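A hardened counterpart to the snippet above, added here as an example (it is not code from the original page): the caller-supplied size is checked against an explicit upper bound before use, the buffer is allocated on the heap instead of as a variable-length array on the stack, and I/O errors are reported to the caller. The limit `MAX_BUFSIZE`, the function name `copy_file_safe` and the self-check helper `demo_roundtrip` are assumptions chosen for this example; the bound also guarantees the size fits the `int` parameter that `fgets` actually takes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example: refuse buffers above 1 MiB. */
#define MAX_BUFSIZE ((size_t)1 << 20)

/* Copies src to dst through a bounded heap buffer.
 * Returns 0 on success, -1 on invalid arguments or allocation failure,
 * -2 on a write error. Like the original loop it is line oriented, so
 * embedded NUL bytes are not preserved (a property of fgets/fputs). */
int copy_file_safe(FILE *src, FILE *dst, size_t bufsize)
{
    if (src == NULL || dst == NULL)
        return -1;
    /* fgets needs room for at least one character plus the terminating
     * NUL, and anything above the policy limit is rejected outright. */
    if (bufsize < 2 || bufsize > MAX_BUFSIZE)
        return -1;

    char *buf = malloc(bufsize);    /* heap, not a VLA on the stack */
    if (buf == NULL)
        return -1;

    int rc = 0;
    /* The bound above guarantees (int)bufsize does not overflow. */
    while (fgets(buf, (int)bufsize, src) != NULL) {
        if (fputs(buf, dst) == EOF) {
            rc = -2;
            break;
        }
    }
    free(buf);
    return rc;
}

/* Self-check helper (constructed for this example): writes `text` to a
 * temporary source file, copies it with copy_file_safe using `bufsize`,
 * and compares the destination byte for byte. Returns:
 *   1  copy succeeded and destination matches source
 *   0  copy succeeded but contents differ
 *  <0  the error code returned by copy_file_safe (e.g. rejected size) */
int demo_roundtrip(const char *text, size_t bufsize)
{
    FILE *src = tmpfile();
    FILE *dst = tmpfile();
    if (src == NULL || dst == NULL) {
        if (src) fclose(src);
        if (dst) fclose(dst);
        return -1;
    }
    fputs(text, src);
    rewind(src);

    int rc = copy_file_safe(src, dst, bufsize);
    int result = rc;
    if (rc == 0) {
        rewind(dst);
        size_t len = strlen(text);
        char *out = calloc(len + 1, 1);
        size_t n = out ? fread(out, 1, len, dst) : 0;
        /* Also require that nothing beyond the expected bytes was written. */
        result = (out != NULL && n == len && fgetc(dst) == EOF &&
                  memcmp(out, text, len) == 0) ? 1 : 0;
        free(out);
    }
    fclose(src);
    fclose(dst);
    return result;
}

int main(void)
{
    /* Sample inputs constructed for the demonstration. */
    printf("small buffer, multi-line text: %d\n",
           demo_roundtrip("hello\nworld\n", 8));
    printf("buffer shorter than a line:    %d\n",
           demo_roundtrip("a line longer than the buffer\n", 4));
    printf("oversized request rejected:    %d\n",
           demo_roundtrip("data\n", MAX_BUFSIZE + 1));
    return 0;
}
```

A buffer smaller than a line still copies correctly because `fgets` simply returns the line in pieces; what the bound removes is the ability of a caller to turn `bufsize` into an arbitrarily large stack allocation.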
...