components/graphviz/patches/004-495f781-format-string.patch
author Yiteng Zhang <yiteng.zhang@oracle.com>
Wed, 03 Aug 2016 15:33:19 -0700
changeset 6544 f3ddf1d33382
permissions -rw-r--r--
21465165 problem in UTILITY/GRAPHVIZ

From 495f781f91dca1fb165bbaa6abc0ced1c09535c8 Mon Sep 17 00:00:00 2001
From: Tomas Hoger <[email protected]>
Date: Wed, 20 May 2015 11:15:32 +0200
Subject: [PATCH] Fix agerr() format string issue in chkNum()

Commit 99eda42 fixed an agerr() format string issue in yyerror(), but the
same fix is also needed for chkNum().  In chkNum(), the format string can
be injected at least via a malicious file name:

  $ cat fs4-%n%s%s%s%s%s%s.dot
  graph G { a [ weight = 0g ] }

  $ dot fs4-%n%s%s%s%s%s%s.dot
  Warning: *** %n in writable segment detected ***
  Aborted
---
 lib/cgraph/scan.l | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
index a5872f4..6aef10b 100644
--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -165,7 +165,7 @@ static int chkNum(void) {
 	agxbput(&xb,buf);
 	agxbput(&xb,fname);
 	agxbput(&xb, " splits into two tokens\n");
-	agerr(AGWARN,agxbuse(&xb));
+	agerr(AGWARN, "%s", agxbuse(&xb));
 
 	agxbfree(&xb);
 	return 1;
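Review bot: the one-line change is the right fix, but it is the second instance of the same agerr() pattern (the message cites yyerror() in 99eda42), so the remaining agerr() call sites should be audited for non-literal format arguments before this is closed; if agerr() is not already declared with a printf-style format attribute (e.g. `__attribute__((format(printf, 2, 3)))`), adding one lets gcc's -Wformat-security flag calls like the removed `agerr(AGWARN,agxbuse(&xb));` at compile time. The component appended by `agxbput(&xb,fname);` is the user-controlled input, and the new `"%s"` format leaves its contents uninterpreted.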
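The mechanism described in the commit message, shown as an added example that is not part of the patch or of Graphviz's own code: a stand-in for agerr() (assumed here to format into a caller-supplied buffer rather than stderr so the result can be inspected), the chkNum()-style message assembly, the pre-patch call shape kept only for comparison and never executed, and the post-patch `"%s"` shape run on the file name from the commit message. The prefix text, the helper names and the `has_format_directive()` check are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for agerr(): same calling convention (format + varargs) but it
   formats into a caller-supplied buffer so the result can be inspected. */
static int report(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Message assembly as in chkNum(): a fixed prefix, the file name and a
   fixed suffix are concatenated into one buffer. fname comes from the
   command line, so it is attacker-controlled. */
static void compose(char *msg, size_t msgsz, const char *prefix, const char *fname)
{
    snprintf(msg, msgsz, "%s%s splits into two tokens\n", prefix, fname);
}

/* Pre-patch shape: the assembled message *is* the format string, so every
   '%' sequence in fname is interpreted ("%s" reads missing varargs, "%n"
   writes through one). That is undefined behaviour; this function exists
   only for comparison and is never called. */
int report_unpatched(char *out, size_t outsz, const char *msg)
{
    return report(out, outsz, msg);
}

/* Post-patch shape (agerr(AGWARN, "%s", ...)): the assembled message is an
   argument to a literal "%s" format, so its '%' sequences are copied
   verbatim and never interpreted. */
int report_patched(char *out, size_t outsz, const char *msg)
{
    return report(out, outsz, "%s", msg);
}

/* Runs the patched path on a file name and returns the emitted warning. */
const char *patched_warning_for(const char *fname)
{
    static char msg[512], out[512];

    /* Constructed prefix; the real text lives in chkNum()'s buf. */
    compose(msg, sizeof msg, "badly delimited number '0g' in ", fname);
    report_patched(out, sizeof out, msg);
    return out;
}

/* Returns 1 if s contains at least one conversion directive (a '%' that is
   not the escape "%%"), i.e. if it would be unsafe as a format string. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* File name taken from the commit message's reproducer. */
    const char *fname = "fs4-%n%s%s%s%s%s%s.dot";

    printf("directive in file name: %d\n", has_format_directive(fname));
    fputs(patched_warning_for(fname), stdout);
    return 0;
}
```

The `has_format_directive()` check is what a fuzz harness or a unit test for the logging layer would apply to any string that reaches an agerr()-style function in format position; in the fixed code it is not needed at run time because the literal `"%s"` guarantees the message is only ever an argument.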