@@ -1242,8 +1242,9 @@ class CallProcedureAsyncWorker : public ODBCAsyncWorker {
12421242
12431243 #ifndef UNICODE
12441244 char *combinedProcedureName = new char [1024 ]();
1245- sprintf (
1245+ snprintf (
12461246 combinedProcedureName,
1247+ 1024 ,
12471248 " %s%s%s%s%s" ,
12481249 data->catalog ? (const char *)data->catalog : " " ,
12491250 data->catalog ? " ." : " " ,
@@ -1329,9 +1330,9 @@ class CallProcedureAsyncWorker : public ODBCAsyncWorker {
13291330 if (data->storedRows .size () == 0 ) {
13301331 char errorString[255 ];
13311332 #ifndef UNICODE
1332- sprintf (errorString, " [odbc] CallProcedureAsyncWorker::Execute: Stored procedure '%s' doesn't exist" , combinedProcedureName);
1333+ snprintf (errorString, sizeof (errorString) , " [odbc] CallProcedureAsyncWorker::Execute: Stored procedure '%s' doesn't exist" , combinedProcedureName);
13331334 #else
1334- sprintf (errorString, " [odbc] CallProcedureAsyncWorker::Execute: Stored procedure '%S' doesn't exist" , combinedProcedureName);
1335+ snprintf (errorString, sizeof (errorString) , " [odbc] CallProcedureAsyncWorker::Execute: Stored procedure '%S' doesn't exist" , combinedProcedureName);
13351336 #endif
13361337 SetError (errorString);
13371338 return ;
@@ -1845,7 +1846,7 @@ class CallProcedureAsyncWorker : public ODBCAsyncWorker {
18451846 size_t sqlStringSize = 1024 + parameterStringSize + sizeof (" { CALL () }" );
18461847 data->sql = new SQLTCHAR[sqlStringSize];
18471848#ifndef UNICODE
1848- sprintf ((char *)data->sql , " { CALL %s (%s) }" , combinedProcedureName, parameterString);
1849+ snprintf ((char *)data->sql , sqlStringSize , " { CALL %s (%s) }" , combinedProcedureName, parameterString);
18491850#else
18501851 // Note: On Windows, %s and %S change their behavior depending on whether
18511852 // it's passed to a printf function or a wprintf function. Since we're passing
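Review bot: The return value of the new snprintf at line 1849 is discarded, so when combinedProcedureName plus parameterString exceeds sqlStringSize the CALL statement is silently cut off (the trailing `) }` is the first thing lost) and the truncated text is still handed on as data->sql; the 1024-byte build of combinedProcedureName at line 1245 has the same gap, where truncation silently yields a different procedure name. Capture the result and fail the worker instead, e.g. `const int written = snprintf((char *)data->sql, sqlStringSize, ...same format and arguments...);` followed by `if (written < 0 || (size_t)written >= sqlStringSize) { SetError("[odbc] CallProcedureAsyncWorker::Execute: statement buffer too small"); return; }`, which mirrors the existing SetError/return pattern at lines 1337-1338 (whether that pattern is valid at line 1849 depends on the enclosing function, which starts outside the hunk). The literal 1024 now appears three times, in the new[] at line 1244, the snprintf bound at line 1247 and the sqlStringSize computation at line 1846, so a single named constant such as `constexpr size_t kProcedureNameBufferSize = 1024;` would keep those bounds from drifting apart. The error-message buffers at lines 1333 and 1335 are fine as bounded, since a truncated diagnostic is harmless.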