
Replace sprintf with defensive snprintf

* dyn_load.c (GC_register_dynamic_libraries): Replace sprintf with
snprintf and put trailing '\0' to buffer to prevent buffer overrun;
cast snprintf result to void (to suppress compiler warning).
* cord/tests/cordtest.c (test_printf): Likewise.
* os_dep.c (GC_print_callers): Likewise.
* os_dep.c (GC_dirty_init): Likewise (if PROC_VDB).
* dyn_load.c (GC_dyld_image_add, GC_dyld_image_remove): Put trailing
'\0' to buffer and cast snprintf result to void (Darwin).
1 parent c640c6f commit edfd8454687ee1ccb756b51c15483febab388b33 @ivmai committed Jul 20, 2012
Showing with 21 additions and 10 deletions.
  1. +3 −1 cord/tests/cordtest.c
  2. +6 −3 dyn_load.c
  3. +12 −6 os_dep.c
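--- a/cord/tests/cordtest.c
+++ b/cord/tests/cordtest.c
@@ -221,7 +221,9 @@ void test_printf(void)
 x = CORD_cat(x,x);
 if (CORD_sprintf(&result, "->%-120.78r!\n", x) != 124)
 ABORT("CORD_sprintf failed 3");
- (void) sprintf(result2, "->%-120.78s!\n", CORD_to_char_star(x));
+ (void)snprintf(result2, sizeof(result2), "->%-120.78s!\n",
+ CORD_to_char_star(x));
+ result2[sizeof(result2) - 1] = '\0';
 if (CORD_cmp(result, result2) != 0)ABORT("CORD_sprintf goofed 5");
 }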
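Review bot: The snprintf result in test_printf is cast to void, so a `result2` too small for the 124-character output is only noticed indirectly, when CORD_cmp reports "goofed 5". The line above already pins the expected length for CORD_sprintf, so the same check fits here: `if (snprintf(result2, sizeof(result2), "->%-120.78s!\n", CORD_to_char_star(x)) != 124) ABORT("snprintf failed");`. The declaration of `result2` is outside the hunk, so its size cannot be confirmed from here.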
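--- a/dyn_load.c
+++ b/dyn_load.c
@@ -741,7 +741,8 @@ GC_INNER void GC_register_dynamic_libraries(void)
 # endif /* SOLARISDL */
 if (fd < 0) {
- sprintf(buf, "/proc/%ld", (long)getpid());
+ (void)snprintf(buf, sizeof(buf), "/proc/%ld", (long)getpid());
+ buf[sizeof(buf) - 1] = '\0';
 /* The above generates a lint complaint, since pid_t varies. */
 /* It's unclear how to improve this. */
 fd = open(buf, O_RDONLY);
@@ -1279,7 +1280,8 @@ STATIC void GC_dyld_image_add(const struct GC_MACH_HEADER *hdr,
 fmt = GC_dyld_add_sect_fmts[j];
 /* Add our manufactured aligned BSS sections. */
 for (i = 0; i <= L2_MAX_OFILE_ALIGNMENT; i++) {
- snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ (void)snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ secnam[sizeof(secnam) - 1] = '\0';
 sec = GC_GETSECTBYNAME(hdr, SEG_DATA, secnam);
 if (sec == NULL || sec->size == 0)
 continue;
@@ -1330,7 +1332,8 @@ STATIC void GC_dyld_image_remove(const struct GC_MACH_HEADER *hdr,
 for (j = 0; j < sizeof(GC_dyld_add_sect_fmts) / sizeof(char *); j++) {
 fmt = GC_dyld_add_sect_fmts[j];
 for (i = 0; i <= L2_MAX_OFILE_ALIGNMENT; i++) {
- snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ (void)snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ secnam[sizeof(secnam) - 1] = '\0';
 sec = GC_GETSECTBYNAME(hdr, SEG_DATA, secnam);
 if (sec == NULL || sec->size == 0)
 continue;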
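Review bot: In GC_register_dynamic_libraries the snprintf result is discarded, so if `buf` cannot hold the full `/proc/<pid>` string the following open() receives a shortened path, which may name a different process's /proc entry rather than failing. The size of `buf` is declared outside the hunk, so this may be unreachable in practice, but the check is cheap: keep the snprintf result in an int `len` and add `if (len < 0 || (size_t)len >= sizeof(buf)) ABORT("/proc path too long");` before the open(). The same pattern appears in GC_dirty_init in os_dep.c. The explicit `buf[sizeof(buf) - 1] = '\0';` presumably covers snprintf implementations that do not terminate on truncation; a one-line comment saying so would keep it from being removed later as redundant.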
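--- a/os_dep.c
+++ b/os_dep.c
@@ -3671,7 +3671,8 @@ GC_INNER void GC_dirty_init(void)
 + GC_bytes_allocd_before_gc));
 }
- sprintf(buf, "/proc/%ld", (long)getpid());
+ (void)snprintf(buf, sizeof(buf), "/proc/%ld", (long)getpid());
+ buf[sizeof(buf) - 1] = '\0';
 fd = open(buf, O_RDONLY);
 if (fd < 0) {
 ABORT("/proc open failed");
@@ -4678,7 +4679,8 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
 # else
 char buf[40];
 char *name = buf;
- sprintf(buf, "##PC##= 0x%lx", info[i].ci_pc);
+ (void)snprintf(buf, sizeof(buf), "##PC##= 0x%lx", info[i].ci_pc);
+ buf[sizeof(buf) - 1] = '\0';
 # endif
 # if defined(LINUX) && !defined(SMALL_CONFIG)
 /* Try for a line number. */
@@ -4713,8 +4715,10 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
 /* Then we use popen to start addr2line -e <exe> <addr> */
 /* There are faster ways to do this, but hopefully this */
 /* isn't time critical. */
- sprintf(cmd_buf, "/usr/bin/addr2line -f -e %s 0x%lx", exe_name,
- (unsigned long)info[i].ci_pc);
+ (void)snprintf(cmd_buf, sizeof(cmd_buf),
+ "/usr/bin/addr2line -f -e %s 0x%lx",
+ exe_name, (unsigned long)info[i].ci_pc);
+ cmd_buf[sizeof(cmd_buf) - 1] = '\0';
 old_preload = GETENV("LD_PRELOAD");
 if (0 != old_preload) {
 size_t old_len = strlen(old_preload);
@@ -4758,8 +4762,10 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
 }
 if (result_len < RESULT_SZ - 25) {
 /* Add in hex address */
- sprintf(result_buf + result_len, " [0x%lx]",
- (unsigned long)info[i].ci_pc);
+ (void)snprintf(&result_buf[result_len],
+ sizeof(result_buf) - result_len,
+ " [0x%lx]", (unsigned long)info[i].ci_pc);
+ result_buf[sizeof(result_buf) - 1] = '\0';
 }
 name = result_buf;
 pclose(pipe);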
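Review bot: In GC_print_callers the now-bounded `cmd_buf` is still run through the shell by popen, and `exe_name` is interpolated with a bare `%s`. A path containing spaces or shell metacharacters changes the command, and an over-long path now silently truncates it (dropping the address argument) instead of overflowing. Where `exe_name` comes from lies outside the hunk, so how far it can be influenced cannot be judged here. At minimum the addr2line lookup should be skipped when the snprintf result is negative or `>= sizeof(cmd_buf)`, and the path quoted, e.g. `"/usr/bin/addr2line -f -e '%s' 0x%lx"` after rejecting names that contain a single quote. The popen call itself is not visible in the hunk; only the preceding comment and the later `pclose(pipe)` show it.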
