1 http://pkgs.fedoraproject.org/cgit/sane-backends.git/plain/sane-backends-1.0.24-format-security.patch
3 From d1c0b7d119bb9dd2c51143b44cc86a369f453746 Mon Sep 17 00:00:00 2001
4 From: Nils Philippsen <nils@redhat.com>
5 Date: Wed, 4 Dec 2013 15:21:19 +0100
6 Subject: [PATCH] patch: format-security
8 Squashed commit of the following:
10 commit 19e071b9f6d477462a0f4afbbd17acd15268ddfa
11 Author: Nils Philippsen <nils@redhat.com>
12 Date: Wed Dec 4 15:04:12 2013 +0100
14 avoid using string formats insecurely with "-f"
16 In the process, simplify processing the device list format: don't copy
17 the format string for writing \0 into it, just iterate over chunks in
20 (cherry picked from commit 8082a42ec4f3b3cf2cffc30a45dda5fc41d55576)
22 frontend/scanimage.c | 52 ++++++++++++++++++++--------------------------------
23 1 file changed, 20 insertions(+), 32 deletions(-)
25 diff --git a/frontend/scanimage.c b/frontend/scanimage.c
26 index d41c849..9e1bcfb 100644
27 --- a/frontend/scanimage.c
28 +++ b/frontend/scanimage.c
29 @@ -1826,23 +1826,16 @@ main (int argc, char **argv)
32 int i = 0, int_arg = 0;
33 - char *percent, *start, *fmt;
34 + const char *percent, *start;
35 const char *text_arg = 0;
38 - fmt = malloc (strlen (optarg) + 1);
41 - fprintf (stderr, "%s: not enough memory\n", prog_name);
46 for (i = 0; device_list[i]; ++i)
48 - strcpy (fmt, optarg);
51 while (*start && (percent = strchr (start, '%')))
53 + int start_len = percent - start;
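Review bot: `int start_len = percent - start;` silently narrows a ptrdiff_t to int; that is the right type here because `%.*s` takes its precision as an int, but nothing says so, and a later "fix" to size_t would hand printf the wrong argument type. A one-line comment at the declaration would pin it down: `/* int on purpose: %.*s reads its precision as int */`. With the malloc/strcpy copy of optarg removed, `start` now walks optarg itself read-only, so the switch to `const char *` for `percent` and `start` is consistent with the new loop. The enclosing main() starts before and ends after this hunk.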
57 @@ -1850,19 +1843,19 @@ main (int argc, char **argv)
60 text_arg = device_list[i]->name;
61 - ftype = *percent = 's';
65 text_arg = device_list[i]->vendor;
66 - ftype = *percent = 's';
70 text_arg = device_list[i]->model;
71 - ftype = *percent = 's';
75 text_arg = device_list[i]->type;
76 - ftype = *percent = 's';
81 @@ -1870,45 +1863,40 @@ main (int argc, char **argv)
85 - ftype = *percent = 's';
95 "%s: unknown format specifier %%%c\n",
105 + printf ("%.*s", start_len, start);
109 - printf (start, text_arg);
110 + printf ("%s", text_arg);
113 - printf (start, int_arg);
117 + printf ("%i", int_arg);
122 + start = percent + 1;
126 - /* last char of the string is a '%', suppress it */
128 + /* last char of the string is a '%', ignore it */
135 + printf ("%s", start);
138 if (i == 0 && ch != 'f')
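Review bot: `printf ("%s", text_arg);` is reached with a pointer that is initialised to 0 at the top of this block and then set from device_list fields (name, vendor, model, type); if any of those fields can be NULL for a backend, `%s` with a null argument is undefined behaviour (glibc happens to print "(null)", other libcs fault). Guarding at the call site, `printf ("%s", text_arg ? text_arg : "");`, removes that dependency without changing output for the normal case. The format-string fix itself is sound: user-controlled -f text now only ever reaches printf as the argument of `"%.*s"` or the trailing `"%s"`, never as the format, and the int case goes through a fixed `"%i"`. The enclosing main() starts before this hunk and, as far as the visible lines show, continues after it.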