author | Bruce Momjian | 2002-08-15 02:58:29 +0000 |
---|---|---|
committer | Bruce Momjian | 2002-08-15 02:58:29 +0000 |
commit | 66eb8df6a4a04922e34dcb2dc543fe231b94903d (patch) | |
tree | 784f595e15219b79a7f4d609b174c155a5c310f7 /contrib/dbase/dbf.c | |
parent | 7f4981f4af1700456f98ac3f2b2d84959919ec81 (diff) |
The attached patch changes most of the usages of sprintf() to
snprintf() in contrib/. I didn't touch the places where pointer
arithmetic was being used, or other areas where the fix wasn't
trivial. I would think that few, if any, of the usages of sprintf()
were actually exploitable, but it's probably better to be paranoid...
Neil Conway
Diffstat (limited to 'contrib/dbase/dbf.c')
-rw-r--r-- | contrib/dbase/dbf.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/contrib/dbase/dbf.c b/contrib/dbase/dbf.c index 053e9adffb..357966b499 100644 --- a/contrib/dbase/dbf.c +++ b/contrib/dbase/dbf.c @@ -437,7 +437,7 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where) format: sprintf format-string to get the right precision with real numbers NOTE: this declaration of 'foo' can cause overflow when the contents-field - is longer the 127 chars (which is highly unlikely, cos it is not used + is longer the 127 chars (which is highly unlikely, because it is not used in text-fields). */ /* REMEMBER THAT THERE'S A 0x1A AT THE END OF THE FILE, SO DON'T @@ -488,11 +488,11 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where) if ((rec[t].db_type == 'N') && (rec[t].db_dec != 0)) { fl = atof(rec[t].db_contents); - sprintf(format, "%%.%df", rec[t].db_dec); - sprintf(foo, format, fl); + snprintf(format, 32, "%%.%df", rec[t].db_dec); + snprintf(foo, 128, format, fl); } else - strcpy(foo, rec[t].db_contents); + strncpy(foo, rec[t].db_contents, 128); if (strlen(foo) > rec[t].db_flen) length = rec[t].db_flen; else |
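Review bot: The `strncpy(foo, rec[t].db_contents, 128)` in the `else` branch of the second hunk leaves `foo` without a terminating NUL whenever `db_contents` holds 128 bytes or more, and the very next context line calls `strlen(foo)`, which would then read past the end of the buffer. The write is now bounded but the read is not; a form that always terminates, such as `snprintf(foo, 128, "%s", rec[t].db_contents);`, covers both. The declarations of `foo` and `format` are outside the hunk (the comment in the first hunk suggests a 128-byte `foo`), so the literals `32` and `128` cannot be checked from here; if both are local arrays, `sizeof(format)` and `sizeof(foo)` would keep the bounds tied to the declarations. The body of dbf_put_record starts and ends outside the hunk.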