Changed strcpy to strncpy, sprintf to snprintf and query parameter checks to avoid vulnerabilities.

git-svn-id: http://svn.zoneminder.com/svn/zm/trunk@1017 e3e1d417-86f3-4887-817a-d78f3d33393f

src/zm_config.cpp

@@ -138,7 +138,7 @@ void Config::Load()
 {
 	static char sql[BUFSIZ];
 
-	strcpy( sql, "select Name, Value, Type from Config order by Id" );
+	strncpy( sql, "select Name, Value, Type from Config order by Id", sizeof(sql) );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));

src/zm_debug.c

@@ -115,7 +115,7 @@ int zmGetDebugEnv( const char * const command )
 	{
 		zm_dbg_level = atoi(env_ptr);
 	}
-	sprintf( buffer, "ZM_DBG_LOG_%s", command );
+	snprintf( buffer, sizeof(buffer), "ZM_DBG_LOG_%s", command );
 	env_ptr = getenv( buffer );
 	if ( env_ptr != (char *)NULL )
 	{
@@ -130,11 +130,11 @@ int zmGetDebugEnv( const char * const command )
 		}
 		if ( zm_dbg_add_log_id == FALSE )
 		{
-			strcpy( zm_dbg_log, env_ptr );
+			strncpy( zm_dbg_log, env_ptr, sizeof(zm_dbg_log) );
 		}
 		else
 		{
-			sprintf( zm_dbg_log, "%s.%05d", env_ptr, getpid() );
+			snprintf( zm_dbg_log, sizeof(zm_dbg_log), "%s.%05d", env_ptr, getpid() );
 		}
 	}
 
@@ -299,7 +299,7 @@ int zmDbgOutput( const char *fstring, ... )
 	{
 		zmDbgSubtractTime( &tp, &zm_dbg_start );
 
-		sprintf( time_string, "%ld.%03ld", tp.tv_sec, tp.tv_usec/1000 );
+		snprintf( time_string, sizeof(time_string), "%ld.%03ld", tp.tv_sec, tp.tv_usec/1000 );
 	}
 	else
 	{

src/zm_event.cpp

@@ -48,7 +48,7 @@ Event::Event( Monitor *p_monitor, struct timeval p_start_time ) : monitor( p_mon
 	static char start_time_str[32];
 
 	strftime( start_time_str, sizeof(start_time_str), "%Y-%m-%d %H:%M:%S", localtime( &start_time.tv_sec ) );
-	sprintf( sql, "insert into Events ( MonitorId, Name, StartTime ) values ( %d, 'New Event', '%s' )", monitor->Id(), start_time_str );
+	snprintf( sql, sizeof(sql), "insert into Events ( MonitorId, Name, StartTime ) values ( %d, 'New Event', '%s' )", monitor->Id(), start_time_str );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't insert event: %s", mysql_error( &dbconn ) ));
@@ -60,7 +60,7 @@ Event::Event( Monitor *p_monitor, struct timeval p_start_time ) : monitor( p_mon
 	alarm_frames = 0;
 	tot_score = 0;
 	max_score = 0;
-	sprintf( path, "%s/%s/%d", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id );
+	snprintf( path, sizeof(path), "%s/%s/%d", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id );
 	
 	struct stat statbuf;
 	errno = 0;
@@ -84,7 +84,7 @@ Event::~Event()
 
 	strftime( end_time_str, sizeof(end_time_str), "%Y-%m-%d %H:%M:%S", localtime( &end_time.tv_sec ) );
 
-	sprintf( sql, "update Events set Name='Event-%d', EndTime = '%s', Length = %s%ld.%02ld, Frames = %d, AlarmFrames = %d, TotScore = %d, AvgScore = %d, MaxScore = %d where Id = %d", id, end_time_str, delta_time.positive?"":"-", delta_time.sec, delta_time.fsec, frames, alarm_frames, tot_score, (int)(alarm_frames?(tot_score/alarm_frames):0), max_score, id );
+	snprintf( sql, sizeof(sql), "update Events set Name='Event-%d', EndTime = '%s', Length = %s%ld.%02ld, Frames = %d, AlarmFrames = %d, TotScore = %d, AvgScore = %d, MaxScore = %d where Id = %d", id, end_time_str, delta_time.positive?"":"-", delta_time.sec, delta_time.fsec, frames, alarm_frames, tot_score, (int)(alarm_frames?(tot_score/alarm_frames):0), max_score, id );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't update event: %s", mysql_error( &dbconn ) ));
@@ -138,11 +138,11 @@ bool Event::OpenFrameSocket( int monitor_id )
 	}
 
 	char sock_path[PATH_MAX] = "";
-	sprintf( sock_path, "%s/zmf-%d.sock", (const char *)config.Item( ZM_PATH_SOCKS ), monitor_id );
+	snprintf( sock_path, sizeof(sock_path), "%s/zmf-%d.sock", (const char *)config.Item( ZM_PATH_SOCKS ), monitor_id );
 
 	struct sockaddr_un addr;
 
