mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: replace sprintf with snprintf in spa_debugc_mem

Browse source 
Memory Safety: Medium

The spa_debugc_mem() function used unbounded sprintf() calls to format
hex dump output into a fixed 512-byte stack buffer. While the current
line-by-line output (16 bytes per line) fits within the buffer, sprintf
provides no overflow protection if the format changes or assumptions
are violated. Replace with snprintf() using sizeof(buffer) and remaining
space tracking to guarantee the buffer cannot be overflowed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 11:33:25 +02:00
parent 106f641ff3
commit 7982f52830
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
spa/include/spa/debug/mem.h
View file

@ -35,8 +35,8 @@ SPA_API_DEBUG_MEM int spa_debugc_mem(struct spa_debug_context *ctx, int indent,
for (i = 0; i < size; i++) { for (i = 0; i < size; i++) {
if (i % 16 == 0) if (i % 16 == 0)
pos = sprintf(buffer, "%p: ", &t[i]); pos = snprintf(buffer, sizeof(buffer), "%p: ", &t[i]);
pos += sprintf(buffer + pos, "%02x ", t[i]); pos += snprintf(buffer + pos, sizeof(buffer) - pos, "%02x ", t[i]);
if (i % 16 == 15 || i == size - 1) { if (i % 16 == 15 || i == size - 1) {
spa_debugc(ctx, "%*s" "%s", indent, "", buffer); spa_debugc(ctx, "%*s" "%s", indent, "", buffer);
} }