From: Colin Watson
Date: Sun, 3 Jan 2021 02:06:39 -0800
Subject: Fix some non-exploitable buffer overflows in mkbootmsg (LP: #27011).
---
 gfxboot-compile.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/gfxboot-compile.c b/gfxboot-compile.c
index dd882e8..835450e 100644
--- a/gfxboot-compile.c
+++ b/gfxboot-compile.c
@@ -1763,7 +1763,7 @@ void log_cline(FILE *lf)
 }
-char *add_to_line(char *s)
+char *add_to_line(const char *s)
 {
 static char buf[10240] = {};
 static int ind = 0;
@@ -1812,7 +1812,7 @@ void decompile(unsigned char *data, unsigned size)
 unsigned inst_size;
 dict_t *d;
 unsigned type;
- char *s, buf[1024];
+ char *s, *buf;
 unsigned char *p;
 // setup initial vocabulary
@@ -1889,13 +1889,15 @@ void decompile(unsigned char *data, unsigned size)
 }
 case t_unsigned:
- sprintf(buf, "%d", val);
+ asprintf(&buf, "%d", val);
 add_to_line(buf);
+ free(buf);
 break;
 case t_string:
+ buf = malloc(strlen((char *) data + i + u + 1) * 4 + 3);
 buf[0] = '"';
- for(j = 1, p = data + i + u + 1; *p && j < sizeof buf - 10; p++) {
+ for(j = 1, p = data + i + u + 1; *p; p++) {
 if(*p == '\n') {
 buf[j++] = '\\';
 buf[j++] = 'n';
@@ -1917,16 +1919,18 @@ void decompile(unsigned char *data, unsigned size)
 buf[j++] = '"';
 buf[j] = 0;
 s = add_to_line(buf);
+ free(buf);
 break;
 case t_sec:
 if(val < dict_size && dict[val].name) {
- sprintf(buf, "%s", dict[val].name);
+ asprintf(&buf, "%s", dict[val].name);
 } else {
- sprintf(buf, "name_%d", val);
+ asprintf(&buf, "name_%d", val);
 }
 s = add_to_line(buf);
+ free(buf);
 printf("%s\n", s);
 add_to_line("");
 break;
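Review bot: The return value of `asprintf` is never checked at the new `t_unsigned` site, so on allocation failure `buf` is left indeterminate (glibc does not promise to set it) and is then handed to `add_to_line` and `free`; the same pattern recurs at every replaced `sprintf` in the -1917 and -1939 hunks. The `malloc` in the `t_string` case has the same gap, since a NULL result is written through at `buf[0] = '"'` on the next line. A guard such as `if(asprintf(&buf, "%d", val) < 0) { fprintf(stderr, "out of memory\n"); exit(1); }` (and `if(!buf) { ... }` after the malloc) would close both, and a small `static char *xasprintf(const char *fmt, ...)` helper would avoid repeating it at each site. The `* 4 + 3` sizing presumably budgets four output bytes per input byte plus the quotes and terminator, but the escape loop continues past the hunk, so that bound should be confirmed against every escape branch; the walk also still relies on a NUL terminator inside `data` rather than on `size`, which the commit does not change. decompile's body starts and ends outside the hunk.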
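Review bot: The `t_sec` branch now frees `buf` on the line after `s = add_to_line(buf)` and then prints `s`, so correctness depends on `add_to_line` never returning a pointer into its argument; the `static char buf[10240]` visible in the -1763 hunk suggests it returns its own static line buffer, but its body is outside the hunk and should be confirmed, as should whether the `t_string` branch's `s` is used after `break`. A one-line contract comment on `add_to_line`, `/* returns a pointer to the static line buffer, never into s */`, would make that invariant explicit for the next maintainer. The same `add_to_line`/`free`/`printf` ordering recurs throughout the -1939 hunk.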
@@ -1939,38 +1943,42 @@ void decompile(unsigned char *data, unsigned size)
 }
 }
 if(s) {
- sprintf(buf, "%s", s);
+ asprintf(&buf, "%s", s);
 } else {
- sprintf(buf, "prim_<%d>", val);
+ asprintf(&buf, "prim_<%d>", val);
 }
 s = add_to_line(buf);
+ free(buf);
 printf("%s\n", s);
 add_to_line("");
 break;
 case t_bool:
- sprintf(buf, "%s", val ? "true" : "false");
+ asprintf(&buf, "%s", val ? "true" : "false");
 s = add_to_line(buf);
+ free(buf);
 printf("%s\n", s);
 add_to_line("");
 break;
 case t_none:
- sprintf(buf, ".undef");
+ asprintf(&buf, ".undef");
 s = add_to_line(buf);
+ free(buf);
 printf("%s\n", s);
 add_to_line("");
 break;
 case t_dict_idx:
 if(val < dict_size && dict[val].name) {
- sprintf(buf, "/%s", dict[val].name);
+ asprintf(&buf, "/%s", dict[val].name);
 } else {
- sprintf(buf, "/name_%d", val);
+ asprintf(&buf, "/name_%d", val);
 }
 add_to_line(buf);
+ free(buf);
 break;
 default: