From 7982f52830caeaa39fadd3e6f3fece900ea7b705 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 11:33:25 +0200 Subject: [PATCH] security: replace sprintf with snprintf in spa_debugc_mem Memory Safety: Medium The spa_debugc_mem() function used unbounded sprintf() calls to format hex dump output into a fixed 512-byte stack buffer. While the current line-by-line output (16 bytes per line) fits within the buffer, sprintf provides no overflow protection if the format changes or assumptions are violated. Replace with snprintf() using sizeof(buffer) and remaining space tracking to guarantee the buffer cannot be overflowed. Co-Authored-By: Claude Opus 4.6 --- spa/include/spa/debug/mem.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spa/include/spa/debug/mem.h b/spa/include/spa/debug/mem.h index 98f1761a1..4285225c7 100644 --- a/spa/include/spa/debug/mem.h +++ b/spa/include/spa/debug/mem.h @@ -35,8 +35,8 @@ SPA_API_DEBUG_MEM int spa_debugc_mem(struct spa_debug_context *ctx, int indent, for (i = 0; i < size; i++) { if (i % 16 == 0) - pos = sprintf(buffer, "%p: ", &t[i]); - pos += sprintf(buffer + pos, "%02x ", t[i]); + pos = snprintf(buffer, sizeof(buffer), "%p: ", &t[i]); + pos += snprintf(buffer + pos, sizeof(buffer) - pos, "%02x ", t[i]); if (i % 16 == 15 || i == size - 1) { spa_debugc(ctx, "%*s" "%s", indent, "", buffer); }