graphics/gimp/patches/patch-bb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

$NetBSD: patch-bb,v 1.1 2011/04/15 16:39:09 drochner Exp $

CVE-2010-4541

--- plug-ins/common/sphere-designer.c.orig	2010-07-02 22:51:56.000000000 +0000
+++ plug-ins/common/sphere-designer.c
@@ -1992,6 +1992,7 @@ loadit (const gchar * fn)
   gchar    endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
   gchar   *end = endbuf;
   gchar    line[1024];
+  gchar    fmt_str[16];
   gint     i;
   texture *t;
   gint     majtype, type;
@@ -2016,6 +2017,8 @@ loadit (const gchar * fn)
 
   s.com.numtexture = 0;
 
+  snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
+
   while (!feof (f))
     {
 
@@ -2026,7 +2029,7 @@ loadit (const gchar * fn)
       t = &s.com.texture[i];
       setdefaults (t);
 
-      if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
+      if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
         t->color1.x = g_ascii_strtod (end, &end);
       if (end && errno != ERANGE)
         t->color1.y = g_ascii_strtod (end, &end);