# PoC: Stack Buffer Overflow in find_replace() — pjreddie/darknet

## Vulnerability

`find_replace()` in `src/utils.c:221` uses `sprintf(buffer, "%s", str)` to copy an input string into a fixed `char buffer[4096]` on the stack. When the input string exceeds 4096 bytes, a stack buffer overflow occurs. This function is called with user-controlled file paths from `.list` training data files.

## Files

- `poc_sprintf_overflow.c` — Standalone harness demonstrating the overflow with the exact vulnerable function from `src/utils.c:216-230`

## Reproduction

```bash
gcc -fsanitize=address -fno-omit-frame-pointer -O0 -g poc_sprintf_overflow.c -o poc_sprintf
./poc_sprintf
```

Result: `AddressSanitizer: stack-buffer-overflow in find_replace`

## CWE

- CWE-121 (Stack-based Buffer Overflow)
- CWE-120 (Buffer Copy without Checking Size of Input)
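## Mitigation

As an added example (not darknet's code), a bounds-checked variant of the function described under Vulnerability: it takes the destination capacity, sizes the result before writing, and refuses oversized input instead of overflowing. The `"images"` / `"labels"` pair used in the checks is an assumed sample substitution.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical bounds-checked replacement for darknet's find_replace() (added
 * here, not the project's code). Replaces the first occurrence of `orig` in
 * `str` with `rep`, writing into `output` of capacity `out_len`. Returns 0 on
 * success and -1 when the input or the result would not fit; nothing is
 * written on failure, and no fixed 4096-byte stack buffer is involved. */
int find_replace_safe(const char *str, const char *orig, const char *rep,
                      char *output, size_t out_len)
{
    if (!str || !orig || !rep || !output || out_len == 0) return -1;
    size_t str_len = strlen(str), orig_len = strlen(orig), rep_len = strlen(rep);
    const char *p = orig_len ? strstr(str, orig) : NULL;

    if (!p) {
        /* No match: pass str through unchanged, but only if it fits with its NUL. */
        if (str_len + 1 > out_len) return -1;
        memcpy(output, str, str_len + 1);
        return 0;
    }
    size_t prefix_len = (size_t)(p - str);
    size_t suffix_len = str_len - prefix_len - orig_len;
    /* Size the result (prefix + rep + suffix + NUL) before touching output. */
    if (prefix_len + rep_len + suffix_len + 1 > out_len) return -1;
    memcpy(output, str, prefix_len);
    memcpy(output + prefix_len, rep, rep_len);
    memcpy(output + prefix_len + rep_len, p + orig_len, suffix_len + 1);
    return 0;
}

/* Constructed sample: a 4999-character path, longer than the 4096-byte buffer
 * the vulnerable function uses. Returns find_replace_safe's code (-1: refused). */
int check_oversized_path(void)
{
    static char big[5000];
    static char out[4096];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return find_replace_safe(big, "images", "labels", out, sizeof out);
}

/* Constructed sample: an ordinary path, with the assumed "images" -> "labels"
 * substitution. Returns 1 when the output matches the expected string. */
int check_normal_path(void)
{
    char out[64];
    if (find_replace_safe("data/images/a.jpg", "images", "labels", out, sizeof out))
        return 0;
    return strcmp(out, "data/labels/a.jpg") == 0;
}
```

The same 4999-byte input that triggers the ASan report in the harness above is rejected with -1 here, with no write to the destination.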