From d3b4170fbf41c681a5fc41e25af8c07a82a100a9 Mon Sep 17 00:00:00 2001
From: Bradley Bell <btb@icculus.org>
Date: Fri, 16 Jul 2021 14:12:06 -0700
Subject: [PATCH] limit size of formatted strings

---
 arch/linux/ipx_mcast4.c |  2 +-
 arch/sdl/joy.c          | 12 ++++++------
 main/bmread.c           |  4 ++--
 main/credits.c          |  2 +-
 main/editor/medrobot.c  |  8 ++++----
 main/escort.c           |  4 ++--
 main/gamecntl.c         |  2 +-
 main/gamerend.c         |  2 +-
 main/gamesave.c         |  2 +-
 main/gauges.c           |  4 ++--
 main/multi.c            |  2 +-
 main/network.c          |  6 +++---
 main/newdemo.c          |  2 +-
 main/piggy.c            |  8 ++++----
 ui/menubar.c            |  2 +-
 15 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arch/linux/ipx_mcast4.c b/arch/linux/ipx_mcast4.c
index 49242c64..0eef49f5 100644
--- a/arch/linux/ipx_mcast4.c
+++ b/arch/linux/ipx_mcast4.c
@@ -279,7 +279,7 @@ static void ipx_mcast4_InitNetgameAuxData(ipx_socket_t *sk, u_char buf[NETGAME_A
 
 	// Generate a random session
 //	game_addr = inet_makeaddr(239*256 + 255, d_rand() % 0xFFFF);
-	sprintf(addr, "%i.%i.%i.%i", 239, 255, d_rand() % 0xFF, d_rand() % 0xFF);
+	snprintf(addr, sizeof(addr)-1, "%i.%i.%i.%i", 239, 255, d_rand() % 0xFF, d_rand() % 0xFF);
 	game_addr.s_addr = inet_addr(addr);
 	memcpy(buf + 1, &game_addr, sizeof(game_addr));
 
diff --git a/arch/sdl/joy.c b/arch/sdl/joy.c
index 244fec81..b4ccdc37 100644
--- a/arch/sdl/joy.c
+++ b/arch/sdl/joy.c
@@ -192,13 +192,13 @@ int joy_init()
 
 			for (j=0; j < SDL_Joysticks[num_joysticks].n_axes; j++)
 			{
-				sprintf(temp, "J%d A%d", i + 1, j + 1);
+				snprintf(temp, sizeof(temp)-1, "J%d A%d", i + 1, j + 1);
 				joyaxis_text[Joystick.n_axes] = d_strdup(temp);
 				SDL_Joysticks[num_joysticks].axis_map[j] = Joystick.n_axes++;
 			}
 			for (j=0; j < SDL_Joysticks[num_joysticks].n_buttons; j++)
 			{
-				sprintf(temp, "J%dB%d", i + 1, j + 1);
+				snprintf(temp, sizeof(temp)-1, "J%dB%d", i + 1, j + 1);
 				key_text[KEY_JB1 + Joystick.n_buttons] = d_strdup(temp);
 				SDL_Joysticks[num_joysticks].button_map[j] = Joystick.n_buttons++;
 			}
@@ -207,19 +207,19 @@ int joy_init()
 				SDL_Joysticks[num_joysticks].hat_map[j] = Joystick.n_buttons;
 				//a hat counts as four buttons
 
-				sprintf(temp, "J%dH%dUP", i + 1, j + 1);
+				snprintf(temp, sizeof(temp)-1, "J%dH%dUP", i + 1, j + 1);
 				key_text[KEY_JB1 + Joystick.n_buttons] = d_strdup(temp);
 				Joystick.n_buttons++;
 
-				sprintf(temp, "J%dH%dRIGHT", i + 1, j + 1);
+				snprintf(temp, sizeof(temp)-1, "J%dH%dRIGHT", i + 1, j + 1);
 				key_text[KEY_JB1 + Joystick.n_buttons] = d_strdup(temp);
 				Joystick.n_buttons++;
 
-				sprintf(temp, "J%dH%dDOWN", i + 1, j + 1);
+				snprintf(temp, sizeof(temp)-1, "J%dH%dDOWN", i + 1, j + 1);
 				key_text[KEY_JB1 + Joystick.n_buttons] = d_strdup(temp);
 				Joystick.n_buttons++;
 
