From: Jeff Trawick <trawick@apache.org>
Date: Fri, 20 Aug 2010 13:16:24 +0000 (+0000)
Subject: Fortify falsely complained that the sprintf() result was unbounded.
X-Git-Tag: 2.3.8~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82d1497a6e2f3325dd135d6c0402911f1caf2e2a;p=thirdparty%2Fapache%2Fhttpd.git

Fortify falsely complained that the sprintf() result was unbounded.
We may as well use apr_snprintf() though, as well as comment on the
available space for "::\0" (for people like me).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@987498 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/support/htdigest.c b/support/htdigest.c
index b92d2eb4e9c..6a0e26f123f 100644
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -124,7 +124,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
     char *pw;
     apr_md5_ctx_t context;
     unsigned char digest[16];
-    char string[3 * MAX_STRING_LEN];
+    char string[3 * MAX_STRING_LEN]; /* this includes room for 2 * ':' + '\0' */
     char pwin[MAX_STRING_LEN];
     char pwv[MAX_STRING_LEN];
     unsigned int i;
@@ -144,7 +144,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
     apr_file_printf(f, "%s:%s:", user, realm);
 
     /* Do MD5 stuff */
-    sprintf(string, "%s:%s:%s", user, realm, pw);
+    apr_snprintf(string, sizeof(string), "%s:%s:%s", user, realm, pw);
 
     apr_md5_init(&context);
 #if APR_CHARSET_EBCDIC