-	strcpy( addr.sun_path, sock_path );
+	strncpy( addr.sun_path, sock_path, sizeof(addr.sun_path) );
 	addr.sun_family = AF_UNIX;
 
 	if ( connect( sd, (struct sockaddr *)&addr, strlen(addr.sun_path)+sizeof(addr.sun_family)) < 0 )
@@ -245,13 +245,13 @@ bool Event::WriteFrameImage( Image *image, struct timeval timestamp, const char
 void Event::AddFrames( int n_frames, Image **images, struct timeval **timestamps )
 {
 	static char sql[BUFSIZ];
-	strcpy( sql, "insert into Frames ( EventId, FrameId, Delta ) values " );
+	strncpy( sql, "insert into Frames ( EventId, FrameId, Delta ) values ", BUFSIZ );
 	for ( int i = 0; i < n_frames; i++ )
 	{
 		frames++;
 
 		static char event_file[PATH_MAX];
-		sprintf( event_file, capture_file_format, path, frames );
+		snprintf( event_file, sizeof(event_file), capture_file_format, path, frames );
 		
 		Debug( 1, ( "Writing pre-capture frame %d", frames ));
 		WriteFrameImage( images[i], *(timestamps[i]), event_file );
@@ -259,7 +259,8 @@ void Event::AddFrames( int n_frames, Image **images, struct timeval **timestamps
 		struct DeltaTimeval delta_time;
 		DELTA_TIMEVAL( delta_time, *(timestamps[i]), start_time, DT_PREC_2 );
 
-		sprintf( sql+strlen(sql), "( %d, %d, %s%ld.%02ld ), ", id, frames, delta_time.positive?"":"-", delta_time.sec, delta_time.fsec );
+		int sql_len = strlen(sql);
+		snprintf( sql+sql_len, sizeof(sql)-sql_len, "( %d, %d, %s%ld.%02ld ), ", id, frames, delta_time.positive?"":"-", delta_time.sec, delta_time.fsec );
 	}
 
 	Debug( 1, ( "Adding %d frames to DB", n_frames ));
@@ -276,7 +277,7 @@ void Event::AddFrame( Image *image, struct timeval timestamp, int score, Image *
 	frames++;
 
 	static char event_file[PATH_MAX];
-	sprintf( event_file, capture_file_format, path, frames );
+	snprintf( event_file, sizeof(event_file), capture_file_format, path, frames );
 		
 	Debug( 1, ( "Writing capture frame %d", frames ));
 	WriteFrameImage( image, timestamp, event_file );
@@ -292,7 +293,7 @@ void Event::AddFrame( Image *image, struct timeval timestamp, int score, Image *
 
 		Debug( 1, ( "Adding frame %d to DB", frames ));
 		static char sql[BUFSIZ];
-		sprintf( sql, "insert into Frames ( EventId, FrameId, Type, Delta, Score ) values ( %d, %d, '%s', %s%ld.%02ld, %d )", id, frames, frame_type, delta_time.positive?"":"-", delta_time.sec, delta_time.fsec, score );
+		snprintf( sql, sizeof(sql), "insert into Frames ( EventId, FrameId, Type, Delta, Score ) values ( %d, %d, '%s', %s%ld.%02ld, %d )", id, frames, frame_type, delta_time.positive?"":"-", delta_time.sec, delta_time.fsec, score );
 		if ( mysql_query( &dbconn, sql ) )
 		{
 			Error(( "Can't insert frame: %s", mysql_error( &dbconn ) ));
@@ -312,7 +313,7 @@ void Event::AddFrame( Image *image, struct timeval timestamp, int score, Image *
 
 		if ( alarm_image )
 		{
-			sprintf( event_file, analyse_file_format, path, frames );
+			snprintf( event_file, sizeof(event_file), analyse_file_format, path, frames );
 
 			Debug( 1, ( "Writing analysis frame %d", frames ));
 			WriteFrameImage( alarm_image, timestamp, event_file, true );
@@ -323,7 +324,7 @@ void Event::AddFrame( Image *image, struct timeval timestamp, int score, Image *
 	{
 		char diag_glob[PATH_MAX] = "";
 
-		sprintf( diag_glob, "%s/%s/diag-*.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name() );
+		snprintf( diag_glob, sizeof(diag_glob), "%s/%s/diag-*.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name() );
 		glob_t pglob;
 		int glob_status = glob( diag_glob, 0, 0, &pglob );
 		if ( glob_status != 0 )
@@ -348,7 +349,7 @@ void Event::AddFrame( Image *image, struct timeval timestamp, int score, Image *
 
 				if ( diag_file )
 				{
-					sprintf( new_diag_path, general_file_format, path, frames, diag_file );
+					snprintf( new_diag_path, sizeof(new_diag_path), general_file_format, path, frames, diag_file );
 
 					if ( rename( diag_path, new_diag_path ) < 0 )
 					{
@@ -369,7 +370,7 @@ void Event::StreamEvent( int event_id, int scale, int rate, int maxfps )
 	if ( !initialised )
 		Initialise();
 
