Fix potential buffer overflows (GitHub issue #346).

(cherry picked from commit e69549034d)
2020-07-28 13:17:57 +01:00 · 2020-07-28 13:17:57 +01:00 · f6c2b79608
parent 9d53ed9618
commit f6c2b79608
4 changed files with 23 additions and 17 deletions
--- a/ivlpp/lexor.lex
+++ b/ivlpp/lexor.lex
@ -1662,7 +1662,8 @@ static void do_include(void)
        }

        for (idx = start ;  idx < include_cnt ;  idx += 1) {
-            sprintf(path, "%s/%s", include_dir[idx], standby->path);
+            snprintf(path, sizeof(path), "%s/%s",
+                     include_dir[idx], standby->path);

            if ((standby->file = fopen(path, "r"))) {
 		standby->file_close = fclose;
--- a/load_module.cc
+++ b/load_module.cc
@ -73,7 +73,8 @@ bool load_module(const char*type, int&parser_errors)
 	    if (cur == lcur->name_map.end())
 		  continue;

-	    sprintf(path, "%s%c%s", lcur->dir, dir_character, (*cur).second);
+	    snprintf(path, sizeof(path), "%s%c%s",
+		     lcur->dir, dir_character, (*cur).second);

 	    if(depend_file) {
                  if (depfile_mode == 'p') {
--- a/tgt-vvp/draw_vpi.c
+++ b/tgt-vvp/draw_vpi.c
@ -484,7 +484,8 @@ void draw_vpi_task_call(ivl_statement_t tnet)
                    ivl_stmt_lineno(tnet), ivl_stmt_name(tnet));
      } else {
 	    char call_string[1024];
-	    sprintf(call_string, "    %s %u %u \"%s\"", command,
+	    snprintf(call_string, sizeof(call_string),
+		     "	  %s %u %u \"%s\"", command,
 		     ivl_file_table_index(ivl_stmt_file(tnet)),
 		     ivl_stmt_lineno(tnet), ivl_stmt_name(tnet));
 	    draw_vpi_taskfunc_args(call_string, tnet, 0);
@ -495,7 +496,8 @@ void draw_vpi_func_call(ivl_expr_t fnet)
 {
      char call_string[1024];

-      sprintf(call_string, "    %%vpi_func %u %u \"%s\" %u",
+      snprintf(call_string, sizeof(call_string),
+	       "    %%vpi_func %u %u \"%s\" %u",
 	       ivl_file_table_index(ivl_expr_file(fnet)),
 	       ivl_expr_lineno(fnet), ivl_expr_name(fnet),
 	       ivl_expr_width(fnet));
@ -507,7 +509,8 @@ void draw_vpi_rfunc_call(ivl_expr_t fnet)
 {
      char call_string[1024];

-      sprintf(call_string, "    %%vpi_func/r %u %u \"%s\"",
+      snprintf(call_string, sizeof(call_string),
+	       "    %%vpi_func/r %u %u \"%s\"",
 	       ivl_file_table_index(ivl_expr_file(fnet)),
 	       ivl_expr_lineno(fnet), ivl_expr_name(fnet));

--- a/vvp/vpi_modules.cc
+++ b/vvp/vpi_modules.cc
@ -87,13 +87,13 @@ void vpip_load_module(const char*name)
 	    if (rc != 0) {            /* did we find a file? */
 	          /* no, try with a .vpi suffix too */
 		  export_flag = false;
-		  sprintf(buf, "%s.vpi", name);
+		  snprintf(buf, sizeof(buf), "%s.vpi", name);
 		  rc = stat(buf, &sb);

 		    /* Try also with the .vpl suffix. */
 		  if (rc != 0) {
 			export_flag = true;
-			sprintf(buf, "%s.vpl", name);
+			snprintf(buf, sizeof(buf), "%s.vpl", name);
 			rc = stat(buf, &sb);
 		  }

@ -112,12 +112,13 @@ void vpip_load_module(const char*name)
 		       ; (rc != 0) && (idx < vpip_module_path_cnt)
 		       ;  idx += 1) {
 		  export_flag = false;
-		  sprintf(buf, "%s%c%s.vpi", vpip_module_path[idx], sep, name);
+		  snprintf(buf, sizeof(buf), "%s%c%s.vpi",
+			   vpip_module_path[idx], sep, name);
 		  rc = stat(buf,&sb);

 		  if (rc != 0) {
 			export_flag = true;
-			sprintf(buf, "%s%c%s.vpl",
+			snprintf(buf, sizeof(buf), "%s%c%s.vpl",
 				 vpip_module_path[idx], sep, name);
 			rc = stat(buf,&sb);
 		  }