fix: sprintf→snprintf + strcpy→memcpy 缓冲区安全加固

src/driver/main.c

@@ -189,7 +189,8 @@ int main(int argc, char** argv) {
                 // 路径含空格则加引号
                 bool has_space = strchr(ld_args[i], ' ') != NULL;
                 if (has_space) *p++ = '"';
-                p += strlen(strcpy(p, ld_args[i]));
+                size_t alen = strlen(ld_args[i]);
+                memcpy(p, ld_args[i], alen); p += alen;
                 if (has_space) *p++ = '"';
             }
 

src/parser/expr.c

@@ -191,8 +191,9 @@ AstNode* parse_ident_or_call(Parser* p, ErrorInfo* error) {
                 const char** name_arr = seen_named
                     ? memcpy(arena_alloc_impl(p->arena, arg_count * sizeof(const char*)), arg_names, arg_count * sizeof(const char*))
                     : NULL;
-                char* full_name = arena_alloc_impl(p->arena, name->length + variant->length + 4);
-                sprintf(full_name, "%.*s::%.*s", name->length, name->start, variant->length, variant->start);
+                size_t fn_len = name->length + variant->length + 3;
+                char* full_name = arena_alloc_impl(p->arena, fn_len + 1);
+                snprintf(full_name, fn_len + 1, "%.*s::%.*s", name->length, name->start, variant->length, variant->start);
                 return ast_make_call(p->arena, full_name, arg_arr, name_arr, arg_count, tok_loc(name));
             }
         }

src/parser/parser.c

@@ -493,8 +493,9 @@ AstNode* parse(Arena* a, const Token* tokens, size_t count,
                 if (!m) return NULL;
                 // trait 实现: 方法名 mangled 为 TraitName$methodName
                 if (trait_name) {
-                    char* mn = arena_alloc_impl(p.arena, strlen(trait_name) + strlen(m->as.function.name) + 4);
-                    sprintf(mn, "%s$%s", trait_name, m->as.function.name);
+                    size_t mn_len = strlen(trait_name) + strlen(m->as.function.name) + 2;
+                    char* mn = arena_alloc_impl(p.arena, mn_len + 1);
+                    snprintf(mn, mn_len + 1, "%s$%s", trait_name, m->as.function.name);
                     m->as.function.name = mn;
                 }
                 methods[mcount++] = m;
@@ -516,8 +517,9 @@ AstNode* parse(Arena* a, const Token* tokens, size_t count,
             for (size_t i = 0; i < sub->as.program.fn_count; i++) {
                 AstNode* fn = sub->as.program.functions[i];
                 if (fn->as.function.is_pub) {
-                    char* mangled = arena_alloc_impl(p.arena, strlen(mod_name) + strlen(fn->as.function.name) + 4);
-                    sprintf(mangled, "%s::%s", mod_name, fn->as.function.name);
+                    size_t mg_len = strlen(mod_name) + strlen(fn->as.function.name) + 3;
+                    char* mangled = arena_alloc_impl(p.arena, mg_len + 1);
+                    snprintf(mangled, mg_len + 1, "%s::%s", mod_name, fn->as.function.name);
                     fn->as.function.name = mangled;
                     if (fn_count >= 256) { error->message = "函数过多"; error->filename = p.filename; return NULL; }
                     functions[fn_count++] = fn;