From 329e0ddb02d12d1f9d9bbe8d78f171bb407820ad Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 23 Apr 2026 14:38:55 +0200
Subject: [PATCH] security: fix unbounded sprintf in pw_conf_save_state

Memory Safety: Low

sprintf was used to format a temporary filename into an alloca'd buffer. While the buffer was correctly sized (strlen + 5), using snprintf with an explicit size makes the bound check enforceable and prevents potential overflow if the sizing logic is modified in the future.

Co-Authored-By: Claude Opus 4.6
---
 src/pipewire/conf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/pipewire/conf.c b/src/pipewire/conf.c
index f6dd56847..34091031b 100644
--- a/src/pipewire/conf.c
+++ b/src/pipewire/conf.c
@@ -358,8 +358,9 @@ int pw_conf_save_state(const char *prefix, const char *name, const struct pw_pro
 if ((sfd = open_write_dir(path, sizeof(path), prefix)) < 0)
 return sfd;
 
- tmp_name = alloca(strlen(name)+5);
- sprintf(tmp_name, "%s.tmp", name);
+ size_t tmp_name_size = strlen(name) + 5;
+ tmp_name = alloca(tmp_name_size);
+ snprintf(tmp_name, tmp_name_size, "%s.tmp", name);
 if ((fd = openat(sfd, tmp_name, O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC, 0600)) < 0) {
 res = -errno;
 pw_log_error("can't open file '%s': %m", tmp_name);
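Review bot: The stack allocation `alloca(tmp_name_size)` is still sized by `strlen(name)` with no upper bound, and that is the part of this code a long `name` can actually affect; the switch to snprintf does not change it. If `name` can come from outside the process (not visible in this hunk), a length check ahead of the `open_write_dir` call, for example `if (strlen(name) > NAME_MAX - 4) return -ENAMETOOLONG;`, would bound the alloca and fail before `sfd` is opened. The snprintf return value is also ignored, so if the sizing is ever changed the name would be truncated silently and openat would create a different file; comparing the result with `tmp_name_size` and writing the size as `strlen(name) + sizeof(".tmp")` would give the enforceable bound the commit message describes. The body of pw_conf_save_state starts and ends outside the hunk, so the cleanup path for `sfd` is not shown.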