From 43dee6a14e5253829e2a67bf87ea9bfe9edad33c Mon Sep 17 00:00:00 2001 From: imp Date: Sun, 9 Feb 1997 05:19:03 +0000 Subject: Buffer overflow from OpenBSD: Rev 1.4 deraadt: (partial from full commit, other files not done yet) proactive bounds checking; help from millert Rev 1.5 millert: Possible buf oflow. Plus minor style nits to keep the style police happy (I hope) Obtained from: OpenBSD
---
 usr.sbin/lpr/common_source/displayq.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'usr.sbin/lpr')
diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c
index c3d5e53..a974d6f 100644
--- a/usr.sbin/lpr/common_source/displayq.c
+++ b/usr.sbin/lpr/common_source/displayq.c
@@ -199,13 +199,14 @@ displayq(format)
 */
 if (nitems)
 putchar('\n');
- (void) sprintf(line, "%c%s", format + '\3', RP);
+ (void) snprintf(line, sizeof(line), "%c%s", format + '\3', RP);
 cp = line;
- for (i = 0; i < requests; i++) {
+ for (i = 0; i < requests && cp-line+10 < sizeof(line); i++) {
 cp += strlen(cp);
 (void) sprintf(cp, " %d", requ[i]);
 }
- for (i = 0; i < users; i++) {
+ for (i = 0; i < users && cp - line + 1 + strlen(user[i]) <
+ sizeof(line); i++) {
 cp += strlen(cp);
 *cp++ = ' ';
 (void) strcpy(cp, user[i]);
@@ -295,8 +296,10 @@ inform(cf)
 default: /* some format specifer and file name? */
 if (line[0] < 'a' || line[0] > 'z')
 continue;
- if (j == 0 || strcmp(file, line+1) != 0)
- (void) strcpy(file, line+1);
+ if (j == 0 || strcmp(file, line+1) != 0) {
+ (void) strncpy(file, line+1, sizeof(file) - 1);
+ file[sizeof(file) - 1] = '\0';
+ }
 j++;
 continue;
 case 'N':
-- 
cgit v1.1
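Review bot: Both new loop guards in displayq() read `cp` before the `cp += strlen(cp)` in the loop body, so they measure where the previous item started rather than the current end of `line`. On the first pass of the requests loop `cp` is still `line`, so the test passes however much of the buffer `RP` has already filled, and the unbounded `sprintf(cp, " %d", ...)` and `strcpy(cp, user[i])` that remain can still write past `line`. The constant 10 is also smaller than the up to 13 bytes (terminator included) that `" %d"` can need for a 32-bit int. Bounding each append by the space actually left, as sketched below, removes the stale-pointer problem. The function continues outside the hunk, so anything appended to `line` after these loops needs its bytes counted as well.

```c
	cp = line + strlen(line);
	for (i = 0; i < requests; i++) {
		size_t left = sizeof(line) - (cp - line);
		int n = snprintf(cp, left, " %d", requ[i]);

		if (n < 0 || (size_t)n >= left) {
			*cp = '\0';	/* drop the partially written item */
			break;
		}
		cp += n;
	}
	for (i = 0; i < users; i++) {
		size_t left = sizeof(line) - (cp - line);
		int n = snprintf(cp, left, " %s", user[i]);

		if (n < 0 || (size_t)n >= left) {
			*cp = '\0';	/* drop the partially written item */
			break;
		}
		cp += n;
	}
```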
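Review bot: The bounded copy in inform() truncates an over-long name silently, and nothing in the hunk records that `file` may then differ from the name in the control file. Once truncated, `strcmp(file, line+1)` can never match that name again, so the copy is repeated on every matching line; that looks harmless here, but it is worth stating. I would add a comment above the copy such as `/* names longer than file[] are truncated; file may not equal line+1 afterwards */`. The enclosing switch starts and ends outside the hunk, so how `file` is used later cannot be checked from here.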