-				sprintf(temp, "J%dH%dLEFT", i + 1, j + 1);
+				snprintf(temp, sizeof(temp)-1, "J%dH%dLEFT", i + 1, j + 1);
 				key_text[KEY_JB1 + Joystick.n_buttons] = d_strdup(temp);
 				Joystick.n_buttons++;
 			}
diff --git a/main/bmread.c b/main/bmread.c
index 2ae61b1c..fafb31c1 100644
--- a/main/bmread.c
+++ b/main/bmread.c
@@ -234,7 +234,7 @@ void ab_load( char * filename, bitmap_index bmp[], int *nframes )
 	_splitpath( filename, NULL, NULL, fname, NULL );
 	
 	for (i=0; i<MAX_BITMAPS_PER_BRUSH; i++ )	{
-		sprintf( tempname, "%s#%d", fname, i );
+		sprintf( tempname, "%.8s#%d", fname, i );
 		bi = piggy_find_bitmap( tempname );
 		if ( !bi.index )	
 			break;
@@ -259,7 +259,7 @@ void ab_load( char * filename, bitmap_index bmp[], int *nframes )
 
 	for (i=0;i< *nframes; i++)	{
 		bitmap_index new_bmp;
-		sprintf( tempname, "%s#%d", fname, i );
+		sprintf( tempname, "%.8s#%d", fname, i );
 		if ( iff_has_transparency )
 			gr_remap_bitmap_good( bm[i], newpal, iff_transparent_color, SuperX );
 		else
diff --git a/main/credits.c b/main/credits.c
index 49b519f7..51015140 100644
--- a/main/credits.c
+++ b/main/credits.c
@@ -145,7 +145,7 @@ void credits_show(char *credits_filename)
 
 		tempp = strchr(filename, '.');
 		*tempp = '\0';
-		sprintf(nfile, "%s.txb", filename);
+		sprintf(nfile, "%.27s.txb", filename);
 		file = cfopen(nfile, "rb");
 		if (file == NULL)
 			Error("Missing CREDITS.TEX and CREDITS.TXB file\n");
diff --git a/main/editor/medrobot.c b/main/editor/medrobot.c
index 63443c37..cd321022 100644
--- a/main/editor/medrobot.c
+++ b/main/editor/medrobot.c
@@ -645,18 +645,18 @@ void do_robot_window()
 		switch (Cur_goody_type) {
 			case OBJ_ROBOT:
 				strcpy(type_text, "Robot  ");
-				strncpy(id_text, Robot_names[Cur_goody_id], strlen(Robot_names[Cur_goody_id]));
+				strncpy(id_text, Robot_names[Cur_goody_id], sizeof(id_text)-1);
 				break;
 			case OBJ_POWERUP:
 				strcpy(type_text, "Powerup");
-				strncpy(id_text, Powerup_names[Cur_goody_id], strlen(Powerup_names[Cur_goody_id]));
+				strncpy(id_text, Powerup_names[Cur_goody_id], sizeof(id_text)-1);
 				break;
 			default:
 				editor_status("Illegal contained object type (%i), changing to powerup.", Cur_goody_type);
 				Cur_goody_type = OBJ_POWERUP;
 				Cur_goody_id = 0;
 				strcpy(type_text, "Powerup");
-				strncpy(id_text, Powerup_names[Cur_goody_id], strlen(Powerup_names[Cur_goody_id]));
+				strncpy(id_text, Powerup_names[Cur_goody_id], sizeof(id_text)-1);
 				break;
 		}
 
@@ -673,7 +673,7 @@ void do_robot_window()
 				id_text[i] = ' ';
 			id_text[i] = 0;
 
-			strncpy(id_text, Robot_names[id], strlen(Robot_names[id]));
+			strncpy(id_text, Robot_names[id], sizeof(id_text)-1);
 
 			ui_wprintf_at( MainWindow, 12,  6, "Robot: %3d ", Cur_object_index );
 			ui_wprintf_at( MainWindow, 12, 22, "   Id: %3d", id);
diff --git a/main/escort.c b/main/escort.c
index d97cd5f0..9f9add94 100644
--- a/main/escort.c
+++ b/main/escort.c
@@ -1820,7 +1820,7 @@ void do_escort_menu(void)
 		sprintf(tstr, "Enable");
 
 	sprintf(msg,	"Select Guide-Bot Command:\n\n"
-						"0.  Next Goal: %s" CC_LSPACING_S "3\n"
+						"0.  Next Goal: %.26s" CC_LSPACING_S "3\n"
 						"\x84.  Find Energy Powerup" CC_LSPACING_S "3\n"
 						"2.  Find Energy Center" CC_LSPACING_S "3\n"
 						"3.  Find Shield Powerup" CC_LSPACING_S "3\n"
@@ -1830,7 +1830,7 @@ void do_escort_menu(void)
 						"7.  Stay Away From Me" CC_LSPACING_S "3\n"
 						"8.  Find My Powerups" CC_LSPACING_S "3\n"
 						"9.  Find the exit\n\n"
-						"T.  %s Messages\n"
+						"T.  %.8s Messages\n"
 						// -- "9.	Find the exit" CC_LSPACING_S "3\n"
 				, goal_str, tstr);
 
