use string literals as format strings (#1037316)

This commit is contained in:
Nils Philippsen 2013-12-04 15:27:07 +01:00
parent b04b61c441
commit c49ab916be
2 changed files with 145 additions and 1 deletions

View File

@ -0,0 +1,139 @@
From d1c0b7d119bb9dd2c51143b44cc86a369f453746 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Wed, 4 Dec 2013 15:21:19 +0100
Subject: [PATCH] patch: format-security
Squashed commit of the following:
commit 19e071b9f6d477462a0f4afbbd17acd15268ddfa
Author: Nils Philippsen <nils@redhat.com>
Date: Wed Dec 4 15:04:12 2013 +0100
avoid using string formats insecurely with "-f"
In the process, simplify processing the device list format: don't copy
the format string for writing \0 into it, just iterate over chunks in
the original string.
(cherry picked from commit 8082a42ec4f3b3cf2cffc30a45dda5fc41d55576)
---
frontend/scanimage.c | 52 ++++++++++++++++++++--------------------------------
1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/frontend/scanimage.c b/frontend/scanimage.c
index d41c849..9e1bcfb 100644
--- a/frontend/scanimage.c
+++ b/frontend/scanimage.c
@@ -1826,23 +1826,16 @@ main (int argc, char **argv)
else
{
int i = 0, int_arg = 0;
- char *percent, *start, *fmt;
+ const char *percent, *start;
const char *text_arg = 0;
- char cc, ftype;
-
- fmt = malloc (strlen (optarg) + 1);
- if (fmt == 0)
- {
- fprintf (stderr, "%s: not enough memory\n", prog_name);
- exit (1);
- }
+ char ftype;
for (i = 0; device_list[i]; ++i)
{
- strcpy (fmt, optarg);
- start = fmt;
+ start = optarg;
while (*start && (percent = strchr (start, '%')))
{
+ int start_len = percent - start;
percent++;
if (*percent)
{
@@ -1850,19 +1843,19 @@ main (int argc, char **argv)
{
case 'd':
text_arg = device_list[i]->name;
- ftype = *percent = 's';
+ ftype = 's';
break;
case 'v':
text_arg = device_list[i]->vendor;
- ftype = *percent = 's';
+ ftype = 's';
break;
case 'm':
text_arg = device_list[i]->model;
- ftype = *percent = 's';
+ ftype = 's';
break;
case 't':
text_arg = device_list[i]->type;
- ftype = *percent = 's';
+ ftype = 's';
break;
case 'i':
int_arg = i;
@@ -1870,45 +1863,40 @@ main (int argc, char **argv)
break;
case 'n':
text_arg = "\n";
- ftype = *percent = 's';
+ ftype = 's';
break;
case '%':
- ftype = 0;
+ text_arg = "%";
+ ftype = 's';
break;
default:
fprintf (stderr,
"%s: unknown format specifier %%%c\n",
prog_name, *percent);
- *percent = '%';
- ftype = 0;
+ text_arg = "%";
+ ftype = 's';
}
- percent++;
- cc = *percent;
- *percent = 0;
+ printf ("%.*s", start_len, start);
switch (ftype)
{
case 's':
- printf (start, text_arg);
+ printf ("%s", text_arg);
break;
case 'i':
- printf (start, int_arg);
- break;
- case 0:
- printf (start);
+ printf ("%i", int_arg);
break;
}
- *percent = cc;
- start = percent;
+ start = percent + 1;
}
else
{
- /* last char of the string is a '%', suppress it */
- *start = 0;
+ /* last char of the string is a '%', ignore it */
+ start++;
break;
}
}
if (*start)
- printf (start);
+ printf ("%s", start);
}
}
if (i == 0 && ch != 'f')
--
1.8.4.2

View File

@ -37,7 +37,7 @@
Summary: Scanner access software
Name: sane-backends
Version: 1.0.24
Release: 7%{?dist}
Release: 8%{?dist}
# lib/ is LGPLv2+, backends are GPLv2+ with exceptions
# Tools are GPLv2+, docs are public domain
# see LICENSE for details
@ -75,6 +75,8 @@ Patch5: sane-backends-1.0.24-pixma_bjnp-crash.patch
Patch6: sane-backends-1.0.24-static-code-check.patch
# Upstream commit 758731489d0d58bab6e4b70db9556038c9f4bb67
Patch7: sane-backends-1.0.24-scsi-permissions.patch
# Upstream commit 8082a42ec4f3b3cf2cffc30a45dda5fc41d55576
Patch8: sane-backends-1.0.24-format-security.patch
URL: http://www.sane-project.org
@ -312,6 +314,9 @@ udevadm hwdb --update >/dev/null 2>&1 || :
%{_libdir}/sane/*gphoto2.so*
%changelog
* Wed Dec 04 2013 Nils Philippsen <nils@redhat.com> - 1.0.24-8
- use string literals as format strings (#1037316)
* Wed Nov 20 2013 Nils Philippsen <nils@redhat.com> - 1.0.24-7
- set correct permissions for SCSI devices (#1028549)