From 66eb8df6a4a04922e34dcb2dc543fe231b94903d Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Thu, 15 Aug 2002 02:58:29 +0000
Subject: The attached patch changes most of the usages of sprintf() to snprintf() in contrib/. I didn't touch the places where pointer arithmatic was being used, or other areas where the fix wasn't trivial. I would think that few, if any, of the usages of sprintf() were actually exploitable, but it's probably better to be paranoid... Neil Conway
---
 contrib/dbase/dbf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'contrib/dbase/dbf.c')
diff --git a/contrib/dbase/dbf.c b/contrib/dbase/dbf.c
index 053e9adffb..357966b499 100644
--- a/contrib/dbase/dbf.c
+++ b/contrib/dbase/dbf.c
@@ -437,7 +437,7 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
 format: sprintf format-string to get the right precision with real numbers
 NOTE: this declaration of 'foo' can cause overflow when the contents-field
- is longer the 127 chars (which is highly unlikely, cos it is not used
+ is longer the 127 chars (which is highly unlikely, because it is not used
 in text-fields).
 */
 /* REMEMBER THAT THERE'S A 0x1A AT THE END OF THE FILE, SO DON'T
@@ -488,11 +488,11 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
 if ((rec[t].db_type == 'N') && (rec[t].db_dec != 0))
 {
 fl = atof(rec[t].db_contents);
- sprintf(format, "%%.%df", rec[t].db_dec);
- sprintf(foo, format, fl);
+ snprintf(format, 32, "%%.%df", rec[t].db_dec);
+ snprintf(foo, 128, format, fl);
 }
 else
- strcpy(foo, rec[t].db_contents);
+ strncpy(foo, rec[t].db_contents, 128);
 if (strlen(foo) > rec[t].db_flen)
 length = rec[t].db_flen;
 else
--
cgit v1.2.3
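Review bot: In the `@@ -488,11 +488,11 @@` hunk, `strncpy(foo, rec[t].db_contents, 128);` leaves `foo` without a terminating NUL whenever `db_contents` holds 128 or more bytes, and the next line calls `strlen(foo)`, which would then read past the end of the buffer. A copy that always terminates closes that gap, for example `snprintf(foo, 128, "%s", rec[t].db_contents);`. The literals `32` and `128` presumably mirror the declarations of `format` and `foo`, which sit outside the hunk (the body of `dbf_put_record` starts and ends outside it); if both are arrays, `sizeof(format)` and `sizeof(foo)` would keep the bounds tied to those declarations. Both `snprintf` calls also truncate silently, so comparing the return value with the buffer size would let the function reject an over-long numeric field instead of writing a clipped value.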