From 87779a8c85eec0b71703ed3090a3949761396a15 Mon Sep 17 00:00:00 2001 From: Joseph Hunkeler Date: Wed, 15 Apr 2026 10:10:15 -0400 Subject: Replace sprintf with snprintf * A few strcpy and strcat changes as well --- src/lib/delivery/delivery_install.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/lib/delivery/delivery_install.c') diff --git a/src/lib/delivery/delivery_install.c b/src/lib/delivery/delivery_install.c index 2de80cf..fe3bc66 100644 --- a/src/lib/delivery/delivery_install.c +++ b/src/lib/delivery/delivery_install.c @@ -222,7 +222,9 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha if (!ctx->meta.based_on) { strcat(command_base, " --upgrade"); } - sprintf(command_base + strlen(command_base), " --extra-index-url 'file://%s'", ctx->storage.wheel_artifact_dir); + const char *command_base_fmt = " --extra-index-url 'file://%s'"; + const int len = snprintf(NULL, 0, command_base_fmt, ctx->storage.wheel_artifact_dir); + snprintf(command_base + strlen(command_base), sizeof(command_base) - len, command_base_fmt, ctx->storage.wheel_artifact_dir); } size_t args_alloc_len = STASIS_BUFSIZ; -- cgit From dc6b871b419159097c272fe21cdef6acece40a99 Mon Sep 17 00:00:00 2001 From: Joseph Hunkeler Date: Thu, 16 Apr 2026 11:52:11 -0400 Subject: Convert more strcat and strcpy to strn variants --- src/lib/delivery/delivery_install.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/lib/delivery/delivery_install.c') diff --git a/src/lib/delivery/delivery_install.c b/src/lib/delivery/delivery_install.c index fe3bc66..4970749 100644 --- a/src/lib/delivery/delivery_install.c +++ b/src/lib/delivery/delivery_install.c @@ -203,7 +203,7 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha } memset(command_base, 0, sizeof(command_base)); - strcat(command_base, "install"); + strncat(command_base, "install", sizeof(command_base) - strlen(command_base) - 1); typedef int (*Runner)(const char *); Runner runner = NULL; @@ -214,13 +214,13 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha } if (INSTALL_PKG_CONDA_DEFERRED & type) { - strcat(command_base, " --use-local"); + strncat(command_base, " --use-local", sizeof(command_base) - strlen(command_base) - 1); } else if (INSTALL_PKG_PIP_DEFERRED & type) { // Don't change the baseline package set unless we're working with a // new build. Release candidates will need to keep packages as stable // as possible between releases. if (!ctx->meta.based_on) { - strcat(command_base, " --upgrade"); + strncat(command_base, " --upgrade", sizeof(command_base) - strlen(command_base) - 1); } const char *command_base_fmt = " --extra-index-url 'file://%s'"; const int len = snprintf(NULL, 0, command_base_fmt, ctx->storage.wheel_artifact_dir); -- cgit From fdad37bc1854a973424459026cc32698ff5fe532 Mon Sep 17 00:00:00 2001 From: Joseph Hunkeler Date: Thu, 16 Apr 2026 12:54:34 -0400 Subject: Convert more strcpy to strn variant --- src/lib/delivery/delivery_install.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/lib/delivery/delivery_install.c') diff --git a/src/lib/delivery/delivery_install.c b/src/lib/delivery/delivery_install.c index 4970749..1e2b82c 100644 --- a/src/lib/delivery/delivery_install.c +++ b/src/lib/delivery/delivery_install.c @@ -145,16 +145,16 @@ int delivery_purge_packages(struct Delivery *ctx, const char *env_name, int use_ case PKG_USE_CONDA: fn = conda_exec; list = ctx->conda.conda_packages_purge; - strcpy(package_manager, "conda"); + strncpy(package_manager, "conda", sizeof(package_manager) - 1); // conda is already configured for "always_yes" - strcpy(subcommand, "remove"); + strncpy(subcommand, "remove", sizeof(subcommand) - 1); break; case PKG_USE_PIP: fn = pip_exec; list = ctx->conda.pip_packages_purge; - strcpy(package_manager, "pip"); + strncpy(package_manager, "pip", sizeof(package_manager) - 1); // avoid user prompt to remove packages - strcpy(subcommand, "uninstall -y"); + strncpy(subcommand, "uninstall -y", sizeof(subcommand) - 1); break; default: SYSERROR("Unknown package manager: %d", use_pkg_manager); @@ -289,9 +289,9 @@ int delivery_install_packages(struct Delivery *ctx, char *conda_install_dir, cha char req[255] = {0}; if (!strcmp(name, info->name)) { - strcpy(req, info->name); + strncpy(req, info->name, sizeof(req) - 1); } else { - strcpy(req, name); + strncpy(req, name, sizeof(req) - 1); char *spec = find_version_spec(req); if (spec) { *spec = 0; -- cgit