From 7ca7eb47c49c852cef7ee23bec31c6a9704ef969 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Wed, 3 Dec 2025 11:54:15 +0800
Subject: [PATCH] fix(ble/bluedroid): Use snprintf in ble_eddystone example

(cherry picked from commit 24e023e307062c668dd85178b66947dddd534ea8)

Co-authored-by: zhanghaipeng
---
 .../main/esp_eddystone_api.c | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/examples/bluetooth/bluedroid/ble/ble_eddystone_receiver/main/esp_eddystone_api.c b/examples/bluetooth/bluedroid/ble/ble_eddystone_receiver/main/esp_eddystone_api.c
index 2832116506..e3051316e9 100644
--- a/examples/bluetooth/bluedroid/ble/ble_eddystone_receiver/main/esp_eddystone_api.c
+++ b/examples/bluetooth/bluedroid/ble/ble_eddystone_receiver/main/esp_eddystone_api.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -21,6 +21,7 @@
 #include "esp_eddystone_protocol.h"
 #include "esp_eddystone_api.h"
+#define EDDYSTONE_URL_BUF_SIZE 100
 /* Declare static functions */
 static esp_err_t esp_eddystone_uid_received(const uint8_t* buf, uint8_t len, esp_eddystone_result_t* res);
@@ -101,18 +102,33 @@ static esp_err_t esp_eddystone_uid_received(const uint8_t* buf, uint8_t len, esp
 static char* esp_eddystone_resolve_url_scheme(const uint8_t *url_start, const uint8_t *url_end)
 {
     int pos = 0;
-    static char url_buf[100] = {0};
+    static char url_buf[EDDYSTONE_URL_BUF_SIZE] = {0};
     const uint8_t *p = url_start;
+    int written;
-    pos += sprintf(&url_buf[pos], "%s", eddystone_url_prefix[*p++]);
+    // Security fix: Use snprintf instead of sprintf to prevent buffer overflow
+    written = snprintf(&url_buf[pos], EDDYSTONE_URL_BUF_SIZE - pos, "%s", eddystone_url_prefix[*p++]);
+    if (written < 0 || written >= (EDDYSTONE_URL_BUF_SIZE - pos)) {
+        url_buf[EDDYSTONE_URL_BUF_SIZE - 1] = '\0';
+        return url_buf;
+    }
+    pos += written;
     for (; p <= url_end; p++) {
-        if (esp_eddystone_is_char_invalid((*p))) {
-            pos += sprintf(&url_buf[pos], "%s", eddystone_url_encoding[*p]);
-        } else {
-            pos += sprintf(&url_buf[pos], "%c", *p);
+        if (pos >= EDDYSTONE_URL_BUF_SIZE - 1) {
+            break;
         }
+        if (esp_eddystone_is_char_invalid((*p))) {
+            written = snprintf(&url_buf[pos], EDDYSTONE_URL_BUF_SIZE - pos, "%s", eddystone_url_encoding[*p]);
+        } else {
+            written = snprintf(&url_buf[pos], EDDYSTONE_URL_BUF_SIZE - pos, "%c", *p);
+        }
+        if (written < 0 || written >= (EDDYSTONE_URL_BUF_SIZE - pos)) {
+            break;
+        }
+        pos += written;
     }
+    url_buf[EDDYSTONE_URL_BUF_SIZE - 1] = '\0';
     return url_buf;
 }
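Review bot: The first byte of the URL field still indexes `eddystone_url_prefix[*p++]` with no range check, so an advertisement carrying a scheme byte past the end of that table makes the prefix `snprintf` read a pointer from beyond it; the commit bounds the writes into `url_buf` but leaves this read unbounded. Unless the caller validates the scheme byte before calling (not visible in this hunk), guard it ahead of the prefix `snprintf`, e.g. `if (*p >= sizeof(eddystone_url_prefix) / sizeof(eddystone_url_prefix[0])) { url_buf[0] = '\0'; return url_buf; }` (assuming the table is a fixed array as the indexing suggests), and confirm that `esp_eddystone_is_char_invalid` keeps `eddystone_url_encoding[*p]` in range the same way. Truncation is otherwise silent: the early return and both `break` paths hand the caller a partially encoded URL with no signal, which the function's header comment should state, e.g. `/* Returns a static buffer overwritten on each call; URLs longer than EDDYSTONE_URL_BUF_SIZE - 1 bytes are truncated without error. */`. The two `url_buf[EDDYSTONE_URL_BUF_SIZE - 1] = '\0'` stores are redundant, since `snprintf` always terminates when its size argument is positive and the `pos >= EDDYSTONE_URL_BUF_SIZE - 1` check guarantees that, and the `// Security fix:` comment reads as changelog rather than as a description of what the code does.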