Guard against printf-style formatting attacks by malicious translation files.

2026-04-16 06:18:47 +02:00 · 2024-12-11 09:43:04 -05:00
parent 3d97f87bcd
commit 0ab93f2dea
1 changed files with 43 additions and 1 deletions
--- a/src/main.c
+++ b/src/main.c
@@ -2030,10 +2030,52 @@ int GetOnceDate(void)
    return OnceDate;
 }

+static void
+get_printf_escapes(char const *str, DynamicBuffer *out)
+{
+    char const *s = str;
+    while(*s) {
+        if (*s == '%' && *(s+1) != 0) {
+            s++;
+            DBufPutc(out, *s);
+        }
+        s++;
+    }
+}
+
 char const *GetErr(int r)
 {
+    char const *msg;
+    DynamicBuffer origEscapes;
+    DynamicBuffer translatedEscapes;
+    int dangerous;
+
    if (r < 0 || r >= NumErrs) {
        r = E_SWERR;
    }
-    return t(ErrMsg[r]);
+
+    msg = GetTranslatedString(ErrMsg[r]);
+    if (!msg) {
+        return ErrMsg[r];
+    }
+
+    /* We need to make sure both the original and translated version
+       have the *SAME* printf-style escapes to avoid a malicious
+       translation file doing a format-string attack */
+    DBufInit(&origEscapes);
+    DBufInit(&translatedEscapes);
+
+    get_printf_escapes(ErrMsg[r], &origEscapes);
+    get_printf_escapes(msg, &translatedEscapes);
+
+    dangerous = strcmp(DBufValue(&origEscapes), DBufValue(&translatedEscapes));
+
+    DBufFree(&origEscapes);
+    DBufFree(&translatedEscapes);
+
+    if (dangerous) {
+        return ErrMsg[r];
+    } else {
+        return msg;
+    }
 }