SHA256
1
0
forked from pool/rrdtool
rrdtool/rrdtool-1.4.7-CVE-2013-2131-imginfo_format_check.patch

70 lines
1.8 KiB
Diff
Raw Normal View History

Index: rrdtool-1.4.7/src/rrd_graph.c
===================================================================
--- rrdtool-1.4.7.orig/src/rrd_graph.c
+++ rrdtool-1.4.7/src/rrd_graph.c
@@ -4016,6 +4016,12 @@ rrd_info_t *rrd_graph_v(
char *path;
char *filename;
+ if (bad_format_imginfo(im.imginfo)) {
+ rrd_info_free(im.grinfo);
+ im_free(&im);
+ rrd_set_error("bad format for imginfo");
+ return NULL;
+ }
path = strdup(im.graphfile);
filename = basename(path);
info.u_str =
@@ -4820,6 +4826,51 @@ int bad_format(
}
+int bad_format_imginfo(
+ char *fmt)
+{
+ char *ptr;
+ int n = 0;
+
+ ptr = fmt;
+ while (*ptr != '\0')
+ if (*ptr++ == '%') {
+
+ /* line cannot end with percent char */
+ if (*ptr == '\0')
+ return 1;
+ /* '%%' is allowed */
+ if (*ptr == '%')
+ ptr++;
+ /* '%s', '%S' are allowed */
+ else if (*ptr == 's' || *ptr == 'S') {
+ n = 1;
+ ptr++;
+ }
+
+ /* or else '% 4lu' and such are allowed */
+ else {
+ /* optional padding character */
+ if (*ptr == ' ')
+ ptr++;
+ /* This should take care of 'm' */
+ while (*ptr >= '0' && *ptr <= '9')
+ ptr++;
+ /* 'lu' must follow here */
+ if (*ptr++ != 'l')
+ return 1;
+ if (*ptr == 'u')
+ ptr++;
+ else
+ return 1;
+ n++;
+ }
+ }
+
+ return (n != 3);
+}
+
+
int vdef_parse(
struct graph_desc_t
*gdes,