I've found a few unchecked sprintf and strcat.
They don't look very dangerous, but you may want to fix them.
crypt-gpgme.c: sizeof(helpstr) < sizeof(buf)
| helpstr[0] = 0;
| mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT);
|- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
|+ safe_strcat (helpstr, sizeof (helpstr), buf);
pgpkey.c: ditto
keymap.c: unchecked sprintf
| else if (c >= KEY_F0 && c < KEY_F(256)) /* this maximum is just a guess */
|- sprintf (buf, "<F%d>", c - KEY_F0);
|+ snprintf (buf, sizeof (buf), "<F%d>", c - KEY_F0);
pop_auth.c: ditto
|- sprintf (hash + 2 * i, "%02x", digest[i]);
|+ snprintf (hash + 2 * i, sizeof (hash) - (2 * i), "%02x", digest[i]);
rfc2231.c: ditto
|- sprintf (t, "%%%02X", (unsigned char)*s);
|+ snprintf (t, elen - (t - e), "%%%02X", (unsigned char)*s);
smime.c: no problem
| fname = safe_malloc(13); /* Hash + '.' + Suffix + \0 */
|- sprintf(fname, "%.8x.%i", Table[cur].hash, Table[cur].suffix);
|+ snprintf(fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix);
imap/imap.c:
|- sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid);
|+ snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid);
|- sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid);
|+ snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid);
imap/message.c:
|- sprintf(uid_buf, "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */
|+ snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); /* XXX --tg
21:41 04-07-11 */
|- sprintf(uid_buf, "/%u", h.data->uid);
|+ snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid);
--
tamo
Attachment:
patch-1.5.11cvs.tamo.secwarnings.1.gz
Description: application/gunzip
Index: browser.c
===================================================================
RCS file: /home/roessler/cvs/mutt/browser.c,v
retrieving revision 3.19
diff -p -u -r3.19 browser.c
--- browser.c 6 Oct 2005 06:15:00 -0000 3.19
+++ browser.c 20 May 2006 13:51:42 -0000
@@ -695,7 +695,7 @@ void _mutt_select_file (char *f, size_t
if (mutt_strcmp (state.entry[menu->current].name, "..") == 0)
{
if (mutt_strcmp ("..", LastDir + mutt_strlen (LastDir) - 2) == 0)
- strcat (LastDir, "/.."); /* __STRCAT_CHECKED__ */
+ safe_strcat (LastDir, sizeof (LastDir), "/..");
else
{
char *p = strrchr (LastDir + 1, '/');
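Review bot: The context line `LastDir + mutt_strlen (LastDir) - 2` just above the changed call computes a pointer before the start of LastDir whenever the stored path is shorter than two characters (an empty string or just `/`), and mutt_strcmp then reads from there. Bounding the append does not cover that read; a length guard such as `size_t n = mutt_strlen (LastDir); if (n >= 2 && mutt_strcmp ("..", LastDir + n - 2) == 0)` would. Whether LastDir can be that short at this point depends on code outside the hunk. `sizeof (LastDir)` is also only the right bound if LastDir is declared as an array rather than a pointer, which the hunk does not show.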
@@ -707,7 +707,7 @@ void _mutt_select_file (char *f, size_t
if (LastDir[0] == '/')
LastDir[1] = 0;
else
- strcat (LastDir, "/.."); /* __STRCAT_CHECKED__ */
+ safe_strcat (LastDir, sizeof (LastDir), "/..");
}
}
}
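Review bot: In the `else` branch here, and at the matching call in the previous hunk, safe_strcat presumably truncates without reporting it when LastDir is nearly full, so the buffer can end in `/.` or `/` instead of `/..` and the browser would then open a directory other than the parent. The return value is not examined, so nothing tells the caller the path was cut short. Consider checking `mutt_strlen (LastDir) + 3 < sizeof (LastDir)` before appending and reporting an error otherwise. _mutt_select_file continues on both sides of the hunk.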
Index: crypt-gpgme.c
===================================================================
RCS file: /home/roessler/cvs/mutt/crypt-gpgme.c,v
retrieving revision 3.10
diff -p -u -r3.10 crypt-gpgme.c
--- crypt-gpgme.c 21 Oct 2005 04:35:37 -0000 3.10
+++ crypt-gpgme.c 20 May 2006 13:51:45 -0000
@@ -3560,15 +3562,15 @@ static crypt_key_t *crypt_select_key (cr
helpstr[0] = 0;
mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Select "), menu_to_use,
OP_GENERIC_SELECT_ENTRY);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Check key "),
menu_to_use, OP_VERIFY_KEY);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Help"), menu_to_use, OP_HELP);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
menu = mutt_new_menu ();
menu->max = i;
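Review bot: The four appends in crypt_select_key now truncate silently instead of overflowing, but the size mismatch named in the description (helpstr smaller than buf) is still there, so the help line can lose its trailing entries with no indication. The declarations are outside the hunk; the simplest follow-up would be to declare helpstr at least as large as the four pieces combined, or to drop the intermediate copy and format in place with `mutt_make_help (helpstr + len, sizeof (helpstr) - len, ...)`. The same four-call pattern is patched in pgp_select_key in pgpkey.c and deserves the same treatment.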
Index: keymap.c
===================================================================
RCS file: /home/roessler/cvs/mutt/keymap.c,v
retrieving revision 3.17
diff -p -u -r3.17 keymap.c
--- keymap.c 17 Sep 2005 20:46:10 -0000 3.17
+++ keymap.c 20 May 2006 13:51:49 -0000
@@ -508,7 +508,7 @@ char *km_keyname (int c)
snprintf (buf, sizeof (buf), "\\%d%d%d", c >> 6, (c >> 3) & 7, c & 7);
}
else if (c >= KEY_F0 && c < KEY_F(256)) /* this maximum is just a guess */
- sprintf (buf, "<F%d>", c - KEY_F0);
+ snprintf (buf, sizeof (buf), "<F%d>", c - KEY_F0);
else if (IsPrint (c))
snprintf (buf, sizeof (buf), "%c", (unsigned char) c);
else
Index: pgpkey.c
===================================================================
RCS file: /home/roessler/cvs/mutt/pgpkey.c,v
retrieving revision 3.11
diff -p -u -r3.11 pgpkey.c
--- pgpkey.c 17 Sep 2005 20:46:11 -0000 3.11
+++ pgpkey.c 20 May 2006 13:51:52 -0000
@@ -512,14 +512,14 @@ static pgp_key_t pgp_select_key (pgp_key
helpstr[0] = 0;
mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_PGP, OP_EXIT);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Select "), MENU_PGP,
OP_GENERIC_SELECT_ENTRY);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Check key "), MENU_PGP,
OP_VERIFY_KEY);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Help"), MENU_PGP, OP_HELP);
- strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
+ safe_strcat (helpstr, sizeof (helpstr), buf);
menu = mutt_new_menu ();
menu->max = i;
Index: pop_auth.c
===================================================================
RCS file: /home/roessler/cvs/mutt/pop_auth.c,v
retrieving revision 3.7
diff -p -u -r3.7 pop_auth.c
--- pop_auth.c 17 Sep 2005 20:46:11 -0000 3.7
+++ pop_auth.c 20 May 2006 13:51:52 -0000
@@ -192,7 +192,7 @@ static pop_auth_res_t pop_auth_apop (POP
MD5Final (digest, &mdContext);
for (i = 0; i < sizeof (digest); i++)
- sprintf (hash + 2 * i, "%02x", digest[i]);
+ snprintf (hash + 2 * i, sizeof (hash) - (2 * i), "%02x", digest[i]);
/* Send APOP command to server */
snprintf (buf, sizeof (buf), "APOP %s %s\r\n", pop_data->conn->account.user,
hash);
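Review bot: The new bound `sizeof (hash) - (2 * i)` in the hex loop is only meaningful while hash holds at least `2 * sizeof (digest) + 1` bytes; if it were smaller, the unsigned subtraction would wrap to a huge value and snprintf would be effectively unbounded again. Both declarations are outside the hunk, so that relation cannot be confirmed here. A comment at the loop, e.g. `/* hash must hold 2 * sizeof (digest) hex digits plus the NUL */`, or sizing hash from digest at its declaration, would make the invariant explicit.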
Index: rfc2231.c
===================================================================
RCS file: /home/roessler/cvs/mutt/rfc2231.c,v
retrieving revision 3.8
diff -p -u -r3.8 rfc2231.c
--- rfc2231.c 18 May 2006 17:35:30 -0000 3.8
+++ rfc2231.c 20 May 2006 13:51:53 -0000
@@ -348,14 +348,15 @@ int rfc2231_encode_string (char **pd)
if (encode)
{
- e = safe_malloc (dlen + 2*ext + strlen (charset) + 3);
- sprintf (e, "%s''", charset); /* __SPRINTF_CHECKED__ */
+ size_t elen = dlen + 2*ext + strlen (charset) + 3;
+ e = safe_malloc (elen);
+ snprintf (e, elen, "%s''", charset);
t = e + strlen (e);
for (s = d, slen = dlen; slen; s++, slen--)
if (*s < 0x20 || *s >= 0x7f ||
strchr (MimeSpecials, *s) || strchr ("*'%", *s))
{
- sprintf (t, "%%%02X", (unsigned char)*s);
+ snprintf (t, elen - (t - e), "%%%02X", (unsigned char)*s);
t += 3;
}
else
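Review bot: The bounded write in the escape branch protects only the snprintf itself: `t += 3` still advances unconditionally, and the `else` branch that continues past the hunk presumably copies the byte without a length check. elen is an exact fit that depends on ext having been counted with the same predicate as this loop, which happens outside the hunk; if the two ever disagree, `elen - (t - e)` wraps once t passes the end and the bound stops nothing. I would document that next to the allocation, for example `/* elen is exact: ext must count every byte the loop below escapes */`.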
Index: smime.c
===================================================================
RCS file: /home/roessler/cvs/mutt/smime.c,v
retrieving revision 3.48
diff -p -u -r3.48 smime.c
--- smime.c 16 Dec 2005 18:49:40 -0000 3.48
+++ smime.c 20 May 2006 13:51:57 -0000
@@ -465,7 +465,7 @@ char* smime_ask_for_key (char *prompt, c
}
if (hash) {
fname = safe_malloc(13); /* Hash + '.' + Suffix + \0 */
- sprintf(fname, "%.8x.%i", Table[cur].hash, Table[cur].suffix);
+ snprintf(fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix);
}
else fname = NULL;
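Review bot: The literal 13 now appears twice in smime_ask_for_key, and it only leaves room for a suffix of at most three characters after the eight hex digits and the dot. With a longer suffix the old code overflowed; the new code silently truncates, and the shortened name could refer to a different file than the selected entry. Consider a named constant shared by the allocation and the call, sized for the widest `%i`, and treating `snprintf (fname, len, ...) >= len` as an error. Where Table[cur].suffix comes from is not visible in the hunk.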
Index: imap/imap.c
===================================================================
RCS file: /home/roessler/cvs/mutt/imap/imap.c,v
retrieving revision 3.81
diff -p -u -r3.81 imap.c
--- imap/imap.c 18 May 2006 18:35:10 -0000 3.81
+++ imap/imap.c 20 May 2006 13:51:58 -0000
@@ -262,7 +262,7 @@ void imap_expunge_mailbox (IMAP_DATA* id
#if USE_HCACHE
if (hc)
{
- sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid);
+ snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid);
mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen);
}
#endif
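Review bot: The same `"/%u"` cache-key formatting is now written out four times: here, in the imap_sync_mailbox hunk below, and twice in imap_read_headers in imap/message.c. A small helper that takes the buffer, its size and the uid would keep the bound and the key format in one place. `sizeof (uidbuf)` and `sizeof (uid_buf)` are only correct bounds if both are arrays, and their declarations are outside the hunks.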
@@ -1148,7 +1148,7 @@ int imap_sync_mailbox (CONTEXT* ctx, int
#if USE_HCACHE
if (hc && h->deleted)
{
- sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid);
+ snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid);
mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen);
}
#endif
Index: imap/message.c
===================================================================
RCS file: /home/roessler/cvs/mutt/imap/message.c,v
retrieving revision 3.50
diff -p -u -r3.50 message.c
--- imap/message.c 18 May 2006 18:35:10 -0000 3.50
+++ imap/message.c 20 May 2006 13:51:59 -0000
@@ -158,7 +158,7 @@ int imap_read_headers (IMAP_DATA* idata,
else if (mfhrc < 0)
break;
- sprintf(uid_buf, "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */
+ snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); /* XXX --tg
21:41 04-07-11 */
uid_validity = (unsigned int*)mutt_hcache_fetch (hc, uid_buf,
&imap_hcache_keylen);
if (uid_validity != NULL && *uid_validity == idata->uid_validity)
@@ -287,7 +287,7 @@ int imap_read_headers (IMAP_DATA* idata,
ctx->hdrs[msgno]->content->length = h.content_length;
#if USE_HCACHE
- sprintf(uid_buf, "/%u", h.data->uid);
+ snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid);
mutt_hcache_store(hc, uid_buf, ctx->hdrs[msgno], idata->uid_validity,
&imap_hcache_keylen);
#endif /* USE_HCACHE */