2021-06-30 22:44:03

by Samuel Thibault

Subject: [PATCH] speakup: replace sprintf() by scnprintf()

Replace sprintf() by scnprintf() in order to avoid buffer overflows.

Signed-off-by: Salah Triki <[email protected]>
Signed-off-by: Samuel Thibault <[email protected]>
---
drivers/accessibility/speakup/speakup_soft.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/accessibility/speakup/speakup_soft.c b/drivers/accessibility/speakup/speakup_soft.c
index c3f97c572fb6..19824e7006fe 100644
--- a/drivers/accessibility/speakup/speakup_soft.c
+++ b/drivers/accessibility/speakup/speakup_soft.c
@@ -153,18 +153,25 @@ static char *get_initstring(void)
static char buf[40];
char *cp;
struct var_t *var;
+ size_t len;
+ size_t n;

memset(buf, 0, sizeof(buf));
cp = buf;
+ len = sizeof(buf);
+
var = synth_soft.vars;
while (var->var_id != MAXVARS) {
if (var->var_id != CAPS_START && var->var_id != CAPS_STOP &&
- var->var_id != PAUSE && var->var_id != DIRECT)
- cp = cp + sprintf(cp, var->u.n.synth_fmt,
- var->u.n.value);
+ var->var_id != PAUSE && var->var_id != DIRECT) {
+ n = scnprintf(cp, len, var->u.n.synth_fmt,
+ var->u.n.value);
+ cp = cp + n;
+ len = len - n;
+ }
var++;
}
- cp = cp + sprintf(cp, "\n");
+ cp = cp + scnprintf(cp, len, "\n");
return buf;
}

--
2.25.1