From 9457ba024ac26404f88fe170e8a22301b7d9bd6b Mon Sep 17 00:00:00 2001
From: James Turner
Date: Sat, 14 Sep 2013 17:43:24 +0100
Subject: [PATCH] Fix for #1117: fix another issue similar to CVE-2012-2090
In FGClouds::buildlayer(), prevent passing '%n' to snprintf().
From: Rebecca Palmer
---
 src/Environment/fgclouds.cxx | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/Environment/fgclouds.cxx b/src/Environment/fgclouds.cxx
index f83a72767..6e77d9b0e 100644
--- a/src/Environment/fgclouds.cxx
+++ b/src/Environment/fgclouds.cxx
@@ -214,11 +214,10 @@ void FGClouds::buildLayer(int iLayer, const string& name, double coverage) {
 double count = acloud->getDoubleValue("count", 1.0);
 tCloudVariety[CloudVarietyCount].count = count;
 int variety = 0;
- cloud_name = cloud_name + "-%d";
 char variety_name[50];
 do {
 variety++;
- snprintf(variety_name, sizeof(variety_name) - 1, cloud_name.c_str(), variety);
+ snprintf(variety_name, sizeof(variety_name) - 1, "%s-%d", cloud_name.c_str(), variety);
 } while( box_def_root->getChild(variety_name, 0, false) );
 totalCount += count;
--
2.39.5
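Review bot: The snprintf() return value in the do/while loop is still ignored, so a `cloud_name` that does not fit the 50-byte `variety_name` buffer is silently truncated and the `-%d` suffix is lost; every iteration then looks up the same name, and if a child with that truncated name exists the loop would not terminate. Where `cloud_name` comes from is outside the hunk, but the commit message treats it as a format-string risk, so it is presumably not fully trusted. I would capture the result with `int n = snprintf(variety_name, sizeof(variety_name), "%s-%d", cloud_name.c_str(), variety);` and stop on `if (n < 0 || n >= static_cast<int>(sizeof(variety_name))) break;` (or reject the name with a log message). The `- 1` on the size argument is unnecessary, because snprintf() already reserves room for the terminator within the given size. buildLayer() starts and ends outside the hunk, so how the loop result is used afterwards should be checked against the full function.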