From e36836e64f89fcc40e802b7e9a347b9cf7e41e60 Mon Sep 17 00:00:00 2001 From: Pekka Paalanen Date: Mon, 1 Jun 2026 13:52:35 +0300 Subject: [PATCH] backend-rdp: fix sprintf compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch seems to fix the following compiler warning (as error) from GCC 16.1.1: ../../git/weston/libweston/backend-rdp/rdpclip.c: In function ‘clipboard_process_html’: ../../git/weston/libweston/backend-rdp/rdpclip.c:417:31: error: ‘%08u’ directive writing between 8 and 10 bytes into a region of size 0 [-Werror=format-overflow=] 417 | sprintf(cur, "%08u", fragment_start); | ^~~~ ../../git/weston/libweston/backend-rdp/rdpclip.c:417:17: note: ‘sprintf’ output between 9 and 11 bytes into a destination of size 0 417 | sprintf(cur, "%08u", fragment_start); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../../git/weston/libweston/backend-rdp/rdpclip.c:420:31: error: ‘%08u’ directive writing between 8 and 10 bytes into a region of size 0 [-Werror=format-overflow=] 420 | sprintf(cur, "%08u", fragment_end); | ^~~~ ../../git/weston/libweston/backend-rdp/rdpclip.c:420:30: note: using the range [0, 4294967295] for directive argument 420 | sprintf(cur, "%08u", fragment_end); | ^~~~~~ ../../git/weston/libweston/backend-rdp/rdpclip.c:420:17: note: ‘sprintf’ output between 9 and 11 bytes into a destination of size 0 420 | sprintf(cur, "%08u", fragment_end); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is a false-positive, as the destination is fixed via the hardcoded HTML header and the offsets into it. First I thought the problem was with the "region of size 0" and could not make sense of it. Turns out the warnings were triggered by the potential of formatting numbers longer than 8 decimal characters. Ensuring the numbers cannot need more than 8 characters makes the compiler happy. If the numbers were more than 8 characters, the header would get corrupted, and the numbers itself would get corrupted. Hence it seems prudent to just bail off in that case. Input data is not trusted anyway, and although unlikely, a 100+ MB blob does seem possible in theory. Signed-off-by: Pekka Paalanen --- libweston/backend-rdp/rdpclip.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libweston/backend-rdp/rdpclip.c b/libweston/backend-rdp/rdpclip.c index ce5708f40..acd1aaf88 100644 --- a/libweston/backend-rdp/rdpclip.c +++ b/libweston/backend-rdp/rdpclip.c @@ -413,6 +413,10 @@ clipboard_process_html(struct rdp_clipboard_data_source *source, bool is_send) strcat(buf, rdp_clipboard_html_fragment_end); strcat(buf, cur); + if (fragment_start >= 100000000u || + fragment_end >= 100000000u) + goto error_return; + cur = buf + RDP_CLIPBOARD_FRAGMENT_START_OFFSET; sprintf(cur, "%08u", fragment_start); *(cur+8) = '\r';