Security: Replace unsafe string functions (strcpy/strcat/sprintf)

[montge]

Summary

Replace unsafe string functions with bounds-checked alternatives throughout the codebase.

Affected Files

• spinlex.c - Multiple strcpy/strcat calls (lines 209, 227, 551, 700, 701, 1095, 1149, 1200, 1236, 1324, 1329, 1841, 1976, 1981, 1986, 1990, 2016)
• structs.c - sprintf/strcat on stack buffers (lines 385, 400, 404, 405, 407, 408, 467, 471, 472, 475, 476, 493, 495, 501, 502, 503)
• main.c - sprintf with offset accumulation (lines 296-314)
• pangen3.c - strncpy without null termination check (line 449)
• tl_mem.c - strncpy issues (line 91)

Required Changes

1. Replace strcpy() with snprintf() or bounds-checked copy
2. Replace strcat() with snprintf() or strncat() with proper length
3. Replace sprintf() with snprintf() and check return values
4. Ensure all strncpy() results are null-terminated

Testing

• Run make test after each file is updated
• Verify no regressions in example verification

Related

• Parent issue: Security: Critical buffer overflow and command injection vulnerabilities #2

[montge]

Progress Update

Fixed unsafe string functions in the most security-sensitive files:

Completed

• structs.c: Replaced sprintf with snprintf, strcpy with snprintf, strcat with strncat
• spinlex.c: Fixed unsafe functions in c_add_loc, check_inline, set_cur_scope, and select statement handling
• main.c: Added safe_append() helper, fixed pan_runtime buffer building with bounds checking

Stats

• Reduced from 537 to 481 occurrences
• Fixed the highest-risk areas first (user input handling, buffer concatenation)

Remaining Work

Many occurrences remain in generated code files (pangen*.h) and other modules. These are lower risk as they typically work with controlled internal data, but should still be addressed for full hardening.

[montge]

Progress Update: Unsafe String Functions Fixed in Source Files

All source files (.c) have been updated to use safe string functions:

Files Fixed:

• spinlex.c (32 occurrences) - strcpy/strcat → snprintf/strncat
• mesg.c (39 occurrences) - sprintf/strcpy/strcat → snprintf
• main.c (29 occurrences) - sprintf with offset → snprintf, strcat → strncat
• structs.c (17 occurrences) - sprintf/strcpy/strcat → snprintf/strncat
• sym.c (17 occurrences) - sprintf/strcpy → snprintf
• pangen1.c (17 occurrences) - sprintf → snprintf
• pangen2.c (code gen section) - sprintf/strcpy/strcat → snprintf/strncat
• run.c (12 occurrences) - strcat → strncat for GBuf
• tl_trans.c (10 occurrences) - sprintf/strcpy/strcat → snprintf/strncat
• sched.c (6 occurrences) - sprintf/strcpy → snprintf
• guided.c (6 occurrences) - sprintf/strcpy → snprintf
• vars.c (5 occurrences) - sprintf → snprintf
• msc_tcl.c (5 occurrences) - strcpy/sprintf → snprintf
• dstep.c (3 occurrences) - sprintf → snprintf
• pangen4.c (4 occurrences) - sprintf/strcat → snprintf/strncat
• pangen7.c (2 occurrences) - sprintf/strcpy → snprintf
• flow.c (2 occurrences) - sprintf → snprintf
• tl_buchi.c (3 occurrences) - sprintf → snprintf
• tl_lex.c (2 occurrences) - sprintf/strcpy → snprintf
• tl_main.c (2 occurrences) - strcpy → snprintf
• spin.y (2 occurrences) - sprintf → snprintf
• reprosrc.c - sprintf → snprintf

Remaining (Not Applicable):

• Header files (pangen*.h) - C code templates for generated pan.c verifier
• pangen2.c remaining - fprintf() writing code to generated files
• False positives: comments and string literals containing "printf"

All tests pass (27 tests). Ready for review.