-	sprintf( sql, "select M.Id, M.Name, E.Frames, max(F.Delta)-min(F.Delta) as Duration from Events as E inner join Monitors as M on E.MonitorId = M.Id inner join Frames as F on E.Id = F.EventId where E.Id = %d group by E.Id", event_id );
+	snprintf( sql, sizeof(sql), "select M.Id, M.Name, E.Frames, max(F.Delta)-min(F.Delta) as Duration from Events as E inner join Monitors as M on E.MonitorId = M.Id inner join Frames as F on E.Id = F.EventId where E.Id = %d group by E.Id", event_id );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));
@@ -390,7 +391,7 @@ void Event::StreamEvent( int event_id, int scale, int rate, int maxfps )
 		exit( mysql_errno( &dbconn ) );
 	}
 
-	sprintf( eventpath, "%s/%s/%s/%d", ZM_PATH_WEB, (const char *)config.Item( ZM_DIR_EVENTS ), dbrow[1], event_id );
+	snprintf( eventpath, sizeof(eventpath), "%s/%s/%s/%d", ZM_PATH_WEB, (const char *)config.Item( ZM_DIR_EVENTS ), dbrow[1], event_id );
 	int frames = atoi(dbrow[2]);
 	int duration = atoi(dbrow[3]);
 
@@ -411,7 +412,7 @@ void Event::StreamEvent( int event_id, int scale, int rate, int maxfps )
 
 	mysql_free_result( result );
 
-	sprintf( sql, "select FrameId, EventId, Delta from Frames where EventId = %d order by FrameId", event_id );
+	snprintf( sql, sizeof(sql), "select FrameId, EventId, Delta from Frames where EventId = %d order by FrameId", event_id );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));
@@ -456,7 +457,7 @@ void Event::StreamEvent( int event_id, int scale, int rate, int maxfps )
 				Debug( 2, ( "I:%d, DI:%d, LDBI:%d, DD:%lf, LD:%lf, LDBD:%lf, TD:%lf, DU:%d", id, db_id, last_db_id, db_delta, last_delta, last_db_delta, this_delta, delta_us ));
 
 				static char filepath[PATH_MAX];
-				sprintf( filepath, capture_file_format, eventpath, id );
+				snprintf( filepath, sizeof(filepath), capture_file_format, eventpath, id );
 
 				if ( scale == 100 )
 				{
@@ -516,7 +517,7 @@ void Event::StreamMpeg( int event_id, const char *format, int scale, int rate, i
 
 	bool timed_frames = (bool)config.Item( ZM_VIDEO_TIMED_FRAMES );
 
-	sprintf( sql, "select M.Id, M.Name, E.Frames, max(F.Delta)-min(F.Delta) as Duration from Events as E inner join Monitors as M on E.MonitorId = M.Id inner join Frames as F on E.Id = F.EventId where E.Id = %d group by E.Id", event_id );
+	snprintf( sql, sizeof(sql), "select M.Id, M.Name, E.Frames, max(F.Delta)-min(F.Delta) as Duration from Events as E inner join Monitors as M on E.MonitorId = M.Id inner join Frames as F on E.Id = F.EventId where E.Id = %d group by E.Id", event_id );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));
@@ -537,7 +538,7 @@ void Event::StreamMpeg( int event_id, const char *format, int scale, int rate, i
 		exit( mysql_errno( &dbconn ) );
 	}
 
-	sprintf( eventpath, "%s/%s/%s/%d", ZM_PATH_WEB, (const char *)config.Item( ZM_DIR_EVENTS ), dbrow[1], event_id );
+	snprintf( eventpath, sizeof(eventpath), "%s/%s/%s/%d", ZM_PATH_WEB, (const char *)config.Item( ZM_DIR_EVENTS ), dbrow[1], event_id );
 	int frames = atoi(dbrow[2]);
 	int duration = atoi(dbrow[3]);
 
@@ -558,7 +559,7 @@ void Event::StreamMpeg( int event_id, const char *format, int scale, int rate, i
 
 	mysql_free_result( result );
 
-	sprintf( sql, "select FrameId, EventId, Delta from Frames where EventId = %d order by FrameId", event_id );
+	snprintf( sql, sizeof(sql), "select FrameId, EventId, Delta from Frames where EventId = %d order by FrameId", event_id );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));
@@ -614,7 +615,7 @@ void Event::StreamMpeg( int event_id, const char *format, int scale, int rate, i
 			if ( (frame_mod == 1) || (((id-1)%frame_mod) == 0) )
 			{
 				static char filepath[PATH_MAX];
-				sprintf( filepath, capture_file_format, eventpath, id );
+				snprintf( filepath, sizeof(filepath), capture_file_format, eventpath, id );
 
