From edfd8454687ee1ccb756b51c15483febab388b33 Mon Sep 17 00:00:00 2001
From: Ivan Maidanski
Date: Fri, 20 Jul 2012 14:23:10 +0400
Subject: [PATCH] Replace sprintf with defensive snprintf

* dyn_load.c (GC_register_dynamic_libraries): Replace sprintf with snprintf add put traling '\0' to buffer to prevent buffer overrun; cast snprintf result to void (to suppress compiler warning).
* cord/tests/cordtest.c (test_printf): Likewise.
* os_dep.c (GC_print_callers): Likewise.
* os_dep.c (GC_dirty_init): Likewise (if PROC_VDB).
* dyn_load.c (GC_dyld_image_add, GC_dyld_image_remove): Put trailing '\0' to buffer and cast snprintf result to void (Darwin).
---
 cord/tests/cordtest.c | 4 +++-
 dyn_load.c | 9 ++++++---
 os_dep.c | 18 ++++++++++++------
 3 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/cord/tests/cordtest.c b/cord/tests/cordtest.c
index 86b7ce21..a089f80d 100644
--- a/cord/tests/cordtest.c
+++ b/cord/tests/cordtest.c
@@ -221,7 +221,9 @@ void test_printf(void)
 x = CORD_cat(x,x);
 if (CORD_sprintf(&result, "->%-120.78r!\n", x) != 124)
 ABORT("CORD_sprintf failed 3");
- (void) sprintf(result2, "->%-120.78s!\n", CORD_to_char_star(x));
+ (void)snprintf(result2, sizeof(result2), "->%-120.78s!\n",
+ CORD_to_char_star(x));
+ result2[sizeof(result2) - 1] = '\0';
 if (CORD_cmp(result, result2) != 0)ABORT("CORD_sprintf goofed 5");
 }
diff --git a/dyn_load.c b/dyn_load.c
index b521806c..bab89709 100644
--- a/dyn_load.c
+++ b/dyn_load.c
@@ -741,7 +741,8 @@ GC_INNER void GC_register_dynamic_libraries(void)
 # endif /* SOLARISDL */
 if (fd < 0) {
- sprintf(buf, "/proc/%ld", (long)getpid());
+ (void)snprintf(buf, sizeof(buf), "/proc/%ld", (long)getpid());
+ buf[sizeof(buf) - 1] = '\0';
 /* The above generates a lint complaint, since pid_t varies. */
 /* It's unclear how to improve this. */
 fd = open(buf, O_RDONLY);
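Review bot: The store `result2[sizeof(result2) - 1] = '\0';` added after the snprintf call is a no-op on any C99-conforming libc, because snprintf always writes the terminator when its size argument is non-zero; it only matters for pre-C99 implementations (an `_snprintf`-style one that leaves the buffer unterminated on truncation), and nothing in the hunk says so. A one-line comment would stop the next maintainer from removing it as dead code: `/* Some pre-C99 snprintf variants do not NUL-terminate on truncation. */`. The same unexplained pattern is added in dyn_load.c (GC_register_dynamic_libraries, GC_dyld_image_add, GC_dyld_image_remove) and os_dep.c (GC_dirty_init, GC_print_callers). Note also that the `(void)` cast discards the only truncation signal; in this test a truncated result2 would surface as the `CORD_cmp` ABORT on the next line, which is acceptable for a test but deserves a real check in the library hunks.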
@@ -1279,7 +1280,8 @@ STATIC void GC_dyld_image_add(const struct GC_MACH_HEADER *hdr,
 fmt = GC_dyld_add_sect_fmts[j];
 /* Add our manufactured aligned BSS sections. */
 for (i = 0; i <= L2_MAX_OFILE_ALIGNMENT; i++) {
- snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ (void)snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ secnam[sizeof(secnam) - 1] = '\0';
 sec = GC_GETSECTBYNAME(hdr, SEG_DATA, secnam);
 if (sec == NULL || sec->size == 0)
 continue;
@@ -1330,7 +1332,8 @@ STATIC void GC_dyld_image_remove(const struct GC_MACH_HEADER *hdr,
 for (j = 0; j < sizeof(GC_dyld_add_sect_fmts) / sizeof(char *); j++) {
 fmt = GC_dyld_add_sect_fmts[j];
 for (i = 0; i <= L2_MAX_OFILE_ALIGNMENT; i++) {
- snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ (void)snprintf(secnam, sizeof(secnam), fmt, (unsigned)i);
+ secnam[sizeof(secnam) - 1] = '\0';
 sec = GC_GETSECTBYNAME(hdr, SEG_DATA, secnam);
 if (sec == NULL || sec->size == 0)
 continue;
diff --git a/os_dep.c b/os_dep.c
index eb9a3f66..30452e35 100644
--- a/os_dep.c
+++ b/os_dep.c
@@ -3671,7 +3671,8 @@ GC_INNER void GC_dirty_init(void)
 + GC_bytes_allocd_before_gc));
 }
- sprintf(buf, "/proc/%ld", (long)getpid());
+ (void)snprintf(buf, sizeof(buf), "/proc/%ld", (long)getpid());
+ buf[sizeof(buf) - 1] = '\0';
 fd = open(buf, O_RDONLY);
 if (fd < 0) {
 ABORT("/proc open failed");
@@ -4678,7 +4679,8 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
 # else
 char buf[40];
 char *name = buf;
- sprintf(buf, "##PC##= 0x%lx", info[i].ci_pc);
+ (void)snprintf(buf, sizeof(buf), "##PC##= 0x%lx", info[i].ci_pc);
+ buf[sizeof(buf) - 1] = '\0';
 # endif
 # if defined(LINUX) && !defined(SMALL_CONFIG)
 /* Try for a line number. */
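Review bot: The new snprintf call in the GC_print_callers hunk at -4678 passes `info[i].ci_pc` to `%lx` without a cast, whereas the two later hunks in the same function (at -4713 and -4758) cast it to `(unsigned long)`; if ci_pc is not exactly unsigned long (its type is declared outside the hunk) this is a format/argument mismatch, which is undefined behaviour and exactly what `-Wformat` flags. Make the three sites consistent: `(void)snprintf(buf, sizeof(buf), "##PC##= 0x%lx", (unsigned long)info[i].ci_pc);`. With `char buf[40]` visible two lines above, the 10-character prefix plus at most 16 hex digits always fits, so the explicit terminator store on the following line is not load-bearing here.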
@@ -4713,8 +4715,10 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
 /* Then we use popen to start addr2line -e */
 /* There are faster ways to do this, but hopefully this */
 /* isn't time critical. */
- sprintf(cmd_buf, "/usr/bin/addr2line -f -e %s 0x%lx", exe_name,
- (unsigned long)info[i].ci_pc);
+ (void)snprintf(cmd_buf, sizeof(cmd_buf),
+ "/usr/bin/addr2line -f -e %s 0x%lx",
+ exe_name, (unsigned long)info[i].ci_pc);
+ cmd_buf[sizeof(cmd_buf) - 1] = '\0';
 old_preload = GETENV("LD_PRELOAD");
 if (0 != old_preload) {
 size_t old_len = strlen(old_preload);
@@ -4758,8 +4762,10 @@ GC_INNER void GC_print_callers(struct callinfo info[NFRAMES])
 }
 if (result_len < RESULT_SZ - 25) {
 /* Add in hex address */
- sprintf(result_buf + result_len, " [0x%lx]",
- (unsigned long)info[i].ci_pc);
+ (void)snprintf(&result_buf[result_len],
+ sizeof(result_buf) - result_len,
+ " [0x%lx]", (unsigned long)info[i].ci_pc);
+ result_buf[sizeof(result_buf) - 1] = '\0';
 }
 name = result_buf;
 pclose(pipe);
-- 
2.50.1
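Review bot: The `(void)` cast on the new snprintf into cmd_buf discards the one return value that matters on this line: the formatted string is the command line handed to popen (per the comment at the top of the hunk), so a truncated `/usr/bin/addr2line -f -e <exe_name> 0x...` would still be executed with a mangled path or address instead of being skipped. Keep the result, `int ret = snprintf(cmd_buf, sizeof(cmd_buf), "/usr/bin/addr2line -f -e %s 0x%lx", exe_name, (unsigned long)info[i].ci_pc);`, and guard the popen path with `if (ret < 0 || (size_t)ret >= sizeof(cmd_buf))` falling back to the plain address; the popen call and the fallback branch are outside the hunk, so the exact guard target has to be chosen there. Once the return value is checked, the trailing `cmd_buf[sizeof(cmd_buf) - 1] = '\0';` is unnecessary on a C99 libc. exe_name itself is interpolated into a shell command unquoted; that is pre-existing rather than introduced here, but it is worth a comment stating where exe_name comes from (outside the hunk) and why it is trusted.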
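Review bot: In the hunk at -4758 the new size argument `sizeof(result_buf) - result_len` sits two lines below a guard written as `result_len < RESULT_SZ - 25`; the two presumably name the same capacity (result_buf's declaration is outside the hunk), and mixing the spellings invites them to drift apart, so prefer one form, e.g. `sizeof(result_buf) - result_len` paired with `result_len < sizeof(result_buf) - 25` in the guard. If result_buf is an array the guard already leaves at least 25 bytes and the appended ` [0x%lx]` is at most 21 characters on a 64-bit build, so neither truncation nor the explicit `result_buf[sizeof(result_buf) - 1] = '\0'` store can take effect here; if it were a pointer, sizeof would yield the pointer size and the subtraction would be wrong, so the array-ness deserves a static assertion or a comment at the declaration.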