fix: the opencc c library uses fgets() to read dicti... in text.c (#13970)

## Summary
Fix critical severity security issue in
`internal/cpp/opencc/dictionary/text.c`.

## Vulnerability
| Field | Value |
|-------|-------|
| **ID** | V-001 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-001` |
| **File** | `internal/cpp/opencc/dictionary/text.c:107` |

**Description**: The OpenCC C library uses fgets() to read dictionary
and configuration files without proper bounds validation on subsequent
buffer operations. While fgets() itself is bounds-checked, the sprintf()
call at config_reader.c:174 constructs file paths by concatenating
home_path and filename without verifying the result fits in pkg_filename
buffer. An attacker providing malformed OpenCC configuration files with
excessively long path components can overflow the fixed-size buffer,
overwriting adjacent memory including return addresses and function
pointers.

## Changes
- `internal/cpp/opencc/config_reader.c`
- `internal/cpp/opencc/dictionary/text.c`
- `internal/cpp/opencc/utils.c`

## Verification
- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---
*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved error detection and handling for malformed configuration and
dictionary entries during file parsing.
* Enhanced memory cleanup in error recovery paths to prevent potential
issues.
* Strengthened robustness of string operations and buffer handling
throughout the library.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Ubuntu <ubuntu@ip-172-31-32-15.us-west-2.compute.internal>
This commit is contained in:
OrbisAI Security
2026-05-19 11:25:33 +05:30
committed by GitHub
parent c6e3a2e713
commit f17a66d4f0
3 changed files with 42 additions and 10 deletions

View File

@@ -23,8 +23,10 @@ void perr(const char *str) { fputs(str, stderr); }
int qsort_int_cmp(const void *a, const void *b) { return *((int *)a) - *((int *)b); }
char *mstrcpy(const char *str) {
char *strbuf = (char *)malloc(sizeof(char) * (strlen(str) + 1));
strcpy(strbuf, str);
size_t len = strlen(str);
char *strbuf = (char *)malloc(sizeof(char) * (len + 1));
strncpy(strbuf, str, len);
strbuf[len] = '\0';
return strbuf;
}