f04c66a1c9
Resolves: CVE-2013-2131
69 lines
1.8 KiB
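diff -up rrdtool-1.4.8/src/rrd_graph.c.orig2 rrdtool-1.4.8/src/rrd_graph.c
--- rrdtool-1.4.8/src/rrd_graph.c.orig2 2013-05-23 09:55:07.000000000 +0200
+++ rrdtool-1.4.8/src/rrd_graph.c 2013-06-03 15:56:35.820593192 +0200
@@ -4022,6 +4022,12 @@ rrd_info_t *rrd_graph_v(
 char *path;
 char *filename;
 
+ if (bad_format_imginfo(im.imginfo)) {
+ rrd_info_free(im.grinfo);
+ im_free(&im);
+ rrd_set_error("bad format for imginfo");
+ return NULL;
+ }
 path = strdup(im.graphfile);
 filename = basename(path);
 info.u_str =
@@ -4827,6 +4833,51 @@ int bad_format(
 }
 
 
+int bad_format_imginfo(
+ char *fmt)
+{
+ char *ptr;
+ int n = 0;
+
+ ptr = fmt;
+ while (*ptr != '\0')
+ if (*ptr++ == '%') {
+
+ /* line cannot end with percent char */
+ if (*ptr == '\0')
+ return 1;
+ /* '%%' is allowed */
+ if (*ptr == '%')
+ ptr++;
+ /* '%s', '%S' are allowed */
+ else if (*ptr == 's' || *ptr == 'S') {
+ n = 1;
+ ptr++;
+ }
+
+ /* or else '% 4lu' and such are allowed */
+ else {
+ /* optional padding character */
+ if (*ptr == ' ')
+ ptr++;
+ /* This should take care of 'm' */
+ while (*ptr >= '0' && *ptr <= '9')
+ ptr++;
+ /* 'lu' must follow here */
+ if (*ptr++ != 'l')
+ return 1;
+ if (*ptr == 'u')
+ ptr++;
+ else
+ return 1;
+ n++;
+ }
+ }
+
+ return (n != 3);
+}
+
+
 int vdef_parse(
 struct graph_desc_t
 *gdes,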
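Review bot: The `n = 1;` in the `%s`/`%S` branch of bad_format_imginfo resets the conversion count instead of adding to it, so a format like `%s%s%lu%lu` (four conversions) still ends with n == 3 and passes, and the check also accepts the three conversions in any order. If the call that later formats imginfo (outside this hunk) supplies exactly one string and two numbers, a surplus or mis-ordered conversion reads arguments the caller never passed, which is the class of problem this patch is meant to close. Counting `%s` and `%lu` separately and requiring exactly one and two fixes the count; enforcing the position of the `%s` would additionally need the call site's argument order, which this patch does not show. `fmt` is never written through and could be declared `const char *fmt`. If no prototype is added in a header elsewhere, the call in rrd_graph_v (first hunk) precedes this definition and relies on an implicit declaration.
```c
int bad_format_imginfo(
    char *fmt)
{
    char *ptr;
    int ns = 0;   /* '%s' / '%S' conversions seen */
    int nl = 0;   /* '%lu' conversions seen */
    /* … unchanged: loop head, '\0' and '%%' handling … */
            else if (*ptr == 's' || *ptr == 'S') {
                ns++;
                ptr++;
            }
            /* … unchanged: padding, width and 'lu' checks … */
                nl++;
    /* … unchanged: end of loop … */
    return (ns != 1 || nl != 2);
}
```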