changeset 448:e3da778a8bf3
Use snprintf instead of sprintf as a precautionary measure for security
author | jbe |
date | Wed Jun 01 19:59:05 2016 +0200 (2016-06-01) |
parents | d68098219642 |
children | c37d4bf50a4b |
files | libraries/json/json.c |
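--- a/libraries/json/json.c
+++ b/libraries/json/json.c
@@ -1114,7 +1114,7 @@
 #if LUA_VERSION_NUM >= 503
 // handle integers:
 if (lua_isinteger(L, json_export_value_idx)) {
-sprintf(numstr, "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));
+snprintf(numstr, sizeof(numstr), "%ji", (intmax_t)lua_tointeger(L, json_export_value_idx));
 luaL_addstring(&buf, numstr);
 break;
 }
@@ -1128,12 +1128,12 @@
 // check if float is integral:
 if ((double)trunc((double)num) == (double)num) {
 // use maximum precision:
-sprintf(numstr, "%.17g", num); // NOTE: e.g. 12345678901234560
+snprintf(numstr, sizeof(numstr), "%.17g", num); // NOTE: e.g. 12345678901234560
 } else {
 // determine necessary precision to represent double precision floating point number:
-sprintf(numstr, "%.15g", num); // NOTE: e.g. 0.009 should not be 0.008999999999999999
-if (strtod(numstr, NULL) != num) sprintf(numstr, "%.16g", num);
-if (strtod(numstr, NULL) != num) sprintf(numstr, "%.17g", num);
+snprintf(numstr, sizeof(numstr), "%.15g", num); // NOTE: e.g. 0.009 should not be 0.008999999999999999
+if (strtod(numstr, NULL) != num) snprintf(numstr, sizeof(numstr), "%.16g", num);
+if (strtod(numstr, NULL) != num) snprintf(numstr, sizeof(numstr), "%.17g", num);
 }
 // add string encoding of the number to the output buffer:
 luaL_addstring(&buf, numstr);
@@ -1172,7 +1172,7 @@
 else if (c == '\t') luaL_addstring(&buf, "\\t");
 else if (c == '\v') luaL_addstring(&buf, "\\v");
 else {
-sprintf(hexcode, "\\u%04X", c);
+snprintf(hexcode, sizeof(hexcode), "\\u%04X", c);
 luaL_addstring(&buf, hexcode);
 }
 }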
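Review bot: The switch to snprintf removes the overflow but turns any too-small buffer into silent truncation, and none of the eight new calls (all three hunks) checks the return value, so a truncated `numstr` or `hexcode` would be appended to the JSON output as a wrong or malformed token. The declarations of `numstr` and `hexcode` are outside these hunks, so their adequacy cannot be confirmed here; `"%.17g"` of a double can need up to 25 bytes including the sign, exponent and terminator, and `"%ji"` of an intmax_t up to 22, so a note like `// numstr must hold the longest "%.17g"/"%ji" rendering (>= 25 bytes)` at the declaration would make the invariant visible. A cheap guard on the final rendering, e.g. `if (snprintf(numstr, sizeof(numstr), "%.17g", num) >= (int)sizeof(numstr)) return luaL_error(L, "number too long");`, would fail loudly instead of emitting a truncated number. For the `hexcode` hunk, if `c` can hold a negative value (a plain `char` above 0x7F), `"%04X"` prints eight hex digits and the escape would now be truncated rather than overflowed; casting through `unsigned char` or asserting `c >= 0 && c <= 0xFFFF` before formatting would pin that down. All three enclosing functions start and end outside the hunks.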