From: Upasana
Date: Fri, 11 Jul 2014 17:14:48 +0000 (+0530)
Subject: make sure that sscanf doesn't get too much data
X-Git-Tag: v1.5.0-rc1~63^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=144cf524ba66fa24979adf1934815b8d72f7b3a7;p=thirdparty%2Frrdtool-1.x.git
make sure that sscanf doesn't get too much data
%19[0-9e+-] makes sure that it takes only the characters required for getting a double variable
---
diff --git a/src/rrd_graph.c b/src/rrd_graph.c
index 482e7daa..5d89cff8 100644
--- a/src/rrd_graph.c
+++ b/src/rrd_graph.c
@@ -5157,15 +5157,13 @@ int vdef_parse(
 * so the parsing is rather simple. Change if needed. */
 double param;
- char func[30], double_str[12];
+ char func[30], double_str[21];
 int n;
 n = 0;
- sscanf(str, "%[-0-9.e+],%29[A-Z]%n", double_str, func, &n);
- rrd_strtoding( double_str, 0, ¶m, "Function vdef_parse" );
- if (n == (int) strlen(str)) { /* matched */
- ;
- } else {
+ sscanf(str, "%20[-0-9.e+],%29[A-Z]%n", double_str, func, &n);
+ if ( rrd_strtoding( str, NULL, ¶m, "Function vdef_parse" ) != 2){
+ rrd_clear_error();
 n = 0;
 sscanf(str, "%29[A-Z]%n", func, &n);
 if (n == (int) strlen(str)) { /* matched */
diff --git a/src/rrd_rpncalc.c b/src/rrd_rpncalc.c
index 12935327..0dd38715 100644
--- a/src/rrd_rpncalc.c
+++ b/src/rrd_rpncalc.c
@@ -316,7 +316,7 @@ rpnp_t *rpn_parse(
 return NULL;
 }
- else if ((sscanf(expr, "%[-0-9.e+]%n", double_str, &pos) == 1)
+ else if ((sscanf(expr, "%19[-0-9.e+]%n", double_str, &pos) == 1)
 && (expr[pos] == ',') && ( rrd_strtoding( double_str, 0, &(rpnp[steps].val), "Error while parsing double in rpn_parse" ) == 2 )) {
 rpnp[steps].op = OP_NUMBER;
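Review bot: In the src/rrd_graph.c hunk (vdef_parse), the new condition converts `str` instead of the bounded `double_str`, and the `n == (int) strlen(str)` full-match test was removed with the old branch, so nothing visible confirms that sscanf assigned `func` before the non-fallback path runs. That path lies outside the hunk, so whether `func` is read there while still uninitialised is inferred rather than shown. Checking the sscanf result and the match length in the same condition would restore the guarantee: `if (sscanf(str, "%20[-0-9.e+],%29[A-Z]%n", double_str, func, &n) != 2 || n != (int) strlen(str) || rrd_strtoding(double_str, NULL, &param, "Function vdef_parse") != 2) {`. This assumes a return of 2 from rrd_strtoding means the whole string converted, as the `== 2` test in the rpn_parse hunk suggests.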
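Review bot: In the src/rrd_rpncalc.c hunk (rpn_parse), the `%19[-0-9.e+]` width is only safe if `double_str` holds at least 20 bytes, and its declaration is outside this hunk, so the bound cannot be confirmed from the lines shown. The same commit uses width 20 with a 21-byte buffer in vdef_parse, so the two limits are already maintained by hand in separate files. A comment at the declaration such as `/* sscanf field width in rpn_parse must stay at sizeof(double_str) - 1 */` would keep a later resize from silently reintroducing the overflow this commit closes.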