# HG changeset patch
# User jbe
# Date 1464803945 -7200
# Node ID e3da778a8bf39f7ff8f9dd3aa789d9249e362ca1
# Parent d68098219642c64ec669a9d7480911f13ab6308e
Use snprintf instead of sprintf as a precautionary measure for security

diff -r d68098219642 -r e3da778a8bf3 libraries/json/json.c
--- a/libraries/json/json.c Mon May 16 20:12:54 2016 +0200
+++ b/libraries/json/json.c Wed Jun 01 19:59:05 2016 +0200
@@ -1114,7 +1114,7 @@
 #if LUA_VERSION_NUM >= 503
 // handle integers:
 if (lua_isinteger(L, json_export_value_idx)) {
- sprintf(numstr, "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));
+ snprintf(numstr, sizeof(numstr), "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));
 luaL_addstring(&buf, numstr);
 break;
 }
@@ -1128,12 +1128,12 @@
 // check if float is integral:
 if ((double)trunc((double)num) == (double)num) {
 // use maximum precision:
- sprintf(numstr, "%.17g", num); // NOTE: e.g. 12345678901234560
+ snprintf(numstr, sizeof(numstr), "%.17g", num); // NOTE: e.g. 12345678901234560
 } else {
 // determine necessary precision to represent double precision floating point number:
- sprintf(numstr, "%.15g", num); // NOTE: e.g. 0.009 should not be 0.008999999999999999
- if (strtod(numstr, NULL) != num) sprintf(numstr, "%.16g", num);
- if (strtod(numstr, NULL) != num) sprintf(numstr, "%.17g", num);
+ snprintf(numstr, sizeof(numstr), "%.15g", num); // NOTE: e.g. 0.009 should not be 0.008999999999999999
+ if (strtod(numstr, NULL) != num) snprintf(numstr, sizeof(numstr), "%.16g", num);
+ if (strtod(numstr, NULL) != num) snprintf(numstr, sizeof(numstr), "%.17g", num);
 }
 // add string encoding of the number to the output buffer:
 luaL_addstring(&buf, numstr);
@@ -1172,7 +1172,7 @@
 else if (c == '\t') luaL_addstring(&buf, "\\t");
 else if (c == '\v') luaL_addstring(&buf, "\\v");
 else {
- sprintf(hexcode, "\\u%04X", c);
+ snprintf(hexcode, sizeof(hexcode), "\\u%04X", c);
 luaL_addstring(&buf, hexcode);
 }
 }
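Review bot: The new snprintf calls in this hunk and in the second hunk (the `%.15g`/`%.16g`/`%.17g` lines) discard the return value, so if numstr is ever smaller than the longest rendering the number is silently truncated into a different but syntactically plausible value — the change turns a memory-safety bug into a data-corruption one rather than removing it. The declaration of numstr is outside the hunk, so its size cannot be checked here; `%ji` of an intmax_t needs up to 21 bytes including the terminator and `%.17g` of a double up to 25 (sign, 17 digits, point, `e-308`). Consider checking the result, e.g. `int n = snprintf(numstr, sizeof(numstr), "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));` followed by `if (n < 0 || (size_t)n >= sizeof(numstr)) return luaL_error(L, "number rendering truncated");`, with the same guard after the three float renderings, or at least a comment at numstr's declaration stating the minimum size these formats require. The enclosing function starts and ends outside the hunk.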
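Review bot: The new snprintf on the hexcode line assumes `c` fits in four hex digits; if c is a plain (possibly signed) char, a byte of 0x80 or above promotes to a negative int and `%04X` prints eight digits, which snprintf now silently truncates to the size of hexcode instead of overrunning it, producing a malformed escape in the JSON output. The type of c and the size of hexcode are declared outside the hunk, so this is inferred from the format and the surrounding character comparisons only. If c holds a byte, `snprintf(hexcode, sizeof(hexcode), "\\u%04X", (unsigned)(unsigned char)c);` pins the width to at most four digits for the control-character range, and a truncation check on the return value would make any remaining case loud rather than silent. The enclosing loop and function continue outside the hunk.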