aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--audio/audio.c18
-rw-r--r--block-vmdk.c17
-rw-r--r--block-vvfat.c10
-rw-r--r--dis-asm.h1
-rw-r--r--gdbstub.c29
-rw-r--r--hw/sun4m.c15
-rw-r--r--hw/sun4u.c15
-rw-r--r--hw/usb-net.c8
-rw-r--r--hw/vga.c8
-rw-r--r--i386-dis.c94
-rw-r--r--monitor.c10
-rw-r--r--qemu-malloc.c5
-rw-r--r--slirp/misc.c5
-rw-r--r--slirp/slirp.c2
-rw-r--r--slirp/tcp_subr.c44
-rw-r--r--slirp/tftp.c7
-rw-r--r--vl.c19
17 files changed, 170 insertions, 137 deletions
diff --git a/audio/audio.c b/audio/audio.c
index 84eaa83..20bb2fc 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -211,8 +211,8 @@ static char *audio_alloc_prefix (const char *s)
size_t i;
char *u = r + sizeof (qemu_prefix) - 1;
- strcpy (r, qemu_prefix);
- strcat (r, s);
+ pstrcpy (r, len + sizeof (qemu_prefix), qemu_prefix);
+ pstrcat (r, len, s);
for (i = 0; i < len; ++i) {
u[i] = toupper (u[i]);
@@ -430,7 +430,7 @@ static void audio_process_options (const char *prefix,
{
char *optname;
const char qemu_prefix[] = "QEMU_";
- size_t preflen;
+ size_t preflen, optlen;
if (audio_bug (AUDIO_FUNC, !prefix)) {
dolog ("prefix = NULL\n");
@@ -458,21 +458,25 @@ static void audio_process_options (const char *prefix,
/* len of opt->name + len of prefix + size of qemu_prefix
* (includes trailing zero) + zero + underscore (on behalf of
* sizeof) */
- optname = qemu_malloc (len + preflen + sizeof (qemu_prefix) + 1);
+ optlen = len + preflen + sizeof (qemu_prefix) + 1;
+ optname = qemu_malloc (optlen);
if (!optname) {
dolog ("Could not allocate memory for option name `%s'\n",
opt->name);
continue;
}
- strcpy (optname, qemu_prefix);
+ pstrcpy (optname, optlen, qemu_prefix);
+ optlen -= preflen;
/* copy while upper-casing, including trailing zero */
for (i = 0; i <= preflen; ++i) {
optname[i + sizeof (qemu_prefix) - 1] = toupper (prefix[i]);
}
- strcat (optname, "_");
- strcat (optname, opt->name);
+ pstrcat (optname, optlen, "_");
+ optlen--;
+ pstrcat (optname, optlen, opt->name);
+ optlen -= len;
def = 1;
switch (opt->tag) {
diff --git a/block-vmdk.c b/block-vmdk.c
index 7eb9c3c..e85bd42 100644
--- a/block-vmdk.c
+++ b/block-vmdk.c
@@ -153,11 +153,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
return -1;
tmp_str = strstr(desc,"parentCID");
- strcpy(tmp_desc, tmp_str);
+ pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
if ((p_name = strstr(desc,"CID")) != 0) {
p_name += sizeof("CID");
- sprintf(p_name,"%x\n",cid);
- strcat(desc,tmp_desc);
+ snprintf(p_name, sizeof(desc) - (p_name - desc), "%x\n", cid);
+ pstrcat(desc, sizeof(desc), tmp_desc);
}
if (bdrv_pwrite(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE)
@@ -252,8 +252,8 @@ static int vmdk_snapshot_create(const char *filename, const char *backing_file)
if ((temp_str = strrchr(real_filename, ':')) != NULL)
real_filename = temp_str + 1;
- sprintf(s_desc, desc_template, p_cid, p_cid, backing_file
- , (uint32_t)header.capacity, real_filename);
+ snprintf(s_desc, sizeof(s_desc), desc_template, p_cid, p_cid, backing_file,
+ (uint32_t)header.capacity, real_filename);
/* write the descriptor */
if (lseek(snp_fd, 0x200, SEEK_SET) == -1)
@@ -349,7 +349,8 @@ static int vmdk_parent_open(BlockDriverState *bs, const char * filename)
path_combine(parent_img_name, sizeof(parent_img_name),
filename, s->hd->backing_file);
} else {
- strcpy(parent_img_name, s->hd->backing_file);
+ pstrcpy(parent_img_name, sizeof(parent_img_name),
+ s->hd->backing_file);
}
s->hd->backing_hd = bdrv_new("");
