Prefer smprintf instead of unsafe sprintf

gaul · gaul · commit 559a2f39f10e · 2019-10-07T19:54:44.000-07:00
Previously checking fans >= 10 overflowed the buffer and corrupted the heap. Found via AddressSanitizer. Regression from 968133e.
diff --git a/src/mbpfan.c b/src/mbpfan.c
@@ -167,9 +167,7 @@ t_sensors *retrieve_sensors()
 	    int counter;
 	    for (counter = 0; counter < NUM_HWMONS; counter++) {
 
-		char hwmon_path[strlen(path_begin)+2];
-
-		sprintf(hwmon_path, "%s%d", path_begin, counter);
+                char *hwmon_path = smprintf("%s%d", path_begin, counter);
 
 		int res = access(hwmon_path, R_OK);
 		if (res == 0) {
@@ -186,8 +184,11 @@ t_sensors *retrieve_sensors()
 
 		    }
 
+                    free(hwmon_path);
 		    break;
 		}
+
+                free(hwmon_path);
 	    }
 
 	    int core = 0;

Original file line number	Diff line number	Diff line change
`@@ -167,9 +167,7 @@ t_sensors *retrieve_sensors()`
`167`	`167`	`int counter;`
`168`	`168`	`for (counter = 0; counter < NUM_HWMONS; counter++) {`
`169`	`169`
`170`		`- char hwmon_path[strlen(path_begin)+2];`
`171`		`-`
`172`		`- sprintf(hwmon_path, "%s%d", path_begin, counter);`
	`170`	`+ char *hwmon_path = smprintf("%s%d", path_begin, counter);`
`173`	`171`
`174`	`172`	`int res = access(hwmon_path, R_OK);`
`175`	`173`	`if (res == 0) {`
`@@ -186,8 +184,11 @@ t_sensors *retrieve_sensors()`
`186`	`184`
`187`	`185`	`}`
`188`	`186`
	`187`	`+ free(hwmon_path);`
`189`	`188`	`break;`
`190`	`189`	`}`
	`190`	`+`
	`191`	`+ free(hwmon_path);`
`191`	`192`	`}`
`192`	`193`
`193`	`194`	`int core = 0;`