From 4387be59b3a541a3bf91546fdf396fdc76cc7a24 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Wed, 17 Aug 2011 09:03:44 +0300 Subject: [PATCH] Take length of format width specifier into account for format string buffer - Prevents buffer overflow in case of ridiculous field width specifiers like --qf "%100000000000000000000000000{name}". There's another similar static-sized buffer in rpmtdFormat() but there we're not dealing with user-specified format strings so it's okay even if ugly. - The format string handling wants a bigger overhaul but this makes for a nice little backportable patch for starters. --- lib/headerfmt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/headerfmt.c b/lib/headerfmt.c index 45c52c2..86d2c1d 100644 --- a/lib/headerfmt.c +++ b/lib/headerfmt.c @@ -618,7 +618,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element) char * val = NULL; size_t need = 0; char * t, * te; - char buf[20]; + char buf[strlen(tag->format) + 3]; /* extra for '%', fmt char and '\0' */ rpmtd td; memset(buf, 0, sizeof(buf)); -- 2.7.4
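
Review bot: in formatValue(), `char buf[strlen(tag->format) + 3];` turns buf into a variable-length array sized from the user-supplied format string, so stack usage is now unbounded: a long width specifier no longer overruns a 20-byte buffer, but a sufficiently long one can still exhaust the stack. Consider allocating buf on the heap and freeing it on every exit path, or rejecting width specifiers above a sane limit before this function is reached. The `memset(buf, 0, sizeof(buf));` in the trailing context stays correct because sizeof on a variable-length array is evaluated at run time, but the code that writes into buf is outside the visible context, so the `+ 3` ('%', fmt char and '\0', per the comment) should be confirmed against it. The commit message also mentions a similar static-sized buffer in rpmtdFormat() that this patch leaves unchanged; a source comment there recording why it is not reachable with user-specified format strings would keep that assumption from being lost.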