diff -up rrdtool-1.2.27/src/rrd_graph.c.imginfo-check rrdtool-1.2.27/src/rrd_graph.c
--- rrdtool-1.2.27/src/rrd_graph.c.imginfo-check 2008-02-17 11:26:32.000000000 +0100
+++ rrdtool-1.2.27/src/rrd_graph.c 2013-06-07 11:03:06.377011038 +0200
@@ -3084,6 +3084,11 @@ rrd_graph(int argc, char **argv, char **
*ymin=im.minval;
*ymax=im.maxval;
if (im.imginfo) {
+ if (bad_format_imginfo(im.imginfo)) {
+ im_free(&im);
+ rrd_set_error("bad format for imginfo");
+ return -1;
+ }
char *filename;
if (!(*prdata)) {
/* maybe prdata is not allocated yet ... lets do it now */
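Review bot: The guard at the top of this block trusts bad_format_imginfo to leave only one `%s` and two `%lu`, but the validator as written in the second hunk sets `n = 1` on every `%s` instead of checking position, so `%lu%lu%s%lu%lu` (five conversions) and `%s%s%lu%lu` (two string reads) both pass with `n == 3`; if im.imginfo is then handed to sprintf with a name and two sizes, the surplus specifiers read unrelated stack as arguments. The counter should encode order rather than a total: in the `%s` branch `if (n != 0) return 1; n = 1;` and in the `lu` branch `if (n == 0) return 1; n++;`, which admits exactly `%s` followed by two `%lu`. Separately, bad_format_imginfo is defined later in the file than this call and the diff adds no prototype, so unless rrd_graph.h already declares it this is an implicit function declaration (a hard error on current compilers); add `int bad_format_imginfo(char *fmt);` next to the existing `bad_format` prototype. rrd_graph's body starts and ends outside this hunk.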
@@ -3688,6 +3693,51 @@ int bad_format(char *fmt) {
}
+int bad_format_imginfo(
+ char *fmt)
+{
+ char *ptr;
+ int n = 0;
+
+ ptr = fmt;
+ while (*ptr != '\0')
+ if (*ptr++ == '%') {
+
+ /* line cannot end with percent char */
+ if (*ptr == '\0')
+ return 1;
+ /* '%%' is allowed */
+ if (*ptr == '%')
+ ptr++;
+ /* '%s', '%S' are allowed */
+ else if (*ptr == 's' || *ptr == 'S') {
+ n = 1;
+ ptr++;
+ }
+
+ /* or else '% 4lu' and such are allowed */
+ else {
+ /* optional padding character */
+ if (*ptr == ' ')
+ ptr++;
+ /* This should take care of 'm' */
+ while (*ptr >= '0' && *ptr <= '9')
+ ptr++;
+ /* 'lu' must follow here */
+ if (*ptr++ != 'l')
+ return 1;
+ if (*ptr == 'u')
+ ptr++;
+ else
+ return 1;
+ n++;
+ }
+ }
+
+ return (n != 3);
+}
+
+
int
vdef_parse(gdes,str)
struct graph_desc_t *gdes;