--- cscope-15.5/src/display.c.orig 2007-03-05 12:01:59.000000000 -0500
+++ cscope-15.5/src/display.c 2007-03-05 12:02:10.000000000 -0500
@@ -217,7 +217,7 @@ display(void)
 disprefs < mdisprefs && screenline <= lastdispline;
 ++disprefs, ++screenline) {
 /* read the reference line */
- if (fscanf(refsfound, "%s%s%s %[^\n]", file, function,
+ if (fscanf(refsfound, "%" PATHLEN_STR "s%" PATHLEN_STR "s%" NUMLEN_STR "s %" TEMPSTRING_LEN_STR "[^\n]", file, function,
 linenum, tempstring) < 4) {
 break;
 }
--- cscope-15.5/src/build.c.orig 2007-03-05 12:01:59.000000000 -0500
+++ cscope-15.5/src/build.c 2007-03-05 12:02:10.000000000 -0500
@@ -115,7 +115,7 @@ samelist(FILE *oldrefs, char **names, in
 }
 /* see if the name list is the same */
 for (i = 0; i < count; ++i) {
- if (fscanf(oldrefs, "%s", oldname) != 1 ||
+ if (! fgets(oldname, sizeof(oldname), oldrefs)||
 strnotequal(oldname, names[i])) {
 return(NO);
 }
@@ -223,8 +223,8 @@ build(void)
 /* if there is an old cross-reference and its current directory matches */
 /* or this is an unconditional build */
 if ((oldrefs = vpfopen(reffile, "rb")) != NULL && unconditional == NO &&
- fscanf(oldrefs, "cscope %d %s", &fileversion, olddir) == 2 &&
- (strcmp(olddir, currentdir) == 0 || /* remain compatible */
+ fscanf(oldrefs, "cscope %d %" PATHLEN_STR "s", &fileversion, olddir) == 2
+ && (strcmp(olddir, currentdir) == 0 || /* remain compatible */
 strcmp(olddir, newdir) == 0)) {
 /* get the cross-reference file's modification time */
 (void) fstat(fileno(oldrefs), &statstruct);
@@ -292,7 +292,7 @@ build(void)
 /* see if the list of source files is the same and none have been changed up to the included files */
 for (i = 0; i < nsrcfiles; ++i) {
- if (fscanf(oldrefs, "%s", oldname) != 1 ||
+ if (! fgets(oldname, sizeof(oldname), oldrefs) ||
 strnotequal(oldname, srcfiles[i]) ||
 lstat(srcfiles[i], &statstruct) != 0 ||
 statstruct.st_mtime > reftime) {
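Review bot: The field widths on the new fscanf line stop the overflow, but truncation is silent: when `file`, `function` or the rest-of-line field is longer than its width the unread tail stays in `refsfound`, so the next iteration reads it as the start of a new record and every following row is misaligned rather than rejected. The widths also fix a buffer contract that the call site does not state; a comment such as `/* widths are buffer size - 1: file and function need PATHLEN+1, linenum NUMLEN+1, tempstring TEMPSTRING_LEN+1 */` would make it checkable, since the declarations of file, function and linenum are outside the hunk. Detecting an over-long record is safer than tolerating it, for example by reading the whole line with fgets into tempstring, checking for the trailing newline, and only then parsing it with sscanf. The same silent truncation applies to the width-limited fscanf calls in edit.c (editref, editall) and command.c (changestring). display() starts and ends outside the hunk.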
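Review bot: `fgets` keeps the newline that `%s` used to stop at, so `oldname` now holds `"name\n"`, and `strnotequal(oldname, names[i])` can only match if strnotequal ignores a trailing newline, which is not visible here; with a plain comparison the list never compares equal and the cross-reference is always rebuilt. The same switch is made in the hunks at build.c:292 and :301 (where the newline-terminated name is handed to addsrcfile) and at main.c:491 and :512; strip it after each successful fgets, e.g. `oldname[strcspn(oldname, "\n")] = '\0';`. A name longer than `sizeof(oldname)` leaves its tail in the stream for the next fgets, which returns it as a separate name, so a missing newline at the end of the buffer is the signal that the entry was too long and should be reported instead of compared. fgets also resumes wherever the previous read stopped, so if the header fields read before these loops still use fscanf (as the hunk at line 223 does) the unread end of that line has to be consumed first, or the first name read is an empty line. samelist() starts and ends outside the hunk.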
@@ -301,7 +301,7 @@ build(void)
 }
 /* the old cross-reference is up-to-date */
 /* so get the list of included files */
- while (i++ < oldnum && fscanf(oldrefs, "%s", oldname) == 1) {
+ while (i++ < oldnum && fgets(oldname, sizeof(oldname), oldrefs)) {
 addsrcfile(oldname);
 }
 (void) fclose(oldrefs);
--- cscope-15.5/src/dir.c.orig 2003-06-02 06:43:00.000000000 -0400
+++ cscope-15.5/src/dir.c 2007-03-05 12:02:10.000000000 -0500
@@ -319,7 +319,7 @@ makefilelist(void)
 /* Parse whitespace-terminated strings in line: */
 point_in_line = line;
- while (sscanf(point_in_line, "%s", path) == 1) {
+ while (sscanf(point_in_line, "%" PATHLEN_STR "s", path) == 1) {
 /* Have to store this length --- inviewpath() will
 * modify path, later! */
 length_of_name = strlen(path);
--- cscope-15.5/src/edit.c.orig 2001-07-18 09:49:01.000000000 -0400
+++ cscope-15.5/src/edit.c 2007-03-05 12:02:10.000000000 -0500
@@ -60,7 +60,7 @@ editref(int i)
 seekline(i + topline);
 /* get the file name and line number */
- if (fscanf(refsfound, "%s%*s%s", file, linenum) == 2) {
+ if (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s", file, linenum) == 2) {
 edit(file, linenum); /* edit it */
 }
 seekline(topline); /* restore the line pointer */
@@ -83,7 +83,7 @@ editall(void)
 seekline(1);
 /* get each file name and line number */
- while (fscanf(refsfound, "%s%*s%s%*[^\n]", file, linenum) == 2) {
+ while (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", file, linenum) == 2) {
 edit(file, linenum); /* edit it */
 if (editallprompt == YES) {
 addstr("Type ^D to stop editing all lines, or any other character to continue: ");
--- cscope-15.5/src/input.c.orig 2007-03-05 12:01:59.000000000 -0500
+++ cscope-15.5/src/input.c 2007-03-05 12:02:10.000000000 -0500
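Review bot: With the PATHLEN_STR width a token longer than PATHLEN no longer overflows `path` in makefilelist but is silently split: sscanf stops after PATHLEN characters, `length_of_name` becomes PATHLEN, and if the rest of the loop (outside the hunk) advances `point_in_line` by that length the remainder of the same token is parsed as a further file name on the next iteration. Treating `length_of_name == PATHLEN` as an over-long entry that is reported and skipped is the conservative fix, at the cost of refusing a path of exactly PATHLEN characters; a comment on the loop header should also state that the width is tied to the size of `path`, whose declaration is not visible here. makefilelist() starts and ends outside the hunk.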
@@ -293,16 +293,15 @@ shellpath(char *out, int limit, char *in
 /* if the login name is null, then use $HOME */
 if (*out == '\0') {
 v = getenv("HOME");
- }
- else { /* get the home directory of the login name */
+ } else { /* get the home directory of the login name */
 v = logdir(out);
 }
- /* copy the directory name */
- if (v != NULL) {
+ /* copy the directory name if it isn't too big */
+ if (v != NULL && strlen(v) < (lastchar - out)) {
 (void) strcpy(out - 1, v);
 out += strlen(v) - 1;
- }
- else { /* login not found, so ~ must be part of the file name */
+ } else {
+ /* login not found, so ~ must be part of the file name */
 out += strlen(out);
 }
 }
@@ -322,11 +321,11 @@ shellpath(char *out, int limit, char *in
 *s = '\0';
 /* get its value */
- if ((v = getenv(out)) != NULL) {
+ if ((v = getenv(out)) != NULL && strlen(v) < (lastchar - out)) {
 (void) strcpy(out - 1, v);
 out += strlen(v) - 1;
- }
- else { /* var not found, so $ must be part of the file name */
+ } else {
+ /* var not found, so $ must be part of the file name */
 out += strlen(out);
 }
 }
--- cscope-15.5/src/main.c.orig 2007-03-05 12:01:59.000000000 -0500
+++ cscope-15.5/src/main.c 2007-03-05 12:02:10.000000000 -0500
@@ -102,10 +102,10 @@ BOOL select_large = NO; /* enable more t
 #endif
 char temp1[PATHLEN + 1]; /* temporary file name */
 char temp2[PATHLEN + 1]; /* temporary file name */
-char tempdirpv[PATHLEN +1]; /* private temp directory */
+char tempdirpv[PATHLEN + 1]; /* private temp directory */
 long totalterms; /* total inverted index terms */
 BOOL trun_syms; /* truncate symbols to 8 characters */
-char tempstring[8192]; /* use this as a buffer, instead of 'yytext',
+char tempstring[TEMPSTRING_LEN + 1]; /* use this as a buffer, instead of 'yytext',
 * which had better be left alone */
 char *tmpdir; /* temporary directory */
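Review bot: `strlen(v) < (lastchar - out)` in the new condition compares a `size_t` with a `ptrdiff_t`; the difference is converted to unsigned, so should `out` ever sit at or past `lastchar` the negative difference becomes a huge value and the guard passes, and `-Wsign-compare` will warn about it. How `lastchar` is set and whether `out` can reach it are outside the hunks, so make the order explicit: `if (v != NULL && out < lastchar && strlen(v) < (size_t)(lastchar - out)) {` here and likewise in the hunk at line 322. When the value is too long the code now silently keeps `~user` or `$VAR` as literal file-name text, the same outcome as an unknown name; a comment such as `/* too long to expand: keep the ~/$ text literally */` records that this is intended rather than an oversight. shellpath() starts and ends outside the hunks.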
@@ -264,6 +264,13 @@ main(int argc, char **argv)
 s[11] = '\0';
 }
 #endif
+ if (strlen(reffile) > sizeof(path) - 1) {
+ char buffer[512];
+ sprintf(buffer,"cscope: reffile too long, cannot be > %d characters\n", sizeof(path) - 1);
+ postmsg(buffer);
+ myexit(1);
+ /* NOTREACHED */
+ }
 s = path + strlen(path);
 (void) strcpy(s, ".in");
 invname = stralloc(path);
@@ -491,11 +498,11 @@ lastarg:
 || (names = vpfopen(NAMEFILE, "r")) != NULL) {
 /* read any -p option from it */
- while (fscanf(names, "%s", path) == 1 && *path == '-') {
+ while (fgets(path, sizeof(path), names) != NULL && *path == '-') {
 i = path[1];
 s = path + 2; /* for "-Ipath" */
 if (*s == '\0') { /* if "-I path" */
- (void) fscanf(names, "%s", path);
+ fgets(path, sizeof(path), names);
 s = path;
 }
 switch (i) {
@@ -512,7 +519,7 @@ lastarg:
 }
 else {
 for (i = 0; i < nsrcfiles; ++i) {
- if (fscanf(oldrefs, "%s", path) != 1) {
+ if (!fgets(path, sizeof(path), oldrefs) ) {
 posterr("cscope: cannot read source file name from file %s\n", reffile);
 myexit(1);
 }
--- cscope-15.5/src/command.c.orig 2007-03-05 12:01:59.000000000 -0500
+++ cscope-15.5/src/command.c 2007-03-05 12:02:10.000000000 -0500
@@ -727,7 +727,7 @@ changestring(void)
 (void) fprintf(script, "ed - <<\\!\n");
 *oldfile = '\0';
 seekline(1);
- for (i = 0; fscanf(refsfound, "%s%*s%s%*[^\n]", newfile, linenum) == 2;
+ for (i = 0; fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", newfile, linenum) == 2;
 ++i) {
 /* see if the line is to be changed */
 if (change[i] == YES) {
--- cscope-15.5/src/constants.h.orig 2007-03-05 12:01:59.000000000 -0500
+++ cscope-15.5/src/constants.h 2007-03-05 12:02:10.000000000 -0500
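Review bot: The new guard in main is weaker than the write it protects: `s = path + strlen(path)` and `strcpy(s, ".in")` two lines below append three characters to what is already in `path`, so the limit must include the suffix, `if (strlen(reffile) + 3 > sizeof(path) - 1) {`. Those lines also show `path` is already populated at this point; if that content is reffile copied in above the hunk, the check runs after the copy it is meant to prevent and should move before it. `sizeof(path) - 1` is a `size_t` passed to `%d`, which is undefined behaviour; since posterr takes a format string (see the hunk at line 512) the sprintf/postmsg pair can become `posterr("cscope: reffile too long, cannot be > %d characters\n", (int)(sizeof(path) - 1));`. main() starts and ends outside the hunk.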
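Review bot: After the switch to fgets the `-I path` form is no longer recognised: an option line `-I` now arrives as `"-I\n"`, so `*s == '\0'` at `path + 2` is false and the newline becomes the argument, and every other argument now carries a trailing `\n` as well; strip it right after each fgets, e.g. `path[strcspn(path, "\n")] = '\0';`. The second `fgets(path, sizeof(path), names)` ignores its return value, so at end of file `path` keeps the previous line and `s = path` points at stale text; `if (fgets(path, sizeof(path), names) == NULL) break;` handles it, or keep the `(void)` cast the fscanf call had if ignoring it is deliberate. The loop body continues outside the hunk.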
@@ -68,6 +68,7 @@
 #define NUMLEN 5 /* line number length */
 #define PATHLEN 250 /* file pathname length */
 #define PATLEN 250 /* symbol pattern length */
+#define TEMPSTRING_LEN 8191 /* max strlen() of the global temp string */
 #define REFFILE "cscope.out" /* cross-reference output file */
 #define NAMEFILE "cscope.files" /* default list-of-files file */
 #define INVNAME "cscope.in.out" /* inverted index to the database */
@@ -77,6 +78,13 @@
 #define STMTMAX 10000 /* maximum source statement length */
+#define STR2(x) #x
+#define STRINGIZE(x) STR2(x)
+#define PATLEN_STR STRINGIZE(PATLEN)
+#define PATHLEN_STR STRINGIZE(PATHLEN)
+#define NUMLEN_STR STRINGIZE(NUMLEN)
+#define TEMPSTRING_LEN_STR STRINGIZE(TEMPSTRING_LEN)
+
 /* screen lines */
 #define FLDLINE (LINES - FIELDS - 1) /* first input field line */
 #define MSGLINE 0 /* message line */
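Review bot: The new `*_STR` macros encode a buffer-size contract that nothing states: a PATHLEN_STR width stores up to PATHLEN characters plus the terminator, so every buffer such a conversion targets must be at least PATHLEN + 1 bytes, and likewise for NUMLEN, PATLEN and TEMPSTRING_LEN, which is deliberately one less than the 8192 that tempstring used to be. Put that above the macros, e.g. `/* scanf field widths: a "%" X_STR "s" conversion writes up to X chars plus NUL, so the target buffer must be at least X + 1 bytes (cf. tempstring in main.c) */`. `PATLEN_STR` is not used by any hunk in this patch; if it is for a later change, say so, otherwise drop it. NUMLEN is 5, so a NUMLEN_STR width truncates any line number above 99999 and leaves the remaining digits to be read as the next field, which is worth a note next to NUMLEN.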