
Commit 770a9e5

committed
Do not sprintf() into fixed-size string buffers
Replaced the fixed-size string buffers with dynamically allocated memory sized for the input data, or used snprintf() with the buffer size, to avoid crashes and buffer-overflow vulnerabilities.
1 parent 08711a1 commit 770a9e5

2 files changed

Lines changed: 18 additions & 16 deletions


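--- a/src/backend_helper.c
+++ b/src/backend_helper.c
@@ -143,9 +143,10 @@ gboolean dialog_contains_printer(BackendObj *b, const char *dialog_name, const c
 
 if (d == NULL || d->printers == NULL)
 {
-char msg[512];
+char *msg = malloc(sizeof(char) * (strlen(dialog_name) + 50));
 sprintf(msg, "Can't retrieve printers for dialog %s.\n", dialog_name);
 MSG_LOG(msg, ERR);
+free(msg);
 return FALSE;
 }
 if (g_hash_table_contains(d->printers, printer_name))
@@ -159,9 +160,10 @@ PrinterCUPS *add_printer_to_dialog(BackendObj *b, const char *dialog_name, const
 Dialog *d = (Dialog *)g_hash_table_lookup(b->dialogs, dialog_name);
 if (d == NULL)
 {
-char msg[512];
+char *msg = malloc(sizeof(char) * (strlen(dialog_name) + 50));
 sprintf(msg, "Invalid dialog name %s.\n", dialog_name);
 MSG_LOG(msg, ERR);
+free(msg);
 return NULL;
 }
 
@@ -175,9 +177,10 @@ void remove_printer_from_dialog(BackendObj *b, const char *dialog_name, const ch
 Dialog *d = (Dialog *)g_hash_table_lookup(b->dialogs, dialog_name);
 if (d == NULL)
 {
-char msg[512];
+char *msg = malloc(sizeof(char) * (strlen(printer_name) + 50));
 sprintf(msg, "Unable to remove printer %s.\n", printer_name);
 MSG_LOG(msg, WARN);
+free(msg);
 return;
 }
 g_hash_table_remove(d->printers, printer_name);
@@ -968,22 +971,23 @@ char *extract_ipp_attribute(ipp_attribute_t *attr, int index, const char *option
 
 /** Then deal with the generic cases **/
 char *str;
+const char *attrstr;
 switch (ippGetValueTag(attr))
 {
 case IPP_TAG_INTEGER:
 str = (char *)(malloc(sizeof(char) * 50));
-sprintf(str, "%d", ippGetInteger(attr, index));
+snprintf(str, sizeof(str), "%d", ippGetInteger(attr, index));
 break;
 
 case IPP_TAG_ENUM:
-str = (char *)(malloc(sizeof(char) * 50));
-sprintf(str, "%s", ippEnumString(option_name, ippGetInteger(attr, index)));
+attrstr = ippEnumString(option_name, ippGetInteger(attr, index));
+str = strdup(attrstr);
 break;
 
 case IPP_TAG_RANGE:
-str = (char *)(malloc(sizeof(char) * 50));
+str = (char *)(malloc(sizeof(char) * 100));
 int upper, lower = ippGetRange(attr, index, &upper);
-sprintf(str, "%d-%d", lower, upper);
+snprintf(str, sizeof(str), "%d-%d", lower, upper);
 break;
 
 case IPP_TAG_RESOLUTION:
@@ -992,9 +996,7 @@ char *extract_ipp_attribute(ipp_attribute_t *attr, int index, const char *option
 return extract_string_from_ipp(attr, index);
 }
 
-char *ans = get_string_copy(str);
-free(str);
-return ans;
+return str;
 }
 
 char *extract_res_from_ipp(ipp_attribute_t *attr, int index)
@@ -1004,11 +1006,11 @@ char *extract_res_from_ipp(ipp_attribute_t *attr, int index)
 xres = ippGetResolution(attr, index, &yres, &units);
 
 char *unit = units == IPP_RES_PER_INCH ? "dpi" : "dpcm";
-char buf[50];
+char buf[100];
 if (xres == yres)
-sprintf(buf, "%d%s", xres, unit);
+snprintf(buf, sizeof(buf), "%d%s", xres, unit);
 else
-sprintf(buf, "%dx%d%s", xres, yres, unit);
+snprintf(buf, sizeof(buf), "%dx%d%s", xres, yres, unit);
 
 return get_string_copy(buf);
 }
@@ -1065,7 +1067,7 @@ GVariant *pack_cups_job(cups_job_t job)
 printf("%s\n", job.dest);
 GVariant **t = g_new0(GVariant *, 7);
 char jobid[20];
-sprintf(jobid, "%d", job.id);
+snprintf(jobid, sizeof(jobid), "%d", job.id);
 t[0] = g_variant_new_string(jobid);
 t[1] = g_variant_new_string(job.title);
 t[2] = g_variant_new_string(job.dest);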
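Review bot: The two new `snprintf(str, sizeof(str), ...)` calls in extract_ipp_attribute (new lines 979 and 990) pass the size of the pointer, not of the allocation, because `str` is a `char *` — on a 64-bit build that is 8 bytes, so any integer longer than seven characters and almost every "%d-%d" range string will be silently truncated, which is a new functional bug rather than a hardening. Size the buffer through a named constant and reuse it, e.g. `str = malloc(50); snprintf(str, 50, "%d", ippGetInteger(attr, index));` and `str = malloc(100); snprintf(str, 100, "%d-%d", lower, upper);`, or drop the manual sizing entirely with `str = g_strdup_printf(...)` since the file already uses GLib. The new `malloc()` results in the three dialog-message hunks and the `strdup(attrstr)` result are also used without a NULL check; `g_strdup_printf()` / `g_strdup()` would give the project's usual abort-on-OOM semantics and remove the hand-computed `strlen(...) + 50` sizes. extract_ipp_attribute begins before the hunk and its remaining cases lie outside it, so I could not confirm that every path assigns `str` before the new `return str;`.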
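--- a/src/print_backend_cups.c
+++ b/src/print_backend_cups.c
@@ -267,7 +267,7 @@ static gboolean on_handle_print_file(PrintBackend *interface,
 int job_id = print_file(p, file_path, num_settings, settings);
 
 char jobid_string[64];
-sprintf(jobid_string, "%d", job_id);
+snprintf(jobid_string, sizeof(jobid_string), "%d", job_id);
 print_backend_complete_print_file(interface, invocation, jobid_string);
 
 /**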
