From 554e55b0f07e7913afad6b374e30661df9db617a Mon Sep 17 00:00:00 2001
From: Jacob Garber <jgarber1@ualberta.ca>
Date: Wed, 8 May 2019 09:32:00 -0600
Subject: util/kconfig: Use snprintf to avoid buffer overflow

'name' and 'env' are supposed to be file system paths,
but could overflow the buffer if configured incorrectly.
Let's avoid that entirely.

Found-by: Coverity Scan #1362515
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Change-Id: I1aef36819d49ebcbde1c51995dc0961c85e74150
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32686
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
---
 util/kconfig/zconf.l             | 3 ++-
 util/kconfig/zconf.lex.c_shipped | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'util/kconfig')

diff --git a/util/kconfig/zconf.l b/util/kconfig/zconf.l
index 0b45c19db9..f2636d2955 100644
--- a/util/kconfig/zconf.l
+++ b/util/kconfig/zconf.l
@@ -273,7 +273,8 @@ FILE *zconf_fopen(const char *name)
 	if (!f && name != NULL && name[0] != '/') {
 		env = getenv(SRCTREE);
 		if (env) {
-			sprintf(fullname, "%s/%s", env, name);
+			snprintf(fullname, sizeof(fullname),
+					"%s/%s", env, name);
 			f = fopen(fullname, "r");
 		}
 	}
diff --git a/util/kconfig/zconf.lex.c_shipped b/util/kconfig/zconf.lex.c_shipped
index 72e3a5fca2..4133f71dd2 100644
--- a/util/kconfig/zconf.lex.c_shipped
+++ b/util/kconfig/zconf.lex.c_shipped
@@ -2351,7 +2351,8 @@ FILE *zconf_fopen(const char *name)
 	if (!f && name != NULL && name[0] != '/') {
 		env = getenv(SRCTREE);
 		if (env) {
-			sprintf(fullname, "%s/%s", env, name);
+			snprintf(fullname, sizeof(fullname),
+					"%s/%s", env, name);
 			f = fopen(fullname, "r");
 		}
 	}
-- 
cgit v1.2.3