 				Image image( filepath );
 

src/zm_event.h

@@ -70,9 +70,9 @@ protected:
 
 		timestamp_on_capture = (bool)config.Item( ZM_TIMESTAMP_ON_CAPTURE );
 		bulk_frame_interval = (int)config.Item( ZM_BULK_FRAME_INTERVAL );
-		sprintf( capture_file_format, "%%s/%%0%dd-capture.jpg", (int)config.Item( ZM_EVENT_IMAGE_DIGITS ) );
+		snprintf( capture_file_format, sizeof(capture_file_format), "%%s/%%0%dd-capture.jpg", (int)config.Item( ZM_EVENT_IMAGE_DIGITS ) );
-		sprintf( analyse_file_format, "%%s/%%0%dd-analyse.jpg", (int)config.Item( ZM_EVENT_IMAGE_DIGITS ) );
+		snprintf( analyse_file_format, sizeof(analyse_file_format), "%%s/%%0%dd-analyse.jpg", (int)config.Item( ZM_EVENT_IMAGE_DIGITS ) );
-		sprintf( general_file_format, "%%s/%%0%dd-%%s.jpg", (int)config.Item( ZM_EVENT_IMAGE_DIGITS ) );
+		snprintf( general_file_format, sizeof(general_file_format), "%%s/%%0%dd-%%s.jpg", (int)config.Item( ZM_EVENT_IMAGE_DIGITS ) );
 	}
 
 public:

src/zm_image.cpp

@@ -711,7 +711,7 @@ void Image::Timestamp( const char *label, const time_t when, const Coord &coord
 	char text[64];
 	if ( label )
 	{
-		sprintf( text, "%s - %s", label, time_text );
+		snprintf( text, sizeof(text), "%s - %s", label, time_text );
 		Annotate( text, coord );
 	}
 	else

src/zm_local_camera.cpp

@@ -62,7 +62,7 @@ void LocalCamera::Initialise()
 {
 	char device_path[64];
 
-	sprintf( device_path, "/dev/video%d", device );
+	snprintf( device_path, sizeof(device_path), "/dev/video%d", device );
 	if ( (m_videohandle=open(device_path, O_RDWR)) < 0 )
 	{
 		Error(( "Failed to open video device %s: %s", device_path, strerror(errno) ));
@@ -256,7 +256,7 @@ bool LocalCamera::GetCurrentSettings( int device, char *output, bool verbose )
 	char device_path[64];
 
 	output[0] = 0;
-	sprintf( device_path, "/dev/video%d", device );
+	snprintf( device_path, sizeof(device_path), "/dev/video%d", device );
 	if ( verbose )
 		sprintf( output, output+strlen(output), "Checking Video Device: %s\n", device_path );
 	if ( (m_videohandle=open(device_path, O_RDWR)) <=0 )

src/zm_monitor.cpp

@@ -85,7 +85,7 @@ Monitor::Monitor(
 	name = new char[strlen(p_name)+1];
 	strcpy( name, p_name );
 
-	strcpy( label_format, p_label_format );
+	strncpy( label_format, p_label_format, sizeof(label_format) );
 
 	camera = new LocalCamera( p_device, p_channel, p_format, (p_orientation%2)?width:height, (orientation%2)?height:width, p_palette, purpose==CAPTURE );
 
@@ -141,7 +141,7 @@ Monitor::Monitor(
 	name = new char[strlen(p_name)+1];
 	strcpy( name, p_name );
 
-	strcpy( label_format, p_label_format );
+	strncpy( label_format, p_label_format, sizeof(label_format) );
 
 	camera = new RemoteCamera( p_host, p_port, p_path, (p_orientation%2)?width:height, (orientation%2)?height:width, p_palette, purpose==CAPTURE );
 
@@ -261,7 +261,7 @@ void Monitor::Setup()
 	{
 		static char	path[PATH_MAX];
 
-		strcpy( path, (const char *)config.Item( ZM_DIR_EVENTS ) );
+		strncpy( path, (const char *)config.Item( ZM_DIR_EVENTS ), sizeof(path) );
 
 		struct stat statbuf;
 		errno = 0;
@@ -274,7 +274,7 @@ void Monitor::Setup()
 			}
 		}
 
