The attached patch changes most of the usages of sprintf() to

snprintf() in contrib/. I didn't touch the places where pointer arithmatic was being used, or other areas where the fix wasn't trivial. I would think that few, if any, of the usages of sprintf() were actually exploitable, but it's probably better to be paranoid... Neil Conway
2002-08-15 02:58:29 +00:00 · 2002-08-15 02:58:29 +00:00 · 66eb8df6a4
parent 7f4981f4af
commit 66eb8df6a4
15 changed files with 80 additions and 70 deletions
--- a/contrib/dbase/dbf.c
+++ b/contrib/dbase/dbf.c
@ -437,7 +437,7 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
 	format: sprintf format-string to get the right precision with real numbers
 	NOTE: this declaration of 'foo' can cause overflow when the contents-field
-	is longer the 127 chars (which is highly unlikely, cos it is not used
+	is longer the 127 chars (which is highly unlikely, because it is not used
 	in text-fields).
 */
 /*	REMEMBER THAT THERE'S A 0x1A AT THE END OF THE FILE, SO DON'T
@ -488,11 +488,11 @@ dbf_put_record(dbhead * dbh, field * rec, u_long where)
 				if ((rec[t].db_type == 'N') && (rec[t].db_dec != 0))
 				{
 					fl = atof(rec[t].db_contents);
-					sprintf(format, "%%.%df", rec[t].db_dec);
+					snprintf(format, 32, "%%.%df", rec[t].db_dec);
-					sprintf(foo, format, fl);
+					snprintf(foo, 128, format, fl);
 				}
 				else
-					strcpy(foo, rec[t].db_contents);
+					strncpy(foo, rec[t].db_contents, 128);
 				if (strlen(foo) > rec[t].db_flen)
 					length = rec[t].db_flen;
 				else
--- a/contrib/dbase/dbf2pg.c
+++ b/contrib/dbase/dbf2pg.c
@ -308,7 +308,7 @@ do_create(PGconn *conn, char *table, dbhead * dbh)
 				if (dbh->db_fields[i].db_flen > 1)
 				{
 					strcat(query, " varchar");
-					sprintf(t, "(%d)",
+					snprintf(t, 20, "(%d)",
 							dbh->db_fields[i].db_flen);
 					strcat(query, t);
 				}
@ -361,7 +361,7 @@ do_inserts(PGconn *conn, char *table, dbhead * dbh)
 				result;
 	char	   *query,
 			   *foo;
-	char		pgdate[10];
+	char		pgdate[11];
 	if (verbose > 1)
 		printf("Inserting records\n");
@ -467,7 +467,7 @@ do_inserts(PGconn *conn, char *table, dbhead * dbh)
 				{
 					if ((strlen(foo) == 8) && isinteger(foo))
 					{
-						sprintf(pgdate, "%c%c%c%c-%c%c-%c%c",
+						snprintf(pgdate, 11, "%c%c%c%c-%c%c-%c%c",
 								foo[0], foo[1], foo[2], foo[3],
 								foo[4], foo[5], foo[6], foo[7]);
 						strcat(query, pgdate);
--- a/contrib/findoidjoins/findoidjoins.c
+++ b/contrib/findoidjoins/findoidjoins.c
@ -68,14 +68,14 @@ main(int argc, char **argv)
 		{
 			unset_result(relres);
 			if (strcmp(typname, "oid") == 0)
-				sprintf(query, "\
+				snprintf(query, 4000, "\
 					DECLARE c_matches BINARY CURSOR FOR \
 					SELECT	count(*)::int4 \
 						FROM \"%s\" t1, \"%s\" t2 \
 					WHERE t1.\"%s\" = t2.oid ",
 						relname, relname2, attname);
 			else
-				sprintf(query, "\
+				sprintf(query, 4000, "\
 					DECLARE c_matches BINARY CURSOR FOR \
 					SELECT	count(*)::int4 \
 						FROM \"%s\" t1, \"%s\" t2 \
--- a/contrib/lo/lo.c
+++ b/contrib/lo/lo.c
@ -1,7 +1,7 @@
 /*
 *	PostgreSQL type definitions for managed LargeObjects.
