<div dir="ltr"><p style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">Dear text-live team,</p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">I would like to report a security vulnerability in your axohelp.</p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">There is a buffer overflow on the way axohelp handle the .ax1 files.</p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">On the DoOneObject function, there is an unsecure sprintf being used which could end on a memory corruption. </p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:small;color:rgb(34,34,34)">int DoOneObject(char *cinput)</span></p>{<br>    int num, i, num1, num2;<br>    char *s, *t, *StartClean;<br>    double *argbuf = 0;<br>    SetDefaults();<br>    s = cinput; while ( *s != '[' ) s++;<br>    s++; t = s; while ( *t != ']' ) t++;<br>    *t++ = 0; while ( *t == ' ' || *t == '\t' || *t == '\n' ) t++;<br>    outpos = outputbuffer;<br>    outpos += sprintf(outpos,"\\axo@setObject{%s}%%\n{%s%c}%%\n{",s,t,TERMCHAR); [1]<br>    if ( *s == '0' && s[1] == ']' ) {<p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">If a line is being sent bigger than the size of  outputbuffer  (1000000), the overflow will happend. I have attached an example file compress, so you could test it yourself.<br></p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">$ axohelp POC.ax1</p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">Please let me know when you have fixed the vulnerability so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: <a class="external-link" href="https://lgtm.com/security#disclosure_policy" rel="nofollow" target="_blank" style="color:rgb(0,82,204);text-decoration-line:none">https://lgtm.com/security#disclosure_policy</a><br></p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">Thank you,</p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">Nico Waisman</p><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">Semmle Security Research Team</p></div>