authorcinap_lenrek <cinap_lenrek@felloff.net>2015-02-17 22:13:35 +0100
committercinap_lenrek <cinap_lenrek@felloff.net>2015-02-17 22:13:35 +0100
commit03feba8cc1a68da8882bfc90d182365308a00743 (patch)
tree7abec9fa0987ffd70ae30dffb7496d34d1d32241 /sys/src/cmd/2l
parentfdeea811b7f309e1bd542a0a23fd382e332b2c2e (diff)
[125678kqv][cl]: fix sprint() and strcpy() buffer overflows
Diffstat (limited to 'sys/src/cmd/2l')
-rw-r--r--sys/src/cmd/2l/list.c147
-rw-r--r--sys/src/cmd/2l/obj.c16
2 files changed, 76 insertions, 87 deletions
diff --git a/sys/src/cmd/2l/list.c b/sys/src/cmd/2l/list.c
index 1ebf488ed..3d24ece20 100644
--- a/sys/src/cmd/2l/list.c
+++ b/sys/src/cmd/2l/list.c
@@ -16,17 +16,15 @@ static Prog *bigP;
int
Pconv(Fmt *fp)
{
- char str[STRINGSZ], s[20];
+ char str[STRINGSZ];
Prog *p;
p = va_arg(fp->args, Prog*);
bigP = p;
- sprint(str, "(%ld) %A %D,%D",
+ snprint(str, sizeof str, "(%ld) %A %D,%D",
p->line, p->as, &p->from, &p->to);
- if(p->from.field) {
- sprint(s, ",%d,%d", p->to.field, p->from.field);
- strcat(str, s);
- }
+ if(p->from.field)
+ return fmtprint(fp, "%s,%d,%d", str, p->to.field, p->from.field);
bigP = P;
return fmtstrcpy(fp, str);
}
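Review bot: The early `return fmtprint(...)` taken when `p->from.field` is set skips the `bigP = P;` reset, so the file-scope `bigP` keeps pointing at this Prog after Pconv returns; the removed code always reached the reset. Dconv's D_BRANCH case, visible later in this diff, dereferences `bigP->pcond` whenever `bigP != P`, so a later `%D` printed outside of `%P` could read through a stale pointer. Since `str` is fully formatted by that point, move `bigP = P;` above the `if(p->from.field)` test.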
@@ -34,26 +32,20 @@ Pconv(Fmt *fp)
int
Aconv(Fmt *fp)
{
-
return fmtstrcpy(fp, anames[va_arg(fp->args, int)]);
}
int
Xconv(Fmt *fp)
{
- char str[20], s[10];
+ char str[30];
int i0, i1;
str[0] = 0;
i0 = va_arg(fp->args, int) & D_MASK;
i1 = va_arg(fp->args, int);
- if(i0 != D_NONE) {
- sprint(str, "(%R.", i0);
- sprint(s, "%c*%c)",
- "WWWWLLLL"[i1],
- "12481248"[i1]);
- strcat(str, s);
- }
+ if(i0 != D_NONE)
+ snprint(str, sizeof str, "(%R.%c*%c)", i0, "WWWWLLLL"[i1], "12481248"[i1]);
return fmtstrcpy(fp, str);
}
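Review bot: In Xconv the index `i1` is used unmasked in `"WWWWLLLL"[i1]` and `"12481248"[i1]`, so a value outside 0..7 is not rejected: 8 picks up the terminator and anything larger or negative reads outside the literal, which the new `snprint` bound does not cover. The equivalent code in Dconv masks first with `j = a->scale & 7`. Unless every caller is known to pass a masked value, apply the same here: `i1 = va_arg(fp->args, int) & 7;`.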
@@ -73,37 +65,38 @@ Dconv(Fmt *fp)
a->displace = 0;
switch(i & I_MASK) {
default:
- sprint(str, "???%ld(%D)", d, a);
+ snprint(str, sizeof str, "???%ld(%D)", d, a);
break;
case I_INDEX1:
- sprint(str, "%D", a);
+ snprint(str, sizeof str, "%D", a);
break;
case I_INDEX2:
if(d)
- sprint(str, "%ld(%D)", d, a);
+ snprint(str, sizeof str, "%ld(%D)", d, a);
else
- sprint(str, "(%D)", a);
+ snprint(str, sizeof str, "(%D)", a);
break;
case I_INDEX3:
if(d)
- sprint(str, "%ld(%D", d, a);
+ snprint(str, sizeof str, "%ld(%D", d, a);
else
- sprint(str, "(%D", a);
+ snprint(str, sizeof str, "(%D", a);
break;
}
if(i != D_NONE) {
j = a->scale & 7;
- sprint(strchr(str,0), "(%R.", i);
- sprint(strchr(str,0), "%c*%c)",
- "WWWWLLLL"[j],
- "12481248"[j]);
+ snprint(s, sizeof s, "(%R.%c*%c)", i, "WWWWLLLL"[j], "12481248"[j]);
+ strncat(str, s, sizeof str - 1);
+ str[sizeof str - 1] = 0;
+ }
+ if((i & I_MASK) == I_INDEX3){
+ strncat(str, ")", sizeof str - 1);
+ str[sizeof str - 1] = 0;
}
- if((i & I_MASK) == I_INDEX3)
- strcat(str, ")");
a->displace = d;
a->index = i;
goto out;
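Review bot: `strncat(str, s, sizeof str - 1)` does not bound the result to `str`: the third argument limits how many bytes are taken from the source, not the total size of the destination, so when `str` is already nearly full the append still writes past its end and the following `str[sizeof str - 1] = 0` comes too late. The same applies to the `strncat(str, ")", sizeof str - 1)` a few lines below. Pass the remaining room instead, `strncat(str, s, sizeof str - strlen(str) - 1);` and `strncat(str, ")", sizeof str - strlen(str) - 1);`, after which the explicit terminator stores are no longer needed. The declarations of `str` and `s` are outside this hunk, so their sizes should be confirmed there.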
@@ -116,23 +109,23 @@ Dconv(Fmt *fp)
a->offset = 0;
switch(j) {
case I_INDINC:
- sprint(str, "(%D)+", a);
+ snprint(str, sizeof str, "(%D)+", a);
break;
case I_INDDEC:
- sprint(str, "-(%D)", a);
+ snprint(str, sizeof str, "-(%D)", a);
break;
case I_INDIR:
if(d)
- sprint(str, "%ld(%D)", d, a);
+ snprint(str, sizeof str, "%ld(%D)", d, a);
else
- sprint(str, "(%D)", a);
+ snprint(str, sizeof str, "(%D)", a);
break;
case I_ADDR:
a->offset = d;
- sprint(str, "$%D", a);
+ snprint(str, sizeof str, "$%D", a);
break;
}
a->type = i;
@@ -142,7 +135,7 @@ Dconv(Fmt *fp)
switch(i) {
default:
- sprint(str, "%R", i);
+ snprint(str, sizeof str, "%R", i);
break;
case D_NONE:
@@ -152,58 +145,56 @@ Dconv(Fmt *fp)
case D_BRANCH:
if(bigP != P && bigP->pcond != P)
if(a->sym != S)
- sprint(str, "%lux+%s", bigP->pcond->pc,
+ snprint(str, sizeof str, "%lux+%s", bigP->pcond->pc,
a->sym->name);
else
- sprint(str, "%lux", bigP->pcond->pc);
+ snprint(str, sizeof str, "%lux", bigP->pcond->pc);
else
- sprint(str, "%ld(PC)", a->offset);
+ snprint(str, sizeof str, "%ld(PC)", a->offset);
break;
case D_EXTERN:
- sprint(str, "%s+%ld(SB)", a->sym->name, a->offset);
+ snprint(str, sizeof str, "%s+%ld(SB)", a->sym->name, a->offset);
break;
case D_STATIC:
- sprint(str, "%s<%d>+%ld(SB)", a->sym->name,
+ snprint(str, sizeof str, "%s<%d>+%ld(SB)", a->sym->name,
a->sym->version, a->offset);
break;
case D_AUTO:
- sprint(str, "%s+%ld(SP)", a->sym->name, a->offset);
+ snprint(str, sizeof str, "%s+%ld(SP)", a->sym->name, a->offset);
break;
case D_PARAM:
if(a->sym)
- sprint(str, "%s+%ld(FP)", a->sym->name, a->offset);
+ snprint(str, sizeof str, "%s+%ld(FP)", a->sym->name, a->offset);
else
- sprint(str, "%ld(FP)", a->offset);
+ snprint(str, sizeof str, "%ld(FP)", a->offset);
break;
case D_CONST:
- sprint(str, "$%ld", a->offset);
+ snprint(str, sizeof str, "$%ld", a->offset);
break;
case D_STACK:
- sprint(str, "TOS+%ld", a->offset);
+ snprint(str, sizeof str, "TOS+%ld", a->offset);
break;
case D_QUICK:
- sprint(str, "$Q%ld", a->offset);
+ snprint(str, sizeof str, "$Q%ld", a->offset);
break;
case D_FCONST:
- sprint(str, "$(%.8lux,%.8lux)", a->ieee.h, a->ieee.l);
+ snprint(str, sizeof str, "$(%.8lux,%.8lux)", a->ieee.h, a->ieee.l);
goto out;
case D_SCONST:
- sprint(str, "$\"%S\"", a->scon);
+ snprint(str, sizeof str, "$\"%S\"", a->scon);
goto out;
}
- if(a->displace) {
- sprint(s, "/%ld", a->displace);
- strcat(str, s);
- }
+ if(a->displace)
+ return fmtprint(fp, "%s/%ld", str, a->displace);
out:
return fmtstrcpy(fp, str);
}
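Review bot: The D_EXTERN, D_STATIC and D_AUTO cases format `a->sym->name` without testing `a->sym`, while D_PARAM checks `if(a->sym)` and D_BRANCH checks `a->sym != S` before doing the same. If an operand of those types can reach the listing code without a symbol (for example from a malformed object file; this is not visible in the hunk), that is a nil dereference the buffer-size fix does not touch. Consider the D_PARAM pattern for them, e.g. for D_AUTO `if(a->sym) snprint(str, sizeof str, "%s+%ld(SP)", a->sym->name, a->offset); else snprint(str, sizeof str, "%ld(SP)", a->offset);`.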
@@ -216,113 +207,113 @@ Rconv(Fmt *fp)
r = va_arg(fp->args, int);
if(r >= D_R0 && r < D_R0+NREG)
- sprint(str, "R%d", r-D_R0);
+ snprint(str, sizeof str, "R%d", r-D_R0);
else
if(r >= D_A0 && r < D_A0+NREG)
- sprint(str, "A%d", r-D_A0);
+ snprint(str, sizeof str, "A%d", r-D_A0);
else
if(r >= D_F0 && r < D_F0+NREG)
- sprint(str, "F%d", r-D_F0);
+ snprint(str, sizeof str, "F%d", r-D_F0);
else
switch(r) {
default:
- sprint(str, "gok(%d)", r);
+ snprint(str, sizeof str, "gok(%d)", r);
break;
case D_NONE:
- sprint(str, "NONE");
+ snprint(str, sizeof str, "NONE");
break;
case D_TOS:
- sprint(str, "TOS");
+ snprint(str, sizeof str, "TOS");
break;
case D_CCR:
- sprint(str, "CCR");
+ snprint(str, sizeof str, "CCR");
break;
case D_SR:
- sprint(str, "SR");
+ snprint(str, sizeof str, "SR");
break;
case D_SFC:
- sprint(str, "SFC");
+ snprint(str, sizeof str, "SFC");
break;
case D_DFC:
- sprint(str, "DFC");
+ snprint(str, sizeof str, "DFC");
break;
case D_CACR:
- sprint(str, "CACR");
+ snprint(str, sizeof str, "CACR");
break;
case D_USP:
- sprint(str, "USP");
+ snprint(str, sizeof str, "USP");
break;
case D_VBR:
- sprint(str, "VBR");
+ snprint(str, sizeof str, "VBR");
break;
case D_CAAR:
- sprint(str, "CAAR");
+ snprint(str, sizeof str, "CAAR");
break;
case D_MSP:
- sprint(str, "MSP");
+ snprint(str, sizeof str, "MSP");
break;
case D_ISP:
- sprint(str, "ISP");
+ snprint(str, sizeof str, "ISP");
break;
case D_FPCR:
- sprint(str, "FPCR");
+ snprint(str, sizeof str, "FPCR");
break;
case D_FPSR:
- sprint(str, "FPSR");
+ snprint(str, sizeof str, "FPSR");
break;
case D_FPIAR:
- sprint(str, "FPIAR");
+ snprint(str, sizeof str, "FPIAR");
break;
case D_TREE:
- sprint(str, "TREE");
+ snprint(str, sizeof str, "TREE");
break;
case D_TC:
- sprint(str, "TC");
+ snprint(str, sizeof str, "TC");
break;
case D_ITT0:
- sprint(str, "ITT0");
+ snprint(str, sizeof str, "ITT0");
break;
case D_ITT1:
- sprint(str, "ITT1");
+ snprint(str, sizeof str, "ITT1");
break;
case D_DTT0:
- sprint(str, "DTT0");
+ snprint(str, sizeof str, "DTT0");
break;
case D_DTT1:
- sprint(str, "DTT1");
+ snprint(str, sizeof str, "DTT1");
break;
case D_MMUSR:
- sprint(str, "MMUSR");
+ snprint(str, sizeof str, "MMUSR");
break;
case D_URP:
- sprint(str, "URP");
+ snprint(str, sizeof str, "URP");
break;
case D_SRP:
- sprint(str, "SRP");
+ snprint(str, sizeof str, "SRP");
break;
}
return fmtstrcpy(fp, str);
diff --git a/sys/src/cmd/2l/obj.c b/sys/src/cmd/2l/obj.c
index cd67ce9e8..70f8f1502 100644
--- a/sys/src/cmd/2l/obj.c
+++ b/sys/src/cmd/2l/obj.c
@@ -308,11 +308,9 @@ objfile(char *file)
if(file[0] == '-' && file[1] == 'l') {
if(debug['9'])
- sprint(name, "/%s/lib/lib", thestring);
+ snprint(name, sizeof name, "/%s/lib/lib%s.a", thestring, file+2);
else
- sprint(name, "/usr/%clib/lib", thechar);
- strcat(name, file+2);
- strcat(name, ".a");
+ snprint(name, sizeof name, "/usr/%clib/lib%s.a", thechar, file+2);
file = name;
}
if(debug['v'])
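Review bot: `snprint` truncates silently, so a `-l` argument long enough to overflow `name` now yields a shortened path (possibly without the `.a` suffix), and the linker goes on to open whatever that shortened path names instead of failing. The result is not checked in either branch. After formatting, treat a completely filled buffer as an error, e.g. `if(strlen(name) == sizeof name - 1)` followed by the linker's usual diagnostic and an early exit, rather than assigning `file = name`. The `pname` formatting in the next hunk truncates the same way, though there the string is only visibly used for the verbose listing. objfile's body continues outside this hunk.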
@@ -370,7 +368,7 @@ objfile(char *file)
s = lookup(e+5, 0);
if(s->type != SXREF)
continue;
- sprint(pname, "%s(%s)", file, s->name);
+ snprint(pname, sizeof pname, "%s(%s)", file, s->name);
if(debug['v'])
Bprint(&bso, "%5.2f library: %s\n", cputime(), pname);
Bflush(&bso);
@@ -539,17 +537,17 @@ addlib(char *obj)
return;
if(histfrog[0]->name[1] == '/') {
- sprint(name, "");
+ name[0] = 0;
i = 1;
} else
if(histfrog[0]->name[1] == '.') {
- sprint(name, ".");
+ snprint(name, sizeof name, ".");
i = 0;
} else {
if(debug['9'])
- sprint(name, "/%s/lib", thestring);
+ snprint(name, sizeof name, "/%s/lib", thestring);
else
- sprint(name, "/usr/%clib", thechar);
+ snprint(name, sizeof name, "/usr/%clib", thechar);
i = 0;
}