Convert more sprintf calls to snprintf

You could analyze most of these and quickly recognize that there was no
chance of buffer overflow already, but why make everyone spend time doing
that when we can just make it obviously safe?

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

4 files changed, 11 insertions, 10 deletions

diff --git a/src/ErrDes.c b/src/ErrDes.c
index 9a5b1805..ef5edad6 100644
--- a/src/ErrDes.c
+++ b/src/ErrDes.c
@@ -109,7 +109,7 @@ XGetErrorText(
 
     if (nbytes == 0) return 0;
     if (code <= BadImplementation && code > 0) {
-	sprintf(buf, "%d", code);
+        snprintf(buf, sizeof(buf), "%d", code);
         (void) XGetErrorDatabaseText(dpy, "XProtoError", buf,
                                      _XErrorList + _XErrorOffsets[code],
 				     buffer, nbytes);
@@ -125,11 +125,12 @@ XGetErrorText(
 	    bext = ext;
     }
     if (!buffer[0] && bext) {
-	sprintf(buf, "%s.%d", bext->name, code - bext->codes.first_error);
+	snprintf(buf, sizeof(buf), "%s.%d",
+                 bext->name, code - bext->codes.first_error);
 	(void) XGetErrorDatabaseText(dpy, "XProtoError", buf, "", buffer, nbytes);
     }
     if (!buffer[0])
-	sprintf(buffer, "%d", code);
+	snprintf(buffer, nbytes, "%d", code);
     return 0;
 }
 
@@ -190,7 +191,7 @@ XGetErrorDatabaseText(
 	else
 	    tptr = Xmalloc (tlen);
 	if (tptr) {
-	    sprintf(tptr, "%s.%s", name, type);
+	    snprintf(tptr, tlen, "%s.%s", name, type);
 	    XrmGetResource(db, tptr, "ErrorType.ErrorNumber",
 	      &type_str, &result);
 	    if (tptr != temp)
diff --git a/src/GetDflt.c b/src/GetDflt.c
index dfda1c64..6f62cd82 100644
--- a/src/GetDflt.c
+++ b/src/GetDflt.c
@@ -110,7 +110,7 @@ GetHomeDir(
 	len2 = strlen (ptr2);
     }
     if ((len1 + len2 + 1) < len)
-	sprintf (dest, "%s%s", ptr1, (ptr2) ? ptr2 : "");
+	snprintf (dest, len, "%s%s", ptr1, (ptr2) ? ptr2 : "");
     else
 	*dest = '\0';
 #else
diff --git a/src/KeysymStr.c b/src/KeysymStr.c
index f24f3b1d..c7c47046 100644
--- a/src/KeysymStr.c
+++ b/src/KeysymStr.c
@@ -107,7 +107,7 @@ char *XKeysymToString(KeySym ks)
 	XrmQuark empty = NULLQUARK;
 	GRNData data;
 
-	sprintf(buf, "%lX", ks);
+	snprintf(buf, sizeof(buf), "%lX", ks);
 	resval.addr = (XPointer)buf;
 	resval.size = strlen(buf) + 1;
 	data.name = (char *)NULL;
diff --git a/src/XlibInt.c b/src/XlibInt.c
index e4d35fdc..c4368426 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1432,7 +1432,7 @@ static int _XPrintDefaultError(
 	mesg, BUFSIZ);
     (void) fprintf(fp, mesg, event->request_code);
     if (event->request_code < 128) {
-	sprintf(number, "%d", event->request_code);
+	snprintf(number, sizeof(number), "%d", event->request_code);
 	XGetErrorDatabaseText(dpy, "XRequest", number, "", buffer, BUFSIZ);
     } else {
 	for (ext = dpy->ext_procs;
@@ -1452,7 +1452,7 @@ static int _XPrintDefaultError(
 	fputs("  ", fp);
 	(void) fprintf(fp, mesg, event->minor_code);
 	if (ext) {
-	    sprintf(mesg, "%s.%d", ext->name, event->minor_code);
+	    snprintf(mesg, sizeof(mesg), "%s.%d", ext->name, event->minor_code);
 	    XGetErrorDatabaseText(dpy, "XRequest", mesg, "", buffer, BUFSIZ);
 	    (void) fprintf(fp, " (%s)", buffer);
 	}
@@ -1475,8 +1475,8 @@ static int _XPrintDefaultError(
 		bext = ext;
 	}
 	if (bext)
-	    sprintf(buffer, "%s.%d", bext->name,
-		    event->error_code - bext->codes.first_error);
+	    snprintf(buffer, sizeof(buffer), "%s.%d", bext->name,
+                     event->error_code - bext->codes.first_error);
 	else
 	    strcpy(buffer, "Value");
 	XGetErrorDatabaseText(dpy, mtype, buffer, "", mesg, BUFSIZ);