
fix: Replace sprintf with snprintf in vendored FlatCC pstdint self-test#887

Closed

orbisai0security wants to merge 1 commit into apache:main from orbisai0security:fix-pstdint-sprintf-buffer-overflow


Conversation

@orbisai0security

@orbisai0security orbisai0security commented May 17, 2026

Summary

This PR replaces several sprintf() calls with snprintf() in the vendored FlatCC pstdint.h portability self-test code.

Impact

This is not claimed as an exploitable memory-safety vulnerability in arrow-nanoarrow.

The affected buffers are fixed-size 256-byte local arrays, and the formatted values are fixed test constants rather than user-controlled input. In practice, the formatted integer strings are far smaller than the available buffer size.

Rationale

The change is intended as a small defensive cleanup:

  • avoids unbounded formatting APIs in vendored code
  • reduces static-analysis noise around sprintf()
  • keeps the code aligned with safer C formatting practices

Since this code is vendored from FlatCC, I will also file the same cleanup upstream so the change can be considered at the source project.

Changes

  • thirdparty/flatcc/include/flatcc/portable/pstdint.h

Testing

Existing tests should continue to pass; this change only bounds the destination size used for formatting and does not alter the expected formatted output.

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by Orbis Security AI
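The pattern the PR describes, a fixed integer constant formatted into a 256-byte local buffer, as an added example that is not part of this PR or of FlatCC's pstdint.h: it measures the widest 64-bit decimal text to show why a 256-byte buffer is statically sufficient, and shows the caveat of the sprintf-to-snprintf swap, namely that a bounded write truncates silently unless the return value is compared against the buffer size. SELFTEST_BUF_SIZE, format_i64 and the other names are assumptions, not identifiers from the vendored code.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the self-test's fixed 256-byte scratch buffers. */
#define SELFTEST_BUF_SIZE 256

/* Longest decimal text a 64-bit integer can produce: INT64_MIN is "-" plus
 * 19 digits and UINT64_MAX is 20 digits, so 20 chars plus the NUL. */
#define MAX_DEC64_LEN 21
_Static_assert(SELFTEST_BUF_SIZE >= MAX_DEC64_LEN, "scratch buffer too small");

/* Bounded formatting.  snprintf never writes past n bytes and always
 * NUL-terminates (for n > 0), but it returns the length it *wanted* to
 * write; ignoring that return turns an overflow into silent truncation.
 * Callers must compare the result against n. */
static int format_i64(char *dst, size_t n, int64_t v)
{
    return snprintf(dst, n, "%" PRId64, v);
}

/* Measure how long the widest 64-bit values really are, using the
 * snprintf(NULL, 0, ...) idiom, to confirm MAX_DEC64_LEN without a table. */
static int widest_int64_len(void)
{
    int a = snprintf(NULL, 0, "%" PRId64, INT64_MIN);
    int b = snprintf(NULL, 0, "%" PRIu64, UINT64_MAX);
    return a > b ? a : b;   /* both are 20 */
}

/* The self-test pattern: a fixed constant into a 256-byte local buffer.
 * Returns 1 if it fit completely and the text is as expected. */
static int selftest_format_ok(void)
{
    char buf[SELFTEST_BUF_SIZE];
    int n = format_i64(buf, sizeof buf, INT64_MIN);
    return n >= 0 && (size_t)n < sizeof buf &&
           strcmp(buf, "-9223372036854775808") == 0;
}

/* The failure mode a bounded write guards against: the same value into an
 * undersized buffer is truncated and NUL-terminated rather than overrun,
 * and the return value (20) still reveals that it did not fit. */
static int small_buffer_truncates(void)
{
    char small[8];
    int n = format_i64(small, sizeof small, INT64_MIN);
    return n == 20 && (size_t)n >= sizeof small && strlen(small) == 7 &&
           strncmp(small, "-922337", 7) == 0;
}
```

Static analysers that flag sprintf() usually also flag an unchecked snprintf() return for exactly this reason, so a cleanup like this one is complete only when the result is checked or the bound is provably sufficient, as it is here.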
@paleolimbot
Member

Happy to merge, but this should be filed with flatcc and is not a real issue with memory safety (the buffers are not user-supplied and the size is a statically checkable 256 bytes in each case).

@orbisai0security
Author

Thanks, agreed. I overstated the memory-safety impact here.

Given the actual context, these are fixed-format values written into 256-byte local buffers, so I agree this is not a practical memory-safety issue in arrow-nanoarrow. I’ll reframe this as a low-risk cleanup / defensive hygiene change rather than a vulnerability.

Since this is vendored FlatCC code, I’ll also file the same cleanup upstream with FlatCC so the change can flow from the source project.

I’ll update the PR title/description accordingly.

orbisai0security changed the title from "fix: the vendored flatcc portable header pstdint in pstdint.h" to "fix: Replace sprintf with snprintf in vendored FlatCC pstdint self-test" on May 19, 2026
@amoeba
Member

amoeba commented May 19, 2026

Since there isn't a real security risk, I think the benefit of keeping the vendored copy identical with upstream would outweigh the downside of patching this.
