Prevent buffer-overrun and format-string attacks by "sanitizing" any * provided format string to fit the number of expected string arguments * (MAX) exactly. */
| 122 | * provided format string to fit the number of expected string arguments |
| 123 | * (MAX) exactly. */ |
| 124 | static const char *makeFmtSafe(const char *fmt, int MAX) { |
| 125 | /* format string should have exactly 'MAX' %s */ |
| 126 | |
| 127 | char *result = msSmallMalloc(strlen(fmt)+1+3*MAX), *cp; |
| 128 | int numstr=0, saw_percent=0; |
| 129 | |
| 130 | strcpy(result, fmt); |
| 131 | for (cp=result; *cp; cp++) { |
| 132 | if (saw_percent) { |
| 133 | if (*cp=='%') { |
| 134 | /* safe */ |
| 135 | } else if (*cp=='s' && numstr<MAX) { |
| 136 | numstr++; /* still safe */ |
| 137 | } else { |
| 138 | /* disable this unsafe format string! */ |
| 139 | *(cp-1)=' '; |
| 140 | } |
| 141 | saw_percent=0; |
| 142 | } else if (*cp=='%') |
| 143 | saw_percent=1; |
| 144 | } |
| 145 | /* fixup format strings without enough %s in them */ |
| 146 | while (numstr<MAX) { |
| 147 | strcpy(cp, "%.s"); /* print using zero-length precision */ |
| 148 | cp+=3; |
| 149 | numstr++; |
| 150 | } |
| 151 | return result; |
| 152 | } |
| 153 | |
| 154 | /* Append the given printf-style formatted string to the pString 'ps'. |
| 155 | * This is much cleaner (and faster) than the technique this file |
no test coverage detected