fltk: Fix formatting escapes.
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Thu, 7 Feb 2019 23:11:19 +0000 (23:11 +0000)
committerDamien Goutte-Gattat <dgouttegattat@incenp.org>
Sun, 10 Feb 2019 17:57:08 +0000 (17:57 +0000)
* fltk/main.cxx (fltk_cmd_handler): Fix calls to fl_message()
and fl_choice() functions.
--

The fl_message and fl_choice functions expect a format string as
their first argument; passing the message directly might cause a
crash (or worse) if the message happens to contain formatting
escape chars.

GnuPG-bug-id: 4337
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
fltk/main.cxx

index 8e7e726..5d226ed 100644 (file)
@@ -241,12 +241,12 @@ static int fltk_cmd_handler(pinentry_t pe)
                                if (pe->one_button)
                                {
                                        fl_ok = ok.c_str();
-                                       fl_message(message);
+                                       fl_message("%s", message);
                                        result = 1; // OK
                                }
                                else if (pe->notok)
                                {
-                                       switch (fl_choice(message, ok.c_str(), cancel.c_str(), pe->notok))
+                                       switch (fl_choice("%s", ok.c_str(), cancel.c_str(), pe->notok, message))
                                        {
                                        case 0: result = 1; break;
                                        case 2: result = 0; break;
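Review bot: Nothing in the new code records why the literal `"%s"` is there or why `message` moved to the end of the `fl_choice` argument list, so a later cleanup could fold it back into the first argument. The same applies to the `fl_message` call above and to the `fl_choice` call in the next hunk. I would add a short comment at the first call, e.g. `// message is not a trusted literal: pass it as data to a fixed "%s" format, never as the format itself`. If the FLTK headers in use declare these functions with a printf format attribute (I believe 1.3 does, but that is not visible here), building with `-Werror=format-security` would catch a regression at compile time. The body of `fltk_cmd_handler` starts and ends outside this hunk.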
@@ -256,7 +256,7 @@ static int fltk_cmd_handler(pinentry_t pe)
                                }
                                else
                                {
-                                       switch (fl_choice(message, ok.c_str(), cancel.c_str(), NULL))
+                                       switch (fl_choice("%s", ok.c_str(), cancel.c_str(), NULL, message))
                                        {
                                        case 0: result = 1; break;
                                        default:
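Review bot: With the format string fixed, `message` and the button labels still reach FLTK's label drawing, which as far as I know treats `@` sequences as symbol escapes and `&` in button labels as a shortcut marker. Text containing those characters may therefore be displayed differently from what was sent. This is a rendering concern rather than a memory-safety one, but for a confirmation dialog it is worth either doubling `@` to `@@` before display or documenting the limitation with a comment such as `// NOTE: '@' in message/labels is still interpreted by FLTK's label renderer`. The definition of `message` is outside the hunk, so where such escaping would belong cannot be judged from here.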