Merge pull request #4433 from larsewi/CFE-3525

CFE-3525: Fixed buffer overflow vulnerabillity in policy function format()
cfengine · Jan 4, 2021 · 38ea5f6 · 38ea5f6
2 parents 412acbd + 3fb5736
commit 38ea5f6
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c
@@ -5417,7 +5417,7 @@ static FnCallResult FnCallFormat(EvalContext *ctx, ARG_UNUSED const Policy *poli
                     if (strrchr(format_piece, 'd') != NULL || strrchr(format_piece, 'o') != NULL || strrchr(format_piece, 'x') != NULL)
                     {
                         long x = 0;
-                        sscanf(data, "%ld%s", &x, piece); // we don't care about the remainder and will overwrite it
+                        sscanf(data, "%ld", &x);
                         snprintf(piece, CF_BUFSIZE, format_piece, x);
                         BufferAppend(buf, piece, strlen(piece));
                     }
@@ -5429,7 +5429,7 @@ static FnCallResult FnCallFormat(EvalContext *ctx, ARG_UNUSED const Policy *poli
                     else if (strrchr(format_piece, 'f') != NULL)
                     {
                         double x = 0;
-                        sscanf(data, "%lf%s", &x, piece); // we don't care about the remainder and will overwrite it
+                        sscanf(data, "%lf", &x);
                         snprintf(piece, CF_BUFSIZE, format_piece, x);
                         BufferAppend(buf, piece, strlen(piece));
                     }