Description: fix hardening bugs due to missing formatting strings
Forwarded: Unknown
Author: Frédéric Bonnard <frediz@linux.vnet.ibm.com>

--- a/src/servicelog.c
+++ b/src/servicelog.c
@@ -279,7 +279,7 @@
 			if (newline != NULL) {
 				prnt_len = newline - &tmpbuf[offset] + 1;
 				snprintf(buf + buf_offset, prnt_len,
-					 &tmpbuf[offset]);
+					 "%s", &tmpbuf[offset]);
 				buf_offset = strlen(buf);
 				buf_offset += sprintf(buf + buf_offset, "\n");
 				offset += prnt_len;
@@ -297,7 +297,7 @@
 			}
 
 			/* print up to the last brkpt */
-			snprintf(buf + buf_offset, prnt_len, &tmpbuf[offset]);
+			snprintf(buf + buf_offset, prnt_len, "%s", &tmpbuf[offset]);
 			buf_offset = strlen(buf);
 			buf_offset += sprintf(buf + buf_offset, "\n");
 			offset += prnt_len;
@@ -305,10 +305,10 @@
 		}
 	}
 
-	prnt_len = sprintf(buf + buf_offset, &tmpbuf[offset]);
+	prnt_len = sprintf(buf + buf_offset, "%s", &tmpbuf[offset]);
 	line_offset += prnt_len;
 
-	return fprintf(stream, buf);
+	return fprintf(stream, "%s", buf);
 }
 
 /**
@@ -583,7 +583,7 @@
 
 	rc = sqlite3_open(log->location, &(log->db));
 	if (rc) {
-		snprintf(log->error, SL_MAX_ERR, sqlite3_errmsg(log->db));
+		snprintf(log->error, SL_MAX_ERR, "%s", sqlite3_errmsg(log->db));
 		servicelog_close(log);
 		return ENOENT;
 	}
--- a/src/v29_print.c
+++ b/src/v29_print.c
@@ -152,7 +152,7 @@
 
             if (newline != NULL) {
                 prnt_len = newline - &tmpbuf[offset] + 1;
-                snprintf(buf + buf_offset, prnt_len, &tmpbuf[offset]);
+                snprintf(buf + buf_offset, prnt_len, "%s", &tmpbuf[offset]);
                 buf_offset = strlen(buf);
                 buf_offset += sprintf(buf + buf_offset, "\n");
                 offset += prnt_len;
@@ -171,7 +171,7 @@
             }
 
             /* print up to the last brkpt */
-            snprintf(buf + buf_offset, prnt_len, &tmpbuf[offset]);
+            snprintf(buf + buf_offset, prnt_len, "%s", &tmpbuf[offset]);
             buf_offset = strlen(buf);
             buf_offset += sprintf(buf + buf_offset, "\n");
             offset += prnt_len;
@@ -180,10 +180,10 @@
 
     }
 
-    prnt_len = sprintf(buf + buf_offset, &tmpbuf[offset]);
+    prnt_len = sprintf(buf + buf_offset, "%s", &tmpbuf[offset]);
     line_offset += prnt_len;
 
-    len = fprintf(stream, buf);
+    len = fprintf(stream, "%s", buf);
 
     return len;
 }
