Fix for #1117:

fix another issue similar to CVE-2012-2090
 In FGClouds::buildlayer(), prevent passing '%n' to snprintf().
From: Rebecca Palmer

diff --git a/src/Environment/fgclouds.cxx b/src/Environment/fgclouds.cxx
index f83a7276740d0b5c3b2b53e6870e5069a2602699..6e77d9b0e96629a49d51ff8df56e20080447f3e2 100644 (file)
--- a/src/Environment/fgclouds.cxx
+++ b/src/Environment/fgclouds.cxx
@@ -214,11 +214,10 @@ void FGClouds::buildLayer(int iLayer, const string& name, double coverage) {
                        double count = acloud->getDoubleValue("count", 1.0);
                        tCloudVariety[CloudVarietyCount].count = count;
                        int variety = 0;
-                       cloud_name = cloud_name + "-%d";
                        char variety_name[50];
                        do {
                                variety++;
-                               snprintf(variety_name, sizeof(variety_name) - 1, cloud_name.c_str(), variety);
+                               snprintf(variety_name, sizeof(variety_name) - 1, "%s-%d", cloud_name.c_str(), variety);
                        } while( box_def_root->getChild(variety_name, 0, false) );
 
                        totalCount += count;