 *
- *	$Header: /cvsroot/pgsql/contrib/lo/lo.c,v 1.11 2001/12/07 04:18:31 inoue Exp $
+ *	$Header: /cvsroot/pgsql/contrib/lo/lo.c,v 1.12 2002/08/15 02:58:29 momjian Exp $
 *
 */
@ -92,7 +92,7 @@ lo_out(Blob * addr)
 		return (NULL);
 	result = (char *) palloc(32);
-	sprintf(result, "%u", *addr);
+	snprintf(result, 32, "%u", *addr);
 	return (result);
 }
--- a/contrib/mSQL-interface/mpgsql.c
+++ b/contrib/mSQL-interface/mpgsql.c
@ -106,7 +106,7 @@ msqlCreateDB(int a, char *b)
 {
 	char		tbuf[BUFSIZ];
-	sprintf(tbuf, "create database %s", b);
+	snprintf(tbuf, BUFSIZ, "create database %s", b);
 	return msqlQuery(a, tbuf) >= 0 ? 0 : -1;
 }
@ -115,7 +115,7 @@ msqlDropDB(int a, char *b)
 {
 	char		tbuf[BUFSIZ];
-	sprintf(tbuf, "drop database %s", b);
+	snprintf(tbuf, BUFSIZ, "drop database %s", b);
 	return msqlQuery(a, tbuf) >= 0 ? 0 : -1;
 }
@ -262,7 +262,9 @@ msqlListTables(int a)
 	m_result   *m;
 	char		tbuf[BUFSIZ];
-	sprintf(tbuf, "select relname from pg_class where relkind='r' and relowner=%d", getuid());
+	snprintf(tbuf, BUFSIZ,
 			 "select relname from pg_class where relkind='r' and relowner=%d",
 			 getuid());
 	if (msqlQuery(a, tbuf) > 0)
 	{
 		m = msqlStoreResult();
@ -284,7 +286,9 @@ msqlListIndex(int a, char *b, char *c)
 	m_result   *m;
 	char		tbuf[BUFSIZ];
-	sprintf(tbuf, "select relname from pg_class where relkind='i' and relowner=%d", getuid());
+	snprintf(tbuf, BUFSIZ,
 			 "select relname from pg_class where relkind='i' and relowner=%d",
 			 getuid());
 	if (msqlQuery(a, tbuf) > 0)
 	{
 		m = msqlStoreResult();
--- a/contrib/oid2name/oid2name.c
+++ b/contrib/oid2name/oid2name.c
@ -337,7 +337,7 @@ sql_exec_dumpdb(PGconn *conn)
 	char		todo[1024];
 	/* get the oid and database name from the system pg_database table */
-	sprintf(todo, "select oid,datname from pg_database");
+	snprintf(todo, 1024, "select oid,datname from pg_database");
 	sql_exec(conn, todo, 0);
 }
@ -351,9 +351,9 @@ sql_exec_dumptable(PGconn *conn, int systables)
 	/* don't exclude the systables if this is set */
 	if (systables == 1)
-		sprintf(todo, "select relfilenode,relname from pg_class order by relname");
+		snprintf(todo, 1024, "select relfilenode,relname from pg_class order by relname");
 	else
-		sprintf(todo, "select relfilenode,relname from pg_class where relname not like 'pg_%%' order by relname");
+		snprintf(todo, 1024, "select relfilenode,relname from pg_class where relname not like 'pg_%%' order by relname");
 	sql_exec(conn, todo, 0);
 }
@ -367,7 +367,7 @@ sql_exec_searchtable(PGconn *conn, const char *tablename)
 	char		todo[1024];
 	/* get the oid and tablename where the name matches tablename */
-	sprintf(todo, "select relfilenode,relname from pg_class where relname = '%s'", tablename);
+	snprintf(todo, 1024, "select relfilenode,relname from pg_class where relname = '%s'", tablename);
 	returnvalue = sql_exec(conn, todo, 1);
@ -386,7 +386,7 @@ sql_exec_searchoid(PGconn *conn, int oid)
 	int			returnvalue;
 	char		todo[1024];
-	sprintf(todo, "select relfilenode,relname from pg_class where oid = %i", oid);
+	snprintf(todo, 1024, "select relfilenode,relname from pg_class where oid = %i", oid);
 	returnvalue = sql_exec(conn, todo, 1);
--- a/contrib/pg_dumplo/lo_export.c
+++ b/contrib/pg_dumplo/lo_export.c
@ -1,7 +1,7 @@
 /* -------------------------------------------------------------------------
 * pg_dumplo
 *
- * $Header: /cvsroot/pgsql/contrib/pg_dumplo/Attic/lo_export.c,v 1.8 2001/10/25 05:49:19 momjian Exp $
+ * $Header: /cvsroot/pgsql/contrib/pg_dumplo/Attic/lo_export.c,v 1.9 2002/08/15 02:58:29 momjian Exp $
 *
 *					Karel Zak 1999-2000
 * -------------------------------------------------------------------------
@ -110,8 +110,9 @@ pglo_export(LODumpMaster * pgLO)
 		/*
 		 * Query: find the LOs referenced by this column
 		 */
-		sprintf(Qbuff, "SELECT DISTINCT l.loid FROM \"%s\" x, pg_largeobject l WHERE x.\"%s\" = l.loid",
+		snprintf(Qbuff, QUERY_BUFSIZ,
-				ll->lo_table, ll->lo_attr);
+				 "SELECT DISTINCT l.loid FROM \"%s\" x, pg_largeobject l WHERE x.\"%s\" = l.loid",
 				 ll->lo_table, ll->lo_attr);
 		/* puts(Qbuff); */
@ -140,7 +141,7 @@ pglo_export(LODumpMaster * pgLO)
 			if (pgLO->action != ACTION_SHOW)
 			{
-				sprintf(path, "%s/%s/%s", pgLO->space, pgLO->db,
+				snprintf(path, BUFSIZ, "%s/%s/%s", pgLO->space, pgLO->db,
 						ll->lo_table);
 				if (mkdir(path, DIR_UMASK) == -1)
@ -152,7 +153,7 @@ pglo_export(LODumpMaster * pgLO)
 					}
 				}
-				sprintf(path, "%s/%s/%s/%s", pgLO->space, pgLO->db,
+				snprintf(path, BUFSIZ, "%s/%s/%s/%s", pgLO->space, pgLO->db,
 						ll->lo_table, ll->lo_attr);
 				if (mkdir(path, DIR_UMASK) == -1)
@ -185,7 +186,7 @@ pglo_export(LODumpMaster * pgLO)
 					continue;
 				}
-				sprintf(path, "%s/%s/%s/%s/%s", pgLO->space,
+				snprintf(path, BUFSIZ, "%s/%s/%s/%s/%s", pgLO->space,
 						pgLO->db, ll->lo_table, ll->lo_attr, val);
 				if (lo_export(pgLO->conn, lo, path) < 0)
--- a/contrib/pg_dumplo/lo_import.c
+++ b/contrib/pg_dumplo/lo_import.c
@ -1,7 +1,7 @@
 /* -------------------------------------------------------------------------
 * pg_dumplo
 *
- * $Header: /cvsroot/pgsql/contrib/pg_dumplo/Attic/lo_import.c,v 1.6 2001/10/25 05:49:19 momjian Exp $
+ * $Header: /cvsroot/pgsql/contrib/pg_dumplo/Attic/lo_import.c,v 1.7 2002/08/15 02:58:29 momjian Exp $
 *
 *					Karel Zak 1999-2000
 * -------------------------------------------------------------------------
@ -48,7 +48,7 @@ pglo_import(LODumpMaster * pgLO)
 		loa.lo_table = tab;
 		loa.lo_attr = attr;
-		sprintf(lo_path, "%s/%s", pgLO->space, path);
+		snprintf(lo_path, BUFSIZ, "%s/%s", pgLO->space, path);
 		/*
 		 * Import LO
@ -81,7 +81,8 @@ pglo_import(LODumpMaster * pgLO)
 		/*
 		 * UPDATE oid in tab
 		 */
-		sprintf(Qbuff, "UPDATE \"%s\" SET \"%s\"=%u WHERE \"%s\"=%u",
+		snprintf(Qbuff, QUERY_BUFSIZ,
 			"UPDATE \"%s\" SET \"%s\"=%u WHERE \"%s\"=%u",
 			loa.lo_table, loa.lo_attr, new_oid, loa.lo_attr, loa.lo_oid);
 		/* fprintf(stderr, Qbuff); */
--- a/contrib/pg_dumplo/utils.c
+++ b/contrib/pg_dumplo/utils.c
@ -1,7 +1,7 @@
