commit b78cc829a18e9436daaa859c96f3970157f3171e Author: Ethan A Merritt Date: Tue Jan 14 21:23:19 2025 -0800 use snprintf to protect against garbage user-supplied mouse format Bug 2754 diff --git src/mouse.c src/mouse.c index 4d1362130..95266738b 100644 --- src/mouse.c +++ src/mouse.c @@ -270,7 +270,7 @@ static void alert(void); static void MousePosToGraphPosReal(int xx, int yy, double *x, double *y, double *x2, double *y2); static char *xy_format(void); static char *zoombox_format(void); -static char *GetAnnotateString(char *s, double x, double y, int mode, char *fmt); +static char *GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt); static char *xDateTimeFormat(double x, char *b, int mode); static void GetRulerString(char *p, double x, double y); static void apply_zoom(struct t_zoom * z); @@ -524,7 +524,7 @@ zoombox_format() /* formats the information for an annotation (middle mouse button clicked) */ static char * -GetAnnotateString(char *s, double x, double y, int mode, char *fmt) +GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt) { if (axis_array[FIRST_X_AXIS].datatype == DT_DMS || axis_array[FIRST_Y_AXIS].datatype == DT_DMS) { @@ -579,11 +579,11 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt) r = rmin + x/cos(phi); if (fmt) - sprintf(s, fmt, theta, r); + snprintf(s, len, fmt, theta, r); else sprintf(s, "theta: %.1f%s r: %g", theta, degree_sign, r); } else if ((mode == MOUSE_COORDINATES_ALT) && fmt) { - sprintf(s, fmt, x, y); /* user defined format */ + snprintf(s, len, fmt, x, y); /* user defined format */ } else if (mode == MOUSE_COORDINATES_FUNCTION) { /* EXPERIMENTAL !!! */ t_value original_x, original_y; @@ -606,7 +606,7 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt) gpfree_string(&readout); } else { /* Default format ("set mouse mouseformat" is not active) */ - sprintf(s, xy_format(), x, y); /* usual x,y values */ + snprintf(s, len, xy_format(), x, y); /* usual x,y values */ } return s + strlen(s); } @@ -1020,10 +1020,10 @@ UpdateStatuslineWithMouseSetting(mouse_setting_t * ms) strcat(format, ms->fmt); strcat(format, ", "); strcat(format, ms->fmt); - sprintf(s0, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale); + snprintf(s0, 255, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale); } else if (!TICS_ON(axis_array[SECOND_X_AXIS].ticmode) && !TICS_ON(axis_array[SECOND_Y_AXIS].ticmode)) { /* only first X and Y axis are in use */ - sp = GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); + sp = GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); if (ruler.on) GetRulerString(sp, real_x, real_y); } else { @@ -2286,7 +2286,7 @@ event_buttonrelease(struct gp_event_t *ge) * only place, if the user didn't drag (rotate) the plot */ if (!is_3d_plot || !motion) { - GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); + GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); term->set_clipboard(s0); if (display_ipc_commands()) { fprintf(stderr, "put `%s' to clipboard.\n", s0); @@ -2302,7 +2302,7 @@ event_buttonrelease(struct gp_event_t *ge) /* draw temporary annotation or label. For 3d plots this is * only done if the user didn't drag (scale) the plot */ if (!is_3d_plot || !motion) { - GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); + GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); if (mouse_setting.label) { if (modifier_mask & Mod_Ctrl) { remove_label(mouse_x, mouse_y);