
Use of Inherently Dangerous Function [VID:242:consio.cpp:208] #27

@veracode-workflow-app-preprod

Description

```cpp
#if defined(_EMX) || defined (__VMS)
  fgets(StrA,ASIZE(StrA)-1,stdin);
#elif defined(__sun)
  strncpyz(StrA,getpassphrase(""),ASIZE(StrA));  // Solaris: bounded read via getpassphrase()
#else
  strncpyz(StrA,getpass(""),ASIZE(StrA));        // flagged call (consio.cpp:208): getpass()
#endif
  CharToWide(StrA,Str,MaxLength);
  cleandata(StrA,sizeof(StrA));                  // wipe the plaintext password copy in StrA
#endif
}
```

Filename: consio.cpp

Line: 208

CWE: 242 (Use of Inherently Dangerous Function)

The getpass() function is designed to accept a password from the console, which is returned as a null-terminated string. Certain implementations can cause a buffer overflow: in some implementations of the function there is a maximum length defined for the password, while in others the password can be of arbitrary length. In the latter case, an attacker can send overly long input to getpass() and overflow the destination buffer, potentially resulting in execution of arbitrary code. Replace getpass() with getpassphrase(), which sets an upper bound on the size of the input. Since the password is returned in a static buffer, be sure to clear its contents after use to prevent the data from persisting in process memory.

References: CWE-242 (Use of Inherently Dangerous Function)
