
Re: mass bug filing for undefined sn?printf use

On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
> While fixing one of the affected packages, I discovered that it was
> using similarly problematic syntax to act as a strcat replacement of the
> form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch.  I
> can't imagine that's a common mistake, but it's easy enough to match on
> as well:
>   pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'

Oh!  Good catch, thank you.  I've started a re-run with the regex changed.
So far, it's already caught new stuff.  I'll post updated details once it
has finished.

Kees Cook                                            @debian.org
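
Added example, not part of the original thread: the pattern quoted above, run through Python's `re` module (which accepts the same syntax, including the `\1` backreference) over a constructed C snippet to show which calls it flags and which it skips. `find_self_append` and `SAMPLE_C` are hypothetical names introduced for this illustration.

```python
import re

# Pattern quoted in the message above, unchanged. The \1 backreference
# requires the first argument after the format string to be textually
# identical to the destination buffer.
SELF_APPEND = re.compile(
    r'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'
)

# Constructed C source for illustration (not taken from any package).
SAMPLE_C = r'''
void f(char *buf, char *msg, const char *name) {
    sprintf(buf, "%s\n", buf);            /* dest also passed as source */
    sprintf(msg,
            "%s: %s", msg, name);         /* same, split across lines */
    sprintf(buf, "%s\n", name);           /* distinct source: not flagged */
    sprintf(buf, "[%s]", buf);            /* overlap, but format does not
                                             start with %s: pattern skips it */
}
'''


def find_self_append(source):
    """Return (line_number, destination_expression) for each match.

    The whole file is searched as one string, so a call wrapped over
    several lines is still found, as with pcregrep -M.
    """
    hits = []
    for m in SELF_APPEND.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).strip()))
    return hits


if __name__ == "__main__":
    for line, dest in find_self_append(SAMPLE_C):
        print(f"line {line}: sprintf reads from and writes to {dest!r}")
```

The last call in the sample shows the pattern's scope: it only covers formats that begin with `%s`, so other overlapping uses need a separate check.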
