nerd/rufus
1
1
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00
Code Issues 1 Projects Releases Wiki Activity

[fmt] Use %s for printf-like funcs

Browse source 
Printing strings without format specifier may lead
to vulnerabilities if string is somehow malformed.
Ensure prontf-like family calls are protected. See
https://www.viva64.com/en/w/v618/print/
This commit is contained in:
Tsarevich Dmitry 2020-02-23 20:48:35 +03:00
parent ecc94d6521
commit e892c58334
No known key found for this signature in database
GPG key ID: E3C61298FF5B1274
4 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/badblocks.c
View file

@ -463,7 +463,7 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
if (max_bb && bb_count >= max_bb) { if (max_bb && bb_count >= max_bb) {
if (s_flag || v_flag) { if (s_flag || v_flag) {
uprintf(abort_msg); uprintf(abort_msg);
fprintf(log_fd, abort_msg); fprintf(log_fd, "%s", abort_msg);
fflush(log_fd); fflush(log_fd);
} }
cancel_ops = -1; cancel_ops = -1;
@ -511,7 +511,7 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
if (max_bb && bb_count >= max_bb) { if (max_bb && bb_count >= max_bb) {
if (s_flag || v_flag) { if (s_flag || v_flag) {
uprintf(abort_msg); uprintf(abort_msg);
fprintf(log_fd, abort_msg); fprintf(log_fd, "%s", abort_msg);
fflush(log_fd); fflush(log_fd);
} }
cancel_ops = -1; cancel_ops = -1;

2
src/format.c
View file

@ -1863,7 +1863,7 @@ DWORD WINAPI FormatThread(void* param)
if (report.bb_count) { if (report.bb_count) {
bb_msg = lmprintf(MSG_011, report.bb_count, report.num_read_errors, report.num_write_errors, bb_msg = lmprintf(MSG_011, report.bb_count, report.num_read_errors, report.num_write_errors,
report.num_corruption_errors); report.num_corruption_errors);
fprintf(log_fd, bb_msg); fprintf(log_fd, "%s", bb_msg);
GetLocalTime(&lt); GetLocalTime(&lt);
fprintf(log_fd, APPLICATION_NAME " bad blocks check ended on: %04d.%02d.%02d %02d:%02d:%02d", fprintf(log_fd, APPLICATION_NAME " bad blocks check ended on: %04d.%02d.%02d %02d:%02d:%02d",
lt.wYear, lt.wMonth, lt.wDay, lt.wHour, lt.wMinute, lt.wSecond); lt.wYear, lt.wMonth, lt.wDay, lt.wHour, lt.wMinute, lt.wSecond);

2
src/format_ext.c
View file

@ -177,7 +177,7 @@ const char* error_message(errcode_t error_code)
static_sprintf(error_string, "Unknown ext2fs error %ld (EXT2_ET_BASE + %ld)", error_code, error_code - EXT2_ET_BASE); static_sprintf(error_string, "Unknown ext2fs error %ld (EXT2_ET_BASE + %ld)", error_code, error_code - EXT2_ET_BASE);
} else { } else {
SetLastError((FormatStatus == 0) ? (ERROR_SEVERITY_ERROR | FAC(FACILITY_STORAGE) | (error_code & 0xFFFF)) : FormatStatus); SetLastError((FormatStatus == 0) ? (ERROR_SEVERITY_ERROR | FAC(FACILITY_STORAGE) | (error_code & 0xFFFF)) : FormatStatus);
static_sprintf(error_string, WindowsErrorString()); static_sprintf(error_string, "%s", WindowsErrorString());
} }
return error_string; return error_string;
} }

4
src/rufus.c
View file

@ -138,7 +138,7 @@ const char* flash_type[BADLOCKS_PATTERN_TYPES] = { "SLC", "MLC", "TLC" };
static void SetClusterSizeLabels(void) static void SetClusterSizeLabels(void)
{ {
unsigned int i, j, msg_id; unsigned int i, j, msg_id;
safe_sprintf(ClusterSizeLabel[0], 64, lmprintf(MSG_029)); safe_sprintf(ClusterSizeLabel[0], 64, "%s", lmprintf(MSG_029));
for (i=512, j=1, msg_id=MSG_026; j<MAX_CLUSTER_SIZES; i<<=1, j++) { for (i=512, j=1, msg_id=MSG_026; j<MAX_CLUSTER_SIZES; i<<=1, j++) {
if (i > 8192) { if (i > 8192) {
i /= 1024; i /= 1024;
@ -885,7 +885,7 @@ static BOOL PopulateProperties(void)
EnableControls(TRUE, FALSE); EnableControls(TRUE, FALSE);
// Set a proposed label according to the size (eg: "256MB", "8GB") // Set a proposed label according to the size (eg: "256MB", "8GB")
static_sprintf(SelectedDrive.proposed_label, static_sprintf(SelectedDrive.proposed_label, "%s",
SizeToHumanReadable(SelectedDrive.DiskSize, FALSE, use_fake_units)); SizeToHumanReadable(SelectedDrive.DiskSize, FALSE, use_fake_units));
// Add a tooltip (with the size of the device in parenthesis) // Add a tooltip (with the size of the device in parenthesis)