From 4f8db6fac3cf2e5b1c94b16525bbee45607da545 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Wed, 20 Mar 2019 15:56:07 +0000 Subject: [PATCH] worker: Fix potential sprintf overflow If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a negative signed int) then printf(worker_str, "display[%d]", worker->qxl->id); will need: "display[]" -> 9 bytes %d -> 11 bytes The trailing \0 will thus overflow our 20 bytes destination. As QXLInstance::id should be an unsigned int, this commit changes the format string to use %u. This also switches to snprintf. Signed-off-by: Christophe Fergeau Acked-by: Frediano Ziglio --- server/red-worker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/red-worker.c b/server/red-worker.c index 8051d1e4..99369a0c 100644 --- a/server/red-worker.c +++ b/server/red-worker.c @@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl, worker->zlib_glz_state = reds_get_zlib_glz_state(reds); worker->driver_cap_monitors_config = 0; char worker_str[SPICE_STAT_NODE_NAME_MAX]; - sprintf(worker_str, "display[%d]", worker->qxl->id); + snprintf(worker_str, sizeof(worker_str), "display[%d]", worker->qxl->id & 0xff); stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE); stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE); stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE);