Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.

git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1323 632fc199-4ca6-4c93-a231-07263d6284db
DRC
2014-06-22 20:36:50 +00:00
parent a8fb48b528
commit b7d6e84d6a
2 changed files with 22 additions and 2 deletions


@@ -73,6 +73,11 @@ maintain and extend.
[10] Fixed a segfault that occurred when calling output_message() with msg_code [10] Fixed a segfault that occurred when calling output_message() with msg_code
set to JMSG_COPYRIGHT. set to JMSG_COPYRIGHT.
[11] Fixed an issue whereby wrjpgcom was allowing comments longer than 65k
characters to be passed on the command line, which was causing it to generate
incorrect JPEG files.
1.3.1 1.3.1
===== =====


@@ -3,8 +3,8 @@
* *
* This file was part of the Independent JPEG Group's software: * This file was part of the Independent JPEG Group's software:
* Copyright (C) 1994-1997, Thomas G. Lane. * Copyright (C) 1994-1997, Thomas G. Lane.
* It was modified by The libjpeg-turbo Project to include only code relevant * libjpeg-turbo Modifications:
* to libjpeg-turbo. * Copyright (C) 2014, D. R. Commander
* For conditions of distribution and use, see the accompanying README file. * For conditions of distribution and use, see the accompanying README file.
* *
* This file contains a very simple stand-alone application that inserts * This file contains a very simple stand-alone application that inserts
@@ -446,6 +446,11 @@ main (int argc, char **argv)
comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH); comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
if (comment_arg == NULL) if (comment_arg == NULL)
ERREXIT("Insufficient memory"); ERREXIT("Insufficient memory");
if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) {
fprintf(stderr, "Comment text may not exceed %u bytes\n",
(unsigned int) MAX_COM_LENGTH);
exit(EXIT_FAILURE);
}
strcpy(comment_arg, argv[argn]+1); strcpy(comment_arg, argv[argn]+1);
for (;;) { for (;;) {
comment_length = (unsigned int) strlen(comment_arg); comment_length = (unsigned int) strlen(comment_arg);
@@ -455,9 +460,19 @@ main (int argc, char **argv)
} }
if (++argn >= argc) if (++argn >= argc)
ERREXIT("Missing ending quote mark"); ERREXIT("Missing ending quote mark");
if (strlen(comment_arg) + strlen(argv[argn]) + 2 >=
(size_t) MAX_COM_LENGTH) {
fprintf(stderr, "Comment text may not exceed %u bytes\n",
(unsigned int) MAX_COM_LENGTH);
exit(EXIT_FAILURE);
}
strcat(comment_arg, " "); strcat(comment_arg, " ");
strcat(comment_arg, argv[argn]); strcat(comment_arg, argv[argn]);
} }
} else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) {
fprintf(stderr, "Comment text may not exceed %u bytes\n",
(unsigned int) MAX_COM_LENGTH);
exit(EXIT_FAILURE);
} }
comment_length = (unsigned int) strlen(comment_arg); comment_length = (unsigned int) strlen(comment_arg);
} else } else
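Review bot: The same four-line "Comment text may not exceed" check is now pasted three times in main() (before the strcpy in the quoted branch, inside the for(;;) loop, and in the new else-if), and the three copies already disagree on the bound: the quoted path rejects at `len + 2 >= MAX_COM_LENGTH` while the unquoted path rejects at `len >= MAX_COM_LENGTH`, yet every message reports MAX_COM_LENGTH as the limit. Folding the test and the message into one static helper keeps the three sites from drifting further and makes the off-by-two in the reported limit visible in one place; the `+ 2` terms also deserve a comment saying what they account for (the separating space plus the terminating NUL in the loop, and the stripped leading quote plus NUL before the strcpy, as far as the visible code shows). In the loop, `strlen(comment_arg)` recomputes the `comment_length` assigned at the top of the same iteration; if the lines elided between the two hunks do not modify comment_arg before the `++argn` check, `comment_length` can be reused. main() starts and ends outside the hunk.
```c
/* Reject comment text that would not fit in the MAX_COM_LENGTH buffer;
 * len counts the bytes to be stored, excluding the terminating NUL. */
static void check_comment_length(size_t len)
{
  if (len >= (size_t) MAX_COM_LENGTH) {
    fprintf(stderr, "Comment text may not exceed %u bytes\n",
            (unsigned int) MAX_COM_LENGTH);
    exit(EXIT_FAILURE);
  }
}

/* … unchanged: main() up to the comment_arg allocation … */
        /* +2: the leading quote dropped by argv[argn]+1 is not copied,
         * but leave room for the NUL and for the later strcat of " " */
        check_comment_length(strlen(argv[argn]) + 2);
        strcpy(comment_arg, argv[argn]+1);
        for (;;) {
          comment_length = (unsigned int) strlen(comment_arg);
          /* … unchanged: terminating-quote test and break … */
          if (++argn >= argc)
            ERREXIT("Missing ending quote mark");
          /* +2: separating space plus terminating NUL */
          check_comment_length(comment_length + strlen(argv[argn]) + 2);
          strcat(comment_arg, " ");
          /* … unchanged: strcat of argv[argn], end of loop … */
        }
      } else {
        check_comment_length(strlen(argv[argn]));
      }
```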