$NetBSD: patch-bc,v 1.1 2011/04/15 16:39:10 drochner Exp $

CVE-2010-4542

--- plug-ins/gfig/gfig-style.c.orig	2010-07-02 22:51:59.000000000 +0000
+++ plug-ins/gfig/gfig-style.c
@@ -165,6 +165,7 @@ gfig_read_parameter_gimp_rgb (gchar     
   gchar *ptr;
   gchar *tmpstr;
   gchar *endptr;
+  gchar  fmt_str[32];
   gchar  colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
   gchar  colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
   gchar  colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
@@ -172,6 +173,10 @@ gfig_read_parameter_gimp_rgb (gchar     
 
   style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
 
+  snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
+            sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
+            sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
+
   while (n < nitems)
     {
       ptr = strchr (text[n], ':');
@@ -181,7 +186,8 @@ gfig_read_parameter_gimp_rgb (gchar     
           ptr++;
           if (!strcmp (tmpstr, name))
             {
-              sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+              sscanf (ptr, fmt_str,
+                      colorstr_r, colorstr_g, colorstr_b, colorstr_a);
               style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
               style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
               style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
