Skip to content

fix: add buffer-length check in libyep.c#1

Merged
zoogies merged 1 commit into
yoyoengine:mainfrom
orbisai0security:fix-heap-buffer-overflow-sprintf-v001
May 31, 2026
Merged

fix: add buffer-length check in libyep.c#1
zoogies merged 1 commit into
yoyoengine:mainfrom
orbisai0security:fix-heap-buffer-overflow-sprintf-v001

Conversation

@orbisai0security
Copy link
Copy Markdown
Contributor

@orbisai0security orbisai0security commented May 31, 2026

Summary

Address high severity security finding in src/libyep.c.

Vulnerability

Field Value
ID V-001
Severity HIGH
Scanner multi_agent_ai
Rule V-001
File src/libyep.c:483
Assessment Likely exploitable
CWE CWE-120

Description: The function at libyep.c:483 uses sprintf to copy final_relative_path into node->name without any bounds checking. If the path string exceeds the allocated size of node->name, a heap buffer overflow occurs, overwriting adjacent memory structures.

Evidence

Scanner confirmation: multi_agent_ai rule V-001 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

  • src/libyep.c

Note: The following lines in the same file use a similar pattern and may also need review: src/libyep.c:416, src/libyep.c:433, src/libyep.c:453, src/libyep.c:481

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Security Invariant

Property: Buffer reads never exceed the declared length

Regression test 
#include <check.h>
#include <stdlib.h>
#include <string.h>
#include <valgrind/valgrind.h>

/* Pull in the production code directly */
#include "../src/libyep.c"

START_TEST(test_path_no_buffer_overflow)
{
    /* Invariant: node->name must never be written beyond its allocated size,
       regardless of the length of final_relative_path */
    const char *payloads[] = {
        /* valid input — short path well within any reasonable buffer */
        "short/path.yep",
        /* boundary — exactly 255 chars (common NAME_MAX) */
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        /* exploit — 2x oversized (512 chars) */
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
        /* 10x oversized (2560 chars) */
        "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

This test guards against regressions — it's useful independent of the code change above.

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.

Automated security fix by OrbisAI Security

zoogies
zoogies requested changes May 31, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@zoogies zoogies left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove test file (without adding an agentic co-author) and I will merge

@orbisai0security
fix: bound copy into yep node name
aae0995 
Replace sprintf with snprintf when copying the relative path into node->name to avoid overflowing the fixed-size name buffer.

Signed-off-by: OrbisAI Security <mediratta01.pally@gmail.com>
@orbisai0security orbisai0security force-pushed the fix-heap-buffer-overflow-sprintf-v001 branch from d10a4e9 to aae0995 Compare May 31, 2026 16:36
@orbisai0security
Copy link
Copy Markdown
Contributor Author

orbisai0security commented May 31, 2026

Please remove test file (without adding an agentic co-author) and I will merge

done. pls review.

@zoogies zoogies merged commit 4332704 into yoyoengine:main May 31, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoogies zoogies zoogies approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@orbisai0security @zoogies