lingrid(), avoid buffer overflow

Bug ID: `Buffer overflow detected - ID: 3510521' reported by Zsolt Makaró The variable `mag3' sometimes seems to take unexpected values (for example log10 can be -Inf, which will be casted to 0x80000000) and seems then to have overflown a buffer buf[LABEL_CHARS]
14 years ago · e91e3c4ec7
1 changed files with 9 additions and 7 deletions
--- a/src/frontend/plotting/grid.c
+++ b/src/frontend/plotting/grid.c
@ -331,8 +331,6 @@ lingrid(GRAPH *graph, double lo, double hi, double delta, int type, Axis axis)

        tenpowmag = pow(10.0, (double) mag3);

-	*buf = 0;
-
 	i = (mag3 + 18) / 3;

 	if (i < 0)
@ -349,24 +347,28 @@ lingrid(GRAPH *graph, double lo, double hi, double delta, int type, Axis axis)
 	else if (j == 2)
 		(void) sprintf(buf, "x100 ");
 	else if (j)
-		(void) sprintf(buf, "x10^%d ", j);
+		(void) snprintf(buf, sizeof(buf) - 1, "x10^%d ", j);
+	else
+		buf[0] = '\0';

 	if (scaleletters[i]) {
 		for (p = buf; *p; p++)
 			;
 		*p++ = scaleletters[i];
-		*p++ = 0;
+		*p++ = '\0';
 	}

    } else if (mag > 1) {
        tenpowmag = pow(10.0, (double) mag);
-	(void) sprintf(buf, "x10^%d ", mag);
+	(void) snprintf(buf, sizeof(buf), "x10^%d ", mag);
+    } else {
+	buf[0] = '\0';
    }

    if ((s = ft_typabbrev(type)) != NULL) {
-	(void) strcat(buf, s);
+	(void) strncat(buf, s, sizeof(buf) - 1);
    } else {
-	(void) strcat(buf, "Units");
+	(void) strncat(buf, "Units", sizeof(buf) - 1);
    }

    if (delta == 0.0) {