From 2536b78acb40e881223e7fd1a4bf0414c0b84638 Mon Sep 17 00:00:00 2001
From: Holger Vogt
Date: Sat, 10 Apr 2021 18:16:22 +0200
Subject: [PATCH] Allow tailing '\0' Remove potentially user induced buffer overflow by replacing sprintf by snprintf.
---
 src/frontend/inp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/frontend/inp.c b/src/frontend/inp.c
index 8158c6416..45d380e81 100644
--- a/src/frontend/inp.c
+++ b/src/frontend/inp.c
@@ -475,7 +475,7 @@ inp_spsource(FILE *fp, bool comfile, char *filename, bool intfile)
 {
 struct card *deck = NULL, *dd, *ld, *prev_param = NULL, *prev_card = NULL;
 struct card *realdeck = NULL, *options = NULL, *curr_meas = NULL;
- char *tt = NULL, name[BSIZE_SP], *s, *t, *temperature = NULL;
+ char *tt = NULL, name[BSIZE_SP + 1], *s, *t, *temperature = NULL;
 double testemp = 0.0;
 bool commands = FALSE;
 wordlist *wl = NULL, *end = NULL, *wl_first = NULL;
@@ -1621,7 +1621,9 @@ doedit(char *filename)
 editor = "/usr/bin/vi";
 }
 }
- sprintf(buf, "%s %s", editor, filename);
+ int len = snprintf(buf, BSIZE_SP - 1, "%s %s", editor, filename);
+ if (len > BSIZE_SP - 1)
+ fprintf(stderr, "Error: the filename is probably tuncated\n");
 return (system(buf) ? FALSE : TRUE);
 }
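Review bot: The `+ 1` on `name` in inp_spsource() has no comment saying which write needs the extra byte, and the code that fills `name` lies outside this hunk, so it cannot be confirmed here that the write is bounded consistently with the new size. If the writer uses `BSIZE_SP` as its limit and then stores a terminator, tying that limit to `sizeof name` would keep the declaration and the bound from drifting apart. At minimum the declaration should carry a comment such as `/* + 1: room for the terminating '\0' */`.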
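Review bot: When the output is truncated, the new code in doedit() only prints a warning and still passes the cut-off command line to `system(buf)`, so the editor can be started on a different path than the one requested; the function should return FALSE instead. The check is also off by one: with a size argument of `BSIZE_SP - 1`, truncation happens whenever `len >= BSIZE_SP - 1`, and a negative return is not handled. snprintf's size already counts the terminator, so the full buffer size can be passed, assuming `buf` holds `BSIZE_SP` bytes (its declaration and the start of doedit() are above the hunk). Separately, `filename` is still interpolated unquoted into a shell command, so shell metacharacters in a user-supplied name are interpreted by the shell; starting the editor through an exec-style call with an argument vector would remove that exposure. The error string also misspells "truncated".

```c
    /* … unchanged: editor selection … */
    int len = snprintf(buf, BSIZE_SP, "%s %s", editor, filename);
    if (len < 0 || len >= BSIZE_SP) {
        fprintf(stderr, "Error: editor command line is too long, editor not started\n");
        return FALSE;
    }
    return (system(buf) ? FALSE : TRUE);
```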