fix security issue

[ezo_pmp] Replace sprintf with bounds-checked snprintf
[remote_base] Replace unsafe sprintf with buf_append_printf; fix buffer overflow (#13257 )
2026-01-17 07:24:53 -07:00 · 2026-01-16 14:32:18 -10:00 · 2026-01-16 14:09:47 -10:00 · 2026-01-16 16:56:47 -06:00
4 changed files with 50 additions and 56 deletions
--- a/esphome/components/ezo_pmp/ezo_pmp.cpp
+++ b/esphome/components/ezo_pmp/ezo_pmp.cpp
@@ -318,90 +318,93 @@ void EzoPMP::send_next_command_() {
  switch (this->next_command_) {
    // Read Commands
    case EZO_PMP_COMMAND_READ_DOSING:  // Page 54
-      command_buffer_length = sprintf((char *) command_buffer, "D,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "D,?");
      break;

    case EZO_PMP_COMMAND_READ_SINGLE_REPORT:  // Single Report (page 53)
-      command_buffer_length = sprintf((char *) command_buffer, "R");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "R");
      break;

    case EZO_PMP_COMMAND_READ_MAX_FLOW_RATE:
-      command_buffer_length = sprintf((char *) command_buffer, "DC,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "DC,?");
      break;

    case EZO_PMP_COMMAND_READ_PAUSE_STATUS:
-      command_buffer_length = sprintf((char *) command_buffer, "P,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "P,?");
      break;

    case EZO_PMP_COMMAND_READ_TOTAL_VOLUME_DOSED:
-      command_buffer_length = sprintf((char *) command_buffer, "TV,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "TV,?");
      break;

    case EZO_PMP_COMMAND_READ_ABSOLUTE_TOTAL_VOLUME_DOSED:
-      command_buffer_length = sprintf((char *) command_buffer, "ATV,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "ATV,?");
      break;

    case EZO_PMP_COMMAND_READ_CALIBRATION_STATUS:
-      command_buffer_length = sprintf((char *) command_buffer, "Cal,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "Cal,?");
      break;

    case EZO_PMP_COMMAND_READ_PUMP_VOLTAGE:
-      command_buffer_length = sprintf((char *) command_buffer, "PV,?");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "PV,?");
      break;

      // Non-Read Commands

    case EZO_PMP_COMMAND_FIND:  // Find (page 52)
-      command_buffer_length = sprintf((char *) command_buffer, "Find");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "Find");
      wait_time_for_command = 60000;  // This command will block all updates for a minute
      break;

    case EZO_PMP_COMMAND_DOSE_CONTINUOUSLY:  // Continuous Dispensing (page 54)
-      command_buffer_length = sprintf((char *) command_buffer, "D,*");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "D,*");
      break;

    case EZO_PMP_COMMAND_CLEAR_TOTAL_VOLUME_DOSED:  // Clear Total Volume Dosed (page 64)
-      command_buffer_length = sprintf((char *) command_buffer, "Clear");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "Clear");
      break;

    case EZO_PMP_COMMAND_CLEAR_CALIBRATION:  // Clear Calibration (page 65)
-      command_buffer_length = sprintf((char *) command_buffer, "Cal,clear");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "Cal,clear");
      break;

    case EZO_PMP_COMMAND_PAUSE_DOSING:  // Pause (page 61)
-      command_buffer_length = sprintf((char *) command_buffer, "P");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "P");
      break;

    case EZO_PMP_COMMAND_STOP_DOSING:  // Stop (page 62)
-      command_buffer_length = sprintf((char *) command_buffer, "X");
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "X");
      break;

      // Non-Read commands with parameters

    case EZO_PMP_COMMAND_DOSE_VOLUME:  // Volume Dispensing (page 55)
-      command_buffer_length = sprintf((char *) command_buffer, "D,%0.1f", this->next_command_volume_);
+      command_buffer_length =
+          snprintf((char *) command_buffer, sizeof(command_buffer), "D,%0.1f", this->next_command_volume_);
      break;

    case EZO_PMP_COMMAND_DOSE_VOLUME_OVER_TIME:  // Dose over time (page 56)
-      command_buffer_length =
-          sprintf((char *) command_buffer, "D,%0.1f,%i", this->next_command_volume_, this->next_command_duration_);
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "D,%0.1f,%i",
+                                       this->next_command_volume_, this->next_command_duration_);
      break;

    case EZO_PMP_COMMAND_DOSE_WITH_CONSTANT_FLOW_RATE:  // Constant Flow Rate (page 57)
-      command_buffer_length =
-          sprintf((char *) command_buffer, "DC,%0.1f,%i", this->next_command_volume_, this->next_command_duration_);
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "DC,%0.1f,%i",
+                                       this->next_command_volume_, this->next_command_duration_);
      break;

    case EZO_PMP_COMMAND_SET_CALIBRATION_VOLUME:  // Set Calibration Volume (page 65)
-      command_buffer_length = sprintf((char *) command_buffer, "Cal,%0.2f", this->next_command_volume_);
+      command_buffer_length =
+          snprintf((char *) command_buffer, sizeof(command_buffer), "Cal,%0.2f", this->next_command_volume_);
      break;

    case EZO_PMP_COMMAND_CHANGE_I2C_ADDRESS:  // Change I2C Address (page 73)
-      command_buffer_length = sprintf((char *) command_buffer, "I2C,%i", this->next_command_duration_);
+      command_buffer_length =
+          snprintf((char *) command_buffer, sizeof(command_buffer), "I2C,%i", this->next_command_duration_);
      break;

    case EZO_PMP_COMMAND_EXEC_ARBITRARY_COMMAND_ADDRESS:  // Run an arbitrary command
-      command_buffer_length = sprintf((char *) command_buffer, this->arbitrary_command_, this->next_command_duration_);
+      command_buffer_length = snprintf((char *) command_buffer, sizeof(command_buffer), "%s", this->arbitrary_command_);
      ESP_LOGI(TAG, "Sending arbitrary command: %s", (char *) command_buffer);
      break;

--- a/esphome/components/remote_base/aeha_protocol.cpp
+++ b/esphome/components/remote_base/aeha_protocol.cpp
@@ -85,8 +85,8 @@ optional<AEHAData> AEHAProtocol::decode(RemoteReceiveData src) {
 std::string AEHAProtocol::format_data_(const std::vector<uint8_t> &data) {
  std::string out;
  for (uint8_t byte : data) {
-    char buf[6];
-    sprintf(buf, "0x%02X,", byte);
+    char buf[8];  // "0x%02X," = 5 chars + null + margin
+    snprintf(buf, sizeof(buf), "0x%02X,", byte);
    out += buf;
  }
  out.pop_back();
--- a/esphome/components/remote_base/raw_protocol.cpp
+++ b/esphome/components/remote_base/raw_protocol.cpp
@@ -1,4 +1,5 @@
 #include "raw_protocol.h"
+#include "esphome/core/helpers.h"
 #include "esphome/core/log.h"

 namespace esphome {
@@ -8,36 +9,30 @@ static const char *const TAG = "remote.raw";

 bool RawDumper::dump(RemoteReceiveData src) {
  char buffer[256];
-  uint32_t buffer_offset = 0;
-  buffer_offset += sprintf(buffer, "Received Raw: ");
+  size_t pos = buf_append_printf(buffer, sizeof(buffer), 0, "Received Raw: ");

  for (int32_t i = 0; i < src.size() - 1; i++) {
    const int32_t value = src[i];
-    const uint32_t remaining_length = sizeof(buffer) - buffer_offset;
-    int written;
+    size_t prev_pos = pos;

    if (i + 1 < src.size() - 1) {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32 ", ", value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32 ", ", value);
    } else {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32, value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32, value);
    }

-    if (written < 0 || written >= int(remaining_length)) {
-      // write failed, flush...
-      buffer[buffer_offset] = '\0';
+    if (pos >= sizeof(buffer) - 1) {
+      // buffer full, flush and continue
+      buffer[prev_pos] = '\0';
      ESP_LOGI(TAG, "%s", buffer);
-      buffer_offset = 0;
-      written = sprintf(buffer, "  ");
      if (i + 1 < src.size() - 1) {
-        written += sprintf(buffer + written, "%" PRId32 ", ", value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32 ", ", value);
      } else {
-        written += sprintf(buffer + written, "%" PRId32, value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32, value);
      }
    }
-
-    buffer_offset += written;
  }
-  if (buffer_offset != 0) {
+  if (pos != 0) {
    ESP_LOGI(TAG, "%s", buffer);
  }
  return true;
--- a/esphome/components/remote_base/remote_base.cpp
+++ b/esphome/components/remote_base/remote_base.cpp
@@ -1,4 +1,5 @@
 #include "remote_base.h"
+#include "esphome/core/helpers.h"
 #include "esphome/core/log.h"

 #include <cinttypes>
@@ -169,36 +170,31 @@ void RemoteTransmitterBase::send_(uint32_t send_times, uint32_t send_wait) {
 #ifdef ESPHOME_LOG_HAS_VERY_VERBOSE
  const auto &vec = this->temp_.get_data();
  char buffer[256];
-  uint32_t buffer_offset = 0;
-  buffer_offset += sprintf(buffer, "Sending times=%" PRIu32 " wait=%" PRIu32 "ms: ", send_times, send_wait);
+  size_t pos = buf_append_printf(buffer, sizeof(buffer), 0,
+                                 "Sending times=%" PRIu32 " wait=%" PRIu32 "ms: ", send_times, send_wait);

  for (size_t i = 0; i < vec.size(); i++) {
    const int32_t value = vec[i];
-    const uint32_t remaining_length = sizeof(buffer) - buffer_offset;
-    int written;
+    size_t prev_pos = pos;

    if (i + 1 < vec.size()) {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32 ", ", value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32 ", ", value);
    } else {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32, value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32, value);
    }

-    if (written < 0 || written >= int(remaining_length)) {
-      // write failed, flush...
-      buffer[buffer_offset] = '\0';
+    if (pos >= sizeof(buffer) - 1) {
+      // buffer full, flush and continue
+      buffer[prev_pos] = '\0';
      ESP_LOGVV(TAG, "%s", buffer);
-      buffer_offset = 0;
-      written = sprintf(buffer, "  ");
      if (i + 1 < vec.size()) {
-        written += sprintf(buffer + written, "%" PRId32 ", ", value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32 ", ", value);
      } else {
-        written += sprintf(buffer + written, "%" PRId32, value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32, value);
      }
    }
-
-    buffer_offset += written;
  }
-  if (buffer_offset != 0) {
+  if (pos != 0) {
    ESP_LOGVV(TAG, "%s", buffer);
  }
 #endif
Author	SHA1	Message	Date
J. Nick Koston	687b8d1d95	fix security issue	2026-01-16 14:32:18 -10:00
J. Nick Koston	0390c3a8a6	[ezo_pmp] Replace sprintf with bounds-checked snprintf	2026-01-16 14:09:47 -10:00
J. Nick Koston	52ac9e1861	[remote_base] Replace unsafe sprintf with buf_append_printf; fix buffer overflow (#13257 ) Co-authored-by: Keith Burzinski <kbx81x@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-01-16 16:56:47 -06:00