From e91e3c4ec735ca9738254b60147809abfd1d1db2 Mon Sep 17 00:00:00 2001
From: rlar
Date: Tue, 27 Mar 2012 21:07:12 +0200
Subject: [PATCH] lingrid(), avoid buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug ID: `Buffer overflow detected - ID: 3510521' reported by Zsolt Makaró The variable `mag3' sometimes seems to take unexpected values (for example log10 can be -Inf, which will be casted to 0x80000000) and seems then to have overflown a buffer buf[LABEL_CHARS]
---
 src/frontend/plotting/grid.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/frontend/plotting/grid.c b/src/frontend/plotting/grid.c
index 7b15ca223..d5333de7d 100644
--- a/src/frontend/plotting/grid.c
+++ b/src/frontend/plotting/grid.c
@@ -331,8 +331,6 @@ lingrid(GRAPH *graph, double lo, double hi, double delta, int type, Axis axis)
 tenpowmag = pow(10.0, (double) mag3);
- *buf = 0;
-
 i = (mag3 + 18) / 3;
 if (i < 0)
@@ -349,24 +347,28 @@ lingrid(GRAPH *graph, double lo, double hi, double delta, int type, Axis axis)
 else if (j == 2)
 (void) sprintf(buf, "x100 ");
 else if (j)
- (void) sprintf(buf, "x10^%d ", j);
+ (void) snprintf(buf, sizeof(buf) - 1, "x10^%d ", j);
+ else
+ buf[0] = '\0';
 if (scaleletters[i]) {
 for (p = buf; *p; p++) ;
 *p++ = scaleletters[i];
- *p++ = 0;
+ *p++ = '\0';
 }
 } else if (mag > 1) {
 tenpowmag = pow(10.0, (double) mag);
- (void) sprintf(buf, "x10^%d ", mag);
+ (void) snprintf(buf, sizeof(buf), "x10^%d ", mag);
+ } else {
+ buf[0] = '\0';
 }
 if ((s = ft_typabbrev(type)) != NULL) {
- (void) strcat(buf, s);
+ (void) strncat(buf, s, sizeof(buf) - 1);
 } else {
- (void) strcat(buf, "Units");
+ (void) strncat(buf, "Units", sizeof(buf) - 1);
 }
 if (delta == 0.0) {
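Review bot: The two `strncat` calls at the end of the second hunk can still write past the end of `buf`, because the third argument of `strncat` limits how many bytes are copied from the source and says nothing about the space left in the destination. Once `buf` already holds the `x10^%d ` prefix and scale letter, the bound has to be the remaining room: `(void) strncat(buf, s, sizeof(buf) - strlen(buf) - 1);`, and likewise for the `"Units"` branch. The patch also bounds the symptom rather than the cause. The conversion of a non-finite `log10` result into `mag3` described in the commit message happens outside these hunks and appears to be left unchecked, so an `isfinite()` test before that cast would be worth adding. The body of `lingrid()` starts and ends outside the hunk, so the declaration of `buf` and the computation of `j` could not be checked here.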