From 1d867ab2d0c5803290c6ba8b9c96753341901681 Mon Sep 17 00:00:00 2001
From: Fabrice Bellet <fabrice@bellet.info>
Date: Sun, 22 Sep 2013 11:56:12 +0200
Subject: [PATCH] check to be sure that %n is not being set as format type
(CVE-2012-2090)
---
simgear/scene/model/SGText.cxx | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/simgear/scene/model/SGText.cxx b/simgear/scene/model/SGText.cxx
index 1da6c57..3093d82 100644
--- a/simgear/scene/model/SGText.cxx
+++ b/simgear/scene/model/SGText.cxx
@@ -68,6 +68,16 @@ void SGText::UpdateCallback::operator()(osg::Node * node, osg::NodeVisitor *nv )
// FIXME:
// hopefully the users never specifies bad formats here
// this should better be something more robust
+ // It is never safe for format.c_str to be %n.
+ string unsafe ("%n");
+ size_t found;
+
+ found=format.find(unsafe);
+ if (found!=string::npos) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe, reverting to %s");
+ format = "%s";
+ }
+
char buf[256];
if( numeric ) {
double d = property->getDoubleValue() * scale + offset;
--
2.5.0