Convert more sprintf calls to snprintf

You could analyze most of these and quickly recognize that there was no
chance of buffer overflow already, but why make everyone spend time doing
that when we can just make it obviously safe?

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

4 files changed, 11 insertions, 10 deletions

diff --git a/nx-X11/lib/X11/ErrDes.c b/nx-X11/lib/X11/ErrDes.c
index ac13b480b..f13e3dce4 100644
--- a/nx-X11/lib/X11/ErrDes.c
+++ b/nx-X11/lib/X11/ErrDes.c
@@ -109,7 +109,7 @@ XGetErrorText(
 
     if (nbytes == 0) return 0;
     if (code <= BadImplementation && code > 0) {
-	sprintf(buf, "%d", code);
+        snprintf(buf, sizeof(buf), "%d", code);
         (void) XGetErrorDatabaseText(dpy, "XProtoError", buf,
                                      _XErrorList + _XErrorOffsets[code],
 				     buffer, nbytes);
@@ -125,11 +125,12 @@ XGetErrorText(
 	    bext = ext;
     }
     if (!buffer[0] && bext) {
-	sprintf(buf, "%s.%d", bext->name, code - bext->codes.first_error);
+	snprintf(buf, sizeof(buf), "%s.%d",
+                 bext->name, code - bext->codes.first_error);
 	(void) XGetErrorDatabaseText(dpy, "XProtoError", buf, "", buffer, nbytes);
     }
     if (!buffer[0])
-	sprintf(buffer, "%d", code);
+	snprintf(buffer, nbytes, "%d", code);
     return 0;
 }
 
@@ -190,7 +191,7 @@ XGetErrorDatabaseText(
 	else
 	    tptr = Xmalloc (tlen);
 	if (tptr) {
-	    sprintf(tptr, "%s.%s", name, type);
+	    snprintf(tptr, tlen, "%s.%s", name, type);
 	    XrmGetResource(db, tptr, "ErrorType.ErrorNumber",
 	      &type_str, &result);
 	    if (tptr != temp)
diff --git a/nx-X11/lib/X11/GetDflt.c b/nx-X11/lib/X11/GetDflt.c
index 749893c7e..f2098dff3 100644
--- a/nx-X11/lib/X11/GetDflt.c
+++ b/nx-X11/lib/X11/GetDflt.c
@@ -87,7 +87,7 @@ GetHomeDir(
 	len2 = strlen (ptr2);
     }
     if ((len1 + len2 + 1) < len)
-	sprintf (dest, "%s%s", ptr1, (ptr2) ? ptr2 : "");
+	snprintf (dest, len, "%s%s", ptr1, (ptr2) ? ptr2 : "");
     else
 	*dest = '\0';
 #else
diff --git a/nx-X11/lib/X11/KeysymStr.c b/nx-X11/lib/X11/KeysymStr.c
index 797cf53bd..ba6c8450a 100644
--- a/nx-X11/lib/X11/KeysymStr.c
+++ b/nx-X11/lib/X11/KeysymStr.c
@@ -107,7 +107,7 @@ char *XKeysymToString(KeySym ks)
 	XrmQuark empty = NULLQUARK;
 	GRNData data;
 
-	sprintf(buf, "%lX", ks);
+	snprintf(buf, sizeof(buf), "%lX", ks);
 	resval.addr = (XPointer)buf;
 	resval.size = strlen(buf) + 1;
 	data.name = (char *)NULL;
diff --git a/nx-X11/lib/X11/XlibInt.c b/nx-X11/lib/X11/XlibInt.c
index 2d84c626d..1ecbaaa4f 100644
--- a/nx-X11/lib/X11/XlibInt.c
+++ b/nx-X11/lib/X11/XlibInt.c
@@ -3521,7 +3521,7 @@ static int _XPrintDefaultError(
 	mesg, BUFSIZ);
     (void) fprintf(fp, mesg, event->request_code);
     if (event->request_code < 128) {
-	sprintf(number, "%d", event->request_code);
+	snprintf(number, sizeof(number), "%d", event->request_code);
 	XGetErrorDatabaseText(dpy, "XRequest", number, "", buffer, BUFSIZ);
     } else {
 	for (ext = dpy->ext_procs;
@@ -3541,7 +3541,7 @@ static int _XPrintDefaultError(
 	fputs("  ", fp);
 	(void) fprintf(fp, mesg, event->minor_code);
 	if (ext) {
-	    sprintf(mesg, "%s.%d", ext->name, event->minor_code);
+	    snprintf(mesg, sizeof(mesg), "%s.%d", ext->name, event->minor_code);
 	    XGetErrorDatabaseText(dpy, "XRequest", mesg, "", buffer, BUFSIZ);
 	    (void) fprintf(fp, " (%s)", buffer);
 	}
@@ -3564,8 +3564,8 @@ static int _XPrintDefaultError(
 		bext = ext;
 	}
 	if (bext)
-	    sprintf(buffer, "%s.%d", bext->name,
-		    event->error_code - bext->codes.first_error);
+	    snprintf(buffer, sizeof(buffer), "%s.%d", bext->name,
+                     event->error_code - bext->codes.first_error);
 	else
 	    strcpy(buffer, "Value");
 	XGetErrorDatabaseText(dpy, mtype, buffer, "", mesg, BUFSIZ);