-		sprintf( path, "%s/%s", (const char *)config.Item( ZM_DIR_EVENTS ), name );
+		snprintf( path, sizeof(path), "%s/%s", (const char *)config.Item( ZM_DIR_EVENTS ), name );
 
 		errno = 0;
 		stat( path, &statbuf );
@@ -321,7 +321,7 @@ int Monitor::GetImage( int index, int scale ) const
 	}
 
 	static char filename[PATH_MAX];
-	sprintf( filename, "%s.jpg", name );
+	snprintf( filename, sizeof(filename), "%s.jpg", name );
 	if ( !timestamp_on_capture )
 	{
 		TimestampImage( &snap_image, snap->timestamp->tv_sec );
@@ -571,7 +571,7 @@ void Monitor::DumpZoneImage()
 		zone_image.Hatch( colour, &(zones[i]->Limits()) );
 	}
 	static char filename[PATH_MAX];
-	sprintf( filename, "%s-Zones.jpg", name );
+	snprintf( filename, sizeof(filename), "%s-Zones.jpg", name );
 	zone_image.WriteJpeg( filename );
 }
 
@@ -579,10 +579,10 @@ void Monitor::DumpImage( Image *dump_image ) const
 {
 	if ( image_count && !(image_count%10) )
 	{
-		static char new_filename[PATH_MAX];
 		static char filename[PATH_MAX];
-		sprintf( filename, "%s.jpg", name );
+		static char new_filename[PATH_MAX];
-		sprintf( new_filename, "%s-new.jpg", name );
+		snprintf( filename, sizeof(filename), "%s.jpg", name );
+		snprintf( new_filename, sizeof(new_filename), "%s-new.jpg", name );
 		dump_image->WriteJpeg( new_filename );
 		rename( new_filename, filename );
 	}
@@ -856,11 +856,11 @@ int Monitor::Load( int device, Monitor **&monitors, Purpose purpose )
 	static char sql[BUFSIZ];
 	if ( device == -1 )
 	{
-		strcpy( sql, "select Id, Name, Function+0, Device, Channel, Format, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Local'" );
+		strncpy( sql, "select Id, Name, Function+0, Device, Channel, Format, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Local'", sizeof(sql) );
 	}
 	else
 	{
-		sprintf( sql, "select Id, Name, Function+0, Device, Channel, Format, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Local' and Device = %d", device );
+		snprintf( sql, sizeof(sql), "select Id, Name, Function+0, Device, Channel, Format, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Local' and Device = %d", device );
 	}
 	if ( mysql_query( &dbconn, sql ) )
 	{
@@ -925,11 +925,11 @@ int Monitor::Load( const char *host, const char*port, const char *path, Monitor
 	static char sql[BUFSIZ];
 	if ( !host )
 	{
-		strcpy( sql, "select Id, Name, Function+0, Host, Port, Path, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Remote'" );
+		strncpy( sql, "select Id, Name, Function+0, Host, Port, Path, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Remote'", sizeof(sql) );
 	}
 	else
 	{
-		sprintf( sql, "select Id, Name, Function+0, Host, Port, Path, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Remote' and Host = '%s' and Port = '%s' and Path = '%s'", host, port, path );
+		snprintf( sql, sizeof(sql), "select Id, Name, Function+0, Host, Port, Path, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Function != 'None' and Type = 'Remote' and Host = '%s' and Port = '%s' and Path = '%s'", host, port, path );
 	}
 	if ( mysql_query( &dbconn, sql ) )
 	{
@@ -992,7 +992,7 @@ int Monitor::Load( const char *host, const char*port, const char *path, Monitor
 Monitor *Monitor::Load( int id, bool load_zones, Purpose purpose )
 {
 	static char sql[BUFSIZ];
-	sprintf( sql, "select Id, Name, Type, Function+0, Device, Channel, Format, Host, Port, Path, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Id = %d", id );
+	snprintf( sql, sizeof(sql), "select Id, Name, Type, Function+0, Device, Channel, Format, Host, Port, Path, Width, Height, Palette, Orientation+0, LabelFormat, LabelX, LabelY, ImageBufferCount, WarmupCount, PreEventCount, PostEventCount, SectionLength, FrameSkip, MaxFPS, FPSReportInterval, RefBlendPerc from Monitors where Id = %d", id );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));
@@ -1362,7 +1362,7 @@ unsigned int Monitor::Compare( const Image &comp_image )
 		static char diag_path[PATH_MAX] = "";
 		if ( !diag_path[0] )
 		{
-			sprintf( diag_path, "%s/%s/diag-r.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), name );
+			snprintf( diag_path, sizeof(diag_path), "%s/%s/diag-r.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), name );
 		}
 		ref_image.WriteJpeg( diag_path );
 	}
@@ -1374,7 +1374,7 @@ unsigned int Monitor::Compare( const Image &comp_image )
 		static char diag_path[PATH_MAX] = "";
 		if ( !diag_path[0] )
 		{
-			sprintf( diag_path, "%s/%s/diag-d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), name );
+			snprintf( diag_path, sizeof(diag_path), "%s/%s/diag-d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), name );
 		}
 		delta_image->WriteJpeg( diag_path );
 	}

src/zm_monitor.h

@@ -198,7 +198,7 @@ public:
 			static char label_text[256];
 
