Use temporary buffer for generating Uxxx names to avoid overflow

Instead of sprintf()'ing a 4 character string to a char [4] buffer, and leaving the trailing '\0' to overwrite into the next entry, snprintf() to a 5 character temp buffer and memcpy the 4 characters to the right place. Fixes parfait errors: Error: Buffer overflow at xkbcomp-1.0.4/misc.c:393 in function 'ComputeKbdDefaults' [Standard C Library pattern matching] In sprintf related dereference of xkb->names->keys[i].name with index not less than '4' Destination array size is 4 bytes, data to be written is 4 bytes Error: Buffer overflow at xkbcomp-1.0.4/misc.c:402 in function 'ComputeKbdDefaults' [Standard C Library pattern matching] In sprintf related dereference of xkb->names->keys[i].name with index not less than '4' Destination array size is 4 bytes, data to be written is 4 bytes [This bug was found by the Parfait bug checking tool. For more information see http://research.sun.com/projects/parfait ] Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
author: Alan Coopersmith <alan.coopersmith@sun.com> 2009-05-11 09:39:03 -0700
committer: Alan Coopersmith <alan.coopersmith@sun.com> 2009-05-11 09:47:26 -0700
commit: eeaa4aec798ef045d0b3b9de3c25932b85b9ac3d (patch)
tree: 49b42e4d6343db697fef5dd452d4423e22b67937 /misc.c
parent: 2fd42dae8840089727f95211abdb86316e566afd (diff)
1 files changed, 8 insertions, 3 deletions
diff --git a/misc.c b/misc.c
index 0e4f61d..4990a74 100644
--- a/misc.c
+++ b/misc.c
@@ -383,6 +383,7 @@ ComputeKbdDefaults(XkbDescPtr xkb)
     register int i, tmp, nUnknown;
     KeyNameDesc *name;
     KeySym *syms;
+    char tmpname[XkbKeyNameLength + 1];
 
     if ((xkb->names == NULL) || (xkb->names->keys == NULL))
     {
@@ -430,8 +431,10 @@ ComputeKbdDefaults(XkbDescPtr xkb)
                             ACTION2("Using <U%03d> for key %d\n",
                                     nUnknown, i);
                         }
-                        sprintf(xkb->names->keys[i].name, "U%03d",
-                                nUnknown++);
+                        snprintf(tmpname, sizeof(tmpname), "U%03d",
+                                 nUnknown++);
+                        memcpy(xkb->names->keys[i].name, tmpname,
+                               XkbKeyNameLength);
                     }
                     break;
                 }
@@ -442,7 +445,9 @@ ComputeKbdDefaults(XkbDescPtr xkb)
                 {
                     WARN1("Key %d does not match any defaults\n", i);
                     ACTION1("Using name <U%03d>\n", nUnknown);
-                    sprintf(xkb->names->keys[i].name, "U%03d", nUnknown++);
+                    snprintf(tmpname, sizeof(tmpname), "U%03d", nUnknown++);
+                    memcpy(xkb->names->keys[i].name, tmpname,
+                           XkbKeyNameLength);
                 }
             }
         }
author	Alan Coopersmith <alan.coopersmith@sun.com>	2009-05-11 09:39:03 -0700
committer	Alan Coopersmith <alan.coopersmith@sun.com>	2009-05-11 09:47:26 -0700
commit	eeaa4aec798ef045d0b3b9de3c25932b85b9ac3d (patch)
tree	49b42e4d6343db697fef5dd452d4423e22b67937 /misc.c
parent	2fd42dae8840089727f95211abdb86316e566afd (diff)