When an error happens or the formatted string would be larger than the supplied buffer, snprintf returns -1 or a value larger than the supplied buffer size.
If this value is used without validating its range (by adding it to a pointer, etc.), bad things will happen.
The attached patch (against svn trunk) fixes all cases I've found. Compile-tested only. I have not tried to check if any of the changed code was exploitable.
Thanks for this, Yuriy,
We will get this pushed, however PTPd has moved to github now: https://github.com/ptpd/ptpd
Thanks,
Wojciech
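The snprintf return-value problem described in the report at the top of this thread, as an added example that is not taken from the PTPd sources or from the attached patch. The helper name `buf_appendf`, the function `unchecked_next_offset` and the 8-byte buffer with its sample string are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: the return value is taken as "bytes written".
 * On truncation it is the length that WOULD have been written. */
static int unchecked_next_offset(char *buf, size_t size, const char *s)
{
    return snprintf(buf, size, "%s", s);   /* may exceed size */
}

/* Hypothetical helper: append at buf + *off and validate the result
 * before it is used as an offset. Returns 0 on success, -1 on error
 * or truncation; *off never moves past the terminating NUL. */
static int buf_appendf(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (size == 0 || *off >= size)
        return -1;                         /* no room, avoid size - off wrapping */
    room = size - *off;

    va_start(ap, fmt);
    n = vsnprintf(buf + *off, room, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;                         /* output error: offset unchanged */
    if ((size_t)n >= room) {
        *off = size - 1;                   /* truncated: clamp to the NUL */
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[8];                           /* constructed sample buffer */
    size_t off = 0;
    int rc;

    printf("unchecked offset: %d (buffer is %zu bytes)\n",
           unchecked_next_offset(buf, sizeof buf, "interface=eth0"), sizeof buf);
    rc = buf_appendf(buf, sizeof buf, &off, "%s", "interface=eth0");
    printf("checked: rc=%d off=%zu text=\"%s\"\n", rc, off, buf);
    return 0;
}
```

Callers that build a message in several steps can stop at the first -1 and still hold a NUL-terminated, in-bounds buffer.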