On 05/23/2012 10:08 AM, Crístian Viana wrote:
>> So when you posted the previous version of your patch it was pointed
>> out that this is a buffer overflow:
>> http://lists.gnu.org/archive/html/qemu-devel/2012-04/msg01657.html
>>
>> You need to fix this.
>
> I have sent a reply to that thread explaining that the user actually
> doesn't have control of that string, that is only used internally in the
> code (just like the QEMU_VERSION macro).
> I fixed the code now with snprintf copying at most 12 chars to the
> string (the array size). I can't think of why pstrcat would be better in
> this case, as suggested by Erik.

s/Erik/Eric/, but you're not the first to make that typo.

pstrcat is more efficient than snprintf() - the former is dedicated to a
single task, while the latter has to parse a format string and decode
that it is doing a single %s expansion. In other words, just because
*printf can do string concatenation doesn't make it the best tool for
the job.

--
Eric Blake ebl...@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
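As an added illustration (not code from this thread or from QEMU), the two approaches discussed above, a dedicated bounded append versus snprintf() with "%s", applied to a 12-byte array. The helper names and version strings are constructed for this example; bounded_append is a stand-in written here, not QEMU's pstrcat.

```c
#include <stdio.h>
#include <string.h>

#define VER_SIZE 12                      /* array size quoted in the thread */

/* Length of the string in buf, or size if no NUL is found within size bytes. */
static size_t bounded_len(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    return nul ? (size_t)(nul - buf) : size;
}

/* Dedicated bounded append: returns 1 if all of s fit, 0 if it was truncated. */
static int bounded_append(char *buf, size_t size, const char *s)
{
    size_t len = bounded_len(buf, size), n = strlen(s);
    if (len >= size)                     /* no room, or buf was not terminated */
        return 0;
    size_t copy = n < size - len - 1 ? n : size - len - 1;
    memcpy(buf + len, s, copy);
    buf[len + copy] = '\0';              /* always terminated inside the array */
    return copy == n;
}

/* Same contract through snprintf, which must parse "%s" before copying. */
static int snprintf_append(char *buf, size_t size, const char *s)
{
    size_t len = bounded_len(buf, size);
    if (len >= size)
        return 0;
    int want = snprintf(buf + len, size - len, "%s", s);
    return want >= 0 && (size_t)want < size - len;
}

static char result[VER_SIZE];            /* constructed sample buffer */

/* Build base+suffix in result with either helper; returns the "fit" flag. */
static int build(int use_snprintf, const char *base, const char *suffix)
{
    result[0] = '\0';
    bounded_append(result, sizeof result, base);
    return use_snprintf ? snprintf_append(result, sizeof result, suffix)
                        : bounded_append(result, sizeof result, suffix);
}

int main(void)
{
    int fit = build(0, "0.12.50", "-custom");   /* constructed version strings */
    printf("%s (fit=%d)\n", result, fit);
    return 0;
}
```

Both helpers leave the array NUL-terminated and report truncation, so a caller can reject an over-long string instead of silently using a cut-off one.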