components/graphviz/patches/004-495f781-format-string.patch
changeset 6544 f3ddf1d33382
6543:b5c03b086e6d 6544:f3ddf1d33382
       
     1 From 495f781f91dca1fb165bbaa6abc0ced1c09535c8 Mon Sep 17 00:00:00 2001
       
     2 From: Tomas Hoger <[email protected]>
       
     3 Date: Wed, 20 May 2015 11:15:32 +0200
       
     4 Subject: [PATCH] Fix agerr() format string issue in chkNum()
       
     5 
       
     6 Commit 99eda42 fixed agerr() format string issue in yyerror(), but the
       
     7 same fix is also needed for chkNum().  In chkNum(), format string can be
       
     8 injected at least via malicious file name:
       
     9 
       
    10   $ cat fs4-%n%s%s%s%s%s%s.dot
       
    11   graph G { a [ weight = 0g ] }
       
    12 
       
    13   $ dot fs4-%n%s%s%s%s%s%s.dot
       
    14   Warning: *** %n in writable segment detected ***
       
    15   Aborted
       
    16 ---
       
    17  lib/cgraph/scan.l | 2 +-
       
    18  1 file changed, 1 insertion(+), 1 deletion(-)
       
    19 
       
    20 diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
       
    21 index a5872f4..6aef10b 100644
       
    22 --- a/lib/cgraph/scan.l
       
    23 +++ b/lib/cgraph/scan.l
       
    24 @@ -165,7 +165,7 @@ static int chkNum(void) {
       
    25  	agxbput(&xb,buf);
       
    26  	agxbput(&xb,fname);
       
    27  	agxbput(&xb, " splits into two tokens\n");
       
    28 -	agerr(AGWARN,agxbuse(&xb));
       
    29 +	agerr(AGWARN, "%s", agxbuse(&xb));
       
    30  
       
    31  	agxbfree(&xb);
       
    32  	return 1;
       
    33
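Review bot: The new `agerr(AGWARN, "%s", agxbuse(&xb));` line in chkNum() fixes this one call site, but nothing in the patch guards against the same pattern elsewhere; the description itself says commit 99eda42 had to fix the identical mistake in yyerror(). The declaration of agerr() is not visible here, so if it does not already carry a printf-style format attribute, adding one such as `__attribute__((format(printf, 2, 3)))` and building with `-Wformat -Wformat-security` would let the compiler flag any remaining non-literal format argument. A short comment above the call, for example `/* xb contains the input file name; never pass it as the format string */`, would record why the literal "%s" must stay. chkNum() begins and ends outside the hunk, so how buf and fname are populated cannot be confirmed from these lines.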