On Tue, 4 Jul 2006, Markus Neteler via RT wrote:
the snprintf() is used as of today in:
./raster3d/r3.in.ascii/main.c
./db/drivers/dbf/dbfexe.c
./raster/r.support/front/front.c
./raster/r.support/front/check.c
./raster/r.support/front/run.c
./raster/r.support/modhead/check_un.c
./raster/r.support/modhead/modhead.c
./raster/r.support/modhead/ask_format.c
./lib/init/clean_temp.c
./lib/db/dbmi_client/select.c
./lib/gis/user_config.c
./lib/vector/dglib/examples/components.c
Please see attached patch to replace use of snprintf in all those modules. I am posting it to the list first, hopefully for some comments, before committing. Have to admit what I was doing felt a bit pedantic towards the end. But some comments:
Mostly what I have done is replaced snprintf writing into fixed size buffers by dynamically allocating space for the buffers based on the length of the strings that were being copied in. Where a formatted number was going in I allowed 32 characters to be on the safe side.
In all but one example (./lib/init/clean_temp.c) snprintf() was being used without a check on the return value. So while a buffer overflow may have been avoided, if the string was truncated it would lead to unpredictable results later in the program. This won't happen now.
Also in another case (./lib/gis/user_config.c) snprintf() was used with a buffer that had already been correctly dynamically sized, so it wasn't even needed there.
Paul
(attachments)
diff.txt (16 KB)
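The two patterns Paul describes above (size the buffer from the input instead of guessing, and never ignore snprintf's return value) as an added example, not code from the attached diff or from GRASS itself. alloc_sprintf() uses the C99 vsnprintf(NULL, 0, ...) length query to allocate exactly enough space; checked_snprintf() keeps a fixed buffer but reports truncation instead of letting a cut-off string flow into the rest of the program. The mapset/element names in main() are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a freshly malloc'd buffer sized exactly for the result.
 * This is the "dynamically allocate based on the length of the strings"
 * approach: there is no fixed size to overflow or truncate against.
 * Returns NULL on allocation or encoding failure; caller free()s. */
char *alloc_sprintf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);  /* C99: length needed, excluding NUL */
    va_end(ap);
    if (n < 0)
        return NULL;

    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;

    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* snprintf into a caller-supplied fixed buffer, but with the return value
 * checked. snprintf returns the length the full output *would* have had,
 * so n >= dstsz means the string in dst is truncated. Return 0 on success,
 * -1 on truncation or encoding error, so callers can fail cleanly rather
 * than continue with a partial path or name. */
int checked_snprintf(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample values in the style of a GRASS mapset/element path. */
    const char *mapset = "PERMANENT";
    const char *element = "cellhd_long_name";
    char small[16];

    if (checked_snprintf(small, sizeof small, "%s/%s", mapset, element) < 0)
        printf("fixed buffer too small for %s/%s, refusing to continue\n",
               mapset, element);

    char *path = alloc_sprintf("%s/%s/%d", mapset, element, 12345);
    if (path != NULL) {
        printf("sized exactly: %s (%zu bytes)\n", path, strlen(path));
        free(path);
    }
    return 0;
}
```

The number placeholder is handled the same way as the strings: vsnprintf reports the exact width of the formatted integer, so there is no need for the "allow 32 characters to be safe" margin the email mentions.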