### The local variable 'szBuffer' in GetVersionFromFile can be exploited by a local attacker for arbitrary code execution. ``` static const char * GetVersionFromFile( const char *filename, const char *match) { size_t cbBuffer = 100; static char szBuffer[100]; char *szResult = NULL; FILE *fp = fopen(filename, "rt"); if (fp != NULL) { /* * Read data until we see our match string. */ while (fgets(szBuffer, cbBuffer, fp) != NULL) { LPSTR p, q; p = strstr(szBuffer, match); if (p != NULL) { /* * Skip to first digit. */ while (*p && !isdigit(*p)) { ++p; } /* * Find ending whitespace. */ q = p; while (*q && (isalnum(*q) || *q == '.')) { ++q; } memcpy(szBuffer, p, q - p); // Vulnerability szBuffer[q-p] = 0; szResult = szBuffer; break; } } fclose(fp); } return szResult; } ``` *(Edit: Title changed for clarity)*