fix sprintf writing beyond ubl_lcd_gcode buffer #26984

shadow578 · 2024-04-19T09:37:13Z

Description

In menu_ubl.cpp's _lcd_ubl_adjust_height_cmd, the sprintf call used for constructing the gcode command may write beyond the end of the ubl_lcd_gcode.
This is only the case when abs(ubl_height_amount) >= 1000, so it may not actually affect real-world scenarios.

Still, it's probably best to not ignore this, as it could cause memory corruption.

GCC Warning Message

In file included from /root/.platformio/packages/framework-arduino-hc32f46x/cores/arduino/Arduino.h:34,
                 from Marlin/src/lcd/menu/../../inc/../HAL/../HAL/HC32/../shared/Marduino.h:36,
                 from Marlin/src/lcd/menu/../../inc/../HAL/../HAL/HC32/HAL.h:34,
                 from Marlin/src/lcd/menu/../../inc/../HAL/HAL.h:30,
                 from Marlin/src/lcd/menu/../../inc/MarlinConfig.h:33,
                 from Marlin/src/lcd/menu/../marlinui.h:24,
                 from Marlin/src/lcd/menu/menu.h:24,
                 from Marlin/src/lcd/menu/menu_item.h:24,
                 from Marlin/src/lcd/menu/menu_ubl.cpp:31:
Marlin/src/lcd/menu/menu_ubl.cpp: In function 'void _lcd_ubl_adjust_height_cmd()':
Marlin/src/lcd/menu/menu_ubl.cpp:150:39: warning: 'sprintf' may write a terminating nul past the end of the destination [-Wformat-overflow=]
  150 |   sprintf_P(&ubl_lcd_gcode[ind], PSTR(".%i"), ABS(ubl_height_amount));
/root/.platformio/packages/framework-arduino-hc32f46x/cores/arduino/avr/pgmspace.h:99:44: note: in definition of macro 'sprintf_P'
   99 | #define sprintf_P(s, f, ...) sprintf((s), (f), __VA_ARGS__)
      |                                            ^
Marlin/src/lcd/menu/menu_ubl.cpp:150:34: note: in expansion of macro 'PSTR'
  150 |   sprintf_P(&ubl_lcd_gcode[ind], PSTR(".%i"), ABS(ubl_height_amount));
      |                                  ^~~~
/root/.platformio/packages/framework-arduino-hc32f46x/cores/arduino/avr/pgmspace.h:99:37: note: 'sprintf' output between 3 and 8 bytes into a destination of size 7
   99 | #define sprintf_P(s, f, ...) sprintf((s), (f), __VA_ARGS__)
      |                              ~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
Marlin/src/lcd/menu/menu_ubl.cpp:150:3: note: in expansion of macro 'sprintf_P'
  150 |   sprintf_P(&ubl_lcd_gcode[ind], PSTR(".%i"), ABS(ubl_height_amount));
      |   ^~~~~~~~~

Requirements

Found the issue & tested the fix on HC32 with DWIN_MARLINUI_PORTRAIT and AUTO_BED_LEVELING_UBL.

Since this issue is in the menu implementation, it should affect every marlinui screen when AUTO_BED_LEVELING_UBL is enabled.

Benefits

Removes the compiler warning, potentially fixes hard-to-debug memory corruption issues.

Configurations

N/A

Related Issues

N/A

to account for null terminator

fix: increase size of ubl_lcd_gcode buffer

afcacc0

to account for null terminator

shadow578 changed the title ~~increase size of ubl_lcd_gcode buffer~~ fix sprintf writing beyond ubl_lcd_gcode buffer Apr 19, 2024

sjasonsmith merged commit b4a95db into MarlinFirmware:bugfix-2.1.x Apr 20, 2024
62 checks passed

shadow578 deleted the fix/menu_ubl-sprintf-warning branch May 12, 2024 08:40

RPGFabi pushed a commit to RPGFabi/Marlin that referenced this pull request Jun 15, 2024

🚨Fix buffer overrun warning in UBL (MarlinFirmware#26984)

503b170

to account for null terminator

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix sprintf writing beyond ubl_lcd_gcode buffer #26984

fix sprintf writing beyond ubl_lcd_gcode buffer #26984

shadow578 commented Apr 19, 2024

fix sprintf writing beyond ubl_lcd_gcode buffer #26984

fix sprintf writing beyond ubl_lcd_gcode buffer #26984

Conversation

shadow578 commented Apr 19, 2024

Description

Requirements

Benefits

Configurations

Related Issues