From 595e2bb3adbb7316c2828212f0119ee682918acc Mon Sep 17 00:00:00 2001
From: Koda Reef
Date: Mon, 23 Mar 2026 13:03:07 +0000
Subject: [PATCH] Cap snprintf return value in mod_maxminddb to prevent stack over-read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

snprintf returns the number of characters that would have been written, which can exceed the buffer size for large double/float values (e.g., DBL_MAX → ~315 chars). This return value is used directly as the data length for http_header_env_set, causing a stack buffer over-read when vlen > sizeof(buf). Cap vlen to sizeof(buf) - 1 after each snprintf call.
---
 src/mod_maxminddb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/mod_maxminddb.c b/src/mod_maxminddb.c
index a8bb44062..b84f20b8c 100644
--- a/src/mod_maxminddb.c
+++ b/src/mod_maxminddb.c
@@ -377,9 +377,11 @@ geoip2_env_set (request_st * const r, array * const env,
 break;
 case MMDB_DATA_TYPE_DOUBLE:
 vlen = snprintf(buf, sizeof(buf), "%.5f", data->double_value);
+ if (vlen >= sizeof(buf)) vlen = sizeof(buf) - 1;
 break;
 case MMDB_DATA_TYPE_FLOAT:
 vlen = snprintf(buf, sizeof(buf), "%.5f", data->float_value);
+ if (vlen >= sizeof(buf)) vlen = sizeof(buf) - 1;
 break;
 case MMDB_DATA_TYPE_INT32:
 vlen = li_itostrn(buf, sizeof(buf), data->int32);
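Review bot: The added clamp after each snprintf call still treats a negative snprintf return (an encoding error) as valid data: whether `vlen` is signed or unsigned — its declaration is above the hunk — comparing a negative value against `sizeof(buf)` converts it to a large unsigned value, so the clamp rewrites it to `sizeof(buf) - 1` and the unspecified contents of `buf` are exported as the header value. Capturing the return in an `int` first makes both cases explicit, e.g. `int n = snprintf(buf, sizeof(buf), "%.5f", data->double_value);` followed by `vlen = (n < 0) ? 0 : ((size_t)n < sizeof(buf) ? (size_t)n : sizeof(buf) - 1);`, with the same change in the MMDB_DATA_TYPE_FLOAT case. A one-line comment such as `/* snprintf returns the untruncated length; clamp so vlen never exceeds buf */` would also record why the clamp is needed, since the silent truncation of very large values is otherwise surprising. The body of geoip2_env_set begins and ends outside the hunk.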