From 37d3050caed517538efa1f6fc28fda48aee3d53e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jaroslav=20=C5=A0karvada?=
Date: Mon, 3 Jun 2013 17:06:26 +0200
Subject: [PATCH] Added imginfo format check
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Resolves: http://bugzilla.redhat.com/show_bug.cgi?id=969296 (CVE-2013-2131)
Signed-off-by: Jaroslav Å karvada
---
 src/rrd_graph.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/src/rrd_graph.c b/src/rrd_graph.c
index 25ae4854..e714e4f4 100644
--- a/src/rrd_graph.c
+++ b/src/rrd_graph.c
@@ -4144,6 +4144,12 @@ rrd_info_t *rrd_graph_v(
 char *path;
 char *filename;
+ if (bad_format_imginfo(im.imginfo)) {
+ rrd_info_free(im.grinfo);
+ im_free(&im);
+ rrd_set_error("bad format for imginfo");
+ return NULL;
+ }
 path = strdup(im.graphfile);
 filename = basename(path);
 info.u_str =
@@ -4961,6 +4967,51 @@ int bad_format(
 }
+int bad_format_imginfo(
+ char *fmt)
+{
+ char *ptr;
+ int n = 0;
+
+ ptr = fmt;
+ while (*ptr != '\0')
+ if (*ptr++ == '%') {
+
+ /* line cannot end with percent char */
+ if (*ptr == '\0')
+ return 1;
+ /* '%%' is allowed */
+ if (*ptr == '%')
+ ptr++;
+ /* '%s', '%S' are allowed */
+ else if (*ptr == 's' || *ptr == 'S') {
+ n = 1;
+ ptr++;
+ }
+
+ /* or else '% 4lu' and such are allowed */
+ else {
+ /* optional padding character */
+ if (*ptr == ' ')
+ ptr++;
+ /* This should take care of 'm' */
+ while (*ptr >= '0' && *ptr <= '9')
+ ptr++;
+ /* 'lu' must follow here */
+ if (*ptr++ != 'l')
+ return 1;
+ if (*ptr == 'u')
+ ptr++;
+ else
+ return 1;
+ n++;
+ }
+ }
+
+ return (n != 3);
+}
+
+
 int vdef_parse(
 struct graph_desc_t *gdes,
-- 
2.47.2
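Review bot: `bad_format_imginfo()` is called in this first hunk (new-file lines 4144 onward) but is only defined in the second hunk, near line 4967, and the diffstat lists no header change, so unless a prototype already exists outside the diff this call compiles through an implicit declaration. I would add `int bad_format_imginfo(char *fmt);` next to the existing declaration of `bad_format`, or as a forward declaration above `rrd_graph_v`. The validator dereferences its argument without a NULL test, so the call also depends on `im.imginfo` being non-NULL at this point. That guard, like the rest of `rrd_graph_v`, starts and ends outside the hunk and should be confirmed.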
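Review bot: The `%s` branch of `bad_format_imginfo` assigns `n = 1` instead of counting, so the final `n != 3` test does not prove the format holds exactly one string conversion followed by two `lu` conversions. A `%s` that appears after earlier conversions resets the count, and a format with three `lu` conversions and no `%s` is accepted. Assuming the format is later expanded with one string and two unsigned long arguments (that call is outside the hunk), such formats still mismatch the argument list, which is what this check is meant to rule out. Enforcing the order closes the gap: `if (n != 0) return 1;` before `n = 1;`, and `if (n == 0) return 1;` before `n++;`. I would also drop `%S`, which POSIX printf treats as a wide-character string and so would not match a `char *` argument, and declare the parameter `const char *fmt` since it is never written through.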