From b441bfe693435f5d8c8ae4fd04ec3d4dae49070f Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Sun, 22 Feb 2026 22:41:39 +0100
Subject: Harden against snprintf(3) truncation

---
 src/sp_utils.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/sp_utils.c b/src/sp_utils.c
index 8b4eb35..d49d459 100644
--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -127,6 +127,7 @@ int sp_log_request(zend_string const* const restrict folder, zend_string const*
   PHP_SHA256_CTX context;
   unsigned char digest[SHA256_SIZE] = {0};
   char strhash[65] = {0};
+  int r;
 
   if (-1 == mkdir(ZSTR_VAL(folder), 0700) && errno != EEXIST) {
     sp_log_warn("request_logging", "Unable to create the folder '%s'",
@@ -156,7 +157,13 @@ int sp_log_request(zend_string const* const restrict folder, zend_string const*
   EG(current_execute_data) = orig_execute_data;
   PHP_SHA256Final(digest, &context);
   make_digest_ex(strhash, digest, SHA256_SIZE);
-  snprintf(filename, PATH_MAX, "%s/sp_dump.%s", ZSTR_VAL(folder), strhash);
+
+  r = snprintf(filename, PATH_MAX, "%s/sp_dump.%s", ZSTR_VAL(folder), strhash);
+  if (r < 0 || (size_t)r >= PATH_MAX) {
+    sp_log_warn("request_logging", "Unable to format filename of length %zu",
+                ZSTR_LEN(folder) + 9 + 64);
+    return -1;
+  }
 
   if (NULL == (file = fopen(filename, "w+"))) {
     sp_log_warn("request_logging", "Unable to open %s: %s", filename,
-- 
cgit v1.3