Gnuplot version: 4.4.4, 4.6.0
The function "gprintf" in file "util.c" does not check for buffer boundaries. Neither does the calling function "gen_tics" in "axis.c". A long format string causes stack smashing.
set format x "%e%E%g%G%x%O%t%l%s"
This leads to a tick label 54 bytes long (you can always make it longer with a longer format string). The buffer is a fixed 50 bytes long: "char label[MAX_ID_LEN];". gprintf does not consistently use its parameter "size_t count". Also, there is no return value to indicate an error. I do not know the architecture of the gnuplot source code. How does error handling in gnuplot work? I can try to fix it if someone gives me a hint as to where and how this should be fixed. Dynamic buffer reallocation? Boundary checking and an error-indicating return code? Computing the needed length of the buffer before actually calling gprintf? Allowing only short format strings?
Installing Perl interface to gnuplot from CPAN triggers this bug. There is a set of self-tests, one of them uses a very long format string and crashes the whole installation.
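As an added illustration (not gnuplot's code, and not the reporter's), here is what two of the remedies listed above look like in C: computing the needed length before writing, and a bounded formatter that returns an error code instead of overrunning a fixed 50-byte label. The function names, the LABEL_LEN stand-in for MAX_ID_LEN and the sample tick formats are all hypothetical; standard printf conversions are used in place of gprintf's own tick specifiers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for gnuplot's MAX_ID_LEN (50 bytes per the report). */
#define LABEL_LEN 50

/* Pass 1: how many bytes (excluding the NUL) would the formatted label need?
   vsnprintf(NULL, 0, ...) writes nothing and returns the full length (C99). */
static size_t label_len_needed(const char *fmt, va_list ap)
{
    va_list copy;
    va_copy(copy, ap);
    int n = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return n < 0 ? (size_t)-1 : (size_t)n;
}

/* Bounded formatter with an error-indicating return value: 0 on success,
   -1 if the label would not fit in `count` bytes. It never writes past
   buf[count-1]; on failure buf is emptied so a caller cannot use a
   half-written label by mistake. */
int format_label(char *buf, size_t count, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t needed = label_len_needed(fmt, ap);
    if (needed == (size_t)-1 || needed >= count) {   /* boundary check */
        va_end(ap);
        if (count > 0) buf[0] = '\0';
        return -1;
    }
    vsnprintf(buf, count, fmt, ap);                  /* now known to fit */
    va_end(ap);
    return 0;
}

/* Constructed inputs: a tick value of 1.5 with a short and an overlong format.
   Five %e conversions of 1.5 produce 64 bytes, more than LABEL_LEN. */
int demo_short_label(void)
{
    char label[LABEL_LEN];
    return format_label(label, sizeof label, "%g", 1.5);
}
int demo_long_label(void)
{
    char label[LABEL_LEN];
    return format_label(label, sizeof label, "%e %e %e %e %e",
                        1.5, 1.5, 1.5, 1.5, 1.5);
}
```

With a fixed buffer, rejecting the label (and reporting it) is the safe outcome; the same length check could instead drive a dynamic reallocation if that fits gnuplot's conventions better.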