Fix one more use of wsprintf

...that would fall into the same trap as
50bd5c11f551f5274be9a4411c5ddcbd32bd9a03 "wsprintf is broken by design and never
writes more than 1024 characters" if the length were not currently bounded by
2 * MAX_PATH + x < 1024 anyway.

Change-Id: I2503ba0a9df960f2fdb51925d5fbbcff5bdb998a

1 files changed, 7 insertions, 8 deletions

diff --git a/extensions/source/nsplugin/source/npshell.cxx b/extensions/source/nsplugin/source/npshell.cxx
index 644222d12df4..42b99ae35474 100644
--- a/extensions/source/nsplugin/source/npshell.cxx
+++ b/extensions/source/nsplugin/source/npshell.cxx
@@ -274,14 +274,13 @@ int do_init_pipe()
         if (iniEnd == NULL) {
             return NPERR_GENERIC_ERROR;
         }
-        boost::scoped_array< WCHAR > args(
-            new WCHAR[
-                MY_LENGTH(L"\"") + (exeEnd - exe) + MY_LENGTH(L"\" ") +
-                wcslen(s_read_fd) + MY_LENGTH(L" ") + wcslen(s_write_fd) +
-                MY_LENGTH(L" \"-env:INIFILENAME=vnd.sun.star.pathname:") +
-                (iniEnd - ini) + MY_LENGTH(L"\"") + 1]); //TODO: overflow
-        wsprintfW(
-            args.get(),
+        size_t len = MY_LENGTH(L"\"") + (exeEnd - exe) + MY_LENGTH(L"\" ") +
+            wcslen(s_read_fd) + MY_LENGTH(L" ") + wcslen(s_write_fd) +
+            MY_LENGTH(L" \"-env:INIFILENAME=vnd.sun.star.pathname:") +
+            (iniEnd - ini) + MY_LENGTH(L"\"") + 1; //TODO: overflow
+        boost::scoped_array< WCHAR > args(new WCHAR[len]);
+        _snwprintf(
+            args.get(), len,
             L"\"%s\" %s %s \"-env:INIFILENAME=vnd.sun.star.pathname:%s\"", exe,
             s_read_fd, s_write_fd, ini);
         STARTUPINFOW NSP_StarInfo;