From 77e152ad36952fe2f0659644e8ad55ed62d501d8 Mon Sep 17 00:00:00 2001
From: Jfreegman
Date: Sat, 26 Jul 2014 21:22:55 -0400
Subject: [PATCH] fix security flaw where untrusted input wasn't being sanitized
---
 src/line_info.c | 16 +++++++++++-----
 src/line_info.h | 3 ++-
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/line_info.c b/src/line_info.c
index 424edd4..cc51422 100644
--- a/src/line_info.c
+++ b/src/line_info.c
@@ -133,7 +133,8 @@ static struct line_info *line_info_ret_queue(struct history *hst)
 return ret;
 }
-/* creates new line_info line and puts it in the queue */
+/* creates new line_info line and puts it in the queue.
+ SYS_MSG lines may contain an arbitrary number of arguments for string formatting */
 void line_info_add(ToxWindow *self, char *tmstmp, char *name1, char *name2, uint8_t type, uint8_t bold, uint8_t colour, const char *msg, ...)
 {
@@ -144,11 +145,16 @@ void line_info_add(ToxWindow *self, char *tmstmp, char *name1, char *name2, uint
 exit_toxic_err("failed in line_info_add", FATALERR_MEMORY);
 char frmt_msg[MAX_STR_SIZE] = {0};
- va_list args;
- va_start(args, msg);
- vsnprintf(frmt_msg, sizeof(frmt_msg), msg, args);
- va_end(args);
+ /* WARNING: SYS_MSG lines must not contain untrusted input */
+ if (type == SYS_MSG) {
+ va_list args;
+ va_start(args, msg);
+ vsnprintf(frmt_msg, sizeof(frmt_msg), msg, args);
+ va_end(args);
+ } else {
+ snprintf(frmt_msg, sizeof(frmt_msg), "%s", msg);
+ }
 int len = 1; /* there will always be a newline */
diff --git a/src/line_info.h b/src/line_info.h
index c2aa01d..30229d8 100644
--- a/src/line_info.h
+++ b/src/line_info.h
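Review bot: In the new `else` branch, the variadic arguments are dropped without any signal, so a call that passes a format plus arguments with a type other than SYS_MSG would now print its `%s`/`%d` specifiers literally; the call sites are outside this diff, so that needs an audit. The SYS_MSG branch still passes `msg` to `vsnprintf` as the format, which means the fix holds only while every SYS_MSG caller keeps peer-supplied text in the arguments and never in `msg` itself. To have the compiler help enforce that, consider adding `__attribute__((format(printf, 8, 9)))` to the prototype so `-Wformat-security` can flag non-literal formats, accepting that it may also warn at non-SYS_MSG call sites. The body of `line_info_add` starts before and continues past this hunk.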
@@ -67,7 +67,8 @@ struct history {
 int queue_sz;
 };
-/* creates new line_info line and puts it in the queue */
+/* creates new line_info line and puts it in the queue.
+ SYS_MSG lines may contain an arbitrary number of arguments for string formatting */
 void line_info_add(ToxWindow *self, char *tmstmp, char *name1, char *name2, uint8_t type, uint8_t bold, uint8_t colour, const char *msg, ...);
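Review bot: The updated header comment describes the SYS_MSG varargs but not the trust rule callers must follow; the `WARNING` about untrusted input exists only inside the function body in src/line_info.c. Since callers read the prototype, I would extend the comment here with something like `For SYS_MSG, msg is a printf-style format and must not contain untrusted input; for all other types msg is copied verbatim and extra arguments are ignored.`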