 			strftime( label_time_text, sizeof(label_time_text), label_format, localtime( &ts_time ) );
-			sprintf( label_text, label_time_text, name );
+			snprintf( label_text, sizeof(label_text), label_time_text, name );
 
 			ts_image->Annotate( label_text, label_coord );
 		}

src/zm_remote_camera.cpp

@@ -108,15 +108,15 @@ void RemoteCamera::Initialise()
 
 	if ( !request[0] )
 	{
-		sprintf( request, "GET %s HTTP/%s\n", path, (const char *)config.Item( ZM_HTTP_VERSION ) );
+		snprintf( request, sizeof(request), "GET %s HTTP/%s\n", path, (const char *)config.Item( ZM_HTTP_VERSION ) );
-		sprintf( &(request[strlen(request)]), "User-Agent: %s/%s\n", (const char *)config.Item( ZM_HTTP_UA ), ZM_VERSION );
+		snprintf( &(request[strlen(request)]), sizeof(request)-strlen(request), "User-Agent: %s/%s\n", (const char *)config.Item( ZM_HTTP_UA ), ZM_VERSION );
-		sprintf( &(request[strlen(request)]), "Host: %s\n", host );
+		snprintf( &(request[strlen(request)]), sizeof(request)-strlen(request), "Host: %s\n", host );
-		sprintf( &(request[strlen(request)]), "Connection: Keep-Alive\n" );
+		snprintf( &(request[strlen(request)]), sizeof(request)-strlen(request), "Connection: Keep-Alive\n" );
 		if ( auth )
 		{
-			sprintf( &(request[strlen(request)]), "Authorization: Basic %s\n", auth64 );
+			snprintf( &(request[strlen(request)]), sizeof(request)-strlen(request), "Authorization: Basic %s\n", auth64 );
 		}
-		sprintf( &(request[strlen(request)]), "\n" );
+		snprintf( &(request[strlen(request)]), sizeof(request)-strlen(request), "\n" );
 		Debug( 2, ( "Request: %s", request ));
 	}
 	if ( !timeout.tv_sec )
@@ -369,7 +369,7 @@ int RemoteCamera::GetResponse()
 				if ( !subheader_expr )
 				{
 					char subheader_pattern[256] = "";
-					sprintf( subheader_pattern, "^((?:\r?\n){0,2}?(?:--)?%s\r?\n.+?\r?\n\r?\n)", content_boundary );
+					snprintf( subheader_pattern, sizeof(subheader_pattern), "^((?:\r?\n){0,2}?(?:--)?%s\r?\n.+?\r?\n\r?\n)", content_boundary );
 					subheader_expr = new RegExpr( subheader_pattern, PCRE_DOTALL );
 				}
 				if ( subheader_expr->Match( (char *)buffer, (int)buffer ) == 2 )
@@ -452,7 +452,7 @@ int RemoteCamera::GetResponse()
 							if ( !content_expr )
 							{
 								char content_pattern[256] = "";
-								sprintf( content_pattern, "^(.+?)(?:\r?\n){1,2}?(?:--)?%s\r?\n", content_boundary );
+								snprintf( content_pattern, sizeof(content_pattern), "^(.+?)(?:\r?\n){1,2}?(?:--)?%s\r?\n", content_boundary );
 								content_expr = new RegExpr( content_pattern, PCRE_DOTALL );
 							}
 						}

