diff options
author | dcommander <dcommander@632fc199-4ca6-4c93-a231-07263d6284db> | 2014-06-22 20:36:50 +0000 |
---|---|---|
committer | dcommander <dcommander@632fc199-4ca6-4c93-a231-07263d6284db> | 2014-06-22 20:36:50 +0000 |
commit | 8801314afa614643d1d5120bf4dadd7e9964ed00 (patch) | |
tree | e07ce48d540116ebed5c39b3684a5f74ef38844a /wrjpgcom.c | |
parent | b5b7a7cdc080a20bf586f491381e8304f378fc1c (diff) |
Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.
git-svn-id: svn://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1323 632fc199-4ca6-4c93-a231-07263d6284db
Diffstat (limited to 'wrjpgcom.c')
-rw-r--r-- | wrjpgcom.c | 19 |
1 files changed, 17 insertions, 2 deletions
@@ -3,8 +3,8 @@ * * This file was part of the Independent JPEG Group's software: * Copyright (C) 1994-1997, Thomas G. Lane. - * It was modified by The libjpeg-turbo Project to include only code relevant - * to libjpeg-turbo. + * libjpeg-turbo Modifications: + * Copyright (C) 2014, D. R. Commander * For conditions of distribution and use, see the accompanying README file. * * This file contains a very simple stand-alone application that inserts @@ -446,6 +446,11 @@ main (int argc, char **argv) comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH); if (comment_arg == NULL) ERREXIT("Insufficient memory"); + if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) { + fprintf(stderr, "Comment text may not exceed %u bytes\n", + (unsigned int) MAX_COM_LENGTH); + exit(EXIT_FAILURE); + } strcpy(comment_arg, argv[argn]+1); for (;;) { comment_length = (unsigned int) strlen(comment_arg); @@ -455,9 +460,19 @@ main (int argc, char **argv) } if (++argn >= argc) ERREXIT("Missing ending quote mark"); + if (strlen(comment_arg) + strlen(argv[argn]) + 2 >= + (size_t) MAX_COM_LENGTH) { + fprintf(stderr, "Comment text may not exceed %u bytes\n", + (unsigned int) MAX_COM_LENGTH); + exit(EXIT_FAILURE); + } strcat(comment_arg, " "); strcat(comment_arg, argv[argn]); } + } else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) { + fprintf(stderr, "Comment text may not exceed %u bytes\n", + (unsigned int) MAX_COM_LENGTH); + exit(EXIT_FAILURE); } comment_length = (unsigned int) strlen(comment_arg); } else |