[anova] Replace sprintf with bounds-checked alternatives

[remote_base] Replace unsafe sprintf with buf_append_printf; fix buffer overflow (#13257 )
Co-authored-by: Keith Burzinski <kbx81x@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-01-17 15:34:50 -07:00 · 2026-01-16 14:06:55 -10:00 · 2026-01-16 16:56:47 -06:00
5 changed files with 40 additions and 53 deletions
--- a/esphome/components/anova/anova_base.cpp
+++ b/esphome/components/anova/anova_base.cpp
@@ -18,31 +18,31 @@ AnovaPacket *AnovaCodec::clean_packet_() {

 AnovaPacket *AnovaCodec::get_read_device_status_request() {
  this->current_query_ = READ_DEVICE_STATUS;
-  sprintf((char *) this->packet_.data, "%s", CMD_READ_DEVICE_STATUS);
+  strncpy((char *) this->packet_.data, CMD_READ_DEVICE_STATUS, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_read_target_temp_request() {
  this->current_query_ = READ_TARGET_TEMPERATURE;
-  sprintf((char *) this->packet_.data, "%s", CMD_READ_TARGET_TEMP);
+  strncpy((char *) this->packet_.data, CMD_READ_TARGET_TEMP, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_read_current_temp_request() {
  this->current_query_ = READ_CURRENT_TEMPERATURE;
-  sprintf((char *) this->packet_.data, "%s", CMD_READ_CURRENT_TEMP);
+  strncpy((char *) this->packet_.data, CMD_READ_CURRENT_TEMP, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_read_unit_request() {
  this->current_query_ = READ_UNIT;
-  sprintf((char *) this->packet_.data, "%s", CMD_READ_UNIT);
+  strncpy((char *) this->packet_.data, CMD_READ_UNIT, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_read_data_request() {
  this->current_query_ = READ_DATA;
-  sprintf((char *) this->packet_.data, "%s", CMD_READ_DATA);
+  strncpy((char *) this->packet_.data, CMD_READ_DATA, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

@@ -50,25 +50,25 @@ AnovaPacket *AnovaCodec::get_set_target_temp_request(float temperature) {
  this->current_query_ = SET_TARGET_TEMPERATURE;
  if (this->fahrenheit_)
    temperature = ctof(temperature);
-  sprintf((char *) this->packet_.data, CMD_SET_TARGET_TEMP, temperature);
+  snprintf((char *) this->packet_.data, sizeof(this->packet_.data), CMD_SET_TARGET_TEMP, temperature);
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_set_unit_request(char unit) {
  this->current_query_ = SET_UNIT;
-  sprintf((char *) this->packet_.data, CMD_SET_TEMP_UNIT, unit);
+  snprintf((char *) this->packet_.data, sizeof(this->packet_.data), CMD_SET_TEMP_UNIT, unit);
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_start_request() {
  this->current_query_ = START;
-  sprintf((char *) this->packet_.data, CMD_START);
+  strncpy((char *) this->packet_.data, CMD_START, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

 AnovaPacket *AnovaCodec::get_stop_request() {
  this->current_query_ = STOP;
-  sprintf((char *) this->packet_.data, CMD_STOP);
+  strncpy((char *) this->packet_.data, CMD_STOP, sizeof(this->packet_.data));
  return this->clean_packet_();
 }

--- a/esphome/components/cse7766/cse7766.cpp
+++ b/esphome/components/cse7766/cse7766.cpp
@@ -207,24 +207,20 @@ void CSE7766Component::parse_data_() {

 #if ESPHOME_LOG_LEVEL >= ESPHOME_LOG_LEVEL_VERY_VERBOSE
  {
-    // Buffer: 7 + 15 + 33 + 15 + 25 = 95 chars max + null, rounded to 128 for safety margin.
-    // Float sizes with %.4f can be up to 11 chars for large values (e.g., 999999.9999).
-    char buf[128];
-    size_t pos = buf_append_printf(buf, sizeof(buf), 0, "Parsed:");
+    std::string buf = "Parsed:";
    if (have_voltage) {
-      pos = buf_append_printf(buf, sizeof(buf), pos, " V=%.4fV", voltage);
+      buf += str_sprintf(" V=%fV", voltage);
    }
    if (have_current) {
-      pos = buf_append_printf(buf, sizeof(buf), pos, " I=%.4fmA (~%.4fmA)", current * 1000.0f,
-                              calculated_current * 1000.0f);
+      buf += str_sprintf(" I=%fmA (~%fmA)", current * 1000.0f, calculated_current * 1000.0f);
    }
    if (have_power) {
-      pos = buf_append_printf(buf, sizeof(buf), pos, " P=%.4fW", power);
+      buf += str_sprintf(" P=%fW", power);
    }
    if (energy != 0.0f) {
-      buf_append_printf(buf, sizeof(buf), pos, " E=%.4fkWh (%u)", energy, cf_pulses);
+      buf += str_sprintf(" E=%fkWh (%u)", energy, cf_pulses);
    }
-    ESP_LOGVV(TAG, "%s", buf);
+    ESP_LOGVV(TAG, "%s", buf.c_str());
  }
 #endif
 }
--- a/esphome/components/remote_base/aeha_protocol.cpp
+++ b/esphome/components/remote_base/aeha_protocol.cpp
@@ -85,8 +85,8 @@ optional<AEHAData> AEHAProtocol::decode(RemoteReceiveData src) {
 std::string AEHAProtocol::format_data_(const std::vector<uint8_t> &data) {
  std::string out;
  for (uint8_t byte : data) {
-    char buf[6];
-    sprintf(buf, "0x%02X,", byte);
+    char buf[8];  // "0x%02X," = 5 chars + null + margin
+    snprintf(buf, sizeof(buf), "0x%02X,", byte);
    out += buf;
  }
  out.pop_back();
--- a/esphome/components/remote_base/raw_protocol.cpp
+++ b/esphome/components/remote_base/raw_protocol.cpp
@@ -1,4 +1,5 @@
 #include "raw_protocol.h"
+#include "esphome/core/helpers.h"
 #include "esphome/core/log.h"

