[125678kqv][cl]: fix sprint() and strcpy() buffer overflows

author: cinap_lenrek <cinap_lenrek@felloff.net> 2015-02-17 22:13:35 +0100
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2015-02-17 22:13:35 +0100
commit: 03feba8cc1a68da8882bfc90d182365308a00743 (patch)
tree: 7abec9fa0987ffd70ae30dffb7496d34d1d32241 /sys/src/cmd/5l
parent: fdeea811b7f309e1bd542a0a23fd382e332b2c2e (diff)
2 files changed, 59 insertions, 63 deletions
diff --git a/sys/src/cmd/5l/list.c b/sys/src/cmd/5l/list.c
index 1a3a4527c..2422bcc0f 100644
--- a/sys/src/cmd/5l/list.c
+++ b/sys/src/cmd/5l/list.c
@@ -21,7 +21,7 @@ prasm(Prog *p)
 int
 Pconv(Fmt *fp)
 {
-	char str[STRINGSZ], *s;
+	char str[STRINGSZ];
 	Prog *p;
 	int a;
 
@@ -30,30 +30,28 @@ Pconv(Fmt *fp)
 	a = p->as;
 	switch(a) {
 	default:
-		s = str;
-		s += sprint(s, "(%ld)", p->line);
 		if(p->reg == NREG)
-			sprint(s, "	%A%C	%D,%D",
-				a, p->scond, &p->from, &p->to);
+			snprint(str, sizeof str, "(%ld)	%A%C	%D,%D",
+				p->line, a, p->scond, &p->from, &p->to);
 		else
 		if(p->from.type != D_FREG)
-			sprint(s, "	%A%C	%D,R%d,%D",
-				a, p->scond, &p->from, p->reg, &p->to);
+			snprint(str, sizeof str, "(%ld)	%A%C	%D,R%d,%D",
+				p->line, a, p->scond, &p->from, p->reg, &p->to);
 		else
-			sprint(s, "	%A%C	%D,F%d,%D",
-				a, p->scond, &p->from, p->reg, &p->to);
+			snprint(str, sizeof str, "(%ld)	%A%C	%D,F%d,%D",
+				p->line, a, p->scond, &p->from, p->reg, &p->to);
 		break;
 
 	case ASWPW:
 	case ASWPBU:
-		sprint(str, "(%ld)	%A%C	R%d,%D,%D",
+		snprint(str, sizeof str, "(%ld)	%A%C	R%d,%D,%D",
 			p->line, a, p->scond, p->reg, &p->from, &p->to);
 		break;
 
 	case ADATA:
 	case AINIT:
 	case ADYNT:
-		sprint(str, "(%ld)	%A%C	%D/%d,%D",
+		snprint(str, sizeof str, "(%ld)	%A%C	%D/%d,%D",
 			p->line, a, p->scond, &p->from, p->reg, &p->to);
 		break;
 	}
@@ -124,94 +122,94 @@ Dconv(Fmt *fp)
 	switch(a->type) {
 
 	default:
-		sprint(str, "GOK-type(%d)", a->type);
+		snprint(str, sizeof str, "GOK-type(%d)", a->type);
 		break;
 
 	case D_NONE:
 		str[0] = 0;
 		if(a->name != D_NONE || a->reg != NREG || a->sym != S)
-			sprint(str, "%N(R%d)(NONE)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(NONE)", a, a->reg);
 		break;
 
 	case D_CONST:
 		if(a->reg == NREG)
-			sprint(str, "$%N", a);
+			snprint(str, sizeof str, "$%N", a);
 		else
-			sprint(str, "$%N(R%d)", a, a->reg);
+			snprint(str, sizeof str, "$%N(R%d)", a, a->reg);
 		break;
 
 	case D_SHIFT:
 		v = a->offset;
 		op = "<<>>->@>" + (((v>>5) & 3) << 1);
 		if(v & (1<<4))
-			sprint(str, "R%ld%c%cR%ld", v&15, op[0], op[1], (v>>8)&15);
+			snprint(str, sizeof str, "R%ld%c%cR%ld", v&15, op[0], op[1], (v>>8)&15);
 		else
-			sprint(str, "R%ld%c%c%ld", v&15, op[0], op[1], (v>>7)&31);
+			snprint(str, sizeof str, "R%ld%c%c%ld", v&15, op[0], op[1], (v>>7)&31);
 		if(a->reg != NREG)
-			sprint(str+strlen(str), "(R%d)", a->reg);
+			snprint(str+strlen(str), sizeof(str)-strlen(str), "(R%d)", a->reg);
 		break;
 
