From b5e86be5855934621685714034c22561698ac31c Mon Sep 17 00:00:00 2001
From: Serhii Mamontov
Date: Tue, 10 Dec 2024 02:05:33 +0200
Subject: [PATCH] fix: buffer write size
---
 core/pubnub_crypto.c | 12 +++++++-----
 core/pubnub_grant_token_api.c | 16 +++++++++-------
 core/pubnub_json_parse.c | 5 +++--
 3 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/core/pubnub_crypto.c b/core/pubnub_crypto.c
index e6759f12..76b6f1fb 100644
--- a/core/pubnub_crypto.c
+++ b/core/pubnub_crypto.c
@@ -610,9 +610,10 @@ char* pn_pam_hmac_sha256_sign(char const* key, char const* message) {
 enum pubnub_res pn_gen_pam_v2_sign(pubnub_t* p, char const* qs_to_sign, char const* partial_url, char* signature) {
 enum pubnub_res sign_status = PNR_OK;
 int str_to_sign_len = strlen(p->core.subscribe_key) + strlen(p->core.publish_key) + strlen(partial_url) + strlen(qs_to_sign);
- char* str_to_sign = (char*)malloc(sizeof(char) * str_to_sign_len + 5); // 4 variables concat + 1
+ size_t str_to_sign_size = sizeof(char) * str_to_sign_len + 5;
+ char* str_to_sign = (char*)malloc(str_to_sign_size); // 4 variables concat + 1
 if (str_to_sign != NULL) {
- snprintf(str_to_sign, sizeof(str_to_sign), "%s\n%s\n%s\n%s", p->core.subscribe_key, p->core.publish_key, partial_url, qs_to_sign);
+ snprintf(str_to_sign, str_to_sign_size, "%s\n%s\n%s\n%s", p->core.subscribe_key, p->core.publish_key, partial_url, qs_to_sign);
 }
 PUBNUB_LOG_DEBUG("\nv2 str_to_sign = %s\n", str_to_sign);
 char* part_sign = (char*)"";
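Review bot: When `malloc` fails, `str_to_sign` is still NULL at `PUBNUB_LOG_DEBUG("\nv2 str_to_sign = %s\n", str_to_sign);` just after the guarded block, because the NULL check only skips the `snprintf`. Passing NULL to `%s` is undefined behaviour, and the rest of pn_gen_pam_v2_sign (outside this hunk) presumably goes on to use the pointer for signing. Fail before the log call instead, e.g. `if (str_to_sign == NULL) { return PNR_OUT_OF_MEMORY; }`, assuming that code exists in `enum pubnub_res`; otherwise use the project's allocation-failure result. The pn_gen_pam_v3_sign hunk in this file has the same guard-then-log shape.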
@@ -661,13 +662,14 @@ enum pubnub_res pn_gen_pam_v3_sign(pubnub_t* p, char const* qs_to_sign, char con
 return PNR_CRYPTO_NOT_SUPPORTED;
 }
 int str_to_sign_len = strlen(method_verb) + strlen(p->core.publish_key) + strlen(partial_url) + strlen(qs_to_sign) + 4 * strlen("\n") + (hasBody ? strlen(msg) : 0);
- char* str_to_sign = (char*)malloc(sizeof(char) * (str_to_sign_len + 1));
+ size_t str_to_sign_size = sizeof(char) * (str_to_sign_len + 1);
+ char* str_to_sign = (char*)malloc(str_to_sign_size);
 if (str_to_sign != NULL) {
 if (hasBody) {
- snprintf(str_to_sign, sizeof(str_to_sign), "%s\n%s\n%s\n%s\n%s", method_verb, p->core.publish_key, partial_url, qs_to_sign, msg);
+ snprintf(str_to_sign, str_to_sign_size, "%s\n%s\n%s\n%s\n%s", method_verb, p->core.publish_key, partial_url, qs_to_sign, msg);
 }
 else {
- snprintf(str_to_sign, sizeof(str_to_sign), "%s\n%s\n%s\n%s\n", method_verb, p->core.publish_key, partial_url, qs_to_sign);
+ snprintf(str_to_sign, str_to_sign_size, "%s\n%s\n%s\n%s\n", method_verb, p->core.publish_key, partial_url, qs_to_sign);
 }
 }
 PUBNUB_LOG_DEBUG("\nv3 str_to_sign = %s\n", str_to_sign);
diff --git a/core/pubnub_grant_token_api.c b/core/pubnub_grant_token_api.c
index ae0e5b95..da3e815e 100644
--- a/core/pubnub_grant_token_api.c
+++ b/core/pubnub_grant_token_api.c
@@ -210,8 +210,9 @@ static CborError data_recursion(CborValue* it, int nestingLevel, char** json_res
 sig_flag = false;
 }
 else {
- char* buff_str = (char*)malloc(sizeof(char) * (n+3));
- snprintf(buff_str, sizeof(buff_str), "\"%s\"", buf);
+ size_t buff_size = sizeof(char) * (n+3);
+ char* buff_str = (char*)malloc(buff_size);
+ snprintf(buff_str, buff_size, "\"%s\"", buf);
 current_allocation_size = safe_alloc_strcat(json_result, buff_str, current_allocation_size);
 free(buff_str);
 }
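Review bot: `str_to_sign_len` is an `int` holding a sum of `strlen()` results, and the new `str_to_sign_size` is computed from it, so the buffer size passes through a narrowing conversion before becoming a `size_t` again. Declaring the length as `size_t` (`size_t str_to_sign_len = ...;` with the same expression) keeps the whole computation in one unsigned type. Because this buffer is presumably the exact input to the signature, it would also help to compare the `snprintf` return value with `str_to_sign_size` and fail on truncation rather than continue with a shortened string. The declaration is a context line, and pn_gen_pam_v3_sign starts and ends outside the hunk; the v2 hunk has the same declaration.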
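Review bot: `buff_str` goes straight from `malloc` into `snprintf(buff_str, buff_size, ...)` with no NULL check, so an allocation failure in this `else` branch becomes a write through a null pointer. Add `if (buff_str == NULL) { return CborErrorOutOfMemory; }` before the `snprintf`, releasing `buf` first if this branch owns it (its allocation is not visible in the hunk). The same unchecked pattern is in the new code for `txt_str` in the next data_recursion hunk, `json_result` in pubnub_parse_token, and `msgtext` in core/pubnub_json_parse.c.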
@@ -234,15 +235,16 @@ static CborError data_recursion(CborValue* it, int nestingLevel, char** json_res size_t n; err = cbor_value_dup_text_string(it, &buf, &n, it); if (err) { return err; } // parse error - - char* txt_str = (char*)malloc(sizeof(char) * (n+4)); + + size_t txt_size = sizeof(char) * (n+4); + char* txt_str = (char*)malloc(txt_size); type = cbor_value_get_type(it); if (!uuid_flag) { - snprintf(txt_str, sizeof(txt_str), "\"%s\":", buf); + snprintf(txt_str, txt_size, "\"%s\":", buf); uuid_flag = false; } else { - snprintf(txt_str, sizeof(txt_str), "\"%s\",", buf); + snprintf(txt_str, txt_size, "\"%s\",", buf); } current_allocation_size = safe_alloc_strcat(json_result, txt_str, current_allocation_size); @@ -358,7 +360,7 @@ char* pubnub_parse_token(pubnub_t* pb, char const* token){ unsigned int init_allocation_size = 5*(strlen(rawToken)/4); char * json_result = (char*)malloc(init_allocation_size); - snprintf(json_result, sizeof(json_result), "%s", ""); + snprintf(json_result, init_allocation_size, "%s", ""); CborError err = cbor_parser_init(buf, length, 0, &parser, &it); if (!err){ diff --git a/core/pubnub_json_parse.c b/core/pubnub_json_parse.c index c39a99e9..ac63fab7 100644 --- a/core/pubnub_json_parse.c +++ b/core/pubnub_json_parse.c @@ -291,8 +291,9 @@ char* pbjson_get_status_400_message_value(struct pbjson_elem const* el) "pbjson_get_status_400_message_value: \"error\"='%.*s'\n", parse_len, parsed.start); - char* msgtext = (char*)malloc(sizeof(char) * (parse_len + 3)); - snprintf(msgtext, sizeof(msgtext), "%.*s", parse_len, parsed.start); + size_t text_size = sizeof(char) * (parse_len + 3); + char* msgtext = (char*)malloc(text_size); + snprintf(msgtext, text_size, "%.*s", parse_len, parsed.start); return msgtext; }
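Review bot: The text returned by `cbor_value_dup_text_string` is copied between quotes with `"\"%s\":"` / `"\"%s\","` and no JSON escaping, so a `"` or `\` inside `buf` changes the structure of the JSON that is appended to `json_result`. If token contents can come from an untrusted party, escape those characters (and control characters) into a buffer sized for the worst case, or reject such strings, before formatting. At minimum record the assumption next to the allocation, e.g. `/* buf is emitted verbatim: assumes it contains no '"' or '\\' */`. `%s` also stops at the first NUL while `n` is the CBOR length, so an embedded NUL silently shortens the key. data_recursion starts and ends outside the hunk.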
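Review bot: `init_allocation_size` is `5*(strlen(rawToken)/4)`, which is 0 for a token shorter than four characters, and then `snprintf(json_result, init_allocation_size, "%s", "")` writes nothing. In that case `json_result` is either NULL or a zero-length buffer with no terminator when the code after this hunk starts appending to it. Suggest `unsigned int init_allocation_size = 5*(strlen(rawToken)/4) + 1;`, then after the malloc `if (json_result == NULL) { return NULL; }` and `json_result[0] = '\0';`. pubnub_parse_token continues outside the hunk, so buffers it already owns at that point would need freeing on the early return.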
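Review bot: The function returns a heap buffer from `malloc(text_size)`, but nothing visible documents that the caller owns it and must free it. A header comment such as `/* Returns a malloc()ed, NUL-terminated copy of the parsed value; caller must free(). */` would make the contract explicit, with a mention of NULL on failure once the allocation is checked. `parse_len` feeds both `text_size` and the `%.*s` precision. Its type is not visible here, but if it is signed, a negative value would give a huge `text_size` and an unbounded read from `parsed.start`, so rejecting `parse_len < 0` before the allocation is worth confirming. The function starts outside the hunk.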