Package: patchutils / 0.3.4-2

format_string Patch series | download
Author: Reiner Herrmann <reiner@reiner-h.de>
Description: don't pass error message directly as format string to error()
 Build fails with -Werror=format-security enabled, because a non-literal string
 is passed as the format argument of error().
 Passing a string based on user input (regex) directly as a format string is
 a security issue.

--- a/src/filterdiff.c
+++ b/src/filterdiff.c
@@ -1355,7 +1355,7 @@
 			char errstr[300];
 			regerror (err, &regex[num_regex - 1], errstr,
 				  sizeof (errstr));
-			error (EXIT_FAILURE, 0, errstr);
+			error (EXIT_FAILURE, 0, "%s", errstr);
 			exit (1);
 		}
 	}
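Review bot: The `exit (1);` that follows the patched call is unreachable, because error() called with a non-zero status (here `EXIT_FAILURE`) terminates the process itself after printing the message; the line can be dropped, or kept with a comment such as `/* not reached: error() exits */`. The same applies to the second hunk at line 1613, which is a verbatim copy of this block, so moving the regerror()/error() pair into one static helper would leave a single place where the `"%s"` format has to be right. The enclosing functions start and end outside both hunks, so whether other non-literal format arguments remain in the file cannot be seen here; a build with `-Werror=format-security`, as the description mentions, would confirm that none are left.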
@@ -1613,7 +1613,7 @@
 			char errstr[300];
 			regerror (err, &regex[num_regex - 1], errstr,
 				  sizeof (errstr));
-			error (EXIT_FAILURE, 0, errstr);
+			error (EXIT_FAILURE, 0, "%s", errstr);
 			exit (1);
 		}
 	}