diff --git a/main/gamecntl.c b/main/gamecntl.c
index 0ad2c8de..aca63061 100644
--- a/main/gamecntl.c
+++ b/main/gamecntl.c
@@ -355,7 +355,7 @@ void format_time(char *str, int secs_int)
 	s = secs_int%3600;
 	m = s / 60;
 	s = s % 60;
-	sprintf(str, "%1d:%02d:%02d", h, m, s );
+	snprintf(str, 8, "%1d:%02d:%02d", h, m, s );
 }
 
 extern int Redbook_playing;
diff --git a/main/gamerend.c b/main/gamerend.c
index 6f399777..8d7d675b 100644
--- a/main/gamerend.c
+++ b/main/gamerend.c
@@ -964,7 +964,7 @@ void show_extra_views()
 					cvar_setint(&Cockpit_3d_view[w], CV_NONE);
 					break;
 				}
-				sprintf(label, "Marker %d", Marker_viewer_num[w] + 1);
+				snprintf(label, sizeof(label)-1, "Marker %d", Marker_viewer_num[w] + 1);
 				do_cockpit_window_view(w, &Objects[MarkerObject[Marker_viewer_num[w]]], 0, WBU_MARKER, label);
 				break;
 			}
diff --git a/main/gamesave.c b/main/gamesave.c
index b037d226..33b95881 100644
--- a/main/gamesave.c
+++ b/main/gamesave.c
@@ -1639,7 +1639,7 @@ int save_level_sub(char * filename, int compiled_version)
 		_splitpath( temp_filename, NULL, NULL, fname, NULL );
 
 		sprintf( ErrorMessage, \
-			"ERROR: Cannot write to '%s'.\nYou probably need to check out a locked\nversion of the file. You should save\nthis under a different filename, and then\ncheck out a locked copy by typing\n\'co -l %s.lvl'\nat the DOS prompt.\n" 
+			"ERROR: Cannot write to '%.19s'.\nYou probably need to check out a locked\nversion of the file. You should save\nthis under a different filename, and then\ncheck out a locked copy by typing\n\'co -l %.19s.lvl'\nat the DOS prompt.\n" 
 			, temp_filename, fname );
 		stop_time();
 		gr_palette_load(gr_palette);
diff --git a/main/gauges.c b/main/gauges.c
index 4989fc71..1c7177b3 100644
--- a/main/gauges.c
+++ b/main/gauges.c
@@ -1305,7 +1305,7 @@ void show_bomb_count(int x,int y,int bg_color,int always_show)
 	else
 		gr_set_fontcolor(bg_color,bg_color);	//erase by drawing in background color
 
-	sprintf(txt,"B:%02d",count);
+	snprintf(txt, sizeof(txt)-1, "B:%02d", count);
 
 	while ((t=strchr(txt,'1')) != NULL)
 		*t = '\x84';	//convert to wide '1'
@@ -2784,7 +2784,7 @@ void show_HUD_names()
 			
 						color_num = (Game_mode & GM_TEAM)?get_team(p):p;
 
-						sprintf(s, "%s", Players[p].callsign);
+						sprintf(s, "%.7s", Players[p].callsign);
 						gr_get_string_size(s, &w, &h, &aw);
 						gr_set_fontcolor(gr_getcolor(player_rgb[color_num].r,player_rgb[color_num].g,player_rgb[color_num].b),-1 );
 						x1 = f2i(x)-w/2;
diff --git a/main/multi.c b/main/multi.c
index 0367c49d..79d60fb5 100644
--- a/main/multi.c
+++ b/main/multi.c
@@ -1265,7 +1265,7 @@ void multi_send_message_end()
 							multi_reset_object_texture (&Objects[Players[t].objnum]);
 
 					network_send_netgame_update ();
-					sprintf (Network_message,"%s has changed teams!",Players[i].callsign);
+					sprintf(Network_message, "%.7s has changed teams!", Players[i].callsign);
 					if (i==Player_num)
 					{
 						HUD_init_message ("You have changed teams!");
diff --git a/main/network.c b/main/network.c
index 97f9741c..c2d3f9d9 100644
--- a/main/network.c
+++ b/main/network.c
@@ -3904,9 +3904,9 @@ void network_join_poll( int nitems, newmenu_item * menus, int * key, int citem )
 		nplayers=Active_games[i].numconnected;
 
