speakup: replace sprintf() by scnprintf()
authorSamuel Thibault <samuel.thibault@ens-lyon.org>
Wed, 30 Jun 2021 22:42:48 +0000 (00:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 21 Jul 2021 11:46:03 +0000 (13:46 +0200)
Replace sprintf() by scnprintf() in order to avoid buffer overflows.

Signed-off-by: Salah Triki <salah.triki@gmail.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Link: https://lore.kernel.org/r/20210630224248.2iq6o6krecx4cz5j@begin
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/accessibility/speakup/speakup_soft.c

index c3f97c5..19824e7 100644 (file)
@@ -153,18 +153,25 @@ static char *get_initstring(void)
        static char buf[40];
        char *cp;
        struct var_t *var;
+       size_t len;
+       size_t n;
 
        memset(buf, 0, sizeof(buf));
        cp = buf;
+       len = sizeof(buf);
+
        var = synth_soft.vars;
        while (var->var_id != MAXVARS) {
                if (var->var_id != CAPS_START && var->var_id != CAPS_STOP &&
-                   var->var_id != PAUSE && var->var_id != DIRECT)
-                       cp = cp + sprintf(cp, var->u.n.synth_fmt,
-                                         var->u.n.value);
+                   var->var_id != PAUSE && var->var_id != DIRECT) {
+                       n = scnprintf(cp, len, var->u.n.synth_fmt,
+                                     var->u.n.value);
+                       cp = cp + n;
+                       len = len - n;
+               }
                var++;
        }
-       cp = cp + sprintf(cp, "\n");
+       cp = cp + scnprintf(cp, len, "\n");
        return buf;
 }
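Review bot: Truncation is now silent in the loop and at the final newline: once the 40-byte `buf` is full, `scnprintf()` writes nothing further and returns 0, so the returned init string can be cut in the middle of a setting and lose its trailing `"\n"`. Reserving the last byte for the newline would keep that terminator, e.g. `len = sizeof(buf) - 1;` before the loop and `scnprintf(cp, len + 1, "\n");` after it. A one-time warning when `len` runs out would also make an overlong set of `synth_fmt` strings visible instead of sending a partial string. The `cp = cp +` on the last call is a dead store, since `cp` is not read again before `return buf;`. The function's signature and opening brace lie above the hunk.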