2020-06-29 10:53 PM
URL:
Type: Buffer overflow
Description:
The global variable rung_pos is initialized to zero when the program starts. If it is still zero when line 387 of Ladder_Lib.c executes, the index rung_pos - 1 evaluates to -1, so the memset on the global array output starts at output[-1], before the beginning of the array, and zeroes EXPRESSION_MAX_SIZE bytes from there. This leads to a buffer overflow.
 92  uint8_t rung_pos=0;
236  int16_t WiFi_Decode (uint8_t* frame)
237  {
...
387      memset(&output[rung_pos-1],0,EXPRESSION_MAX_SIZE);
...
429  }
Result: Memory corruption
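
Added example, not code from Ladder_Lib.c: the unchecked pattern from line 387 next to a bounds-checked form that refuses to write when rung_pos is 0. The array layout, the values of EXPRESSION_MAX_SIZE and RUNG_MAX, the guard block and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed values: the report does not show these declarations. */
#define EXPRESSION_MAX_SIZE 16
#define RUNG_MAX 8

/* Constructed layout: a guard block sits where index -1 would land. */
static struct {
    uint8_t guard[EXPRESSION_MAX_SIZE];
    uint8_t output[RUNG_MAX][EXPRESSION_MAX_SIZE];
} mem;

/* uint8_t is promoted to int before the subtraction, so 0 - 1 is -1, not 255. */
int prev_rung_index(uint8_t rung_pos)
{
    return rung_pos - 1;
}

/* Pattern from the report: no check, index -1 when rung_pos == 0. */
void clear_prev_rung_unchecked(uint8_t rung_pos)
{
    memset(&mem.output[rung_pos - 1], 0, EXPRESSION_MAX_SIZE);
}

/* Hardened form: reject any rung_pos whose predecessor is outside the array.
 * Returns 0 on success, -1 if nothing was written. */
int clear_prev_rung_checked(uint8_t rung_pos)
{
    if (rung_pos == 0 || rung_pos > RUNG_MAX)
        return -1;
    memset(mem.output[rung_pos - 1], 0, EXPRESSION_MAX_SIZE);
    return 0;
}

/* Fill guard and array with a marker, run the checked clear, and report
 * whether the guard survived (1) or was modified (0). */
int guard_intact_after(uint8_t rung_pos)
{
    memset(&mem, 0xAA, sizeof mem);
    (void)clear_prev_rung_checked(rung_pos);
    for (size_t i = 0; i < sizeof mem.guard; i++)
        if (mem.guard[i] != 0xAA)
            return 0;
    return 1;
}
```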