From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id DDA6D1A1EF2 for ; Wed, 12 Oct 2016 05:22:17 -0700 (PDT)
Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga101.fm.intel.com with ESMTP; 12 Oct 2016 05:22:17 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,482,1473145200"; d="scan'208";a="1063789062"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.34]) by orsmga002.jf.intel.com with ESMTP; 12 Oct 2016 05:22:16 -0700
From: Hao Wu
To: edk2-devel@lists.01.org
Cc: Hao Wu , Liming Gao , Yonghong Zhu
Date: Wed, 12 Oct 2016 20:20:34 +0800
Message-Id: <1476274836-10544-51-git-send-email-hao.a.wu@intel.com>
X-Mailer: git-send-email 1.9.5.msysgit.0
In-Reply-To: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com>
References: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com>
Subject: [PATCH 50/52] BaseTools/VolInfo: Use hard-coded format string for calls to sprintf()
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development
X-List-Received-Date: Wed, 12 Oct 2016 12:22:18 -0000

For calls to the API sprintf(), use a hard-coded format string instead of a
local variable. This helps prevent the format string from being changed
accidentally, which may lead to potential buffer overflows.

Cc: Liming Gao
Cc: Yonghong Zhu
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu
---
 BaseTools/Source/C/VolInfo/VolInfo.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/BaseTools/Source/C/VolInfo/VolInfo.c b/BaseTools/Source/C/VolInfo/VolInfo.c
index 5285acd..7ecfb7f 100644
--- a/BaseTools/Source/C/VolInfo/VolInfo.c
+++ b/BaseTools/Source/C/VolInfo/VolInfo.c
@@ -1599,7 +1599,6 @@ Returns: CHAR8 *ExtractionTool; CHAR8 *ToolInputFile; CHAR8 *ToolOutputFile; - CHAR8 *SystemCommandFormatString; CHAR8 *SystemCommand; EFI_GUID *EfiGuid; UINT16 DataOffset; @@ -1659,9 +1658,8 @@ Returns: SectionLength - SectionHeaderLen ); - SystemCommandFormatString = "%s sha1 -out %s %s"; SystemCommand = malloc ( - strlen (SystemCommandFormatString) + + strlen ("%s sha1 -out %s %s") + strlen (OpenSslPath) + strlen (ToolInputFileName) + strlen (ToolOutputFileName) + @@ -1673,7 +1671,7 @@ Returns: } sprintf ( SystemCommand, - SystemCommandFormatString, + "%s sha1 -out %s %s", OpenSslPath, ToolOutputFileName, ToolInputFileName @@ -1891,9 +1889,8 @@ Returns: // // Construction 'system' command string // - SystemCommandFormatString = "%s -d -o %s %s"; SystemCommand = malloc ( - strlen (SystemCommandFormatString) + + strlen ("%s -d -o %s %s") + strlen (ExtractionTool) + strlen (ToolInputFile) + strlen (ToolOutputFile) + @@ -1909,7 +1906,7 @@ Returns: } sprintf ( SystemCommand, - SystemCommandFormatString, + "%s -d -o %s %s", ExtractionTool, ToolOutputFile, ToolInputFile -- 1.9.5.msysgit.0
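Review bot: in the @@ -1659 hunk the literal "%s sha1 -out %s %s" now appears twice, once inside the strlen() that sizes the malloc() and again in the sprintf() a few lines down, so the two copies can drift apart in exactly the way the commit message says it wants to avoid; a single #define (or a static const CHAR8 array) referenced from both the strlen() and the sprintf() would keep the size computation and the format tied together while still not being a writable local. Counting the three "%s" specifiers in strlen() only adds six bytes of slack to the allocation, so the sizing itself is safe as written.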
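Review bot: the sprintf() in the @@ -1673 hunk still writes into SystemCommand with no bound even though the buffer length was just computed for malloc(); keeping that length in a local and passing it to snprintf() (and checking the return value) would turn any future mismatch between the size expression and the format into a truncation instead of the heap overflow the commit message cites as the motivation for this change.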
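Review bot: the @@ -1891 hunk has the same duplicated-literal issue for "%s -d -o %s %s" as the sha1 command, and the same #define-or-const fix applies; while these lines are being touched, the context comment "Construction 'system' command string" should read "Construct 'system' command string".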
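Review bot: the @@ -1909 hunk changes only the format literal, so ExtractionTool, ToolOutputFile and ToolInputFile are still interpolated unquoted into a string that, per the preceding context comment, is built for 'system'; a tool path or file name containing spaces or shell metacharacters would still be split or interpreted by the shell. This is not a regression introduced here, but since the series is about keeping these command strings safe it is worth a follow-up: quoting each %s in the literal (for example "%s -d -o \"%s\" \"%s\"") is a cheap mitigation, and the matching strlen() sizing above would need to use the same literal so the four extra quote characters are accounted for.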