Buffer Overflow Vulnerability in countFields() Function

ayushman1210 · ayushman1210 · commit 3d13343e5673 · 2026-02-01T20:30:43.000+05:30
diff --git a/src/common/modelParams.c b/src/common/modelParams.c
@@ -127,6 +127,10 @@ void initializeOneModelParam(ModelParams *modelParams, char *name,
 
 void checkParamFormat(char *line, const char *sep) {
   int numParams = countFields(line, sep);
+  if (numParams == -1) {
+    logError("memory allocation failure in parameter file processing\n");
+    exit(EXIT_CODE_INTERNAL_ERROR);
+  }
   if (numParams > 2) {
     logWarning("extra columns in .param file are being ignored (found %d "
                "columns)\n",
diff --git a/src/common/util.c b/src/common/util.c
@@ -50,13 +50,19 @@ int stripComment(char *line, const char *commentChars) {
 // count number of fields in a string separated by delimiter 'sep'
 int countFields(const char *line, const char *sep) {
   // strtok modifies string, so we need a copy
-  char lineCopy[256];
+  size_t lineLen = strlen(line);
+  char *lineCopy = (char *)malloc(lineLen + 1);
+  if (lineCopy == NULL) {
+    return -1; // Handle allocation failure
+  }
   strcpy(lineCopy, line);
+  
   int numParams = 0;
   char *par = strtok(lineCopy, sep);
   while (par != NULL) {
     ++numParams;
     par = strtok(NULL, sep);
   }
+  free(lineCopy);
   return numParams;
 }
diff --git a/src/sipnet/sipnet.c b/src/sipnet/sipnet.c
@@ -162,6 +162,10 @@ void readClimData(const char *climFile) {
   }
 
   numFields = countFields(firstLine, SEPARATORS);
+  if (numFields == -1) {
+    logError("memory allocation failure in climate file processing\n");
+    exit(EXIT_CODE_INTERNAL_ERROR);
+  }
   switch (numFields) {
     case NUM_CLIM_FILE_COLS:
       // Standard format
