Added imginfo format check

Resolves: http://bugzilla.redhat.com/show_bug.cgi?id=969296
(CVE-2013-2131)

Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>

diff --git a/src/rrd_graph.c b/src/rrd_graph.c
index 25ae4854644f48ef4a9e2dcd7b026d2e92e5add7..e714e4f483a651883f23a1311077697b1bbf8330 100644 (file)
--- a/src/rrd_graph.c
+++ b/src/rrd_graph.c
@@ -4144,6 +4144,12 @@ rrd_info_t *rrd_graph_v(
         char     *path;
         char     *filename;
 
+        if (bad_format_imginfo(im.imginfo)) {
+            rrd_info_free(im.grinfo);
+            im_free(&im);
+            rrd_set_error("bad format for imginfo");
+            return NULL;
+        }
         path = strdup(im.graphfile);
         filename = basename(path);
         info.u_str =
@@ -4961,6 +4967,51 @@ int bad_format(
 }
 
 
+int bad_format_imginfo(
+    char *fmt)
+{
+    char     *ptr;
+    int       n = 0;
+
+    ptr = fmt;
+    while (*ptr != '\0')
+        if (*ptr++ == '%') {
+
+            /* line cannot end with percent char */
+            if (*ptr == '\0')
+                return 1;
+            /* '%%' is allowed */
+            if (*ptr == '%')
+                ptr++;
+            /* '%s', '%S' are allowed */
+            else if (*ptr == 's' || *ptr == 'S') {
+                n = 1;
+                ptr++;
+            }
+
+            /* or else '% 4lu' and such are allowed */
+            else {
+                /* optional padding character */
+                if (*ptr == ' ')
+                    ptr++;
+                /* This should take care of 'm' */
+                while (*ptr >= '0' && *ptr <= '9')
+                    ptr++;
+                /* 'lu' must follow here */
+                if (*ptr++ != 'l')
+                    return 1;
+                if (*ptr == 'u')
+                    ptr++;
+                else
+                    return 1;
+                n++;
+            }
+        }
+
+    return (n != 3);
+}
+
+
 int vdef_parse(
     struct graph_desc_t
     *gdes,