luke
/
ngspice
mirror of https://git.code.sf.net/p/ngspice/ngspice
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

lingrid(), avoid buffer overflow 

Bug ID: `Buffer overflow detected - ID: 3510521'
    reported by Zsolt Makaró

  The variable `mag3' sometimes seems to take
    unexpected values
    (for example log10 can be -Inf, which will be casted to 0x80000000)
  and seems then to have overflown a buffer buf[LABEL_CHARS]
This commit is contained in:
rlar 2012-03-27 21:07:12 +02:00
parent 6e829f7cc4
commit e91e3c4ec7
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/frontend/plotting/grid.c
View File

@ -331,8 +331,6 @@ lingrid(GRAPH *graph, double lo, double hi, double delta, int type, Axis axis)
tenpowmag = pow(10.0, (double) mag3); tenpowmag = pow(10.0, (double) mag3);
*buf = 0;
i = (mag3 + 18) / 3; i = (mag3 + 18) / 3;
if (i < 0) if (i < 0)
@ -349,24 +347,28 @@ lingrid(GRAPH *graph, double lo, double hi, double delta, int type, Axis axis)
else if (j == 2) else if (j == 2)
(void) sprintf(buf, "x100 "); (void) sprintf(buf, "x100 ");
else if (j) else if (j)
(void) sprintf(buf, "x10^%d ", j); (void) snprintf(buf, sizeof(buf) - 1, "x10^%d ", j);
else
buf[0] = '\0';
if (scaleletters[i]) { if (scaleletters[i]) {
for (p = buf; *p; p++) for (p = buf; *p; p++)
; ;
*p++ = scaleletters[i]; *p++ = scaleletters[i];
*p++ = 0; *p++ = '\0';
} }
} else if (mag > 1) { } else if (mag > 1) {
tenpowmag = pow(10.0, (double) mag); tenpowmag = pow(10.0, (double) mag);
(void) sprintf(buf, "x10^%d ", mag); (void) snprintf(buf, sizeof(buf), "x10^%d ", mag);
} else {
buf[0] = '\0';
} }
if ((s = ft_typabbrev(type)) != NULL) { if ((s = ft_typabbrev(type)) != NULL) {
(void) strcat(buf, s); (void) strncat(buf, s, sizeof(buf) - 1);
} else { } else {
(void) strcat(buf, "Units"); (void) strncat(buf, "Units", sizeof(buf) - 1);
} }
if (delta == 0.0) { if (delta == 0.0) {