Fix agerr() format string issue in chkNum()

Commit 99eda42 fixed agerr() format string issue in yyerror(), but the
same fix is also needed for chkNum().  In chkNum(), format string can be
injected at least via malicious file name:

  $ cat fs4-%n%s%s%s%s%s%s.dot
  graph G { a [ weight = 0g ] }

  $ dot fs4-%n%s%s%s%s%s%s.dot
  Warning: *** %n in writable segment detected ***
  Aborted

diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
index a5872f4a3f618173ef4a580ec4bee5fb64d31710..6aef10bcdc5b3619bb23a310b037dff7190c980c 100644 (file)
--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -165,7 +165,7 @@ static int chkNum(void) {
        agxbput(&xb,buf);
        agxbput(&xb,fname);
        agxbput(&xb, " splits into two tokens\n");
-       agerr(AGWARN,agxbuse(&xb));
+       agerr(AGWARN, "%s", agxbuse(&xb));
 
        agxbfree(&xb);
        return 1;