mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00

The attached patch changes most of the usages of sprintf() to
snprintf() in contrib/. I didn't touch the places where pointer
arithmetic was being used, or other areas where the fix wasn't
trivial. I would think that few, if any, of the usages of sprintf()
were actually exploitable, but it's probably better to be paranoid...

Neil Conway
Bruce Momjian
2002-08-15 02:58:29 +00:00
parent 7f4981f4af
commit 66eb8df6a4
15 changed files with 80 additions and 70 deletions


@ -437,7 +437,7 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
format: sprintf format-string to get the right precision with real numbers
NOTE: this declaration of 'foo' can cause overflow when the contents-field
is longer the 127 chars (which is highly unlikely, cos it is not used
is longer the 127 chars (which is highly unlikely, because it is not used
in text-fields).
*/
/* REMEMBER THAT THERE'S A 0x1A AT THE END OF THE FILE, SO DON'T
@ -488,11 +488,11 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
if ((rec[t].db_type == 'N') && (rec[t].db_dec != 0))
{
fl = atof(rec[t].db_contents);
sprintf(format, "%%.%df", rec[t].db_dec);
sprintf(foo, format, fl);
snprintf(format, 32, "%%.%df", rec[t].db_dec);
snprintf(foo, 128, format, fl);
}
else
strcpy(foo, rec[t].db_contents);
strncpy(foo, rec[t].db_contents, 128);
if (strlen(foo) > rec[t].db_flen)
length = rec[t].db_flen;
else
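Review bot: The `strncpy(foo, rec[t].db_contents, 128);` in the else branch leaves `foo` without a terminating NUL when the contents are 128 bytes or longer, and the `strlen(foo)` on the following line then reads past the end of the buffer. If `foo` is the 128-byte array that the NOTE in the first hunk implies (its declaration is outside the hunk), a terminating form such as `snprintf(foo, 128, "%s", rec[t].db_contents);` closes that gap. The literal sizes 32 and 128 in the two `snprintf` calls would be safer written as `sizeof(format)` and `sizeof(foo)`, assuming both are arrays, so they cannot drift from the declarations; the NOTE comment should also be updated to say that long contents are now truncated rather than overflowing. dbf_put_record's body starts and ends outside both hunks.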