 namespace esphome {
@@ -8,36 +9,30 @@ static const char *const TAG = "remote.raw";

 bool RawDumper::dump(RemoteReceiveData src) {
  char buffer[256];
-  uint32_t buffer_offset = 0;
-  buffer_offset += sprintf(buffer, "Received Raw: ");
+  size_t pos = buf_append_printf(buffer, sizeof(buffer), 0, "Received Raw: ");

  for (int32_t i = 0; i < src.size() - 1; i++) {
    const int32_t value = src[i];
-    const uint32_t remaining_length = sizeof(buffer) - buffer_offset;
-    int written;
+    size_t prev_pos = pos;

    if (i + 1 < src.size() - 1) {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32 ", ", value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32 ", ", value);
    } else {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32, value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32, value);
    }

-    if (written < 0 || written >= int(remaining_length)) {
-      // write failed, flush...
-      buffer[buffer_offset] = '\0';
+    if (pos >= sizeof(buffer) - 1) {
+      // buffer full, flush and continue
+      buffer[prev_pos] = '\0';
      ESP_LOGI(TAG, "%s", buffer);
-      buffer_offset = 0;
-      written = sprintf(buffer, "  ");
      if (i + 1 < src.size() - 1) {
-        written += sprintf(buffer + written, "%" PRId32 ", ", value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32 ", ", value);
      } else {
-        written += sprintf(buffer + written, "%" PRId32, value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32, value);
      }
    }
-
-    buffer_offset += written;
  }
-  if (buffer_offset != 0) {
+  if (pos != 0) {
    ESP_LOGI(TAG, "%s", buffer);
  }
  return true;
--- a/esphome/components/remote_base/remote_base.cpp
+++ b/esphome/components/remote_base/remote_base.cpp
@@ -1,4 +1,5 @@
 #include "remote_base.h"
+#include "esphome/core/helpers.h"
 #include "esphome/core/log.h"

 #include <cinttypes>
@@ -169,36 +170,31 @@ void RemoteTransmitterBase::send_(uint32_t send_times, uint32_t send_wait) {
 #ifdef ESPHOME_LOG_HAS_VERY_VERBOSE
  const auto &vec = this->temp_.get_data();
  char buffer[256];
-  uint32_t buffer_offset = 0;
-  buffer_offset += sprintf(buffer, "Sending times=%" PRIu32 " wait=%" PRIu32 "ms: ", send_times, send_wait);
+  size_t pos = buf_append_printf(buffer, sizeof(buffer), 0,
+                                 "Sending times=%" PRIu32 " wait=%" PRIu32 "ms: ", send_times, send_wait);

  for (size_t i = 0; i < vec.size(); i++) {
    const int32_t value = vec[i];
-    const uint32_t remaining_length = sizeof(buffer) - buffer_offset;
-    int written;
+    size_t prev_pos = pos;

    if (i + 1 < vec.size()) {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32 ", ", value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32 ", ", value);
    } else {
-      written = snprintf(buffer + buffer_offset, remaining_length, "%" PRId32, value);
+      pos = buf_append_printf(buffer, sizeof(buffer), pos, "%" PRId32, value);
    }

-    if (written < 0 || written >= int(remaining_length)) {
-      // write failed, flush...
-      buffer[buffer_offset] = '\0';
+    if (pos >= sizeof(buffer) - 1) {
+      // buffer full, flush and continue
+      buffer[prev_pos] = '\0';
      ESP_LOGVV(TAG, "%s", buffer);
-      buffer_offset = 0;
-      written = sprintf(buffer, "  ");
      if (i + 1 < vec.size()) {
-        written += sprintf(buffer + written, "%" PRId32 ", ", value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32 ", ", value);
      } else {
-        written += sprintf(buffer + written, "%" PRId32, value);
+        pos = buf_append_printf(buffer, sizeof(buffer), 0, "  %" PRId32, value);
      }
    }
-
-    buffer_offset += written;
  }
-  if (buffer_offset != 0) {
+  if (pos != 0) {
    ESP_LOGVV(TAG, "%s", buffer);
  }
 #endif
Author	SHA1	Message	Date
J. Nick Koston	8515658008	[anova] Replace sprintf with bounds-checked alternatives	2026-01-16 14:06:55 -10:00
J. Nick Koston	52ac9e1861	[remote_base] Replace unsafe sprintf with buf_append_printf; fix buffer overflow (#13257 ) Co-authored-by: Keith Burzinski <kbx81x@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-01-16 16:56:47 -06:00