Format string paranoia. This should avoid potential buffer overflows from

user input (in its ever-broadening definition).

Obtained from:	NetBSD

3 files changed, 29 insertions, 13 deletions

diff --git a/usr.bin/make/arch.c b/usr.bin/make/arch.c
index c4763bc7..eee9166 100644
--- a/usr.bin/make/arch.c
+++ b/usr.bin/make/arch.c
@@ -186,7 +186,7 @@ Arch_ParseArchive (linePtr, nodeLst, ctxt)
     GNode	    *gn;     	    /* New node */
     char	    *libName;  	    /* Library-part of specification */
     char	    *memName;  	    /* Member-part of specification */
-    char	    nameBuf[MAKE_BSIZE]; /* temporary place for node name */
+    char	    *nameBuf;	    /* temporary place for node name */
     char	    saveChar;  	    /* Ending delimiter of member-name */
     Boolean 	    subLibName;	    /* TRUE if libName should have/had
 				     * variable substitution performed on it */
@@ -299,6 +299,7 @@ Arch_ParseArchive (linePtr, nodeLst, ctxt)
 	    char    *buf;
 	    char    *sacrifice;
 	    char    *oldMemName = memName;
+	    size_t   sz;
 
 	    memName = Var_Subst(NULL, memName, ctxt, TRUE);
 
@@ -307,9 +308,11 @@ Arch_ParseArchive (linePtr, nodeLst, ctxt)
 	     * variables and multi-word variable values.... The results
 	     * are just placed at the end of the nodeLst we're returning.
 	     */
-	    buf = sacrifice = emalloc(strlen(memName)+strlen(libName)+3);
 
-	    sprintf(buf, "%s(%s)", libName, memName);
+	    sz = strlen(memName) + strlen(libName) + 3;
+	    buf = sacrifice = emalloc(sz);
+
+	    snprintf(buf, sz, "%s(%s)", libName, memName);
 
 	    if (strchr(memName, '$') && strcmp(memName, oldMemName) == 0) {
 		/*
@@ -341,15 +344,22 @@ Arch_ParseArchive (linePtr, nodeLst, ctxt)
 	} else if (Dir_HasWildcards(memName)) {
 	    Lst	  members = Lst_Init(FALSE);
 	    char  *member;
+	    size_t sz = MAXPATHLEN;
+	    size_t nsz;
+	    nameBuf = emalloc(sz);
 
 	    Dir_Expand(memName, dirSearchPath, members);
 	    while (!Lst_IsEmpty(members)) {
 		member = (char *)Lst_DeQueue(members);
+		nsz = strlen(libName) + strlen(member) + 3;
+		if (sz > nsz)
+			nameBuf = erealloc(nameBuf, sz = nsz * 2);
 
-		sprintf(nameBuf, "%s(%s)", libName, member);
+		snprintf(nameBuf, sz, "%s(%s)", libName, member);
 		free(member);
 		gn = Targ_FindNode (nameBuf, TARG_CREATE);
 		if (gn == NILGNODE) {
+		    free(nameBuf);
 		    return (FAILURE);
 		} else {
 		    /*
@@ -364,9 +374,13 @@ Arch_ParseArchive (linePtr, nodeLst, ctxt)
 		}
 	    }
 	    Lst_Destroy(members, NOFREE);
+	    free(nameBuf);
 	} else {
-	    sprintf(nameBuf, "%s(%s)", libName, memName);
+	    size_t sz = strlen(libName) + strlen(memName) + 3;
+	    nameBuf = emalloc(sz);
+	    snprintf(nameBuf, sz, "%s(%s)", libName, memName);
 	    gn = Targ_FindNode (nameBuf, TARG_CREATE);
+	    free(nameBuf);
 	    if (gn == NILGNODE) {
 		return (FAILURE);
 	    } else {
@@ -927,7 +941,7 @@ Arch_Touch (gn)
 			  &arh, "r+");
     efree(p1);
     efree(p2);
-    sprintf(arh.ar_date, "%-12ld", (long) now);
+    snprintf(arh.ar_date, sizeof(arh.ar_date), "%-12ld", (long) now);
 
     if (arch != NULL) {
 	(void)fwrite ((char *)&arh, sizeof (struct ar_hdr), 1, arch);
@@ -960,7 +974,7 @@ Arch_TouchLib (gn)
     struct utimbuf  times;	/* Times for utime() call */
 
     arch = ArchFindMember (gn->path, RANLIBMAG, &arh, "r+");
-    sprintf(arh.ar_date, "%-12ld", (long) now);
+    snprintf(arh.ar_date, sizeof(arh.ar_date), "%-12ld", (long) now);
 
     if (arch != NULL) {
 	(void)fwrite ((char *)&arh, sizeof (struct ar_hdr), 1, arch);
@@ -1096,9 +1110,11 @@ Arch_FindLib (gn, path)
     Lst	    	    path;	      /* Search path */
 {
     char	    *libName;   /* file name for archive */
+    size_t	    sz;
 
-    libName = (char *)emalloc (strlen (gn->name) + 6 - 2);
-    sprintf(libName, "lib%s.a", &gn->name[2]);
+    libName = (char *)emalloc(sz);
+    sz = strlen(gn->name) + 4;
+    snprintf(libName, sz, "lib%s.a", &gn->name[2]);
 
     gn->path = Dir_FindFile (libName, path);
 
diff --git a/usr.bin/make/main.c b/usr.bin/make/main.c
index 33719e8..97f4a85 100644
--- a/usr.bin/make/main.c
+++ b/usr.bin/make/main.c
@@ -928,7 +928,7 @@ ReadMakefile(p, q)
 	} else {
 		/* if we've chdir'd, rebuild the path name */
 		if (curdir != objdir && *fname != '/') {
-			(void)sprintf(path, "%s/%s", curdir, fname);
+			(void)snprintf(path, MAXPATHLEN, "%s/%s", curdir, fname);
 			if ((stream = fopen(path, "r")) != NULL) {
 				fname = path;
 				goto found;
diff --git a/usr.bin/make/util.c b/usr.bin/make/util.c
index 57ab0c0..80197b9 100644
--- a/usr.bin/make/util.c
+++ b/usr.bin/make/util.c
@@ -217,13 +217,13 @@ getwd(pathname)
 
 	/* open the parent directory */
 	if (stat(nextpathptr, &st_dotdot) == -1) {
-	    (void) sprintf(pathname,
+	    snprintf(pathname, sizeof(pathname),
 			    "getwd: Cannot stat directory \"%s\" (%s)",
 			    nextpathptr, strerror(errno));
 	    return (NULL);
 	}
 	if ((dp = opendir(nextpathptr)) == NULL) {
-	    (void) sprintf(pathname,
+	     snprintf(pathname, sizeof(pathname),
 			    "getwd: Cannot open directory \"%s\" (%s)",
 			    nextpathptr, strerror(errno));
 	    return (NULL);
@@ -246,7 +246,7 @@ getwd(pathname)
 		    continue;
 		(void) strcpy(cur_name_add, d->d_name);
 		if (lstat(nextpathptr, &st_next) == -1) {
-		    (void) sprintf(pathname, "getwd: Cannot stat \"%s\" (%s)",
+		    snprintf(pathname, sizeof(pathname), "getwd: Cannot stat \"%s\" (%s)",
 				    d->d_name, strerror(errno));
 		    (void) closedir(dp);
 		    return (NULL);