From 26f918e1c382e2cc82d23b6f564183a78bb3e421 Mon Sep 17 00:00:00 2001
From: Albert Queiroz <43816241+AlbertQueiroz@users.noreply.github.com>
Date: Wed, 6 Sep 2023 14:53:20 -0300
Subject: [PATCH] refactor code to remove security leak functions

---
 Adjust/ADJAdditions/NSString+ADJAdditions.m |  7 ++++---
 Adjust/ADJPackageBuilder.m                  | 19 ++++++++++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/Adjust/ADJAdditions/NSString+ADJAdditions.m b/Adjust/ADJAdditions/NSString+ADJAdditions.m
index bd94e6ba9..b85e29f7c 100644
--- a/Adjust/ADJAdditions/NSString+ADJAdditions.m
+++ b/Adjust/ADJAdditions/NSString+ADJAdditions.m
@@ -59,11 +59,12 @@ - (NSString *)adjUrlDecode {
 
 - (NSString *)adjSha256 {
     const char* str = [self UTF8String];
+    NSUInteger length = [self lengthOfBytesUsingEncoding:NSUTF8StringEncoding];
     unsigned char result[CC_SHA256_DIGEST_LENGTH];
-    CC_SHA256(str, (CC_LONG)strlen(str), result);
+    CC_SHA256(str, (CC_LONG)length, result);
     NSMutableString *ret = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
-    for (int i = 0; i<CC_SHA256_DIGEST_LENGTH; i++) {
-        [ret appendFormat:@"%02x",result[i]];
+    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
+        [ret appendFormat:@"%02x", result[i]];
     }
     return ret;
 }
diff --git a/Adjust/ADJPackageBuilder.m b/Adjust/ADJPackageBuilder.m
index 922863304..3dd0d8d01 100644
--- a/Adjust/ADJPackageBuilder.m
+++ b/Adjust/ADJPackageBuilder.m
@@ -365,9 +365,22 @@ - (void)signWithSigV2Plugin:(ADJActivityPackage *)activityPackage {
     const char *sdkVersionChar = [activityPackage.clientSdk UTF8String];
 
     // Stack allocated strings to ensure their lifetime stays until the next iteration
-    static char activityKind[64], sdkVersion[64];
-    strncpy(activityKind, activityKindChar, strlen(activityKindChar) + 1);
-    strncpy(sdkVersion, sdkVersionChar, strlen(sdkVersionChar) + 1);
+    static char activityKind[64] = {0};
+    static char sdkVersion[64] = {0};
+
+    size_t activityKindCharLength = 0;
+    while (activityKindChar[activityKindCharLength] != '\0' && activityKindCharLength < sizeof(activityKind) - 1) {
+        activityKind[activityKindCharLength] = activityKindChar[activityKindCharLength];
+        activityKindCharLength++;
+    }
+    activityKind[activityKindCharLength] = '\0';
+
+    size_t sdkVersionCharLength = 0;
+    while (sdkVersionChar[sdkVersionCharLength] != '\0' && sdkVersionCharLength < sizeof(sdkVersion) - 1) {
+        sdkVersion[sdkVersionCharLength] = sdkVersionChar[sdkVersionCharLength];
+        sdkVersionCharLength++;
+    }
+    sdkVersion[sdkVersionCharLength] = '\0';
 
     // NSInvocation setArgument requires lvalue references with exact matching types to the executed function signature.
     // With this usage we ensure that the lifetime of the object remains until the next iteration, as it points to the