diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index ac56fbcf0d..abc7e61a59 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -298,20 +298,22 @@ static char *usb_get_fw_dev_path(DeviceState *qdev)
 {
 USBDevice *dev = DO_UPCAST(USBDevice, qdev, qdev);
 char *fw_path, *in;
- int pos = 0;
+ ssize_t pos = 0, fw_len;
 long nr;
- fw_path = qemu_malloc(32 + strlen(dev->port->path) * 6);
+ fw_len = 32 + strlen(dev->port->path) * 6;
+ fw_path = qemu_malloc(fw_len);
 in = dev->port->path;
- while (true) {
+ while (fw_len - pos > 0) {
 nr = strtol(in, &in, 10);
 if (in[0] == '.') {
 /* some hub between root port and device */
- pos += sprintf(fw_path + pos, "hub@%ld/", nr);
+ pos += snprintf(fw_path + pos, fw_len - pos, "hub@%ld/", nr);
 in++;
 } else {
 /* the device itself */
- pos += sprintf(fw_path + pos, "%s@%ld", qdev_fw_name(qdev), nr);
+ pos += snprintf(fw_path + pos, fw_len - pos, "%s@%ld",
+ qdev_fw_name(qdev), nr);
 break;
 }
 }
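Review bot: Both `snprintf` return values are added to `pos` unchecked, so truncation is silently accepted: `snprintf` returns the length it would have written, `pos` can move past `fw_len`, and the loop just exits with a cut-off string. In the `hub@` branch that means the device component is never appended, and in the final branch a long `qdev_fw_name(qdev)` can exceed the fixed 32-byte allowance, so callers would presumably receive a path that looks well-formed but names a different node. I would make truncation explicit with `assert(pos < fw_len);` after the loop, or size the buffer from the name as well: `fw_len = 32 + strlen(dev->port->path) * 6 + strlen(qdev_fw_name(qdev));`. The function body continues past the end of the hunk, so how `fw_path` is returned and consumed is not visible here.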