From c017c9ffebf9ac65b0c1725f6cc0d1c9379bcd39 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Mon, 13 Apr 2026 12:18:03 +0300
Subject: [PATCH] vfb: use snprintf when writing XWD window name

The window name buffer after XWDFileHeader is fixed at
XWD_WINDOW_NAME_LEN (60 bytes).  sprintf could overflow when
hostname is close to maximum length and combined with the
prefix "Xvfb " + display + screen number.

Switch to snprintf to guarantee we never write beyond the
allocated buffer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2172>
---
 hw/vfb/InitOutput.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c
index 5fb7f09a8..c8ae0adc9 100644
--- a/hw/vfb/InitOutput.c
+++ b/hw/vfb/InitOutput.c
@@ -749,8 +749,8 @@ vfbWriteXWDFileHeader(ScreenPtr pScreen)
         hostname[0] = 0;
     else
         hostname[XWD_WINDOW_NAME_LEN - 1] = 0;
-    sprintf((char *) (pXWDHeader + 1), "Xvfb %s:%s.%d", hostname, display,
-            pScreen->myNum);
+    snprintf((char *) (pXWDHeader + 1), XWD_WINDOW_NAME_LEN, "Xvfb %s:%s.%d", 
+            hostname, display, pScreen->myNum);
 
     /* write colormap pixel slot values */