changed sprintf to more secure snprintf to prevent vulnerability to buffer
authorEd Beroset <beroset@mindspring.com>
Wed, 15 Dec 2004 18:27:50 +0000 (18:27 +0000)
committerEd Beroset <beroset@mindspring.com>
Wed, 15 Dec 2004 18:27:50 +0000 (18:27 +0000)
overflow exploits.

disasm.c

index dd63568..9c5209e 100644 (file)
--- a/disasm.c
+++ b/disasm.c
@@ -484,8 +484,8 @@ static int matches (struct itemplate *t, unsigned char *data, int asize,
     return data - origdata;
 }
 
-long disasm (unsigned char *data, char *output, int segsize, long offset,
-            int autosync, unsigned long prefer)
+long disasm (unsigned char *data, char *output, int outbufsize, int segsize, 
+            long offset, int autosync, unsigned long prefer)
 {
     struct itemplate **p, **best_p;
     int length, best_length = 0;
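Review bot: The new parameter is introduced here as `outbufsize`, but every bounded call in the body below (starting with `slen += snprintf(output+slen, outbuflen-slen, "lock ");`) refers to `outbuflen`, so disasm() does not compile as committed; pick one name and use it in both places, e.g. `long disasm (unsigned char *data, char *output, int outbuflen, int segsize,`. The contract should also be stated next to the signature, e.g. `/* output must have room for outbuflen bytes, including the terminating NUL */`, since the body relies on it. The body of disasm continues outside this hunk, and any callers of disasm() elsewhere in the tree (not shown) must be updated to pass the size, otherwise they will pass segsize where the length is expected.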
@@ -583,26 +583,26 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
     slen = 0;
 
     if (lock)
-       slen += sprintf(output+slen, "lock ");
+       slen += snprintf(output+slen, outbuflen-slen, "lock ");
     for (i = 0; i < ins.nprefix; i++)
        switch (ins.prefixes[i]) {
-         case P_REP:   slen += sprintf(output+slen, "rep "); break;
-         case P_REPE:  slen += sprintf(output+slen, "repe "); break;
-         case P_REPNE: slen += sprintf(output+slen, "repne "); break;
-         case P_A16:   slen += sprintf(output+slen, "a16 "); break;
-         case P_A32:   slen += sprintf(output+slen, "a32 "); break;
-         case P_O16:   slen += sprintf(output+slen, "o16 "); break;
-         case P_O32:   slen += sprintf(output+slen, "o32 "); break;
+         case P_REP:   slen += snprintf(output+slen, outbuflen-slen, "rep "); break;
+         case P_REPE:  slen += snprintf(output+slen, outbuflen-slen, "repe "); break;
+         case P_REPNE: slen += snprintf(output+slen, outbuflen-slen, "repne "); break;
+         case P_A16:   slen += snprintf(output+slen, outbuflen-slen, "a16 "); break;
+         case P_A32:   slen += snprintf(output+slen, outbuflen-slen, "a32 "); break;
+         case P_O16:   slen += snprintf(output+slen, outbuflen-slen, "o16 "); break;
+         case P_O32:   slen += snprintf(output+slen, outbuflen-slen, "o32 "); break;
        }
 
     for (i = 0; i < elements(ico); i++)
        if ((*p)->opcode == ico[i]) {
-           slen += sprintf(output+slen, "%s%s", icn[i],
+           slen += snprintf(output+slen, outbuflen-slen, "%s%s", icn[i],
                            whichcond(ins.condition));
            break;
        }
     if (i >= elements(ico))
-       slen += sprintf(output+slen, "%s", insn_names[(*p)->opcode]);
+       slen += snprintf(output+slen, outbuflen-slen, "%s", insn_names[(*p)->opcode]);
     colon = FALSE;
     length += data - origdata;        /* fix up for prefixes */
     for (i=0; i<(*p)->operands; i++) {
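Review bot: Accumulating `slen += snprintf(output+slen, outbuflen-slen, ...)` does not keep later writes in bounds, because a C99 snprintf returns the length it would have produced, not the length written; once one call truncates, `slen` exceeds `outbuflen`, `outbuflen-slen` goes negative, and that negative int converts to a huge size_t on the next call, which is then unbounded again (on toolchains whose snprintf returns -1 on truncation, `slen` instead decreases, with the same effect). A small append helper that clamps `slen` fixes every site in one place; it needs `<stdarg.h>`, and each call in this hunk becomes e.g. `appendf(output, &slen, outbuflen, "lock ");` or `appendf(output, &slen, outbuflen, "%s%s", icn[i], whichcond(ins.condition));`. disasm's body continues outside this hunk.
```c
/* Append printf-style text at output+*slen without running past outbuflen.
 * On error or truncation *slen is pinned to the last usable index so that
 * subsequent appends stay bounded rather than passing a negative size. */
static void appendf(char *output, int *slen, int outbuflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*slen >= outbuflen - 1)
        return;                         /* nothing left but the terminator */
    va_start(ap, fmt);
    n = vsnprintf(output + *slen, outbuflen - *slen, fmt, ap);
    va_end(ap);
    if (n < 0 || n >= outbuflen - *slen)
        *slen = outbuflen - 1;          /* truncated: do not overshoot */
    else
        *slen += n;
}
/* … unchanged: prefix/opcode emission, now via appendf() … */
```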
@@ -633,14 +633,14 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
            ins.oprs[i].basereg = whichreg ((*p)->opd[i],
                                            ins.oprs[i].basereg);
            if ( (*p)->opd[i] & TO )
-               slen += sprintf(output+slen, "to ");
-           slen += sprintf(output+slen, "%s",
+               slen += snprintf(output+slen, outbuflen-slen, "to ");
+           slen += snprintf(output+slen, outbuflen-slen, "%s",
                            reg_names[ins.oprs[i].basereg-EXPR_REG_START]);
        } else if (!(UNITY & ~(*p)->opd[i])) {
            output[slen++] = '1';
        } else if ( (*p)->opd[i] & IMMEDIATE ) {
            if ( (*p)->opd[i] & BITS8 ) {
-               slen += sprintf(output+slen, "byte ");
+               slen += snprintf(output+slen, outbuflen-slen, "byte ");
                if (ins.oprs[i].segment & SEG_SIGNED) {
                    if (ins.oprs[i].offset < 0) {
                        ins.oprs[i].offset *= -1;
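Review bot: The raw write `output[slen++] = '1';` in the UNITY branch is not covered by the new length argument, so it can still run past the end of `output` even though the surrounding snprintf calls are bounded; it needs the same guard, e.g. `if (slen < outbuflen - 1) output[slen++] = '1';`. The same applies to every other `output[slen++] = ...` in disasm(), since each one trusts a `slen` that snprintf may already have pushed beyond the buffer on truncation. The enclosing operand loop starts and ends outside this hunk.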
@@ -649,17 +649,17 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
                        output[slen++] = '+';
                }
            } else if ( (*p)->opd[i] & BITS16 ) {
-               slen += sprintf(output+slen, "word ");
+               slen += snprintf(output+slen, outbuflen-slen, "word ");
            } else if ( (*p)->opd[i] & BITS32 ) {
-               slen += sprintf(output+slen, "dword ");
+               slen += snprintf(output+slen, outbuflen-slen, "dword ");
            } else if ( (*p)->opd[i] & NEAR ) {
-               slen += sprintf(output+slen, "near ");
+               slen += snprintf(output+slen, outbuflen-slen, "near ");
            } else if ( (*p)->opd[i] & SHORT ) {
-               slen += sprintf(output+slen, "short ");
+               slen += snprintf(output+slen, outbuflen-slen, "short ");
            }
-           slen += sprintf(output+slen, "0x%lx", ins.oprs[i].offset);
+           slen += snprintf(output+slen, outbuflen-slen, "0x%lx", ins.oprs[i].offset);
        } else if ( !(MEM_OFFS & ~(*p)->opd[i]) ) {
-           slen += sprintf(output+slen, "[%s%s%s0x%lx]",
+           slen += snprintf(output+slen, outbuflen-slen, "[%s%s%s0x%lx]",
                            (segover ? segover : ""),
                            (segover ? ":" : ""),
                            (ins.oprs[i].addr_size == 32 ? "dword " :
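Review bot: `output[slen++] = '+';` near the top of this hunk is an unbounded write that the commit leaves untouched, and the `"[%s%s%s0x%lx]"` call at the bottom is the largest single append in the function, so it is the most likely one to truncate and leave `slen` past `outbuflen` for the writes that follow. The `'+'` write should be guarded like the snprintf calls, `if (slen < outbuflen - 1) output[slen++] = '+';`, and the return value of the bounded calls should be clamped rather than added blindly. The statement at the end of this hunk continues past it.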
@@ -669,30 +669,30 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
        } else if ( !(REGMEM & ~(*p)->opd[i]) ) {
            int started = FALSE;
            if ( (*p)->opd[i] & BITS8 )
-               slen += sprintf(output+slen, "byte ");
+               slen += snprintf(output+slen, outbuflen-slen, "byte ");
            if ( (*p)->opd[i] & BITS16 )
-               slen += sprintf(output+slen, "word ");
+               slen += snprintf(output+slen, outbuflen-slen, "word ");
            if ( (*p)->opd[i] & BITS32 )
-               slen += sprintf(output+slen, "dword ");
+               slen += snprintf(output+slen, outbuflen-slen, "dword ");
            if ( (*p)->opd[i] & BITS64 )
-               slen += sprintf(output+slen, "qword ");
+               slen += snprintf(output+slen, outbuflen-slen, "qword ");
            if ( (*p)->opd[i] & BITS80 )
-               slen += sprintf(output+slen, "tword ");
+               slen += snprintf(output+slen, outbuflen-slen, "tword ");
            if ( (*p)->opd[i] & FAR )
-               slen += sprintf(output+slen, "far ");
+               slen += snprintf(output+slen, outbuflen-slen, "far ");
            if ( (*p)->opd[i] & NEAR )
-               slen += sprintf(output+slen, "near ");
+               slen += snprintf(output+slen, outbuflen-slen, "near ");
            output[slen++] = '[';
            if (ins.oprs[i].addr_size)
-               slen += sprintf(output+slen, "%s",
+               slen += snprintf(output+slen, outbuflen-slen, "%s",
                                (ins.oprs[i].addr_size == 32 ? "dword " :
                                 ins.oprs[i].addr_size == 16 ? "word " : ""));
            if (segover) {
-               slen += sprintf(output+slen, "%s:", segover);
+               slen += snprintf(output+slen, outbuflen-slen, "%s:", segover);
                segover = NULL;
            }
            if (ins.oprs[i].basereg != -1) {
-               slen += sprintf(output+slen, "%s",
+               slen += snprintf(output+slen, outbuflen-slen, "%s",
                                reg_names[(ins.oprs[i].basereg -
                                           EXPR_REG_START)]);
                started = TRUE;
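Review bot: `output[slen++] = '[';` in the middle of this hunk is still an unchecked write into `output`, sitting between bounded snprintf calls whose size argument it does not share, so the buffer can still be overrun at that point; guard it as `if (slen < outbuflen - 1) output[slen++] = '[';`. A single helper for appending one character (or for appending formatted text, used with `"%c"`) would keep this and the other bare `output[slen++]` sites in the function consistent. The REGMEM branch continues beyond this hunk.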
@@ -700,11 +700,11 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
            if (ins.oprs[i].indexreg != -1) {
                if (started)
                    output[slen++] = '+';
-               slen += sprintf(output+slen, "%s",
+               slen += snprintf(output+slen, outbuflen-slen, "%s",
                                reg_names[(ins.oprs[i].indexreg -
                                           EXPR_REG_START)]);
                if (ins.oprs[i].scale > 1)
-                   slen += sprintf(output+slen, "*%d", ins.oprs[i].scale);
+                   slen += snprintf(output+slen, outbuflen-slen, "*%d", ins.oprs[i].scale);
                started = TRUE;
            }
            if (ins.oprs[i].segment & SEG_DISP8) {
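Review bot: The `'+'` separator written with `output[slen++] = '+';` before the index register is not bounded, and the `"*%d"` append after it inherits whatever `slen` the previous snprintf left, so neither is safe once an earlier call has truncated. Guard the separator, `if (slen < outbuflen - 1) output[slen++] = '+';`, and clamp `slen` after each snprintf instead of adding its return value unconditionally. This branch of the operand loop continues outside the hunk.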
@@ -713,20 +713,20 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
                    ins.oprs[i].offset = - (signed char) ins.oprs[i].offset;
                    sign = '-';
                }
-               slen += sprintf(output+slen, "%c0x%lx", sign,
+               slen += snprintf(output+slen, outbuflen-slen, "%c0x%lx", sign,
                                ins.oprs[i].offset);
            } else if (ins.oprs[i].segment & SEG_DISP16) {
                if (started)
                    output[slen++] = '+';
-               slen += sprintf(output+slen, "0x%lx", ins.oprs[i].offset);
+               slen += snprintf(output+slen, outbuflen-slen, "0x%lx", ins.oprs[i].offset);
            } else if (ins.oprs[i].segment & SEG_DISP32) {
                if (started)
                    output[slen++] = '+';
-               slen += sprintf(output+slen, "0x%lx", ins.oprs[i].offset);
+               slen += snprintf(output+slen, outbuflen-slen, "0x%lx", ins.oprs[i].offset);
            }
            output[slen++] = ']';
        } else {
-           slen += sprintf(output+slen, "<operand%d>", i);
+           slen += snprintf(output+slen, outbuflen-slen, "<operand%d>", i);
        }
     }
     output[slen] = '\0';
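Review bot: The final `output[slen] = '\0';` writes through an index that snprintf may already have advanced past `outbuflen` on truncation, so the terminator itself becomes the out-of-bounds write the commit is trying to remove; it should be clamped first, `if (slen >= outbuflen) slen = outbuflen - 1; output[slen] = '\0';`. The `output[slen++] = ']';` just above it has the same problem and needs the same bound check. Note that snprintf already NUL-terminates when its size is non-zero, so the explicit terminator only matters for the bare `output[slen++]` writes. disasm's body continues after this hunk.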
@@ -741,8 +741,8 @@ long disasm (unsigned char *data, char *output, int segsize, long offset,
     return length;
 }
 
-long eatbyte (unsigned char *data, char *output) 
+long eatbyte (unsigned char *data, char *output, int outbufsize
 {
-    sprintf(output, "db 0x%02X", *data);
+    snprintf(output, outbufsize, "db 0x%02X", *data);
     return 1;
 }
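Review bot: The new eatbyte prototype is missing its closing parenthesis, `long eatbyte (unsigned char *data, char *output, int outbufsize`, so this file will not compile; it should read `long eatbyte (unsigned char *data, char *output, int outbufsize)`. The body is otherwise sound, since `"db 0x%02X"` is a fixed 7 characters and snprintf NUL-terminates within `outbufsize`, though a one-line contract would help callers: `/* output must hold at least 8 bytes ("db 0xNN" plus NUL) */`. Any callers of eatbyte() elsewhere (not shown) need the extra argument as well.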