Docopt.cpp Signed Integer Overflow Vulnerability in LeafPattern::match Allows Logic Bypass
Vulnerability
A signed integer overflow has been identified in docopt.cpp version 0.6.2. The issue is in the LeafPattern::match function in docopt_private.h, where the occurrence count of a repeated option or argument is merged into the already-collected count with a plain signed addition and no overflow check. If an application seeds that counter with untrusted input equal to LONG_MAX, the first legitimate occurrence overflows it. Signed overflow is undefined behaviour in C++; on a typical non-sanitised build the counter wraps to LONG_MIN. A negative or otherwise unbounded counter can bypass application logic that relies on occurrence limits or safety toggles. When docopt is instead built with Undefined Behavior Sanitizer configured to halt on error, the same overflow aborts the process, a denial-of-service condition.
Impact
Exploitation wraps an occurrence counter, which amounts to a logic bypass: any application policy that counts occurrences, such as a rate limit, a maximum repetition count or a feature toggle enabled after N occurrences, can be driven past its intended bound or into a negative value that naive "count <= limit" checks accept. In a hardened build with Undefined Behavior Sanitizer, the overflow is reported as a runtime error at the merge; when the sanitizer is configured not to recover (for example with -fno-sanitize-recover), the process aborts.
Reproduction
The vulnerability can be reproduced in two ways. The first is a white-box approach that triggers the overflow inside the library itself: compile a proof-of-concept program against docopt.cpp with Undefined Behavior Sanitizer enabled (-fsanitize=signed-integer-overflow, or -fsanitize=undefined), pre-seed a collected counter with LONG_MAX, and have LeafPattern::match process one more occurrence; the sanitizer reports the signed overflow at the merge. The second is a realistic scenario: an application that uses docopt reads the default value of a counting option from an environment variable and passes it to the parser. Setting that variable to LONG_MAX (9223372036854775807 on LP64 platforms) and then invoking a command that increments the counter triggers the overflow. This can be automated with a small C++ program that links against the docopt library and mirrors how such an application would behave.
Remediation
Merge occurrence counters with checked or saturating addition so that a counter already at its maximum cannot wrap: either refuse the merge and report an error, or clamp the result at LONG_MAX. In addition, normalise any counter that originates from untrusted input before it reaches the parser, rejecting or zeroing negative values and capping it at a sensible application-specific maximum, so that no seeded value can sit at the overflow boundary in the first place.
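The following is an added example and not docopt.cpp's own code; the function names (wrapping_merge, merge_checked, merge_saturating, normalize_count, parse_seed, record_occurrence, within_limit) and the sample input are this editor's own. It models the unchecked merge described above with explicit wrapping arithmetic, and places the checked and saturating merges and the seed normalisation recommended here beside it, so the effect of a LONG_MAX seed can be compared directly.

```cpp
// Added example: a self-contained model of the occurrence-counter merge
// described in the advisory and its hardened alternatives. This is NOT
// docopt.cpp's code; all function names here are illustrative.
#include <cerrno>
#include <climits>
#include <cstdio>
#include <cstdlib>

// What a non-sanitised two's-complement build typically produces when the
// counter is merged with plain signed "existing + increment": the value
// wraps. Computed in unsigned arithmetic so this model itself is not UB.
long wrapping_merge(long existing, long increment) {
    unsigned long sum = static_cast<unsigned long>(existing) +
                        static_cast<unsigned long>(increment);
    return static_cast<long>(sum);  // LONG_MAX + 1 becomes LONG_MIN
}

// True if existing + increment cannot be represented in a long.
bool add_would_overflow(long existing, long increment) {
    if (increment > 0) return existing > LONG_MAX - increment;
    if (increment < 0) return existing < LONG_MIN - increment;
    return false;
}

// Checked merge: refuse the addition instead of wrapping.
bool merge_checked(long existing, long increment, long& out) {
    if (add_would_overflow(existing, increment)) return false;
    out = existing + increment;
    return true;
}

// Saturating merge: clamp at the representable bound instead of wrapping.
long merge_saturating(long existing, long increment) {
    if (add_would_overflow(existing, increment))
        return increment > 0 ? LONG_MAX : LONG_MIN;
    return existing + increment;
}

// Occurrence counts are never negative; zero any negative seed.
long normalize_count(long seed) { return seed < 0 ? 0 : seed; }

// Parse an untrusted decimal seed (e.g. the environment variable in the
// realistic scenario). Rejects junk, out-of-range values, negatives and
// anything above max_allowed, so the parser never sees a value near LONG_MAX.
bool parse_seed(const char* text, long max_allowed, long& out) {
    if (text == nullptr || *text == '\0') return false;
    errno = 0;
    char* end = nullptr;
    long v = std::strtol(text, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;
    if (v < 0 || v > max_allowed) return false;
    out = v;
    return true;
}

// Hardened "one more occurrence seen" step: normalise, then saturate.
long record_occurrence(long collected) {
    return merge_saturating(normalize_count(collected), 1);
}

// A policy check of the kind the advisory says can be bypassed.
bool within_limit(long count, long limit) {
    return count >= 0 && count <= limit;
}

int main() {
    const long limit = 3;
    // Seeded at LONG_MAX: the wrapping merge turns one more occurrence into
    // LONG_MIN, which a naive "count <= limit" test accepts.
    long wrapped = wrapping_merge(LONG_MAX, 1);
    std::printf("wrapping merge: %ld, passes naive limit? %s\n", wrapped,
                wrapped <= limit ? "yes" : "no");
    long safe = record_occurrence(LONG_MAX);
    std::printf("saturating merge: %ld, within limit? %s\n", safe,
                within_limit(safe, limit) ? "yes" : "no");
    long seed = 0;
    const char* untrusted = "9223372036854775807";  // constructed input
    std::printf("parse_seed(\"%s\"): %s\n", untrusted,
                parse_seed(untrusted, 1000, seed) ? "accepted" : "rejected");
    return 0;
}
```

The saturating variant is the drop-in choice for a parser, because a count that stops at LONG_MAX never invalidates a downstream "at most N" check, whereas the checked variant is preferable where an overflow should surface as a parse error rather than be silently clamped. Either way, the parse_seed step is what actually closes the realistic scenario: a seed capped at an application maximum can never be one increment away from the boundary.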