@@ -790,8 +791,8 @@ static int vmdk_create(const char *filename, int64_t total_size,
real_filename = temp_str + 1;
if ((temp_str = strrchr(real_filename, ':')) != NULL)
real_filename = temp_str + 1;
- sprintf(desc, desc_template, time(NULL), (unsigned long)total_size,
- real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16));
+ snprintf(desc, sizeof(desc), desc_template, time(NULL), (unsigned long)total_size,
+ real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16));
/* write the descriptor */
lseek(fd, le64_to_cpu(header.desc_offset) << 9, SEEK_SET);
diff --git a/block-vvfat.c b/block-vvfat.c
index 6de76c6..79804a7 100644
--- a/block-vvfat.c
+++ b/block-vvfat.c
@@ -1733,7 +1733,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
char path2[PATH_MAX];
assert(path_len < PATH_MAX); /* len was tested before! */
- strcpy(path2, path);
+ pstrcpy(path2, sizeof(path2), path);
path2[path_len] = '/';
path2[path_len + 1] = '\0';
@@ -1807,7 +1807,8 @@ DLOG(fprintf(stderr, "check direntry %d: \n", i); print_direntry(direntries + i)
fprintf(stderr, "Name too long: %s/%s\n", path, lfn.name);
goto fail;
}
- strcpy(path2 + path_len + 1, (char*)lfn.name);
+ pstrcpy(path2 + path_len + 1, sizeof(path2) - path_len - 1,
+ (char*)lfn.name);
if (is_directory(direntries + i)) {
if (begin_of_direntry(direntries + i) == 0) {
@@ -2372,8 +2373,9 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s)
assert(!strncmp(m->path, mapping->path, l2));
- strcpy(new_path, mapping->path);
- strcpy(new_path + l1, m->path + l2);
+ pstrcpy(new_path, l + diff + 1, mapping->path);
+ pstrcpy(new_path + l1, l + diff + 1 - l1,
+ m->path + l2);
schedule_rename(s, m->begin, new_path);
}
diff --git a/dis-asm.h b/dis-asm.h
index 9f2e9a6..1ba86dd 100644
--- a/dis-asm.h
+++ b/dis-asm.h
@@ -20,6 +20,7 @@ typedef uint64_t bfd_vma;
typedef int64_t bfd_signed_vma;
typedef uint8_t bfd_byte;
#define sprintf_vma(s,x) sprintf (s, "%0" PRIx64, x)
+#define snprintf_vma(s,ss,x) snprintf (s, ss, "%0" PRIx64, x)
#define BFD64
diff --git a/gdbstub.c b/gdbstub.c
index 3f062be..98dd889 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -1173,10 +1173,10 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf)
/* parse any 'q' packets here */
if (!strcmp(p,"qemu.sstepbits")) {
/* Query Breakpoint bit definitions */
- sprintf(buf,"ENABLE=%x,NOIRQ=%x,NOTIMER=%x",
- SSTEP_ENABLE,
- SSTEP_NOIRQ,
- SSTEP_NOTIMER);
+ snprintf(buf, sizeof(buf), "ENABLE=%x,NOIRQ=%x,NOTIMER=%x",
+ SSTEP_ENABLE,
+ SSTEP_NOIRQ,
+ SSTEP_NOTIMER);
put_packet(s, buf);
break;
} else if (strncmp(p,"qemu.sstep",10) == 0) {
@@ -1184,7 +1184,7 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf)
p += 10;
if (*p != '=') {
/* Display current setting */
- sprintf(buf,"0x%x", sstep_flags);
+ snprintf(buf, sizeof(buf), "0x%x", sstep_flags);
put_packet(s, buf);
break;
}
@@ -1198,12 +1198,12 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf)
else if (strncmp(p, "Offsets", 7) == 0) {
TaskState *ts = env->opaque;
- sprintf(buf,
- "Text=" TARGET_ABI_FMT_lx ";Data=" TARGET_ABI_FMT_lx
- ";Bss=" TARGET_ABI_FMT_lx,
- ts->info->code_offset,
- ts->info->data_offset,
- ts->info->data_offset);
+ snprintf(buf, sizeof(buf),
+ "Text=" TARGET_ABI_FMT_lx ";Data=" TARGET_ABI_FMT_lx
+ ";Bss=" TARGET_ABI_FMT_lx,
+ ts->info->code_offset,
+ ts->info->data_offset,
+ ts->info->data_offset);
put_packet(s, buf);
break;
}
@@ -1286,17 +1286,18 @@ void gdb_do_syscall(gdb_syscall_complete_cb cb, char *fmt, ...)
