From 7df761c0410c2815a81844acd939072a4b3379eb Mon Sep 17 00:00:00 2001
From: nick black
Date: Wed, 23 Jun 2021 13:37:14 -0400
Subject: [PATCH] don't allow a format string attack via endasu sequence, heh
---
 src/lib/render.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/render.c b/src/lib/render.c
index 4037de477..65841e306 100644
--- a/src/lib/render.c
+++ b/src/lib/render.c
@@ -1139,7 +1139,7 @@ notcurses_rasterize_inner(notcurses* nc, ncpile* p, FILE* out, unsigned* asu){
 if(nc->rstate.mstrsize >= MIN_ASU_SIZE){
 const char* endasu = get_escape(&nc->tcache, ESCAPE_ESU);
 if(endasu){
- if(fprintf(out, endasu) < 0 || fflush(out)){
+ if(fprintf(out, "%s", endasu) < 0 || fflush(out)){
 return -1;
 }
 }else{
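Review bot: The corrected call `fprintf(out, "%s", endasu)` closes this one site, but nothing visible in the hunk stops the same pattern recurring for other strings returned by `get_escape(&nc->tcache, ...)`, so the remaining call sites that write escapes deserve the same check. I would write the line as `if(fputs(endasu, out) == EOF || fflush(out)){`, which emits the sequence with no format parsing at all, and enable `-Wformat-security` in the build if it is not already on, so a non-literal format with no arguments is reported at compile time. Where the terminal cache gets its strings is not shown here; presumably they come from the terminal description and are therefore influenced by the environment, which is worth confirming and stating in a short comment above the write. The body of notcurses_rasterize_inner starts and ends outside the hunk.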