The attached patch changes most of the usages of sprintf() to

snprintf() in contrib/. I didn't touch the places where pointer arithmatic was being used, or other areas where the fix wasn't trivial. I would think that few, if any, of the usages of sprintf() were actually exploitable, but it's probably better to be paranoid... Neil Conway
2025-07-31 22:04:40 +03:00 · 2002-08-15 02:58:29 +00:00
parent 7f4981f4af
commit 66eb8df6a4
15 changed files with 80 additions and 70 deletions
--- a/contrib/dbase/dbf.c
+++ b/contrib/dbase/dbf.c
@ -437,7 +437,7 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
 	format: sprintf format-string to get the right precision with real numbers

 	NOTE: this declaration of 'foo' can cause overflow when the contents-field
-	is longer the 127 chars (which is highly unlikely, cos it is not used
+	is longer the 127 chars (which is highly unlikely, because it is not used
 	in text-fields).
 */
 /*	REMEMBER THAT THERE'S A 0x1A AT THE END OF THE FILE, SO DON'T
@ -488,11 +488,11 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
 				if ((rec[t].db_type == 'N') && (rec[t].db_dec != 0))
 				{
 					fl = atof(rec[t].db_contents);
-					sprintf(format, "%%.%df", rec[t].db_dec);
-					sprintf(foo, format, fl);
+					snprintf(format, 32, "%%.%df", rec[t].db_dec);
+					snprintf(foo, 128, format, fl);
 				}
 				else
-					strcpy(foo, rec[t].db_contents);
+					strncpy(foo, rec[t].db_contents, 128);
 				if (strlen(foo) > rec[t].db_flen)
 					length = rec[t].db_flen;
 				else
--- a/contrib/dbase/dbf2pg.c
+++ b/contrib/dbase/dbf2pg.c
@ -308,7 +308,7 @@ do_create(PGconn *conn, char *table, dbhead * dbh)
 				if (dbh->db_fields[i].db_flen > 1)
 				{
 					strcat(query, " varchar");
-					sprintf(t, "(%d)",
+					snprintf(t, 20, "(%d)",
 							dbh->db_fields[i].db_flen);
 					strcat(query, t);
 				}
@ -361,7 +361,7 @@ do_inserts(PGconn *conn, char *table, dbhead * dbh)
 				result;
 	char	   *query,
 			   *foo;
-	char		pgdate[10];
+	char		pgdate[11];

 	if (verbose > 1)
 		printf("Inserting records\n");
@ -467,7 +467,7 @@ do_inserts(PGconn *conn, char *table, dbhead * dbh)
 				{
 					if ((strlen(foo) == 8) && isinteger(foo))
 					{
-						sprintf(pgdate, "%c%c%c%c-%c%c-%c%c",
+						snprintf(pgdate, 11, "%c%c%c%c-%c%c-%c%c",
 								foo[0], foo[1], foo[2], foo[3],
 								foo[4], foo[5], foo[6], foo[7]);
 						strcat(query, pgdate);