Printf format sanitising.

Refactored version for next, use a new helper in simgear::strutils.
FlightGear · Sep 15, 2013 · a18792c · a18792c
1 parent 0e2ddb2
commit a18792c
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/simgear/misc/strutils.cxx b/simgear/misc/strutils.cxx
@@ -26,6 +26,8 @@
 
 #include "strutils.hxx"
 
+#include <simgear/debug/logstream.hxx>
+
 using std::string;
 using std::vector;
 using std::stringstream;
@@ -484,6 +486,17 @@ std::string unescape(const char* s)
   return r;
 }
 
+string sanitizePrintfFormat(const string& input)
+{
+    string::size_type i = input.find("%n");
+    if (i != string::npos) {
+        SG_LOG(SG_IO, SG_WARN, "sanitizePrintfFormat: bad format string:" << input);
+        return string();
+    }
+
+    return input;
+}
+
 } // end namespace strutils
 
 } // end namespace simgear
diff --git a/simgear/misc/strutils.hxx b/simgear/misc/strutils.hxx
@@ -137,7 +137,7 @@ namespace simgear {
 
     /**
      * Like strcmp(), but for dotted versions strings NN.NN.NN
-     * any number of terms are support.
+     * any number of terms are supported.
      * @return 0 if versions match, -ve number if v1 is lower, +ve if v1
      * is greater
      */
@@ -180,6 +180,13 @@ namespace simgear {
 
     inline std::string unescape(const std::string& str)
     { return unescape(str.c_str()); }
+
+      /**
+       * Check a printf-style format string for dangerous (buffer-overflowing,
+       * memory re-writing) format tokens. If a problematic token is
+       * found, logs an error (SG_WARN) and returns an empty format string.
+       */
+      std::string sanitizePrintfFormat(const std::string& input);
 
   } // end namespace strutils
 } // end namespace simgear

diff --git a/simgear/scene/model/SGText.cxx b/simgear/scene/model/SGText.cxx
@@ -26,6 +26,7 @@
 
 #include <simgear/math/SGMath.hxx>
 #include <simgear/misc/sg_path.hxx>
+#include <simgear/misc/strutils.hxx>
 
 #include <osg/Geode>
 #include <osg/MatrixTransform>
@@ -43,7 +44,7 @@ class SGText::UpdateCallback : public osg::NodeCallback {
     offset( aOffset ),
     truncate( aTruncate ),
     numeric( aNumeric ),
-    format( aFormat )
+    format( simgear::strutils::sanitizePrintfFormat( aFormat ) )
   {
     if( format.empty() ) {
       if( numeric ) format = "%f";