make sure that sscanf doesn't get too much data

%19[0-9e+-] makes sure that it takes only the characters required for
getting a double variable

diff --git a/src/rrd_graph.c b/src/rrd_graph.c
index 482e7daa6ab6ade0f8213bbe97e730ac50e3776e..5d89cff85a25cdaf1ab1087bc13846c0a833abb7 100644 (file)
--- a/src/rrd_graph.c
+++ b/src/rrd_graph.c
@@ -5157,15 +5157,13 @@ int vdef_parse(
      * so the parsing is rather simple.  Change if needed.
      */
     double    param;
-    char      func[30], double_str[12];
+    char      func[30], double_str[21];
     int       n;
 
     n = 0;
-    sscanf(str, "%[-0-9.e+],%29[A-Z]%n", double_str, func, &n);
-    rrd_strtoding( double_str, 0, &param, "Function vdef_parse" );
-    if (n == (int) strlen(str)) {   /* matched */
-        ;
-    } else {
+    sscanf(str, "%20[-0-9.e+],%29[A-Z]%n", double_str, func, &n);
+    if ( rrd_strtoding( str, NULL, &param, "Function vdef_parse" ) != 2){
+        rrd_clear_error();
         n = 0;
         sscanf(str, "%29[A-Z]%n", func, &n);
         if (n == (int) strlen(str)) {   /* matched */

diff --git a/src/rrd_rpncalc.c b/src/rrd_rpncalc.c
index 129353278e92891335732a066807603ec025854f..0dd38715e6d6729c7fdee9de5c9a0710299ed9be 100644 (file)
--- a/src/rrd_rpncalc.c
+++ b/src/rrd_rpncalc.c
@@ -316,7 +316,7 @@ rpnp_t   *rpn_parse(
             return NULL;
         }
 
-        else if ((sscanf(expr, "%[-0-9.e+]%n", double_str, &pos) == 1)
+        else if ((sscanf(expr, "%19[-0-9.e+]%n", double_str, &pos) == 1)
                  && (expr[pos] == ',')
                  && ( rrd_strtoding( double_str, 0, &(rpnp[steps].val), "Error while parsing double in rpn_parse" ) == 2 )) {
             rpnp[steps].op = OP_NUMBER;