From 1f2105628eac76ad23c7b4424c592a6ff78f5632 Mon Sep 17 00:00:00 2001 From: "Mun, Gwan-gyeong" Date: Mon, 7 Mar 2016 23:12:38 +0900 Subject: [PATCH] Replace vulnerable function 'sprintf' to 'snprintf' Change-Id: I746a13501ebc7f4f0df320f6639928a5f6dab494 --- src/modules/fastpath/coregl_fastpath_gl.c | 2 +- src/modules/tracepath/coregl_tracepath.c | 12 +- src/modules/tracepath/coregl_tracepath_egl.c | 12 +- src/modules/tracepath/coregl_tracepath_gl.c | 172 ++++++++++++++------------- 4 files changed, 103 insertions(+), 95 deletions(-) diff --git a/src/modules/fastpath/coregl_fastpath_gl.c b/src/modules/fastpath/coregl_fastpath_gl.c index 9044bf5..03c8cf3 100644 --- a/src/modules/fastpath/coregl_fastpath_gl.c +++ b/src/modules/fastpath/coregl_fastpath_gl.c @@ -5103,7 +5103,7 @@ fastpath_glGetStringi(GLenum name, GLuint index) goto finish; case GL_EXTENSIONS: _valid_extension_string(); - if (index < 0 || index >= gl_extension_count) { + if (index >= gl_extension_count) { _set_gl_error(GL_INVALID_VALUE); goto finish; } diff --git a/src/modules/tracepath/coregl_tracepath.c b/src/modules/tracepath/coregl_tracepath.c index 233c063..a112b17 100644 --- a/src/modules/tracepath/coregl_tracepath.c +++ b/src/modules/tracepath/coregl_tracepath.c 
@@ -1221,12 +1221,14 @@ _dump_surface(int force_output, int type, const char *position, } if (trace_surface_sequence_sort_flag == 1) - sprintf(name, "[%d (%06d)%p-%p] %s %04d (%s).png", getpid(), alldumpcount, - sdata->display, sdata->context, sdata->trace_data.name, sdata->dump_count, - position); + snprintf(name, sizeof(name), "[%d (%06d)%p-%p] %s %04d (%s).png", getpid(), + alldumpcount, + sdata->display, sdata->context, sdata->trace_data.name, sdata->dump_count, + position); else - sprintf(name, "[%d %p-%p] %s %04d (%s).png", getpid(), sdata->display, - sdata->context, sdata->trace_data.name, sdata->dump_count, position); + snprintf(name, sizeof(name), "[%d %p-%p] %s %04d (%s).png", getpid(), + sdata->display, + sdata->context, sdata->trace_data.name, sdata->dump_count, position); if (!strncmp(sdata->trace_data.name, "EGL", 3) && type != 2) { // EGL diff --git a/src/modules/tracepath/coregl_tracepath_egl.c b/src/modules/tracepath/coregl_tracepath_egl.c index 86fcd02..95ee050 100644 --- a/src/modules/tracepath/coregl_tracepath_egl.c +++ b/src/modules/tracepath/coregl_tracepath_egl.c @@ -437,7 +437,7 @@ finish: #ifdef COREGL_TRACEPATH_TRACE_SURFACE_INFO { char name[256]; - sprintf(name, "EGLSURFACE_%p", surface); + snprintf(name, sizeof(name), "EGLSURFACE_%p", surface); tracepath_surface_trace_add(name, 0, 0, 0, 0, 0, 0, 0, 0, 0, NULL); } #endif // COREGL_TRACEPATH_TRACE_SURFACE_INFO @@ -609,7 +609,7 @@ finish: if (unlikely(trace_ctx_flag == 1)) { if (_orig_tracepath_eglCreateContext == _sym_eglCreateContext) { char ment[256]; - sprintf(ment, "eglCreateContext completed (EGLCTX=[%12p])", ret); + snprintf(ment, sizeof(ment), "eglCreateContext completed (EGLCTX=[%12p])", ret); _dump_context_info(ment, 1); } } 
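Review bot: In the `_dump_surface` hunk of coregl_tracepath.c both `snprintf(name, sizeof(name), ...)` calls discard the return value, so an over-long `sdata->trace_data.name` or `position` now produces a silently truncated name, possibly without its `.png` suffix, where it used to overflow. Capturing the result makes that visible: `int n = snprintf(name, sizeof(name), ...);` then `if (n < 0 || (size_t)n >= sizeof(name)) { /* skip this dump */ }`, using whatever error exit the function already has, since its body continues outside the hunk. The declaration of `name` is also outside the hunk, and `sizeof(name)` is the buffer size only if `name` is an array in this scope rather than a `char *`. That is worth confirming here and for the `EGLPIXMAP_%p`/`EGLWINDOW_%p` hunks at -839 and -872 in coregl_tracepath_gl.c, which rely on the same assumption.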
@@ -637,7 +637,8 @@ finish: if (unlikely(trace_ctx_flag == 1)) { if (_orig_tracepath_eglDestroyContext == _sym_eglDestroyContext) { char ment[256]; - sprintf(ment, "eglDestroyContext completed (EGLCTX=[%12p])", ctx); + snprintf(ment, sizeof(ment), "eglDestroyContext completed (EGLCTX=[%12p])", + ctx); _dump_context_info(ment, 1); } } @@ -697,8 +698,9 @@ finish: if (unlikely(trace_ctx_flag == 1)) { if (_orig_tracepath_eglMakeCurrent == _sym_eglMakeCurrent) { char ment[256]; - sprintf(ment, "eglMakeCurrent finished (EGLCTX=[%12p] Surf=[D:%12p R:%12p])", - ctx, draw, read); + snprintf(ment, sizeof(ment), + "eglMakeCurrent finished (EGLCTX=[%12p] Surf=[D:%12p R:%12p])", + ctx, draw, read); _dump_context_info(ment, 0); } } diff --git a/src/modules/tracepath/coregl_tracepath_gl.c b/src/modules/tracepath/coregl_tracepath_gl.c index acde888..c5ee3db 100644 --- a/src/modules/tracepath/coregl_tracepath_gl.c +++ b/src/modules/tracepath/coregl_tracepath_gl.c 
@@ -100,23 +100,22 @@ _add_glbuf_object(Glbuf_Data **glbuf, int obj_idx, const char *obj_type, __addhash_glbuf_object(glbuf, data); } else { // Update - { - char ment[MAX_TRACE_NAME_LENGTH]; - sprintf(ment, "%s(%4dx%4d %s)", obj_type, data->width, data->height, - data->format); - _COREGL_TRACE_MEM_REMOVE(ment, data->width * data->height * data->bpp); - } + char ment[MAX_TRACE_NAME_LENGTH]; + snprintf(ment, MAX_TRACE_NAME_LENGTH, "%s(%4dx%4d %s)", obj_type, data->width, + data->height, + data->format); + _COREGL_TRACE_MEM_REMOVE(ment, data->width * data->height * data->bpp); } data->width = width; data->height = height; data->bpp = bpp; - sprintf(data->format, "%s", format); - + snprintf(data->format, 80, "%s", format); { char ment[MAX_TRACE_NAME_LENGTH]; - sprintf(ment, "%s(%4dx%4d %s)", obj_type, data->width, data->height, - data->format); + snprintf(ment, MAX_TRACE_NAME_LENGTH, "%s(%4dx%4d %s)", obj_type, data->width, + data->height, + data->format); _COREGL_TRACE_MEM_ADD(ment, data->width * data->height * data->bpp); } goto finish; @@ -137,8 +136,9 @@ _remove_glbuf_object(Glbuf_Data **glbuf, int obj_idx, const char *obj_type) { char ment[MAX_TRACE_NAME_LENGTH]; - sprintf(ment, "%s(%4dx%4d %s)", obj_type, data->width, data->height, - data->format); + snprintf(ment, MAX_TRACE_NAME_LENGTH, "%s(%4dx%4d %s)", obj_type, data->width, + data->height, + data->format); _COREGL_TRACE_MEM_REMOVE(ment, data->width * data->height * data->bpp); } @@ -169,7 +169,7 @@ _surface_trace_set(int set, GLint fbname, GLenum attachment, //COREGL_LOG("FBO DUMPING BEGIN = (TEX)0x%X\n", attname); { char name[256]; - sprintf(name, "FBOTEX_0x%X", attname); + snprintf(name, sizeof(name), "FBOTEX_0x%X", attname); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, fbname, attname, 0, -1, -1, -1, NULL); } 
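Review bot: `snprintf(data->format, 80, "%s", format);` in `_add_glbuf_object` bounds the copy with a literal that is not tied to the destination, so the write is only safe if the `format` member of `Glbuf_Data` holds at least 80 bytes, and that definition is not visible in this hunk. If the member is an array, `snprintf(data->format, sizeof(data->format), "%s", format);` keeps the bound correct when the struct changes; the 80 presumably mirrors the callers' `char formatment[80]`. The two `ment` calls here and the one in the `_remove_glbuf_object` hunk pass `MAX_TRACE_NAME_LENGTH` where the rest of the commit passes `sizeof` of the buffer; `sizeof(ment)` would be consistent. A truncated `ment` is also handed to `_COREGL_TRACE_MEM_ADD` and `_COREGL_TRACE_MEM_REMOVE`, so if those match entries by name, long `obj_type`/`format` combinations could collapse into one entry, which is worth confirming.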
@@ -178,7 +178,7 @@ _surface_trace_set(int set, GLint fbname, GLenum attachment, //COREGL_LOG("FBO DUMPING BEGIN = (RB)0x%X\n", attname); { char name[256]; - sprintf(name, "FBORB_0x%X", attname); + snprintf(name, sizeof(name), "FBORB_0x%X", attname); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, fbname, 0, attname, -1, -1, -1, NULL); } @@ -190,7 +190,7 @@ _surface_trace_set(int set, GLint fbname, GLenum attachment, //COREGL_LOG("FBO DUMPING END = (TEX)0x%X\n", attname); { char name[256]; - sprintf(name, "FBOTEX_0x%X", attname); + snprintf(name, sizeof(name), "FBOTEX_0x%X", attname); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, 0, attname, 0, -1, -1, -1, NULL); } @@ -199,7 +199,7 @@ _surface_trace_set(int set, GLint fbname, GLenum attachment, //COREGL_LOG("FBO DUMPING END = (RB)0x%X\n", attname); { char name[256]; - sprintf(name, "FBORB_0x%X", attname); + snprintf(name, sizeof(name), "FBORB_0x%X", attname); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, 0, 0, attname, -1, -1, -1, NULL); } @@ -839,9 +839,11 @@ finish: _orig_tracepath_eglQuerySurface(_orig_tracepath_eglGetCurrentDisplay(), _orig_tracepath_eglGetCurrentSurface(EGL_DRAW), EGL_RENDER_BUFFER, &btype); if (btype == EGL_SINGLE_BUFFER) - sprintf(name, "EGLPIXMAP_%p", _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); + snprintf(name, sizeof(name), "EGLPIXMAP_%p", + _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); else - sprintf(name, "EGLWINDOW_%p", _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); + snprintf(name, sizeof(name), "EGLWINDOW_%p", + _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); tracepath_surface_trace_add(name, _orig_tracepath_eglGetCurrentDisplay(), _orig_tracepath_eglGetCurrentContext(), _orig_tracepath_eglGetCurrentSurface(EGL_DRAW), 0, 0, 0, 0, 0, 0, NULL); 
@@ -872,9 +874,11 @@ finish: _orig_tracepath_eglQuerySurface(_orig_tracepath_eglGetCurrentDisplay(), _orig_tracepath_eglGetCurrentSurface(EGL_DRAW), EGL_RENDER_BUFFER, &btype); if (btype == EGL_SINGLE_BUFFER) - sprintf(name, "EGLPIXMAP_%p", _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); + snprintf(name, sizeof(name), "EGLPIXMAP_%p", + _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); else - sprintf(name, "EGLWINDOW_%p", _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); + snprintf(name, sizeof(name), "EGLWINDOW_%p", + _orig_tracepath_eglGetCurrentSurface(EGL_DRAW)); tracepath_surface_trace_add(name, _orig_tracepath_eglGetCurrentDisplay(), _orig_tracepath_eglGetCurrentContext(), _orig_tracepath_eglGetCurrentSurface(EGL_DRAW), 0, 0, 0, 0, 0, 0, NULL); 
@@ -1639,63 +1643,63 @@ finish: char formatment[80]; switch (internalformat) { case GL_ALPHA: - sprintf(formatment, "ALPHA"); + snprintf(formatment, sizeof(formatment), "ALPHA"); bpp = 1; break; case GL_LUMINANCE: - sprintf(formatment, "LUMINANCE"); + snprintf(formatment, sizeof(formatment), "LUMINANCE"); bpp = 1; break; case GL_LUMINANCE_ALPHA: - sprintf(formatment, "LUMINANCE_ALPHA"); + snprintf(formatment, sizeof(formatment), "LUMINANCE_ALPHA"); bpp = 1; break; case GL_RGB: - sprintf(formatment, "RGB"); + snprintf(formatment, sizeof(formatment), "RGB"); bpp = 2; break; case GL_RGBA: - sprintf(formatment, "RGBA"); + snprintf(formatment, sizeof(formatment), "RGBA"); bpp = 4; break; case 0x80E1: - sprintf(formatment, "BGRA_EXT"); + snprintf(formatment, sizeof(formatment), "BGRA_EXT"); bpp = 4; break; case 0x84F9: - sprintf(formatment, "DEPTH_STENCIL_OES"); + snprintf(formatment, sizeof(formatment), "DEPTH_STENCIL_OES"); bpp = 4; break; case GL_DEPTH_COMPONENT : - sprintf(formatment, "DEPTH_COMPONENT"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT"); bpp = 1; break; case 0x81A5: - sprintf(formatment, "DEPTH_COMPONENT16_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT16_ARB"); bpp = 2; break; case 0x81A6: - sprintf(formatment, "DEPTH_COMPONENT24_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT24_ARB"); bpp = 3; break; case 0x81A7: - sprintf(formatment, "DEPTH_COMPONENT32_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT32_ARB"); bpp = 4; break; case 0x8D46 : - sprintf(formatment, "STENCIL_INDEX1_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX1_OES"); bpp = 1; break; case 0x8D47 : - sprintf(formatment, "STENCIL_INDEX4_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX4_OES"); bpp = 1; break; case 0x8D48 : - sprintf(formatment, "STENCIL_INDEX8_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX8_OES"); bpp = 1; break; default: - sprintf(formatment, "0x%X", 
internalformat); + snprintf(formatment, sizeof(formatment), "0x%X", internalformat); bpp = 0; break; } @@ -1744,7 +1748,7 @@ finish: } char name[256]; - sprintf(name, "FBORB_%d", objidx); + snprintf(name, sizeof(name), "FBORB_%d", objidx); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, -1, 0, objidx, width, height, channel, NULL); } 
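Review bot: The label/bpp `switch` on `internalformat` is rewritten identically in four hunks of coregl_tracepath_gl.c (-1639, -1906, -2884, -3026), so any later change to a label or to the buffer size has to be repeated four times. Every case except `default` copies a string literal far shorter than `formatment[80]`, so the bounded call only matters for the `0x%X` fallback; a single file-local helper would hold the table once and leave one pair of `snprintf` calls to audit. The sketch below introduces a new helper name and assumes `internalformat` is a `GLenum`, since the enclosing functions start outside the hunks; labels and `bpp` values are meant to stay exactly as they are.

```c
/* Single table for the trace label and bpp of an internal format. */
static int
_trace_format_info(GLenum internalformat, char *label, size_t label_size)
{
	const char *known = NULL;
	int bpp = 0;

	switch (internalformat) {
	case GL_ALPHA:
		known = "ALPHA";
		bpp = 1;
		break;
	/* … unchanged: remaining cases, same labels and bpp values … */
	default:
		break;
	}

	if (known != NULL)
		snprintf(label, label_size, "%s", known);
	else
		snprintf(label, label_size, "0x%X", internalformat);
	return bpp;
}

/* at each of the four call sites */
char formatment[80];
bpp = _trace_format_info(internalformat, formatment, sizeof(formatment));
```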
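Review bot: The -1744 hunk formats the renderbuffer name as `FBORB_%d`, while every other renderbuffer site in this commit (`_surface_trace_set`, -2989, -3131) uses `FBORB_0x%X`, so the same object index yields different strings: index 10 becomes `FBORB_10` here and `FBORB_0xA` elsewhere. If `tracepath_surface_trace_add` matches entries by name, which is not visible here, the entry registered on this path would never match the one used by `_surface_trace_set`. The mismatch predates this commit, but the line is being rewritten anyway and could become `snprintf(name, sizeof(name), "FBORB_0x%X", objidx);`. The enclosing function starts outside the hunk.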
@@ -1906,63 +1910,63 @@ finish: char formatment[80]; switch (internalformat) { case GL_ALPHA: - sprintf(formatment, "ALPHA"); + snprintf(formatment, sizeof(formatment), "ALPHA"); bpp = 1; break; case GL_LUMINANCE: - sprintf(formatment, "LUMINANCE"); + snprintf(formatment, sizeof(formatment), "LUMINANCE"); bpp = 1; break; case GL_LUMINANCE_ALPHA: - sprintf(formatment, "LUMINANCE_ALPHA"); + snprintf(formatment, sizeof(formatment), "LUMINANCE_ALPHA"); bpp = 1; break; case GL_RGB: - sprintf(formatment, "RGB"); + snprintf(formatment, sizeof(formatment), "RGB"); bpp = 2; break; case GL_RGBA: - sprintf(formatment, "RGBA"); + snprintf(formatment, sizeof(formatment), "RGBA"); bpp = 4; break; case 0x80E1: - sprintf(formatment, "BGRA_EXT"); + snprintf(formatment, sizeof(formatment), "BGRA_EXT"); bpp = 4; break; case 0x84F9: - sprintf(formatment, "DEPTH_STENCIL_OES"); + snprintf(formatment, sizeof(formatment), "DEPTH_STENCIL_OES"); bpp = 4; break; case GL_DEPTH_COMPONENT : - sprintf(formatment, "DEPTH_COMPONENT"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT"); bpp = 1; break; case 0x81A5: - sprintf(formatment, "DEPTH_COMPONENT16_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT16_ARB"); bpp = 2; break; case 0x81A6: - sprintf(formatment, "DEPTH_COMPONENT24_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT24_ARB"); bpp = 3; break; case 0x81A7: - sprintf(formatment, "DEPTH_COMPONENT32_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT32_ARB"); bpp = 4; break; case 0x8D46 : - sprintf(formatment, "STENCIL_INDEX1_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX1_OES"); bpp = 1; break; case 0x8D47 : - sprintf(formatment, "STENCIL_INDEX4_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX4_OES"); bpp = 1; break; case 0x8D48 : - sprintf(formatment, "STENCIL_INDEX8_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX8_OES"); bpp = 1; break; default: - sprintf(formatment, "0x%X", 
internalformat); + snprintf(formatment, sizeof(formatment), "0x%X", internalformat); bpp = 0; break; } @@ -2011,7 +2015,7 @@ finish: } char name[256]; - sprintf(name, "FBOTEX_0x%X", objidx); + snprintf(name, sizeof(name), "FBOTEX_0x%X", objidx); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, -1, objidx, 0, width, height, channel, NULL); } 
@@ -2884,63 +2888,63 @@ finish: char formatment[80]; switch (internalformat) { case GL_ALPHA: - sprintf(formatment, "ALPHA"); + snprintf(formatment, sizeof(formatment), "ALPHA"); bpp = 1; break; case GL_LUMINANCE: - sprintf(formatment, "LUMINANCE"); + snprintf(formatment, sizeof(formatment), "LUMINANCE"); bpp = 1; break; case GL_LUMINANCE_ALPHA: - sprintf(formatment, "LUMINANCE_ALPHA"); + snprintf(formatment, sizeof(formatment), "LUMINANCE_ALPHA"); bpp = 1; break; case GL_RGB: - sprintf(formatment, "RGB"); + snprintf(formatment, sizeof(formatment), "RGB"); bpp = 2; break; case GL_RGBA: - sprintf(formatment, "RGBA"); + snprintf(formatment, sizeof(formatment), "RGBA"); bpp = 4; break; case 0x80E1: - sprintf(formatment, "BGRA_EXT"); + snprintf(formatment, sizeof(formatment), "BGRA_EXT"); bpp = 4; break; case 0x84F9: - sprintf(formatment, "DEPTH_STENCIL_OES"); + snprintf(formatment, sizeof(formatment), "DEPTH_STENCIL_OES"); bpp = 4; break; case GL_DEPTH_COMPONENT : - sprintf(formatment, "DEPTH_COMPONENT"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT"); bpp = 1; break; case 0x81A5: - sprintf(formatment, "DEPTH_COMPONENT16_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT16_ARB"); bpp = 2; break; case 0x81A6: - sprintf(formatment, "DEPTH_COMPONENT24_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT24_ARB"); bpp = 3; break; case 0x81A7: - sprintf(formatment, "DEPTH_COMPONENT32_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT32_ARB"); bpp = 4; break; case 0x8D46 : - sprintf(formatment, "STENCIL_INDEX1_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX1_OES"); bpp = 1; break; case 0x8D47 : - sprintf(formatment, "STENCIL_INDEX4_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX4_OES"); bpp = 1; break; case 0x8D48 : - sprintf(formatment, "STENCIL_INDEX8_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX8_OES"); bpp = 1; break; default: - sprintf(formatment, "0x%X", 
internalformat); + snprintf(formatment, sizeof(formatment), "0x%X", internalformat); bpp = 0; break; } @@ -2989,7 +2993,7 @@ finish: } char name[256]; - sprintf(name, "FBORB_0x%X", objidx); + snprintf(name, sizeof(name), "FBORB_0x%X", objidx); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, -1, 0, objidx, width, height, channel, NULL); } 
@@ -3026,63 +3030,63 @@ finish: char formatment[80]; switch (internalformat) { case GL_ALPHA: - sprintf(formatment, "ALPHA"); + snprintf(formatment, sizeof(formatment), "ALPHA"); bpp = 1; break; case GL_LUMINANCE: - sprintf(formatment, "LUMINANCE"); + snprintf(formatment, sizeof(formatment), "LUMINANCE"); bpp = 1; break; case GL_LUMINANCE_ALPHA: - sprintf(formatment, "LUMINANCE_ALPHA"); + snprintf(formatment, sizeof(formatment), "LUMINANCE_ALPHA"); bpp = 1; break; case GL_RGB: - sprintf(formatment, "RGB"); + snprintf(formatment, sizeof(formatment), "RGB"); bpp = 2; break; case GL_RGBA: - sprintf(formatment, "RGBA"); + snprintf(formatment, sizeof(formatment), "RGBA"); bpp = 4; break; case 0x80E1: - sprintf(formatment, "BGRA_EXT"); + snprintf(formatment, sizeof(formatment), "BGRA_EXT"); bpp = 4; break; case 0x84F9: - sprintf(formatment, "DEPTH_STENCIL_OES"); + snprintf(formatment, sizeof(formatment), "DEPTH_STENCIL_OES"); bpp = 4; break; case GL_DEPTH_COMPONENT : - sprintf(formatment, "DEPTH_COMPONENT"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT"); bpp = 1; break; case 0x81A5: - sprintf(formatment, "DEPTH_COMPONENT16_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT16_ARB"); bpp = 2; break; case 0x81A6: - sprintf(formatment, "DEPTH_COMPONENT24_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT24_ARB"); bpp = 3; break; case 0x81A7: - sprintf(formatment, "DEPTH_COMPONENT32_ARB"); + snprintf(formatment, sizeof(formatment), "DEPTH_COMPONENT32_ARB"); bpp = 4; break; case 0x8D46 : - sprintf(formatment, "STENCIL_INDEX1_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX1_OES"); bpp = 1; break; case 0x8D47 : - sprintf(formatment, "STENCIL_INDEX4_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX4_OES"); bpp = 1; break; case 0x8D48 : - sprintf(formatment, "STENCIL_INDEX8_OES"); + snprintf(formatment, sizeof(formatment), "STENCIL_INDEX8_OES"); bpp = 1; break; default: - sprintf(formatment, "0x%X", 
internalformat); + snprintf(formatment, sizeof(formatment), "0x%X", internalformat); bpp = 0; break; } @@ -3131,7 +3135,7 @@ finish: } char name[256]; - sprintf(name, "FBORB_0x%X", objidx); + snprintf(name, sizeof(name), "FBORB_0x%X", objidx); tracepath_surface_trace_add(name, tstate->ctx->dpy, tstate->ctx->handle, tstate->surf_draw, -1, 0, objidx, width, height, channel, NULL); } -- 2.7.4