Take length of format width specifier into account for format string buffer

- Prevents buffer overflow in case of ridiculous field width specifiers like --qf "%100000000000000000000000000{name}". There's another similar static-sized buffer in rpmtdFormat() but there we're not dealing with user-speficied format strings so its okay even if ugly. - The format string handling wants a bigger overhaul but this makes for a nice little backportable patch for starters.
author: Panu Matilainen <Panu Matilainen pmatilai@redhat.com> 2011-08-17 09:03:44 +0300
committer: Panu Matilainen <Panu Matilainen pmatilai@redhat.com> 2011-08-17 09:03:44 +0300
commit: 4387be59b3a541a3bf91546fdf396fdc76cc7a24 (patch)
tree: d333a96b50134694923c657423aa1b5ab474900b /lib/headerfmt.c
parent: df603a246850aa2b912547ba8f20f34ba1cc3626 (diff)
download: rpm-4387be59b3a541a3bf91546fdf396fdc76cc7a24.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/headerfmt.c b/lib/headerfmt.c
index 45c52c2b0..86d2c1d4f 100644
--- a/lib/headerfmt.c
+++ b/lib/headerfmt.c
@@ -618,7 +618,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element)
     char * val = NULL;
     size_t need = 0;
     char * t, * te;
-    char buf[20];
+    char buf[strlen(tag->format) + 3]; /* extra for '%', fmt char and '\0' */
     rpmtd td;
 
     memset(buf, 0, sizeof(buf));
author	Panu Matilainen <Panu Matilainen pmatilai@redhat.com>	2011-08-17 09:03:44 +0300
committer	Panu Matilainen <Panu Matilainen pmatilai@redhat.com>	2011-08-17 09:03:44 +0300
commit	4387be59b3a541a3bf91546fdf396fdc76cc7a24 (patch)
tree	d333a96b50134694923c657423aa1b5ab474900b /lib/headerfmt.c
parent	df603a246850aa2b912547ba8f20f34ba1cc3626 (diff)
download	rpm-4387be59b3a541a3bf91546fdf396fdc76cc7a24.tar.gz