File icinga-fix-bnc797237.patch of Package icinga.1247

diff -rupN icinga-1.5.1.orig/cgi/cgiutils.c icinga-1.5.1/cgi/cgiutils.c
--- icinga-1.5.1.orig/cgi/cgiutils.c	2011-09-09 17:50:53.000000000 +0200
+++ icinga-1.5.1/cgi/cgiutils.c	2013-01-15 14:11:56.898120000 +0100
@@ -2353,6 +2353,10 @@ void print_export_link(int content_type,
 
 	/* just do stuff if some options are requested */
 	if (getenv("QUERY_STRING") != NULL && strcmp(getenv("QUERY_STRING"), "")) {
+		if(strlen(getenv("QUERY_STRING")) > MAX_INPUT_BUFFER) {
+			printf("print_export_link(): Could not allocate memory for stripped_query_string\n");
+			exit(1);
+	  }
 		strcpy(stripped_query_string, getenv("QUERY_STRING"));
 		strip_html_brackets(stripped_query_string);
 		strcat(link, "?");
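Review bot: The added length check uses `>`, so a query string of exactly MAX_INPUT_BUFFER characters still reaches the `strcpy`; if `stripped_query_string` is declared with MAX_INPUT_BUFFER bytes (its declaration is outside this hunk), the terminating NUL is written one byte past the end. The guard should read `if (strlen(getenv("QUERY_STRING")) >= MAX_INPUT_BUFFER)`, or compare against `sizeof(stripped_query_string)` if that is an array. The message says "Could not allocate memory" although nothing is allocated here; wording such as "query string too long" would describe the rejection accurately. The `strcat(link, ...)` calls that follow are still unbounded and need the same check against the size of `link`, which is not visible in this hunk.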
diff -rupN icinga-1.5.1.orig/cgi/getcgi.c icinga-1.5.1/cgi/getcgi.c
--- icinga-1.5.1.orig/cgi/getcgi.c	2011-09-09 17:50:53.000000000 +0200
+++ icinga-1.5.1/cgi/getcgi.c	2013-01-15 14:03:01.275633000 +0100
@@ -157,13 +157,15 @@ char **getcgivars(void) {
 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 		if (getenv("QUERY_STRING") == NULL) {
 			cgiinput = (char *)malloc(1);
+			if (cgiinput != NULL) {
+				cgiinput[0] = '\x0';
+			}
+		} else
+			cgiinput = strdup(getenv("QUERY_STRING"));
 			if (cgiinput == NULL) {
 				printf("getcgivars(): Could not allocate memory for CGI input.\n");
 				exit(1);
 			}
-			cgiinput[0] = '\x0';
-		} else
-			cgiinput = strdup(getenv("QUERY_STRING"));
 	}
 
 	else if (!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) {
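Review bot: The `if (cgiinput == NULL)` check after the brace-less `else` is indented as if it belonged to the `else`, but it runs after both branches. That is what keeps the `malloc(1)` path checked, yet the layout hides it and invites a later edit that breaks it. Brace the `else` (`} else {` ... `}`) and move the NULL check out to the indentation of the enclosing `if`, so the control flow matches what the reader sees. Building with `-Wmisleading-indentation` would flag this form.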
@@ -232,7 +234,11 @@ char **getcgivars(void) {
 	paircount = 0;
 	nvpair = strtok(cgiinput, "&");
 	while (nvpair) {
-		pairlist[paircount++] = strdup(nvpair);
+		pairlist[paircount] = strdup(nvpair);
+		if(pairlist[paircount++] == NULL) {
+			printf("getcgivars(): Could not allocate memory for name-value pair element #%d.\n", paircount);
+			exit(1);
+		}
 		if (paircount > MAX_CGI_INPUT_PAIRS)
 			break;
 		if (!(paircount % 256)) {
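Review bot: The post-increment inside the test `if(pairlist[paircount++] == NULL)` makes this message report a 1-based element number, while the messages added further down in getcgivars() print the 0-based `i`. Keep the side effect out of the condition: `if (pairlist[paircount] == NULL) { ... }` followed by `paircount++;`. Separately, the `paircount > MAX_CGI_INPUT_PAIRS` limit is only tested after the store, so the bound on `pairlist` depends on the reallocation code that continues below this hunk and should be checked there as well.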
@@ -259,12 +265,27 @@ char **getcgivars(void) {
 		/* get the variable name preceding the equal (=) sign */
 		if ((eqpos = strchr(pairlist[i], '=')) != NULL) {
 			*eqpos = '\0';
-			unescape_cgi_input(cgivars[i*2+1] = strdup(eqpos + 1));
+			cgivars[i*2+1] = strdup(eqpos + 1);
+			if(cgivars[i*2+1] == NULL) {
+				printf("getcgivars(): Could not allocate memory for cgi param value #%d.\n", i);
+				exit(1);
+			}
+			unescape_cgi_input(cgivars[i*2+1]);
 		} else
-			unescape_cgi_input(cgivars[i*2+1] = strdup(""));
+			cgivars[i*2+1] = strdup("");
+			if(cgivars[i*2+1] == NULL) {
+				printf("getcgivars(): Could not allocate memory for empty cgi param value #%d.\n", i);
+				exit(1);
+			}
+			unescape_cgi_input(cgivars[i*2+1]);
 
 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
-		unescape_cgi_input(cgivars[i*2] = strdup(pairlist[i]));
+		cgivars[i*2] = strdup(pairlist[i]);
+		if(cgivars[i*2] == NULL) {
+			printf("getcgivars(): Could not allocate memory for cgi param name #%d.\n", i);
+			exit(1);
+		}
+		unescape_cgi_input(cgivars[i*2]);
 	}
 
 	/* terminate the name-value list */
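Review bot: Splitting the one-line `else` into three statements without adding braces changes behaviour: only `cgivars[i*2+1] = strdup("");` belongs to the `else`, so the NULL check and the second `unescape_cgi_input(cgivars[i*2+1]);` also run after the `=` branch. Every parameter value that contains `=` is therefore unescaped twice. Assuming unescape_cgi_input() decodes `%XX` sequences (its body is not shown), a value such as `%253C` ends up as `<`, which corrupts literal `%` characters and lets encoded input reach the CGIs in a form that a single-decode filter in front of them would not have seen. Write the branch as `} else {` ... `}` around the three added lines so that each value is decoded exactly once.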
diff -rupN icinga-1.5.1.orig/cgi/history.c icinga-1.5.1/cgi/history.c
--- icinga-1.5.1.orig/cgi/history.c	2011-09-09 17:50:53.000000000 +0200
+++ icinga-1.5.1/cgi/history.c	2013-01-15 14:06:14.487198000 +0100
@@ -747,14 +747,14 @@ void show_history(void) {
 				else if (display_type == DISPLAY_HOSTS) {
 
 					if (history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) {
-						sprintf(match1, " HOST ALERT: %s;", host_name);
-						sprintf(match2, " SERVICE ALERT: %s;", host_name);
+						snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name);
+						snprintf(match2, sizeof(match2), " SERVICE ALERT: %s;", host_name);
 					} else if (history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) {
-						sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name);
-						sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name);
+						snprintf(match1, sizeof(match1), " HOST FLAPPING ALERT: %s;", host_name);
+						snprintf(match2, sizeof(match2), " SERVICE FLAPPING ALERT: %s;", host_name);
 					} else if (history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) {
-						sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name);
-						sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name);
+						snprintf(match1, sizeof(match1), " HOST DOWNTIME ALERT: %s;", host_name);
+						snprintf(match2, sizeof(match2), " SERVICE DOWNTIME ALERT: %s;", host_name);
 					}
 
 					if (show_all_hosts == TRUE)
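Review bot: The `snprintf` calls bound the write but discard the return value, so an over-long `host_name` is truncated silently and the trailing `;` delimiter is dropped from `match1`/`match2`. The `strstr()` comparisons that use these buffers then match on a prefix and could select log entries of other hosts whose names begin with the same characters. Check for truncation, e.g. `if (snprintf(match1, sizeof(match1), ...) >= (int)sizeof(match1))`, and skip the entry or reject the request in that case. The same applies to the three `snprintf` calls in the DISPLAY_SERVICES hunk below, where `service_desc` is appended as well.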
@@ -793,11 +793,11 @@ void show_history(void) {
 				else if (display_type == DISPLAY_SERVICES) {
 
 					if (history_type == SERVICE_HISTORY)
-						sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, service_desc);
+						snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, service_desc);
 					else if (history_type == SERVICE_FLAPPING_HISTORY)
-						sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
+						snprintf(match1, sizeof(match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
 					else if (history_type == SERVICE_DOWNTIME_HISTORY)
-						sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
+						snprintf(match1, sizeof(match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
 
 					if (strstr(temp_entry->entry_text, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY))
 						display_line = TRUE;