Thou shalt not use g_sprintf() lest thou overflow a buffer. (Yes, even

if you know it's safe. Sorry.) svn path=/trunk/; revision=39242
author: Guy Harris <guy@alum.mit.edu> 2011-10-03 07:28:45 +0000
committer: Guy Harris <guy@alum.mit.edu> 2011-10-03 07:28:45 +0000
commit: 66a8e6aa5d9004e4ef87de336f311c932203433b (patch)
tree: 113639f3ca32c3e6ab4b78c079f1414566ee46cd /epan
parent: 574f05eb2c2483e4aa184f7c67efc8d776e7430f (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/epan/dissectors/packet-t30.c b/epan/dissectors/packet-t30.c
index 447adab202..6f8da98247 100644
--- a/epan/dissectors/packet-t30.c
+++ b/epan/dissectors/packet-t30.c
@@ -617,7 +617,8 @@ dissect_t30_partial_page_request(tvbuff_t *tvb, int offset, packet_info *pinfo,
 {
 	int frame_count = 0;
 	int frame;
-	gchar *buf = ep_alloc(10*1 + 90*2 + 156*3 + 256*2 + 1); /* 0..9 + 10..99 + 100..255 + 256*', ' + \0 */
+#define BUF_SIZE	(10*1 + 90*2 + 156*3 + 256*2 + 1) /* 0..9 + 10..99 + 100..255 + 256*', ' + \0 */
+	gchar *buf = ep_alloc(BUF_SIZE);
 	gchar *buf_top = buf;
 	
 	if (len != 32) {
@@ -634,7 +635,7 @@ dissect_t30_partial_page_request(tvbuff_t *tvb, int offset, packet_info *pinfo,
 		for (;bit;) {
 			if (octet & bit) {
 				++frame_count;
-				buf_top += g_sprintf(buf_top, "%u, ", frame);
+				buf_top += g_snprintf(buf_top, BUF_SIZE - (gulong)(buf_top - buf), "%u, ", frame);
 			}
 			bit >>= 1;
 			++frame;
author	Guy Harris <guy@alum.mit.edu>	2011-10-03 07:28:45 +0000
committer	Guy Harris <guy@alum.mit.edu>	2011-10-03 07:28:45 +0000
commit	66a8e6aa5d9004e4ef87de336f311c932203433b (patch)
tree	113639f3ca32c3e6ab4b78c079f1414566ee46cd /epan
parent	574f05eb2c2483e4aa184f7c67efc8d776e7430f (diff)