$NetBSD: patch-bc,v 1.1 2011/04/15 16:39:10 drochner Exp $ CVE-2010-4542 --- plug-ins/gfig/gfig-style.c.orig 2010-07-02 22:51:59.000000000 +0000 +++ plug-ins/gfig/gfig-style.c @@ -165,6 +165,7 @@ gfig_read_parameter_gimp_rgb (gchar gchar *ptr; gchar *tmpstr; gchar *endptr; + gchar fmt_str[32]; gchar colorstr_r[G_ASCII_DTOSTR_BUF_SIZE]; gchar colorstr_g[G_ASCII_DTOSTR_BUF_SIZE]; gchar colorstr_b[G_ASCII_DTOSTR_BUF_SIZE]; @@ -172,6 +173,10 @@ gfig_read_parameter_gimp_rgb (gchar style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.; + snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds", + sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1, + sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1); + while (n < nitems) { ptr = strchr (text[n], ':'); @@ -181,7 +186,8 @@ gfig_read_parameter_gimp_rgb (gchar ptr++; if (!strcmp (tmpstr, name)) { - sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a); + sscanf (ptr, fmt_str, + colorstr_r, colorstr_g, colorstr_b, colorstr_a); style_entry->r = g_ascii_strtod (colorstr_r, &endptr); style_entry->g = g_ascii_strtod (colorstr_g, &endptr); style_entry->b = g_ascii_strtod (colorstr_b, &endptr);