Hello, I have confirmed the bug and will add it to the bug list and I will definitely fix it. Thank you!
Regards,
Shigio

On Wed, Oct 22, 2025 at 10:41 AM Tim Becker <[email protected]> wrote:
>
> In libparser/java.c, there is a fixed-size buffer which is filled with
> potentially unbounded-length data due to multiple layers of nesting.
>
> Specifically, an out-of-bounds write to completename can occur due to
> unchecked concatenation of nested class names and separators in the '{'
> handler. At lines ~91–106, p points into completename and is advanced via
> '*p++ = '.';' and 'while (*q) *p++ = *q++;' with no bounds checking. With
> enough nesting or long class names, p exceeds the 1024-byte buffer.
>
> Note: each name component is limited to 511 characters, but there is no limit
> on the number of components.
>
> A fix to safely support arbitrary depths should switch to using a heap buffer
> which is reallocated as needed to fit the current name.
>
> Note: this bug was found by Theori's Xint Code analysis.
>
> Thanks,
> Tim Becker
> Theori

--
Shigio YAMAGUCHI <[email protected]>
PGP fingerprint: 26F6 31B4 3D62 4A92 7E6F 1C33 969C 3BE3 89DD A6EB
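An added illustration of the reallocated heap buffer the report proposes (example code, not the project's own libparser/java.c): a growable name buffer that appends nested class-name components with '.' separators and regrows before every write, so the result length is bounded only by memory rather than by a 1024-byte array. The names namebuf and nested_name_length are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Heap-backed name buffer: an assumed helper, not code from the project's libparser/java.c. */
typedef struct {
    char *buf;   /* always NUL-terminated */
    size_t len;  /* bytes in use, excluding the NUL */
    size_t cap;  /* allocated bytes, including room for the NUL */
} namebuf;

void namebuf_init(namebuf *nb) {
    nb->cap = 64; nb->len = 0;
    nb->buf = malloc(nb->cap);
    if (nb->buf == NULL) abort();
    nb->buf[0] = '\0';
}

/* Grow the allocation so that `extra` more bytes plus the terminator fit. */
static void namebuf_reserve(namebuf *nb, size_t extra) {
    size_t need = nb->len + extra + 1;
    if (need <= nb->cap) return;
    size_t ncap = nb->cap;
    while (ncap < need) ncap *= 2;
    char *p = realloc(nb->buf, ncap);
    if (p == NULL) abort();
    nb->buf = p; nb->cap = ncap;
}

/* Append one class-name component, inserting the '.' separator between components. */
void namebuf_push(namebuf *nb, const char *component) {
    size_t clen = strlen(component);
    namebuf_reserve(nb, clen + 1);          /* +1 covers the separator */
    if (nb->len > 0) nb->buf[nb->len++] = '.';
    memcpy(nb->buf + nb->len, component, clen + 1);
    nb->len += clen;
}

/* Nest `depth` components of `clen` bytes each (constructed input) and return the name length. */
size_t nested_name_length(size_t depth, size_t clen) {
    char *component = malloc(clen + 1);
    if (component == NULL) abort();
    memset(component, 'A', clen);
    component[clen] = '\0';
    namebuf nb;
    namebuf_init(&nb);
    for (size_t i = 0; i < depth; i++) namebuf_push(&nb, component);
    size_t total = nb.len;
    free(nb.buf); free(component);
    return total;
}
```

With 300 components of the 511-character maximum the name is 153599 bytes, far past the fixed 1024-byte array, and the buffer simply grows to hold it.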