 /* -------------------------------------------------------------------------
 * pg_dumplo
 *
- * $Header: /cvsroot/pgsql/contrib/pg_dumplo/Attic/utils.c,v 1.4 2001/03/22 03:59:10 momjian Exp $
+ * $Header: /cvsroot/pgsql/contrib/pg_dumplo/Attic/utils.c,v 1.5 2002/08/15 02:58:29 momjian Exp $
 *
 *					Karel Zak 1999-2000
 * -------------------------------------------------------------------------
@ -36,7 +36,7 @@ index_file(LODumpMaster * pgLO)
 	if (pgLO->action == ACTION_SHOW)
 		return;
-	sprintf(path, "%s/%s", pgLO->space, pgLO->db);
+	snprintf(path, BUFSIZ, "%s/%s", pgLO->space, pgLO->db);
 	if (pgLO->action == ACTION_EXPORT_ATTR ||
 		pgLO->action == ACTION_EXPORT_ALL)
@ -51,7 +51,7 @@ index_file(LODumpMaster * pgLO)
 			}
 		}
-		sprintf(path, "%s/lo_dump.index", path);
+		snprintf(path, BUFSIZ, "%s/lo_dump.index", path);
 		if ((pgLO->index = fopen(path, "w")) == NULL)
 		{
@ -63,7 +63,7 @@ index_file(LODumpMaster * pgLO)
 	else if (pgLO->action != ACTION_NONE)
 	{
-		sprintf(path, "%s/lo_dump.index", path);
+		snprintf(path, BUFSIZ, "%s/lo_dump.index", path);
 		if ((pgLO->index = fopen(path, "r")) == NULL)
 		{
--- a/contrib/pg_resetxlog/pg_resetxlog.c
+++ b/contrib/pg_resetxlog/pg_resetxlog.c
@ -23,7 +23,7 @@
 * Portions Copyright (c) 1996-2002, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $Header: /cvsroot/pgsql/contrib/pg_resetxlog/Attic/pg_resetxlog.c,v 1.18 2002/06/20 20:29:24 momjian Exp $
+ * $Header: /cvsroot/pgsql/contrib/pg_resetxlog/Attic/pg_resetxlog.c,v 1.19 2002/08/15 02:58:29 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -352,7 +352,7 @@ KillExistingXLOG(void)
 		if (strlen(xlde->d_name) == 16 &&
 			strspn(xlde->d_name, "0123456789ABCDEF") == 16)
 		{
-			sprintf(path, "%s/%s", XLogDir, xlde->d_name);
+			snprintf(path, MAXPGPATH, "%s/%s", XLogDir, xlde->d_name);
 			if (unlink(path) < 0)
 			{
 				perror(path);
--- a/contrib/pgbench/pgbench.c
+++ b/contrib/pgbench/pgbench.c
@ -1,5 +1,5 @@
 /*
- * $Header: /cvsroot/pgsql/contrib/pgbench/pgbench.c,v 1.17 2002/07/20 03:02:01 ishii Exp $
+ * $Header: /cvsroot/pgsql/contrib/pgbench/pgbench.c,v 1.18 2002/08/15 02:58:29 momjian Exp $
 *
 * pgbench: a simple TPC-B like benchmark program for PostgreSQL
 * written by Tatsuo Ishii
@ -310,26 +310,26 @@ doOne(CState * state, int n, int debug, int ttype)
 				gettimeofday(&(st->txn_begin), 0);
 			break;
 		case 1:
-			sprintf(sql, "update accounts set abalance = abalance + %d where aid = %d\n", st->delta, st->aid);
+			snprintf(sql, 256, "update accounts set abalance = abalance + %d where aid = %d\n", st->delta, st->aid);
 			break;
 		case 2:
-			sprintf(sql, "select abalance from accounts where aid = %d", st->aid);
+			snprintf(sql, 256, "select abalance from accounts where aid = %d", st->aid);
 			break;
 		case 3:
 			if (ttype == 0)
 			{
-			    sprintf(sql, "update tellers set tbalance = tbalance + %d where tid = %d\n",
+			    snprintf(sql, 256, "update tellers set tbalance = tbalance + %d where tid = %d\n",
 				    st->delta, st->tid);
 			    break;
 			}
