[Plplot-cvs] SF.net SVN: plplot:[9470] trunk/src/plctrl.c

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Revision: 9470
          http://plplot.svn.sourceforge.net/plplot/?rev=9470&view=rev
Author:   andrewross
Date:     2009-02-07 17:26:32 +0000 (Sat, 07 Feb 2009)

Log Message:
-----------
Update plP_getmember so familying works even where filename includes %. Avoid using 
user-supplied strings as format strings in sprintf. This removes potential security 
issue.

Modified Paths:
--------------
    trunk/src/plctrl.c

Modified: trunk/src/plctrl.c
===================================================================

--- trunk/src/plctrl.c	2009-02-07 13:54:45 UTC (rev 9469)
+++ trunk/src/plctrl.c	2009-02-07 17:26:32 UTC (rev 9470)
@@ -1838,6 +1838,7 @@
     char tmp[256];
     char prefix[256];
     char* suffix;
+    char num[12];
 
     if (pls->FileName == NULL)
       {
@@ -1849,15 +1850,17 @@
 
     suffix = strstr (pls->BaseName, "%n");
 
+    sprintf(tmp, "%%0%1ii", (int) pls->fflen);
+    sprintf(num, tmp, pls->member);
+
     if (suffix == NULL)
-      sprintf (tmp, "%s.%%0%1ii", pls->BaseName, (int) pls->fflen);
+      sprintf (pls->FileName, "%s.%s", pls->BaseName, num);
     else {
       strncpy (prefix, pls->BaseName, 256);
       prefix [suffix - pls->BaseName] = 0;
-      sprintf (tmp, "%s%%0%1ii%s", prefix, (int) pls->fflen, suffix + 2);
+      sprintf (pls->FileName, "%s%s%s", prefix, num, suffix + 2);
     }
 
-    sprintf(pls->FileName, tmp, pls->member);
 }
 
 /*--------------------------------------------------------------------------*\


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.




[Plplot-cvs] SF.net SVN: plplot:[9470] trunk/src/plctrl.c

Cross-platform, scientific graphics plotting library

[Plplot-cvs] SF.net SVN: plplot:[9470] trunk/src/plctrl.c