Vuln Dev
DIA file name handling format string May 06 2006 04:51AM
king_purba yahoo co uk
Author : KaDaL-X

http://kandangjamur.net

Software tested

Dia v0.94 on Fedora Core 4

Dia v0.94 on Mandriva

http://www.gnome.org/projects/dia

PoC:
------

[ph03n1x@kaiten ~]$ touch %p%p%p%p.bmp

Now open %p%p%p%p.bmp using Dia; an error something like this will happen:

Failed to load:
Couldn't recognize the image file format for file
'0xbfec1a480xc0cf670x89608b00x9f247e.bmp'

Code analysis:
--------------

In plug-ins/pixbuf/pixbuf.c, line 152:

else if (error) /* otherwise a pixbuf misbehaviour */
{
  message_warning ("Failed to load:\n%s", error->message);
  g_error_free (error);
}

Then in lib/message.c, line 220:

message_warning(const char *format, ...)
{
  va_list args, args2;

  va_start (args, format);
  va_start (args2, format);
  message_internal(_("Warning"), format, &args, &args2);
  va_end (args);
  va_end (args2);
}

In lib/message.c, line 187, message_internal has been defined as:

static MessageInternal message_internal = gtk_message_internal;

Now, analyzing the gtk_message_internal() function in lib/message.c on line 157, the vsprintf() function was used incorrectly:

vsprintf (buf, fmt, *args2);

The second argument of vsprintf must be a constant string, based on /usr/include/stdio.h.


Copyright 2010, SecurityFocus