--0-996703937-1104525863=:78680 Content-Type: text/plain; charset=us-ascii Content-Id: Content-Disposition: inline Hi, I was using Korganizer to look at an .ics file and it crashed. I investigated the problem and found that a buffer was not big enough to hold the text being created via sprintf. The fact that sprintf was being used and not snprintf caused a great deal of concern since kdepim handles files from untrusted sources. I decided to review all places that were using sprintf in kdepim and found several places where the wrong sized buffer was used. I also found one case where sprintf was being called directly on the arguments without a "%s"! To briefly go over the wrong sized buffers (please refer to the attached patch): libical/src/libical/icaltime.c This is not exploitable as it writes to the heap in a formatted way. It *will* crash korganizer. 26 bytes are needed as a minimum according to the ctime man page. libical/src/libical/icalvalue.c There are 2 overflows here. In both cases the overflow involves printing a floating point number. The buffers overflowed seem to be on the heap as well. I think this is hard to exploit as you would be limited to ascii values for digits. I allow 40 bytes for %f. 1 for the sign, 30 for the whole number, 1 for the decimal point, and 6 for the fraction. libical/src/libical/sspm.c This is a 1 byte overflow on the stack. I traced its callers and it seems related to multi-part write and mime-write. It also turns out the only caller of this in kdepim is a mime test function. Unless the function is called indirectly or by another kde application that's not in kdepim, this overflow never comes into play. Attached is a patch that removes almost all sprintf's in favor of snprintf and expands the size of the above mentioned buffers to make sure they are big enough. There very well may be other overflows because of MAX_PATH being 4096 and file name buffers seem to be 256 bytes in kdepim.
snprintf at least keeps the stack from being hammered. Thanks, -Steve Grubb __________________________________ Do you Yahoo!? Jazz up your holiday email with celebrity designs. Learn more. http://celebrity.mail.yahoo.com --0-996703937-1104525863=:78680 Content-Type: text/x-patch; name="kdepim-3.3.1-buffer.patch" Content-Description: kdepim-3.3.1-buffer.patch Content-Disposition: inline; filename="kdepim-3.3.1-buffer.patch" diff -ur kdepim-3.3.1.orig/korganizer/plugins/holidays/parseholiday.c kdepim-3.3.1/korganizer/plugins/holidays/parseholiday.c --- kdepim-3.3.1.orig/korganizer/plugins/holidays/parseholiday.c 2004-12-07 10:49:37.000000000 -0500 +++ kdepim-3.3.1/korganizer/plugins/holidays/parseholiday.c 2004-12-08 11:16:45.017365216 -0500 @@ -1392,7 +1392,7 @@ fprintf(stderr, "%s: %s in line %d of %s\n", progname, msg, kcallineno+1, filename); if (!*errormsg) - sprintf(errormsg, + snprintf(errormsg, sizeof(errormsg), "Problem with holiday file %s:\n%.80s in line %d", filename, msg, kcallineno+1); } @@ -1750,7 +1750,7 @@ progname, pathbuf, path); home = "."; } - sprintf(pathbuf, "%s/%s", home, path+1); + snprintf(pathbuf, sizeof(pathbuf), "%s/%s", home, path+1); return(pathbuf); } diff -ur kdepim-3.3.1.orig/libical/src/libical/icalderivedvalue.c.in kdepim-3.3.1/libical/src/libical/icalderivedvalue.c.in --- kdepim-3.3.1.orig/libical/src/libical/icalderivedvalue.c.in 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icalderivedvalue.c.in 2004-12-08 11:47:21.229218584 -0500 
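Review bot: `sizeof(errormsg)` bounds the write only if `errormsg` is a character array at this point; its declaration is outside the hunk, and if it is a `char *` or an array parameter the limit silently becomes the size of a pointer. The same needs confirming for every other `sizeof(...)` bound this patch adds on a buffer declared outside its hunk: `pathbuf` in the next hunk, `mimetype` in icalmime.c, `temp` in icalparser.c, icalrecur.c and sspm.c, `filename`, `path` and `uidstring` in icaldirset.c, `tmp` in icalmessage.c and `buf` in dw_date.cpp. Where the name turns out to be a pointer, pass the real capacity instead of `sizeof`.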
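Review bot: A `home`/`path` pair longer than `pathbuf` is now cut short without any signal, and the shortened string is still returned by `return(pathbuf);`, so the caller goes on to use a different file name from the one requested. Check the result, e.g. `n = snprintf(pathbuf, sizeof(pathbuf), "%s/%s", home, path+1);` followed by `if (n < 0 || (size_t)n >= sizeof(pathbuf))` taking the function's failure path. The same unchecked truncation applies to `filename` and `path` in the icaldirset.c hunks, where `filename` goes straight to `stat()`. The function starts outside this hunk, so the appropriate failure return is not visible here.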
@@ -39,7 +39,7 @@ #include "icalvalueimpl.h" #include /* for malloc */ -#include /* for sprintf */ +#include /* for snprintf */ #include /* For memset, others */ #include /* For offsetof() macro */ #include diff -ur kdepim-3.3.1.orig/libical/src/libical/icalduration.c kdepim-3.3.1/libical/src/libical/icalduration.c --- kdepim-3.3.1.orig/libical/src/libical/icalduration.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icalduration.c 2004-12-08 11:49:17.718509520 -0500 @@ -198,7 +198,7 @@ char temp[TMP_BUF_SIZE]; - sprintf(temp,"%d",value); + snprintf(temp,sizeof(temp),"%d",value); icalmemory_append_string(buf, buf_ptr, buf_size, temp); icalmemory_append_string(buf, buf_ptr, buf_size, sep); diff -ur kdepim-3.3.1.orig/libical/src/libical/icalmime.c kdepim-3.3.1/libical/src/libical/icalmime.c --- kdepim-3.3.1.orig/libical/src/libical/icalmime.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icalmime.c 2004-12-08 11:17:58.413207352 -0500 @@ -195,7 +195,7 @@ minor = parts[i].header.minor_text; } - sprintf(mimetype,"%s/%s",major,minor); + snprintf(mimetype,sizeof(mimetype),"%s/%s",major,minor); comp = icalcomponent_new(ICAL_XLICMIMEPART_COMPONENT); diff -ur kdepim-3.3.1.orig/libical/src/libical/icalparser.c kdepim-3.3.1/libical/src/libical/icalparser.c --- kdepim-3.3.1.orig/libical/src/libical/icalparser.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icalparser.c 2004-12-08 11:19:19.729845344 -0500 @@ -49,7 +49,7 @@ #include "icalcomponent.h" #include /* For strncpy & size_t */ -#include /* For FILE and fgets and sprintf */ +#include /* For FILE and fgets and snprintf */ #include /* for free */ 
@@ -933,7 +933,7 @@ icalproperty_kind prop_kind = icalproperty_isa(prop); icalcomponent* tail = pvl_data(pvl_tail(impl->components)); - sprintf(temp,"Cant parse as %s value in %s property. Removing entire property", + snprintf(temp,sizeof(temp),"Cant parse as %s value in %s property. Removing entire property", icalvalue_kind_to_string(value_kind), icalproperty_kind_to_string(prop_kind)); @@ -961,7 +961,7 @@ icalproperty_kind prop_kind = icalproperty_isa(prop); icalcomponent *tail = pvl_data(pvl_tail(impl->components)); - sprintf(temp,"No value for %s property. Removing entire property", + snprintf(temp,sizeof(temp),"No value for %s property. Removing entire property", icalproperty_kind_to_string(prop_kind)); insert_error(tail, str, temp, diff -ur kdepim-3.3.1.orig/libical/src/libical/icalrecur.c kdepim-3.3.1/libical/src/libical/icalrecur.c --- kdepim-3.3.1.orig/libical/src/libical/icalrecur.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icalrecur.c 2004-12-08 11:48:46.796210424 -0500 @@ -488,13 +488,13 @@ } if(recur->count != 0){ - sprintf(temp,"%d",recur->count); + snprintf(temp,sizeof(temp),"%d",recur->count); icalmemory_append_string(&str,&str_p,&buf_sz,";COUNT="); icalmemory_append_string(&str,&str_p,&buf_sz, temp); } if(recur->interval != 0){ - sprintf(temp,"%d",recur->interval); + snprintf(temp,sizeof(temp),"%d",recur->interval); icalmemory_append_string(&str,&str_p,&buf_sz,";INTERVAL="); icalmemory_append_string(&str,&str_p,&buf_sz, temp); } 
@@ -521,12 +521,12 @@ if (pos == 0) icalmemory_append_string(&str,&str_p,&buf_sz,daystr); else { - sprintf(temp,"%d%s",pos,daystr); + snprintf(temp,sizeof(temp),"%d%s",pos,daystr); icalmemory_append_string(&str,&str_p,&buf_sz,temp); } } else { - sprintf(temp,"%d",array[i]); + snprintf(temp,sizeof(temp),"%d",array[i]); icalmemory_append_string(&str,&str_p,&buf_sz, temp); } diff -ur kdepim-3.3.1.orig/libical/src/libical/icaltime.c kdepim-3.3.1/libical/src/libical/icaltime.c --- kdepim-3.3.1.orig/libical/src/libical/icaltime.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icaltime.c 2004-12-08 11:23:56.583757152 -0500 @@ -341,13 +341,13 @@ } #endif -char ctime_str[20]; +static char ctime_str[28]; char* icaltime_as_ctime(struct icaltimetype t) { time_t tt; tt = icaltime_as_timet(t); - sprintf(ctime_str,"%s",ctime(&tt)); + snprintf(ctime_str,sizeof(ctime_str),"%s",ctime(&tt)); ctime_str[strlen(ctime_str)-1] = 0; @@ -355,7 +355,7 @@ } -short days_in_month[] = {0,31,28,31,30,31,30,31,31,30,31,30,31}; +static const short days_in_month[] = {0,31,28,31,30,31,30,31,31,30,31,30,31}; short icaltime_days_in_month(short month,short year) { diff -ur kdepim-3.3.1.orig/libical/src/libical/icalvalue.c kdepim-3.3.1/libical/src/libical/icalvalue.c --- kdepim-3.3.1.orig/libical/src/libical/icalvalue.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/icalvalue.c 2004-12-08 11:51:58.425078408 -0500 @@ -38,7 +38,7 @@ #include "icalvalueimpl.h" #include /* for malloc */ -#include /* for sprintf */ +#include /* for snprintf */ #include /* For memset, others */ #include /* For offsetof() macro */ #include @@ -269,7 +269,7 @@ if (error != 0){ char temp[TMP_BUF_SIZE]; - sprintf(temp,"%s Values are not implemented", + snprintf(temp,sizeof(temp),"%s Values are not implemented", icalparameter_kind_to_string(kind)); *error = icalproperty_vanew_xlicerror( temp, 
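Review bot: In `icaltime_as_ctime`, `ctime()` can return NULL for a time value it cannot represent, and the new `snprintf(ctime_str,sizeof(ctime_str),"%s",ctime(&tt));` still hands that result straight to `%s`. The unchanged `ctime_str[strlen(ctime_str)-1] = 0;` also indexes before the buffer whenever the string is empty. Guard both, for example `const char *s = ctime(&tt);` with an early return (or an empty `ctime_str`) when `s == NULL`, and strip the newline only when the length is non-zero. Separately, adding `static` to `ctime_str` here and to `days_in_month` in the next hunk removes two external symbols, which should be checked against other translation units. The end of the function is outside the hunk.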
@@ -351,7 +351,7 @@ if (error != 0){ char temp[TMP_BUF_SIZE]; - sprintf(temp,"GEO Values are not implemented"); + strcpy(temp,"GEO Values are not implemented"); *error = icalproperty_vanew_xlicerror( temp, icalparameter_new_xlicerrortype( @@ -573,7 +573,7 @@ data = icalvalue_get_binary(value); str = (char*)icalmemory_tmp_buffer(60); - sprintf(str,"icalvalue_binary_as_ical_string is not implemented yet"); + strcpy(str,"icalvalue_binary_as_ical_string is not implemented yet"); return str; } @@ -614,7 +614,7 @@ m = (data - (h*3600))/ 60; s = (data - (h*3600) - (m*60)); - sprintf(str,"%c%02d%02d%02d",sign,abs(h),abs(m),abs(s)); + snprintf(str,9,"%c%02d%02d%02d",sign,abs(h),abs(m),abs(s)); return str; } @@ -771,9 +771,9 @@ char temp[20]; if (data->is_utc == 1){ - sprintf(temp,"%02d%02d%02dZ",data->hour,data->minute,data->second); + snprintf(temp,sizeof(temp),"%02d%02d%02dZ",data->hour,data->minute,data->second); } else { - sprintf(temp,"%02d%02d%02d",data->hour,data->minute,data->second); + snprintf(temp,sizeof(temp),"%02d%02d%02d",data->hour,data->minute,data->second); } strcat(str,temp); @@ -784,7 +784,7 @@ { char temp[20]; - sprintf(temp,"%04d%02d%02d",data->year,data->month,data->day); + snprintf(temp,sizeof(temp),"%04d%02d%02d",data->year,data->month,data->day); strcat(str,temp); } @@ -847,9 +847,9 @@ icalerror_check_arg_rz( (value!=0),"value"); data = icalvalue_get_float(value); - str = (char*)icalmemory_tmp_buffer(15); + str = (char*)icalmemory_tmp_buffer(40); - sprintf(str,"%f",data); + snprintf(str,40,"%f",data); return str; } 
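Review bot: The literal `9` in `snprintf(str,9,"%c%02d%02d%02d",...)` repeats a size that is fixed where `str` is allocated, outside this hunk, so the bound and the allocation can drift apart unnoticed. Use one named constant (or a local `size_t` holding the allocation size) for both the `icalmemory_tmp_buffer` call and the `snprintf` bound. The same applies to the literals `40` and `80` in the float and geo hunks of this file and to `25` in rungpg.c. An offset whose hour part needs more than two digits is also now truncated silently, so a range check on `data` before formatting would be more useful than a cut-off string.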
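Review bot: The `strcat(str,temp);` after the converted calls is still unbounded: this hunk and the date hunk after it limit the write into `temp` but not the append into `str`, whose capacity is not visible in either hunk. Pass the remaining capacity down and use a bounded append, or document the size the callers guarantee. With `char temp[20]`, out-of-range `hour`/`minute`/`second` or `year`/`month`/`day` values are now truncated instead of overflowing, which yields a malformed time or date string; validating the field ranges before formatting would avoid emitting it.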
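Review bot: 40 bytes does not hold every `%f` result: the largest finite `float` has 39 integer digits, so with sign, decimal point, six decimals and the terminator it needs 48 bytes, and a `double` needs more than 300. With `snprintf(str,40,"%f",data);` the excess is now truncated rather than written past the buffer, but the caller receives a cut-off number with no indication. Either size the buffer from the type's limits or check the result, e.g. `if (snprintf(str,40,"%f",data) >= 40)` and report an error. The geo hunk that follows (`"%f;%f"` into 80 bytes) has the same gap; the declared type of `data` is outside both hunks.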
@@ -862,9 +862,9 @@ data = icalvalue_get_geo(value); - str = (char*)icalmemory_tmp_buffer(25); + str = (char*)icalmemory_tmp_buffer(80); - sprintf(str,"%f;%f",data.lat,data.lon); + snprintf(str,80,"%f;%f",data.lat,data.lon); return str; } diff -ur kdepim-3.3.1.orig/libical/src/libical/sspm.c kdepim-3.3.1/libical/src/libical/sspm.c --- kdepim-3.3.1.orig/libical/src/libical/sspm.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libical/sspm.c 2004-12-08 11:27:27.036763432 -0500 @@ -1243,9 +1243,9 @@ void sspm_append_hex(struct sspm_buffer* buf, char ch) { - char tmp[3]; + char tmp[4]; - sprintf(tmp,"=%02X",ch); + snprintf(tmp,sizeof(tmp),"=%02X",ch); sspm_append_string(buf,tmp); } @@ -1474,19 +1474,19 @@ minor = header->minor_text; } - sprintf(temp,"Content-Type: %s/%s",major,minor); + snprintf(temp,sizeof(temp),"Content-Type: %s/%s",major,minor); sspm_append_string(buf,temp); if(header->boundary != 0){ - sprintf(temp,";boundary=\"%s\"",header->boundary); + snprintf(temp,sizeof(temp),";boundary=\"%s\"",header->boundary); sspm_append_string(buf,temp); } /* Append any content type parameters */ if(header->content_type_params != 0){ for(i=0; *(header->content_type_params[i])!= 0;i++){ - sprintf(temp,header->content_type_params[i]); + snprintf(temp,sizeof(temp),"%s",header->content_type_params[i]); sspm_append_char(buf,';'); sspm_append_string(buf,temp); } @@ -1498,7 +1498,7 @@ if(header->encoding != SSPM_UNKNOWN_ENCODING && header->encoding != SSPM_NO_ENCODING){ - sprintf(temp,"Content-Transfer-Encoding: %s\n", + snprintf(temp,sizeof(temp),"Content-Transfer-Encoding: %s\n", sspm_encoding_string(header->encoding)); } diff -ur kdepim-3.3.1.orig/libical/src/libicalss/icaldirset.c kdepim-3.3.1/libical/src/libicalss/icaldirset.c --- kdepim-3.3.1.orig/libical/src/libicalss/icaldirset.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libicalss/icaldirset.c 2004-12-08 11:29:24.260942648 -0500 
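Review bot: In `sspm_append_hex`, `ch` is a plain `char`, so where `char` is signed any byte of 0x80 or above is sign-extended on promotion and `%02X` produces eight hex digits. With `char tmp[4]` and `snprintf` that output is now truncated to `=FF` for every such byte, so the overflow is gone but the encoded result is wrong. Convert before formatting: `snprintf(tmp,sizeof(tmp),"=%02X",(unsigned char)ch);`.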
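Review bot: Copying `header->content_type_params[i]` through `temp` now silently truncates a long parameter, and the copy is unnecessary: `sspm_append_string(buf,header->content_type_params[i]);` appends the string directly with no intermediate limit. Likewise a long `header->boundary` loses its closing quote when `";boundary=\"%s\""` is truncated, which leaves a malformed Content-Type header; check the `snprintf` result there or append the three pieces separately. `temp` is declared outside the hunk, so its size is not visible here.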
@@ -259,7 +259,7 @@ icalerror_check_arg_rz( (store!=0), "store"); - sprintf(filename,"%s/%s",impl->dir,"SEQUENCE"); + snprintf(filename,sizeof(filename),"%s/%s",impl->dir,"SEQUENCE"); /* Create the file if it does not exist.*/ if (stat(filename,&sbuf) == -1 || !S_ISREG(sbuf.st_mode)){ @@ -321,7 +321,7 @@ return ICAL_NO_ERROR; } - sprintf(path,"%s/%s",impl->dir,(char*)pvl_data(impl->directory_iterator)); + snprintf(path,sizeof(path),"%s/%s",impl->dir,(char*)pvl_data(impl->directory_iterator)); icalfileset_free(impl->cluster); @@ -345,7 +345,7 @@ uname(&unamebuf); - sprintf(uidstring,"%d-%s",(int)getpid(),unamebuf.nodename); + snprintf(uidstring,sizeof(uidstring),"%d-%s",(int)getpid(),unamebuf.nodename); uid = icalproperty_new_uid(uidstring); icalcomponent_add_property(comp,uid); diff -ur kdepim-3.3.1.orig/libical/src/libicalss/icalmessage.c kdepim-3.3.1/libical/src/libicalss/icalmessage.c --- kdepim-3.3.1.orig/libical/src/libicalss/icalmessage.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libical/src/libicalss/icalmessage.c 2004-12-08 11:30:30.015946368 -0500 @@ -158,7 +158,7 @@ icalcomponent_add_property(reply,icalproperty_new_version("2.0")); - sprintf(tmp, + snprintf(tmp,sizeof(tmp), "-//SoftwareStudio//NONSGML %s %s //EN",PACKAGE,VERSION); icalcomponent_add_property(reply,icalproperty_new_prodid(tmp)); diff -ur kdepim-3.3.1.orig/libkcal/versit/vcc.c kdepim-3.3.1/libkcal/versit/vcc.c --- kdepim-3.3.1.orig/libkcal/versit/vcc.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libkcal/versit/vcc.c 2004-12-08 11:12:48.541315040 -0500 @@ -2115,7 +2115,7 @@ } else { char msg[255]; - sprintf(msg, "can't open file '%s' for reading\n", fname); + snprintf(msg, sizeof(msg), "can't open file '%s' for reading\n", fname); mime_error_(msg); return 0; } 
@@ -2139,7 +2139,7 @@ { char msg[256]; if (mimeErrorHandler) { - sprintf(msg,"%s at line %d", s, mime_lineNum); + snprintf(msg, sizeof(msg), "%s at line %d", s, mime_lineNum); mimeErrorHandler(msg); } } diff -ur kdepim-3.3.1.orig/libkcal/versit/vobject.c kdepim-3.3.1/libkcal/versit/vobject.c --- kdepim-3.3.1.orig/libkcal/versit/vobject.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libkcal/versit/vobject.c 2004-12-08 11:45:13.289668352 -0500 @@ -1181,13 +1181,13 @@ } case VCVT_UINT: { char buf[16]; - sprintf(buf,"%u", INTEGER_VALUE_OF(o)); + snprintf(buf,sizeof(buf),"%u", INTEGER_VALUE_OF(o)); appendsOFile(fp,buf); break; } case VCVT_ULONG: { char buf[16]; - sprintf(buf,"%lu", LONG_VALUE_OF(o)); + snprintf(buf,sizeof(buf),"%lu", LONG_VALUE_OF(o)); appendsOFile(fp,buf); break; } diff -ur kdepim-3.3.1.orig/libkdenetwork/libgpgme-copy/assuan/assuan-handler.c kdepim-3.3.1/libkdenetwork/libgpgme-copy/assuan/assuan-handler.c --- kdepim-3.3.1.orig/libkdenetwork/libgpgme-copy/assuan/assuan-handler.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libkdenetwork/libgpgme-copy/assuan/assuan-handler.c 2004-12-08 11:42:40.807849112 -0500 @@ -487,13 +487,13 @@ char errline[256]; if (rc < 100) - sprintf (errline, "ERR %d server fault (%.50s)", + snprintf (errline, sizeof(errline), "ERR %d server fault (%.50s)", ASSUAN_Server_Fault, assuan_strerror (rc)); else { const char *text = ctx->err_no == rc? ctx->err_str:NULL; - sprintf (errline, "ERR %d %.50s%s%.100s", + snprintf (errline, sizeof(errline),"ERR %d %.50s%s%.100s", rc, assuan_strerror (rc), text? " - ":"", text?text:""); } rc = assuan_write_line (ctx, errline); diff -ur kdepim-3.3.1.orig/libkdenetwork/libgpgme-copy/gpgme/rungpg.c kdepim-3.3.1/libkdenetwork/libgpgme-copy/gpgme/rungpg.c --- kdepim-3.3.1.orig/libkdenetwork/libgpgme-copy/gpgme/rungpg.c 2004-12-07 10:49:41.000000000 -0500 +++ kdepim-3.3.1/libkdenetwork/libgpgme-copy/gpgme/rungpg.c 2004-12-08 11:41:15.487819728 -0500 
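Review bot: In the `VCVT_ULONG` case, `char buf[16]` is too small for `%lu` where `unsigned long` is 64 bits: the largest value has 20 digits, so `snprintf(buf,sizeof(buf),"%lu", LONG_VALUE_OF(o));` now truncates the number and a wrong value is written to the output. Size the buffer from the type, e.g. `char buf[3*sizeof(unsigned long)+1];`. This assumes `LONG_VALUE_OF` yields an `unsigned long` as the format implies; the macro is defined outside the hunk, as are the start and end of the `switch`.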
@@ -386,7 +386,7 @@ { char buf[25]; - sprintf (buf, "%d", gpg->status.fd[1]); + snprintf (buf, sizeof(buf), "%d", gpg->status.fd[1]); rc = add_arg (gpg, buf); if (rc) goto leave; @@ -701,7 +701,7 @@ free_argv (argv); return gpg_error_from_errno (saved_errno); } - sprintf (argv[argc], + snprintf (argv[argc], 25, a->print_fd ? "%d" : "-&%d", fd_data_map[datac].peer_fd); argc++; diff -ur kdepim-3.3.1.orig/mimelib/datetime.cpp kdepim-3.3.1/mimelib/datetime.cpp --- kdepim-3.3.1.orig/mimelib/datetime.cpp 2004-12-07 10:49:42.000000000 -0500 +++ kdepim-3.3.1/mimelib/datetime.cpp 2004-12-08 11:37:47.768397880 -0500 @@ -315,7 +315,7 @@ char sgn = (mZone < 0) ? '-' : '+'; int z = (mZone < 0) ? -mZone : mZone; char buffer[80]; - sprintf(buffer, "%s, %d %s %4d %02d:%02d:%02d %c%02d%02d", + snprintf(buffer, sizeof(buffer), "%s, %d %s %4d %02d:%02d:%02d %c%02d%02d", lWeekDay[dow], mDay, lMonth[(mMonth-1)%12], mYear, mHour, mMinute, mSecond, sgn, z/60%24, z%60); mString = buffer; diff -ur kdepim-3.3.1.orig/mimelib/dw_date.cpp kdepim-3.3.1/mimelib/dw_date.cpp --- kdepim-3.3.1.orig/mimelib/dw_date.cpp 2004-12-07 10:49:42.000000000 -0500 +++ kdepim-3.3.1/mimelib/dw_date.cpp 2004-12-08 11:37:10.233104112 -0500 @@ -688,7 +688,7 @@ gmtime(&tt, &ptms); tms1 = *ptms; sgn = (zone1 >= 0) ? '+' : '-'; - sprintf(buf, "%s, %2d %s %d %d%d:%d%d:%d%d %c%d%d%d%d", + snprintf(buf, sizeof(buf), "%s, %2d %s %d %d%d:%d%d:%d%d %c%d%d%d%d", wdays[tms1.tm_wday], tms1.tm_mday, months[tms1.tm_mon], tms1.tm_year+1900, tms1.tm_hour/10, tms1.tm_hour%10, diff -ur kdepim-3.3.1.orig/mimelib/nntp.cpp kdepim-3.3.1/mimelib/nntp.cpp --- kdepim-3.3.1.orig/mimelib/nntp.cpp 2004-12-07 10:49:42.000000000 -0500 +++ kdepim-3.3.1/mimelib/nntp.cpp 2004-12-08 11:36:37.629060680 -0500 
@@ -111,7 +111,7 @@ mStatusResponse = mTextResponse = ""; mLastCommand = kCmdArticle; if (aArticleNum >= 0) { - sprintf(mSendBuffer, "ARTICLE %d\r\n", aArticleNum); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "ARTICLE %d\r\n", aArticleNum); } else { strcpy(mSendBuffer, "ARTICLE\r\n"); @@ -160,7 +160,7 @@ mStatusResponse = mTextResponse = ""; mLastCommand = kCmdHead; if (aArticleNum >= 0) { - sprintf(mSendBuffer, "HEAD %d\r\n", aArticleNum); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "HEAD %d\r\n", aArticleNum); } else { strcpy(mSendBuffer, "HEAD\r\n"); @@ -208,7 +208,7 @@ mStatusResponse = mTextResponse = ""; mLastCommand = kCmdBody; if (articleNum >= 0) { - sprintf(mSendBuffer, "BODY %d\r\n", articleNum); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "BODY %d\r\n", articleNum); } else { strcpy(mSendBuffer, "BODY\r\n"); @@ -256,7 +256,7 @@ mStatusResponse = mTextResponse = ""; mLastCommand = kCmdStat; if (articleNum >= 0) { - sprintf(mSendBuffer, "STAT %d\r\n", articleNum); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "STAT %d\r\n", articleNum); } else { strcpy(mSendBuffer, "STAT\r\n"); diff -ur kdepim-3.3.1.orig/mimelib/pop.cpp kdepim-3.3.1/mimelib/pop.cpp --- kdepim-3.3.1.orig/mimelib/pop.cpp 2004-12-07 10:49:42.000000000 -0500 +++ kdepim-3.3.1/mimelib/pop.cpp 2004-12-08 11:35:14.139752984 -0500 @@ -195,7 +195,7 @@ mStatusCode = 0; mSingleLineResponse = mMultiLineResponse = ""; mLastCommand = kCmdList; - sprintf(mSendBuffer, "LIST %d\r\n", aMsg); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "LIST %d\r\n", aMsg); DBG_POP_STMT(cout << "C: " << mSendBuffer << flush;) int bufferLen = strlen(mSendBuffer); int numSent = PSend(mSendBuffer, bufferLen); 
@@ -211,7 +211,7 @@ mStatusCode = 0; mSingleLineResponse = mMultiLineResponse = ""; mLastCommand = kCmdRetr; - sprintf(mSendBuffer, "RETR %d\r\n", aMsg); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "RETR %d\r\n", aMsg); DBG_POP_STMT(cout << "C: " << mSendBuffer << flush;) int bufferLen = strlen(mSendBuffer); int numSent = PSend(mSendBuffer, bufferLen); @@ -230,7 +230,7 @@ mStatusCode = 0; mSingleLineResponse = mMultiLineResponse = ""; mLastCommand = kCmdDele; - sprintf(mSendBuffer, "DELE %d\r\n", aMsg); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "DELE %d\r\n", aMsg); DBG_POP_STMT(cout << "C: " << mSendBuffer << flush;) int bufferLen = strlen(mSendBuffer); int numSent = PSend(mSendBuffer, bufferLen); @@ -314,7 +314,7 @@ mStatusCode = 0; mSingleLineResponse = mMultiLineResponse = ""; mLastCommand = kCmdTop; - sprintf(mSendBuffer, "TOP %d %d\r\n", aMsg, aNumLines); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "TOP %d %d\r\n", aMsg, aNumLines); DBG_POP_STMT(cout << "C: " << mSendBuffer << flush;) int bufferLen = strlen(mSendBuffer); int numSent = PSend(mSendBuffer, bufferLen); @@ -352,7 +352,7 @@ mStatusCode = 0; mSingleLineResponse = mMultiLineResponse = ""; mLastCommand = kCmdUidl; - sprintf(mSendBuffer, "UIDL %d\r\n", aMsg); + snprintf(mSendBuffer, SEND_BUFFER_SIZE, "UIDL %d\r\n", aMsg); DBG_POP_STMT(cout << "C: " << mSendBuffer << flush); int bufferLen = strlen(mSendBuffer); int numSent = PSend(mSendBuffer, bufferLen); diff -ur kdepim-3.3.1.orig/mimelib/uuencode.cpp kdepim-3.3.1/mimelib/uuencode.cpp --- kdepim-3.3.1.orig/mimelib/uuencode.cpp 2004-12-07 10:49:42.000000000 -0500 +++ kdepim-3.3.1/mimelib/uuencode.cpp 2004-12-08 11:33:12.191291968 -0500 @@ -125,7 +125,7 @@ // Write the "begin" line - sprintf(ascBuf, "begin %o %s" DW_EOL, mMode, mFileName); + snprintf(ascBuf, ascSize, "begin %o %s" DW_EOL, mMode, mFileName); ascPos = strlen(ascBuf); // Encode the binary chars --0-996703937-1104525863=:78680--
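Review bot: If `mFileName` is long enough for the begin line to exceed `ascSize`, `snprintf(ascBuf, ascSize, "begin %o %s" DW_EOL, mMode, mFileName);` now truncates the line and drops its `DW_EOL`, yet `ascPos = strlen(ascBuf);` carries on and the encoded data is appended to the broken line. Keep the return value and fail the encode when it is negative or not smaller than `ascSize`. `ascBuf` and `ascSize` are set outside the hunk, so it is also worth confirming that `ascSize` is the full allocated size of `ascBuf` at this point.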