replaced sprintf() with snprintf() to prevent possible buffer overflow
* DOCBparser.c HTMLparser.c debugXML.c encoding.c
nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c
xmllint.c xpath.c: replaced sprintf() with snprintf()
to prevent possible buffer overflow (the bug was pointed
out by Anju Premachandran)
diff --git a/xpath.c b/xpath.c
index f4f79b3..8ad2f10 100644
--- a/xpath.c
+++ b/xpath.c
@@ -1135,18 +1135,18 @@
switch (xmlXPathIsInf(number)) {
case 1:
if (buffersize > (int)sizeof("Infinity"))
- sprintf(buffer, "Infinity");
+ snprintf(buffer, buffersize, "Infinity");
break;
case -1:
if (buffersize > (int)sizeof("-Infinity"))
- sprintf(buffer, "-Infinity");
+ snprintf(buffer, buffersize, "-Infinity");
break;
default:
if (xmlXPathIsNaN(number)) {
if (buffersize > (int)sizeof("NaN"))
- sprintf(buffer, "NaN");
+ snprintf(buffer, buffersize, "NaN");
} else if (number == 0 && xmlXPathGetSign(number) != 0) {
- sprintf(buffer, "0");
+ snprintf(buffer, buffersize, "0");
} else if (number == ((int) number)) {
char work[30];
char *ptr, *cur;