Problem

A Security Engineer on Meta’s product security team is reviewing a small C++ utility used in a Messenger backend component. The code parses user-controlled input and builds a response buffer. Your task is to identify one memory leak and one buffer overflow vulnerability, explain why each occurs, and propose secure fixes.

#include <cstring>
#include <iostream>

void processMessage(const char* input) {
    char* session = new char[64];
    char reply[16];

    strcpy(session, "active-session");

    if (strlen(input) < 32) {
        strcpy(reply, input);
    }

    std::cout << session << ": " << reply << std::endl;
}

Requirements

1. Identify the exact line or operation that causes the memory leak.
2. Identify the exact line or operation that causes the buffer overflow.
3. Describe how an attacker could exploit the overflow if input is user-controlled.
4. Provide a corrected version of the function using safer C++ patterns.
5. Briefly explain which secure coding practices would prevent this class of issue in Meta codebases.

Notes

• Assume this code may be invoked repeatedly in a long-running service.
• Focus on memory safety, not business logic.
• You may use modern C++ constructs such as std::string, std::array, or RAII.
• If you mention tooling, prefer Meta-relevant secure development practices such as static analysis in code review pipelines and sanitizer-based testing in CI.

A strong answer should precisely distinguish between stack and heap memory issues, explain the impact of unbounded copies, and show a fix that removes both vulnerabilities rather than patching symptoms.