Category

Sprintf

Security vulnerabilities and automated fixes for sprintf issues

23 posts found

critical8 min

How buffer overflow in FuzzIxml.c sprintf() happens in C and how to fix it

A critical buffer overflow vulnerability was discovered in `fuzzer/FuzzIxml.c` where `sprintf()` wrote a PID-formatted filename into a fixed 256-byte stack buffer without any bounds checking. The fix replaces `sprintf()` with `snprintf()`, explicitly passing the buffer size to prevent any overflow. While exploitation in this specific fuzzer context requires local access, the pattern is a textbook example of CWE-120 that developers should recognize and eliminate everywhere it appears.

#buffer-overflow#c#fuzzing+4 more
O
orbisai0security
Jul 12, 2026
critical6 min

How buffer overflow happens in C sprintf() and how to fix it

A critical buffer overflow vulnerability was discovered in the ArrowTest() function in main/main.c, where sprintf() was writing formatted strings to a 24-byte buffer without bounds checking. By replacing sprintf() with snprintf() and specifying the buffer size, the vulnerability was eliminated, preventing attackers from corrupting heap memory through oversized width or height parameters.

#buffer-overflow#c-security#sprintf+4 more
O
orbisai0security
Jul 12, 2026
critical7 min

How buffer overflow happens in C libficus.c sprintf() and how to fix it

A buffer overflow vulnerability was discovered in `runtime/ficus/impl/libficus.c` where `sprintf()` was used to write a formatted compiler version string into a fixed-size stack buffer without any bounds checking. The fix replaces both vulnerable `sprintf()` calls with `snprintf()`, passing `sizeof(cver)` as the maximum write length to ensure the buffer can never be overrun. This change eliminates the risk of stack memory corruption that could be triggered by an attacker with control over the bu

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jul 11, 2026
critical9 min

How buffer overflow happens in C display_controller.cpp and how to fix it

A critical buffer overflow vulnerability was discovered in `playground/GpsBasics/display_controller.cpp` where `sprintf` was used without bounds checking on fixed-size stack buffers. An attacker supplying malicious GPS data with extreme field values (such as a year value of `99999`) could produce a formatted string longer than the declared buffer, leading to stack corruption and potential code execution. The fix introduces proper buffer-length enforcement, ensuring formatted GPS strings can neve

#buffer-overflow#C#embedded-security+4 more
O
orbisai0security
Jul 9, 2026
critical7 min

How buffer overflow happens in C sprintf() calls and how to fix it

A critical stack buffer overflow vulnerability was discovered in `IxNpeMicrocode.h`, where unbounded `sprintf()` calls wrote attacker-controlled data into fixed-size stack buffers without any length limit. By replacing `sprintf()` with `snprintf()` and passing the destination buffer sizes, the firmware loading tool is now protected against crafted NPE microcode blobs that could trigger arbitrary code execution. This is a textbook example of how a single unsafe C function call can open the door t

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jul 9, 2026
high6 min

How buffer overflow happens in C sprintf() and how to fix it

A high-severity buffer overflow vulnerability was discovered in `src/GL/arbgenerator.c` where `sprintf()` was used without size bounds checking on an 11-byte buffer. The fix replaces unsafe `sprintf()` calls with `snprintf()`, enforcing strict buffer boundaries and preventing potential heap corruption or code execution attacks.

#buffer-overflow#c-security#sprintf+4 more
O
orbisai0security
Jul 6, 2026
medium8 min

How stack buffer overflow happens in C PMenu_Do_Update() and how to fix it

A stack buffer overflow in `PMenu_Do_Update()` within `src/menu/menu.c` allowed repeated unchecked `sprintf()` calls to overflow a fixed 1400-byte stack buffer when menu entries contained long text strings. The fix replaces every `sprintf(string + strlen(string), ...)` call with `snprintf(string + len, sizeof(string) - len, ...)`, tracking remaining buffer space and preventing writes beyond the buffer boundary.

#buffer-overflow#c#security+4 more
O
orbisai0security
Jul 5, 2026
critical8 min

How buffer overflow happens in C TinyGSM sprintf and how to fix it

A critical buffer overflow vulnerability was discovered in `TinyGsmClientSequansMonarch.h` at line 515, where `sprintf` was writing a two-character hex string into a buffer only two bytes large — leaving no room for the null terminator. The fix replaces `sprintf` with `snprintf` and increases the buffer to three bytes, preventing a one-byte overflow that could corrupt adjacent memory in embedded firmware.

#buffer-overflow#c-cpp#embedded-security+5 more
O
orbisai0security
Jul 5, 2026
critical7 min

How buffer overflow happens in C dlldbg.c sprintf() and how to fix it

A classic buffer overflow vulnerability was discovered in `bld/pbide/dlldbg/dlldbg.c` at line 80, where an unbounded `sprintf()` call wrote a user-influenced `dllName` string into a fixed-size `fmtBuffer` without any length checking. An attacker supplying a maliciously crafted DLL name could overflow the buffer, overwrite adjacent memory, and potentially achieve arbitrary code execution. The fix replaces `sprintf()` with `snprintf()`, passing `sizeof(fmtBuffer)` as an explicit bound to ensure th

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jun 29, 2026
critical5 min

How buffer overflow via sprintf() happens in C++ settings parsing and how to fix it

A critical buffer overflow vulnerability was discovered in `app/src/main/cpp/samp/settings.cpp` where `sprintf()` writes to a fixed 127-byte buffer (`char buff[0x7F]`) without bounds checking. If the `g_pszStorage` global variable contains a string longer than ~107 bytes, the formatted output exceeds the buffer, enabling stack corruption. The fix replaces `sprintf()` with `snprintf()` using `sizeof(buff)` to guarantee writes never exceed the declared buffer length.

#security#buffer-overflow#cpp+4 more
O
orbisai0security
Jun 28, 2026
critical6 min

How buffer overflow via sprintf happens in C++ fuzzer code and how to fix it

A critical buffer overflow vulnerability was discovered in `prog/fuzzing/recog_basic_fuzzer.cc` where `sprintf` writes to a fixed 256-byte buffer without bounds checking. An attacker providing crafted fuzzer input could exploit this to corrupt memory. The fix replaces `sprintf` with `snprintf`, enforcing the buffer size limit and preventing overflow.

#security#buffer-overflow#c+++4 more
O
orbisai0security
Jun 23, 2026
medium9 min

How buffer overflow happens in C kernel driver (qcom_usbnet_main.c) and how to fix it

A series of unsafe `sprintf()` calls in the Qualcomm USB network kernel driver (`qcom_usbnet_main.c`) created buffer overflow conditions that, when combined with other memory corruption primitives in the same file, could allow an attacker with physical USB access to escalate privileges to root. The fix replaces unbounded `sprintf()` and `snprintf()` misuse with properly bounded `snprintf()` and `scnprintf()` calls that respect actual buffer sizes. This is a textbook example of how a seemingly mi

#buffer-overflow#linux-kernel#C+4 more
O
orbisai0security
Jun 22, 2026