From 4ed6e0ce2503d56e2638b235adbe78524c22caa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arsen=20Arsenovi=C4=87?=
Date: Sat, 25 Nov 2023 23:27:15 +0100
Subject: [PATCH] vfat: fix out-of-bounds write in autorename
In vfat.c:autorename, the rename routine updates the trailing two characters of the non-null-terminated dos_name::base using sprintf, however, sprintf writes a null terminator one past the end of the buffer. To prevent this, we can use snprintf with and pass it the correct output buffer size. Detected via _FORTIFY_SOURCE=3.
Bug: https://bugs.gentoo.org/916028
---
 vfat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vfat.c b/vfat.c
index 5247d99..ab23098 100644
--- vfat.c
+++ b/vfat.c
@@ -127,7 +127,7 @@ static void autorename(char *name,
 tmp = name[dotpos];
 if((bump && seqnum == 1) || seqnum > 1 || mtools_numeric_tail)
- sprintf(name+tildapos,"%c%d",tilda, seqnum);
+ snprintf(name+tildapos,limit-tildapos,"%c%d",tilda, seqnum);
 if(dot)
 name[dotpos]=tmp;
 /* replace the character if it wasn't a space */
--
2.43.0
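Review bot: The new `snprintf(name+tildapos,limit-tildapos,...)` call stops the overflow but can drop the last digit of the sequence number, because snprintf counts the terminating NUL inside the size it is given. If `tildapos` is `limit - 2`, as the description's "trailing two characters" suggests, the size is 2 and the field receives the tilde followed by a NUL where the digit belonged. Formatting into a small scratch buffer and copying at most `limit - tildapos` bytes keeps the full tail and still never writes past the field, with the NUL copied only when it fits. `limit - tildapos` is also converted to `size_t`, so it is worth confirming it can never be negative; both values are computed outside this hunk, as is the rest of autorename.

```c
	if((bump && seqnum == 1) || seqnum > 1 || mtools_numeric_tail) {
		char tail[16];	/* '%c' + widest int + NUL fits comfortably */
		int room = limit - tildapos;
		int n = snprintf(tail, sizeof tail, "%c%d", tilda, seqnum);

		if(room > 0 && n > 0) {
			/* copy the NUL too only when it still fits inside the field */
			memcpy(name + tildapos, tail,
			       (size_t)(n < room ? n + 1 : room));
		}
	}
	/* … unchanged: restore name[dotpos] from tmp … */
```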