On Wed, Oct 09, 2013 at 06:24:54PM +0100, Wookey wrote:
> c++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
> -Werror=format-security -Wall -DTHLINUX -O2 -o thpoint.o thpoint.cxx
> thpoint.cxx: In member function ‘virtual bool 
> thpoint::export_mp(thexpmapmpxs*)’:
> thpoint.cxx:657:89: error: format not a string literal and no format 
> arguments [-Werror=format-security]
> 
> The code is:
> 
>         if (!thisnan(this->xsize)) {
>           //if (double(int(this->xsize)) != this->xsize)
>           //  sprintf(buff,"%.1f",this->xsize);
>           //else
>           //  sprintf(buff,"%.0f",this->xsize);
>           
>           fprintf(out->file,utf2tex(out->layout->units.format_human_length(this->xsize)));
>       }
> 
> I don't understand this beyond the issue being that a format string
> really should be supplied, otherwise it's a security risk, and it's not
> being. Can someone supply a fix please?

The problem is that the string being printed could contain %-formatting
codes, and if an attacker can control that string, they can potentially
overwrite memory (via %n).  So you want to write out the string as a
literal string by giving a format string of "%s":

  
  fprintf(out->file,"%s",utf2tex(out->layout->units.format_human_length(this->xsize)));

Or simpler:

  fputs(utf2tex(out->layout->units.format_human_length(this->xsize)),out->file);

I believe GCC actually optimises the former to the latter for you in the
case when the format is a literal string "%s".

Cheers,
    Olly
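
Added example (not part of the original thread, and not Therion code): a small C check showing what printf would do with a string if it were passed as the format, next to the "%s" form that treats it purely as data. The names count_directives and render_literal are hypothetical, the scanner is deliberately simplified (it does not count arguments consumed by '*' widths), and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives printf would act on if `s` were used
 * as the format string. "%%" is a literal percent and takes no argument.
 * *writes is set to 1 if any directive is %n (a store through a pointer
 * argument that the caller never supplied). */
static int count_directives(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;                 /* literal percent */
        /* skip flags, width, precision and length modifiers */
        s += strspn(s, "-+ #0123456789.*hlLqjzt'");
        if (*s == '\0')
            break;                    /* string ended inside a directive */
        if (*s == 'n')
            *writes = 1;
        n++;
    }
    return n;
}

/* The fix from the reply: a literal "%s" format, so `s` is only data.
 * Rendered into a buffer here so the result can be inspected. */
static int render_literal(char *dst, size_t cap, const char *s)
{
    return snprintf(dst, cap, "%s", s);
}

int main(void)
{
    /* Constructed samples: a plain length, and a string with directives. */
    const char *samples[] = { "12.5 m", "%08x.%s.%hhn" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int writes;
        int n = count_directives(samples[i], &writes);
        render_literal(buf, sizeof buf, samples[i]);
        printf("as format: %d directive(s), %%n=%d | as data: [%s]\n",
               n, writes, buf);
    }
    return 0;
}
```

Any non-zero directive count means printf would fetch arguments that were never passed; with the "%s" form the same bytes come out unchanged.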