 	case D_OCONST:
-		sprint(str, "$*$%N", a);
+		snprint(str, sizeof str, "$*$%N", a);
 		if(a->reg != NREG)
-			sprint(str, "%N(R%d)(CONST)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(CONST)", a, a->reg);
 		break;
 
 	case D_OREG:
 		if(a->reg != NREG)
-			sprint(str, "%N(R%d)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)", a, a->reg);
 		else
-			sprint(str, "%N", a);
+			snprint(str, sizeof str, "%N", a);
 		break;
 
 	case D_REG:
-		sprint(str, "R%d", a->reg);
+		snprint(str, sizeof str, "R%d", a->reg);
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(R%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(REG)", a, a->reg);
 		break;
 
 	case D_REGREG:
-		sprint(str, "(R%d,R%d)", a->reg, (int)a->offset);
+		snprint(str, sizeof str, "(R%d,R%d)", a->reg, (int)a->offset);
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(R%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(REG)", a, a->reg);
 		break;
 
 	case D_FREG:
-		sprint(str, "F%d", a->reg);
+		snprint(str, sizeof str, "F%d", a->reg);
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(R%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(REG)", a, a->reg);
 		break;
 
 	case D_PSR:
 		switch(a->reg) {
 		case 0:
-			sprint(str, "CPSR");
+			snprint(str, sizeof str, "CPSR");
 			break;
 		case 1:
-			sprint(str, "SPSR");
+			snprint(str, sizeof str, "SPSR");
 			break;
 		default:
-			sprint(str, "PSR%d", a->reg);
+			snprint(str, sizeof str, "PSR%d", a->reg);
 			break;
 		}
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(PSR%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(PSR%d)(REG)", a, a->reg);
 		break;
 
 	case D_FPCR:
 		switch(a->reg){
 		case 0:
-			sprint(str, "FPSR");
+			snprint(str, sizeof str, "FPSR");
 			break;
 		case 1:
-			sprint(str, "FPCR");
+			snprint(str, sizeof str, "FPCR");
 			break;
 		default:
-			sprint(str, "FCR%d", a->reg);
+			snprint(str, sizeof str, "FCR%d", a->reg);
 			break;
 		}
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(FCR%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(FCR%d)(REG)", a, a->reg);
 
 		break;
 
@@ -219,22 +217,22 @@ Dconv(Fmt *fp)
 		if(curp->cond != P) {
 			v = curp->cond->pc;
 			if(a->sym != S)
-				sprint(str, "%s+%.5lux(BRANCH)", a->sym->name, v);
+				snprint(str, sizeof str, "%s+%.5lux(BRANCH)", a->sym->name, v);
 			else
-				sprint(str, "%.5lux(BRANCH)", v);
+				snprint(str, sizeof str, "%.5lux(BRANCH)", v);
 		} else
 			if(a->sym != S)
-				sprint(str, "%s+%ld(APC)", a->sym->name, a->offset);
+				snprint(str, sizeof str, "%s+%ld(APC)", a->sym->name, a->offset);
 			else
-				sprint(str, "%ld(APC)", a->offset);
+				snprint(str, sizeof str, "%ld(APC)", a->offset);
 		break;
 
 	case D_FCONST:
-		sprint(str, "$%e", ieeedtod(a->ieee));
+		snprint(str, sizeof str, "$%e", ieeedtod(a->ieee));
 		break;
 
 	case D_SCONST:
-		sprint(str, "$\"%S\"", a->sval);
+		snprint(str, sizeof str, "$\"%S\"", a->sval);
 		break;
 	}
 	return fmtstrcpy(fp, str);
@@ -251,39 +249,39 @@ Nconv(Fmt *fp)
 	s = a->sym;
 	switch(a->name) {
 	default:
-		sprint(str, "GOK-name(%d)", a->name);
+		snprint(str, sizeof str, "GOK-name(%d)", a->name);
 		break;
 
 	case D_NONE:
-		sprint(str, "%ld", a->offset);
+		snprint(str, sizeof str, "%ld", a->offset);
 		break;
 
 	case D_EXTERN:
 		if(s == S)
-			sprint(str, "%ld(SB)", a->offset);
+			snprint(str, sizeof str, "%ld(SB)", a->offset);
 		else
-			sprint(str, "%s+%ld(SB)", s->name, a->offset);
+			snprint(str, sizeof str, "%s+%ld(SB)", s->name, a->offset);
 		break;
 
