SmallBASIC Buffer Overflow Vulnerability in SDL Version Prior to 12_28
Vulnerability
A buffer overflow vulnerability has been identified in SmallBASIC with SDL (the SmallBASIC community project), prior to version 12_28. The issue arises in the 'main' function of 'main.cpp', where 'strcpy' is used to copy command line arguments into the global variable 'opt_command'. This buffer has a fixed size of 1024 bytes, defined by the 'OPT_CMD_CZ' macro. Because 'strcpy' does not limit the number of bytes it copies, an argument longer than 1024 bytes is written past the end of 'opt_command'. The overflow can overwrite neighbouring global variables, potentially leading to information leakage and program crashes.
Impact
Exploitation of this vulnerability causes a global buffer overflow, which can overwrite other global variables and disrupt the program's execution. The overflow is triggered by any command line argument longer than 1024 bytes, up to the maximum argument length the operating system allows.
Reproduction
The vulnerability can be reproduced by building SmallBASIC with SDL support and running the 'sbasicg' executable with a command line argument longer than 1024 bytes, for example a string of 1025 'a' characters generated with a Python script. The overflow occurs while the program parses its command line arguments.
Remediation
Users should update to SmallBASIC version 12_28 or later, where the 'strcpy' call has been replaced with 'strlcpy', which bounds the copy to the size of the destination buffer.
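As an added example (not SmallBASIC's own code), the hardened form of the argv-to-'opt_command' copy described above: a bounded copy with strlcpy semantics that can never write past OPT_CMD_CZ and that reports truncation to the caller. The buffer names mirror the advisory; the neighbouring global, the 'sb_strlcpy' helper and the test driver are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for SmallBASIC's fixed-size global command buffer
 * (opt_command, sized by OPT_CMD_CZ = 1024). The neighbouring global is a
 * constructed canary: a bounded copy cannot reach it, whatever the input. */
#define OPT_CMD_CZ 1024
static char opt_command[OPT_CMD_CZ];
static char neighbour_global[16] = "untouched";

/* Local strlcpy: copies at most size-1 bytes, always NUL-terminates, and
 * returns strlen(src) so the caller can detect truncation. Defined here
 * because glibc only provides strlcpy from version 2.38 onwards. */
static size_t sb_strlcpy(char *dst, const char *src, size_t size) {
  size_t n = strlen(src);
  if (size > 0) {
    size_t copy = n < size - 1 ? n : size - 1;
    memcpy(dst, src, copy);
    dst[copy] = '\0';
  }
  return n;
}

/* Hardened replacement for the unbounded strcpy into opt_command.
 * Returns false when the argument did not fit and was truncated. */
static bool set_opt_command(const char *arg) {
  size_t needed = sb_strlcpy(opt_command, arg, sizeof opt_command);
  return needed < sizeof opt_command;
}

/* Builds a constructed argument of 'len' 'a' bytes (the advisory's
 * reproduction input is 1025 bytes) and stores it through the bounded copy. */
static bool store_argument_of_length(size_t len) {
  static char arg[4096];
  if (len >= sizeof arg) return false;
  memset(arg, 'a', len);
  arg[len] = '\0';
  return set_opt_command(arg);
}

int main(void) {
  bool fit = store_argument_of_length(1025);
  printf("fit=%d stored=%zu neighbour=%s\n",
         fit, strlen(opt_command), neighbour_global);
  return fit ? 0 : 1;   /* a truncated command is reported, not overflowed */
}
```

An oversized argument is cut to 1023 bytes plus the terminator and flagged, so the program can reject it instead of corrupting adjacent globals.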