Fortify falsely complained that the sprintf() result was unbounded.

We may as well use apr_snprintf() though, as well as comment on the
available space for "::\0" (for people like me).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@987498 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/support/htdigest.c b/support/htdigest.c
index b92d2eb4e9c4a0de57c72bc2868683bb963ac63d..6a0e26f123f95feb5edc7addb41999e1ec69b494 100644 (file)
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -124,7 +124,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
     char *pw;
     apr_md5_ctx_t context;
     unsigned char digest[16];
-    char string[3 * MAX_STRING_LEN];
+    char string[3 * MAX_STRING_LEN]; /* this includes room for 2 * ':' + '\0' */
     char pwin[MAX_STRING_LEN];
     char pwv[MAX_STRING_LEN];
     unsigned int i;
@@ -144,7 +144,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
     apr_file_printf(f, "%s:%s:", user, realm);
 
     /* Do MD5 stuff */
-    sprintf(string, "%s:%s:%s", user, realm, pw);
+    apr_snprintf(string, sizeof(string), "%s:%s:%s", user, realm, pw);
 
     apr_md5_init(&context);
 #if APR_CHARSET_EBCDIC