src/zm_zone.cpp

@@ -75,7 +75,7 @@ Zone::~Zone()
 void Zone::RecordStats( const Event *event )
 {
 	static char sql[BUFSIZ];
-	sprintf( sql, "insert into Stats set MonitorId=%d, ZoneId=%d, EventId=%d, FrameId=%d, AlarmPixels=%d, FilterPixels=%d, BlobPixels=%d, Blobs=%d, MinBlobSize=%d, MaxBlobSize=%d, MinX=%d, MinY=%d, MaxX=%d, MaxY=%d, Score=%d", monitor->Id(), id, event->Id(), event->Frames()+1, alarm_pixels, alarm_filter_pixels, alarm_blob_pixels, alarm_blobs, min_blob_size, max_blob_size, alarm_box.LoX(), alarm_box.LoY(), alarm_box.HiX(), alarm_box.HiY(), score );
+	snprintf( sql, sizeof(sql), "insert into Stats set MonitorId=%d, ZoneId=%d, EventId=%d, FrameId=%d, AlarmPixels=%d, FilterPixels=%d, BlobPixels=%d, Blobs=%d, MinBlobSize=%d, MaxBlobSize=%d, MinX=%d, MinY=%d, MaxX=%d, MaxY=%d, Score=%d", monitor->Id(), id, event->Id(), event->Frames()+1, alarm_pixels, alarm_filter_pixels, alarm_blob_pixels, alarm_blobs, min_blob_size, max_blob_size, alarm_box.LoX(), alarm_box.LoY(), alarm_box.HiX(), alarm_box.HiY(), score );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't insert event stats: %s", mysql_error( &dbconn ) ));
@@ -125,7 +125,7 @@ bool Zone::CheckAlarms( const Image *delta_image )
 		static char diag_path[PATH_MAX] = "";
 		if ( !diag_path[0] )
 		{
-			sprintf( diag_path, "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 1 );
+			snprintf( diag_path, sizeof(diag_path), "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 1 );
 		}
 		diff_image->WriteJpeg( diag_path );
 	}
@@ -197,7 +197,7 @@ bool Zone::CheckAlarms( const Image *delta_image )
 			static char diag_path[PATH_MAX] = "";
 			if ( !diag_path[0] )
 			{
-				sprintf( diag_path, "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 2 );
+				snprintf( diag_path, sizeof(diag_path), "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 2 );
 			}
 			diff_image->WriteJpeg( diag_path );
 		}
@@ -341,7 +341,7 @@ bool Zone::CheckAlarms( const Image *delta_image )
 				static char diag_path[PATH_MAX] = "";
 				if ( !diag_path[0] )
 				{
-					sprintf( diag_path, "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 3 );
+					snprintf( diag_path, sizeof(diag_path), "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 3 );
 				}
 				diff_image->WriteJpeg( diag_path );
 			}
@@ -391,7 +391,7 @@ bool Zone::CheckAlarms( const Image *delta_image )
 				static char diag_path[PATH_MAX] = "";
 				if ( !diag_path[0] )
 				{
-					sprintf( diag_path, "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 4 );
+					snprintf( diag_path, sizeof(diag_path), "%s/%s/diag-%d-%d.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), id, 4 );
 				}
 				diff_image->WriteJpeg( diag_path );
 			}
@@ -455,7 +455,7 @@ bool Zone::CheckAlarms( const Image *delta_image )
 int Zone::Load( Monitor *monitor, Zone **&zones )
 {
 	static char sql[BUFSIZ];
-	sprintf( sql, "select Id,Name,Type+0,Units,LoX,LoY,HiX,HiY,AlarmRGB,CheckMethod+0,MinPixelThreshold,MaxPixelThreshold,MinAlarmPixels,MaxAlarmPixels,FilterX,FilterY,MinFilterPixels,MaxFilterPixels,MinBlobPixels,MaxBlobPixels,MinBlobs,MaxBlobs from Zones where MonitorId = %d order by Type, Id", monitor->Id() );
+	snprintf( sql, sizeof(sql), "select Id,Name,Type+0,Units,LoX,LoY,HiX,HiY,AlarmRGB,CheckMethod+0,MinPixelThreshold,MaxPixelThreshold,MinAlarmPixels,MaxAlarmPixels,FilterX,FilterY,MinFilterPixels,MaxFilterPixels,MinBlobPixels,MaxBlobPixels,MinBlobs,MaxBlobs from Zones where MonitorId = %d order by Type, Id", monitor->Id() );
 	if ( mysql_query( &dbconn, sql ) )
 	{
 		Error(( "Can't run query: %s", mysql_error( &dbconn ) ));

src/zma.cpp

@@ -119,9 +119,9 @@ int main( int argc, char *argv[] )
 	}
 
 	char dbg_name_string[16];
-	sprintf( dbg_name_string, "zma-m%d", id );
+	snprintf( dbg_name_string, sizeof(dbg_name_string), "zma-m%d", id );
 	zm_dbg_name = dbg_name_string;
-	//sprintf( zm_dbg_log, "/tmp/zma-%d.log", id );
+	//snprintf( zm_dbg_log, sizeof(zm_dbg_log), "/tmp/zma-%d.log", id );
 	//zm_dbg_level = 1;
 
 	zmDbgInit();

src/zmc.cpp

@@ -130,15 +130,15 @@ int main( int argc, char *argv[] )
 	char dbg_name_string[16];
 	if ( device >= 0 )
 	{
-		sprintf( dbg_name_string, "zmc-d%d", device );
+		snprintf( dbg_name_string, sizeof(dbg_name_string), "zmc-d%d", device );
 	}
 	else if ( host[0] )
 	{
-		sprintf( dbg_name_string, "zmc-h%s", host );
+		snprintf( dbg_name_string, sizeof(dbg_name_string), "zmc-h%s", host );
 	}
 	else
 	{
-		sprintf( dbg_name_string, "zmc-m%d", monitor_id );
+		snprintf( dbg_name_string, sizeof(dbg_name_string), "zmc-m%d", monitor_id );
 	}
 	zm_dbg_name = dbg_name_string;
 

src/zmf.cpp

@@ -80,7 +80,7 @@ int OpenSocket( int monitor_id )
 	}
 
 	char sock_path[PATH_MAX] = "";
-	sprintf( sock_path, "%s/zmf-%d.sock", (const char *)config.Item( ZM_PATH_SOCKS ), monitor_id );
+	snprintf( sock_path, sizeof(sock_path), "%s/zmf-%d.sock", (const char *)config.Item( ZM_PATH_SOCKS ), monitor_id );
 	if ( unlink( sock_path ) < 0 )
 	{
 		Warning(( "Can't unlink '%s': %s", sock_path, strerror(errno) ));
@@ -88,7 +88,7 @@ int OpenSocket( int monitor_id )
 
 	struct sockaddr_un addr;
 
