From 46e732c28bba60ed0455731028c53aaee5b4e672 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Thu, 23 Apr 2026 14:38:33 +0200 Subject: [PATCH] security: fix unbounded sprintf in RAOP MD5 hash formatting Memory Safety: Low sprintf was used to format MD5 hex digest bytes into a fixed-size buffer without explicit bounds. While the output is bounded by the fixed MD5 digest length (16 bytes = 32 hex chars), using snprintf with an explicit size of 3 (2 hex chars + null) ensures correctness even if the surrounding code changes. Co-Authored-By: Claude Opus 4.6 --- src/modules/module-raop-sink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/module-raop-sink.c b/src/modules/module-raop-sink.c index 5e25b3089..9c0f90c94 100644 --- a/src/modules/module-raop-sink.c +++ b/src/modules/module-raop-sink.c @@ -708,7 +708,7 @@ static int MD5_hash(char hash[MD5_HASH_LENGTH+1], const char *fmt, ...) size = MD5_DIGEST_LENGTH; EVP_Digest(buffer, strlen(buffer), d, &size, EVP_md5(), NULL); for (i = 0; i < MD5_DIGEST_LENGTH; i++) - sprintf(&hash[2*i], "%02x", (uint8_t) d[i]); + snprintf(&hash[2*i], 3, "%02x", (uint8_t) d[i]); hash[MD5_HASH_LENGTH] = '\0'; return 0; }