Harden against snprintf(3) truncation

author: Christian Göttsche 2026-02-22 22:41:39 +0100
committer: Julien Voisin 2026-02-22 23:57:53 +0100
commit: b441bfe693435f5d8c8ae4fd04ec3d4dae49070f (patch)
tree: b78e43de7cd76eb423f5d10ddad18288bf201dfc /src
parent: d635da3c53d3d75aca50de340b375b452ba97f8a (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/src/sp_utils.c b/src/sp_utils.c
index 8b4eb35..d49d459 100644
--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -127,6 +127,7 @@ int sp_log_request(zend_string const* const restrict folder, zend_string const*
  PHP_SHA256_CTX context;
  unsigned char digest[SHA256_SIZE] = {0};
  char strhash[65] = {0};
+  int r;
  if (-1 == mkdir(ZSTR_VAL(folder), 0700) && errno != EEXIST) {
    sp_log_warn("request_logging", "Unable to create the folder '%s'",
@@ -156,7 +157,13 @@ int sp_log_request(zend_string const* const restrict folder, zend_string const*
  EG(current_execute_data) = orig_execute_data;
  PHP_SHA256Final(digest, &context);
  make_digest_ex(strhash, digest, SHA256_SIZE);
-  snprintf(filename, PATH_MAX, "%s/sp_dump.%s", ZSTR_VAL(folder), strhash);
+  r = snprintf(filename, PATH_MAX, "%s/sp_dump.%s", ZSTR_VAL(folder), strhash);
+  if (r < 0 || (size_t)r >= PATH_MAX) {
+    sp_log_warn("request_logging", "Unable to format filename of length %zu",
+                ZSTR_LEN(folder) + 9 + 64);
+    return -1;
+  }
  if (NULL == (file = fopen(filename, "w+"))) {
    sp_log_warn("request_logging", "Unable to open %s: %s", filename,
author	Christian Göttsche	2026-02-22 22:41:39 +0100
committer	Julien Voisin	2026-02-22 23:57:53 +0100
commit	b441bfe693435f5d8c8ae4fd04ec3d4dae49070f (patch)
tree	b78e43de7cd76eb423f5d10ddad18288bf201dfc /src
parent	d635da3c53d3d75aca50de340b375b452ba97f8a (diff)

diff --git a/src/sp_utils.c b/src/sp_utils.c index 8b4eb35..d49d459 100644 --- a/src/sp_utils.c +++ b/src/sp_utils.c
@@ -127,6 +127,7 @@ int sp_log_request(zend_string const* const restrict folder, zend_string const*
127	PHP_SHA256_CTX context;	127	PHP_SHA256_CTX context;
128	unsigned char digest[SHA256_SIZE] = {0};	128	unsigned char digest[SHA256_SIZE] = {0};
129	char strhash[65] = {0};	129	char strhash[65] = {0};
		130	int r;
130		131
131	if (-1 == mkdir(ZSTR_VAL(folder), 0700) && errno != EEXIST) {	132	if (-1 == mkdir(ZSTR_VAL(folder), 0700) && errno != EEXIST) {
132	sp_log_warn("request_logging", "Unable to create the folder '%s'",	133	sp_log_warn("request_logging", "Unable to create the folder '%s'",
@@ -156,7 +157,13 @@ int sp_log_request(zend_string const* const restrict folder, zend_string const*
156	EG(current_execute_data) = orig_execute_data;	157	EG(current_execute_data) = orig_execute_data;
157	PHP_SHA256Final(digest, &context);	158	PHP_SHA256Final(digest, &context);
158	make_digest_ex(strhash, digest, SHA256_SIZE);	159	make_digest_ex(strhash, digest, SHA256_SIZE);
159	snprintf(filename, PATH_MAX, "%s/sp_dump.%s", ZSTR_VAL(folder), strhash);	160
		161	r = snprintf(filename, PATH_MAX, "%s/sp_dump.%s", ZSTR_VAL(folder), strhash);
		162	if (r < 0 \|\| (size_t)r >= PATH_MAX) {
		163	sp_log_warn("request_logging", "Unable to format filename of length %zu",
		164	ZSTR_LEN(folder) + 9 + 64);
		165	return -1;
		166	}
160		167
161	if (NULL == (file = fopen(filename, "w+"))) {	168	if (NULL == (file = fopen(filename, "w+"))) {
162	sp_log_warn("request_logging", "Unable to open %s: %s", filename,	169	sp_log_warn("request_logging", "Unable to open %s: %s", filename,