switch (*fmt++) {
case 'x':
addr = va_arg(va, target_ulong);
- p += sprintf(p, TARGET_FMT_lx, addr);
+ p += snprintf(p, &buf[sizeof(buf)] - p, TARGET_FMT_lx, addr);
break;
case 'l':
if (*(fmt++) != 'x')
goto bad_format;
i64 = va_arg(va, uint64_t);
- p += sprintf(p, "%" PRIx64, i64);
+ p += snprintf(p, &buf[sizeof(buf)] - p, "%" PRIx64, i64);
break;
case 's':
addr = va_arg(va, target_ulong);
- p += sprintf(p, TARGET_FMT_lx "/%x", addr, va_arg(va, int));
+ p += snprintf(p, &buf[sizeof(buf)] - p, TARGET_FMT_lx "/%x",
+ addr, va_arg(va, int));
break;
default:
bad_format:
diff --git a/hw/sun4m.c b/hw/sun4m.c
index 33abf01..21f8899 100644
--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -159,7 +159,8 @@ static int nvram_boot_set(void *opaque, const char *boot_device)
for (i = 0; i < sizeof(image); i++)
image[i] = m48t59_read(nvram, i) & 0xff;
- strcpy((char *)header->boot_devices, boot_device);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_device);
header->nboot_devices = strlen(boot_device) & 0xff;
header->crc = cpu_to_be16(OHW_compute_crc(header, 0x00, 0xF8));
@@ -187,17 +188,19 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline,
memset(image, '\0', sizeof(image));
// Try to match PPC NVRAM
- strcpy((char *)header->struct_ident, "QEMU_BIOS");
+ pstrcpy((char *)header->struct_ident, sizeof(header->struct_ident),
+ "QEMU_BIOS");
header->struct_version = cpu_to_be32(3); /* structure v3 */
header->nvram_size = cpu_to_be16(0x2000);
header->nvram_arch_ptr = cpu_to_be16(sizeof(ohwcfg_v3_t));
header->nvram_arch_size = cpu_to_be16(sizeof(struct sparc_arch_cfg));
- strcpy((char *)header->arch, arch);
+ pstrcpy((char *)header->arch, sizeof(header->arch), arch);
header->nb_cpus = smp_cpus & 0xff;
header->RAM0_base = 0;
header->RAM0_size = cpu_to_be64((uint64_t)RAM_size);
- strcpy((char *)header->boot_devices, boot_devices);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_devices);
header->nboot_devices = strlen(boot_devices) & 0xff;
header->kernel_image = cpu_to_be64((uint64_t)KERNEL_LOAD_ADDR);
header->kernel_size = cpu_to_be64((uint64_t)kernel_size);
@@ -225,7 +228,7 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline,
// Variable partition
part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
part_header->signature = OPENBIOS_PART_SYSTEM;
- strcpy(part_header->name, "system");
+ pstrcpy(part_header->name, sizeof(part_header->name), "system");
end = start + sizeof(struct OpenBIOS_nvpart_v1);
for (i = 0; i < nb_prom_envs; i++)
@@ -241,7 +244,7 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline,
start = end;
part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
part_header->signature = OPENBIOS_PART_FREE;
- strcpy(part_header->name, "free");
+ pstrcpy(part_header->name, sizeof(part_header->name), "free");
end = 0x1fd0;
OpenBIOS_finish_partition(part_header, end - start);
diff --git a/hw/sun4u.c b/hw/sun4u.c
index 71b5c79..42a765d 100644
--- a/hw/sun4u.c
+++ b/hw/sun4u.c
@@ -82,7 +82,8 @@ static int nvram_boot_set(void *opaque, const char *boot_device)
for (i = 0; i < sizeof(image); i++)
image[i] = m48t59_read(nvram, i) & 0xff;
- strcpy((char *)header->boot_devices, boot_device);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_device);
header->nboot_devices = strlen(boot_device) & 0xff;
header->crc = cpu_to_be16(OHW_compute_crc(header, 0x00, 0xF8));
@@ -115,17 +116,19 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size,
memset(image, '\0', sizeof(image));
// Try to match PPC NVRAM
- strcpy((char *)header->struct_ident, "QEMU_BIOS");
+ pstrcpy((char *)header->struct_ident, sizeof(header->struct_ident),
+ "QEMU_BIOS");
header->struct_version = cpu_to_be32(3); /* structure v3 */
header->nvram_size = cpu_to_be16(NVRAM_size);
header->nvram_arch_ptr = cpu_to_be16(sizeof(ohwcfg_v3_t));
header->nvram_arch_size = cpu_to_be16(sizeof(struct sparc_arch_cfg));
- strcpy((char *)header->arch, arch);
+ pstrcpy((char *)header->arch, sizeof(header->arch), arch);
header->nb_cpus = smp_cpus & 0xff;
header->RAM0_base = 0;
header->RAM0_size = cpu_to_be64((uint64_t)RAM_size);
