On Mon, Jan 24, 2011 at 9:41 AM, Simon Budig <si...@budig.de> wrote:
> Ah sorry, should have mentioned that. The bug report is older than your
> mail to the list. We had a report on the %s conversion earlier which is
> what the patch attached to the bug attempts to fix.

Here (also from your patch):

snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
          sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
          sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);

sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a);

It will protect against the overflow, but there is a chance to get
wrong data (if the first string is also very big). For example, with
this ugly example code that I think is similar to the one from
your patch:

#include <stdio.h>
int main()
{
  char str1[16];
  char str2[16];
  char str3[16];
  char str4[16];
  char fmt[128];
  /* the first token of this line was lost from the archived mail; the
     run of 60 'a's is reconstructed from the printed output below
     (four buffers of 15 'a's each) */
  char buf[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "
               "bbbbbbbbbbbbbbb ccccccccccccccc ddddddddddddddd";

  /* build "%15s %15s %15s %15s" from the buffer sizes, as the patch does */
  snprintf(fmt, sizeof(fmt), "%%%lds %%%lds %%%lds %%%lds",
           (long) (sizeof(str1) - 1), (long) (sizeof(str2) - 1),
           (long) (sizeof(str3) - 1), (long) (sizeof(str4) - 1));
  sscanf(buf, fmt, str1, str2, str3, str4);
  printf("*%s* *%s* *%s* *%s*\n", str1, str2, str3, str4);
  return 0;
}
See that we have one big string first and all four vars were (wrongly)
filled from it:
*aaaaaaaaaaaaaaa* *aaaaaaaaaaaaaaa* *aaaaaaaaaaaaaaa* *aaaaaaaaaaaaaaa*
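
As an added example (not from this mail or the GIMP patch), here is the width-limited sscanf next to a variant that uses %n to notice when a token was cut short, so an over-long first field is rejected instead of being spread over the four buffers; the 16-byte buffers and the constructed input are taken from the example above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_FMT "%15s%n"   /* width 15 = buffer size 16 minus the NUL */

/* The width-limited sscanf from the patch: safe against overflow, but an
 * over-long first token is silently split across all four buffers.
 * Returns the number of fields sscanf filled. */
int parse_naive(const char *s, char r[16], char g[16], char b[16], char a[16])
{
    return sscanf(s, "%15s %15s %15s %15s", r, g, b, a);
}

/* Read one token of at most 15 chars and verify that it ended at
 * whitespace or end of input; otherwise the token was too long. */
static int scan_token(const char *s, char out[16], int *consumed)
{
    int n = 0;
    if (sscanf(s, TOKEN_FMT, out, &n) != 1)
        return 0;                                   /* no token at all */
    if (s[n] != '\0' && !isspace((unsigned char) s[n]))
        return 0;                                   /* token was truncated */
    *consumed = n;
    return 1;
}

/* Checked variant: returns 1 only if four well-formed tokens were read. */
int parse_checked(const char *s, char r[16], char g[16], char b[16], char a[16])
{
    char *out[4] = { r, g, b, a };
    for (int i = 0; i < 4; i++) {
        int n;
        if (!scan_token(s, out[i], &n))
            return 0;
        s += n;
    }
    return 1;
}

int main(void)
{
    /* constructed input: one 60-char token followed by three short ones */
    const char *bad = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa b c d";
    char r[16], g[16], b[16], a[16];
    printf("naive:   %d fields, r=%s g=%s\n", parse_naive(bad, r, g, b, a), r, g);
    printf("checked: %d\n", parse_checked(bad, r, g, b, a));
    return 0;
}
```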


Best regards,
Gimp-developer mailing list
