
fix: three unbounded sprintf() calls in cdrom_image_... in...#7133

Merged: OBattler merged 1 commit into 86Box:master from orbisai0security:fix-viso-sprintf-buffer-overflow on May 12, 2026

@orbisai0security

Contributor

Summary

Fix critical severity security issue in src/cdrom/cdrom_image_viso.c.

Vulnerability

| Field | Value |
|-------|-------|
| ID | V-001 |
| Severity | CRITICAL |
| Scanner | multi_agent_ai |
| Rule | V-001 |
| File | src/cdrom/cdrom_image_viso.c:357 |

Description: Three unbounded sprintf() calls in cdrom_image_viso.c write formatted output into fixed-size stack or heap buffers without specifying a maximum output length. At line 357, sprintf(tail, "~%d", i) writes into a fixed-size tail buffer where a large loop counter can overflow it. At line 492, a timestamp is formatted into a pointer p without tracking remaining buffer space. At line 806, sprintf(n, "CD-ROM %i VISO ", id + 1) writes into buffer n without size enforcement. If the formatted output exceeds the destination buffer size, adjacent memory is overwritten, corrupting stack frames or heap metadata.

Changes

  • src/cdrom/cdrom_image_viso.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by Orbis Security AI
@OBattler OBattler merged commit ecd5657 into 86Box:master May 12, 2026
44 checks passed
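
The description above names two patterns: a single formatted write into a fixed buffer, and formatting through a moving pointer `p` with no record of the space left. The following is an added example of bounding both with `snprintf`/`vsnprintf` and checking for truncation; it is not the merged patch or 86Box code, and the function names, buffer sizes and date format are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not 86Box code: append formatted text at *p without
   ever writing at or past end. Returns 0 on success, -1 on truncation. */
static int buf_appendf(char **p, char *end, const char *fmt, ...)
{
    size_t  room = (size_t) (end - *p);
    va_list ap;
    int     n;
    if (room == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(*p, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t) n >= room) { /* cut short; buffer is still NUL-terminated */
        *p += room - 1;
        return -1;
    }
    *p += n;
    return 0;
}

/* Bounded form of the "~%d" suffix write; the caller passes sizeof(tail). */
int make_tail(char *tail, size_t len, int i)
{
    int n = snprintf(tail, len, "~%d", i);
    return (n >= 0 && (size_t) n < len) ? 0 : -1;
}

/* Cursor-style formatting: remaining space is re-derived on every append. */
int make_label(char *buf, size_t len, int id, int year, int mon, int day)
{
    char *p = buf, *end = buf + len;
    if (buf_appendf(&p, end, "CD-ROM %i VISO ", id + 1) < 0)
        return -1;
    return buf_appendf(&p, end, "%04d%02d%02d", year, mon, day);
}

int main(void)
{
    char tail[8], label[32]; /* constructed sizes, not the project's */
    printf("%d %s\n", make_tail(tail, sizeof(tail), 2147483647), tail);
    printf("%d %s\n", make_label(label, sizeof(label), 0, 2026, 5, 12), label);
    return 0;
}
```

Switching to `snprintf` alone prevents the overwrite but silently truncates; the return-value check is what lets the caller notice and handle a name or label that did not fit.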