- strcpy((char *)header->boot_devices, boot_devices);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_devices);
header->nboot_devices = strlen(boot_devices) & 0xff;
header->kernel_image = cpu_to_be64((uint64_t)kernel_image);
header->kernel_size = cpu_to_be64((uint64_t)kernel_size);
@@ -156,7 +159,7 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size,
// Variable partition
part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
part_header->signature = OPENBIOS_PART_SYSTEM;
- strcpy(part_header->name, "system");
+ pstrcpy(part_header->name, sizeof(part_header->name), "system");
end = start + sizeof(struct OpenBIOS_nvpart_v1);
for (i = 0; i < nb_prom_envs; i++)
@@ -172,7 +175,7 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size,
start = end;
part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
part_header->signature = OPENBIOS_PART_FREE;
- strcpy(part_header->name, "free");
+ pstrcpy(part_header->name, sizeof(part_header->name), "free");
end = 0x1fd0;
OpenBIOS_finish_partition(part_header, end - start);
diff --git a/hw/usb-net.c b/hw/usb-net.c
index 7c25f3d..27dea10 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -625,7 +625,8 @@ typedef struct USBNetState {
} USBNetState;
static int ndis_query(USBNetState *s, uint32_t oid,
- uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf)
+ uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf,
+ size_t outlen)
{
unsigned int i, count;
@@ -680,7 +681,7 @@ static int ndis_query(USBNetState *s, uint32_t oid,
/* mandatory */
case OID_GEN_VENDOR_DESCRIPTION:
- strcpy(outbuf, "QEMU USB RNDIS Net");
+ pstrcpy(outbuf, outlen, "QEMU USB RNDIS Net");
return strlen(outbuf) + 1;
case OID_GEN_VENDOR_DRIVER_VERSION:
@@ -882,7 +883,8 @@ static int rndis_query_response(USBNetState *s,
return USB_RET_STALL;
infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
- bufoffs + (uint8_t *) buf, buflen, infobuf);
+ bufoffs + (uint8_t *) buf, buflen, infobuf,
+ sizeof(infobuf));
resplen = sizeof(rndis_query_cmplt_type) +
((infobuflen < 0) ? 0 : infobuflen);
resp = rndis_queue_response(s, resplen);
diff --git a/hw/vga.c b/hw/vga.c
index 5a3203c..eb0bae8 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -1726,7 +1726,8 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
if (!full_update)
return;
- sprintf(msg_buffer, "%i x %i Text mode", width, height);
+ snprintf(msg_buffer, sizeof(msg_buffer), "%i x %i Text mode",
+ width, height);
break;
}
@@ -1799,14 +1800,15 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
return;
s->get_resolution(s, &width, &height);
- sprintf(msg_buffer, "%i x %i Graphic mode", width, height);
+ snprintf(msg_buffer, sizeof(msg_buffer), "%i x %i Graphic mode",
+ width, height);
break;
case GMODE_BLANK:
default:
if (!full_update)
return;
- sprintf(msg_buffer, "VGA Blank mode");
+ snprintf(msg_buffer, sizeof(msg_buffer), "VGA Blank mode");
break;
}
diff --git a/i386-dis.c b/i386-dis.c
index f8abf74..0c97e1c 100644
--- a/i386-dis.c
+++ b/i386-dis.c
@@ -37,6 +37,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
#include <stdlib.h>
#include "dis-asm.h"
+#include "qemu-common.h"
#define MAXLEN 20
@@ -59,7 +60,8 @@ static int putop PARAMS ((const char *, int));
static void oappend PARAMS ((const char *));
static void append_seg PARAMS ((void));
static void OP_indirE PARAMS ((int, int));
-static void print_operand_value PARAMS ((char *, int, bfd_vma));
+static void print_operand_value (char *buf, size_t bufsize, int hex,
+ bfd_vma disp);
static void OP_E PARAMS ((int, int));
static void OP_G PARAMS ((int, int));
static bfd_vma get64 PARAMS ((void));
@@ -2512,7 +2514,7 @@ dofloat (sizeflag)
/* Instruction fnstsw is only one with strange arg. */
if (floatop == 0xdf && codep[-1] == 0xe0)
- strcpy (op1out, names16[0]);
+ pstrcpy (op1out, sizeof(op1out), names16[0]);
}
else
{
@@ -2540,7 +2542,7 @@ OP_STi (bytemode, sizeflag)
int bytemode;
int sizeflag;
{
- sprintf (scratchbuf, "%%st(%d)", rm);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%st(%d)", rm);
oappend (scratchbuf + intel_syntax);
}
@@ -2573,7 +2575,7 @@ putop (template, sizeflag)
if (*p == '}')
{
/* Alternative not valid. */
- strcpy (obuf, "(bad)");
