
changeset 448:e3da778a8bf3

Use snprintf instead of sprintf as a precautionary measure for security
author jbe
date Wed Jun 01 19:59:05 2016 +0200 (2016-06-01)
parents d68098219642
children c37d4bf50a4b
files libraries/json/json.c
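--- a/libraries/json/json.c
+++ b/libraries/json/json.c
@@ -1114,7 +1114,7 @@
 #if LUA_VERSION_NUM >= 503
       // handle integers:
       if (lua_isinteger(L, json_export_value_idx)) {
-        sprintf(numstr, "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));
+        snprintf(numstr, sizeof(numstr), "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));
         luaL_addstring(&buf, numstr);
         break;
       }
@@ -1128,12 +1128,12 @@
       // check if float is integral:
       if ((double)trunc((double)num) == (double)num) {
         // use maximum precision:
-        sprintf(numstr, "%.17g", num);  // NOTE: e.g. 12345678901234560
+        snprintf(numstr, sizeof(numstr), "%.17g", num);  // NOTE: e.g. 12345678901234560
       } else {
         // determine necessary precision to represent double precision floating point number:
-        sprintf(numstr, "%.15g", num);  // NOTE: e.g. 0.009 should not be 0.008999999999999999
-        if (strtod(numstr, NULL) != num) sprintf(numstr, "%.16g", num);
-        if (strtod(numstr, NULL) != num) sprintf(numstr, "%.17g", num);
+        snprintf(numstr, sizeof(numstr), "%.15g", num);  // NOTE: e.g. 0.009 should not be 0.008999999999999999
+        if (strtod(numstr, NULL) != num) snprintf(numstr, sizeof(numstr), "%.16g", num);
+        if (strtod(numstr, NULL) != num) snprintf(numstr, sizeof(numstr), "%.17g", num);
       }
       // add string encoding of the number to the output buffer:
       luaL_addstring(&buf, numstr);
@@ -1172,7 +1172,7 @@
         else if (c == '\t') luaL_addstring(&buf, "\\t");
         else if (c == '\v') luaL_addstring(&buf, "\\v");
         else {
-          sprintf(hexcode, "\\u%04X", c);
+          snprintf(hexcode, sizeof(hexcode), "\\u%04X", c);
           luaL_addstring(&buf, hexcode);
         }
       }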
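Review bot: The return value of every new snprintf call is discarded, so a buffer too small for the formatted value would now truncate silently instead of overflowing — the exporter would emit a malformed JSON number with no error, and in the second hunk the `strtod(numstr, NULL) != num` round-trip checks would be comparing against an already-truncated string. `numstr` and `hexcode` are declared outside these hunks, as is the rest of the enclosing export function, so their sizes cannot be confirmed here. Truncation should fail loudly rather than be swallowed, e.g. `int n = snprintf(numstr, sizeof(numstr), "%.17g", num);` followed by `if (n < 0 || (size_t)n >= sizeof(numstr)) return luaL_error(L, "number too long");`, applied the same way in the first and third hunks. In the third hunk `"\\u%04X"` expects an unsigned int; if `c` is a plain `char` that can be negative, it should be passed as `(unsigned)(unsigned char)c` so the four-digit escape width is honoured instead of printing a sign-extended value.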
