From 3dca5f6164212067947556874c32911dcf0769f5 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Mon, 8 Jun 2026 13:44:15 +0530
Subject: [PATCH] fix(rt-thread): prevent buffer overflow in wasm_vsprintf

Use wasm_runtime_get_native_addr_range() to determine the actual writable buffer size in WASM linear memory, preventing unbounded writes via format string expansion. This matches the pattern used in libc-builtin's sprintf_wrapper.

Co-Authored-By: Claude Opus 4.6
---
 product-mini/platforms/rt-thread/iwasm.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/product-mini/platforms/rt-thread/iwasm.c b/product-mini/platforms/rt-thread/iwasm.c
index 56905fbc60..4a5a3b33ca 100644
--- a/product-mini/platforms/rt-thread/iwasm.c
+++ b/product-mini/platforms/rt-thread/iwasm.c
@@ -27,7 +27,15 @@ wasm_vprintf(wasm_exec_env_t env, const char *fmt, va_list va)
 static int
 wasm_vsprintf(wasm_exec_env_t env, char *buf, const char *fmt, va_list va)
 {
- return vsprintf(buf, fmt, va);
+ wasm_module_inst_t module_inst = wasm_runtime_get_module_inst(env);
+ uint8_t *native_end_addr;
+
+ if (!wasm_runtime_get_native_addr_range(module_inst, (uint8_t *)buf, NULL,
+ &native_end_addr)) {
+ return -1;
+ }
+
+ return vsnprintf(buf, (size_t)(native_end_addr - (uint8_t *)buf), fmt, va);
 }

 static int
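Review bot: The new bound in wasm_vsprintf covers only the destination: `fmt` and `va` are still handed to the host `vsnprintf` unchanged, so if they originate from the guest (the call site is not in this hunk), pointer-consuming conversions such as `%s` are resolved as native addresses without being checked against the instance's linear memory. The libc-builtin wrapper that the commit message cites as the model should be compared on this point, and a comment such as `/* fmt and va are not validated against linear memory; only buf is bounded */` would at least record the gap. The failure path also returns -1 silently; adding `wasm_runtime_set_exception(module_inst, "out of bounds memory access");` before `return -1;` would surface a bad buffer as a trap. Note too that `vsnprintf` returns the untruncated length, so on truncation the caller receives a value larger than what was written.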