+ pstrcpy (obuf, sizeof(obuf), "(bad)");
obufp = obuf + 5;
return 1;
}
@@ -2824,7 +2826,7 @@ static void
oappend (s)
const char *s;
{
- strcpy (obufp, s);
+ pstrcpy (obufp, (size_t)(obufp - obuf), s);
obufp += strlen (s);
}
@@ -2874,10 +2876,7 @@ OP_indirE (bytemode, sizeflag)
}
static void
-print_operand_value (buf, hex, disp)
- char *buf;
- int hex;
- bfd_vma disp;
+print_operand_value (char *buf, size_t bufsize, int hex, bfd_vma disp)
{
if (mode_64bit)
{
@@ -2887,9 +2886,9 @@ print_operand_value (buf, hex, disp)
int i;
buf[0] = '0';
buf[1] = 'x';
- sprintf_vma (tmp, disp);
+ snprintf_vma (tmp, sizeof(tmp), disp);
for (i = 0; tmp[i] == '0' && tmp[i + 1]; i++);
- strcpy (buf + 2, tmp + i);
+ pstrcpy (buf + 2, bufsize - 2, tmp + i);
}
else
{
@@ -2903,13 +2902,13 @@ print_operand_value (buf, hex, disp)
/* Check for possible overflow on 0x8000000000000000. */
if (v < 0)
{
- strcpy (buf, "9223372036854775808");
+ pstrcpy (buf, bufsize, "9223372036854775808");
return;
}
}
if (!v)
{
- strcpy (buf, "0");
+ pstrcpy (buf, bufsize, "0");
return;
}
@@ -2921,15 +2920,15 @@ print_operand_value (buf, hex, disp)
v /= 10;
i++;
}
- strcpy (buf, tmp + 29 - i);
+ pstrcpy (buf, bufsize, tmp + 29 - i);
}
}
else
{
if (hex)
- sprintf (buf, "0x%x", (unsigned int) disp);
+ snprintf (buf, bufsize, "0x%x", (unsigned int) disp);
else
- sprintf (buf, "%d", (int) disp);
+ snprintf (buf, bufsize, "%d", (int) disp);
}
}
@@ -3054,7 +3053,7 @@ OP_E (bytemode, sizeflag)
if (!intel_syntax)
if (mod != 0 || (base & 7) == 5)
{
- print_operand_value (scratchbuf, !riprel, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), !riprel, disp);
oappend (scratchbuf);
if (riprel)
{
@@ -3115,14 +3114,14 @@ OP_E (bytemode, sizeflag)
*obufp++ = separator_char;
*obufp = '\0';
}
- sprintf (scratchbuf, "%s",
- mode_64bit && (sizeflag & AFLAG)
- ? names64[index] : names32[index]);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%s",
+ mode_64bit && (sizeflag & AFLAG)
+ ? names64[index] : names32[index]);
}
else
- sprintf (scratchbuf, ",%s",
- mode_64bit && (sizeflag & AFLAG)
- ? names64[index] : names32[index]);
+ snprintf (scratchbuf, sizeof(scratchbuf), ",%s",
+ mode_64bit && (sizeflag & AFLAG)
+ ? names64[index] : names32[index]);
oappend (scratchbuf);
}
if (!intel_syntax
@@ -3133,7 +3132,7 @@ OP_E (bytemode, sizeflag)
{
*obufp++ = scale_char;
*obufp = '\0';
- sprintf (scratchbuf, "%d", 1 << scale);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%d", 1 << scale);
oappend (scratchbuf);
}
}
@@ -3149,7 +3148,8 @@ OP_E (bytemode, sizeflag)
*obufp = '\0';
}
- print_operand_value (scratchbuf, 0, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 0,
+ disp);
oappend (scratchbuf);
}
}
@@ -3169,7 +3169,7 @@ OP_E (bytemode, sizeflag)
oappend (names_seg[ds_reg - es_reg]);
oappend (":");
}
- print_operand_value (scratchbuf, 1, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, disp);
oappend (scratchbuf);
}
}
@@ -3202,7 +3202,7 @@ OP_E (bytemode, sizeflag)
if (!intel_syntax)
if (mod != 0 || (rm & 7) == 6)
{
- print_operand_value (scratchbuf, 0, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 0, disp);
oappend (scratchbuf);
}
@@ -3504,7 +3504,7 @@ OP_I (bytemode, sizeflag)
op &= mask;
scratchbuf[0] = '$';
- print_operand_value (scratchbuf + 1, 1, op);
+ print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op);
oappend (scratchbuf + intel_syntax);
scratchbuf[0] = '\0';
}
@@ -3557,7 +3557,7 @@ OP_I64 (bytemode, sizeflag)
op &= mask;
scratchbuf[0] = '$';
- print_operand_value (scratchbuf + 1, 1, op);
+ print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op);
oappend (scratchbuf + intel_syntax);
scratchbuf[0] = '\0';
}
@@ -3609,7 +3609,7 @@ OP_sI (bytemode, sizeflag)
}
scratchbuf[0] = '$';
- print_operand_value (scratchbuf + 1, 1, op);
+ print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op);
oappend (scratchbuf + intel_syntax);
}
@@ -3647,7 +3647,7 @@ OP_J (bytemode, sizeflag)
}
disp = (start_pc + codep - start_codep + disp) & mask;
set_op (disp, 0);
- print_operand_value (scratchbuf, 1, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, disp);
oappend (scratchbuf);
}