 		if (Active_games[i].levelnum < 0)
-			sprintf(levelname, "S%d", -Active_games[i].levelnum);
+			snprintf(levelname, sizeof(levelname)-1, "S%d", -Active_games[i].levelnum);
 		else
-			sprintf(levelname, "%d", Active_games[i].levelnum);
+			snprintf(levelname, sizeof(levelname)-1, "%d", Active_games[i].levelnum);
 
 		if (game_status == NETSTAT_STARTING)
 		{
@@ -5654,7 +5654,7 @@ void network_more_game_options ()
   newmenu_item m[21];
 
   sprintf (socket_string,"%d",Network_socket);
-  sprintf (packstring,"%d",Netgame.PacketsPerSec);
+  snprintf(packstring, sizeof(packstring)-1, "%d", Netgame.PacketsPerSec);
 
   opt_difficulty = opt;
   m[opt].type = NM_TYPE_SLIDER; m[opt].value=netgame_difficulty; m[opt].text=TXT_DIFFICULTY; m[opt].min_value=0; m[opt].max_value=(NDL-1); opt++;
diff --git a/main/newdemo.c b/main/newdemo.c
index 77e4ee34..5c977c3f 100644
--- a/main/newdemo.c
+++ b/main/newdemo.c
@@ -3088,7 +3088,7 @@ void newdemo_stop_recording()
 		num = atoi(&(filename[i]));
 		num++;
 		filename[i] = '\0';
-		sprintf (newfile, "%s%d", filename, num);
+		snprintf(newfile, sizeof(newfile)-1, "%.13s%d", filename, num);
 		strncpy(filename, newfile, 8);
 		filename[8] = '\0';
 	}
diff --git a/main/piggy.c b/main/piggy.c
index 03ba1fb0..c1681db4 100644
--- a/main/piggy.c
+++ b/main/piggy.c
@@ -430,7 +430,7 @@ void piggy_init_pigfile(char *filename)
 		memcpy( temp_name_read, bmh.name, 8 );
 		temp_name_read[8] = 0;
 		if ( bmh.dflags & DBM_FLAG_ABM )        
-			sprintf( temp_name, "%s#%d", temp_name_read, bmh.dflags & DBM_NUM_FRAMES );
+			sprintf( temp_name, "%.8s#%d", temp_name_read, bmh.dflags & DBM_NUM_FRAMES );
 		else
 			strcpy( temp_name, temp_name_read );
 		width = bmh.width + ((short) (bmh.wh_extra & 0x0f) << 8);
@@ -558,7 +558,7 @@ void piggy_new_pigfile(char *pigname)
 			temp_name_read[8] = 0;
 	
 			if ( bmh.dflags & DBM_FLAG_ABM )        
-				sprintf( temp_name, "%s#%d", temp_name_read, bmh.dflags & DBM_NUM_FRAMES );
+				sprintf( temp_name, "%.8s#%d", temp_name_read, bmh.dflags & DBM_NUM_FRAMES );
 			else
 				strcpy( temp_name, temp_name_read );
 	
@@ -612,7 +612,7 @@ void piggy_new_pigfile(char *pigname)
 				strcpy(basename,AllBitmaps[i].name);
 				basename[p-AllBitmaps[i].name] = 0;  //cut off "#nn" part
 				
-				sprintf( abmname, "%s.abm", basename );
+				sprintf( abmname, "%.8s.abm", basename );
 
 				iff_error = iff_read_animbrush(abmname,bm,MAX_BITMAPS_PER_BRUSH,&nframes,newpal);
 
@@ -672,7 +672,7 @@ void piggy_new_pigfile(char *pigname)
 
 				MALLOC( new, grs_bitmap, 1 );
 
-				sprintf( bbmname, "%s.bbm", AllBitmaps[i].name );
+				sprintf( bbmname, "%.8s.bbm", AllBitmaps[i].name );
 				iff_error = iff_read_bitmap(bbmname,new,BM_LINEAR,newpal);
 
 				new->bm_handle=0;
diff --git a/ui/menubar.c b/ui/menubar.c
index fba3cc7f..ea67ecc4 100644
--- a/ui/menubar.c
+++ b/ui/menubar.c
@@ -693,7 +693,7 @@ void menubar_init( char * file )
 
 		if (buf1[0] != '-' )
 		{
-			sprintf( buf2, " %s ", buf1 );
+			sprintf( buf2, " %.197s ", buf1 );
 			Menu[menu].Item[item].Text = d_strdup(buf2);
 		} else 
 			Menu[menu].Item[item].Text = d_strdup(buf1);
-- 
2.39.2