Take length of format width specifier into account for format string buffer

- Prevents buffer overflow in case of ridiculous field width specifiers
  like --qf "%100000000000000000000000000{name}". There's another similar
  static-sized buffer in rpmtdFormat() but there we're not dealing
  with user-speficied format strings so its okay even if ugly.
- The format string handling wants a bigger overhaul but this makes
  for a nice little backportable patch for starters.

diff --git a/lib/headerfmt.c b/lib/headerfmt.c
index 45c52c2..86d2c1d 100644 (file)
--- a/lib/headerfmt.c
+++ b/lib/headerfmt.c
@@ -618,7 +618,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element)
     char * val = NULL;
     size_t need = 0;
     char * t, * te;
-    char buf[20];
+    char buf[strlen(tag->format) + 3]; /* extra for '%', fmt char and '\0' */
     rpmtd td;
 
     memset(buf, 0, sizeof(buf));