fixed a format string injection vulnerability in VASQ_ASSERT

nickeldan · Nov 19, 2021 · 3fb86fb · 3fb86fb
1 parent e387c80
commit 3fb86fb
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 8 deletions.
diff --git a/README.rst b/README.rst
@@ -4,7 +4,7 @@ Vanilla Squad
 
 :Author: Daniel Walker
 
-Version 5.1.1 was released on October 8, 2021.
+Version 5.1.2 was released on November 18, 2021.
 
 Overview
 ========

diff --git a/changelog b/changelog
@@ -1,5 +1,6 @@
 5.1.2:
     - PLACEHOLDER() now works as long as the C standard version is at least C99.
+    - Fixed a potential format string injection vulnerability in VASQ_ASSERT.
 
 5.1.1:
     - The PLACEHOLDER() macro no longer depends upon features.h.

diff --git a/include/vasq/logger.h b/include/vasq/logger.h
@@ -400,13 +400,13 @@ extern bool _vasq_abort_caught;
 
 #endif  // VASQ_TEST_ABORT
 
-#define VASQ_ASSERT(logger, expr)                              \
-    do {                                                       \
-        _VASQ_CLEAR_ABORT();                                   \
-        if (!(expr)) {                                         \
-            VASQ_CRITICAL(logger, "Assertion failed: " #expr); \
-            _VASQ_ABORT();                                     \
-        }                                                      \
+#define VASQ_ASSERT(logger, expr)                                 \
+    do {                                                          \
+        _VASQ_CLEAR_ABORT();                                      \
+        if (!(expr)) {                                            \
+            VASQ_CRITICAL(logger, "Assertion failed: %s", #expr); \
+            _VASQ_ABORT();                                        \
+        }                                                         \
     } while (0)
 
 #else  // DEBUG