1 diff -Naur gimp-2.6.11/plug-ins/common/file-psp.c gimp-2.6.11-sec//plug-ins/common/file-psp.c
2 --- gimp-2.6.11/plug-ins/common/file-psp.c 2010-07-03 00:51:56.000000000 +0200
3 +++ gimp-2.6.11-sec//plug-ins/common/file-psp.c 2011-02-16 11:58:38.195883063 +0100
7 fread (buf, runcount, 1, f);
9 + /* prevent buffer overflow for bogus data */
10 + runcount = MIN (runcount, endq - q);
14 memmove (q, buf, runcount);
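Review bot: The `fread (buf, runcount, 1, f)` directly above the new clamp is still unchecked, so on a truncated file `buf` keeps whatever it held before and those bytes are copied out by the `memmove`. Comparing the result with 1, `if (fread (buf, runcount, 1, f) != 1)`, and taking the function's existing error path would close that gap. The new comment could also say what actually happens to bogus data, for example `/* bogus run length: clamp to the space left before endq instead of overflowing */`, since the run is silently truncated rather than rejected. The enclosing loop and the declarations of `buf`, `q` and `endq` lie outside the hunk, so the bound on `buf` itself is assumed rather than verified here.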
15 diff -Naur gimp-2.6.11/plug-ins/common/sphere-designer.c gimp-2.6.11-sec//plug-ins/common/sphere-designer.c
16 --- gimp-2.6.11/plug-ins/common/sphere-designer.c 2010-07-03 00:51:56.000000000 +0200
17 +++ gimp-2.6.11-sec//plug-ins/common/sphere-designer.c 2011-02-16 11:58:32.967912810 +0100
19 gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
30 + snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
36 t = &s.com.texture[i];
39 - if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
40 + if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
41 t->color1.x = g_ascii_strtod (end, &end);
42 if (end && errno != ERANGE)
43 t->color1.y = g_ascii_strtod (end, &end);
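Review bot: The field width handed to `snprintf` for `%%%lds` is `sizeof (endbuf) - 1`, which is a `size_t`, while `%ld` expects a `long`. On an ABI where the two differ in size the behaviour is undefined, and the width written into `fmt_str` may not be the bound this patch intends. Use GLib's macro, `"%%d %%d %%%" G_GSIZE_FORMAT "s"`, or cast the argument, `(long) (sizeof (endbuf) - 1)`. The same mismatch is present in the `snprintf` call in gfig-style.c and in all four calls in lighting-ui.c. The declaration of `fmt_str` is not among the visible lines, so its size should be confirmed against the longest format built, because the `snprintf` result is not checked for truncation.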
44 diff -Naur gimp-2.6.11/plug-ins/gfig/gfig-style.c gimp-2.6.11-sec//plug-ins/gfig/gfig-style.c
45 --- gimp-2.6.11/plug-ins/gfig/gfig-style.c 2010-07-03 00:51:59.000000000 +0200
46 +++ gimp-2.6.11-sec//plug-ins/gfig/gfig-style.c 2011-02-16 11:58:32.967912810 +0100
52 gchar colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
53 gchar colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
54 gchar colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
57 style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
59 + snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
60 + sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
61 + sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
65 ptr = strchr (text[n], ':');
68 if (!strcmp (tmpstr, name))
70 - sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
71 + sscanf (ptr, fmt_str,
72 + colorstr_r, colorstr_g, colorstr_b, colorstr_a);
73 style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
74 style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
75 style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
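Review bot: The return value of the now-bounded `sscanf` is still ignored, so a style line with fewer than four fields leaves some of `colorstr_r` to `colorstr_a` unwritten and `g_ascii_strtod` then parses indeterminate stack bytes. Guard the call with `if (sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a) != 4)` and leave through the function's failure path, which lies outside the hunk. `style_entry` has already been zeroed a few lines earlier, so bailing out leaves a defined colour. The four `fscanf` calls in lighting-ui.c have the same gap, and there a failed match also leaves the previous field's text in `buffer1` to `buffer3` to be parsed again.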
76 diff -Naur gimp-2.6.11/plug-ins/lighting/lighting-ui.c gimp-2.6.11-sec//plug-ins/lighting/lighting-ui.c
77 --- gimp-2.6.11/plug-ins/lighting/lighting-ui.c 2010-07-03 00:51:59.000000000 +0200
78 +++ gimp-2.6.11-sec//plug-ins/lighting/lighting-ui.c 2011-02-16 11:58:32.968912815 +0100
80 gchar buffer3[G_ASCII_DTOSTR_BUF_SIZE];
85 if (response_id == GTK_RESPONSE_OK)
87 @@ -1381,23 +1382,41 @@
91 - fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
92 + snprintf (fmt_str, sizeof (fmt_str),
93 + " Position: %%%lds %%%lds %%%lds",
94 + sizeof (buffer1) - 1,
95 + sizeof (buffer2) - 1,
96 + sizeof (buffer3) - 1);
97 + fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
98 source->position.x = g_ascii_strtod (buffer1, &endptr);
99 source->position.y = g_ascii_strtod (buffer2, &endptr);
100 source->position.z = g_ascii_strtod (buffer3, &endptr);
102 - fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
103 + snprintf (fmt_str, sizeof (fmt_str),
104 + " Direction: %%%lds %%%lds %%%lds",
105 + sizeof (buffer1) - 1,
106 + sizeof (buffer2) - 1,
107 + sizeof (buffer3) - 1);
108 + fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
109 source->direction.x = g_ascii_strtod (buffer1, &endptr);
110 source->direction.y = g_ascii_strtod (buffer2, &endptr);
111 source->direction.z = g_ascii_strtod (buffer3, &endptr);
113 - fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
114 + snprintf (fmt_str, sizeof (fmt_str),
115 + " Color: %%%lds %%%lds %%%lds",
116 + sizeof (buffer1) - 1,
117 + sizeof (buffer2) - 1,
118 + sizeof (buffer3) - 1);
119 + fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
120 source->color.r = g_ascii_strtod (buffer1, &endptr);
121 source->color.g = g_ascii_strtod (buffer2, &endptr);
122 source->color.b = g_ascii_strtod (buffer3, &endptr);
123 source->color.a = 1.0;
125 - fscanf (fp, " Intensity: %s", buffer1);
126 + snprintf (fmt_str, sizeof (fmt_str),
127 + " Intensity: %%%lds",
128 + sizeof (buffer1) - 1);
129 + fscanf (fp, fmt_str, buffer1);
130 source->intensity = g_ascii_strtod (buffer1, &endptr);