[Nautilus-list] Format string vulnerabilities in gnome-db2html2
- From: Richard Boulton <richard tartarus org>
- To: Darin Adler <darin eazel com>, nautilus-list lists eazel com
- Subject: [Nautilus-list] Format string vulnerabilities in gnome-db2html2
- Date: Fri, 16 Feb 2001 14:49:34 +0000
I got a few segmentation faults from gnome-db2html2, and have traced them
to occurrences of the '%' character in my documentation. Looking at the
code, there are multiple format string problems, in the form of
sect_print() being called with a user-specified string as its second
argument, which is then passed to printf (actually g_strdup_vprintf).
I attach a patch which fixes these problems, and now I can actually
generate the gstreamer documentation. :) This patch is combined with the
previous patch I posted half an hour ago, but shouldn't be at all confusing
to examine.
I have CVS write access; if you okay it, I would be happy to commit this
patch and the previous patch.
--
Richard
Index: components/help/converters/gnome-db2html2/README
===================================================================
RCS file: /cvs/gnome/nautilus/components/help/converters/gnome-db2html2/README,v
retrieving revision 1.3
diff -u -p -u -r1.3 README
--- components/help/converters/gnome-db2html2/README 2000/02/11 22:43:01 1.3
+++ components/help/converters/gnome-db2html2/README 2001/02/16 14:40:09
@@ -7,7 +7,7 @@ For those doc people who want to play wi
to configure nautilus, you can compile it with the following
command line:
-gcc -o gnome-db2html2 `xml-config --cflags --libs` `gnome-config --cflags --libs glib` -Wall -g gdb3html.c toc-elements.c sect-elements.c sect-preparse.c
+gcc -o gnome-db2html2 `xml-config --cflags --libs` `gnome-config --cflags --libs gnome` -Wall -g gdb3html.c toc-elements.c sect-elements.c sect-preparse.c
You can run it by doing:
Index: components/help/converters/gnome-db2html2/gdb3html.c
===================================================================
RCS file: /cvs/gnome/nautilus/components/help/converters/gnome-db2html2/gdb3html.c,v
retrieving revision 1.41
diff -u -p -u -r1.41 gdb3html.c
--- components/help/converters/gnome-db2html2/gdb3html.c 2001/01/02 18:29:27 1.41
+++ components/help/converters/gnome-db2html2/gdb3html.c 2001/02/16 14:40:12
@@ -1,6 +1,8 @@
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
+#ifdef HAVE_CONFIG_H
#include <config.h>
+#endif
#include "gdb3html.h"
#include "toc-elements.h"
Index: components/help/converters/gnome-db2html2/sect-elements.c
===================================================================
RCS file: /cvs/gnome/nautilus/components/help/converters/gnome-db2html2/sect-elements.c,v
retrieving revision 1.53
diff -u -p -u -r1.53 sect-elements.c
--- components/help/converters/gnome-db2html2/sect-elements.c 2001/02/11 16:47:41 1.53
+++ components/help/converters/gnome-db2html2/sect-elements.c 2001/02/16 14:40:20
@@ -1,4 +1,8 @@
+
+#ifdef HAVE_CONFIG_H
#include <config.h>
+#endif
+
#include "sect-elements.h"
#include "gnome.h"
@@ -241,7 +245,7 @@ sect_write_characters (Context *context,
temp = g_strndup (chars, len);
- sect_print (context, temp);
+ sect_print (context, "%s", temp);
g_free (temp);
}
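Review bot: Nothing in this patch stops a future `sect_print (context, temp)` from compiling without complaint; the five call sites fixed here (this one in sect_write_characters, two in sect_title_characters, one in sect_address_characters and one in toc_tag_characters) were found by hand. Since the description says sect_print forwards its second argument to g_strdup_vprintf, its prototype (not shown in this diff, presumably in sect-elements.h) should carry `G_GNUC_PRINTF (2, 3)`, so that gcc's format checks (`-Wformat -Wformat-security`) flag any caller that still passes document text as the format. Document text reaching a printf-style format is a memory-safety problem rather than only a crash, so the remaining sect_print callers in these files deserve a check before commit. The bodies of all four functions extend beyond the hunks, so other cases in the same switch statements cannot be judged from here.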
@@ -908,7 +912,7 @@ sect_title_characters (Context *context,
case SECTION:
case FORMALPARA:
case GLOSSENTRY:
- sect_print (context, temp);
+ sect_print (context, "%s", temp);
g_free (temp);
break;
case ARTHEADER:
@@ -921,7 +925,7 @@ sect_title_characters (Context *context,
((SectContext *) context->data)->figure->title = temp;
break;
case TABLE:
- sect_print (context, temp);
+ sect_print (context, "%s", temp);
g_free (temp);
break;
default:
@@ -2215,7 +2219,7 @@ sect_address_characters (Context *contex
}
temp = g_strndup (chars, len);
- sect_print (context, temp);
+ sect_print (context, "%s", temp);
g_free (temp);
}
void
Index: components/help/converters/gnome-db2html2/sect-preparse.c
===================================================================
RCS file: /cvs/gnome/nautilus/components/help/converters/gnome-db2html2/sect-preparse.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 sect-preparse.c
--- components/help/converters/gnome-db2html2/sect-preparse.c 2001/02/11 16:47:41 1.27
+++ components/help/converters/gnome-db2html2/sect-preparse.c 2001/02/16 14:40:22
@@ -1,5 +1,8 @@
+#ifdef HAVE_CONFIG_H
#include <config.h>
+#endif
+
#include "sect-elements.h"
#include "gnome.h"
Index: components/help/converters/gnome-db2html2/toc-elements.c
===================================================================
RCS file: /cvs/gnome/nautilus/components/help/converters/gnome-db2html2/toc-elements.c,v
retrieving revision 1.41
diff -u -p -u -r1.41 toc-elements.c
--- components/help/converters/gnome-db2html2/toc-elements.c 2001/02/15 02:19:38 1.41
+++ components/help/converters/gnome-db2html2/toc-elements.c 2001/02/16 14:40:26
@@ -1,5 +1,8 @@
+#ifdef HAVE_CONFIG_H
#include <config.h>
+#endif
+
#include <gnome.h>
#include "sect-elements.h"
#include "toc-elements.h"
@@ -839,7 +842,7 @@ toc_tag_characters (Context *context, co
case TITLE:
case GLOSSTERM:
temp = g_strndup (chars, len);
- sect_print (context, temp);
+ sect_print (context, "%s", temp);
g_free (temp);
break;
default: