VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2019 · Updated Aug 5, 2024

CVE-2019-14663

Description

Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fileio.c via crafted BASIC source code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Brandy BASIC interpreter 1.20.1 has a stack-based buffer overflow in fileio_openin() that can be triggered by crafted BASIC source code, leading to memory corruption.

Vulnerability

Brandy BASIC V Interpreter version 1.20.1 suffers from a stack-based buffer overflow in the fileio_openin() function located in src/fileio.c at line 478. The vulnerability is triggered when processing a specially crafted BASIC source file that causes the program to write beyond the bounds of a stack buffer named filename (size 256 bytes allocated at offset 32-288 in the stack frame). The attack is carried out by providing a malicious .bas file that, when interpreted, forces the fileio_openin function to copy data using memmove into an insufficiently sized buffer [1].
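
The unchecked-copy pattern described above, next to a bounds-checked form, as an added example that is not Brandy's source code. The function names, the `namelen` parameter and the `strlen` stand-in for the file open are assumptions; only the 256-byte `filename` stack buffer and the use of `memmove` come from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FNAMESIZE 256   /* size of the stack buffer `filename` given in the advisory */

/* Unsafe pattern (assumed shape): the length is derived from the BASIC
 * program and trusted, so any namelen >= FNAMESIZE writes past `filename`. */
int openin_unchecked(const char *name, size_t namelen)
{
    char filename[FNAMESIZE];
    memmove(filename, name, namelen);   /* no bound on namelen */
    filename[namelen] = '\0';
    return (int)strlen(filename);       /* stand-in for opening the file */
}

/* Hardened form: reject any name that does not fit together with its
 * terminator, before a single byte is copied. */
int openin_checked(const char *name, size_t namelen)
{
    char filename[FNAMESIZE];
    if (name == NULL || namelen >= sizeof filename)
        return -1;                      /* caller raises an error to the BASIC program */
    memmove(filename, name, namelen);
    filename[namelen] = '\0';
    return (int)strlen(filename);       /* stand-in for opening the file */
}

int main(void)
{
    char longname[600];                 /* constructed over-long name */
    memset(longname, 'A', sizeof longname);

    /* Only the checked variant is exercised with the over-long input. */
    printf("short name: %d\n", openin_checked("DATA.TXT", 8));
    printf("long name:  %d\n", openin_checked(longname, sizeof longname));
    return 0;
}
```

Building a fuzzing or regression target with `-fsanitize=address` flags the unchecked variant on the first over-long name, which is how the original report was confirmed according to the text above.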

Exploitation

An attacker can exploit this vulnerability by crafting a BASIC source file that, when loaded and executed by the Brandy interpreter, causes a stack buffer overflow. No special authentication or network access is required beyond the ability to supply the malicious file to the interpreter. The attacker does not need any special privileges; the user simply runs the interpreter on the crafted file. The overflow occurs during normal interpretation as the program calls fn_openin which internally calls the vulnerable fileio_openin. The stack trace from AddressSanitizer confirms the write overflow of 478 bytes at the filename buffer's boundary [1].

Impact

Successful exploitation results in a stack buffer overflow, which can corrupt adjacent stack memory. This can potentially lead to arbitrary code execution with the privileges of the user running the interpreter, or cause a denial of service (crash of the interpreter). The exact impact depends on the attacker's ability to control the overflowed data, but memory corruption vulnerabilities in interpreters often lead to code execution [1].

Mitigation

As of the available references, no official fix or patched version has been disclosed. Users of Brandy BASIC version 1.20.1 should consider avoiding processing untrusted BASIC source files until a fix is released. The vulnerability was reported via the project's bug tracker (sourceforge.net/p/brandy/bugs/6/) [1]. There is no known mitigation workaround other than not running the interpreter on untrusted input. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Brandy/Brandy (description)
  • Brandy/Brandy (llm-create)
    Range: <=1.20.1

Patches

0

No patches discovered yet.

References

1
