# Extended 5.22 — LocalePlugin / sqMacSSL: vsprintf into fixed 1024-byte stack buffer

Bug ref      : pharo.md §5.22
Severity     : MEDIUM (stack overflow on long format expansion)
Files        : extracted/plugins/LocalePlugin/src/common/LocalePlugin.c (similar pattern)
               extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c:80-112 (logTrace helper)

## Problem

```c
char buf[1024];
vsprintf(buf, fmt, args);
```

Plain `vsprintf` writes without bounds. A long format expansion
overflows the stack buffer.

## Fix

Use `vsnprintf` with the buffer size.

```diff
diff --git a/extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c b/extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c
index 2c28e855e..3c3345dae 100644
--- a/extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c
+++ b/extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c
@@ -92,7 +92,9 @@ static int logStatus(OSStatus status, const char* restrict format, ...)
     CFStringRef _sreas = CFErrorCopyFailureReason(_e);
     CFStringRef _sreco = CFErrorCopyRecoverySuggestion(_e);
 
-    ret += vsprintf(buffer, format, args);
+    /* vsnprintf is bounded; the previous vsprintf could overflow buffer. */
+    ret += vsnprintf(buffer, sizeof(buffer), format, args);
+    buffer[sizeof(buffer) - 1] = '\0';
 
     logTrace(buffer);
 
```
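Review bot: on the `ret += vsnprintf(buffer, sizeof(buffer), format, args);` line the value added to `ret` is the length the full expansion would have had, not the number of bytes stored, so on an expansion longer than 1023 bytes `ret` ends up larger than the buffer; if `ret` is used anywhere as an offset or length, clamp it (e.g. `if (n >= (int)sizeof(buffer)) n = sizeof(buffer) - 1;`) and treat a negative return as an encoding error. The added `buffer[sizeof(buffer) - 1] = '\0';` is redundant because vsnprintf always terminates when the size is nonzero, though harmless; also confirm `buffer` is the array declared in this function rather than a pointer parameter, since `sizeof` on a pointer would silently bound the write to 4 or 8 bytes.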

Apply the same change to any other in-tree `vsprintf` (use
`git grep -n 'vsprintf\b'` to find them).
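As an added illustration of the bounded pattern the fix relies on (example code, not the project's own), the hypothetical helper below keeps the same 1024-byte buffer shape, reports truncation, and clamps the returned length to what was actually stored; the names `bounded_format`, `format_log_line` and `run_demo` are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024   /* same fixed size as the advisory's stack buffer */

/* Hypothetical bounded replacement for the vsprintf pattern. Always
 * NUL-terminates, sets *truncated when the expansion did not fit, and returns
 * the number of bytes actually stored (excluding the NUL), clamped. */
static int bounded_format(char *buf, int *truncated, const char *fmt, va_list args)
{
    int needed = vsnprintf(buf, LOG_BUF_SIZE, fmt, args);
    if (needed < 0) {                 /* encoding error: report an empty line */
        buf[0] = '\0';
        *truncated = 0;
        return 0;
    }
    /* vsnprintf returns the length the full expansion WOULD have had, so a
     * value >= the buffer size means the output was cut off at 1023 bytes. */
    if (needed >= LOG_BUF_SIZE) {
        *truncated = 1;
        return LOG_BUF_SIZE - 1;
    }
    *truncated = 0;
    return needed;
}

/* Variadic wrapper with the same shape as a logging helper. */
static int format_log_line(char *buf, int *truncated, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int n = bounded_format(buf, truncated, fmt, args);
    va_end(args);
    return n;
}

/* Constructed check: the reason argument is a run of arg_len 'A' bytes (capped
 * at 4095). Returns the stored length, or -1 if it disagrees with strlen(). */
static int run_demo(size_t arg_len, int *truncated)
{
    char big[4096], buf[LOG_BUF_SIZE];
    if (arg_len > sizeof(big) - 1) arg_len = sizeof(big) - 1;
    memset(big, 'A', arg_len);
    big[arg_len] = '\0';
    int n = format_log_line(buf, truncated, "status=%d reason=%s", 42, big);
    return (int)strlen(buf) == n ? n : -1;
}
static int demo_stored_length(size_t arg_len) { int t; return run_demo(arg_len, &t); }
static int demo_was_truncated(size_t arg_len) { int t; run_demo(arg_len, &t); return t; }
```

The fixed prefix `status=42 reason=` is 17 bytes, so a 1006-byte argument exactly fills the buffer and a 1007-byte one is the first to be truncated.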

## Test plan

- Pass a format that expands to > 1024 bytes. Before: stack
  overflow. After: truncated at 1023 bytes plus NUL.

## Risk notes

- Trivial drop-in replacement; the only behavioral difference is
  truncation instead of overflow.
