Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 32d7a9f

Browse files
mgiuca-googletacaswell
mgiuca-google
authored and
tacaswell
committed
BUG : fix security bug reported via debian by Matt Giuca
Fixes CVE-2013-1424
1 parent 3486a67 commit 32d7a9f

File tree

3 files changed

+17
-1
lines changed

3 files changed

+17
-1
lines changed

lib/matplotlib/__init__.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1402,6 +1402,7 @@ def tk_window_focus():
14021402
'matplotlib.tests.test_lines',
14031403
'matplotlib.tests.test_mathtext',
14041404
'matplotlib.tests.test_mlab',
1405+
'matplotlib.tests.test_mplutils',
14051406
'matplotlib.tests.test_patches',
14061407
'matplotlib.tests.test_path',
14071408
'matplotlib.tests.test_patheffects',

lib/matplotlib/tests/test_mplutils.py

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
from __future__ import print_function
2+
from nose.tools import assert_raises
3+
from matplotlib import ft2font
4+
from matplotlib.testing.decorators import knownfailureif
5+
import sys
6+
7+
def test_printf_buffer():
8+
"""Tests Printf for buffer overrun."""
9+
# Use ft2font.FT2Font, which indirectly calls the Printf function in
10+
# mplutils.cpp.
11+
# Expect a RuntimeError, since the font is not found.
12+
assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048)

src/mplutils.cpp

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,10 @@ Printf::Printf(const char *fmt, ...)
1818
{
1919
va_list ap;
2020
va_start(ap, fmt);
21-
vsprintf(buffer, fmt, ap);
21+
vsnprintf(buffer, 1024, fmt, ap);
22+
// Null-terminate the string. Non-standard C implementations (e.g.,
23+
// Microsoft Visual C++) do not do this automatically.
24+
buffer[1023] = '\0';
2225
va_end(ap); // look ma - I rememberd it this time
2326
}
2427

0 commit comments

Comments
 (0)