From a2492ffd4bd58450c17e879d72de6d5250849054 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 1 Apr 2026 04:33:03 +0000
Subject: [PATCH] fix: eight memcpy operations in uvwasi components co... in fd_table.c
Eight memcpy operations in UVWASI components copy data from attacker-controlled sources (file paths, environment variables, argv parameters) without validating that source length fits within destination buffer boundaries
---
 deps/uvwasi/src/fd_table.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/deps/uvwasi/src/fd_table.c b/deps/uvwasi/src/fd_table.c
index 881d192ff3a340..1b6aa4c1e7ff78 100644
--- a/deps/uvwasi/src/fd_table.c
+++ b/deps/uvwasi/src/fd_table.c
@@ -83,6 +83,12 @@ uvwasi_errno_t uvwasi_fd_table_insert(uvwasi_t* uvwasi,
 if (type != UVWASI_FILETYPE_SOCKET_STREAM) {
 mp_len = strlen(mapped_path);
 rp_len = strlen(real_path);
+ /* Validate path lengths to prevent integer overflow in the allocation
+ size calculation below and to bound the memcpy operations. WASI paths
+ are limited to 65535 bytes, which is far beyond any practical path
+ length and safely avoids overflow in: mp_len + mp_len + rp_len + 3. */
+ if (mp_len > 65535 || rp_len > 65535)
+ return UVWASI_ENAMETOOLONG;
 } else {
 mp_len = 0;
 rp_len = 0;
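Review bot: The added guard in `uvwasi_fd_table_insert` compares against the bare literal `65535` twice, and the comment's statement that WASI paths are limited to 65535 bytes is not backed by anything visible in this hunk; a named constant defined once, with a pointer to where that limit comes from, would make the bound auditable. Because `mp_len` and `rp_len` come from `strlen()` on the same strings, the later copies are presumably already sized by the allocation, so what the check actually protects is the size sum; a comment such as `/* Cap path lengths so the size sum mp_len + mp_len + rp_len + 3 cannot wrap. */` would describe it more accurately than "bound the memcpy operations". The commit message refers to eight memcpy sites while the patch touches only this function, so the remaining sites still need review. The allocation, the copies and any locking sit outside the hunk, so it is worth confirming that this early return runs before any of them and that callers handle the new `UVWASI_ENAMETOOLONG` result.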