 		case 4:
 			if (ttype == 0)
 			{
-			    sprintf(sql, "update branches set bbalance = bbalance + %d where bid = %d", st->delta, st->bid);
+			    snprintf(sql, 256, "update branches set bbalance = bbalance + %d where bid = %d", st->delta, st->bid);
 			    break;
 			}
 		case 5:
-			sprintf(sql, "insert into history(tid,bid,aid,delta,mtime) values(%d,%d,%d,%d,'now')",
+			snprintf(sql, 256, "insert into history(tid,bid,aid,delta,mtime) values(%d,%d,%d,%d,'now')",
 					st->tid, st->bid, st->aid, st->delta);
 			break;
 		case 6:
@ -426,7 +426,7 @@ doSelectOnly(CState * state, int n, int debug)
 	{
 		case 0:
 			st->aid = getrand(1, naccounts * tps);
-			sprintf(sql, "select abalance from accounts where aid = %d", st->aid);
+			snprintf(sql, 256, "select abalance from accounts where aid = %d", st->aid);
 			break;
 	}
@ -500,7 +500,7 @@ init(void)
 	for (i = 0; i < nbranches * tps; i++)
 	{
-		sprintf(sql, "insert into branches(bid,bbalance) values(%d,0)", i + 1);
+		snprintf(sql, 256, "insert into branches(bid,bbalance) values(%d,0)", i + 1);
 		res = PQexec(con, sql);
 		if (PQresultStatus(res) != PGRES_COMMAND_OK)
 		{
@ -512,7 +512,7 @@ init(void)
 	for (i = 0; i < ntellers * tps; i++)
 	{
-		sprintf(sql, "insert into tellers(tid,bid,tbalance) values (%d,%d,0)"
+		snprintf(sql, 256, "insert into tellers(tid,bid,tbalance) values (%d,%d,0)"
 				,i + 1, i / ntellers + 1);
 		res = PQexec(con, sql);
 		if (PQresultStatus(res) != PGRES_COMMAND_OK)
@ -550,7 +550,7 @@ init(void)
 			PQclear(res);
 		}
-		sprintf(sql, "%d\t%d\t%d\t\n", j, j / naccounts, 0);
+		snprintf(sql, 256, "%d\t%d\t%d\t\n", j, j / naccounts, 0);
 		if (PQputline(con, sql))
 		{
 			fprintf(stderr, "PQputline failed\n");
--- a/contrib/rserv/rserv.c
+++ b/contrib/rserv/rserv.c
@ -102,9 +102,10 @@ _rserv_log_()
 	if (keynum == ObjectIdAttributeNumber)
 	{
-		sprintf(oidbuf, "%u", rel->rd_rel->relhasoids
+		snprintf(oidbuf, "%u", 64,
-		                      ? HeapTupleGetOid(tuple)
+				 rel->rd_rel->relhasoids
-		                      : InvalidOid);
+		         ? HeapTupleGetOid(tuple)
 		         : InvalidOid);
 		key = oidbuf;
 	}
 	else
@ -129,7 +130,7 @@ _rserv_log_()
 	else
 		okey = key;
-	sprintf(sql, "update _RSERV_LOG_ set logid = %d, logtime = now(), "
+	snprintf(sql, 8192, "update _RSERV_LOG_ set logid = %d, logtime = now(), "
 			"deleted = %d where reloid = %u and key = '%s'",
 			GetCurrentTransactionId(), deleted, rel->rd_id, okey);
@ -148,7 +149,7 @@ _rserv_log_()
 		elog(ERROR, "_rserv_log_: duplicate tuples");
 	else if (SPI_processed == 0)
 	{
-		sprintf(sql, "insert into _RSERV_LOG_ "
+		snprintf(sql, 8192, "insert into _RSERV_LOG_ "
 				"(reloid, logid, logtime, deleted, key) "
 				"values (%u, %d, now(), %d, '%s')",
 				rel->rd_id, GetCurrentTransactionId(),
@ -173,7 +174,7 @@ _rserv_log_()
 		else
 			okey = newkey;
-		sprintf(sql, "insert into _RSERV_LOG_ "
+		snprintf(sql, 8192, "insert into _RSERV_LOG_ "
 				"(reloid, logid, logtime, deleted, key) "
 				"values (%u, %d, now(), 0, '%s')",
