
Fix potentially overflowing call to snprintf #2673


Open: wants to merge 1 commit into base: main

Conversation

odaysec

@odaysec odaysec commented Jun 10, 2025

https://github.com/octodevark/mujoco/blob/caaf7b3a69d674c98572c0244dce1081abe49ca1/src/engine/engine_util_solve.c#L1391-L1411

Fix the issue: the return value of snprintf should be checked to ensure it does not exceed the remaining buffer size (logsz-logptr). If the return value is negative or greater than or equal to the remaining buffer size, the operation should be terminated to prevent buffer overflow. This involves adding a conditional check after the snprintf call and updating logptr only if the return value is valid.

The return value of a call to snprintf is the number of characters that would have been written to the buffer assuming there was sufficient space. In the event that the operation reaches the end of the buffer and more than one character is discarded, the return value will be greater than the buffer size. This can cause incorrect behavior.

#include <stdio.h>
#include <stddef.h>

#define BUF_SIZE (32)

/* Deliberately unsafe: the snprintf return value is added to pos without
 * being checked, so once an argument is truncated pos exceeds BUF_SIZE. */
int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    size_t pos = 0;
    int i;

    for (i = 0; i < argc; i++)
    {
        pos += snprintf(buffer + pos, BUF_SIZE - pos, "%s", argv[i]);
            /* BUF_SIZE - pos may overflow (wraps as size_t once pos > BUF_SIZE),
             * so the next iteration passes a huge size and writes past buffer */
    }
    return 0;
}

References

cplusplus snprintf
Red Hat The trouble with snprintf
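As an added example (not code from this PR or from the MuJoCo project), the following C shows the check the description asks for, applied to a bounded log appender, next to a function that reproduces what the unchecked pos += snprintf(...) idiom computes after a truncation. The names logsz and logptr mirror the PR description; the function names log_append and naive_remaining_after_truncation, the return convention (1 written, 0 truncated, -1 error) and the sample strings are assumptions made for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text to buf[0..logsz) at offset *logptr.
 * Returns 1 on success, 0 if the output was truncated, -1 on an encoding
 * error or if *logptr already points at or past the end of the buffer.
 * (Example helper; the name and return convention are assumptions.) */
int log_append(char *buf, size_t logsz, size_t *logptr, const char *fmt, ...)
{
    if (buf == NULL || *logptr >= logsz)    /* nothing left to write into */
        return -1;

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *logptr, logsz - *logptr, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;                          /* encoding error: leave logptr alone */

    if ((size_t)n >= logsz - *logptr) {
        /* n is the would-have-written length, so the output was cut short.
         * Park the cursor on the final NUL: logsz - *logptr stays >= 1 and
         * can never wrap, and later appends report truncation instead of
         * scribbling past the buffer. */
        *logptr = logsz - 1;
        return 0;
    }

    *logptr += (size_t)n;                   /* only advance on a complete write */
    return 1;
}

/* The unchecked idiom from the PR description, run for exactly one
 * truncating append. Returns the "remaining size" the next iteration would
 * hand to snprintf; it does NOT perform that next write, because with
 * bufsz < strlen(msg) the value has wrapped to something near SIZE_MAX. */
size_t naive_remaining_after_truncation(size_t bufsz, const char *msg)
{
    char buf[64];
    if (bufsz > sizeof buf)
        bufsz = sizeof buf;
    size_t pos = 0;
    pos += (size_t)snprintf(buf, bufsz - pos, "%s", msg);   /* may exceed bufsz */
    return bufsz - pos;                     /* wraps once pos > bufsz */
}

int main(void)
{
    char lb[16];                            /* constructed sample buffer */
    size_t p = 0;
    int rc;

    rc = log_append(lb, sizeof lb, &p, "%s", "hello");
    printf("rc=%d p=%zu log=\"%s\"\n", rc, p, lb);
    rc = log_append(lb, sizeof lb, &p, " %d", 42);
    printf("rc=%d p=%zu log=\"%s\"\n", rc, p, lb);
    rc = log_append(lb, sizeof lb, &p, "%s", "toolongstring");
    printf("rc=%d p=%zu log=\"%s\"\n", rc, p, lb);   /* truncated, p pinned at 15 */

    /* 40-character constructed message into a 32-byte buffer */
    size_t rem = naive_remaining_after_truncation(
        32, "0123456789012345678901234567890123456789");
    printf("naive remaining after truncation: %zu (should have been 0)\n", rem);
    return 0;
}
```

The key difference from the unchecked loop is that logptr is only advanced by n when n is strictly less than the remaining space; a truncated write pins logptr at logsz - 1, so the remaining-size subtraction is always at least 1 and the next call cannot be handed a wrapped size.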
