From: Kp Date: Sat, 13 Dec 2008 18:37:39 +0000 (-0600) Subject: Cleanup: limit length of strings scanned by scanf. X-Git-Tag: silc.toolkit.1.1.9~6^2 X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff_plain;h=7da2061d1fe888de4b055127ca3c5bec8526e69f Cleanup: limit length of strings scanned by scanf. Several uses of scanf-type functions allowed the scanned string to supply an arbitrarily large input string. Add length qualifiers to prevent scanf from overrunning the supplied buffer. --- diff --git a/apps/silc/clientutil.c b/apps/silc/clientutil.c index 71b628bc..6a41a7c9 100644 --- a/apps/silc/clientutil.c +++ b/apps/silc/clientutil.c @@ -113,7 +113,7 @@ int silc_get_number_of_emails() if (!tl) { fprintf(stderr, "Couldn't open mail file (%s).\n", filename); } else { - while((fscanf(tl, "%s", data)) != EOF) { + while((fscanf(tl, "%1023s", data)) != EOF) { if(!strcmp(data, "From:")) num++; } diff --git a/apps/silcmap/silcmap_bitmap.c b/apps/silcmap/silcmap_bitmap.c index 6440f88d..b171f47b 100644 --- a/apps/silcmap/silcmap_bitmap.c +++ b/apps/silcmap/silcmap_bitmap.c @@ -52,7 +52,7 @@ bool silc_map_load_ppm(SilcMap map, const char *filename) } /* Read width and height */ - ret = sscanf(header, "%s %ld %ld %ld\n", type, + ret = sscanf(header, "%2s %ld %ld %ld\n", type, (unsigned long *)&map->width, (unsigned long *)&map->height, (unsigned long *)&map->maxcolor); diff --git a/util/robodoc/Source/generator.c b/util/robodoc/Source/generator.c index 632c2990..2f9b9928 100644 --- a/util/robodoc/Source/generator.c +++ b/util/robodoc/Source/generator.c @@ -1403,7 +1403,7 @@ RB_HTML_Extra (FILE * dest_doc, int item_type, char *cur_char) if (strncmp ("http://", cur_char, strlen ("http://")) == 0) { - sscanf (cur_char, "%s", link); + sscanf (cur_char, "%1023s", link); RB_Say ("found link %s\n", link); res = (strlen (link) - 1); fprintf (dest_doc, "%s", link, link); @@ -1411,14 +1411,14 @@ RB_HTML_Extra (FILE * dest_doc, int item_type, char *cur_char) else if (strncmp ("href:", cur_char, strlen ("href:")) == 0) { /* handy in relative hyperlink paths, e.g. href:../../modulex/ */ - sscanf ((cur_char + strlen ("href:")), "%s", link); + sscanf ((cur_char + strlen ("href:")), "%1023s", link); RB_Say ("found link %s\n", link); res = (strlen (link) + strlen ("href:") - 1); fprintf (dest_doc, "%s", link, link); } else if (strncmp ("mailto:", cur_char, strlen ("mailto:")) == 0) { - sscanf ((cur_char + strlen ("mailto:")), "%s", link); + sscanf ((cur_char + strlen ("mailto:")), "%1023s", link); RB_Say ("found mail to %s\n", link); res = (strlen (link) + strlen ("mailto:") - 1); fprintf (dest_doc, "%s", link, link);