 				rel->rd_id, GetCurrentTransactionId(), okey);
@ -222,14 +223,15 @@ _rserv_sync_(int32 server)
 	buf[0] = 0;
 	for (xcnt = 0; xcnt < SerializableSnapshot->xcnt; xcnt++)
 	{
-		sprintf(buf + strlen(buf), "%s%u", (xcnt) ? ", " : "",
+		snprintf(buf + strlen(buf), 8192 - strlen(buf),
 				"%s%u", (xcnt) ? ", " : "",
 				SerializableSnapshot->xip[xcnt]);
 	}
 	if ((ret = SPI_connect()) < 0)
 		elog(ERROR, "_rserv_sync_: SPI_connect returned %d", ret);
-	sprintf(sql, "insert into _RSERV_SYNC_ "
+	snprintf(sql, 8192, "insert into _RSERV_SYNC_ "
 			"(server, syncid, synctime, status, minid, maxid, active) "
 	  "values (%u, currval('_rserv_sync_seq_'), now(), 0, %d, %d, '%s')",
 			server, SerializableSnapshot->xmin, SerializableSnapshot->xmax, active);
--- a/contrib/spi/refint.c
+++ b/contrib/spi/refint.c
@ -112,7 +112,7 @@ check_primary_key(PG_FUNCTION_ARGS)
 	 * Construct ident string as TriggerName $ TriggeredRelationId and try
 	 * to find prepared execution plan.
 	 */
-	sprintf(ident, "%s$%u", trigger->tgname, rel->rd_id);
+	snprintf(ident, 2 * NAMEDATALEN, "%s$%u", trigger->tgname, rel->rd_id);
 	plan = find_plan(ident, &PPlans, &nPPlans);
 	/* if there is no plan then allocate argtypes for preparation */
@ -160,10 +160,10 @@ check_primary_key(PG_FUNCTION_ARGS)
 		 * Construct query: SELECT 1 FROM _referenced_relation_ WHERE
 		 * Pkey1 = $1 [AND Pkey2 = $2 [...]]
 		 */
-		sprintf(sql, "select 1 from %s where ", relname);
+		snprintf(sql, 8192, "select 1 from %s where ", relname);
 		for (i = 0; i < nkeys; i++)
 		{
-			sprintf(sql + strlen(sql), "%s = $%d %s",
+			snprintf(sql + strlen(sql), 8192 - strlen(sql), "%s = $%d %s",
 			  args[i + nkeys + 1], i + 1, (i < nkeys - 1) ? "and " : "");
 		}
@ -320,7 +320,7 @@ check_foreign_key(PG_FUNCTION_ARGS)
 	 * Construct ident string as TriggerName $ TriggeredRelationId and try
 	 * to find prepared execution plan(s).
 	 */
-	sprintf(ident, "%s$%u", trigger->tgname, rel->rd_id);
+	snprintf(ident, 2 * NAMEDATALEN, "%s$%u", trigger->tgname, rel->rd_id);
 	plan = find_plan(ident, &FPlans, &nFPlans);
 	/* if there is no plan(s) then allocate argtypes for preparation */
@ -411,7 +411,7 @@ check_foreign_key(PG_FUNCTION_ARGS)
 			 */
 			if (action == 'r')
-				sprintf(sql, "select 1 from %s where ", relname);
+				snprintf(sql, 8192, "select 1 from %s where ", relname);
 			/*---------
 			 * For 'C'ascade action we construct DELETE query
@ -438,7 +438,7 @@ check_foreign_key(PG_FUNCTION_ARGS)
 					char	   *nv;
 					int			k;
-					sprintf(sql, "update %s set ", relname);
+					snprintf(sql, 8192, "update %s set ", relname);
 					for (k = 1; k <= nkeys; k++)
 					{
 						int			is_char_type = 0;
@ -461,7 +461,8 @@ check_foreign_key(PG_FUNCTION_ARGS)
 						 * is_char_type =1 i set ' ' for define a new
 						 * value
 						 */
-						sprintf(sql + strlen(sql), " %s = %s%s%s %s ",
+						snprintf(sql + strlen(sql), 8192 - strlen(sql),
 								" %s = %s%s%s %s ",
 								args2[k], (is_char_type > 0) ? "'" : "",
