author | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-02-17 22:13:35 +0100 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-02-17 22:13:35 +0100 |
commit | 03feba8cc1a68da8882bfc90d182365308a00743 (patch) | |
tree | 7abec9fa0987ffd70ae30dffb7496d34d1d32241 /sys/src/cmd/6l/list.c | |
parent | fdeea811b7f309e1bd542a0a23fd382e332b2c2e (diff) |
[125678kqv][cl]: fix sprint() and strcpy() buffer overflows
Diffstat (limited to 'sys/src/cmd/6l/list.c')
-rw-r--r-- | sys/src/cmd/6l/list.c | 50 |
1 files changed, 24 insertions, 26 deletions
diff --git a/sys/src/cmd/6l/list.c b/sys/src/cmd/6l/list.c index 1109b02f6..6aefc0e15 100644 --- a/sys/src/cmd/6l/list.c +++ b/sys/src/cmd/6l/list.c @@ -24,18 +24,18 @@ Pconv(Fmt *fp) switch(p->as) { case ATEXT: if(p->from.scale) { - sprint(str, "(%ld) %A %D,%d,%D", + snprint(str, sizeof str, "(%ld) %A %D,%d,%D", p->line, p->as, &p->from, p->from.scale, &p->to); break; } default: - sprint(str, "(%ld) %A %D,%D", + snprint(str, sizeof str, "(%ld) %A %D,%D", p->line, p->as, &p->from, &p->to); break; case ADATA: case AINIT: case ADYNT: - sprint(str, "(%ld) %A %D/%d,%D", + snprint(str, sizeof str, "(%ld) %A %D/%d,%D", p->line, p->as, &p->from, p->from.scale, &p->to); break; } @@ -55,7 +55,7 @@ Aconv(Fmt *fp) int Dconv(Fmt *fp) { - char str[40], s[20]; + char str[40]; Adr *a; int i; @@ -63,18 +63,18 @@ Dconv(Fmt *fp) i = a->type; if(i >= D_INDIR) { if(a->offset) - sprint(str, "%lld(%R)", a->offset, i-D_INDIR); + snprint(str, sizeof str, "%lld(%R)", a->offset, i-D_INDIR); else - sprint(str, "(%R)", i-D_INDIR); + snprint(str, sizeof str, "(%R)", i-D_INDIR); goto brk; } switch(i) { default: if(a->offset) - sprint(str, "$%lld,%R", a->offset, i); + snprint(str, sizeof str, "$%lld,%R", a->offset, i); else - sprint(str, "%R", i); + snprint(str, sizeof str, "%R", i); break; case D_NONE: 
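Review bot: Bounding the writes with `snprint(str, sizeof str, ...)` turns the overflow into silent truncation, and in Dconv the buffer is still `char str[40]` (second hunk). The later Dconv hunk formats `a->sym->name` into it (D_BRANCH, D_EXTERN, D_STATIC, D_AUTO, D_PARAM), so with `"%s+%lld(SB)"` a symbol name longer than 33 bytes is cut off in the listing with no indication. In Pconv and Rconv the declaration of `str` is outside the hunks, so it is worth confirming it is an array there, since `sizeof str` on a pointer would bound the write to the pointer size instead. I would at least record the limit at the declaration, e.g. `/* listing text only: snprint truncates operands longer than sizeof str */`, and longer term print straight into `fp` with `fmtprint`, as the new `brk:` path already does.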
@@ -84,59 +84,57 @@ Dconv(Fmt *fp) case D_BRANCH: if(bigP != P && bigP->pcond != P) if(a->sym != S) - sprint(str, "%llux+%s", bigP->pcond->pc, + snprint(str, sizeof str, "%llux+%s", bigP->pcond->pc, a->sym->name); else - sprint(str, "%llux", bigP->pcond->pc); + snprint(str, sizeof str, "%llux", bigP->pcond->pc); else - sprint(str, "%lld(PC)", a->offset); + snprint(str, sizeof str, "%lld(PC)", a->offset); break; case D_EXTERN: - sprint(str, "%s+%lld(SB)", a->sym->name, a->offset); + snprint(str, sizeof str, "%s+%lld(SB)", a->sym->name, a->offset); break; case D_STATIC: - sprint(str, "%s<%d>+%lld(SB)", a->sym->name, + snprint(str, sizeof str, "%s<%d>+%lld(SB)", a->sym->name, a->sym->version, a->offset); break; case D_AUTO: - sprint(str, "%s+%lld(SP)", a->sym->name, a->offset); + snprint(str, sizeof str, "%s+%lld(SP)", a->sym->name, a->offset); break; case D_PARAM: if(a->sym) - sprint(str, "%s+%lld(%s)", a->sym->name, a->offset, paramspace); + snprint(str, sizeof str, "%s+%lld(%s)", a->sym->name, a->offset, paramspace); else - sprint(str, "%lld(%s)", a->offset, paramspace); + snprint(str, sizeof str, "%lld(%s)", a->offset, paramspace); break; case D_CONST: - sprint(str, "$%lld", a->offset); + snprint(str, sizeof str, "$%lld", a->offset); break; case D_FCONST: - sprint(str, "$(%.8lux,%.8lux)", a->ieee.h, a->ieee.l); + snprint(str, sizeof str, "$(%.8lux,%.8lux)", a->ieee.h, a->ieee.l); break; case D_SCONST: - sprint(str, "$\"%S\"", a->scon); + snprint(str, sizeof str, "$\"%S\"", a->scon); break; case D_ADDR: a->type = a->index; a->index = D_NONE; - sprint(str, "$%D", a); + snprint(str, sizeof str, "$%D", a); a->index = a->type; a->type = D_ADDR; goto conv; } brk: - if(a->index != D_NONE) { - sprint(s, "(%R*%d)", a->index, a->scale); - strcat(str, s); - } + if(a->index != D_NONE) + return fmtprint(fp, "%s(%R*%d)", str, a->index, a->scale); conv: return fmtstrcpy(fp, str); } 
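Review bot: The D_EXTERN, D_STATIC and D_AUTO cases dereference `a->sym->name` with no guard, while D_BRANCH tests `a->sym != S` and D_PARAM tests `if(a->sym)` in the same switch. Whether the loader guarantees a symbol for those operand types is not visible here; if it does not, an object file carrying such an operand without a symbol would crash the listing code on a nil dereference. Mirroring the D_PARAM fallback would close the gap, for example in D_AUTO: `if(a->sym == S) { snprint(str, sizeof str, "%lld(SP)", a->offset); break; }`. Dconv begins before this hunk.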
@@ -276,9 +274,9 @@ Rconv(Fmt *fp) r = va_arg(fp->args, int); if(r >= D_AL && r <= D_NONE) - sprint(str, "%s", regstr[r-D_AL]); + snprint(str, sizeof str, "%s", regstr[r-D_AL]); else - sprint(str, "gok(%d)", r); + snprint(str, sizeof str, "gok(%d)", r); return fmtstrcpy(fp, str); } |