fix dangerous werrstr() usages

werrstr() takes a format string as its first argument.
a common error is to pass user controlled string buffers
into werrstr() that might contain format string escapes
causing werrstr() to take bogus arguments from the stack
and crash.

so instead of doing:
	werrstr(buf);

we want todo:
	werrstr("%s", buf);

or if we have a local ERRMAX sized buffer that we can override:
	errstr(buf, sizeof buf);

3 files changed, 4 insertions, 4 deletions

diff --git a/sys/src/cmd/jpg/readgif.c b/sys/src/cmd/jpg/readgif.c
index 0a5edd364..d5c0d1d7d 100644
--- a/sys/src/cmd/jpg/readgif.c
+++ b/sys/src/cmd/jpg/readgif.c
@@ -93,7 +93,7 @@ giferror(Header *h, char *fmt, ...)
 	vseprint(h->err, h->err+sizeof h->err, fmt, arg);
 	va_end(arg);
 
-	werrstr(h->err);
+	werrstr("%s", h->err);
 	giffreeall(h, 1);
 	longjmp(h->errlab, 1);
 }
diff --git a/sys/src/cmd/jpg/readjpg.c b/sys/src/cmd/jpg/readjpg.c
index a3ab3ed8a..676ce2afb 100644
--- a/sys/src/cmd/jpg/readjpg.c
+++ b/sys/src/cmd/jpg/readjpg.c
@@ -227,7 +227,7 @@ jpgerror(Header *h, char *fmt, ...)
 	vseprint(h->err, h->err+sizeof h->err, fmt, arg);
 	va_end(arg);
 
-	werrstr(h->err);
+	werrstr("%s", h->err);
 	jpgfreeall(h, 1);
 	longjmp(h->errlab, 1);
 }
diff --git a/sys/src/cmd/jpg/torgbv.c b/sys/src/cmd/jpg/torgbv.c
index ca84592b4..d1cef81a3 100644
--- a/sys/src/cmd/jpg/torgbv.c
+++ b/sys/src/cmd/jpg/torgbv.c
@@ -16,13 +16,13 @@ void*
 _remaperror(char *fmt, ...)
 {
 	va_list arg;
-	char buf[256];
+	char buf[ERRMAX];
 
 	va_start(arg, fmt);
 	vseprint(buf, buf+sizeof buf, fmt, arg);
 	va_end(arg);
 
-	werrstr(buf);
+	errstr(buf, sizeof buf);
 	return nil;
 }