 								nv, (is_char_type > 0) ? "'" : "", (k < nkeys) ? ", " : "");
 						is_char_type = 0;
@ -471,7 +472,7 @@ check_foreign_key(PG_FUNCTION_ARGS)
 				}
 				else
 /* DELETE */
-					sprintf(sql, "delete from %s where ", relname);
+					snprintf(sql, 8192, "delete from %s where ", relname);
 			}
@ -483,10 +484,11 @@ check_foreign_key(PG_FUNCTION_ARGS)
 			 */
 			else if (action == 's')
 			{
-				sprintf(sql, "update %s set ", relname);
+				snprintf(sql, 8192, "update %s set ", relname);
 				for (i = 1; i <= nkeys; i++)
 				{
-					sprintf(sql + strlen(sql), "%s = null%s",
+					snprintf(sql + strlen(sql), 8192 - strlen(sql),
 							"%s = null%s",
 							args2[i], (i < nkeys) ? ", " : "");
 				}
 				strcat(sql, " where ");
@ -495,7 +497,7 @@ check_foreign_key(PG_FUNCTION_ARGS)
 			/* Construct WHERE qual */
 			for (i = 1; i <= nkeys; i++)
 			{
-				sprintf(sql + strlen(sql), "%s = $%d %s",
+				snprintf(sql + strlen(sql), 8192 - strlen(sql), "%s = $%d %s",
 						args2[i], i, (i < nkeys) ? "and " : "");
 			}
@ -545,7 +547,7 @@ check_foreign_key(PG_FUNCTION_ARGS)
 		relname = args[0];
-		sprintf(ident, "%s$%u", trigger->tgname, rel->rd_id);
+		snprintf(ident, 2 * NAMEDATALEN, "%s$%u", trigger->tgname, rel->rd_id);
 		plan = find_plan(ident, &FPlans, &nFPlans);
 		ret = SPI_execp(plan->splan[r], kvals, NULL, tcount);
 		/* we have no NULLs - so we pass   ^^^^  here */
--- a/contrib/spi/timetravel.c
+++ b/contrib/spi/timetravel.c
@ -250,7 +250,7 @@ timetravel(PG_FUNCTION_ARGS)
 	 * Construct ident string as TriggerName $ TriggeredRelationId and try
 	 * to find prepared execution plan.
 	 */
-	sprintf(ident, "%s$%u", trigger->tgname, rel->rd_id);
+	snprintf(ident, 2 * NAMEDATALEN, "%s$%u", trigger->tgname, rel->rd_id);
 	plan = find_plan(ident, &Plans, &nPlans);
 	/* if there is no plan ... */
@ -266,10 +266,10 @@ timetravel(PG_FUNCTION_ARGS)
 		/*
 		 * Construct query: INSERT INTO _relation_ VALUES ($1, ...)
 		 */
-		sprintf(sql, "INSERT INTO %s VALUES (", relname);
+		snprintf(sql, 8192, "INSERT INTO %s VALUES (", relname);
 		for (i = 1; i <= natts; i++)
 		{
-			sprintf(sql + strlen(sql), "$%d%s",
+			snprintf(sql + strlen(sql), 8192 - strlen(sql), "$%d%s",
 					i, (i < natts) ? ", " : ")");
 			ctypes[i - 1] = SPI_gettypeid(tupdesc, i);
 		}
--- a/contrib/vacuumlo/vacuumlo.c
+++ b/contrib/vacuumlo/vacuumlo.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/contrib/vacuumlo/vacuumlo.c,v 1.12 2002/06/20 20:29:24 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/contrib/vacuumlo/vacuumlo.c,v 1.13 2002/08/15 02:58:29 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -288,7 +288,7 @@ vacuumlo(char *database, struct _param *param)
 		 * Postgres-ism and not portable to other DBMSs, but then this
 		 * whole program is a Postgres-ism.
 		 */
-		sprintf(buf, "DELETE FROM vacuum_l WHERE lo = \"%s\".\"%s\" ",
+		snprintf(buf, BUFSIZE, "DELETE FROM vacuum_l WHERE lo = \"%s\".\"%s\" ",
 				table, field);
 		res2 = PQexec(conn, buf);
 		if (PQresultStatus(res2) != PGRES_COMMAND_OK)