Cleanup: limit length of strings scanned by scanf.

Several uses of scanf-type functions allowed the scanned string to
supply an arbitrarily large input string.  Add length qualifiers to
prevent scanf from overrunning the supplied buffer.

diff --git a/apps/silc/clientutil.c b/apps/silc/clientutil.c
index 71b628bc4aacf7d35d8b689140700ef790cd3ce6..6a41a7c93970025b48b825e2f2d29f656db80f79 100644 (file)
--- a/apps/silc/clientutil.c
+++ b/apps/silc/clientutil.c
@@ -113,7 +113,7 @@ int silc_get_number_of_emails()
   if (!tl) {
     fprintf(stderr, "Couldn't open mail file (%s).\n", filename);
   } else {
-    while((fscanf(tl, "%s", data)) != EOF) { 
+    while((fscanf(tl, "%1023s", data)) != EOF) {
       if(!strcmp(data, "From:"))
        num++;
     }

diff --git a/apps/silcmap/silcmap_bitmap.c b/apps/silcmap/silcmap_bitmap.c
index 6440f88ddcc8e6208d3263f2ad5ce07428cca756..b171f47bed1f77a178a0988410980137c35942b9 100644 (file)
--- a/apps/silcmap/silcmap_bitmap.c
+++ b/apps/silcmap/silcmap_bitmap.c
@@ -52,7 +52,7 @@ bool silc_map_load_ppm(SilcMap map, const char *filename)
   }
 
   /* Read width and height */
-  ret = sscanf(header, "%s %ld %ld %ld\n", type,
+  ret = sscanf(header, "%2s %ld %ld %ld\n", type,
               (unsigned long *)&map->width,
               (unsigned long *)&map->height,
               (unsigned long *)&map->maxcolor);

diff --git a/util/robodoc/Source/generator.c b/util/robodoc/Source/generator.c
index 632c2990f94c880e285de6fc97da3534cfec23a6..2f9b9928755f71bb2b0396b6cf53047dff7085d0 100644 (file)
--- a/util/robodoc/Source/generator.c
+++ b/util/robodoc/Source/generator.c
@@ -1403,7 +1403,7 @@ RB_HTML_Extra (FILE * dest_doc, int item_type, char *cur_char)
 
   if (strncmp ("http://", cur_char, strlen ("http://")) == 0)
     {
-      sscanf (cur_char, "%s", link);
+      sscanf (cur_char, "%1023s", link);
       RB_Say ("found link %s\n", link);
       res = (strlen (link) - 1);
       fprintf (dest_doc, "<A HREF=\"%s\">%s</A>", link, link);
@@ -1411,14 +1411,14 @@ RB_HTML_Extra (FILE * dest_doc, int item_type, char *cur_char)
   else if (strncmp ("href:", cur_char, strlen ("href:")) == 0)
     {
       /* handy in relative hyperlink paths, e.g. href:../../modulex/ */
-      sscanf ((cur_char + strlen ("href:")), "%s", link);
+      sscanf ((cur_char + strlen ("href:")), "%1023s", link);
       RB_Say ("found link %s\n", link);
       res = (strlen (link) + strlen ("href:") - 1);
       fprintf (dest_doc, "<A HREF=\"%s\">%s</A>", link, link);
     }
   else if (strncmp ("mailto:", cur_char, strlen ("mailto:")) == 0)
     {
-      sscanf ((cur_char + strlen ("mailto:")), "%s", link);
+      sscanf ((cur_char + strlen ("mailto:")), "%1023s", link);
       RB_Say ("found mail to %s\n", link);
       res = (strlen (link) + strlen ("mailto:") - 1);
       fprintf (dest_doc, "<A HREF=\"mailto:%s\">%s</A>", link, link);