@@ -3678,9 +3678,9 @@ OP_DIR (dummy, sizeflag)
}
used_prefixes |= (prefixes & PREFIX_DATA);
if (intel_syntax)
- sprintf (scratchbuf, "0x%x,0x%x", seg, offset);
+ snprintf (scratchbuf, sizeof(scratchbuf), "0x%x,0x%x", seg, offset);
else
- sprintf (scratchbuf, "$0x%x,$0x%x", seg, offset);
+ snprintf (scratchbuf, sizeof(scratchbuf), "$0x%x,$0x%x", seg, offset);
oappend (scratchbuf);
}
@@ -3707,7 +3707,7 @@ OP_OFF (bytemode, sizeflag)
oappend (":");
}
}
- print_operand_value (scratchbuf, 1, off);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, off);
oappend (scratchbuf);
}
@@ -3737,7 +3737,7 @@ OP_OFF64 (bytemode, sizeflag)
oappend (":");
}
}
- print_operand_value (scratchbuf, 1, off);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, off);
oappend (scratchbuf);
}
@@ -3806,7 +3806,7 @@ OP_C (dummy, sizeflag)
USED_REX (REX_EXTX);
if (rex & REX_EXTX)
add = 8;
- sprintf (scratchbuf, "%%cr%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%cr%d", reg + add);
oappend (scratchbuf + intel_syntax);
}
@@ -3820,9 +3820,9 @@ OP_D (dummy, sizeflag)
if (rex & REX_EXTX)
add = 8;
if (intel_syntax)
- sprintf (scratchbuf, "db%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "db%d", reg + add);
else
- sprintf (scratchbuf, "%%db%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%db%d", reg + add);
oappend (scratchbuf);
}
@@ -3831,7 +3831,7 @@ OP_T (dummy, sizeflag)
int dummy;
int sizeflag;
{
- sprintf (scratchbuf, "%%tr%d", reg);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%tr%d", reg);
oappend (scratchbuf + intel_syntax);
}
@@ -3857,9 +3857,9 @@ OP_MMX (bytemode, sizeflag)
add = 8;
used_prefixes |= (prefixes & PREFIX_DATA);
if (prefixes & PREFIX_DATA)
- sprintf (scratchbuf, "%%xmm%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", reg + add);
else
- sprintf (scratchbuf, "%%mm%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%mm%d", reg + add);
oappend (scratchbuf + intel_syntax);
}
@@ -3872,7 +3872,7 @@ OP_XMM (bytemode, sizeflag)
USED_REX (REX_EXTX);
if (rex & REX_EXTX)
add = 8;
- sprintf (scratchbuf, "%%xmm%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", reg + add);
oappend (scratchbuf + intel_syntax);
}
@@ -3896,9 +3896,9 @@ OP_EM (bytemode, sizeflag)
codep++;
used_prefixes |= (prefixes & PREFIX_DATA);
if (prefixes & PREFIX_DATA)
- sprintf (scratchbuf, "%%xmm%d", rm + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", rm + add);
else
- sprintf (scratchbuf, "%%mm%d", rm + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%mm%d", rm + add);
oappend (scratchbuf + intel_syntax);
}
@@ -3920,7 +3920,7 @@ OP_EX (bytemode, sizeflag)
/* Skip mod/rm byte. */
MODRM_CHECK;
codep++;
- sprintf (scratchbuf, "%%xmm%d", rm + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", rm + add);
oappend (scratchbuf + intel_syntax);
}
@@ -4079,8 +4079,8 @@ OP_SIMD_Suffix (bytemode, sizeflag)
suffix1 = 's', suffix2 = 'd';
}
}
- sprintf (scratchbuf, "cmp%s%c%c",
- simd_cmp_op[cmp_type], suffix1, suffix2);
+ snprintf (scratchbuf, sizeof(scratchbuf), "cmp%s%c%c",
+ simd_cmp_op[cmp_type], suffix1, suffix2);
used_prefixes |= (prefixes & PREFIX_REPZ);
oappend (scratchbuf);
}
diff --git a/monitor.c b/monitor.c
index 47c5514..e71f49e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2251,7 +2251,7 @@ static void monitor_handle_command(const char *cmdline)
goto fail;
}
str = qemu_malloc(strlen(buf) + 1);
- strcpy(str, buf);
+ pstrcpy(str, sizeof(buf), buf);
str_allocated[nb_args] = str;
add_str:
if (nb_args >= MAX_ARGS) {
@@ -2518,7 +2518,7 @@ static void file_completion(const char *input)
if (!p) {
input_path_len = 0;
pstrcpy(file_prefix, sizeof(file_prefix), input);
- strcpy(path, ".");
+ pstrcpy(path, sizeof(path), ".");
} else {
input_path_len = p - input + 1;
memcpy(path, input, input_path_len);
@@ -2540,13 +2540,15 @@ static void file_completion(const char *input)
break;
if (strstart(d->d_name, file_prefix, NULL)) {
memcpy(file, input, input_path_len);
- strcpy(file + input_path_len, d->d_name);
+ if (input_path_len < sizeof(file))
+ pstrcpy(file + input_path_len, sizeof(file) - input_path_len,
+ d->d_name);
/* stat the file to find out if it's a directory.
