From: James Turner <zakalawe@mac.com>
Date: Sat, 14 Sep 2013 16:43:24 +0000 (+0100)
Subject: Fix for #1117:
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=9457ba024ac26404f88fe170e8a22301b7d9bd6b;p=flightgear.git

Fix for #1117:

fix another issue similar to CVE-2012-2090
 In FGClouds::buildlayer(), prevent passing '%n' to snprintf().
From: Rebecca Palmer
---

diff --git a/src/Environment/fgclouds.cxx b/src/Environment/fgclouds.cxx
index f83a72767..6e77d9b0e 100644
--- a/src/Environment/fgclouds.cxx
+++ b/src/Environment/fgclouds.cxx
@@ -214,11 +214,10 @@ void FGClouds::buildLayer(int iLayer, const string& name, double coverage) {
 			double count = acloud->getDoubleValue("count", 1.0);
 			tCloudVariety[CloudVarietyCount].count = count;
 			int variety = 0;
-			cloud_name = cloud_name + "-%d";
 			char variety_name[50];
 			do {
 				variety++;
-				snprintf(variety_name, sizeof(variety_name) - 1, cloud_name.c_str(), variety);
+				snprintf(variety_name, sizeof(variety_name) - 1, "%s-%d", cloud_name.c_str(), variety);
 			} while( box_def_root->getChild(variety_name, 0, false) );
 
 			totalCount += count;