From 8d1bcd124ec4e5702d173f6ec8d882304cdb5439 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=9A=93?=
Date: Sat, 26 Apr 2025 18:14:23 -0400
Subject: [PATCH] Fix possible buffer overflow in stringify bindings for `Color` and `Tone`
---
 binding/etc-binding.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/binding/etc-binding.cpp b/binding/etc-binding.cpp
index 130bbc3e..d781f724 100644
--- a/binding/etc-binding.cpp
+++ b/binding/etc-binding.cpp
@@ -171,7 +171,7 @@ RB_METHOD(ColorStringify) {
 #if RAPI_FULL > 187
 return rb_sprintf("(%f, %f, %f, %f)", c->red, c->green, c->blue, c->alpha);
 #else
- char buf[50] = {0};
+ char buf[sizeof("(%f, %f, %f, %f)") + 4 * 24] = {0};
 sprintf((char *)&buf, "(%f, %f, %f, %f)", c->red, c->green, c->blue, c->alpha);
 return rb_str_new2(buf);
@@ -186,7 +186,7 @@ RB_METHOD(ToneStringify) {
 #if RAPI_FULL > 187
 return rb_sprintf("(%f, %f, %f, %f)", t->red, t->green, t->blue, t->gray);
 #else
- char buf[50] = {0};
+ char buf[sizeof("(%f, %f, %f, %f)") + 4 * 24] = {0};
 sprintf((char *)&buf, "(%f, %f, %f, %f)", t->red, t->green, t->blue, t->gray);
 return rb_str_new2(buf);
 #endif
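Review bot: The `sprintf` calls in the `#else` branches of ColorStringify and ToneStringify are still unbounded, so the enlarged buffer is only safe if every component formats to at most 24 characters. `%f` prints the full integer part of its argument, so a large-magnitude value needs far more than that, and whether the fields behind `c` and `t` are clamped is not visible here because both function bodies begin outside the hunks. Bounding the write removes that dependency: `snprintf(buf, sizeof(buf), "(%f, %f, %f, %f)", c->red, c->green, c->blue, c->alpha);`, and the same call with `t->red, t->green, t->blue, t->gray` in ToneStringify. The `(char *)&buf` cast can go at the same time since `buf` already decays to `char *`, and a one-line comment such as `// 24 = assumed max printed width of one clamped component` would explain the `4 * 24`.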