From cd3ce9ab4ea629f874a2b691233fbc86f5c918bb Mon Sep 17 00:00:00 2001
From: Ahmed Mohamed Abd El-MAwgood
Date: Tue, 17 May 2016 15:44:52 +0300
Subject: [PATCH] Fixing overflow in the string array

---
 .gitignore | 1 +
 libr/anal/cc.c | 45 +++++++++++++++++++--------------------------
 2 files changed, 20 insertions(+), 26 deletions(-)

diff --git a/.gitignore b/.gitignore
index aa726c2ff5..b7309367c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+clang-log/
 *._d
 *._o
 *.[ado]
diff --git a/libr/anal/cc.c b/libr/anal/cc.c
index 27c9fa9636..a75a40d0f0 100644
--- a/libr/anal/cc.c
+++ b/libr/anal/cc.c
@@ -74,12 +74,8 @@ R_API void r_anal_cc_reset (RAnalCC *cc) {
 R_API char *r_anal_cc_to_string (RAnal *anal, RAnalCC* cc) {
  RSyscallItem *si;
  RAnalFunction *fcn;
- char str[1024], buf[64];
+ char buf[64], *str = NULL;
  int i, eax = 0; // eax = arg0
- int str_len = 0;
- int buf_len = 0;
-
- str[0] = 0;
  switch (cc->type) {
  case R_ANAL_CC_TYPE_FASTCALL: // INT
  {
@@ -94,7 +90,7 @@ R_API char *r_anal_cc_to_string (RAnal *anal, RAnalCC* cc) {
  si = r_syscall_get (anal->syscall, eax, (int)cc->jump);
  if (si) {
  //DEBUG r_cons_printf (" ; sc[0x%x][%d]=%s(", (int)analop.value, eax, si->name);
- snprintf (str, sizeof (str), "%s (", si->name);
+ str = r_str_newf ("%s (", si->name);
  for (i=0; iargs; i++) {
  const char *reg = r_syscall_reg (anal->syscall, i + 1, si->args);
  if (!reg) break; // no registers?
@@ -102,17 +98,17 @@ R_API char *r_anal_cc_to_string (RAnal *anal, RAnalCC* cc) {
  if (item) {
  ut64 val = r_reg_get_value (anal->reg, item);
  snprintf (buf, sizeof (buf), "0x%"PFMT64x, val);
- strcat (str, buf); // XXX: do not use strcat
+ str = r_str_concat (str, buf);
  } //else eprintf ("Unknown reg '%s'\n", reg);
  if (i < si->args-1) {
- strcat (str, ","); // XXX: do not use strcat
+ str = r_str_concat (str, ",");
  }
  }
- strcat (str, ")");
+ str = r_str_concat (str, ",");
  } else {
  int n = (int)cc->jump;
  //if (n == 3) return NULL; // XXX: hack for x86
- snprintf (str, sizeof (str), "syscall[0x%x][%d]=?", n, eax);
+ str = r_str_newf ("syscall[0x%x][%d]=?", n, eax);
  }
  }
  break;
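Review bot: The line that terminates the syscall argument list now appends `","` instead of `")"`: the removed line was `strcat (str, ")");` but its replacement reads `str = r_str_concat (str, ",");`, so every formatted syscall string ends with a trailing comma and never gets its closing parenthesis. It should be `str = r_str_concat (str, ")");`. Separately, `r_str_newf` is presumably able to return NULL on allocation failure and `str` is then fed straight into `r_str_concat` in the loop; whether that helper tolerates a NULL first argument is not visible in this hunk, so it is worth confirming rather than assuming. The enclosing r_anal_cc_to_string begins before this hunk.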
@@ -122,36 +118,33 @@ R_API char *r_anal_cc_to_string (RAnal *anal, RAnalCC* cc) {
  case R_ANAL_CC_TYPE_STDCALL: // CALL
  fcn = r_anal_get_fcn_in (anal, cc->jump, R_ANAL_FCN_TYPE_FCN|R_ANAL_FCN_TYPE_SYM|R_ANAL_FCN_TYPE_IMP);
- if (fcn && fcn->name)
- snprintf (str, sizeof (str), "%s(", fcn->name);
- else if (cc->jump != -1LL)
- snprintf (str, sizeof (str), "0x%08"PFMT64x"(", cc->jump);
- else strncpy (str, "unk(", sizeof (str)-1);
- str_len = strlen (str);
+ if (fcn && fcn->name) {
+ str = r_str_newf ("%s(", fcn->name);
+ } else if (cc->jump != -1LL) {
+ str = r_str_newf ("0x%08"PFMT64x"(", cc->jump);
+ } else {
+ str = r_str_newf ("unk(");
+ }
  if (fcn) cc->nargs = (fcn->nargs>cc->nargs?fcn->nargs:cc->nargs);
  if (cc->nargs>8) {
  //eprintf ("too many arguments for stdcall. chop to 8\n");
  cc->nargs = 8;
  }
  // TODO: optimize string concat
- for (i=0; inargs; i++) {
+ for (i=0; i < cc->nargs; i++) {
  if (cc->args[cc->nargs-i] != -1LL)
  snprintf (buf, sizeof (buf), "0x%"PFMT64x, cc->args[cc->nargs-i]);
  else strncpy (buf, "unk", sizeof (buf)-1);
- buf_len = strlen (buf);
- if ((buf_len+str_len+5)>=sizeof (str)) {
- strcat (str, "...");
- break;
+ str = r_str_concat (str, buf);
+ if (i < cc->nargs-1) {
+ str = r_str_concat (str, ", ");
  }
- strcat (str, buf);
- str_len += buf_len;
- if (inargs-1) strcat (str, ", ");
  }
- strcat (str, ")");
+ str = r_str_concat (str, ")");
  break;
  }
- return strdup (str);
+ return str;
 }
 R_API bool r_anal_cc_update (RAnal *anal, RAnalCC *cc, RAnalOp *op) {
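Review bot: `return str;` changes the function's contract for any `cc->type` that no `case` handles: the old code always returned `strdup ("")` because `str[0] = 0` ran before the switch, whereas `str` now starts as NULL and is returned untouched, so a caller that never checked for NULL will dereference it. The cases between this hunk and the FASTCALL one are outside the visible hunks, so whether such a type is reachable cannot be confirmed here; if it is, either preserve the old behaviour with `return str ? str : strdup ("");` or audit every caller for a NULL check. The unchanged indexing `cc->args[cc->nargs-i]` reads element `nargs` on the first iteration (i=0) and never element 0, which looks like an off-by-one inherited from the old loop; whether it stays in bounds depends on the declared size of `args`, which is not shown. The function begins before this hunk.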