[PATCH] xclipboard: avoid overflow crash when building labels

Alan Coopersmith alan.coopersmith at oracle.com
Fri Jul 8 11:17:28 PDT 2011


On 07/ 8/11 11:01 AM, Kees Cook wrote:
> This replaces sprintf with snprintf to avoid crashing when creating
> various labels.
> 
> https://bugs.launchpad.net/ubuntu/+source/x11-apps/+bug/792642
> 
> Signed-off-by: Kees Cook <kees.cook at canonical.com>
> ---
>  xclipboard.c |    3 ++-
>  xcutsel.c    |    4 ++--
>  2 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/xclipboard.c b/xclipboard.c
> index 1fddf4c..c6610e9 100644
> --- a/xclipboard.c
> +++ b/xclipboard.c
> @@ -334,7 +334,8 @@ AcceptSaveFile(Widget w, XEvent *e, String *argv, Cardinal *argc)
>      {
>  	char	failMessage[1024];
>  
> -	sprintf (failMessage, "Can't open file \"%s\"", filename);
> +	snprintf (failMessage, sizeof (failMessage),
> +                  "Can't open file \"%s\"", filename);
>  	XtSetArg (args[0], XtNlabel, failMessage);
>  	XtSetValues (failDialog, args, 1);
>  	CenterWidgetOnEvent (failDialogShell, e);
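Review bot: in AcceptSaveFile the return value of the new snprintf is ignored, so a filename too long for the 1024-byte failMessage is cut silently and the dialog text loses the closing quote and the end of the name. Consider comparing the return value against sizeof (failMessage) and marking the truncation (for example by ending the label with "..."), or bounding the name with a precision in the format. Style point: the added continuation line is indented with spaces while the neighbouring lines use tabs.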
> diff --git a/xcutsel.c b/xcutsel.c
> index 690e201..7f33668 100644
> --- a/xcutsel.c
> +++ b/xcutsel.c
> @@ -288,7 +288,7 @@ main(int argc, char *argv[])
>  	XtAddCallback( button, XtNcallback, Quit, NULL );
>  
>      /* %%% hack alert... */
> -    sprintf(label, "*label:copy %s to %d",
> +    snprintf(label, sizeof(label), "*label:copy %s to %d",
>  	    options.selection_name,
>  	    options.buffer);
>      XrmPutLineResource( &rdb, label );
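Review bot: sizeof(label) in the first xcutsel.c call is the right bound only if label is declared as a char array in main(); the declaration is outside this hunk, so please confirm it is not a char *, where sizeof would give the pointer size. Also, with %s ahead of %d a long options.selection_name can push the " to %d" tail out of the buffer, and the shortened line is still passed to XrmPutLineResource; checking the snprintf return value and skipping or reporting the resource in that case would avoid installing a misleading label.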
> @@ -297,7 +297,7 @@ main(int argc, char *argv[])
>  	XtCreateManagedWidget("sel-cut", commandWidgetClass, box, NULL, ZERO);
>  	XtAddCallback( button, XtNcallback, GetSelection, NULL );
>  
> -    sprintf(label, "*label:copy %d to %s",
> +    snprintf(label, sizeof(label), "*label:copy %d to %s",
>  	    options.buffer,
>  	    options.selection_name);
>      XrmPutLineResource( &rdb, label );
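Review bot: the second xcutsel.c call duplicates the first with the arguments swapped, writes into the same label buffer and again leaves the snprintf return value unchecked; a small helper that formats the line and calls XrmPutLineResource would keep the size argument and a truncation check in one place. The subject line is prefixed "xclipboard:" although this file is xcutsel.c, so the commit message could name both programs.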

Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

-- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System


