format string protection/clean up (CVE-2007-1463, CVE-2007-1464)

(bzr r2720)
author: Kees Cook <kees@outflux.net> 2007-03-20 17:16:36 +0000
committer: keescook <keescook@users.sourceforge.net> 2007-03-20 17:16:36 +0000
commit: 4687a1c9ffe0d1d3f6ea01f360faa542a5b6491c (patch)
tree: 734a4d35a4e7b90593ae86a6c9006e58ce23d7d1 /src/pedro/pedroxmpp.cpp
parent: patch by cilix42 for bug 1671665 (diff)
download: inkscape-4687a1c9ffe0d1d3f6ea01f360faa542a5b6491c.tar.gz
inkscape-4687a1c9ffe0d1d3f6ea01f360faa542a5b6491c.zip
1 files changed, 24 insertions, 20 deletions
diff --git a/src/pedro/pedroxmpp.cpp b/src/pedro/pedroxmpp.cpp
index efe51d277..1dc1d7ced 100644
--- a/src/pedro/pedroxmpp.cpp
+++ b/src/pedro/pedroxmpp.cpp
@@ -295,12 +295,13 @@ void XmppEventTarget::error(char *fmt, ...)
 {
     va_list args;
     va_start(args,fmt);
-    vsnprintf(targetWriteBuf, targetWriteBufLen, fmt, args);
+    gchar * buffer = g_strdup_vprintf(fmt, args);
     va_end(args) ;
-    fprintf(stderr, "Error:%s\n", targetWriteBuf);
+    fprintf(stderr, "Error:%s\n", buffer);
     XmppEvent evt(XmppEvent::EVENT_ERROR);
-    evt.setData(targetWriteBuf);
+    evt.setData(buffer);
     dispatchXmppEvent(evt);
+    g_free(buffer);
 }
 
 
@@ -312,12 +313,13 @@ void XmppEventTarget::status(char *fmt, ...)
 {
     va_list args;
     va_start(args,fmt);
-    vsnprintf(targetWriteBuf, targetWriteBufLen, fmt, args);
+    gchar * buffer = g_strdup_vprintf(fmt, args);
     va_end(args) ;
-    //printf("Status:%s\n", targetWriteBuf);
+    //printf("Status:%s\n", buffer);
     XmppEvent evt(XmppEvent::EVENT_STATUS);
-    evt.setData(targetWriteBuf);
+    evt.setData(buffer);
     dispatchXmppEvent(evt);
+    g_free(buffer);
 }
 
 
@@ -1158,7 +1160,7 @@ bool XmppClient::processIq(Element *root)
              "IQ set does not contain a 'from' address because "
              "the entity is not registered with the server");
             }
-        error((char *)errMsg.c_str());
+        error("%s",(char *)errMsg.c_str());
         }
 
     else if (id.find("regcancel") != id.npos)
@@ -1197,7 +1199,7 @@ bool XmppClient::processIq(Element *root)
                  "IQ set does not contain a 'from' address because "
                  "the entity is not registered with the server");
             }
-        error((char *)errMsg.c_str());
+        error("%s",(char *)errMsg.c_str());
         }
 
     return true;
@@ -1287,17 +1289,19 @@ bool XmppClient::receiveAndProcessLoop()
 
 bool XmppClient::write(char *fmt, ...)
 {
+    bool rc = true;
     va_list args;
     va_start(args,fmt);
-    vsnprintf((char *)writeBuf, writeBufLen, fmt,args);
+    gchar * buffer = g_strdup_vprintf(fmt,args);
     va_end(args) ;
-    status("SEND: %s", writeBuf);
-    if (!sock->write((char *)writeBuf))
+    status("SEND: %s", buffer);
+    if (!sock->write(buffer))
         {
         error("Cannot write to socket");
-        return false;
+        rc = false;
         }
-    return true;
+    g_free(buffer);
+    return rc;
 }
 
 
@@ -1388,7 +1392,7 @@ bool XmppClient::inBandRegistrationNew()
             {
             errMsg.append("some registration information was not provided");
             }
-        error((char *)errMsg.c_str());
+        error("%s",(char *)errMsg.c_str());
         delete elem;
         return false;
         }
@@ -1612,7 +1616,7 @@ bool XmppClient::saslMd5Authenticate()
     char *fmt =
     "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' "
         "mechanism='DIGEST-MD5'/>\n";
-    if (!write(fmt))
+    if (!write("%s",fmt))
         return false;
 
     DOMString recbuf = readStanza();
@@ -1760,7 +1764,7 @@ bool XmppClient::saslMd5Authenticate()
 
     fmt =
     "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>\n";
-    if (!write(fmt))
+    if (!write("%s",fmt))
         return false;
 
     recbuf = readStanza();
@@ -1843,7 +1847,7 @@ bool XmppClient::saslAuthenticate()
         delete elem;
         char *fmt =
         "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\n";
-        if (!write(fmt))
+        if (!write("%s",fmt))
             return false;
         recbuf = readStanza();
         status("RECV: '%s'\n", recbuf.c_str());
@@ -2087,7 +2091,7 @@ bool XmppClient::createSession()
         DOMString givenJid, givenResource;
         parseJid(givenFullJid, givenJid, givenResource);
         status("given user: %s realm: %s, rsrc: %s",
-           givenJid.c_str(), givenResource.c_str());
+           givenJid.c_str(), realm.c_str(), givenResource.c_str());
         setResource(givenResource);
         }
         
@@ -2143,7 +2147,7 @@ bool XmppClient::createSession()
 
     fmt =
      "<presence/>\n";
-    if (!write(fmt))
+    if (!write("%s",fmt))
         return false;
 
     /*
@@ -2217,7 +2221,7 @@ bool XmppClient::disconnect()
         {
         char *fmt =
         "<presence type='unavailable'/>\n";
-        write(fmt);
+        write("%s",fmt);
         }
     keepGoing = false;
     connected = false;
author	Kees Cook <kees@outflux.net>	2007-03-20 17:16:36 +0000
committer	keescook <keescook@users.sourceforge.net>	2007-03-20 17:16:36 +0000
commit	4687a1c9ffe0d1d3f6ea01f360faa542a5b6491c (patch)
tree	734a4d35a4e7b90593ae86a6c9006e58ce23d7d1 /src/pedro/pedroxmpp.cpp
parent	patch by cilix42 for bug 1671665 (diff)
download	inkscape-4687a1c9ffe0d1d3f6ea01f360faa542a5b6491c.tar.gz inkscape-4687a1c9ffe0d1d3f6ea01f360faa542a5b6491c.zip