diff -up rrdtool-1.4.8/src/rrd_graph.c.orig2 rrdtool-1.4.8/src/rrd_graph.c
--- rrdtool-1.4.8/src/rrd_graph.c.orig2	2013-05-23 09:55:07.000000000 +0200
+++ rrdtool-1.4.8/src/rrd_graph.c	2013-06-03 15:56:35.820593192 +0200
@@ -4022,6 +4022,12 @@ rrd_info_t *rrd_graph_v(
         char     *path;
         char     *filename;
 
+        if (bad_format_imginfo(im.imginfo)) {
+            rrd_info_free(im.grinfo);
+            im_free(&im);
+            rrd_set_error("bad format for imginfo");
+            return NULL;
+        }
         path = strdup(im.graphfile);
         filename = basename(path);
         info.u_str =
@@ -4827,6 +4833,51 @@ int bad_format(
 }
 
 
+int bad_format_imginfo(
+    char *fmt)
+{
+    char     *ptr;
+    int       n = 0;
+
+    ptr = fmt;
+    while (*ptr != '\0')
+        if (*ptr++ == '%') {
+
+            /* line cannot end with percent char */
+            if (*ptr == '\0')
+                return 1;
+            /* '%%' is allowed */
+            if (*ptr == '%')
+                ptr++;
+            /* '%s', '%S' are allowed */
+            else if (*ptr == 's' || *ptr == 'S') {
+                n = 1;
+                ptr++;
+            }
+
+            /* or else '% 4lu' and such are allowed */
+            else {
+                /* optional padding character */
+                if (*ptr == ' ')
+                    ptr++;
+                /* This should take care of 'm' */
+                while (*ptr >= '0' && *ptr <= '9')
+                    ptr++;
+                /* 'lu' must follow here */
+                if (*ptr++ != 'l')
+                    return 1;
+                if (*ptr == 'u')
+                    ptr++;
+                else
+                    return 1;
+                n++;
+            }
+        }
+
+    return (n != 3);
+}
+
+
 int vdef_parse(
     struct graph_desc_t
     *gdes,