speakup: replace sprintf() by scnprintf()

Replace sprintf() by scnprintf() in order to avoid buffer overflows. Signed-off-by: Salah Triki <salah.triki@gmail.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20210630224248.2iq6o6krecx4cz5j@begin Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-11 12:28:41 +08:00 · 2021-07-01 00:42:48 +02:00 · 2021-07-01 00:42:48 +02:00 · ec7b5eda8a
commit ec7b5eda8a
parent f83461e658
1 changed files with 11 additions and 4 deletions
--- a/drivers/accessibility/speakup/speakup_soft.c
+++ b/drivers/accessibility/speakup/speakup_soft.c
@ -153,18 +153,25 @@ static char *get_initstring(void)
 	static char buf[40];
 	char *cp;
 	struct var_t *var;
+	size_t len;
+	size_t n;

 	memset(buf, 0, sizeof(buf));
 	cp = buf;
+	len = sizeof(buf);
+
 	var = synth_soft.vars;
 	while (var->var_id != MAXVARS) {
 		if (var->var_id != CAPS_START && var->var_id != CAPS_STOP &&
-		    var->var_id != PAUSE && var->var_id != DIRECT)
-			cp = cp + sprintf(cp, var->u.n.synth_fmt,
-					  var->u.n.value);
+		    var->var_id != PAUSE && var->var_id != DIRECT) {
+			n = scnprintf(cp, len, var->u.n.synth_fmt,
+				      var->u.n.value);
+			cp = cp + n;
+			len = len - n;
+		}
 		var++;
 	}
-	cp = cp + sprintf(cp, "\n");
+	cp = cp + scnprintf(cp, len, "\n");
 	return buf;
 }