security: fix unbounded sprintf in RAOP MD5 hash formatting

Memory Safety: Low

sprintf was used to format MD5 hex digest bytes into a fixed-size
buffer without explicit bounds. While the output is bounded by the
fixed MD5 digest length (16 bytes = 32 hex chars), using snprintf
with an explicit size of 3 (2 hex chars + null) ensures correctness
even if the surrounding code changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-23 14:38:33 +02:00
parent 6353eb526d
commit 46e732c28b

@ -708,7 +708,7 @@ static int MD5_hash(char hash[MD5_HASH_LENGTH+1], const char *fmt, ...)
size = MD5_DIGEST_LENGTH; size = MD5_DIGEST_LENGTH;
EVP_Digest(buffer, strlen(buffer), d, &size, EVP_md5(), NULL); EVP_Digest(buffer, strlen(buffer), d, &size, EVP_md5(), NULL);
for (i = 0; i < MD5_DIGEST_LENGTH; i++) for (i = 0; i < MD5_DIGEST_LENGTH; i++)
sprintf(&hash[2*i], "%02x", (uint8_t) d[i]); snprintf(&hash[2*i], 3, "%02x", (uint8_t) d[i]);
hash[MD5_HASH_LENGTH] = '\0'; hash[MD5_HASH_LENGTH] = '\0';
return 0; return 0;
} }
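
Review bot: The size argument 3 in the new snprintf(&hash[2*i], 3, ...) call is a literal that is not derived from the destination buffer, so it limits each write to one hex pair but does not tie the write to the space left in hash. If the loop bound or MD5_HASH_LENGTH changes later, the call will still write up to 3 bytes at &hash[2*i] without complaint. Passing the remaining space, for example MD5_HASH_LENGTH + 1 - 2*i, would make the bound track the declared size in the function signature (this assumes MD5_HASH_LENGTH is 2 * MD5_DIGEST_LENGTH, as the commit message's 32 hex chars implies). Separately, in the unchanged context the return value of EVP_Digest() is not checked, so the loop formats d and the function returns 0 even when the digest call fails; returning an error in that case would be worth a follow-up.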