1 files changed, 12 insertions, 10 deletions

diff --git a/src/lib/delivery/delivery_install.c b/src/lib/delivery/delivery_install.c
index 2de80cf..1e2b82c 100644
--- a/src/lib/delivery/delivery_install.c
+++ b/src/lib/delivery/delivery_install.c
@@ -145,16 +145,16 @@ int delivery_purge_packages(struct Delivery *ctx, const char *env_name, int use_
         case PKG_USE_CONDA:
             fn = conda_exec;
             list = ctx->conda.conda_packages_purge;
-            strcpy(package_manager, "conda");
+            strncpy(package_manager, "conda", sizeof(package_manager) - 1);
             // conda is already configured for "always_yes"
-            strcpy(subcommand, "remove");
+            strncpy(subcommand, "remove", sizeof(subcommand) - 1);
             break;
         case PKG_USE_PIP:
             fn = pip_exec;
             list = ctx->conda.pip_packages_purge;
-            strcpy(package_manager, "pip");
+            strncpy(package_manager, "pip", sizeof(package_manager) - 1);
             // avoid user prompt to remove packages
-            strcpy(subcommand, "uninstall -y");
+            strncpy(subcommand, "uninstall -y", sizeof(subcommand) - 1);
             break;
         default:
             SYSERROR("Unknown package manager: %d", use_pkg_manager);
@@ -203,7 +203,7 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha
     }
 
     memset(command_base, 0, sizeof(command_base));
-    strcat(command_base, "install");
+    strncat(command_base, "install", sizeof(command_base) - strlen(command_base) - 1);
 
     typedef int (*Runner)(const char *);
     Runner runner = NULL;
@@ -214,15 +214,17 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha
     }
 
     if (INSTALL_PKG_CONDA_DEFERRED & type) {
-        strcat(command_base, " --use-local");
+        strncat(command_base, " --use-local", sizeof(command_base) - strlen(command_base) - 1);
     } else if (INSTALL_PKG_PIP_DEFERRED & type) {
         // Don't change the baseline package set unless we're working with a
         // new build. Release candidates will need to keep packages as stable
         // as possible between releases.
         if (!ctx->meta.based_on) {
-            strcat(command_base, " --upgrade");
+            strncat(command_base, " --upgrade", sizeof(command_base) - strlen(command_base) - 1);
         }
-        sprintf(command_base + strlen(command_base), " --extra-index-url 'file://%s'", ctx->storage.wheel_artifact_dir);
+        const char *command_base_fmt = " --extra-index-url 'file://%s'";
+        const int len = snprintf(NULL, 0, command_base_fmt, ctx->storage.wheel_artifact_dir);
+        snprintf(command_base + strlen(command_base), sizeof(command_base) - len, command_base_fmt, ctx->storage.wheel_artifact_dir);
     }
 
     size_t args_alloc_len = STASIS_BUFSIZ;
@@ -287,9 +289,9 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha
 
                     char req[255] = {0};
                     if (!strcmp(name, info->name)) {
-                        strcpy(req, info->name);
+                        strncpy(req, info->name, sizeof(req) - 1);
                     } else {
-                        strcpy(req, name);
+                        strncpy(req, name, sizeof(req) - 1);
                         char *spec = find_version_spec(req);
                         if (spec) {
                             *spec = 0;