Commit 363a37d52016e0a16e3599d690f610346fc6898a

Authored by blueswir1
1 parent c93e7817

Fix OpenBSD linker warnings

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5044 c046a42c-6fe2-441c-8c8c-71466251a162
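--- a/audio/audio.c
+++ b/audio/audio.c
@@ -211,8 +211,8 @@ static char *audio_alloc_prefix (const char *s)
 size_t i;
 char *u = r + sizeof (qemu_prefix) - 1;
 
- strcpy (r, qemu_prefix);
- strcat (r, s);
+ pstrcpy (r, len + sizeof (qemu_prefix), qemu_prefix);
+ pstrcat (r, len, s);
 
 for (i = 0; i < len; ++i) {
 u[i] = toupper (u[i]);
@@ -430,7 +430,7 @@ static void audio_process_options (const char *prefix,
 {
 char *optname;
 const char qemu_prefix[] = "QEMU_";
- size_t preflen;
+ size_t preflen, optlen;
 
 if (audio_bug (AUDIO_FUNC, !prefix)) {
 dolog ("prefix = NULL\n");
@@ -458,21 +458,25 @@ static void audio_process_options (const char *prefix,
 /* len of opt->name + len of prefix + size of qemu_prefix
 * (includes trailing zero) + zero + underscore (on behalf of
 * sizeof) */
- optname = qemu_malloc (len + preflen + sizeof (qemu_prefix) + 1);
+ optlen = len + preflen + sizeof (qemu_prefix) + 1;
+ optname = qemu_malloc (optlen);
 if (!optname) {
 dolog ("Could not allocate memory for option name `%s'\n",
 opt->name);
 continue;
 }
 
- strcpy (optname, qemu_prefix);
+ pstrcpy (optname, optlen, qemu_prefix);
+ optlen -= preflen;
 
 /* copy while upper-casing, including trailing zero */
 for (i = 0; i <= preflen; ++i) {
 optname[i + sizeof (qemu_prefix) - 1] = toupper (prefix[i]);
 }
- strcat (optname, "_");
- strcat (optname, opt->name);
+ pstrcat (optname, optlen, "_");
+ optlen--;
+ pstrcat (optname, optlen, opt->name);
+ optlen -= len;
 
 def = 1;
 switch (opt->tag) {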
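Review bot: In audio_alloc_prefix the call `pstrcat (r, len, s);` passes the length of `s` rather than the size of `r`; if `pstrcat` takes the total destination size, as the matching `pstrcpy (r, len + sizeof (qemu_prefix), ...)` call suggests, the appended name loses its last characters because `QEMU_` already uses part of that budget. Pass the same size to both calls: `pstrcat (r, len + sizeof (qemu_prefix), s);`. audio_process_options repeats the pattern by shrinking `optlen` after each call (`optlen -= preflen;`, `optlen--;`), so with a long `prefix` the `_` and `opt->name` parts may be dropped without any error; keep `optlen` at the allocated size for all three calls. Both function bodies continue outside the hunks.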
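--- a/block-vmdk.c
+++ b/block-vmdk.c
@@ -153,11 +153,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
 return -1;
 
 tmp_str = strstr(desc,"parentCID");
- strcpy(tmp_desc, tmp_str);
+ pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
 if ((p_name = strstr(desc,"CID")) != 0) {
 p_name += sizeof("CID");
- sprintf(p_name,"%x\n",cid);
- strcat(desc,tmp_desc);
+ snprintf(p_name, sizeof(desc) - (p_name - desc), "%x\n", cid);
+ pstrcat(desc, sizeof(desc), tmp_desc);
 }
 
 if (bdrv_pwrite(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE)
@@ -252,8 +252,8 @@ static int vmdk_snapshot_create(const char *filename, const char *backing_file)
 if ((temp_str = strrchr(real_filename, ':')) != NULL)
 real_filename = temp_str + 1;
 
- sprintf(s_desc, desc_template, p_cid, p_cid, backing_file
- , (uint32_t)header.capacity, real_filename);
+ snprintf(s_desc, sizeof(s_desc), desc_template, p_cid, p_cid, backing_file,
+ (uint32_t)header.capacity, real_filename);
 
 /* write the descriptor */
 if (lseek(snp_fd, 0x200, SEEK_SET) == -1)
@@ -349,7 +349,8 @@ static int vmdk_parent_open(BlockDriverState *bs, const char * filename)
 path_combine(parent_img_name, sizeof(parent_img_name),
 filename, s->hd->backing_file);
 } else {
- strcpy(parent_img_name, s->hd->backing_file);
+ pstrcpy(parent_img_name, sizeof(parent_img_name),
+ s->hd->backing_file);
 }
 
 s->hd->backing_hd = bdrv_new("");
@@ -790,8 +791,8 @@ static int vmdk_create(const char *filename, int64_t total_size,
 real_filename = temp_str + 1;
 if ((temp_str = strrchr(real_filename, ':')) != NULL)
 real_filename = temp_str + 1;
- sprintf(desc, desc_template, time(NULL), (unsigned long)total_size,
- real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16));
+ snprintf(desc, sizeof(desc), desc_template, time(NULL), (unsigned long)total_size,
+ real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16));
 
 /* write the descriptor */
 lseek(fd, le64_to_cpu(header.desc_offset) << 9, SEEK_SET);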
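Review bot: In vmdk_write_cid, `tmp_str = strstr(desc,"parentCID");` is passed straight to `pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);`, so a descriptor without that key hands a NULL source to the copy. Return an error first: `if (!tmp_str) return -1;`. `desc` appears to be filled from the image file earlier in the function, outside the hunk, so its content should not be assumed well-formed. The `snprintf` calls in vmdk_snapshot_create and vmdk_create also ignore the return value, so a descriptor truncated by a long `backing_file` or `real_filename` is written without notice.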
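--- a/block-vvfat.c
+++ b/block-vvfat.c
@@ -1733,7 +1733,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
 char path2[PATH_MAX];
 
 assert(path_len < PATH_MAX); /* len was tested before! */
- strcpy(path2, path);
+ pstrcpy(path2, sizeof(path2), path);
 path2[path_len] = '/';
 path2[path_len + 1] = '\0';
 
@@ -1807,7 +1807,8 @@ DLOG(fprintf(stderr, &quot;check direntry %d: \n&quot;, i); print_direntry(direntries + i)
 fprintf(stderr, "Name too long: %s/%s\n", path, lfn.name);
 goto fail;
 }
- strcpy(path2 + path_len + 1, (char*)lfn.name);
+ pstrcpy(path2 + path_len + 1, sizeof(path2) - path_len - 1,
+ (char*)lfn.name);
 
 if (is_directory(direntries + i)) {
 if (begin_of_direntry(direntries + i) == 0) {
@@ -2372,8 +2373,9 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s)
 
 assert(!strncmp(m->path, mapping->path, l2));
 
- strcpy(new_path, mapping->path);
- strcpy(new_path + l1, m->path + l2);
+ pstrcpy(new_path, l + diff + 1, mapping->path);
+ pstrcpy(new_path + l1, l + diff + 1 - l1,
+ m->path + l2);
 
 schedule_rename(s, m->begin, new_path);
 }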
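Review bot: In check_directory_consistency, `assert(path_len < PATH_MAX);` allows `path_len == PATH_MAX - 1`, and `path2[path_len + 1] = '\0';` then writes one byte past the end of `path2`; the added `pstrcpy` bound does not cover these two indexed stores. Tighten the condition to `path_len + 1 < PATH_MAX` and make it a runtime check that fails the consistency test, since an `assert` disappears under NDEBUG. The earlier test the comment refers to ("len was tested before") is outside the hunk, so it may already enforce the tighter limit.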
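--- a/dis-asm.h
+++ b/dis-asm.h
@@ -20,6 +20,7 @@ typedef uint64_t bfd_vma;
 typedef int64_t bfd_signed_vma;
 typedef uint8_t bfd_byte;
 #define sprintf_vma(s,x) sprintf (s, "%0" PRIx64, x)
+#define snprintf_vma(s,ss,x) snprintf (s, ss, "%0" PRIx64, x)
 
 #define BFD64
 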
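--- a/gdbstub.c
+++ b/gdbstub.c
@@ -1173,10 +1173,10 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf)
 /* parse any 'q' packets here */
 if (!strcmp(p,"qemu.sstepbits")) {
 /* Query Breakpoint bit definitions */
- sprintf(buf,"ENABLE=%x,NOIRQ=%x,NOTIMER=%x",
- SSTEP_ENABLE,
- SSTEP_NOIRQ,
- SSTEP_NOTIMER);
+ snprintf(buf, sizeof(buf), "ENABLE=%x,NOIRQ=%x,NOTIMER=%x",
+ SSTEP_ENABLE,
+ SSTEP_NOIRQ,
+ SSTEP_NOTIMER);
 put_packet(s, buf);
 break;
 } else if (strncmp(p,"qemu.sstep",10) == 0) {
@@ -1184,7 +1184,7 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf)
 p += 10;
 if (*p != '=') {
 /* Display current setting */
- sprintf(buf,"0x%x", sstep_flags);
+ snprintf(buf, sizeof(buf), "0x%x", sstep_flags);
 put_packet(s, buf);
 break;
 }
@@ -1198,12 +1198,12 @@ static int gdb_handle_packet(GDBState *s, CPUState *env, const char *line_buf)
 else if (strncmp(p, "Offsets", 7) == 0) {
 TaskState *ts = env->opaque;
 
- sprintf(buf,
- "Text=" TARGET_ABI_FMT_lx ";Data=" TARGET_ABI_FMT_lx
- ";Bss=" TARGET_ABI_FMT_lx,
- ts->info->code_offset,
- ts->info->data_offset,
- ts->info->data_offset);
+ snprintf(buf, sizeof(buf),
+ "Text=" TARGET_ABI_FMT_lx ";Data=" TARGET_ABI_FMT_lx
+ ";Bss=" TARGET_ABI_FMT_lx,
+ ts->info->code_offset,
+ ts->info->data_offset,
+ ts->info->data_offset);
 put_packet(s, buf);
 break;
 }
@@ -1286,17 +1286,18 @@ void gdb_do_syscall(gdb_syscall_complete_cb cb, char *fmt, ...)
 switch (*fmt++) {
 case 'x':
 addr = va_arg(va, target_ulong);
- p += sprintf(p, TARGET_FMT_lx, addr);
+ p += snprintf(p, &buf[sizeof(buf)] - p, TARGET_FMT_lx, addr);
 break;
 case 'l':
 if (*(fmt++) != 'x')
 goto bad_format;
 i64 = va_arg(va, uint64_t);
- p += sprintf(p, "%" PRIx64, i64);
+ p += snprintf(p, &buf[sizeof(buf)] - p, "%" PRIx64, i64);
 break;
 case 's':
 addr = va_arg(va, target_ulong);
- p += sprintf(p, TARGET_FMT_lx "/%x", addr, va_arg(va, int));
+ p += snprintf(p, &buf[sizeof(buf)] - p, TARGET_FMT_lx "/%x",
+ addr, va_arg(va, int));
 break;
 default:
 bad_format: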
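Review bot: In gdb_do_syscall, `p += snprintf(p, &buf[sizeof(buf)] - p, ...)` advances `p` by the length the output would have had, not by what was written, so after one truncated conversion `p` points past `buf` and the next size argument `&buf[sizeof(buf)] - p` is negative and converts to a very large `size_t`. Capture the return value, compare it with the remaining space and stop formatting when it does not fit, for example `if (n < 0 || (size_t)n >= rem) goto bad_format;` before `p += n;` (or a dedicated error path if `bad_format` is not suitable). The loop and the `buf` declaration lie outside the hunk, so this assumes `buf` is a local array, as `sizeof(buf)` implies.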
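--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -159,7 +159,8 @@ static int nvram_boot_set(void *opaque, const char *boot_device)
 for (i = 0; i < sizeof(image); i++)
 image[i] = m48t59_read(nvram, i) & 0xff;
 
- strcpy((char *)header->boot_devices, boot_device);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_device);
 header->nboot_devices = strlen(boot_device) & 0xff;
 header->crc = cpu_to_be16(OHW_compute_crc(header, 0x00, 0xF8));
 
@@ -187,17 +188,19 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline,
 memset(image, '\0', sizeof(image));
 
 // Try to match PPC NVRAM
- strcpy((char *)header->struct_ident, "QEMU_BIOS");
+ pstrcpy((char *)header->struct_ident, sizeof(header->struct_ident),
+ "QEMU_BIOS");
 header->struct_version = cpu_to_be32(3); /* structure v3 */
 
 header->nvram_size = cpu_to_be16(0x2000);
 header->nvram_arch_ptr = cpu_to_be16(sizeof(ohwcfg_v3_t));
 header->nvram_arch_size = cpu_to_be16(sizeof(struct sparc_arch_cfg));
- strcpy((char *)header->arch, arch);
+ pstrcpy((char *)header->arch, sizeof(header->arch), arch);
 header->nb_cpus = smp_cpus & 0xff;
 header->RAM0_base = 0;
 header->RAM0_size = cpu_to_be64((uint64_t)RAM_size);
- strcpy((char *)header->boot_devices, boot_devices);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_devices);
 header->nboot_devices = strlen(boot_devices) & 0xff;
 header->kernel_image = cpu_to_be64((uint64_t)KERNEL_LOAD_ADDR);
 header->kernel_size = cpu_to_be64((uint64_t)kernel_size);
@@ -225,7 +228,7 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline,
 // Variable partition
 part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
 part_header->signature = OPENBIOS_PART_SYSTEM;
- strcpy(part_header->name, "system");
+ pstrcpy(part_header->name, sizeof(part_header->name), "system");
 
 end = start + sizeof(struct OpenBIOS_nvpart_v1);
 for (i = 0; i < nb_prom_envs; i++)
@@ -241,7 +244,7 @@ static void nvram_init(m48t59_t *nvram, uint8_t *macaddr, const char *cmdline,
 start = end;
 part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
 part_header->signature = OPENBIOS_PART_FREE;
- strcpy(part_header->name, "free");
+ pstrcpy(part_header->name, sizeof(part_header->name), "free");
 
 end = 0x1fd0;
 OpenBIOS_finish_partition(part_header, end - start);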
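Review bot: `header->nboot_devices = strlen(boot_device) & 0xff;` in nvram_boot_set still counts the caller's string, so once `pstrcpy` truncates the copy the stored count no longer matches the bytes held in `header->boot_devices`. Derive the count from the stored field instead: `header->nboot_devices = strlen((char *)header->boot_devices) & 0xff;`. The same applies to `boot_devices` in nvram_init and to the two corresponding places in hw/sun4u.c. The function bodies extend beyond the hunks shown.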
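--- a/hw/sun4u.c
+++ b/hw/sun4u.c
@@ -82,7 +82,8 @@ static int nvram_boot_set(void *opaque, const char *boot_device)
 for (i = 0; i < sizeof(image); i++)
 image[i] = m48t59_read(nvram, i) & 0xff;
 
- strcpy((char *)header->boot_devices, boot_device);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_device);
 header->nboot_devices = strlen(boot_device) & 0xff;
 header->crc = cpu_to_be16(OHW_compute_crc(header, 0x00, 0xF8));
 
@@ -115,17 +116,19 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size,
 memset(image, '\0', sizeof(image));
 
 // Try to match PPC NVRAM
- strcpy((char *)header->struct_ident, "QEMU_BIOS");
+ pstrcpy((char *)header->struct_ident, sizeof(header->struct_ident),
+ "QEMU_BIOS");
 header->struct_version = cpu_to_be32(3); /* structure v3 */
 
 header->nvram_size = cpu_to_be16(NVRAM_size);
 header->nvram_arch_ptr = cpu_to_be16(sizeof(ohwcfg_v3_t));
 header->nvram_arch_size = cpu_to_be16(sizeof(struct sparc_arch_cfg));
- strcpy((char *)header->arch, arch);
+ pstrcpy((char *)header->arch, sizeof(header->arch), arch);
 header->nb_cpus = smp_cpus & 0xff;
 header->RAM0_base = 0;
 header->RAM0_size = cpu_to_be64((uint64_t)RAM_size);
- strcpy((char *)header->boot_devices, boot_devices);
+ pstrcpy((char *)header->boot_devices, sizeof(header->boot_devices),
+ boot_devices);
 header->nboot_devices = strlen(boot_devices) & 0xff;
 header->kernel_image = cpu_to_be64((uint64_t)kernel_image);
 header->kernel_size = cpu_to_be64((uint64_t)kernel_size);
@@ -156,7 +159,7 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size,
 // Variable partition
 part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
 part_header->signature = OPENBIOS_PART_SYSTEM;
- strcpy(part_header->name, "system");
+ pstrcpy(part_header->name, sizeof(part_header->name), "system");
 
 end = start + sizeof(struct OpenBIOS_nvpart_v1);
 for (i = 0; i < nb_prom_envs; i++)
@@ -172,7 +175,7 @@ static int sun4u_NVRAM_set_params (m48t59_t *nvram, uint16_t NVRAM_size,
 start = end;
 part_header = (struct OpenBIOS_nvpart_v1 *)&image[start];
 part_header->signature = OPENBIOS_PART_FREE;
- strcpy(part_header->name, "free");
+ pstrcpy(part_header->name, sizeof(part_header->name), "free");
 
 end = 0x1fd0;
 OpenBIOS_finish_partition(part_header, end - start);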
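--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -625,7 +625,8 @@ typedef struct USBNetState {
 } USBNetState;
 
 static int ndis_query(USBNetState *s, uint32_t oid,
- uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf)
+ uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf,
+ size_t outlen)
 {
 unsigned int i, count;
 
@@ -680,7 +681,7 @@ static int ndis_query(USBNetState *s, uint32_t oid,
 
 /* mandatory */
 case OID_GEN_VENDOR_DESCRIPTION:
- strcpy(outbuf, "QEMU USB RNDIS Net");
+ pstrcpy(outbuf, outlen, "QEMU USB RNDIS Net");
 return strlen(outbuf) + 1;
 
 case OID_GEN_VENDOR_DRIVER_VERSION:
@@ -882,7 +883,8 @@ static int rndis_query_response(USBNetState *s,
 return USB_RET_STALL;
 
 infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
- bufoffs + (uint8_t *) buf, buflen, infobuf);
+ bufoffs + (uint8_t *) buf, buflen, infobuf,
+ sizeof(infobuf));
 resplen = sizeof(rndis_query_cmplt_type) +
 ((infobuflen < 0) ? 0 : infobuflen);
 resp = rndis_queue_response(s, resplen);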
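--- a/hw/vga.c
+++ b/hw/vga.c
@@ -1726,7 +1726,8 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
 if (!full_update)
 return;
 
- sprintf(msg_buffer, "%i x %i Text mode", width, height);
+ snprintf(msg_buffer, sizeof(msg_buffer), "%i x %i Text mode",
+ width, height);
 break;
 }
 
@@ -1799,14 +1800,15 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
 return;
 
 s->get_resolution(s, &width, &height);
- sprintf(msg_buffer, "%i x %i Graphic mode", width, height);
+ snprintf(msg_buffer, sizeof(msg_buffer), "%i x %i Graphic mode",
+ width, height);
 break;
 case GMODE_BLANK:
 default:
 if (!full_update)
 return;
 
- sprintf(msg_buffer, "VGA Blank mode");
+ snprintf(msg_buffer, sizeof(msg_buffer), "VGA Blank mode");
 break;
 }
 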
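--- a/i386-dis.c
+++ b/i386-dis.c
@@ -37,6 +37,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
 
 #include <stdlib.h>
 #include "dis-asm.h"
+#include "qemu-common.h"
 
 #define MAXLEN 20
 
@@ -59,7 +60,8 @@ static int putop PARAMS ((const char *, int));
 static void oappend PARAMS ((const char *));
 static void append_seg PARAMS ((void));
 static void OP_indirE PARAMS ((int, int));
-static void print_operand_value PARAMS ((char *, int, bfd_vma));
+static void print_operand_value (char *buf, size_t bufsize, int hex,
+ bfd_vma disp);
 static void OP_E PARAMS ((int, int));
 static void OP_G PARAMS ((int, int));
 static bfd_vma get64 PARAMS ((void));
@@ -2512,7 +2514,7 @@ dofloat (sizeflag)
 
 /* Instruction fnstsw is only one with strange arg. */
 if (floatop == 0xdf && codep[-1] == 0xe0)
- strcpy (op1out, names16[0]);
+ pstrcpy (op1out, sizeof(op1out), names16[0]);
 }
 else
 {
@@ -2540,7 +2542,7 @@ OP_STi (bytemode, sizeflag)
 int bytemode;
 int sizeflag;
 {
- sprintf (scratchbuf, "%%st(%d)", rm);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%st(%d)", rm);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -2573,7 +2575,7 @@ putop (template, sizeflag)
 if (*p == '}')
 {
 /* Alternative not valid. */
- strcpy (obuf, "(bad)");
+ pstrcpy (obuf, sizeof(obuf), "(bad)");
 obufp = obuf + 5;
 return 1;
 }
@@ -2824,7 +2826,7 @@ static void
 oappend (s)
 const char *s;
 {
- strcpy (obufp, s);
+ pstrcpy (obufp, (size_t)(obufp - obuf), s);
 obufp += strlen (s);
 }
 
@@ -2874,10 +2876,7 @@ OP_indirE (bytemode, sizeflag)
 }
 
 static void
-print_operand_value (buf, hex, disp)
- char *buf;
- int hex;
- bfd_vma disp;
+print_operand_value (char *buf, size_t bufsize, int hex, bfd_vma disp)
 {
 if (mode_64bit)
 {
@@ -2887,9 +2886,9 @@ print_operand_value (buf, hex, disp)
 int i;
 buf[0] = '0';
 buf[1] = 'x';
- sprintf_vma (tmp, disp);
+ snprintf_vma (tmp, sizeof(tmp), disp);
 for (i = 0; tmp[i] == '0' && tmp[i + 1]; i++);
- strcpy (buf + 2, tmp + i);
+ pstrcpy (buf + 2, bufsize - 2, tmp + i);
 }
 else
 {
@@ -2903,13 +2902,13 @@ print_operand_value (buf, hex, disp)
 /* Check for possible overflow on 0x8000000000000000. */
 if (v < 0)
 {
- strcpy (buf, "9223372036854775808");
+ pstrcpy (buf, bufsize, "9223372036854775808");
 return;
 }
 }
 if (!v)
 {
- strcpy (buf, "0");
+ pstrcpy (buf, bufsize, "0");
 return;
 }
 
@@ -2921,15 +2920,15 @@ print_operand_value (buf, hex, disp)
 v /= 10;
 i++;
 }
- strcpy (buf, tmp + 29 - i);
+ pstrcpy (buf, bufsize, tmp + 29 - i);
 }
 }
 else
 {
 if (hex)
- sprintf (buf, "0x%x", (unsigned int) disp);
+ snprintf (buf, bufsize, "0x%x", (unsigned int) disp);
 else
- sprintf (buf, "%d", (int) disp);
+ snprintf (buf, bufsize, "%d", (int) disp);
 }
 }
 
@@ -3054,7 +3053,7 @@ OP_E (bytemode, sizeflag)
 if (!intel_syntax)
 if (mod != 0 || (base & 7) == 5)
 {
- print_operand_value (scratchbuf, !riprel, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), !riprel, disp);
 oappend (scratchbuf);
 if (riprel)
 {
@@ -3115,14 +3114,14 @@ OP_E (bytemode, sizeflag)
 *obufp++ = separator_char;
 *obufp = '\0';
 }
- sprintf (scratchbuf, "%s",
- mode_64bit && (sizeflag & AFLAG)
- ? names64[index] : names32[index]);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%s",
+ mode_64bit && (sizeflag & AFLAG)
+ ? names64[index] : names32[index]);
 }
 else
- sprintf (scratchbuf, ",%s",
- mode_64bit && (sizeflag & AFLAG)
- ? names64[index] : names32[index]);
+ snprintf (scratchbuf, sizeof(scratchbuf), ",%s",
+ mode_64bit && (sizeflag & AFLAG)
+ ? names64[index] : names32[index]);
 oappend (scratchbuf);
 }
 if (!intel_syntax
@@ -3133,7 +3132,7 @@ OP_E (bytemode, sizeflag)
 {
 *obufp++ = scale_char;
 *obufp = '\0';
- sprintf (scratchbuf, "%d", 1 << scale);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%d", 1 << scale);
 oappend (scratchbuf);
 }
 }
@@ -3149,7 +3148,8 @@ OP_E (bytemode, sizeflag)
 *obufp = '\0';
 }
 
- print_operand_value (scratchbuf, 0, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 0,
+ disp);
 oappend (scratchbuf);
 }
 }
@@ -3169,7 +3169,7 @@ OP_E (bytemode, sizeflag)
 oappend (names_seg[ds_reg - es_reg]);
 oappend (":");
 }
- print_operand_value (scratchbuf, 1, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, disp);
 oappend (scratchbuf);
 }
 }
@@ -3202,7 +3202,7 @@ OP_E (bytemode, sizeflag)
 if (!intel_syntax)
 if (mod != 0 || (rm & 7) == 6)
 {
- print_operand_value (scratchbuf, 0, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 0, disp);
 oappend (scratchbuf);
 }
 
@@ -3504,7 +3504,7 @@ OP_I (bytemode, sizeflag)
 
 op &= mask;
 scratchbuf[0] = '$';
- print_operand_value (scratchbuf + 1, 1, op);
+ print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op);
 oappend (scratchbuf + intel_syntax);
 scratchbuf[0] = '\0';
 }
@@ -3557,7 +3557,7 @@ OP_I64 (bytemode, sizeflag)
 
 op &= mask;
 scratchbuf[0] = '$';
- print_operand_value (scratchbuf + 1, 1, op);
+ print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op);
 oappend (scratchbuf + intel_syntax);
 scratchbuf[0] = '\0';
 }
@@ -3609,7 +3609,7 @@ OP_sI (bytemode, sizeflag)
 }
 
 scratchbuf[0] = '$';
- print_operand_value (scratchbuf + 1, 1, op);
+ print_operand_value (scratchbuf + 1, sizeof(scratchbuf) - 1, 1, op);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -3647,7 +3647,7 @@ OP_J (bytemode, sizeflag)
 }
 disp = (start_pc + codep - start_codep + disp) & mask;
 set_op (disp, 0);
- print_operand_value (scratchbuf, 1, disp);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, disp);
 oappend (scratchbuf);
 }
 
@@ -3678,9 +3678,9 @@ OP_DIR (dummy, sizeflag)
 }
 used_prefixes |= (prefixes & PREFIX_DATA);
 if (intel_syntax)
- sprintf (scratchbuf, "0x%x,0x%x", seg, offset);
+ snprintf (scratchbuf, sizeof(scratchbuf), "0x%x,0x%x", seg, offset);
 else
- sprintf (scratchbuf, "$0x%x,$0x%x", seg, offset);
+ snprintf (scratchbuf, sizeof(scratchbuf), "$0x%x,$0x%x", seg, offset);
 oappend (scratchbuf);
 }
 
@@ -3707,7 +3707,7 @@ OP_OFF (bytemode, sizeflag)
 oappend (":");
 }
 }
- print_operand_value (scratchbuf, 1, off);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, off);
 oappend (scratchbuf);
 }
 
@@ -3737,7 +3737,7 @@ OP_OFF64 (bytemode, sizeflag)
 oappend (":");
 }
 }
- print_operand_value (scratchbuf, 1, off);
+ print_operand_value (scratchbuf, sizeof(scratchbuf), 1, off);
 oappend (scratchbuf);
 }
 
@@ -3806,7 +3806,7 @@ OP_C (dummy, sizeflag)
 USED_REX (REX_EXTX);
 if (rex & REX_EXTX)
 add = 8;
- sprintf (scratchbuf, "%%cr%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%cr%d", reg + add);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -3820,9 +3820,9 @@ OP_D (dummy, sizeflag)
 if (rex & REX_EXTX)
 add = 8;
 if (intel_syntax)
- sprintf (scratchbuf, "db%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "db%d", reg + add);
 else
- sprintf (scratchbuf, "%%db%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%db%d", reg + add);
 oappend (scratchbuf);
 }
 
@@ -3831,7 +3831,7 @@ OP_T (dummy, sizeflag)
 int dummy;
 int sizeflag;
 {
- sprintf (scratchbuf, "%%tr%d", reg);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%tr%d", reg);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -3857,9 +3857,9 @@ OP_MMX (bytemode, sizeflag)
 add = 8;
 used_prefixes |= (prefixes & PREFIX_DATA);
 if (prefixes & PREFIX_DATA)
- sprintf (scratchbuf, "%%xmm%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", reg + add);
 else
- sprintf (scratchbuf, "%%mm%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%mm%d", reg + add);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -3872,7 +3872,7 @@ OP_XMM (bytemode, sizeflag)
 USED_REX (REX_EXTX);
 if (rex & REX_EXTX)
 add = 8;
- sprintf (scratchbuf, "%%xmm%d", reg + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", reg + add);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -3896,9 +3896,9 @@ OP_EM (bytemode, sizeflag)
 codep++;
 used_prefixes |= (prefixes & PREFIX_DATA);
 if (prefixes & PREFIX_DATA)
- sprintf (scratchbuf, "%%xmm%d", rm + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", rm + add);
 else
- sprintf (scratchbuf, "%%mm%d", rm + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%mm%d", rm + add);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -3920,7 +3920,7 @@ OP_EX (bytemode, sizeflag)
 /* Skip mod/rm byte. */
 MODRM_CHECK;
 codep++;
- sprintf (scratchbuf, "%%xmm%d", rm + add);
+ snprintf (scratchbuf, sizeof(scratchbuf), "%%xmm%d", rm + add);
 oappend (scratchbuf + intel_syntax);
 }
 
@@ -4079,8 +4079,8 @@ OP_SIMD_Suffix (bytemode, sizeflag)
 suffix1 = 's', suffix2 = 'd';
 }
 }
- sprintf (scratchbuf, "cmp%s%c%c",
- simd_cmp_op[cmp_type], suffix1, suffix2);
+ snprintf (scratchbuf, sizeof(scratchbuf), "cmp%s%c%c",
+ simd_cmp_op[cmp_type], suffix1, suffix2);
 used_prefixes |= (prefixes & PREFIX_REPZ);
 oappend (scratchbuf);
 }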
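Review bot: In oappend the size passed is `(size_t)(obufp - obuf)`, which is the number of bytes already written, not the space left; on the first append it is 0, so nothing is copied (assuming `pstrcpy` writes nothing for a zero size), while `obufp += strlen (s);` still advances over bytes that were never stored. The bound should be the remaining room, `pstrcpy (obufp, sizeof(obuf) - (obufp - obuf), s);`, which relies on `obuf` being an array, as the `sizeof(obuf)` in putop suggests. The pointer should then advance by the length actually stored, `obufp += strlen (obufp);`, so a truncated append cannot move it past the end of the buffer.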
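--- a/monitor.c
+++ b/monitor.c
@@ -2251,7 +2251,7 @@ static void monitor_handle_command(const char *cmdline)
 goto fail;
 }
 str = qemu_malloc(strlen(buf) + 1);
- strcpy(str, buf);
+ pstrcpy(str, sizeof(buf), buf);
 str_allocated[nb_args] = str;
 add_str:
 if (nb_args >= MAX_ARGS) {
@@ -2518,7 +2518,7 @@ static void file_completion(const char *input)
 if (!p) {
 input_path_len = 0;
 pstrcpy(file_prefix, sizeof(file_prefix), input);
- strcpy(path, ".");
+ pstrcpy(path, sizeof(path), ".");
 } else {
 input_path_len = p - input + 1;
 memcpy(path, input, input_path_len);
@@ -2540,13 +2540,15 @@ static void file_completion(const char *input)
 break;
 if (strstart(d->d_name, file_prefix, NULL)) {
 memcpy(file, input, input_path_len);
- strcpy(file + input_path_len, d->d_name);
+ if (input_path_len < sizeof(file))
+ pstrcpy(file + input_path_len, sizeof(file) - input_path_len,
+ d->d_name);
 /* stat the file to find out if it's a directory.
 * In that case add a slash to speed up typing long paths
 */
 stat(file, &sb);
 if(S_ISDIR(sb.st_mode))
- strcat(file, "/");
+ pstrcat(file, sizeof(file), "/");
 add_completion(file);
 }
 }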
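Review bot: In file_completion the added guard `if (input_path_len < sizeof(file))` comes after `memcpy(file, input, input_path_len);`, so an over-long path prefix has already been copied past `file` by the time it is tested, and when the guard fails `file` reaches `stat()` without a terminator. Test the length before the copy and skip the entry, for example `if (input_path_len >= sizeof(file)) continue;` placed ahead of the `memcpy` (the enclosing loop is outside the hunk, so the exact exit may differ). In monitor_handle_command, `pstrcpy(str, sizeof(buf), buf);` bounds the copy by the source array rather than by the `strlen(buf) + 1` bytes allocated, and `str` is used without a NULL check.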
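--- a/qemu-malloc.c
+++ b/qemu-malloc.c
@@ -56,9 +56,10 @@ void *qemu_mallocz(size_t size)
 char *qemu_strdup(const char *str)
 {
 char *ptr;
- ptr = qemu_malloc(strlen(str) + 1);
+ size_t len = strlen(str);
+ ptr = qemu_malloc(len + 1);
 if (!ptr)
 return NULL;
- strcpy(ptr, str);
+ pstrcpy(ptr, len, str);
 return ptr;
 }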
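Review bot: `pstrcpy(ptr, len, str);` in qemu_strdup gives the copy a size of `len` although `len + 1` bytes were allocated; if `pstrcpy` reserves one byte of the given size for the terminator, every duplicated string loses its last character, and for an empty string nothing is written, so `ptr[0]` stays uninitialised. Pass the allocated size instead: `pstrcpy(ptr, len + 1, str);`.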
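--- a/slirp/misc.c
+++ b/slirp/misc.c
@@ -417,8 +417,9 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
 {
 char buff[256];
 
- sprintf(buff, "Error: execvp of %s failed: %s\n",
- argv[0], strerror(errno));
+ snprintf(buff, sizeof(buff),
+ "Error: execvp of %s failed: %s\n",
+ argv[0], strerror(errno));
 write(2, buff, strlen(buff)+1);
 }
 close(0); close(1); close(2); /* XXX */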
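--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -84,7 +84,7 @@ static int get_dns_addr(struct in_addr *pdns_addr)
 static int get_dns_addr(struct in_addr *pdns_addr)
 {
 char buff[512];
- char buff2[256];
+ char buff2[257];
 FILE *f;
 int found = 0;
 struct in_addr tmp_addr;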
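--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -629,7 +629,7 @@ tcp_emu(so, m)
 struct mbuf *m;
 {
 u_int n1, n2, n3, n4, n5, n6;
- char buff[256];
+ char buff[257];
 u_int32_t laddr;
 u_int lport;
 char *bptr;
@@ -673,7 +673,9 @@ tcp_emu(so, m)
 }
 }
 }
- so_rcv->sb_cc = sprintf(so_rcv->sb_data, "%d,%d\r\n", n1, n2);
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ so_rcv->sb_datalen,
+ "%d,%d\r\n", n1, n2);
 so_rcv->sb_rptr = so_rcv->sb_data;
 so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 }
@@ -1007,8 +1009,9 @@ do_prompt:
 n4 = (laddr & 0xff);
 
 m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
- n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size - m->m_len,
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
 return 1;
 } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
 /*
@@ -1038,8 +1041,9 @@ do_prompt:
 n4 = (laddr & 0xff);
 
 m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
- n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size - m->m_len,
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
 
 return 1;
 }
@@ -1062,7 +1066,8 @@ do_prompt:
 }
 if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
 (so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = sprintf(m->m_data, "%d", ntohs(so->so_fport))+1;
+ m->m_len = snprintf(m->m_data, m->m_hdr.mh_size, "%d",
+ ntohs(so->so_fport)) + 1;
 return 1;
 
 case EMU_IRC:
@@ -1079,25 +1084,28 @@ do_prompt:
 return 1;
 
 m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), 1);
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size,
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
 } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
 if ((so = solisten(0, htonl(laddr), htons(lport), SS_FACCEPTONCE)) == NULL)
 return 1;
 
 m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n",
- buff, (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size,
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
 } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
 if ((so = solisten(0, htonl(laddr), htons(lport), SS_FACCEPTONCE)) == NULL)
 return 1;
 
 m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n",
- buff, (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += snprintf(bptr, m->m_hdr.mh_size,
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
 }
 return 1;
 
@@ -1285,8 +1293,8 @@ tcp_ctl(so)
 
 /* FALLTHROUGH */
 case CTL_ALIAS:
- sb->sb_cc = sprintf(sb->sb_wptr,
- "Error: No application configured.\r\n");
+ sb->sb_cc = snprintf(sb->sb_wptr, sb->sb_datalen - (sb->sb_wptr - sb->sb_data),
+ "Error: No application configured.\r\n");
 sb->sb_wptr += sb->sb_cc;
 return(0);
 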
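Review bot: The `m->m_len += snprintf(...)` and `sb_cc = snprintf(...)` lines still trust the return value, which is the length the output would have had rather than the bytes stored, so a truncated write leaves `m_len`/`sb_cc` describing data that was never written. In the three IRC calls (`DCC CHAT`, `DCC SEND`, `DCC MOVE`) the bound is the whole `m->m_hdr.mh_size` although the write starts at `bptr`, unlike the FTP calls which subtract `m->m_len`; with `buff` filled by `sscanf` from the packet (up to 256 bytes), that bound does not stop a write past the end of the mbuf. Each site should bound by the room left after `bptr` and add the result only when it is non-negative and smaller than that room; the sketch below shows this for `DCC SEND`, and how to handle a message that does not fit is the author's call. `mh_size - m_len` equals the free room only if `m_data` still points at the start of the buffer, which these hunks do not show (slirp's `M_FREEROOM(m)` may be the right helper — to be confirmed). tcp_emu's body starts and ends outside these hunks.

```c
/* … unchanged: sscanf() match, solisten() call, m->m_len = bptr - m->m_data … */
room = m->m_hdr.mh_size - m->m_len;  /* int; space left after bptr, assuming m_data is the buffer start */
wr = snprintf(bptr, room, "DCC SEND %s %lu %u %u%c\n", buff,
              (unsigned long)ntohl(so->so_faddr.s_addr),
              ntohs(so->so_fport), n1, 1);
if (wr < 0 || wr >= room)
    return 1;  /* rewritten command did not fit: do not count bytes that were not stored */
m->m_len += wr;
```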
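--- a/slirp/tftp.c
+++ b/slirp/tftp.c
@@ -23,6 +23,7 @@
 */
 
 #include <slirp.h>
+#include "qemu-common.h" // for pstrcpy
 
 struct tftp_session {
 int in_use;
@@ -148,8 +149,8 @@ static int tftp_send_oack(struct tftp_session *spt,
 m->m_data += sizeof(struct udpiphdr);
 
 tp->tp_op = htons(TFTP_OACK);
- n += sprintf(tp->x.tp_buf + n, "%s", key) + 1;
- n += sprintf(tp->x.tp_buf + n, "%u", value) + 1;
+ n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", key) + 1;
+ n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", value) + 1;
 
 saddr.sin_addr = recv_tp->ip.ip_dst;
 saddr.sin_port = recv_tp->udp.uh_dport;
@@ -189,7 +190,7 @@ static int tftp_send_error(struct tftp_session *spt,
 
 tp->tp_op = htons(TFTP_ERROR);
 tp->x.tp_error.tp_error_code = htons(errorcode);
- strcpy(tp->x.tp_error.tp_msg, msg);
+ pstrcpy(tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), msg);
 
 saddr.sin_addr = recv_tp->ip.ip_dst;
 saddr.sin_port = recv_tp->udp.uh_dport;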
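Review bot: In `tftp_send_oack` the two `n += snprintf(...) + 1` lines add the would-be length, so if the first write is truncated `n` passes `sizeof(tp->x.tp_buf)` and `sizeof(tp->x.tp_buf) - n` in the second call wraps to a very large bound. Checking each result before advancing would close that, e.g. `r = snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", key);` followed by `if (r < 0 || (size_t)r >= sizeof(tp->x.tp_buf) - n) return -1;`, with whatever cleanup of `m` the function normally does on failure. How `key` is chosen and how `n` feeds the send length are outside the hunk, so whether truncation is reachable today cannot be told from here.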
... ... @@ -1915,11 +1915,12 @@ static void mux_print_help(CharDriverState *chr)
1915 1915 char cbuf[50] = "\n\r";
1916 1916  
1917 1917 if (term_escape_char > 0 && term_escape_char < 26) {
1918   - sprintf(cbuf,"\n\r");
1919   - sprintf(ebuf,"C-%c", term_escape_char - 1 + 'a');
  1918 + snprintf(cbuf, sizeof(cbuf), "\n\r");
  1919 + snprintf(ebuf, sizeof(ebuf), "C-%c", term_escape_char - 1 + 'a');
1920 1920 } else {
1921   - sprintf(cbuf,"\n\rEscape-Char set to Ascii: 0x%02x\n\r\n\r",
1922   - term_escape_char);
  1921 + snprintf(cbuf, sizeof(cbuf),
  1922 + "\n\rEscape-Char set to Ascii: 0x%02x\n\r\n\r",
  1923 + term_escape_char);
1923 1924 }
1924 1925 chr->chr_write(chr, (uint8_t *)cbuf, strlen(cbuf));
1925 1926 for (i = 0; mux_help[i] != NULL; i++) {
... ... @@ -4385,7 +4386,7 @@ static int tap_open(char *ifname, int ifname_size)
4385 4386 * Allocate TAP device, returns opened fd.
4386 4387 * Stores dev name in the first arg(must be large enough).
4387 4388 */
4388   -int tap_alloc(char *dev)
  4389 +int tap_alloc(char *dev, size_t dev_size)
4389 4390 {
4390 4391 int tap_fd, if_fd, ppa = -1;
4391 4392 static int ip_fd = 0;
... ... @@ -4498,7 +4499,7 @@ int tap_alloc(char *dev)
4498 4499 syslog (LOG_ERR, "Can't set multiplexor id");
4499 4500 }
4500 4501  
4501   - sprintf(dev, "tap%d", ppa);
  4502 + snprintf(dev, dev_size, "tap%d", ppa);
4502 4503 return tap_fd;
4503 4504 }
4504 4505  
... ... @@ -4506,7 +4507,7 @@ static int tap_open(char *ifname, int ifname_size)
4506 4507 {
4507 4508 char dev[10]="";
4508 4509 int fd;
4509   - if( (fd = tap_alloc(dev)) < 0 ){
  4510 + if( (fd = tap_alloc(dev, sizeof(dev))) < 0 ){
4510 4511 fprintf(stderr, "Cannot allocate TAP device\n");
4511 4512 return -1;
4512 4513 }
... ... @@ -5461,11 +5462,11 @@ static int drive_init(struct drive_opt *arg, int snapshot,
5461 5462 !strcmp(machine->name, "versatileab")) {
5462 5463 type = IF_SCSI;
5463 5464 max_devs = MAX_SCSI_DEVS;
5464   - strcpy(devname, "scsi");
  5465 + pstrcpy(devname, sizeof(devname), "scsi");
5465 5466 } else {
5466 5467 type = IF_IDE;
5467 5468 max_devs = MAX_IDE_DEVS;
5468   - strcpy(devname, "ide");
  5469 + pstrcpy(devname, sizeof(devname), "ide");
5469 5470 }
5470 5471 media = MEDIA_DISK;
5471 5472  
... ...