Security vulnerabilities and automated fixes for snprintf issues
A critical buffer overflow vulnerability was discovered in `src/patches.c` where the `_EPRINT_I`, `_EPRINT_F`, and `_EPRINT_COEF` macros used `sprintf()` to write formatted AMY event data into a fixed-size buffer without any bounds checking. By replacing every `sprintf()` call with `snprintf()` and tracking remaining buffer space using an `s_entry` base pointer, the fix ensures that formatting 22 event fields — even at maximum values — can never write beyond the buffer boundary.
A critical stack-based buffer overflow vulnerability was discovered in `nvme-print.c`, where multiple `sprintf()` calls wrote formatted output into fixed-size stack buffers without any bounds checking. The vulnerability was most dangerous in `nvme_pel_event_to_string()` at line 224, where a malicious NVMe device could supply unexpected event type values to trigger a buffer overflow enabling arbitrary code execution. The fix replaces all unsafe `sprintf()` calls with `snprintf()`, enforcing stric
A critical heap buffer overflow was discovered in `engine/src/yep.c` at line 448, where `sprintf()` copied an attacker-controlled file path into a fixed 64-byte `node->name` buffer with zero bounds checking. By crafting a malicious resource package file containing an oversized path, an attacker could corrupt adjacent heap memory — potentially enabling arbitrary code execution. The fix replaces the unbounded `sprintf()` call with `snprintf()`, enforcing the 64-byte limit at the call site.
A critical heap buffer overflow vulnerability was discovered in `libyep.c` where an unchecked `sprintf()` call at line 483 could overwrite adjacent memory structures when file path strings exceeded the allocated buffer size of `node->name`. The fix replaces three unsafe string operations across lines 433, 454, and 483 with bounds-checked `snprintf()` equivalents, eliminating the risk of memory corruption and potential code execution. This change is a textbook example of how a single missing size
A critical buffer overflow vulnerability was discovered and patched in the NetCDF Operators (NCO) library, specifically in the filter string construction loop within `nco_flt.c`. The flaw stemmed from repeated use of `strcat()` and `sprintf()` without any bounds checking, allowing an attacker to supply crafted filter specifications that overflow a fixed-size buffer and corrupt adjacent memory. The fix replaces these unsafe calls with bounds-aware `snprintf()` invocations that track the current w
A critical buffer overflow vulnerability was discovered in the Vorbis producer module (`src/modules/vorbis/producer_vorbis.c`), where an unchecked `sprintf()` call allowed attacker-controlled metadata from Vorbis audio files to overflow a fixed-size buffer. The fix replaces `sprintf()` with `snprintf()` and adds explicit bounds checking, ensuring that no metadata key — no matter how long or maliciously crafted — can corrupt adjacent memory. This class of vulnerability is one of the oldest and mo