Security: minijail - string tokenizing
Reported by eternalg...@gmail.com, Jun 13 2016
Issue description

VULNERABILITY DETAILS

source: https://chromium.googlesource.com/aosp/platform/external/minijail/+/master/minijail0.c

The above mentioned source uses the banned function strtok a lot.

Be cautious when using these functions. If you do use them, note that:
These functions modify their first argument.
These functions cannot be used on constant strings.
The identity of the delimiting character is lost.
The strtok() function uses a static buffer while parsing, so it's not thread safe. (buffer overflow)

I recommend you use strtok_s instead. By using strtok_s the following changes will occur:
A new parameter, s1max, prevents strtok_s from storing outside of the string being tokenized. (The string being divided into tokens is both an input and output of the function since strtok_s stores null characters into the string.)
A new parameter, ptr, eliminates the static internal state that prevents strtok from being re-entrant (Subclause 1.1.12). (The ISO/IEC 9899 function wcstok and the ISO/IEC 9945 (POSIX) function strtok_r fix this problem identically.)

VERSION
Chrome Version: stable
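The re-entrancy point raised in the report, as an added example that is not part of the original report or of minijail's code: the same nested parse written with strtok() and with strtok_r(), which the report names as an equivalent fix (used here because glibc does not provide strtok_s). The sample string and the function names are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* for strtok_r */
#endif
#include <stdio.h>
#include <string.h>

/* Constructed sample input: comma-separated key=value pairs. */
static const char SAMPLE[] = "uid=1000,gid=1000,mode=ro";

/* Nested strtok(): the inner call overwrites the single hidden cursor,
 * so the outer loop ends after the first pair. Returns pairs seen. */
int count_pairs_strtok(const char *input)
{
    char buf[128];
    int pairs = 0;
    /* strtok writes NULs into its argument, so work on a copy. */
    snprintf(buf, sizeof(buf), "%s", input);
    for (char *pair = strtok(buf, ","); pair; pair = strtok(NULL, ",")) {
        char *key = strtok(pair, "=");   /* clobbers the outer cursor */
        char *val = strtok(NULL, "=");
        if (key && val)
            pairs++;
    }
    return pairs;
}

/* Same parse with strtok_r(): each loop owns its own cursor. */
int count_pairs_strtok_r(const char *input)
{
    char buf[128];
    char *outer = NULL, *inner = NULL;
    int pairs = 0;
    snprintf(buf, sizeof(buf), "%s", input);
    for (char *pair = strtok_r(buf, ",", &outer); pair;
         pair = strtok_r(NULL, ",", &outer)) {
        char *key = strtok_r(pair, "=", &inner);
        char *val = strtok_r(NULL, "=", &inner);
        if (key && val)
            pairs++;
    }
    return pairs;
}

int main(void)
{
    printf("strtok:   %d pairs\n", count_pairs_strtok(SAMPLE));
    printf("strtok_r: %d pairs\n", count_pairs_strtok_r(SAMPLE));
    return 0;
}
```

The strtok() version silently drops the second and third pairs, which is the kind of parsing error that hidden shared state produces even in single-threaded code.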
,
Sep 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Jun 21 2018
Comment 1 by nparker@chromium.org, Jun 13 2016