Index: trunk/i386/libsaio/xml.c =================================================================== --- trunk/i386/libsaio/xml.c (revision 2317) +++ trunk/i386/libsaio/xml.c (revision 2318) @@ -744,6 +744,7 @@ { printf("ParseTagInteger hex error (0x%x) in buffer %s\n", *val, buffer); getchar(); + XMLFreeTag(tmpTag); return -1; } } @@ -1240,5 +1241,7 @@ tagList->tagNext = tmpTag; return true; } + + XMLFreeTag(tmpTag); return false; } Index: trunk/i386/libsaio/acpi_patcher.c =================================================================== --- trunk/i386/libsaio/acpi_patcher.c (revision 2317) +++ trunk/i386/libsaio/acpi_patcher.c (revision 2318) @@ -93,41 +93,33 @@ } /* The folowing ACPI Table search algo. should be reused anywhere needed:*/ +/* WARNING: outDirspec string will be overwritten by subsequent calls! */ int search_and_get_acpi_fd(const char * filename, const char ** outDirspec) { int fd = 0; - char dirSpec[512]; + static char dirSpec[512]; // Try finding 'filename' in the usual places // Start searching any potential location for ACPI Table - sprintf(dirSpec, "%s", filename); + snprintf(dirSpec, sizeof(dirSpec), "%s", filename); fd = open(dirSpec, 0); if (fd < 0) - { - sprintf(dirSpec, "/Extra/%s", filename); - fd = open(dirSpec, 0); - if (fd < 0) + { + snprintf(dirSpec, sizeof(dirSpec), "/Extra/%s", filename); + fd = open(dirSpec, 0); + if (fd < 0) { - sprintf(dirSpec, "bt(0,0)/Extra/%s", filename); - fd = open(dirSpec, 0); - if (fd < 0) + snprintf(dirSpec, sizeof(dirSpec), "bt(0,0)/Extra/%s", filename); + fd = open(dirSpec, 0); + if (fd < 0) { - // NOT FOUND: - verbose("ACPI Table not found: %s\n", filename); - *dirSpec = '\0'; + // NOT FOUND: + verbose("ACPI Table not found: %s\n", filename); + *dirSpec = '\0'; } } } -// Bungo -/*** Moved above - if (fd < 0) - { - // NOT FOUND: - verbose("ACPI Table not found: %s\n", filename); - *dirSpec = '\0'; - } -***/ if (outDirspec) *outDirspec = dirSpec; return fd; } 
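Review bot: The switch to `static char dirSpec[512]` removes the old return of a stack address through `*outDirspec`, but the three `snprintf` calls in `search_and_get_acpi_fd` truncate silently, so an over-long `filename` (the DSDT hunk below takes it from the boot config) would be looked up under a clipped path with no indication. Check the result once before the first `open`, e.g. `if (snprintf(dirSpec, sizeof(dirSpec), "%s", filename) >= (int)sizeof(dirSpec)) return -1;`, and likewise for the two prefixed forms. The static buffer also means a caller that holds `*outDirspec` across a second call sees it overwritten; the added WARNING comment documents this, but a caller-supplied buffer would remove the hazard rather than describe it.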
@@ -870,7 +862,7 @@ /* Try using the file specified with the DSDT option */ if (getValueForKey(kDSDT, &filename, &len, &bootInfo->chameleonConfig)) { - sprintf(dirSpec, filename); + snprintf(dirSpec, sizeof(dirSpec), filename); } else { Index: trunk/i386/libsaio/allocate.c =================================================================== --- trunk/i386/libsaio/allocate.c (revision 2317) +++ trunk/i386/libsaio/allocate.c (revision 2318) @@ -41,11 +41,14 @@ nameBuf = malloc(strlen(rangeName) + 1); if (nameBuf == 0) return -1; - strcpy(nameBuf, rangeName); buffer = malloc(2 * sizeof(uint32_t)); - if (buffer == 0) return -1; + if (buffer == 0) { + free(nameBuf); + return -1; + } + strcpy(nameBuf, rangeName); buffer[0] = start; buffer[1] = length; Index: trunk/i386/libsaio/gma.c =================================================================== --- trunk/i386/libsaio/gma.c (revision 2317) +++ trunk/i386/libsaio/gma.c (revision 2318) @@ -354,13 +354,11 @@ { if (intel_gfx_chipsets[i].model == ((device_id << 16) | vendor_id)) { - sprintf(desc, "%s %s", INTEL_NAME, intel_gfx_chipsets[i].label_info); - desc[sizeof(desc) - 1] = '\0'; + snprintf(desc, sizeof(desc), "%s %s", INTEL_NAME, intel_gfx_chipsets[i].label_info); return desc; } } - sprintf(desc, "Unknown %s Graphics card", INTEL_NAME); - desc[sizeof(desc) - 1] = '\0'; + snprintf(desc, sizeof(desc), "Unknown %s Graphics card", INTEL_NAME); return desc; } @@ -395,9 +393,7 @@ string = devprop_create_string(); } - struct DevPropDevice *device = malloc(sizeof(struct DevPropDevice)); - device = devprop_add_device(string, devicepath); - + struct DevPropDevice *device = devprop_add_device(string, devicepath); if (!device) { printf("Failed initializing dev-prop string dev-entry.\n"); Index: trunk/i386/libsaio/pci_root.c =================================================================== --- trunk/i386/libsaio/pci_root.c (revision 2317) +++ trunk/i386/libsaio/pci_root.c (revision 2318) 
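Review bot: `snprintf(dirSpec, sizeof(dirSpec), filename)` still passes `filename` as the format string; the value comes from `getValueForKey(kDSDT, ...)`, i.e. the boot configuration, so any `%` sequence in it is interpreted, and the added size bounds the overflow but leaves the format-string defect in place. It should read `snprintf(dirSpec, sizeof(dirSpec), "%s", filename);`. pci_root.c @@ -79 has the identical pattern with `dsdt_dirSpec`/`dsdt_filename` and needs the same `"%s"`. Neither enclosing function is visible in full here.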
@@ -79,7 +79,7 @@ // Try using the file specified with the DSDT option if (getValueForKey(kDSDT, &dsdt_filename, &len, &bootInfo->chameleonConfig)) { - sprintf(dsdt_dirSpec, dsdt_filename); + snprintf(dsdt_dirSpec, sizeof(dsdt_dirSpec), dsdt_filename); } else { @@ -98,13 +98,14 @@ fsize = file_size(fd); - if ((new_dsdt = malloc(fsize)) == NULL) { + if (!(new_dsdt = malloc(fsize))) { verbose("[ERROR] alloc DSDT memory failed\n"); close (fd); goto out; } if (read (fd, new_dsdt, fsize) != fsize) { verbose("[ERROR] read %s failed\n", dsdt_filename); + free(new_dsdt); close (fd); goto out; } Index: trunk/i386/libsaio/device_inject.c =================================================================== --- trunk/i386/libsaio/device_inject.c (revision 2317) +++ trunk/i386/libsaio/device_inject.c (revision 2318) @@ -75,10 +75,9 @@ struct DevPropString *devprop_create_string(void) { string = (struct DevPropString*)malloc(sizeof(struct DevPropString)); + if (string == NULL) + return NULL; - if(string == NULL) - return NULL; - memset(string, 0, sizeof(struct DevPropString)); string->length = 12; string->WHAT2 = 0x01000000; @@ -87,20 +86,25 @@ struct DevPropDevice *devprop_add_device(struct DevPropString *string, char *path) { - struct DevPropDevice *device; - const char pciroot_string[] = "PciRoot(0x"; - const char pci_device_string[] = "Pci(0x"; + struct DevPropDevice *device = NULL; + static const char pciroot_string[] = "PciRoot(0x"; + static const char pci_device_string[] = "Pci(0x"; if (string == NULL || path == NULL) { + printf("ERROR null device path\n"); return NULL; } - device = malloc(sizeof(struct DevPropDevice)); if (strncmp(path, pciroot_string, strlen(pciroot_string))) { printf("ERROR parsing device path\n"); return NULL; } + if (!(device = malloc(sizeof(struct DevPropDevice)))) { + printf("ERROR malloc failed\n"); + return NULL; + } + memset(device, 0, sizeof(struct DevPropDevice)); device->acpi_dev_path._UID = getPciRootUID(); 
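Review bot: The new `free(new_dsdt)` closes the read-failure leak, but `malloc(fsize)` is still issued before `fsize` is validated; if `file_size()` can report an error as a negative value (its contract is not visible here), the implicit conversion to `size_t` turns that into a huge request and the failure is reported as "alloc DSDT memory failed". A check such as `if (fsize <= 0) { close(fd); goto out; }` before the allocation would separate the two cases. Whether the remaining failure paths of this function, outside the hunk, also release `new_dsdt` should be confirmed.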
@@ -144,8 +148,10 @@ } } - if(!numpaths) - return NULL; + if (!numpaths) { + free(device); + return NULL; + } device->numentries = 0x00; @@ -172,12 +178,15 @@ device->string = string; device->data = NULL; - string->length += device->length; - if(!string->entries) - if((string->entries = (struct DevPropDevice**)malloc(sizeof(device)*DEV_PROP_DEVICE_MAX_ENTRIES))== NULL) - return 0; + if (!string->entries) + if (!(string->entries = (struct DevPropDevice**) malloc(sizeof(device) * DEV_PROP_DEVICE_MAX_ENTRIES))) { + free(device); + return NULL; + } + /* FIXME: probably needs bounds checking, as well as error handling in event of malloc failure */ + string->length += device->length; string->entries[string->numentries++] = (struct DevPropDevice*)malloc(sizeof(device)); string->entries[string->numentries-1] = device; 
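Review bot: `string->entries[string->numentries++] = (struct DevPropDevice*)malloc(sizeof(device))` still indexes the table without comparing `numentries` to `DEV_PROP_DEVICE_MAX_ENTRIES`, so the table allocated two lines earlier is overrun by the first device past that limit, and the pointer-sized allocation is overwritten by `device` on the very next line and leaked on every call; the new FIXME names the first problem but the hunk does not fix either. Check the bound before touching the table and store `device` directly, as below. The unbraced nested `if (!string->entries) if (...) {` would also be clearer with braces. `devprop_add_device` continues past the hunk, so any later failure return there must still undo the `numentries++` and the `length` update.
```c
if (!string->entries) {
    string->entries = (struct DevPropDevice **) malloc(sizeof(device) * DEV_PROP_DEVICE_MAX_ENTRIES);
    if (!string->entries) {
        free(device);
        return NULL;
    }
}
if (string->numentries >= DEV_PROP_DEVICE_MAX_ENTRIES) {
    free(device);
    return NULL;
}
string->length += device->length;
string->entries[string->numentries++] = device;
/* … unchanged: rest of devprop_add_device … */
```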
@@ -397,23 +406,21 @@ void set_eth_builtin(pci_dt_t *eth_dev) { char *devicepath = get_pci_dev_path(eth_dev); - struct DevPropDevice *device = (struct DevPropDevice*)malloc(sizeof(struct DevPropDevice)); + struct DevPropDevice *device = NULL; verbose("LAN Controller [%04x:%04x] :: %s\n", eth_dev->vendor_id, eth_dev->device_id, devicepath); - if (!string) - string = devprop_create_string(); + if(!string) + string = devprop_create_string(); - device = devprop_add_device(string, devicepath); - if(device) - { - verbose("Setting up lan keys\n"); - devprop_add_network_template(device, eth_dev->vendor_id); - stringdata = (uint8_t*)malloc(sizeof(uint8_t) * string->length); - if(stringdata) - { - memcpy(stringdata, (uint8_t*)devprop_generate_string(string), string->length); - stringlength = string->length; - } + device = devprop_add_device(string, devicepath); + if(device) { + verbose("Setting up lan keys\n"); + devprop_add_network_template(device, eth_dev->vendor_id); + stringdata = (uint8_t*)malloc(sizeof(uint8_t) * string->length); + if(stringdata) { + memcpy(stringdata, (uint8_t*)devprop_generate_string(string), string->length); + stringlength = string->length; + } } } Index: trunk/i386/libsaio/dram_controllers.c =================================================================== --- trunk/i386/libsaio/dram_controllers.c (revision 2317) +++ trunk/i386/libsaio/dram_controllers.c (revision 2318) @@ -57,7 +57,7 @@ // Nehalem supports Scrubbing // First, locate the PCI bus where the MCH is located - for(i = 0; i < sizeof(possible_nhm_bus); i++) + for(i = 0; i < (sizeof(possible_nhm_bus)/sizeof(possible_nhm_bus[0])); i++) { vid = pci_config_read16(PCIADDR(possible_nhm_bus[i], 3, 4), PCI_VENDOR_ID); did = pci_config_read16(PCIADDR(possible_nhm_bus[i], 3, 4), PCI_DEVICE_ID); Index: trunk/i386/libsaio/nvidia.c =================================================================== --- trunk/i386/libsaio/nvidia.c (revision 2317) +++ trunk/i386/libsaio/nvidia.c (revision 2318) 
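Review bot: The element-count expression `sizeof(possible_nhm_bus)/sizeof(possible_nhm_bus[0])` in the `for` header is only correct while `possible_nhm_bus` is a real array in this scope (its declaration is not in the hunk), and the same expression is repeated verbatim in smbios_getters.c @@ -105. One shared `#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))` in a common header, used as `for (i = 0; i < ARRAY_SIZE(possible_nhm_bus); i++)`, would keep the two loops in step and make the intent visible.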
@@ -1702,10 +1702,9 @@ { if (nvidia_card_vendors[j].device == (subsys_id & 0xffff0000)) { - sprintf(name_model, "%s %s", - nvidia_card_vendors[j].name, nvidia_card_generic[i].name); - name_model[sizeof(name_model) - 1] = '\0'; - return name_model; + snprintf(name_model, sizeof(name_model), "%s %s", + nvidia_card_vendors[j].name, nvidia_card_generic[i].name); + return name_model; } } } @@ -2067,7 +2066,7 @@ } } - sprintf(biosVersion, "%s", (nvBiosOveride > 0) ? nvFilename : version_str); + snprintf(biosVersion, sizeof(biosVersion), "%s", (nvBiosOveride > 0) ? nvFilename : version_str); sprintf(kNVCAP, "NVCAP_%04x", nvda_dev->device_id); if (getValueForKey(kNVCAP, &value, &len, &bootInfo->chameleonConfig) && len == NVCAP_LEN * 2) @@ -2172,6 +2171,7 @@ memcpy(stringdata, (uint8_t*)devprop_generate_string(string), string->length); stringlength = string->length; + free(version_str); free(rom); return true; } Index: trunk/i386/libsaio/ntfs.c =================================================================== --- trunk/i386/libsaio/ntfs.c (revision 2317) +++ trunk/i386/libsaio/ntfs.c (revision 2318) @@ -272,8 +272,7 @@ } if (read(fd, buf, mftRecordSize) != mftRecordSize) { - //verbose("NTFS: error reading MFT $Volume record: %s\n", - strerror(errno)); + //verbose("NTFS: error reading MFT $Volume record: %s\n", strerror(errno)); goto error; } #endif Index: trunk/i386/libsaio/pci.c =================================================================== --- trunk/i386/libsaio/pci.c (revision 2317) +++ trunk/i386/libsaio/pci.c (revision 2318) @@ -151,7 +151,7 @@ { pci_dt_t *current; pci_dt_t *end; - char tmp[64]; + int dev_path_len = 0; dev_path[0] = 0; end = root_pci_dev; 
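Review bot: `sprintf(kNVCAP, "NVCAP_%04x", nvda_dev->device_id)` on the line after the new `snprintf` remains unbounded; `%04x` is a minimum width, not a maximum, so the output grows with the value, and the size of `kNVCAP` is not visible in the hunk. A 16-bit PCI device id fits today, but for consistency with the rest of this commit use `snprintf(kNVCAP, sizeof(kNVCAP), "NVCAP_%04x", nvda_dev->device_id);` if `kNVCAP` is an array, or its declared length otherwise.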
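Review bot: `free(version_str)` is added only on the success path that ends in `return true`; the allocation site and the earlier error returns of the same function lie outside this hunk, so whether those paths also release `version_str` (and `rom`) cannot be confirmed from here and should be checked before the leak is considered closed.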
@@ -159,19 +159,19 @@ int uid = getPciRootUID(); while (end != pci_dt) { - current = pci_dt; - while (current->parent != end) - current = current->parent; - end = current; - if (current->parent == root_pci_dev) - { - sprintf(tmp, "PciRoot(0x%x)/Pci(0x%x,0x%x)", uid, - current->dev.bits.dev, current->dev.bits.func); - } else { - sprintf(tmp, "/Pci(0x%x,0x%x)", - current->dev.bits.dev, current->dev.bits.func); - } - strcat(dev_path, tmp); + current = pci_dt; + while (current->parent != end) + current = current->parent; + end = current; + if (current->parent == root_pci_dev) { + dev_path_len += + snprintf(dev_path + dev_path_len, sizeof(dev_path) - dev_path_len, "PciRoot(0x%x)/Pci(0x%x,0x%x)", uid, + current->dev.bits.dev, current->dev.bits.func); + } else { + dev_path_len += + snprintf(dev_path + dev_path_len, sizeof(dev_path) - dev_path_len, "/Pci(0x%x,0x%x)", + current->dev.bits.dev, current->dev.bits.func); + } } return dev_path; } @@ -184,7 +184,8 @@ while (current) { printf("%02x:%02x.%x [%04x%02x] [%04x:%04x] (subsys [%04x:%04x]):: %s\n", current->dev.bits.bus, current->dev.bits.dev, current->dev.bits.func, - current->class_id, current->vendor_id, current->device_id, + current->class_id, 0 /* FIXME: what should this be? */, + current->vendor_id, current->device_id, current->subsys_id.subsys.vendor_id, current->subsys_id.subsys.device_id, get_pci_dev_path(current)); dump_pci_dt(current->children); Index: trunk/i386/libsaio/smbios_getters.c =================================================================== --- trunk/i386/libsaio/smbios_getters.c (revision 2317) +++ trunk/i386/libsaio/smbios_getters.c (revision 2318) 
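Review bot: `dev_path_len += snprintf(dev_path + dev_path_len, sizeof(dev_path) - dev_path_len, ...)` accumulates the length `snprintf` *wanted* to write, not what it wrote: once a call truncates, `dev_path_len` exceeds `sizeof(dev_path)`, the next iteration's `sizeof(dev_path) - dev_path_len` wraps to a huge `size_t`, and the write begins past the end of the buffer. Stop the loop once the buffer is full, e.g. add `if (dev_path_len >= (int)sizeof(dev_path)) break;` at the end of the loop body. options.c @@ -641 has the same hazard between its two `snprintf` calls per iteration — the `bufflen < 1024` test in the `for` condition does not protect the second call once the first has truncated, and `1024-bufflen` then goes negative — while graphics.c @@ -187 is the guarded variant because its single call is preceded by the loop test. `sizeof(dev_path)` here is only meaningful if `dev_path` is an array in this scope, which the hunk does not show.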
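Review bot: The literal `0 /* FIXME: what should this be? */` in `dump_pci_dt` makes the argument count match the ten conversions in the format (the old call supplied nine, which is undefined behaviour), but it prints a meaningless field on every line. If `class_id` holds the full 24-bit class code, `[%06x]` with `current->class_id` alone prints the same information without a placeholder; otherwise drop the `%02x` from the format rather than feed it a constant.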
@@ -105,7 +105,7 @@ // Nehalem supports Scrubbing // First, locate the PCI bus where the MCH is located - for(i = 0; i < sizeof(possible_nhm_bus); i++) + for(i = 0; i < (sizeof(possible_nhm_bus)/sizeof(possible_nhm_bus[0])); i++) { vid = pci_config_read16(PCIADDR(possible_nhm_bus[i], 3, 4), 0x00); did = pci_config_read16(PCIADDR(possible_nhm_bus[i], 3, 4), 0x02); Index: trunk/i386/klibc/strlcpy.c =================================================================== --- trunk/i386/klibc/strlcpy.c (revision 2317) +++ trunk/i386/klibc/strlcpy.c (revision 2318) 
@@ -2,26 +2,54 @@ * strlcpy.c */ +/* Use OpenBSD heritage source -- Chucko 2014-01-06 */ + +/*- + * Copyright (c) 1998 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + #include #include -size_t strlcpy(char *dst, const char *src, size_t size) +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t +strlcpy(char * __restrict dst, const char * __restrict src, size_t siz) { - size_t bytes = 0; - char *q = dst; - const char *p = src; - char ch; + char *d = dst; + const char *s = src; + size_t n = siz; - while ((ch = *p++)) { - if (bytes + 1 < size) - *q++ = ch; + /* Copy as many bytes as will fit */ + if (n != 0) { + while (--n != 0) { + if ((*d++ = *s++) == '\0') + break; + } + } - bytes++; - } + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } - /* If size == 0 there is no space for a final null... 
*/ - if (size) - *q = '\0'; - - return bytes; + return(s - src - 1); /* count does not include NUL */ } Index: trunk/i386/boot2/picopng.c =================================================================== --- trunk/i386/boot2/picopng.c (revision 2317) +++ trunk/i386/boot2/picopng.c (revision 2318) @@ -1097,14 +1097,22 @@ printf("file empty\n"); return 1; } - insize = (uint32_t) statbuf.st_size; - inbuf = malloc(insize); infp = fopen(fname, "rb"); if (!infp) { perror("fopen"); return 1; - } else if (fread(inbuf, 1, insize, infp) != insize) { + } + insize = (uint32_t) statbuf.st_size; + inbuf = malloc(insize); + if (!inbuf) { + perror("malloc"); + fclose(infp); + return 1; + } + if (fread(inbuf, 1, insize, infp) != insize) { perror("fread"); + free(inbuf); + fclose(infp); return 1; } fclose(infp); Index: trunk/i386/boot2/graphics.c =================================================================== --- trunk/i386/boot2/graphics.c (revision 2317) +++ trunk/i386/boot2/graphics.c (revision 2318) @@ -50,8 +50,6 @@ { VBEInfoBlock vbeInfo; int err, small; - char *buff = malloc(sizeof(char)*256); - if(!buff) return 0; bzero( &vbeInfo, sizeof(vbeInfo) ); strcpy( (char*)&vbeInfo, "VBE2" ); @@ -74,9 +72,8 @@ { VBEInfoBlock vbeInfo; int err, small; - char *buff = malloc(sizeof(char)*256); - if(!buff) return 0; - + char* buff = NULL; + bzero( &vbeInfo, sizeof(vbeInfo) ); strcpy( (char*)&vbeInfo, "VBE2" ); err = getVBEInfo( &vbeInfo ); 
@@ -86,14 +83,19 @@ if ( strncmp( (char *)vbeInfo.VESASignature, "VESA", 4 ) ) return 0; + buff = malloc(sizeof(char) * 256); + if (!buff) + return 0; + small = (vbeInfo.TotalMemory < 16); - sprintf(buff, "VESA v%d.%d %d%s (%s)\n", - vbeInfo.VESAVersion >> 8, - vbeInfo.VESAVersion & 0xf, - small ? (vbeInfo.TotalMemory * 64) : (vbeInfo.TotalMemory / 16), - small ? "KB" : "MB", - VBEDecodeFP(const char *, vbeInfo.OEMStringPtr) ); + snprintf(buff, 256, + "VESA v%d.%d %d%s (%s)\n", + vbeInfo.VESAVersion >> 8, + vbeInfo.VESAVersion & 0xf, + small ? (vbeInfo.TotalMemory * 64) : (vbeInfo.TotalMemory / 16), + small ? "KB" : "MB", + VBEDecodeFP(const char *, vbeInfo.OEMStringPtr) ); return buff; } @@ -109,6 +111,7 @@ VBEModeInfoBlock modeInfo; int err; int line; + char* vbeInfoString = NULL; bzero( &vbeInfo, sizeof(vbeInfo) ); strcpy( (char*)&vbeInfo, "VBE2" ); @@ -123,7 +126,15 @@ clearScreenRows(0, 24); setCursorPosition( 0, 0, 1 ); - printf( getVBEInfoString() ); + vbeInfoString = getVBEInfoString(); + if (!vbeInfoString) { + printf("Error: getVBEInfoString failed\n"); + return; + } + printf("%s", vbeInfoString); + free(vbeInfoString); + vbeInfoString = NULL; + printf("Video modes supported:\n", VBEDecodeFP(const char *, vbeInfo.OEMStringPtr)); // Loop through the mode list, and find the matching mode. @@ -173,10 +184,12 @@ char *buff=malloc(sizeof(char)*3072); if(!buff) return 0; + int bufflen = 0; // Loop through the mode list, and find the matching mode. for ( modePtr = VBEDecodeFP( unsigned short *, vbeInfo.VideoModePtr ); - *modePtr != modeEndOfList; modePtr++ ) + (*modePtr != modeEndOfList) && (bufflen < 3072); /* prevent buffer overrun */ + modePtr++ ) { // Get mode information. 
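Review bot: `buff` comes from `malloc` and is never initialised, so if the mode loop runs zero times, or every mode is skipped by the `continue` in the next hunk before any `snprintf`, the function returns a buffer with no terminator and the caller's `printf("%s", ...)` reads uninitialised heap; the old code had the same flaw hidden behind `strlen(buff)`. Add `buff[0] = '\0';` right after the allocation check. The `3072` literal appears three times (malloc, loop bound, snprintf) and would be safer as one named constant. The function begins before the hunk.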
@@ -187,10 +200,11 @@ continue; } - sprintf(buff+strlen(buff), "Mode %x: %dx%dx%d mm:%d attr:%x\n", - *modePtr, modeInfo.XResolution, modeInfo.YResolution, - modeInfo.BitsPerPixel, modeInfo.MemoryModel, - modeInfo.ModeAttributes); + bufflen += + snprintf(buff+bufflen, 3072-bufflen, "Mode %x: %dx%dx%d mm:%d attr:%x\n", + *modePtr, modeInfo.XResolution, modeInfo.YResolution, + modeInfo.BitsPerPixel, modeInfo.MemoryModel, + modeInfo.ModeAttributes); } return buff; Index: trunk/i386/boot2/drivers.c =================================================================== --- trunk/i386/boot2/drivers.c (revision 2317) +++ trunk/i386/boot2/drivers.c (revision 2318) @@ -244,11 +244,11 @@ else { if (gMacOSVersion[3] == '9') { - strcpy(gExtensionsSpec, dirSpec); + strlcpy(gExtensionsSpec, dirSpec, 4087); /* 4096 - sizeof("Library/") */ strcat(gExtensionsSpec, "Library/"); FileLoadDrivers(gExtensionsSpec, 0); } - strcpy(gExtensionsSpec, dirSpec); + strlcpy(gExtensionsSpec, dirSpec, 4080); /* 4096 - sizeof("System/Library/") */ strcat(gExtensionsSpec, "System/Library/"); FileLoadDrivers(gExtensionsSpec, 0); } @@ -278,7 +278,7 @@ long ret, flags, time, time2; char altDirSpec[512]; - sprintf (altDirSpec, "%s%s", dirSpec, extDirSpec); + snprintf(altDirSpec, sizeof(altDirSpec), "%s%s", dirSpec, extDirSpec); ret = GetFileInfo(altDirSpec, "Extensions.mkext", &flags, &time); if ((ret == 0) && ((flags & kFileTypeMask) == kFileTypeFlat)) @@ -289,7 +289,7 @@ || ((flags & kFileTypeMask) != kFileTypeDirectory) || (((gBootMode & kBootModeSafe) == 0) && (time == (time2 + 1)))) { - sprintf(gDriverSpec, "%sExtensions.mkext", altDirSpec); + snprintf(gDriverSpec, sizeof(altDirSpec) + 18, "%sExtensions.mkext", altDirSpec); verbose("LoadDrivers: Loading from [%s]\n", gDriverSpec); if (LoadDriverMKext(gDriverSpec) == 0) 
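Review bot: `strlcpy(gExtensionsSpec, dirSpec, 4087)` followed by `strcat(gExtensionsSpec, "Library/")` encodes the destination size as two hand-computed literals (4087 and 4080); they are correct for a 4096-byte buffer today but become silently wrong if `gExtensionsSpec` is ever resized, and the `strcat` itself is unbounded. If `gExtensionsSpec` is an array in this scope, `strlcpy(gExtensionsSpec, dirSpec, sizeof(gExtensionsSpec));` followed by a bounded concatenation removes the arithmetic (the tree ships a klibc `strlcpy`; whether a `strlcat` exists alongside it is not visible here). The bare `4096` also recurs in @@ -336, @@ -383, @@ -460, @@ -481 and @@ -574 of this file and deserves a single named constant.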
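Review bot: `snprintf(gDriverSpec, sizeof(altDirSpec) + 18, "%sExtensions.mkext", altDirSpec)` bounds the write by the *source* buffer (`altDirSpec`, 512 bytes) plus the suffix length, not by the size of the destination `gDriverSpec`; the number happens to be small enough if `gDriverSpec` is the 4096-byte buffer the other hunks assume, but it is the wrong invariant and will not survive a change to either buffer. Use the destination's size as the rest of the file does, `snprintf(gDriverSpec, 4096, "%sExtensions.mkext", altDirSpec);`, or `sizeof(gDriverSpec)` if it is an array.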
@@ -336,17 +336,17 @@ if (strcmp(name + length - 5, ".kext")) continue; // Save the file name. - strcpy(gFileName, name); + strlcpy(gFileName, name, 4096); // Determine the bundle type. - sprintf(gTempSpec, "%s/%s", dirSpec, gFileName); + snprintf(gTempSpec, 4096, "%s/%s", dirSpec, gFileName); ret = GetFileInfo(gTempSpec, "Contents", &flags, &time); if (ret == 0) bundleType = kCFBundleType2; else bundleType = kCFBundleType3; if (!plugin) - sprintf(gDriverSpec, "%s/%s/%sPlugIns", dirSpec, gFileName, - (bundleType == kCFBundleType2) ? "Contents/" : ""); + snprintf(gDriverSpec, 4096, "%s/%s/%sPlugIns", dirSpec, gFileName, + (bundleType == kCFBundleType2) ? "Contents/" : ""); ret = LoadDriverPList(dirSpec, gFileName, bundleType); @@ -383,7 +383,7 @@ #endif // INTEL modification - sprintf(gDriverSpec, "%s%s.mkext", dirSpec, bootInfo->bootFile); + snprintf(gDriverSpec, 4096, "%s%s.mkext", dirSpec, bootInfo->bootFile); verbose("NetLoadDrivers: Loading from [%s]\n", gDriverSpec); @@ -436,7 +436,7 @@ memcpy((void *)driversAddr, (void *)package, driversLength); // Add the MKext to the memory map. - sprintf(segName, "DriversPackage-%lx", driversAddr); + snprintf(segName, sizeof(segName), "DriversPackage-%lx", driversAddr); AllocateMemoryRange(segName, driversAddr, driversLength, kBootDriverTypeMKEXT); 
@@ -460,18 +460,22 @@ do { // Save the driver path. - if(name) sprintf(gFileSpec, "%s/%s/%s", dirSpec, name, - (bundleType == kCFBundleType2) ? "Contents/MacOS/" : ""); - else sprintf(gFileSpec, "%s/%s", dirSpec, - (bundleType == kCFBundleType2) ? "Contents/MacOS/" : ""); + if(name) + snprintf(gFileSpec, 4096, "%s/%s/%s", dirSpec, name, + (bundleType == kCFBundleType2) ? "Contents/MacOS/" : ""); + else + snprintf(gFileSpec, 4096, "%s/%s", dirSpec, + (bundleType == kCFBundleType2) ? "Contents/MacOS/" : ""); executablePathLength = strlen(gFileSpec) + 1; tmpExecutablePath = malloc(executablePathLength); if (tmpExecutablePath == 0) break; strcpy(tmpExecutablePath, gFileSpec); - if(name) sprintf(gFileSpec, "%s/%s", dirSpec, name); - else sprintf(gFileSpec, "%s", dirSpec); + if(name) + snprintf(gFileSpec, 4096, "%s/%s", dirSpec, name); + else + snprintf(gFileSpec, 4096, "%s", dirSpec); bundlePathLength = strlen(gFileSpec) + 1; tmpBundlePath = malloc(bundlePathLength); @@ -481,10 +485,12 @@ // Construct the file spec to the plist, then load it. - if(name) sprintf(gFileSpec, "%s/%s/%sInfo.plist", dirSpec, name, - (bundleType == kCFBundleType2) ? "Contents/" : ""); - else sprintf(gFileSpec, "%s/%sInfo.plist", dirSpec, - (bundleType == kCFBundleType2) ? "Contents/" : ""); + if(name) + snprintf(gFileSpec, 4096, "%s/%s/%sInfo.plist", dirSpec, name, + (bundleType == kCFBundleType2) ? "Contents/" : ""); + else + snprintf(gFileSpec, 4096, "%s/%sInfo.plist", dirSpec, + (bundleType == kCFBundleType2) ? "Contents/" : ""); length = LoadFile(gFileSpec); if (length == -1) break; @@ -574,7 +580,7 @@ if (prop != 0) { fileName = prop->string; - sprintf(gFileSpec, "%s%s", module->executablePath, fileName); + snprintf(gFileSpec, 4096, "%s%s", module->executablePath, fileName); length = LoadThinFatFile(gFileSpec, &executableAddr); if (length == 0) { 
@@ -629,7 +635,7 @@ strcpy(driver->bundlePathAddr, module->bundlePath); // Add an entry to the memory map. - sprintf(segName, "Driver-%lx", (unsigned long)driver); + snprintf(segName, sizeof(segName), "Driver-%lx", (unsigned long)driver); AllocateMemoryRange(segName, driverAddr, driverLength, kBootDriverTypeKEXT); } Index: trunk/i386/boot2/boot.c =================================================================== --- trunk/i386/boot2/boot.c (revision 2317) +++ trunk/i386/boot2/boot.c (revision 2318) 
@@ -247,35 +247,38 @@ // Lion, Mountain Lion and Mavericks prelink kernel cache file if ((checkOSVersion("10.7")) || (checkOSVersion("10.8")) || (checkOSVersion("10.9"))) { - sprintf(kernelCacheFile, "%skernelcache", kDefaultCachePathSnow); + snprintf(kernelCacheFile, sizeof(kernelCacheFile), "%skernelcache", kDefaultCachePathSnow); } // Snow Leopard prelink kernel cache file else if (checkOSVersion("10.6")) { - sprintf(kernelCacheFile, "kernelcache_%s", (archCpuType == CPU_TYPE_I386) - ? "i386" : "x86_64"); - int lnam = strlen(kernelCacheFile) + 9; //with adler32 + snprintf(kernelCacheFile, sizeof(kernelCacheFile), "kernelcache_%s", + (archCpuType == CPU_TYPE_I386) ? "i386" : "x86_64"); + int lnam = strlen(kernelCacheFile) + 9; //with adler32 - char* name; - long prev_time = 0; + char* name; + long prev_time = 0; - struct dirstuff* cacheDir = opendir(kDefaultCachePathSnow); - - while(readdir(cacheDir, (const char**)&name, &flags, &time) >= 0) - { - if (((flags & kFileTypeMask) != kFileTypeDirectory) && time > prev_time - && strstr(name, kernelCacheFile) && (name[lnam] != '.')) - { - sprintf(kernelCacheFile, "%s%s", kDefaultCachePathSnow, name); - prev_time = time; - } - } + struct dirstuff* cacheDir = opendir(kDefaultCachePathSnow); + /* TODO: handle error? */ + if (cacheDir) { + while (readdir(cacheDir, (const char**)&name, &flags, &time) >= 0) { + if (((flags & kFileTypeMask) != kFileTypeDirectory) && time > prev_time + && strstr(name, kernelCacheFile) && (name[lnam] != '.')) { + snprintf(kernelCacheFile, sizeof(kernelCacheFile), "%s%s", kDefaultCachePathSnow, name); + prev_time = time; + } + } + } + closedir(cacheDir); } else { - // Reset cache name. - bzero(gCacheNameAdler + 64, sizeof(gCacheNameAdler) - 64); - sprintf(gCacheNameAdler + 64, "%s,%s", gRootDevice, bootInfo->bootFile); - adler32 = Adler32((unsigned char *)gCacheNameAdler, sizeof(gCacheNameAdler)); - sprintf(kernelCacheFile, "%s.%08lX", kDefaultCachePathLeo, adler32); + // Reset cache name. 
+ bzero(gCacheNameAdler + 64, sizeof(gCacheNameAdler) - 64); + snprintf(gCacheNameAdler + 64, sizeof(gCacheNameAdler) - 64, + "%s,%s", + gRootDevice, bootInfo->bootFile); + adler32 = Adler32((unsigned char *)gCacheNameAdler, sizeof(gCacheNameAdler)); + snprintf(kernelCacheFile, sizeof(kernelCacheFile), "%s.%08lX", kDefaultCachePathLeo, adler32); } } 
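Review bot: `closedir(cacheDir);` sits outside the new `if (cacheDir) { ... }` block, so when `opendir` fails the code now calls `closedir(NULL)` — the very case the guard was added for — unless this tree's `closedir` tolerates NULL, which the hunk cannot show. Move the call inside the block, after the `while`. Two older problems survive on the new lines: `name[lnam]` with `lnam = strlen(kernelCacheFile) + 9` is read without checking `strlen(name)`, so a short matching entry reads past its terminator, and the first match rewrites `kernelCacheFile` to the full path while it is still the `strstr` needle for later entries, changing what subsequent iterations match. Both predate this commit but deserve a comment or a separate needle buffer.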
@@ -284,27 +287,25 @@ // If boot from a boot helper partition check the kernel cache file on it if (gBootVolume->flags & kBVFlagBooter) { - sprintf(kernelCachePath, "com.apple.boot.P%s", kernelCacheFile); - ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); - if ((ret == -1) || ((flags & kFileTypeMask) != kFileTypeFlat)) - { - sprintf(kernelCachePath, "com.apple.boot.R%s", kernelCacheFile); - ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); - if ((ret == -1) || ((flags & kFileTypeMask) != kFileTypeFlat)) - { - sprintf(kernelCachePath, "com.apple.boot.S%s", kernelCacheFile); - ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); - if ((flags & kFileTypeMask) != kFileTypeFlat) - ret = -1; - } - } + snprintf(kernelCachePath, sizeof(kernelCachePath), "com.apple.boot.P%s", kernelCacheFile); + ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); + if ((ret == -1) || ((flags & kFileTypeMask) != kFileTypeFlat)) { + snprintf(kernelCachePath, sizeof(kernelCachePath), "com.apple.boot.R%s", kernelCacheFile); + ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); + if ((ret == -1) || ((flags & kFileTypeMask) != kFileTypeFlat)) { + snprintf(kernelCachePath, sizeof(kernelCachePath), "com.apple.boot.S%s", kernelCacheFile); + ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); + if ((flags & kFileTypeMask) != kFileTypeFlat) + ret = -1; + } + } } // If not found, use the original kernel cache path. if (ret == -1) { - strcpy(kernelCachePath, kernelCacheFile); - ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); - if ((flags & kFileTypeMask) != kFileTypeFlat) - ret = -1; + strlcpy(kernelCachePath, kernelCacheFile, sizeof(kernelCachePath)); + ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime); + if ((flags & kFileTypeMask) != kFileTypeFlat) + ret = -1; } // Exit if kernel cache file wasn't found 
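Review bot: After the third lookup, `ret = GetFileInfo(NULL, kernelCachePath, &flags, &cachetime);` is followed by `if ((flags & kFileTypeMask) != kFileTypeFlat) ret = -1;` without first testing `ret == -1`, so `flags` is evaluated even when the call failed and may still hold the value from the previous lookup (whether `GetFileInfo` writes `flags` on failure is not visible here); the fallback block after `if (ret == -1)` has the same shape. Writing both as `if ((ret == -1) || ((flags & kFileTypeMask) != kFileTypeFlat)) ret = -1;` matches the first two checks and removes the dependence. This is carried over from the old code rather than introduced here.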
@@ -616,7 +617,8 @@ len--; val++; } - strlcpy(kernelCacheFile, val, len + 1); + /* FIXME: check len vs sizeof(kernelCacheFile) */ + strlcpy(kernelCacheFile, val, len + 1); } else { kernelCacheFile[0] = 0; // Use default kernel cache file } @@ -654,29 +656,29 @@ // bootFile must start with a / if it not start with a device name if (!bootFileWithDevice && (bootInfo->bootFile)[0] != '/') - sprintf(bootFile, "/%s", bootInfo->bootFile); // append a leading / + snprintf(bootFile, sizeof(bootFile), "/%s", bootInfo->bootFile); // append a leading / else strlcpy(bootFile, bootInfo->bootFile, sizeof(bootFile)); // Try to load kernel image from alternate locations on boot helper partitions. ret = -1; if ((gBootVolume->flags & kBVFlagBooter) && !bootFileWithDevice) { - sprintf(bootFilePath, "com.apple.boot.P%s", bootFile); + snprintf(bootFilePath, sizeof(bootFilePath), "com.apple.boot.P%s", bootFile); ret = GetFileInfo(NULL, bootFilePath, &flags, &time); if (ret == -1) { - sprintf(bootFilePath, "com.apple.boot.R%s", bootFile); + snprintf(bootFilePath, sizeof(bootFilePath), "com.apple.boot.R%s", bootFile); ret = GetFileInfo(NULL, bootFilePath, &flags, &time); if (ret == -1) { - sprintf(bootFilePath, "com.apple.boot.S%s", bootFile); + snprintf(bootFilePath, sizeof(bootFilePath), "com.apple.boot.S%s", bootFile); ret = GetFileInfo(NULL, bootFilePath, &flags, &time); } } } if (ret == -1) { // No alternate location found, using the original kernel image path. - strlcpy(bootFilePath, bootFile,sizeof(bootFilePath)); + strlcpy(bootFilePath, bootFile, sizeof(bootFilePath)); } verbose("Loading kernel %s\n", bootFilePath); 
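Review bot: `strlcpy(kernelCacheFile, val, len + 1)` passes the *source* length as the size argument, so `strlcpy` places no bound on the destination; `val`/`len` come from the boot arguments, and `kernelCacheFile` is a fixed array if it is the same object `sizeof(kernelCacheFile)` is applied to at @@ -247, so an over-long option overflows it. The new FIXME records this; the fix is to clamp before the call, `size_t n = len + 1; if (n > sizeof(kernelCacheFile)) n = sizeof(kernelCacheFile); strlcpy(kernelCacheFile, val, n);`, keeping `len + 1` as the cut-off so a value that is not NUL-terminated at `len` is still handled. The enclosing function starts before the hunk.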
@@ -754,7 +756,7 @@ static void getOSVersion() { - strlcpy(gMacOSVersion, gBootVolume->OSVersion, sizeof(gMacOSVersion)); + strncpy(gMacOSVersion, gBootVolume->OSVersion, sizeof(gMacOSVersion)); } #define BASE 65521L /* largest prime smaller than 65536 */ Index: trunk/i386/boot2/modules.c =================================================================== --- trunk/i386/boot2/modules.c (revision 2317) +++ trunk/i386/boot2/modules.c (revision 2318) @@ -105,14 +105,14 @@ long flags; long time; struct dirstuff* moduleDir = opendir("/Extra/modules/"); - while(readdir(moduleDir, (const char**)&name, &flags, &time) >= 0) + while (readdir(moduleDir, (const char**)&name, &flags, &time) >= 0) { - if(strcmp(&name[strlen(name) - sizeof("dylib")], ".dylib") == 0) + if (strcmp(&name[strlen(name) - sizeof("dylib")], ".dylib") == 0) { char* tmp = malloc(strlen(name) + 1); strcpy(tmp, name); - if(!load_module(tmp)) + if (!load_module(tmp)) { // failed to load // free(tmp); @@ -122,8 +122,8 @@ { DBG("Ignoring %s\n", name); } - } + closedir(moduleDir); } @@ -143,7 +143,7 @@ return 1; } - sprintf(modString, MODULE_PATH "%s", module); + snprintf(modString, sizeof(modString), MODULE_PATH "%s", module); fh = open(modString, 0); if(fh < 0) { 
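Review bot: Replacing `strlcpy` with `strncpy` in `getOSVersion` is a regression: `strncpy` leaves `gMacOSVersion` unterminated when `gBootVolume->OSVersion` fills `sizeof(gMacOSVersion)`, and the buffer is later read as a C string (`gMacOSVersion[3] == '9'` in drivers.c @@ -244 and the `checkOSVersion` calls in this file). If the intent is to zero-fill the tail, keep `strncpy` but add `gMacOSVersion[sizeof(gMacOSVersion) - 1] = '\0';`; otherwise restore the `strlcpy` line.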
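Review bot: The added `closedir(moduleDir)` runs even when `opendir("/Extra/modules/")` returned NULL, which the `readdir` loop at @@ -105 never checks either; unless this tree's `readdir`/`closedir` accept NULL, wrap both in `if (moduleDir)`. As rendered here the hunk also replaces a `}` line with the `closedir` call, which only balances if the removed brace was a redundant one — the collapsed listing cannot show the brace structure, so it is worth a second look. On the context lines, `strcmp(&name[strlen(name) - sizeof("dylib")], ".dylib")` computes a negative index for names shorter than six characters, and `malloc(strlen(name) + 1)` is used unchecked; both predate the commit.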
@@ -982,19 +982,17 @@ */ int replace_function(const char* symbol, void* newAddress) { - UInt32* jumpPointer = malloc(sizeof(UInt32*)); UInt32 addr = lookup_all_symbols(symbol); - - char* binary = (char*)addr; if(addr != 0xFFFFFFFF) { - //DBG("Replacing %s to point to 0x%x\n", symbol, newAddress); - *binary++ = 0xFF; // Jump - *binary++ = 0x25; // Long Jump - *((UInt32*)binary) = (UInt32)jumpPointer; - - *jumpPointer = (UInt32)newAddress; - return 1; + //DBG("Replacing %s to point to 0x%x\n", symbol, newAddress); + UInt32* jumpPointer = malloc(sizeof(UInt32*)); + char* binary = (char*)addr; + *binary++ = 0xFF; // Jump + *binary++ = 0x25; // Long Jump + *((UInt32*)binary) = (UInt32)jumpPointer; + *jumpPointer = (UInt32)newAddress; + return 1; } return 0; } Index: trunk/i386/boot2/gui.c =================================================================== --- trunk/i386/boot2/gui.c (revision 2317) +++ trunk/i386/boot2/gui.c (revision 2318) @@ -1811,6 +1811,7 @@ currentline = lines - visiblelines; } } + free(text); } void animateProgressBar() Index: trunk/i386/boot2/ramdisk.c =================================================================== --- trunk/i386/boot2/ramdisk.c (revision 2317) +++ trunk/i386/boot2/ramdisk.c (revision 2318) @@ -29,17 +29,17 @@ &bootInfo->chameleonConfig)) { // Use user specified md0 file - sprintf(filename, "%s", override_filename); + snprintf(filename, sizeof(filename), "%s", override_filename); fh = open(filename, 0); if(fh < 0) { - sprintf(filename, "rd(0,0)/Extra/%s", override_filename); + snprintf(filename, sizeof(filename), "rd(0,0)/Extra/%s", override_filename); fh = open(filename, 0); if(fh < 0) { - sprintf(filename, "/Extra/%s", override_filename); + snprintf(filename, sizeof(filename), "/Extra/%s", override_filename); fh = open(filename, 0); } } 
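Review bot: `UInt32* jumpPointer = malloc(sizeof(UInt32*))` is dereferenced four lines later with no NULL check, so an allocation failure writes through a null pointer after the two opcode bytes have already been patched into the symbol, leaving it half-rewritten. Test it before touching `binary`, `if (!jumpPointer) return 0;`, and add a comment that the word is deliberately never freed because the patched indirect jump reads its target from it. `sizeof(UInt32*)` also sizes the allocation by a pointer where a `UInt32` is stored — identical on i386, but `sizeof(*jumpPointer)` states what is meant.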
@@ -151,7 +151,7 @@ if (error == 0) { // Save filename in gRAMDiskFile to display information. - strcpy(gRAMDiskFile, param); + strlcpy(gRAMDiskFile, param, sizeof(gRAMDiskFile)); // Set gMI as well for the multiboot ramdisk driver hook. gMI = gRAMDiskMI = malloc(sizeof(multiboot_info)); @@ -182,7 +182,7 @@ char dirSpec[128]; // Reading ramdisk configuration. - strcpy(dirSpec, RAMDISKCONFIG_FILENAME); + strlcpy(dirSpec, RAMDISKCONFIG_FILENAME, sizeof(dirSpec)); if (loadConfigFile(dirSpec, &bootInfo->ramdiskConfig) == 0) { Index: trunk/i386/boot2/options.c =================================================================== --- trunk/i386/boot2/options.c (revision 2317) +++ trunk/i386/boot2/options.c (revision 2318) 
@@ -641,24 +641,28 @@
 char *getMemoryInfoString()
 {
- int i;
- MemoryRange *mp = bootInfo->memoryMap;
- char *buff = malloc(sizeof(char)*1024);
- if(!buff) return 0;
+ int i, bufflen;
+ MemoryRange *mp = bootInfo->memoryMap;
+ char *buff = malloc(sizeof(char)*1024);
+ if (!buff)
+ return 0;
- char info[] = "BIOS reported memory ranges:\n";
- sprintf(buff, "%s", info);
- for (i=0; imemoryMapCount; i++) {
- sprintf( buff+strlen(buff), "Base 0x%08x%08x, ",
- (unsigned long)(mp->base >> 32),
- (unsigned long)(mp->base));
- sprintf( buff+strlen(buff), "length 0x%08x%08x, type %d\n",
- (unsigned long)(mp->length >> 32),
- (unsigned long)(mp->length),
- mp->type);
- mp++;
- }
- return buff;
+ static const char info[] = "BIOS reported memory ranges:\n";
+ bufflen = sprintf(buff, "%s", info);
+
+ for (i = 0;
+ (i < bootInfo->memoryMapCount) && (bufflen < 1024); /* prevent buffer overflow */
+ i++) {
+ bufflen += snprintf(buff+bufflen, 1024-bufflen, "Base 0x%08x%08x, ",
+ (unsigned long)(mp->base >> 32),
+ (unsigned long)(mp->base));
+ bufflen += snprintf(buff+bufflen, 1024-bufflen, "length 0x%08x%08x, type %d\n",
+ (unsigned long)(mp->length >> 32),
+ (unsigned long)(mp->length),
+ mp->type);
+ mp++;
+ }
+ return buff;
 }
 //==========================================================================
Index: trunk/i386/config/symbol.c
===================================================================
--- trunk/i386/config/symbol.c (revision 2317)
+++ trunk/i386/config/symbol.c (revision 2318)
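Review bot: The `bufflen < 1024` guard in the new loop is sound only because the libsa `snprintf` introduced in this same commit returns the bytes it actually stored; a conforming `snprintf` returns the length the output would have had, so after one truncated call `bufflen` can exceed 1024 and the next call's `1024-bufflen` is negative, which converts to a huge `size_t` and lets the write run past `buff`. The guard is also evaluated only between iterations, so even with the current return convention the second `snprintf` of an iteration is never checked against the space the first one consumed. Checking each return value against the remaining space and stopping on truncation makes the function safe under either convention; the literal 1024 repeated four times would also read better as one named constant shared with the `malloc`.
```c
	int i, bufflen, written;
	/* … unchanged: mp, buff allocation and NULL check … */
	static const char info[] = "BIOS reported memory ranges:\n";
	bufflen = sprintf(buff, "%s", info);

	for (i = 0; i < bootInfo->memoryMapCount; i++) {
		written = snprintf(buff+bufflen, 1024-bufflen, "Base 0x%08x%08x, ",
				   (unsigned long)(mp->base >> 32),
				   (unsigned long)(mp->base));
		if (written < 0 || written >= 1024-bufflen)
			break;	/* truncated: stop rather than write past buff */
		bufflen += written;
		written = snprintf(buff+bufflen, 1024-bufflen, "length 0x%08x%08x, type %d\n",
				   (unsigned long)(mp->length >> 32),
				   (unsigned long)(mp->length),
				   mp->type);
		if (written < 0 || written >= 1024-bufflen)
			break;
		bufflen += written;
		mp++;
	}
	return buff;
```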
@@ -881,8 +881,13 @@
 newlen = strlen(res) + strlen(symval) + strlen(src) + 1;
 if (newlen > reslen) {
- reslen = newlen;
- res = realloc(res, reslen);
+ char* newres = NULL;
+ if (!(newres = realloc(res, newlen))) {
+ /* TODO: handle error gracefully - for now, punt */
+ break;
+ }
+ res = newres;
+ reslen = newlen;
 }
 strcat(res, symval);
Index: trunk/i386/config/lex.zconf.c
===================================================================
--- trunk/i386/config/lex.zconf.c (revision 2317)
+++ trunk/i386/config/lex.zconf.c (revision 2318)
@@ -822,11 +822,15 @@
 {
 int new_size = text_size + size + 1;
 if (new_size > text_asize) {
- new_size += START_STRSIZE - 1;
- new_size &= -START_STRSIZE;
- text = realloc(text, new_size);
- text_asize = new_size;
+ char* new_text = NULL;
+ new_size += START_STRSIZE - 1;
+ new_size &= -START_STRSIZE;
+ if (!(new_text = realloc(text, new_size))) {
+ return;
 }
+ text = new_text;
+ text_asize = new_size;
+ }
 memcpy(text + text_size, str, size);
 text_size += size;
 text[text_size] = 0;
Index: trunk/i386/config/confdata.c
===================================================================
--- trunk/i386/config/confdata.c (revision 2317)
+++ trunk/i386/config/confdata.c (revision 2318)
@@ -810,7 +810,7 @@
 }
 out_inc = fopen(".tmpconfig.inc", "w");
- if (!out_h) {
+ if (!out_inc) {
 fclose(out);
 fclose(out_h);
 return 1;
@@ -902,6 +902,7 @@
 }
 fclose(out);
 fclose(out_h);
+ fclose(out_inc);
 name = getenv("CCONFIG_AUTOHEADER");
 if (!name) name = "autoconf.h";
Index: trunk/i386/modules/Keylayout/layouts/cham-mklayout.c
===================================================================
--- trunk/i386/modules/Keylayout/layouts/cham-mklayout.c (revision 2317)
+++ trunk/i386/modules/Keylayout/layouts/cham-mklayout.c (revision 2318)
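Review bot: The `break` on realloc failure in symbol.c leaves `res` holding a partially expanded value that the caller receives as if expansion had completed, and the lex.zconf.c hunk does the same with `return;`, dropping the bytes being appended while the lexer carries on with a truncated token. Both correctly keep the old buffer alive, so the previous leak-on-failure is gone, but the truncation is invisible to whoever consumes the result. Reporting it, e.g. `fprintf(stderr, "out of memory while expanding symbol\n");` before the `break` and a matching line before the `return`, at least makes a bad config explainable. The enclosing functions begin and end outside both hunks.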
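Review bot: The added `fclose(out_inc)` in the second confdata.c hunk discards the return value of closing a write stream, as do the two `fclose` calls beside it, so a failed flush of `.tmpconfig.inc` goes unnoticed and a short file is consumed downstream as if complete. Checking it in the style of the first hunk's fopen failure path, `if (fclose(out_inc)) return 1;`, closes that gap for the new line. The enclosing function continues outside the hunk.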
@@ -363,8 +363,11 @@
 }
 struct keyboard_layout* new_layout = create_keylayout(in);
- if (new_layout)
+ if (new_layout) {
 write_layout(new_layout, out);
+ free(new_layout);
+ new_layout = NULL;
+ }
 fclose(out);
 fclose(in);
Index: trunk/i386/libsa/libsa.h
===================================================================
--- trunk/i386/libsa/libsa.h (revision 2317)
+++ trunk/i386/libsa/libsa.h (revision 2318)
@@ -136,6 +136,7 @@
 * printf.c
 */
 extern int sprintf(char *s, const char * format, ...);
+extern int snprintf(char *s, size_t size, const char * format, ...);
 extern int slvprintf(char * buffer, int len, const char * fmt, va_list arg);
 /*
Index: trunk/i386/libsa/printf.c
===================================================================
--- trunk/i386/libsa/printf.c (revision 2317)
+++ trunk/i386/libsa/printf.c (revision 2318)
@@ -63,6 +63,21 @@
 }
 /*VARARGS1*/
+int snprintf(char * str, size_t size, const char * fmt, ...)
+{
+ va_list ap;
+ struct putc_info pi;
+
+ va_start(ap, fmt);
+ pi.str = str;
+ pi.last_str = str + size - 1;
+ prf(fmt, ap, sputc, &pi);
+ *pi.str = '\0';
+ va_end(ap);
+ return (pi.str - str);
+}
+
+/*VARARGS1*/
 int slvprintf(char * str, int len, const char * fmt, va_list ap)
 {
 struct putc_info pi;
Index: trunk/i386/libsa/string.c
===================================================================
--- trunk/i386/libsa/string.c (revision 2317)
+++ trunk/i386/libsa/string.c (revision 2318)
@@ -161,7 +161,10 @@
 {
 register char *ret = s1;
 while (n && (*s1++ = *s2++))
- n--;
+ --n;
+ /* while (n--) *s1++ = '\0'; */
+ if (n > 0)
+ bzero(s1, n);
 return ret;
 }
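Review bot: The new `snprintf` in printf.c computes `pi.last_str = str + size - 1` and then stores `*pi.str = '\0'` unconditionally, so a call with `size == 0` forms a pointer before the buffer and writes one byte into a destination that has no room; callers that derive the size from remaining-space arithmetic, as the options.c hunk does with `1024-bufflen`, can reach exactly that value. It also returns `pi.str - str`, the count actually stored, instead of the C99 would-be length, so the common `ret >= size` truncation check never fires (presumably `sputc` stops at `last_str`, which the hunk does not show). Add `if (size == 0) return 0;` before `va_start`, and record the non-conforming return in the libsa.h prototype's comment, e.g. `/* returns bytes stored, not the would-be length; output is silently truncated */`.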
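Review bot: The new padding `bzero(s1, n)` in string.c's strncpy writes one byte past the end of the destination whenever the source is shorter than `n`: the iteration that copies the terminating NUL leaves the loop without executing `--n`, so `n` still counts that slot while `s1` has already advanced past it, and `bzero` then zeroes `n` bytes starting one position after the NUL — for `strncpy(dst, "a", 3)` that is `dst[2]` and `dst[3]`. The commented-out `while (n--) *s1++ = '\0';` carries the same off-by-one. Pad `n - 1` bytes instead, `if (n > 0) bzero(s1, n - 1);`; when the loop stops because `n` reached zero nothing is padded, which is correct.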