* In that case add a slash to speed up typing long paths
*/
stat(file, &sb);
if(S_ISDIR(sb.st_mode))
- strcat(file, "/");
+ pstrcat(file, sizeof(file), "/");
add_completion(file);
}
}
diff --git a/qemu-malloc.c b/qemu-malloc.c
index 606eda6..8ad6168 100644
--- a/qemu-malloc.c
+++ b/qemu-malloc.c
@@ -56,9 +56,10 @@ void *qemu_mallocz(size_t size)
char *qemu_strdup(const char *str)
{
char *ptr;
- ptr = qemu_malloc(strlen(str) + 1);
+ size_t len = strlen(str);
+ ptr = qemu_malloc(len + 1);
if (!ptr)
return NULL;
- strcpy(ptr, str);
+ pstrcpy(ptr, len, str);
return ptr;
}
diff --git a/slirp/misc.c b/slirp/misc.c
index 337f8a8..032a1f7 100644
--- a/slirp/misc.c
+++ b/slirp/misc.c
@@ -417,8 +417,9 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
{
char buff[256];
- sprintf(buff, "Error: execvp of %s failed: %s\n",
- argv[0], strerror(errno));
+ snprintf(buff, sizeof(buff),
+ "Error: execvp of %s failed: %s\n",
+ argv[0], strerror(errno));
write(2, buff, strlen(buff)+1);
}
close(0); close(1); close(2); /* XXX */
diff --git a/slirp/slirp.c b/slirp/slirp.c
index 158fd7d..a975b3e 100644
--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -84,7 +84,7 @@ static int get_dns_addr(struct in_addr *pdns_addr)
static int get_dns_addr(struct in_addr *pdns_addr)
{
char buff[512];
- char buff2[256];
+ char buff2[257];
FILE *f;
int found = 0;
struct in_addr tmp_addr;
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index ba1296d..ec423b7 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -629,7 +629,7 @@ tcp_emu(so, m)
struct mbuf *m;
{
u_int n1, n2, n3, n4, n5, n6;
- char buff[256];
+ char buff[257];
u_int32_t laddr;
u_int lport;
char *bptr;
@@ -673,7 +673,9 @@ tcp_emu(so, m)
}
}
}
- so_rcv->sb_cc = sprintf(so_rcv->sb_data, "%d,%d\r\n", n1, n2);
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ so_rcv->sb_datalen,
+ "%d,%d\r\n", n1, n2);
so_rcv->sb_rptr = so_rcv->sb_data;
so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
@@ -1007,8 +1009,9 @@ do_prompt:
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
- n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size - m->m_len,
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
return 1;
} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
/*
@@ -1038,8 +1041,9 @@ do_prompt:
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
- n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size - m->m_len,
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
return 1;
}
@@ -1062,7 +1066,8 @@ do_prompt:
}
if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
(so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = sprintf(m->m_data, "%d", ntohs(so->so_fport))+1;
+ m->m_len = snprintf(m->m_data, m->m_hdr.mh_size, "%d",
+ ntohs(so->so_fport)) + 1;
return 1;
case EMU_IRC:
@@ -1079,25 +1084,28 @@ do_prompt:
return 1;
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), 1);
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size,
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
if ((so = solisten(0, htonl(laddr), htons(lport), SS_FACCEPTONCE)) == NULL)
return 1;
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n",
- buff, (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size,
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
if ((so = solisten(0, htonl(laddr), htons(lport), SS_FACCEPTONCE)) == NULL)
