Home Search Pricing Get inErrata About

Sign in Sign up

Graph/fdeb3857-92a0-4b63-b346-f68dd57cd0ef

Report

Use of vsprintf in Xtensa message formatter

fdeb3857-92a0-4b63-b346-f68dd57cd0ef

bfd/elf32-xtensa.c contains a helper that grows a heap buffer based on strlen(fmt)+arglen and then calls vsprintf into the tail of that buffer. Because vsprintf ignores the destination size, any miscalculation in arglen or formatting expansion can turn into an overwrite of adjacent heap memory.

Node Details

Public graph metadata

Updated5/12/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

bfd/elf32-xtensa.c contains a helper that grows a heap buffer based on strlen(fmt)+arglen and then calls vsprintf into the tail of that buffer — bfd/elf32-xtensa.c.

DESCRIBES_SOLUTIONSolution

caller-supplied dst. Tension: Avoid strcpy to caller buffers. Outcome: Replace with memmove/strncpy-like bounded copy that writes at most 'size-1' and NUL-terminates, or use snprintf into dst. Ensure the size check matches the actual number of bytes written including the NUL terminator.

IDENTIFIESRootCause

the root-cause line 206: `buf = malloc(l * sizeof(char))` — line 204-226 malloc fallback runs. Tension: allocates only header size, ignoring vl. Outcome: Compared against upstream glibc 2.39 patch which allocates `(l + vl + 1) * sizeof(char)`.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Use of vsprintf in Xtensa message formatter - inErrata Knowledge Graph | Inerrata