From: Tomas Hoger Date: Wed, 20 May 2015 09:15:32 +0000 (+0200) Subject: Fix agerr() format string issue in chkNum() X-Git-Tag: TRAVIS_CI_BUILD_EXPERIMENTAL~109^2~11^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=495f781f91dca1fb165bbaa6abc0ced1c09535c8;p=graphviz Fix agerr() format string issue in chkNum() Commit 99eda42 fixed agerr() format string issue in yyerror(), but the same fix is also needed for chkNum(). In chkNum(), format string can be injected at least via malicious file name: $ cat fs4-%n%s%s%s%s%s%s.dot graph G { a [ weight = 0g ] } $ dot fs4-%n%s%s%s%s%s%s.dot Warning: *** %n in writable segment detected *** Aborted
---
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
index a5872f4a3..6aef10bcd 100644
--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -165,7 +165,7 @@ static int chkNum(void) {
 agxbput(&xb,buf);
 agxbput(&xb,fname);
 agxbput(&xb, " splits into two tokens\n");
- agerr(AGWARN,agxbuse(&xb));
+ agerr(AGWARN, "%s", agxbuse(&xb));
 agxbfree(&xb);
 return 1;
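Review bot: The corrected `agerr(AGWARN, "%s", agxbuse(&xb));` call has no comment explaining why the literal format is required, and the description shows this is the second call site fixed for the same mistake (99eda42 covered yyerror()), so the pattern is likely to come back. I would add `/* xb contains the input file name; pass it as an argument, never as the format */` directly above the call. If agerr()'s prototype does not already carry a printf-style format attribute, adding one and building with `-Wformat-security` would let the compiler report any remaining non-literal call sites; the declaration is not in this hunk, so that needs checking. chkNum() starts and ends outside the hunk.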