author | dcommander <dcommander@632fc199-4ca6-4c93-a231-07263d6284db> | 2014-06-22 20:36:50 +0000 |
---|---|---|
committer | dcommander <dcommander@632fc199-4ca6-4c93-a231-07263d6284db> | 2014-06-22 20:36:50 +0000 |
commit | 8801314afa614643d1d5120bf4dadd7e9964ed00 (patch) | |
tree | e07ce48d540116ebed5c39b3684a5f74ef38844a | |
parent | b5b7a7cdc080a20bf586f491381e8304f378fc1c (diff) |
Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.
git-svn-id: svn://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1323 632fc199-4ca6-4c93-a231-07263d6284db
-rw-r--r-- | ChangeLog.txt | 5 | ||||
-rw-r--r-- | wrjpgcom.c | 19 |
2 files changed, 22 insertions, 2 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt index 8a70f67..e8b18af 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -73,6 +73,11 @@ maintain and extend. [10] Fixed a segfault that occurred when calling output_message() with msg_code set to JMSG_COPYRIGHT. +[11] Fixed an issue whereby wrjpgcom was allowing comments longer than 65k +characters to be passed on the command line, which was causing it to generate +incorrect JPEG files. + + 1.3.1 ===== @@ -3,8 +3,8 @@ * * This file was part of the Independent JPEG Group's software: * Copyright (C) 1994-1997, Thomas G. Lane. - * It was modified by The libjpeg-turbo Project to include only code relevant - * to libjpeg-turbo. + * libjpeg-turbo Modifications: + * Copyright (C) 2014, D. R. Commander * For conditions of distribution and use, see the accompanying README file. * * This file contains a very simple stand-alone application that inserts @@ -446,6 +446,11 @@ main (int argc, char **argv) comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH); if (comment_arg == NULL) ERREXIT("Insufficient memory"); + if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) { + fprintf(stderr, "Comment text may not exceed %u bytes\n", + (unsigned int) MAX_COM_LENGTH); + exit(EXIT_FAILURE); + } strcpy(comment_arg, argv[argn]+1); for (;;) { comment_length = (unsigned int) strlen(comment_arg); @@ -455,9 +460,19 @@ main (int argc, char **argv) } if (++argn >= argc) ERREXIT("Missing ending quote mark"); + if (strlen(comment_arg) + strlen(argv[argn]) + 2 >= + (size_t) MAX_COM_LENGTH) { + fprintf(stderr, "Comment text may not exceed %u bytes\n", + (unsigned int) MAX_COM_LENGTH); + exit(EXIT_FAILURE); + } strcat(comment_arg, " "); strcat(comment_arg, argv[argn]); } + } else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) { + fprintf(stderr, "Comment text may not exceed %u bytes\n", + (unsigned int) MAX_COM_LENGTH); + exit(EXIT_FAILURE); } comment_length = (unsigned int) strlen(comment_arg); } else |
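Review bot: The guard added ahead of `strcpy(comment_arg, argv[argn]+1)` in the `@@ -446,6 +446,11 @@` hunk enforces a lower limit than the one its message prints. The copy writes `strlen(argv[argn])` bytes including the terminator into the `MAX_COM_LENGTH`-byte buffer, yet `strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH` already rejects arguments of `MAX_COM_LENGTH - 2` bytes; that is safe, but the margin is unexplained, and the two checks in the `@@ -455,9 +460,19 @@` hunk apply other thresholds under the same message, so the accepted maximum varies with how the comment was quoted. I would state the arithmetic above the check, e.g. `/* strcpy below writes strlen(argv[argn]) bytes incl. NUL; the +2 is extra margin */`, and move the three identical `fprintf`/`exit` blocks into one static helper so the limit and its wording are defined once. `main` begins and ends outside the hunk.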
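Review bot: The `else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH)` branch at the end of the `@@ -455,9 +460,19 @@` hunk has no copy after it in the visible lines, so it appears to enforce the comment-size limit of the output file rather than a buffer bound, and nothing in the code says so. A maintainer auditing the overrun fix could take it for a redundant memory check and drop it; a comment such as `/* no copy here: an over-long comment would produce an incorrect JPEG file */` would keep the two purposes apart. In the loop above it, the `+ 2` in the new check covers the joining space and the terminating NUL written by the two `strcat` calls, which is worth stating next to the check as `/* +2: joining space and terminating NUL */`. The enclosing `for` loop and `if` begin outside this hunk.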