mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00

[fmt] Use %s for printf-like funcs

Printing strings without format specifier may lead
to vulnerabilities if string is somehow malformed.
Ensure printf-like family calls are protected. See
https://www.viva64.com/en/w/v618/print/
Tsarevich Dmitry 2020-02-23 20:48:35 +03:00
parent ecc94d6521
commit e892c58334
No known key found for this signature in database
GPG key ID: E3C61298FF5B1274
4 changed files with 6 additions and 6 deletions


@ -463,7 +463,7 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
if (max_bb && bb_count >= max_bb) {
if (s_flag || v_flag) {
uprintf(abort_msg);
fprintf(log_fd, abort_msg);
fprintf(log_fd, "%s", abort_msg);
fflush(log_fd);
}
cancel_ops = -1;
@ -511,7 +511,7 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
if (max_bb && bb_count >= max_bb) {
if (s_flag || v_flag) {
uprintf(abort_msg);
fprintf(log_fd, abort_msg);
fprintf(log_fd, "%s", abort_msg);
fflush(log_fd);
}
cancel_ops = -1;
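Review bot: `uprintf(abort_msg);` directly above each corrected `fprintf` still passes `abort_msg` as the format argument, in both hunks of this file (at -463 and -511), so the pattern this commit targets remains on that output path. If `uprintf` is printf-like, as its name and usage suggest, both calls should become `uprintf("%s", abort_msg);`. Declaring the wrapper with a printf format attribute (or the MSVC annotation equivalent) and building with `-Wformat-security` would let the compiler flag any remaining non-literal formats. `test_rw` starts and ends outside both hunks, so other calls in it are not visible here.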


@ -1863,7 +1863,7 @@ DWORD WINAPI FormatThread(void* param)
if (report.bb_count) {
bb_msg = lmprintf(MSG_011, report.bb_count, report.num_read_errors, report.num_write_errors,
report.num_corruption_errors);
fprintf(log_fd, bb_msg);
fprintf(log_fd, "%s", bb_msg);
GetLocalTime(&lt);
fprintf(log_fd, APPLICATION_NAME " bad blocks check ended on: %04d.%02d.%02d %02d:%02d:%02d",
lt.wYear, lt.wMonth, lt.wDay, lt.wHour, lt.wMinute, lt.wSecond);


@ -177,7 +177,7 @@ const char* error_message(errcode_t error_code)
static_sprintf(error_string, "Unknown ext2fs error %ld (EXT2_ET_BASE + %ld)", error_code, error_code - EXT2_ET_BASE);
} else {
SetLastError((FormatStatus == 0) ? (ERROR_SEVERITY_ERROR | FAC(FACILITY_STORAGE) | (error_code & 0xFFFF)) : FormatStatus);
static_sprintf(error_string, WindowsErrorString());
static_sprintf(error_string, "%s", WindowsErrorString());
}
return error_string;
}
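Review bot: The reason for the `"%s"` in `static_sprintf(error_string, "%s", WindowsErrorString());` is not recorded next to the call, so a later cleanup could fold it away again. The system message text is presumably outside the program's control and may contain `%` characters. A short comment above the line, such as `// Message text is data, not a format string: keep the "%s"`, would keep the intent visible. `error_message` begins outside the hunk.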


@ -138,7 +138,7 @@ const char* flash_type[BADLOCKS_PATTERN_TYPES] = { "SLC", "MLC", "TLC" };
static void SetClusterSizeLabels(void)
{
unsigned int i, j, msg_id;
safe_sprintf(ClusterSizeLabel[0], 64, lmprintf(MSG_029));
safe_sprintf(ClusterSizeLabel[0], 64, "%s", lmprintf(MSG_029));
for (i=512, j=1, msg_id=MSG_026; j<MAX_CLUSTER_SIZES; i<<=1, j++) {
if (i > 8192) {
i /= 1024;
@ -885,7 +885,7 @@ static BOOL PopulateProperties(void)
EnableControls(TRUE, FALSE);
// Set a proposed label according to the size (eg: "256MB", "8GB")
static_sprintf(SelectedDrive.proposed_label,
static_sprintf(SelectedDrive.proposed_label, "%s",
SizeToHumanReadable(SelectedDrive.DiskSize, FALSE, use_fake_units));
// Add a tooltip (with the size of the device in parenthesis)