Additional check for more string specifiers than arguments.

(closes issue #13299)
 Reported by: adomjan
 Patches:
       20080813__bug13299.diff.txt uploaded by Corydon76 (license 14)
       func_strings.c-sprintf.patch uploaded by adomjan (license 487)
 Tested by: adomjan

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@138023 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/funcs/func_strings.c b/funcs/func_strings.c
index 10c274efd89cf3b67facefc64431c0c14efbdc99..793b016b17db7bd71d58a301351b91683b49a929 100644 (file)
--- a/funcs/func_strings.c
+++ b/funcs/func_strings.c
@@ -300,8 +300,13 @@ static int acf_sprintf(struct ast_channel *chan, char *cmd, char *data, char *bu
                                formatbuf[&arg.format[i] - formatstart + 1] = '\0';
 
                                /* Convert the argument into the required type */
-                               if (sscanf(arg.var[argcount++], "%d", &tmpi) != 1) {
-                                       ast_log(LOG_ERROR, "Argument '%s' is not an integer number for format '%s'\n", arg.var[argcount - 1], formatbuf);
+                               if (arg.var[argcount]) {
+                                       if (sscanf(arg.var[argcount++], "%d", &tmpi) != 1) {
+                                               ast_log(LOG_ERROR, "Argument '%s' is not an integer number for format '%s'\n", arg.var[argcount - 1], formatbuf);
+                                               goto sprintf_fail;
+                                       }
+                               } else {
+                                       ast_log(LOG_ERROR, "SPRINTF() has more format specifiers than arguments!\n");
                                        goto sprintf_fail;
                                }
 
@@ -318,8 +323,13 @@ static int acf_sprintf(struct ast_channel *chan, char *cmd, char *data, char *bu
                                formatbuf[&arg.format[i] - formatstart + 1] = '\0';
 
                                /* Convert the argument into the required type */
-                               if (sscanf(arg.var[argcount++], "%lf", &tmpd) != 1) {
-                                       ast_log(LOG_ERROR, "Argument '%s' is not a floating point number for format '%s'\n", arg.var[argcount - 1], formatbuf);
+                               if (arg.var[argcount]) {
+                                       if (sscanf(arg.var[argcount++], "%lf", &tmpd) != 1) {
+                                               ast_log(LOG_ERROR, "Argument '%s' is not a floating point number for format '%s'\n", arg.var[argcount - 1], formatbuf);
+                                               goto sprintf_fail;
+                                       }
+                               } else {
+                                       ast_log(LOG_ERROR, "SPRINTF() has more format specifiers than arguments!\n");
                                        goto sprintf_fail;
                                }
 
@@ -366,6 +376,7 @@ static int acf_sprintf(struct ast_channel *chan, char *cmd, char *data, char *bu
                        }
                }
        }
+       *bufptr = '\0';
        return 0;
 sprintf_fail:
        return -1;