net-print/epson-inkjet-printer-escpr/files/epson-inkjet-printer-escpr-1.8.6-snprintf.patch - chromiumos/overlays/chromiumos-overlay - Git at Google

 Replace a fixed-size buffer with one large enough to
 hold all the possible max-length parameter strings and
 use snprintf to ensure it never overflows.

 See b/410000713

 --- a/src/wrapper.c
 +++ b/src/wrapper.c
 @@ -318,9 +318,10 @@

  		if (pfp == NULL)
  		{
 -			char tmpbuf[256];
 +			char tmpbuf[1024];
 +			int n;

 -			sprintf (tmpbuf, "%s/%s \"%s\" %d %d %d %s %s %s %s %s %s %s %s %s",
 +			n = snprintf (tmpbuf, sizeof(tmpbuf), "%s/%s \"%s\" %d %d %d %s %s %s %s %s %s %s %s %s",
  				 CUPS_FILTER_PATH,
  				 CUPS_FILTER_NAME,
  				 fopt.model,
 @@ -337,6 +338,12 @@
  				 fopt.saturation,
  				 fopt.quietmode
  			);
 +			if (n >= sizeof(tmpbuf))
 +			{
 +				debug_msg("snprintf needed %d\n", n);
 +				return 1;
 +			}
 +

  			debug_msg("tmpbuf = [%s]\n", tmpbuf);
	Replace a fixed-size buffer with one large enough to
	hold all the possible max-length parameter strings and
	use snprintf to ensure it never overflows.

	See b/410000713

	--- a/src/wrapper.c
	+++ b/src/wrapper.c
	@@ -318,9 +318,10 @@

	if (pfp == NULL)
	{
	- char tmpbuf[256];
	+ char tmpbuf[1024];
	+ int n;

	- sprintf (tmpbuf, "%s/%s \"%s\" %d %d %d %s %s %s %s %s %s %s %s %s",
	+ n = snprintf (tmpbuf, sizeof(tmpbuf), "%s/%s \"%s\" %d %d %d %s %s %s %s %s %s %s %s %s",
	CUPS_FILTER_PATH,
	CUPS_FILTER_NAME,
	fopt.model,
	@@ -337,6 +338,12 @@
	fopt.saturation,
	fopt.quietmode
	);
	+ if (n >= sizeof(tmpbuf))
	+ {
	+ debug_msg("snprintf needed %d\n", n);
	+ return 1;
	+ }
	+

	debug_msg("tmpbuf = [%s]\n", tmpbuf);