Andrew's git / gitweb.git / diff
?
convert unchecked snprintf into xsnprintf
authorJeff King <peff@peff.net>
Tue, 28 Mar 2017 19:46:56 +0000 (15:46 -0400)
committerJunio C Hamano <gitster@pobox.com>
Thu, 30 Mar 2017 21:59:50 +0000 (14:59 -0700)
These calls to snprintf should always succeed, because their
input is small and fixed. Let's use xsnprintf to make sure
this is the case (and to make auditing for actual truncation
easier).

These could be candidates for turning into heap buffers, but
they fall into a few broad categories that make it not worth
doing:

- formatting single numbers is simple enough that we can
see the result should fit

- the size of a sha1 is likewise well-known, and I didn't
want to cause unnecessary conflicts with the ongoing
process to convert these constants to GIT_MAX_HEXSZ

- the interface for curl_errorstr is dictated by curl

Signed-off-by: Jeff King <peff@peff.net>
grep.c patch | blob | history
http.c patch | blob | history
imap-send.c patch | blob | history
sha1_file.c patch | blob | history
submodule.c patch | blob | history
diff --git a/grep.c b/grep.c
index 56ef0ecbfffd8531a5b88585efc0c9097e182ed6..47cee4506703f5dd2b7db84e09dae93adf99fbaf 100644 (file)
--- a/grep.c
+++ b/grep.c
@@ -1171,7 +1171,7 @@ static void show_line(struct grep_opt *opt, char *bol, char *eol,
        }
        if (opt->linenum) {
                char buf[32];
-               snprintf(buf, sizeof(buf), "%d", lno);
+               xsnprintf(buf, sizeof(buf), "%d", lno);
                output_color(opt, buf, strlen(buf), opt->color_lineno);
                output_sep(opt, sign);
        }
@@ -1653,7 +1653,7 @@ static int grep_source_1(struct grep_opt *opt, struct grep_source *gs, int colle
                                     opt->color_filename);
                        output_sep(opt, ':');
                }
-               snprintf(buf, sizeof(buf), "%u\n", count);
+               xsnprintf(buf, sizeof(buf), "%u\n", count);
                opt->output(opt, buf, strlen(buf));
                return 1;
        }
diff --git a/http.c b/http.c
index 96d84bbed3f66153cc3d817f2b342dc5d1600574..8d94e2c63ae30868c8676647b4524bedfd9eaddd 100644 (file)
--- a/http.c
+++ b/http.c
@@ -1366,9 +1366,9 @@ static int handle_curl_result(struct slot_results *results)
                 * FAILONERROR it is lost, so we can give only the numeric
                 * status code.
                 */
-               snprintf(curl_errorstr, sizeof(curl_errorstr),
-                        "The requested URL returned error: %ld",
-                        results->http_code);
+               xsnprintf(curl_errorstr, sizeof(curl_errorstr),
+                         "The requested URL returned error: %ld",
+                         results->http_code);
        }
 
        if (results->curl_result == CURLE_OK) {
@@ -1410,8 +1410,8 @@ int run_one_slot(struct active_request_slot *slot,
 {
        slot->results = results;
        if (!start_active_slot(slot)) {
-               snprintf(curl_errorstr, sizeof(curl_errorstr),
-                        "failed to start HTTP request");
+               xsnprintf(curl_errorstr, sizeof(curl_errorstr),
+                         "failed to start HTTP request");
                return HTTP_START_FAILED;
        }
 
diff --git a/imap-send.c b/imap-send.c
index 5c7e27a89459a9a63018cc469262c82891c6f7b7..857591660f485d65dec3390b22dd2083c94d7a44 100644 (file)
--- a/imap-send.c
+++ b/imap-send.c
@@ -964,7 +964,7 @@ static struct imap_store *imap_open_store(struct imap_server_conf *srvc, char *f
                int gai;
                char portstr[6];
 
-               snprintf(portstr, sizeof(portstr), "%d", srvc->port);
+               xsnprintf(portstr, sizeof(portstr), "%d", srvc->port);
 
                memset(&hints, 0, sizeof(hints));
                hints.ai_socktype = SOCK_STREAM;
diff --git a/sha1_file.c b/sha1_file.c
index 71063890ffe9cfe33f876dd8b2306458323c6f30..43990dec735099fd2e94cf73e41f318fbaf5dd38 100644 (file)
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -3762,8 +3762,8 @@ static int for_each_file_in_obj_subdir(int subdir_nr,
                        char hex[GIT_SHA1_HEXSZ+1];
                        struct object_id oid;
 
-                       snprintf(hex, sizeof(hex), "%02x%s",
-                                subdir_nr, de->d_name);
+                       xsnprintf(hex, sizeof(hex), "%02x%s",
+                                 subdir_nr, de->d_name);
                        if (!get_oid_hex(hex, &oid)) {
                                if (obj_cb) {
                                        r = obj_cb(&oid, path->buf, data);
diff --git a/submodule.c b/submodule.c
index 040f4c2287190cca706f9cd007c5942ae5c2b117..c9f39ebbe55ecfe88f26f43f83b01bd16c7c4962 100644 (file)
--- a/submodule.c
+++ b/submodule.c
@@ -1402,7 +1402,7 @@ static int find_first_merges(struct object_array *result, const char *path,
        memset(&rev_opts, 0, sizeof(rev_opts));
 
        /* get all revisions that merge commit a */
-       snprintf(merged_revision, sizeof(merged_revision), "^%s",
+       xsnprintf(merged_revision, sizeof(merged_revision), "^%s",
                        oid_to_hex(&a->object.oid));
        init_revisions(&revs, NULL);
        rev_opts.submodule = path;