Description
Two command-line utilities use sprintf to construct an output .dbf filename
from an unbounded argv[] argument into a fixed 1024-byte stack buffer. If the
caller passes a path longer than ~1019 characters, the buffer overflows.
This was identified by a Veracode static analysis scan and validated manually by
code review.
Affected Files and Lines
src/apps/coshp.c — line 199
Current code:
char buffer[1024];
/* ... */
sprintf(buffer, "%s.dbf", argv[2]); /* Stack-based buffer overflow */
src/apps/sortshp.c — line 202
Current code:
char buffer[1024];
/* ... */
sprintf(buffer, "%s.dbf", argv[2]); /* Stack-based buffer overflow */
Suggested Fix
snprintf(buffer, sizeof(buffer), "%s.dbf", argv[2]);
Note: The safe form snprintf(buffer, sizeof(buffer), ...) is already used
correctly earlier in the same file, sortshp.c line 123:
snprintf(buffer, sizeof(buffer), "%s.dbf", argv[1]);
The output-side call at line 202 may have been missed when the safer form was introduced.
Root Cause
argv[] elements have no standard-mandated size limit. On Windows the entire command line is limited to ~32 767 characters; on Linux ARG_MAX governs the combined argument list but not individual elements. In both cases argv[2] can exceed 1019 characters, overflowing buffer before the ".dbf" suffix is appended.
Fix Summary
Replace all remaining sprintf(buffer, ...) calls that write into fixed-size stack buffers with snprintf(buffer, sizeof(buffer), ...). The change is minimal and does not alter observable behavior for any valid input.
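The following is an added example, not code from shapelib or from the reporter: it shows the bounded form of the filename construction from coshp.c/sortshp.c together with the check that the plain snprintf replacement above does not give you. snprintf on its own silently truncates, so a 1020-character argument would still "succeed" but produce a different output path; checking the return value turns that case into an error. The helper names (build_dbf_name, dbf_name_len, dbf_name_len_for) and the OUT_BUF constant are assumptions made for this example; OUT_BUF matches the 1024-byte stack buffer in the report.

```c
#include <stdio.h>
#include <string.h>

/* Matches the fixed 1024-byte stack buffer described in the report. */
#define OUT_BUF 1024

/* Hypothetical helper (not shapelib's): builds "<base>.dbf" into buffer.
 * Returns 0 on success, -1 if the result would not fit. On failure the
 * buffer is left as an empty string rather than a silently truncated path. */
int build_dbf_name(char *buffer, size_t bufsize, const char *base)
{
    int n = snprintf(buffer, bufsize, "%s.dbf", base);
    /* snprintf reports the length it wanted to write; n >= bufsize means
     * the name was cut off. A truncated path would point at a different
     * file than the user asked for, so treat it as an error. */
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0)
            buffer[0] = '\0';
        return -1;
    }
    return 0;
}

/* Returns the length of the constructed name, or -1 if it was rejected. */
int dbf_name_len(const char *base)
{
    char buffer[OUT_BUF];
    if (build_dbf_name(buffer, sizeof(buffer), base) != 0)
        return -1;
    return (int)strlen(buffer);
}

/* Constructs a base name of n 'A' characters (capped below 2*OUT_BUF) and
 * reports the resulting name length or -1; used to probe the size boundary. */
int dbf_name_len_for(size_t n)
{
    char base[OUT_BUF * 2];
    if (n >= sizeof(base))
        n = sizeof(base) - 1;
    memset(base, 'A', n);
    base[n] = '\0';
    return dbf_name_len(base);
}

int main(void)
{
    char buffer[OUT_BUF];

    if (build_dbf_name(buffer, sizeof(buffer), "shapes") == 0)
        printf("ok: %s\n", buffer);

    /* Constructed oversize argument: 1020 chars + ".dbf" needs 1025 bytes. */
    if (dbf_name_len_for(1020) < 0)
        printf("rejected: a 1020-character base does not fit in %d bytes\n",
               OUT_BUF);

    /* 1019 chars + ".dbf" + NUL is exactly 1024 bytes, the largest that fits. */
    printf("largest accepted name length: %d\n", dbf_name_len_for(1019));
    return 0;
}
```

The boundary probed by dbf_name_len_for agrees with the ~1019-character figure in the description: 1019 characters of base name plus the four-byte suffix and the terminator fill the buffer exactly, and one more character is refused instead of overflowing or being truncated.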
Security Classification
- CWE-121: Stack-based Buffer Overflow
- Detected by: Veracode Static Analysis, confirmed by manual code review