 	case D_STATIC:
 		if(s == S)
-			sprint(str, "<>+%ld(SB)", a->offset);
+			snprint(str, sizeof str, "<>+%ld(SB)", a->offset);
 		else
-			sprint(str, "%s<>+%ld(SB)", s->name, a->offset);
+			snprint(str, sizeof str, "%s<>+%ld(SB)", s->name, a->offset);
 		break;
 
 	case D_AUTO:
 		if(s == S)
-			sprint(str, "%ld(SP)", a->offset);
+			snprint(str, sizeof str, "%ld(SP)", a->offset);
 		else
-			sprint(str, "%s-%ld(SP)", s->name, -a->offset);
+			snprint(str, sizeof str, "%s-%ld(SP)", s->name, -a->offset);
 		break;
 
 	case D_PARAM:
 		if(s == S)
-			sprint(str, "%ld(FP)", a->offset);
+			snprint(str, sizeof str, "%ld(FP)", a->offset);
 		else
-			sprint(str, "%s+%ld(FP)", s->name, a->offset);
+			snprint(str, sizeof str, "%s+%ld(FP)", s->name, a->offset);
 		break;
 	}
 	return fmtstrcpy(fp, str);
diff --git a/sys/src/cmd/5l/obj.c b/sys/src/cmd/5l/obj.c
index f7096a1d7..218579230 100644
--- a/sys/src/cmd/5l/obj.c
+++ b/sys/src/cmd/5l/obj.c
@@ -335,11 +335,9 @@ objfile(char *file)
 
 	if(file[0] == '-' && file[1] == 'l') {
 		if(debug['9'])
-			sprint(name, "/%s/lib/lib", thestring);
+			snprint(name, sizeof name, "/%s/lib/lib%s.a", thestring, file+2);
 		else
-			sprint(name, "/usr/%clib/lib", thechar);
-		strcat(name, file+2);
-		strcat(name, ".a");
+			snprint(name, sizeof name, "/usr/%clib/lib%s.a", thechar, file+2);
 		file = name;
 	}
 	if(debug['v'])
@@ -399,7 +397,7 @@ objfile(char *file)
 			s = lookup(e+5, 0);
 			if(s->type != SXREF)
 				continue;
-			sprint(pname, "%s(%s)", file, s->name);
+			snprint(pname, sizeof pname, "%s(%s)", file, s->name);
 			if(debug['v'])
 				Bprint(&bso, "%5.2f library: %s\n", cputime(), pname);
 			Bflush(&bso);
@@ -550,17 +548,17 @@ addlib(char *obj)
 		return;
 
 	if(histfrog[0]->name[1] == '/') {
-		sprint(name, "");
+		name[0] = 0;
 		i = 1;
 	} else
 	if(histfrog[0]->name[1] == '.') {
-		sprint(name, ".");
+		snprint(name, sizeof name, ".");
 		i = 0;
 	} else {
 		if(debug['9'])
-			sprint(name, "/%s/lib", thestring);
+			snprint(name, sizeof name, "/%s/lib", thestring);
 		else
-			sprint(name, "/usr/%clib", thechar);
+			snprint(name, sizeof name, "/usr/%clib", thechar);
 		i = 0;
 	}
 
@@ -1009,7 +1007,7 @@ loop:
 
 		if(p->from.type == D_FCONST && chipfloat(p->from.ieee) < 0) {
 			/* size sb 9 max */
-			sprint(literal, "$%lux", ieeedtof(p->from.ieee));
+			snprint(literal, sizeof literal, "$%lux", ieeedtof(p->from.ieee));
 			s = lookup(literal, 0);
 			if(s->type == 0) {
 				s->type = SBSS;
@@ -1038,7 +1036,7 @@ loop:
 
 		if(p->from.type == D_FCONST && chipfloat(p->from.ieee) < 0) {
 			/* size sb 18 max */
-			sprint(literal, "$%lux.%lux",
+			snprint(literal, sizeof literal, "$%lux.%lux",
 				p->from.ieee->l, p->from.ieee->h);
 			s = lookup(literal, 0);
 			if(s->type == 0) {
author	cinap_lenrek <cinap_lenrek@felloff.net>	2015-02-17 22:13:35 +0100
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2015-02-17 22:13:35 +0100
commit	03feba8cc1a68da8882bfc90d182365308a00743 (patch)
tree	7abec9fa0987ffd70ae30dffb7496d34d1d32241 /sys/src/cmd/5l
parent	fdeea811b7f309e1bd542a0a23fd382e332b2c2e (diff)