[portmidi] Format-security patch

Brendan Jones bsjones at fedoraproject.org
Mon Jun 9 18:13:53 UTC 2014


commit 4417e21ff9b8c0c5aa73818339eb7ed27263f2f7
Author: Brendan Jones <brendan.jones.it at gmail.com>
Date:   Mon Jun 9 20:13:47 2014 +0200

    Format-security patch

 portmidi-217-format-security.patch |   95 ++++++++++++++++++++++++++++++++++++
 portmidi.spec                      |    7 ++-
 2 files changed, 101 insertions(+), 1 deletions(-)
---
diff --git a/portmidi-217-format-security.patch b/portmidi-217-format-security.patch
new file mode 100644
index 0000000..01bd2f5
--- /dev/null
+++ b/portmidi-217-format-security.patch
@@ -0,0 +1,95 @@
+--- portmidi/pm_test/latency.c_old	2014-06-09 19:58:02.503837705 +0200
++++ portmidi/pm_test/latency.c	2014-06-09 19:59:15.645838404 +0200
+@@ -280,7 +280,7 @@ int get_number(char *prompt)
+ {
+     char line[STRING_MAX];
+     int n = 0, i;
+-    printf(prompt);
++    printf("%s",prompt);
+     while (n != 1) {
+         n = scanf("%d", &i);
+         fgets(line, STRING_MAX, stdin);
+diff -Nurp portmidi/pm_test/midiclock.c portmidi/pm_test.new/midiclock.c
+--- portmidi/pm_test/midiclock.c	2014-06-09 20:05:10.783841793 +0200
++++ portmidi/pm_test.new/midiclock.c	2014-06-09 20:06:05.582842316 +0200
+@@ -167,7 +167,7 @@ int get_number(char *prompt)
+ {
+     char line[STRING_MAX];
+     int n = 0, i;
+-    printf(prompt);
++    printf("%s",prompt);
+     while (n != 1) {
+         n = scanf("%d", &i);
+         fgets(line, STRING_MAX, stdin);
+@@ -256,7 +256,7 @@ int main(int argc, char **argv)
+     err = Pm_OpenOutput(&midi, outp, DRIVER_INFO, OUTPUT_BUFFER_SIZE, 
+                         TIME_PROC, TIME_INFO, LATENCY);
+     if (err) {
+-        printf(Pm_GetErrorText(err));
++        printf("%s",Pm_GetErrorText(err));
+         goto error_exit_no_device;
+     }
+     active = true;
+diff -Nurp portmidi/pm_test/mm.c portmidi/pm_test.new/mm.c
+--- portmidi/pm_test/mm.c	2010-10-05 20:49:09.000000000 +0200
++++ portmidi/pm_test.new/mm.c	2014-06-09 20:09:26.222844231 +0200
+@@ -119,7 +119,7 @@ int get_number(char *prompt)
+ {
+     char line[STRING_MAX];
+     int n = 0, i;
+-    printf(prompt);
++    printf("%s",prompt);
+     while (n != 1) {
+         n = scanf("%d", &i);
+         fgets(line, STRING_MAX, stdin);
+@@ -136,7 +136,7 @@ void receive_poll(PtTimestamp timestamp,
+     if (!active) return;
+     while ((count = Pm_Read(midi_in, &event, 1))) {
+         if (count == 1) output(event.message);
+-        else            printf(Pm_GetErrorText(count));
++        else            printf("%s",Pm_GetErrorText(count));
+     }
+ }
+ 
+@@ -168,7 +168,7 @@ int main(int argc, char **argv)
+     inp = get_number("Type input device number: ");
+     err = Pm_OpenInput(&midi_in, inp, NULL, 512, NULL, NULL);
+     if (err) {
+-        printf(Pm_GetErrorText(err));
++        printf("%s",Pm_GetErrorText(err));
+         Pt_Stop();
+         mmexit(1);
+     }
+@@ -484,7 +484,7 @@ private int put_pitch(int p)
+         "gs", "a", "bf", "b"    };
+     /* note octave correction below */
+     sprintf(result, "%s%d", ptos[p % 12], (p / 12) - 1);
+-    printf(result);
++    printf("%s",result);
+     return strlen(result);
+ }
+ 
+diff -Nurp portmidi/pm_test/test.c portmidi/pm_test.new/test.c
+--- portmidi/pm_test/test.c	2009-09-16 18:54:04.000000000 +0200
++++ portmidi/pm_test.new/test.c	2014-06-09 20:10:04.310844594 +0200
+@@ -37,7 +37,7 @@ int get_number(char *prompt)
+ {
+     char line[STRING_MAX];
+     int n = 0, i;
+-    printf(prompt);
++    printf("%s",prompt);
+     while (n != 1) {
+         n = scanf("%d", &i);
+         fgets(line, STRING_MAX, stdin);
+diff -Nurp portmidi/pm_test/sysex.c portmidi/pm_test.new/sysex.c
+--- portmidi/pm_test/sysex.c	2010-09-20 21:57:48.000000000 +0200
++++ portmidi/pm_test.new/sysex.c	2014-06-09 20:12:05.502845751 +0200
+@@ -39,7 +39,7 @@ int get_number(char *prompt)
+ {
+     char line[STRING_MAX];
+     int n = 0, i;
+-    printf(prompt);
++    printf("%s",prompt);
+     while (n != 1) {
+         n = scanf("%d", &i);
+         fgets(line, STRING_MAX, stdin);
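Review bot: In the `put_pitch` hunk for mm.c, the `sprintf(result, "%s%d", ...)` just above the fixed `printf` is still an unbounded write, and `result` is declared outside the hunk, so its size cannot be checked from here. If the buffer is only built to be printed and measured, the three lines could collapse to `return printf("%s%d", ptos[p % 12], (p / 12) - 1);`, which returns the same character count on success and needs no intermediate buffer. If `result` is used elsewhere, `snprintf(result, sizeof result, "%s%d", ...)` is the bounded form, assuming `result` is an array rather than a pointer. Separately, `p % 12` is negative for a negative `p` in C, so the `ptos` index relies on callers passing non-negative pitches, which is not visible here.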
diff --git a/portmidi.spec b/portmidi.spec
index 2125532..4d89c06 100644
--- a/portmidi.spec
+++ b/portmidi.spec
@@ -1,7 +1,7 @@
 Summary:        Real-time Midi I/O Library
 Name:           portmidi
 Version:        217
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        MIT
 Group:          System Environment/Libraries
 URL:            http://portmedia.sourceforge.net/
@@ -11,6 +11,7 @@ Source1:        pmdefaults.desktop
 Patch0:         portmidi-cmake.patch
 # Fix multilib conflict RHBZ#831432
 Patch1:         portmidi-no_date_footer.patch
+Patch2:         portmidi-217-format-security.patch
 BuildRequires:  alsa-lib-devel
 BuildRequires:  cmake
 BuildRequires:  desktop-file-utils
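Review bot: `Patch2` is added without the kind of explanatory comment that `Patch1` carries (`# Fix multilib conflict RHBZ#831432`). A line such as `# Use "%s" for non-literal printf arguments in pm_test (-Wformat-security)` above it would tell the next packager why the patch exists and when it can be dropped. If the change has been sent upstream, a reference to that report belongs in the same comment.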
@@ -67,6 +68,7 @@ configuration utility "pmdefaults" and some test applications.
 %setup -q -n %{name}
 %patch0 -p1 -b .buildfix
 %patch1 -p1 -b .no.date
+%patch2 -p1 -b .fmt.security
 
 # ewwww... binaries
 rm -f portmidi_cdt.zip */*.exe */*/*.exe
@@ -184,6 +186,9 @@ rm -f %{buildroot}%{_libdir}/libportmidi_s.so
 %{_libdir}/lib*.so
 
 %changelog
+* Mon Jun 09 2014 Brendan Jones <brendan.jones.it at gmail.com> 217-11
+- -Wformat-security patch
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 217-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 