-	strcpy( addr.sun_path, sock_path );
+	strncpy( addr.sun_path, sock_path, sizeof(addr.sun_path) );
 	addr.sun_family = AF_UNIX;
 
 	if ( bind( sd, (struct sockaddr *)&addr, strlen(addr.sun_path)+sizeof(addr.sun_family)) < 0 )
@@ -186,9 +186,9 @@ int main( int argc, char *argv[] )
 	}
 
 	char dbg_name_string[16];
-	sprintf( dbg_name_string, "zmf-m%d", id );
+	snprintf( dbg_name_string, sizeof(dbg_name_string), "zmf-m%d", id );
 	zm_dbg_name = dbg_name_string;
-	//sprintf( zm_dbg_log, "/tmp/zmf-%d.log", id );
+	//snprintf( zm_dbg_log, sizeof(zm_dbg_log), "/tmp/zmf-%d.log", id );
 	//zm_dbg_level = 1;
 
 	zmDbgInit();
@@ -288,7 +288,7 @@ int main( int argc, char *argv[] )
 			continue;
 		}
 		static char path[PATH_MAX] = "";
-		sprintf( path, "%s/%s/%ld/%03ld-%s.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), frame_header.event_id, frame_header.frame_id, frame_header.alarm_frame?"analyse":"capture" );
+		snprintf( path, sizeof(path), "%s/%s/%ld/%03ld-%s.jpg", (const char *)config.Item( ZM_DIR_EVENTS ), monitor->Name(), frame_header.event_id, frame_header.frame_id, frame_header.alarm_frame?"analyse":"capture" );
 		Debug( 1, ( "Got image, writing to %s", path ));
 
 		FILE *fd = 0;

src/zmfix.cpp

@@ -35,7 +35,7 @@ bool fixDevice( int device )
 {
 	char device_path[64];
 
-	sprintf( device_path, "/dev/video%d", device );
+	snprintf( device_path, sizeof(device_path), "/dev/video%d", device );
 
 	struct stat stat_buf;
 
@@ -106,8 +106,8 @@ int main( int argc, char *argv[] )
 		zmDbConnect( ZM_DB_USERA, ZM_DB_PASSA );
 
 		static char sql[BUFSIZ];
-		//sprintf( sql, "select distinct Device from Monitors where Function != 'None' and Type = 'Local'" );
+		//snprintf( sql, sizeof(sql), "select distinct Device from Monitors where Function != 'None' and Type = 'Local'" );
-		sprintf( sql, "select distinct Device from Monitors where Type = 'Local'" );
+		snprintf( sql, sizeof(sql), "select distinct Device from Monitors where Type = 'Local'" );
 		if ( mysql_query( &dbconn, sql ) )
 		{
 			Error(( "Can't run query: %s", mysql_error( &dbconn ) ));

src/zms.cpp

@@ -52,11 +52,11 @@ int main( int argc, const char *argv[] )
 		Debug( 1, ( "Query: %s", query ));
 	
 		char temp_query[1024];
-		strcpy( temp_query, query );
+		strncpy( temp_query, query, sizeof(temp_query) );
 		char *q_ptr = temp_query;
 		char *parms[16]; // Shouldn't be more than this
 		int parm_no = 0;
-		while( (parms[parm_no] = strtok( q_ptr, "&" )) )
+		while( (parm_no < 16) && (parms[parm_no] = strtok( q_ptr, "&" )) )
 		{
 			parm_no++;
 			q_ptr = NULL;

src/zmu.cpp

@@ -92,7 +92,7 @@ bool ValidateAccess( const char *username, const char *password, int mon_id, Fun
 		}
 
 		char sql[BUFSIZ] = "";
-		sprintf( sql, "select Username, Stream+0, Events+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Password = password('%s') and Enabled = 1", username, password );
+		snprintf( sql, sizeof(sql), "select Username, Stream+0, Events+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Password = password('%s') and Enabled = 1", username, password );
 
 		if ( mysql_query( &dbconn, sql ) )
 		{
@@ -145,7 +145,7 @@ bool ValidateAccess( const char *username, const char *password, int mon_id, Fun
 		if ( monitor_ids && monitor_ids[0] )
 		{
 			char mon_id_str[256] = "";
-			strcpy( mon_id_str, monitor_ids );
+			strncpy( mon_id_str, monitor_ids, sizeof(mon_id_str) );
 			char *mon_id_str_ptr = mon_id_str;
 			char *mon_id_ptr = 0;
 			bool found_mon_id = false;