[PATCH:libX11 7/7] Convert more sprintf calls to snprintf

Sun Feb 17 10:32:02 PST 2013

Am 17.02.2013 18:45, schrieb Alan Coopersmith:
> You could analyze most of these and quickly recognize that there was no
> chance of buffer overflow already, but why make everyone spend time doing
> that when we can just make it obviously safe?
> 
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
>  src/ErrDes.c    |    9 +++++----
>  src/GetDflt.c   |    2 +-
>  src/KeysymStr.c |    2 +-
>  src/XlibInt.c   |    8 ++++----
>  4 files changed, 11 insertions(+), 10 deletions(-)
> 
> diff --git a/src/ErrDes.c b/src/ErrDes.c
> index 9a5b180..ef5edad 100644
> --- a/src/ErrDes.c
> +++ b/src/ErrDes.c
> @@ -109,7 +109,7 @@ XGetErrorText(
>  
>      if (nbytes == 0) return 0;
>      if (code <= BadImplementation && code > 0) {
> -	sprintf(buf, "%d", code);
> +        snprintf(buf, sizeof(buf), "%d", code);
>          (void) XGetErrorDatabaseText(dpy, "XProtoError", buf,
>                                       _XErrorList + _XErrorOffsets[code],
>  				     buffer, nbytes);
> @@ -125,11 +125,12 @@ XGetErrorText(
>  	    bext = ext;
>      }
>      if (!buffer[0] && bext) {
> -	sprintf(buf, "%s.%d", bext->name, code - bext->codes.first_error);
> +	snprintf(buf, sizeof(buf), "%s.%d",
> +                 bext->name, code - bext->codes.first_error);
>  	(void) XGetErrorDatabaseText(dpy, "XProtoError", buf, "", buffer, nbytes);
>      }
>      if (!buffer[0])
> -	sprintf(buffer, "%d", code);
> +	snprintf(buffer, nbytes, "%d", code);
>      return 0;
>  }
>  
> @@ -190,7 +191,7 @@ XGetErrorDatabaseText(
>  	else
>  	    tptr = Xmalloc (tlen);
>  	if (tptr) {
> -	    sprintf(tptr, "%s.%s", name, type);
> +	    snprintf(tptr, tlen, "%s.%s", name, type);
>  	    XrmGetResource(db, tptr, "ErrorType.ErrorNumber",
>  	      &type_str, &result);
>  	    if (tptr != temp)

perhaps an asprintf() is more nice here ?

re,
 wh

> diff --git a/src/GetDflt.c b/src/GetDflt.c
> index dfda1c6..6f62cd8 100644
> --- a/src/GetDflt.c
> +++ b/src/GetDflt.c
> @@ -110,7 +110,7 @@ GetHomeDir(
>  	len2 = strlen (ptr2);
>      }
>      if ((len1 + len2 + 1) < len)
> -	sprintf (dest, "%s%s", ptr1, (ptr2) ? ptr2 : "");
> +	snprintf (dest, len, "%s%s", ptr1, (ptr2) ? ptr2 : "");
>      else
>  	*dest = '\0';
>  #else
> diff --git a/src/KeysymStr.c b/src/KeysymStr.c
> index f24f3b1..c7c4704 100644
> --- a/src/KeysymStr.c
> +++ b/src/KeysymStr.c
> @@ -107,7 +107,7 @@ char *XKeysymToString(KeySym ks)
>  	XrmQuark empty = NULLQUARK;
>  	GRNData data;
>  
> -	sprintf(buf, "%lX", ks);
> +	snprintf(buf, sizeof(buf), "%lX", ks);
>  	resval.addr = (XPointer)buf;
>  	resval.size = strlen(buf) + 1;
>  	data.name = (char *)NULL;
> diff --git a/src/XlibInt.c b/src/XlibInt.c
> index e4d35fd..c436842 100644
> --- a/src/XlibInt.c
> +++ b/src/XlibInt.c
> @@ -1432,7 +1432,7 @@ static int _XPrintDefaultError(
>  	mesg, BUFSIZ);
>      (void) fprintf(fp, mesg, event->request_code);
>      if (event->request_code < 128) {
> -	sprintf(number, "%d", event->request_code);
> +	snprintf(number, sizeof(number), "%d", event->request_code);
>  	XGetErrorDatabaseText(dpy, "XRequest", number, "", buffer, BUFSIZ);
>      } else {
>  	for (ext = dpy->ext_procs;
> @@ -1452,7 +1452,7 @@ static int _XPrintDefaultError(
>  	fputs("  ", fp);
>  	(void) fprintf(fp, mesg, event->minor_code);
>  	if (ext) {
> -	    sprintf(mesg, "%s.%d", ext->name, event->minor_code);
> +	    snprintf(mesg, sizeof(mesg), "%s.%d", ext->name, event->minor_code);
>  	    XGetErrorDatabaseText(dpy, "XRequest", mesg, "", buffer, BUFSIZ);
>  	    (void) fprintf(fp, " (%s)", buffer);
>  	}
> @@ -1475,8 +1475,8 @@ static int _XPrintDefaultError(
>  		bext = ext;
>  	}
>  	if (bext)
> -	    sprintf(buffer, "%s.%d", bext->name,
> -		    event->error_code - bext->codes.first_error);
> +	    snprintf(buffer, sizeof(buffer), "%s.%d", bext->name,
> +                     event->error_code - bext->codes.first_error);
>  	else
>  	    strcpy(buffer, "Value");
>  	XGetErrorDatabaseText(dpy, mtype, buffer, "", mesg, BUFSIZ);