ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.

Browse Source 
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1323 632fc199-4ca6-4c93-a231-07263d6284db
This commit is contained in:
DRC
2014-06-22 20:36:50 +00:00
parent a8fb48b528
commit b7d6e84d6a
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
wrjpgcom.c
View File

@@ -3,8 +3,8 @@
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1994-1997, Thomas G. Lane.
* It was modified by The libjpeg-turbo Project to include only code relevant
* to libjpeg-turbo.
* libjpeg-turbo Modifications:
* Copyright (C) 2014, D. R. Commander
* For conditions of distribution and use, see the accompanying README file.
*
* This file contains a very simple stand-alone application that inserts
@@ -446,6 +446,11 @@ main (int argc, char **argv)
comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
if (comment_arg == NULL)
ERREXIT("Insufficient memory");
if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) {
fprintf(stderr, "Comment text may not exceed %u bytes\n",
(unsigned int) MAX_COM_LENGTH);
exit(EXIT_FAILURE);
}
strcpy(comment_arg, argv[argn]+1);
for (;;) {
comment_length = (unsigned int) strlen(comment_arg);
@@ -455,9 +460,19 @@ main (int argc, char **argv)
}
if (++argn >= argc)
ERREXIT("Missing ending quote mark");
if (strlen(comment_arg) + strlen(argv[argn]) + 2 >=
(size_t) MAX_COM_LENGTH) {
fprintf(stderr, "Comment text may not exceed %u bytes\n",
(unsigned int) MAX_COM_LENGTH);
exit(EXIT_FAILURE);
}
strcat(comment_arg, " ");
strcat(comment_arg, argv[argn]);
}
} else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) {
fprintf(stderr, "Comment text may not exceed %u bytes\n",
(unsigned int) MAX_COM_LENGTH);
exit(EXIT_FAILURE);
}
comment_length = (unsigned int) strlen(comment_arg);
} else