mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-07-14 00:48:26 +08:00
fix: the opencc c library uses fgets() to read dicti... in text.c (#13970)
## Summary Fix critical severity security issue in `internal/cpp/opencc/dictionary/text.c`. ## Vulnerability | Field | Value | |-------|-------| | **ID** | V-001 | | **Severity** | CRITICAL | | **Scanner** | multi_agent_ai | | **Rule** | `V-001` | | **File** | `internal/cpp/opencc/dictionary/text.c:107` | **Description**: The OpenCC C library uses fgets() to read dictionary and configuration files without proper bounds validation on subsequent buffer operations. While fgets() itself is bounds-checked, the sprintf() call at config_reader.c:174 constructs file paths by concatenating home_path and filename without verifying the result fits in pkg_filename buffer. An attacker providing malformed OpenCC configuration files with excessively long path components can overflow the fixed-size buffer, overwriting adjacent memory including return addresses and function pointers. ## Changes - `internal/cpp/opencc/config_reader.c` - `internal/cpp/opencc/dictionary/text.c` - `internal/cpp/opencc/utils.c` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved error detection and handling for malformed configuration and dictionary entries during file parsing. * Enhanced memory cleanup in error recovery paths to prevent potential issues. * Strengthened robustness of string operations and buffer handling throughout the library. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Ubuntu <ubuntu@ip-172-31-32-15.us-west-2.compute.internal>
This commit is contained in:
@@ -23,8 +23,10 @@ void perr(const char *str) { fputs(str, stderr); }
|
||||
int qsort_int_cmp(const void *a, const void *b) { return *((int *)a) - *((int *)b); }
|
||||
|
||||
char *mstrcpy(const char *str) {
|
||||
char *strbuf = (char *)malloc(sizeof(char) * (strlen(str) + 1));
|
||||
strcpy(strbuf, str);
|
||||
size_t len = strlen(str);
|
||||
char *strbuf = (char *)malloc(sizeof(char) * (len + 1));
|
||||
strncpy(strbuf, str, len);
|
||||
strbuf[len] = '\0';
|
||||
return strbuf;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user