{
USBDevice *dev = DO_UPCAST(USBDevice, qdev, qdev);
char *fw_path, *in;
- int pos = 0;
+ ssize_t pos = 0, fw_len;
long nr;
- fw_path = qemu_malloc(32 + strlen(dev->port->path) * 6);
+ fw_len = 32 + strlen(dev->port->path) * 6;
+ fw_path = qemu_malloc(fw_len);
in = dev->port->path;
- while (true) {
+ while (fw_len - pos > 0) {
nr = strtol(in, &in, 10);
if (in[0] == '.') {
/* some hub between root port and device */
- pos += sprintf(fw_path + pos, "hub@%ld/", nr);
+ pos += snprintf(fw_path + pos, fw_len - pos, "hub@%ld/", nr);
in++;
} else {
/* the device itself */
- pos += sprintf(fw_path + pos, "%s@%ld", qdev_fw_name(qdev), nr);
+ pos += snprintf(fw_path + pos, fw_len - pos, "%s@%ld",
+ qdev_fw_name(qdev), nr);
break;
}
}