Author: Reiner Herrmann <reiner@reiner-h.de>
Description: don't pass error message directly as format string to error()
The build fails with -Werror=format-security enabled, because a non-constant
string is passed as the format string.
Passing a string based on user input (regex) directly as format string is
a security issue.
--- a/src/filterdiff.c
+++ b/src/filterdiff.c
@@ -1355,7 +1355,7 @@
char errstr[300];
regerror (err, ®ex[num_regex - 1], errstr,
sizeof (errstr));
- error (EXIT_FAILURE, 0, errstr);
+ error (EXIT_FAILURE, 0, "%s", errstr);
exit (1);
}
}
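Review bot: The `exit (1);` after the corrected `error (EXIT_FAILURE, 0, "%s", errstr);` is unreachable, since glibc's error() itself exits when its status argument is non-zero; the same dead line follows the fix in the second hunk at 1613. Leaving it gives a reader the impression that error() returns, so either drop it or annotate it, e.g. `/* not reached: error() exits on non-zero status */`. The fix itself is the right one: errstr is filled by regerror() from a user-supplied regex, so it must only ever travel through a `"%s"` format, never as the format argument. The enclosing function begins and ends outside both hunks.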
@@ -1613,7 +1613,7 @@
char errstr[300];
regerror (err, ®ex[num_regex - 1], errstr,
sizeof (errstr));
- error (EXIT_FAILURE, 0, errstr);
+ error (EXIT_FAILURE, 0, "%s", errstr);
exit (1);
}
}