worked around the buffer overrun in smprintf()

[slstatus.git] / slstatus.c

diff --git a/slstatus.c b/slstatus.c
index 628c0f4..08866d2 100644 (file)
--- a/slstatus.c
+++ b/slstatus.c
@@ -78,14 +78,15 @@ setstatus(const char *str)
 static char *
 smprintf(const char *fmt, ...)
 {
 static char *
 smprintf(const char *fmt, ...)
 {

-       /* FIXME: This code should have
-       bound checks, it is vulnerable to
-       buffer overflows */

        va_list ap;
        va_list ap;

+       char tmp[120];

        char *ret = NULL;
 
        va_start(ap, fmt);
        char *ret = NULL;
 
        va_start(ap, fmt);

-       if (vasprintf(&ret, fmt, ap) < 0)
+       vsnprintf(tmp, sizeof(tmp)-1, fmt, ap);
+       tmp[strlen(tmp)+1] = '\0';
+
+       if (asprintf(&ret, "%s", tmp) < 0)

                return NULL;
 
        va_end(ap);
                return NULL;
 
        va_end(ap);