return 1;
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n",
- buff, (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size,
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
}
return 1;
@@ -1285,8 +1293,8 @@ tcp_ctl(so)
/* FALLTHROUGH */
case CTL_ALIAS:
- sb->sb_cc = sprintf(sb->sb_wptr,
- "Error: No application configured.\r\n");
+ sb->sb_cc = snprintf(sb->sb_wptr, sb->sb_datalen - (sb->sb_wptr - sb->sb_data),
+ "Error: No application configured.\r\n");
sb->sb_wptr += sb->sb_cc;
return(0);
diff --git a/slirp/tftp.c b/slirp/tftp.c
index 562ae89..8c01268 100644
--- a/slirp/tftp.c
+++ b/slirp/tftp.c
@@ -23,6 +23,7 @@
*/
#include <slirp.h>
+#include "qemu-common.h" // for pstrcpy
struct tftp_session {
int in_use;
@@ -148,8 +149,8 @@ static int tftp_send_oack(struct tftp_session *spt,
m->m_data += sizeof(struct udpiphdr);
tp->tp_op = htons(TFTP_OACK);
- n += sprintf(tp->x.tp_buf + n, "%s", key) + 1;
- n += sprintf(tp->x.tp_buf + n, "%u", value) + 1;
+ n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", key) + 1;
+ n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", value) + 1;
saddr.sin_addr = recv_tp->ip.ip_dst;
saddr.sin_port = recv_tp->udp.uh_dport;
@@ -189,7 +190,7 @@ static int tftp_send_error(struct tftp_session *spt,
tp->tp_op = htons(TFTP_ERROR);
tp->x.tp_error.tp_error_code = htons(errorcode);
- strcpy(tp->x.tp_error.tp_msg, msg);
+ pstrcpy(tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), msg);
saddr.sin_addr = recv_tp->ip.ip_dst;
saddr.sin_port = recv_tp->udp.uh_dport;
diff --git a/vl.c b/vl.c
index ff9aed9..39503a3 100644
--- a/vl.c
+++ b/vl.c
@@ -1915,11 +1915,12 @@ static void mux_print_help(CharDriverState *chr)
char cbuf[50] = "\n\r";
if (term_escape_char > 0 && term_escape_char < 26) {
- sprintf(cbuf,"\n\r");
- sprintf(ebuf,"C-%c", term_escape_char - 1 + 'a');
+ snprintf(cbuf, sizeof(cbuf), "\n\r");
+ snprintf(ebuf, sizeof(ebuf), "C-%c", term_escape_char - 1 + 'a');
} else {
- sprintf(cbuf,"\n\rEscape-Char set to Ascii: 0x%02x\n\r\n\r",
- term_escape_char);
+ snprintf(cbuf, sizeof(cbuf),
+ "\n\rEscape-Char set to Ascii: 0x%02x\n\r\n\r",
+ term_escape_char);
}
chr->chr_write(chr, (uint8_t *)cbuf, strlen(cbuf));
for (i = 0; mux_help[i] != NULL; i++) {
@@ -4385,7 +4386,7 @@ static int tap_open(char *ifname, int ifname_size)
* Allocate TAP device, returns opened fd.
* Stores dev name in the first arg(must be large enough).
*/
-int tap_alloc(char *dev)
+int tap_alloc(char *dev, size_t dev_size)
{
int tap_fd, if_fd, ppa = -1;
static int ip_fd = 0;
@@ -4498,7 +4499,7 @@ int tap_alloc(char *dev)
syslog (LOG_ERR, "Can't set multiplexor id");
}
- sprintf(dev, "tap%d", ppa);
+ snprintf(dev, dev_size, "tap%d", ppa);
return tap_fd;
}
@@ -4506,7 +4507,7 @@ static int tap_open(char *ifname, int ifname_size)
{
char dev[10]="";
int fd;
- if( (fd = tap_alloc(dev)) < 0 ){
+ if( (fd = tap_alloc(dev, sizeof(dev))) < 0 ){
fprintf(stderr, "Cannot allocate TAP device\n");
return -1;
}
@@ -5461,11 +5462,11 @@ static int drive_init(struct drive_opt *arg, int snapshot,
!strcmp(machine->name, "versatileab")) {
type = IF_SCSI;
max_devs = MAX_SCSI_DEVS;
- strcpy(devname, "scsi");
+ pstrcpy(devname, sizeof(devname), "scsi");
} else {
type = IF_IDE;
max_devs = MAX_IDE_DEVS;
- strcpy(devname, "ide");
+ pstrcpy(devname, sizeof(devname), "ide");
}
media = MEDIA_DISK;