# PoC: Stack Buffer Overflow in find_replace() — pjreddie/darknet

## Vulnerability

`find_replace()` in `src/utils.c:221` uses `sprintf(buffer, "%s", str)` to copy an input string into a fixed `char buffer[4096]` on the stack. When the input string exceeds 4096 bytes, a stack buffer overflow occurs. This function is called with user-controlled file paths read from `.list` training data files.
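A bounds-checked replacement for the pattern described above, written here as an added example (not darknet's own code): the output size is passed explicitly, an input or result that would not fit is refused with an error instead of being written past the buffer, and the `images`/`labels` rewrite used to exercise it is a constructed sample path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FR_BUF 4096  /* same capacity as the upstream stack buffer */

/* Hardened find_replace(): replaces the first occurrence of `orig` in
 * `str` with `rep`, writing into `output` of size `outsz`.
 * Returns 0 on success, -1 if the result would exceed `outsz`.
 * Upstream copies `str` into char buffer[4096] with sprintf() and never
 * checks its length; here every write is sized before it happens. */
int find_replace_safe(const char *str, const char *orig, const char *rep,
                      char *output, size_t outsz)
{
    size_t slen = strlen(str), olen = strlen(orig), rlen = strlen(rep);
    const char *p = strstr(str, orig);

    if (!p) {                            /* no match: bounded plain copy */
        if (slen + 1 > outsz) return -1;
        memcpy(output, str, slen + 1);
        return 0;
    }
    size_t prefix = (size_t)(p - str);
    size_t suffix = slen - prefix - olen;
    if (prefix + rlen + suffix + 1 > outsz) return -1;   /* would overflow */
    memcpy(output, str, prefix);
    memcpy(output + prefix, rep, rlen);
    memcpy(output + prefix + rlen, p + olen, suffix + 1); /* copies the NUL */
    return 0;
}

/* Constructed check: a path longer than 4096 bytes (the kind a malicious
 * .list line could carry) is rejected rather than smashing the stack. */
int oversized_path_is_rejected(void)
{
    char out[FR_BUF];
    char *big = malloc(FR_BUF + 100);
    if (!big) return 0;
    memset(big, 'A', FR_BUF + 99);
    big[FR_BUF + 99] = '\0';
    int rc = find_replace_safe(big, "images", "labels", out, sizeof out);
    free(big);
    return rc == -1;
}

int main(void)
{
    char out[FR_BUF];
    int rc = find_replace_safe("data/images/cat.jpg", "images", "labels",
                               out, sizeof out);
    printf("rc=%d out=%s\n", rc, out);
    printf("oversized path rejected: %d\n", oversized_path_is_rejected());
    return 0;
}
```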
## Files

- `poc_sprintf_overflow.c` — Standalone harness demonstrating the overflow with the exact vulnerable function from `src/utils.c:216-230`
## Reproduction

```bash
gcc -fsanitize=address -fno-omit-frame-pointer -O0 -g poc_sprintf_overflow.c -o poc_sprintf
./poc_sprintf
```

Result: `AddressSanitizer: stack-buffer-overflow in find_replace`
## CWE

- CWE-121 (Stack-based Buffer Overflow)
- CWE-120 (Buffer Copy without Checking Size of Input)