Hi Pedro, thank you for reporting this security issue.
On 2013-08-04 10:35:46, Pedro R wrote:
> diff -urb lcms-1.19.dfsg/samples/icctrans.c
> lcms-1.19.dfsg-patched/samples/icctrans.c
> --- lcms-1.19.dfsg/samples/icctrans.c 2009-10-30 15:57:45.000000000 +0000
> +++ lcms-1.19.dfsg-patched/samples/icctrans.c 2013-08-04 10:31:36.608445149
> +0100
> @@ -500,7 +500,7 @@
>
> Prefix[0] = 0;
> if (!lTerse)
> - sprintf(Prefix, "%s=", C);
> + snprintf(Prefix, 20, "%s=", C);
>
> if (InHexa)
> {
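Review bot: the hard-coded destination size in `snprintf(Prefix, 20, "%s=", C);` cannot be verified against this hunk, since the declaration of Prefix is outside it, and it will silently drift out of sync if Prefix is ever resized. If Prefix is a local array, `sizeof(Prefix)` is the bound to use; if it is a pointer, the capacity has to be passed in explicitly. Note also that snprintf truncates silently, so a long value of C will lose its trailing "=" with no diagnostic; that is acceptable for a label prefix only if the callers never rely on the "=" being present.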
> @@ -648,7 +648,9 @@
> static
> void GetLine(char* Buffer)
> {
> - scanf("%s", Buffer);
> + size_t Buffer_size = sizeof(Buffer);
> + fgets(Buffer, (Buffer_size - 1), stdin);
> + sscanf("%s", Buffer);
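Review bot: this hunk does not bound the read as intended and adds a new defect. `sizeof(Buffer)` on a `char*` parameter is the size of the pointer (4 or 8 bytes), not the length of the caller's array, so `fgets(Buffer, (Buffer_size - 1), stdin)` reads only a few characters; the `- 1` is also unnecessary because fgets already reserves a byte for the terminating NUL. The added `sscanf("%s", Buffer);` has its arguments reversed: sscanf takes the input string first and the format second, so the line just read from the user becomes the format string. Suggested shape: change the signature to `void GetLine(char* Buffer, size_t BufferSize)`, call `fgets(Buffer, (int)BufferSize, stdin)`, strip the trailing newline that `scanf("%s")` never stored but fgets does, and delete the sscanf line entirely.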
This sscanf call is wrong and introduces a format string vulnerability.
sscanf's signature is int sscanf(const char* str, const char* fmt, ...)
where str is used as input and format is the second argument.
Regards
--
Sebastian Ramacher
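A bounds-aware replacement for GetLine, written here as an added example rather than taken from the patch or from lcms: the caller passes the buffer's real capacity, fgets receives the full size, the newline is stripped, and the input is only ever treated as data, never as a format string. The FILE* parameter and the ReadFromString helper are assumptions added so the function can be exercised offline.

```c
/* Added example (not lcms code): a bounds-aware replacement for GetLine.
 * Assumptions: the caller passes the real capacity of Buffer, and input
 * comes from an explicit FILE* so the function can be exercised offline. */
#include <stdio.h>
#include <string.h>

/* Reads one line into Buffer (capacity BufferSize), strips the trailing
 * newline, drains the rest of an over-long line so the next call starts on
 * a fresh line, and never passes user input as a format string.
 * Returns the number of characters stored, or -1 on EOF/error. */
static int GetLineSafe(char *Buffer, size_t BufferSize, FILE *in)
{
    if (Buffer == NULL || BufferSize == 0)
        return -1;

    /* fgets reserves one byte for the terminating NUL itself, so the full
     * capacity is passed; the patch's "Buffer_size - 1" is not needed. */
    if (fgets(Buffer, (int)BufferSize, in) == NULL) {
        Buffer[0] = '\0';
        return -1;
    }

    size_t len = strlen(Buffer);
    if (len > 0 && Buffer[len - 1] == '\n') {
        Buffer[--len] = '\0';
    } else if (!feof(in)) {
        /* Line was longer than the buffer: discard the remainder. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Demonstration helper (assumption): feed constructed input through a
 * temporary file so GetLineSafe can be tested without a terminal. */
static int ReadFromString(const char *input, char *Buffer, size_t BufferSize)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    int n = GetLineSafe(Buffer, BufferSize, in);
    fclose(in);
    return n;
}
```

A line containing conversion specifiers is stored verbatim, and an over-long line is truncated to the buffer's capacity instead of overrunning it.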