Commit a5405341 authored by Markus Steinborn's avatar Markus Steinborn Committed by Bernhard Link

Fix usage of sec_sscanf

This should fix http://bugs.debian.org/627471

Bernhard R. Link finally found the bug (excellent job!). He
describes the bug as follows:

ps.c is using some sec_sscanf (from secscanf.c) instead of
regular sscanf or instead of doing some proper parsing.

As sec_sscanf differs from regular sscanf in its variadic
arguments, gcc cannot check whether the arguments given match the
format string; in particular, it does not know that sec_sscanf
wants a 'char *' and a 'size_t' for every '%s' or '%256s'
it gets. Thus when ps.c does

sec_sscanf(line+length("%%BoundingBox:"), "%256s", text);

the size of text field is not given, so some random value
is returned by the 'va_arg(ap, size_t)' in secscanf.c
If that random value is smaller than the length of "(atend)"
then this will be copied incompletely and thus
not be recognized.
parent 0ecbe97f
...@@ -491,7 +491,7 @@ unc_ok: ...@@ -491,7 +491,7 @@ unc_ok:
CHECK_MALLOCED(doc); CHECK_MALLOCED(doc);
memset(doc, 0, sizeof(struct document)); memset(doc, 0, sizeof(struct document));
*text=0; *text=0;
sec_sscanf(line, "%*s %256s", text); sec_sscanf(line, "%*s %256s", text, 256);
/*###jp###*/ /*###jp###*/
/*doc->epsf = iscomment(text, "EPSF-");*/ /*doc->epsf = iscomment(text, "EPSF-");*/
doc->epsf = iscomment(text, "EPSF"); doc->epsf = iscomment(text, "EPSF");
...@@ -669,7 +669,7 @@ scan_ok: ...@@ -669,7 +669,7 @@ scan_ok:
} else if (doc->date == NULL && iscomment(line+2, "CreationDate:")) { } else if (doc->date == NULL && iscomment(line+2, "CreationDate:")) {
doc->date = gettextline(line+length("%%CreationDate:")); doc->date = gettextline(line+length("%%CreationDate:"));
} else if (bb_set == NONE && iscomment(line+2, "BoundingBox:")) { } else if (bb_set == NONE && iscomment(line+2, "BoundingBox:")) {
sec_sscanf(line+length("%%BoundingBox:"), "%256s", text); sec_sscanf(line+length("%%BoundingBox:"), "%256s", text, 256);
if (strcmp(text, "(atend)") == 0) { if (strcmp(text, "(atend)") == 0) {
bb_set = ATEND; bb_set = ATEND;
} else { } else {
...@@ -701,7 +701,7 @@ scan_ok: ...@@ -701,7 +701,7 @@ scan_ok:
} }
} else if (orientation_set == NONE && } else if (orientation_set == NONE &&
iscomment(line+2, "Orientation:")) { iscomment(line+2, "Orientation:")) {
sec_sscanf(line+length("%%Orientation:"), "%256s", text); sec_sscanf(line+length("%%Orientation:"), "%256s", text, 256);
if (strcmp(text, "(atend)") == 0) { if (strcmp(text, "(atend)") == 0) {
orientation_set = ATEND; orientation_set = ATEND;
} else if (strcmp(text, "Portrait") == 0) { } else if (strcmp(text, "Portrait") == 0) {
...@@ -712,7 +712,7 @@ scan_ok: ...@@ -712,7 +712,7 @@ scan_ok:
orientation_set = 1; orientation_set = 1;
} }
} else if (page_order_set == NONE && iscomment(line+2, "PageOrder:")) { } else if (page_order_set == NONE && iscomment(line+2, "PageOrder:")) {
sec_sscanf(line+length("%%PageOrder:"), "%256s", text); sec_sscanf(line+length("%%PageOrder:"), "%256s", text, 256);
if (strcmp(text, "(atend)") == 0) { if (strcmp(text, "(atend)") == 0) {
page_order_set = ATEND; page_order_set = ATEND;
} else if (strcmp(text, "Ascend") == 0) { } else if (strcmp(text, "Ascend") == 0) {
...@@ -726,7 +726,7 @@ scan_ok: ...@@ -726,7 +726,7 @@ scan_ok:
page_order_set = 1; page_order_set = 1;
} }
} else if (pages_set == NONE && iscomment(line+2, "Pages:")) { } else if (pages_set == NONE && iscomment(line+2, "Pages:")) {
sec_sscanf(line+length("%%Pages:"), "%256s", text); sec_sscanf(line+length("%%Pages:"), "%256s", text, 256);
if (strcmp(text, "(atend)") == 0) { if (strcmp(text, "(atend)") == 0) {
pages_set = ATEND; pages_set = ATEND;
} else { } else {
...@@ -946,7 +946,7 @@ scan_ok: ...@@ -946,7 +946,7 @@ scan_ok:
/* Do nothing */ /* Do nothing */
} else if (doc->default_page_orientation == NONE && } else if (doc->default_page_orientation == NONE &&
iscomment(line+2, "PageOrientation:")) { iscomment(line+2, "PageOrientation:")) {
sec_sscanf(line+length("%%PageOrientation:"), "%256s", text); sec_sscanf(line+length("%%PageOrientation:"), "%256s", text, 256);
if (strcmp(text, "Portrait") == 0) { if (strcmp(text, "Portrait") == 0) {
doc->default_page_orientation = PORTRAIT; doc->default_page_orientation = PORTRAIT;
} else if (strcmp(text, "Landscape") == 0) { } else if (strcmp(text, "Landscape") == 0) {
...@@ -1068,7 +1068,7 @@ scan_ok: ...@@ -1068,7 +1068,7 @@ scan_ok:
/* Do nothing */ /* Do nothing */
} else if (doc->default_page_orientation == NONE && } else if (doc->default_page_orientation == NONE &&
iscomment(line+2, "PageOrientation:")) { iscomment(line+2, "PageOrientation:")) {
sec_sscanf(line+length("%%PageOrientation:"), "%256s", text); sec_sscanf(line+length("%%PageOrientation:"), "%256s", text, 256);
if (strcmp(text, "Portrait") == 0) { if (strcmp(text, "Portrait") == 0) {
doc->default_page_orientation = PORTRAIT; doc->default_page_orientation = PORTRAIT;
} else if (strcmp(text, "Landscape") == 0) { } else if (strcmp(text, "Landscape") == 0) {
...@@ -1205,7 +1205,7 @@ continuepage: ...@@ -1205,7 +1205,7 @@ continuepage:
/* Do nothing */ /* Do nothing */
} else if (doc->pages[doc->numpages].orientation == NONE && } else if (doc->pages[doc->numpages].orientation == NONE &&
iscomment(line+2, "PageOrientation:")) { iscomment(line+2, "PageOrientation:")) {
sec_sscanf(line+length("%%PageOrientation:"), "%256s", text); sec_sscanf(line+length("%%PageOrientation:"), "%256s", text, 256);
if (strcmp(text, "Portrait") == 0) { if (strcmp(text, "Portrait") == 0) {
doc->pages[doc->numpages].orientation = PORTRAIT; doc->pages[doc->numpages].orientation = PORTRAIT;
} else if (strcmp(text, "Landscape") == 0) { } else if (strcmp(text, "Landscape") == 0) {
...@@ -1237,7 +1237,7 @@ continuepage: ...@@ -1237,7 +1237,7 @@ continuepage:
free(cp); free(cp);
} else if ((page_bb_set == NONE || page_bb_set == ATEND) && } else if ((page_bb_set == NONE || page_bb_set == ATEND) &&
iscomment(line+2, "PageBoundingBox:")) { iscomment(line+2, "PageBoundingBox:")) {
sec_sscanf(line+length("%%PageBoundingBox:"), "%256s", text); sec_sscanf(line+length("%%PageBoundingBox:"), "%256s", text, 256);
if (strcmp(text, "(atend)") == 0) { if (strcmp(text, "(atend)") == 0) {
page_bb_set = ATEND; page_bb_set = ATEND;
} else { } else {
...@@ -1353,14 +1353,14 @@ continuepage: ...@@ -1353,14 +1353,14 @@ continuepage:
} }
} else if (orientation_set == ATEND && } else if (orientation_set == ATEND &&
iscomment(line+2, "Orientation:")) { iscomment(line+2, "Orientation:")) {
sec_sscanf(line+length("%%Orientation:"), "%256s", text); sec_sscanf(line+length("%%Orientation:"), "%256s", text, 256);
if (strcmp(text, "Portrait") == 0) { if (strcmp(text, "Portrait") == 0) {
doc->orientation = PORTRAIT; doc->orientation = PORTRAIT;
} else if (strcmp(text, "Landscape") == 0) { } else if (strcmp(text, "Landscape") == 0) {
doc->orientation = LANDSCAPE; doc->orientation = LANDSCAPE;
} }
} else if (page_order_set == ATEND && iscomment(line+2, "PageOrder:")) { } else if (page_order_set == ATEND && iscomment(line+2, "PageOrder:")) {
sec_sscanf(line+length("%%PageOrder:"), "%256s", text); sec_sscanf(line+length("%%PageOrder:"), "%256s", text, 256);
if (strcmp(text, "Ascend") == 0) { if (strcmp(text, "Ascend") == 0) {
doc->pageorder = ASCEND; doc->pageorder = ASCEND;
} else if (strcmp(text, "Descend") == 0) { } else if (strcmp(text, "Descend") == 0) {
...@@ -1898,7 +1898,7 @@ static char * readline(FileData fd, char **lineP, gv_off_t *positionP, unsigned ...@@ -1898,7 +1898,7 @@ static char * readline(FileData fd, char **lineP, gv_off_t *positionP, unsigned
INFMESSAGE(encountered "BeginData:") INFMESSAGE(encountered "BeginData:")
if (FD_LINE_LEN > 100) FD_BUF[100] = '\0'; if (FD_LINE_LEN > 100) FD_BUF[100] = '\0';
text[0] = '\0'; text[0] = '\0';
if (sec_sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) { if (sec_sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text, 100) >= 1) {
if (strcmp(text, "Lines") == 0) { if (strcmp(text, "Lines") == 0) {
INFIMESSAGE(number of lines to skip:,num) INFIMESSAGE(number of lines to skip:,num)
while (num) { while (num) {
...@@ -1993,7 +1993,7 @@ pscopyuntil(FileData fd, FILE *to, long begin, long end, char *comment) ...@@ -1993,7 +1993,7 @@ pscopyuntil(FileData fd, FILE *to, long begin, long end, char *comment)
INFMESSAGE(encountered "BeginData:") INFMESSAGE(encountered "BeginData:")
if (FD_LINE_LEN > 100) FD_BUF[100] = '\0'; if (FD_LINE_LEN > 100) FD_BUF[100] = '\0';
text[0] = '\0'; text[0] = '\0';
if (sec_sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) { if (sec_sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text, 100) >= 1) {
if (strcmp(text, "Lines") == 0) { if (strcmp(text, "Lines") == 0) {
INFIMESSAGE(number of lines:,num) INFIMESSAGE(number of lines:,num)
while (num) { while (num) {
...@@ -2085,7 +2085,7 @@ pscopydoc(FILE *dest_file, char *src_filename, Document d, char *pagelist) ...@@ -2085,7 +2085,7 @@ pscopydoc(FILE *dest_file, char *src_filename, Document d, char *pagelist)
free(comment); free(comment);
continue; continue;
} }
sec_sscanf(comment+length("%%Pages:"), "%256s", text); sec_sscanf(comment+length("%%Pages:"), "%256s", text, 256);
if (strcmp(text, "(atend)") == 0) { if (strcmp(text, "(atend)") == 0) {
fputs(comment, dest_file); fputs(comment, dest_file);
pages_atend = True; pages_atend = True;
......
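Review bot: The new size arguments are passed as plain `int` literals (`text, 256`, and `text, 100` in the two `%%BeginData:` call sites), while the commit message says secscanf.c fetches them with `va_arg(ap, size_t)`. Reading an `int` variadic argument as `size_t` is undefined behaviour, and where `size_t` is wider than `int` the upper bits of the bound are not guaranteed to be zero, so the copy limit can still be wrong. Every changed call should pass a `size_t`, e.g. `sec_sscanf(line+length("%%BoundingBox:"), "%256s", text, (size_t)256);`, or `sizeof text` if `text` is a true array at these sites; its declaration is outside the visible hunks, so that needs confirming. It is also worth confirming that the buffer holds 256 characters plus the terminator, since the `%256s` width and the size passed are the same number and how sec_sscanf accounts for the NUL is not shown here. The enclosing functions begin and end outside the hunks.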