From 03feba8cc1a68da8882bfc90d182365308a00743 Mon Sep 17 00:00:00 2001
From: cinap_lenrek <cinap_lenrek@felloff.net>
Date: Tue, 17 Feb 2015 22:13:35 +0100
Subject: [125678kqv][cl]: fix sprint() and strcpy() buffer overflows

---
 sys/src/cmd/5c/list.c | 88 +++++++++++++++++++++++++--------------------------
 1 file changed, 43 insertions(+), 45 deletions(-)

(limited to 'sys/src/cmd/5c')

diff --git a/sys/src/cmd/5c/list.c b/sys/src/cmd/5c/list.c
index d50f07db6..9aa4d312a 100644
--- a/sys/src/cmd/5c/list.c
+++ b/sys/src/cmd/5c/list.c
@@ -21,20 +21,18 @@ Bconv(Fmt *fp)
 	Bits bits;
 	int i;
 
-	str[0] = 0;
+	memset(str, 0, sizeof str);
 	bits = va_arg(fp->args, Bits);
 	while(bany(&bits)) {
 		i = bnum(bits);
 		if(str[0])
-			strcat(str, " ");
+			strncat(str, " ", sizeof str - 1);
 		if(var[i].sym == S) {
-			sprint(ss, "$%ld", var[i].offset);
+			snprint(ss, sizeof ss, "$%ld", var[i].offset);
 			s = ss;
 		} else
 			s = var[i].sym->name;
-		if(strlen(str) + strlen(s) + 1 >= STRINGSZ)
-			break;
-		strcat(str, s);
+		strncat(str, s, sizeof str - 1);
 		bits.b[i/32] &= ~(1L << (i%32));
 	}
 	return fmtstrcpy(fp, str);
@@ -68,26 +66,26 @@ Pconv(Fmt *fp)
 		strcat(sc, ".U");
 	if(a == AMOVM) {
 		if(p->from.type == D_CONST)
-			sprint(str, "	%A%s	%R,%D", a, sc, &p->from, &p->to);
+			snprint(str, sizeof str, "	%A%s	%R,%D", a, sc, &p->from, &p->to);
 		else
 		if(p->to.type == D_CONST)
-			sprint(str, "	%A%s	%D,%R", a, sc, &p->from, &p->to);
+			snprint(str, sizeof str, "	%A%s	%D,%R", a, sc, &p->from, &p->to);
 		else
-			sprint(str, "	%A%s	%D,%D", a, sc, &p->from, &p->to);
+			snprint(str, sizeof str, "	%A%s	%D,%D", a, sc, &p->from, &p->to);
 	} else
 	if(a == ADATA)
-		sprint(str, "	%A	%D/%d,%D", a, &p->from, p->reg, &p->to);
+		snprint(str, sizeof str, "	%A	%D/%d,%D", a, &p->from, p->reg, &p->to);
 	else
 	if(p->as == ATEXT)
-		sprint(str, "	%A	%D,%d,%D", a, &p->from, p->reg, &p->to);
+		snprint(str, sizeof str, "	%A	%D,%d,%D", a, &p->from, p->reg, &p->to);
 	else
 	if(p->reg == NREG)
-		sprint(str, "	%A%s	%D,%D", a, sc, &p->from, &p->to);
+		snprint(str, sizeof str, "	%A%s	%D,%D", a, sc, &p->from, &p->to);
 	else
 	if(p->from.type != D_FREG)
-		sprint(str, "	%A%s	%D,R%d,%D", a, sc, &p->from, p->reg, &p->to);
+		snprint(str, sizeof str, "	%A%s	%D,R%d,%D", a, sc, &p->from, p->reg, &p->to);
 	else
-		sprint(str, "	%A%s	%D,F%d,%D", a, sc, &p->from, p->reg, &p->to);
+		snprint(str, sizeof str, "	%A%s	%D,F%d,%D", a, sc, &p->from, p->reg, &p->to);
 	return fmtstrcpy(fp, str);
 }
 
@@ -116,68 +114,68 @@ Dconv(Fmt *fp)
 	switch(a->type) {
 
 	default:
-		sprint(str, "GOK-type(%d)", a->type);
+		snprint(str, sizeof str, "GOK-type(%d)", a->type);
 		break;
 
 	case D_NONE:
 		str[0] = 0;
 		if(a->name != D_NONE || a->reg != NREG || a->sym != S)
-			sprint(str, "%N(R%d)(NONE)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(NONE)", a, a->reg);
 		break;
 
 	case D_CONST:
 		if(a->reg != NREG)
-			sprint(str, "$%N(R%d)", a, a->reg);
+			snprint(str, sizeof str, "$%N(R%d)", a, a->reg);
 		else
-			sprint(str, "$%N", a);
+			snprint(str, sizeof str, "$%N", a);
 		break;
 
 	case D_SHIFT:
 		v = a->offset;
 		op = "<<>>->@>" + (((v>>5) & 3) << 1);
 		if(v & (1<<4))
-			sprint(str, "R%d%c%cR%d", v&15, op[0], op[1], (v>>8)&15);
+			snprint(str, sizeof str, "R%d%c%cR%d", v&15, op[0], op[1], (v>>8)&15);
 		else
-			sprint(str, "R%d%c%c%d", v&15, op[0], op[1], (v>>7)&31);
+			snprint(str, sizeof str, "R%d%c%c%d", v&15, op[0], op[1], (v>>7)&31);
 		if(a->reg != NREG)
-			sprint(str+strlen(str), "(R%d)", a->reg);
+			snprint(str+strlen(str), sizeof(str)-strlen(str), "(R%d)", a->reg);
 		break;
 
 	case D_OREG:
 		if(a->reg != NREG)
-			sprint(str, "%N(R%d)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)", a, a->reg);
 		else
-			sprint(str, "%N", a);
+			snprint(str, sizeof str, "%N", a);
 		break;
 
 	case D_REG:
-		sprint(str, "R%d", a->reg);
+		snprint(str, sizeof str, "R%d", a->reg);
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(R%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(REG)", a, a->reg);
 		break;
 
 	case D_FREG:
-		sprint(str, "F%d", a->reg);
+		snprint(str, sizeof str, "F%d", a->reg);
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(R%d)(REG)", a, a->reg);
+			snprint(str, sizeof str, "%N(R%d)(REG)", a, a->reg);
 		break;
 
 	case D_PSR:
-		sprint(str, "PSR");
+		snprint(str, sizeof str, "PSR");
 		if(a->name != D_NONE || a->sym != S)
-			sprint(str, "%N(PSR)(REG)", a);
+			snprint(str, sizeof str, "%N(PSR)(REG)", a);
 		break;
 
 	case D_BRANCH:
-		sprint(str, "%ld(PC)", a->offset-pc);
+		snprint(str, sizeof str, "%ld(PC)", a->offset-pc);
 		break;
 
 	case D_FCONST:
-		sprint(str, "$%.17e", a->dval);
+		snprint(str, sizeof str, "$%.17e", a->dval);
 		break;
 
 	case D_SCONST:
-		sprint(str, "$\"%S\"", a->sval);
+		snprint(str, sizeof str, "$\"%S\"", a->sval);
 		break;
 	}
 	return fmtstrcpy(fp, str);
@@ -191,7 +189,7 @@ Rconv(Fmt *fp)
 	int i, v;
 
 	a = va_arg(fp->args, Adr*);
-	sprint(str, "GOK-reglist");
+	snprint(str, sizeof str, "GOK-reglist");
 	switch(a->type) {
 	case D_CONST:
 		if(a->reg != NREG)
@@ -199,17 +197,17 @@ Rconv(Fmt *fp)
 		if(a->sym != S)
 			break;
 		v = a->offset;
-		strcpy(str, "");
+		memset(str, 0, sizeof str);
 		for(i=0; i<NREG; i++) {
 			if(v & (1<<i)) {
 				if(str[0] == 0)
-					strcat(str, "[R");
+					strncat(str, "[R", sizeof str - 1);
 				else
-					strcat(str, ",R");
-				sprint(strchr(str, 0), "%d", i);
+					strncat(str, ",R", sizeof str - 1);
+				snprint(str+strlen(str), sizeof(str)-strlen(str), "%d", i);
 			}
 		}
-		strcat(str, "]");
+		strncat(str, "]", sizeof str - 1);
 	}
 	return fmtstrcpy(fp, str);
 }
@@ -271,32 +269,32 @@ Nconv(Fmt *fp)
 	a = va_arg(fp->args, Adr*);
 	s = a->sym;
 	if(s == S) {
-		sprint(str, "%ld", a->offset);
+		snprint(str, sizeof str, "%ld", a->offset);
 		goto out;
 	}
 	switch(a->name) {
 	default:
-		sprint(str, "GOK-name(%d)", a->name);
+		snprint(str, sizeof str, "GOK-name(%d)", a->name);
 		break;
 
 	case D_NONE:
-		sprint(str, "%ld", a->offset);
+		snprint(str, sizeof str, "%ld", a->offset);
 		break;
 
 	case D_EXTERN:
-		sprint(str, "%s+%ld(SB)", s->name, a->offset);
+		snprint(str, sizeof str, "%s+%ld(SB)", s->name, a->offset);
 		break;
 
 	case D_STATIC:
-		sprint(str, "%s<>+%ld(SB)", s->name, a->offset);
+		snprint(str, sizeof str, "%s<>+%ld(SB)", s->name, a->offset);
 		break;
 
 	case D_AUTO:
-		sprint(str, "%s-%ld(SP)", s->name, -a->offset);
+		snprint(str, sizeof str, "%s-%ld(SP)", s->name, -a->offset);
 		break;
 
 	case D_PARAM:
-		sprint(str, "%s+%ld(FP)", s->name, a->offset);
+		snprint(str, sizeof str, "%s+%ld(FP)", s->name, a->offset);
 		break;
 	}
 out:
-- 
cgit v1.2.3