from sprintf to snprintf PolMine#70

Andreas Blätte · Andreas Blätte · commit ac8a3b76164a · 2023-01-24T13:37:45.000+01:00
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -1,8 +1,8 @@
 Package: RcppCWB
 Type: Package
 Title: 'Rcpp' Bindings for the 'Corpus Workbench' ('CWB')
-Version: 0.5.4
-Date: 2022-08-30
+Version: 0.5.4.9001
+Date: 2023-01-24
 Author: Andreas Blaette [aut, cre],
   Bernard Desgraupes [aut],
   Sylvain Loiseau [aut],
@@ -45,7 +45,7 @@ SystemRequirements: GNU make, pcre (>= 7 < 10), GLib (>= 2.0.0). On Windows, no
   (<https://github.com/PolMine/libcl>) during installation. On macOS, static libraries of Glib are downloaded
   (<https://github.com/PolMine/libglib>) if Glib is not present.
 Imports:
-    Rcpp (>= 1.0.7),
+    Rcpp (>= 1.0.10),
     fs
 Suggests:
     knitr,
diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,10 @@
+# RcppCWB 0.5.5
+
+* C++ code replaces `sprintf()` with `snprintf()` to address security issue.
+* Package now depends on Rcpp v1.0.10, which replaces one remaining `sprintf()`
+#70.
+
+
 # RcppCWB 0.5.4
 
 * Fixed package configuration that prevented that compiler is used for compiling
diff --git a/src/cqp.cpp b/src/cqp.cpp
@@ -132,7 +132,7 @@ SEXP cqp_query(SEXP corpus, SEXP subcorpus, SEXP query){
   int len = strlen(child) + strlen(q) + 10;
   cqp_query = (char *) cl_malloc(len);
   
-  sprintf(cqp_query, "%s = %s", child, q);
+  snprintf(cqp_query, len, "%s = %s", child, q);
 
   if (!cqi_activate_corpus(mother)){
     Rprintf("activation failed");
