diff options
author | Panu Matilainen <Panu Matilainen pmatilai@redhat.com> | 2011-08-17 09:03:44 +0300 |
---|---|---|
committer | Panu Matilainen <Panu Matilainen pmatilai@redhat.com> | 2011-08-17 09:03:44 +0300 |
commit | 4387be59b3a541a3bf91546fdf396fdc76cc7a24 (patch) | |
tree | d333a96b50134694923c657423aa1b5ab474900b /lib/headerfmt.c | |
parent | df603a246850aa2b912547ba8f20f34ba1cc3626 (diff) | |
download | rpm-4387be59b3a541a3bf91546fdf396fdc76cc7a24.tar.gz |
Take length of format width specifier into account for format string buffer
- Prevents buffer overflow in case of ridiculous field width specifiers
like --qf "%100000000000000000000000000{name}". There's another similar
static-sized buffer in rpmtdFormat() but there we're not dealing
with user-speficied format strings so its okay even if ugly.
- The format string handling wants a bigger overhaul but this makes
for a nice little backportable patch for starters.
Diffstat (limited to 'lib/headerfmt.c')
-rw-r--r-- | lib/headerfmt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/headerfmt.c b/lib/headerfmt.c index 45c52c2b0..86d2c1d4f 100644 --- a/lib/headerfmt.c +++ b/lib/headerfmt.c @@ -618,7 +618,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element) char * val = NULL; size_t need = 0; char * t, * te; - char buf[20]; + char buf[strlen(tag->format) + 3]; /* extra for '%', fmt char and '\0' */ rpmtd td; memset(buf, 0, sizeof(buf)); |