Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.

2014-06-22 20:36:50 +00:00
parent b8f2b72acb
commit e3d3cc073d
2 changed files with 22 additions and 2 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -73,6 +73,11 @@ maintain and extend.
 [10] Fixed a segfault that occurred when calling output_message() with msg_code
 set to JMSG_COPYRIGHT.

+[11] Fixed an issue whereby wrjpgcom was allowing comments longer than 65k
+characters to be passed on the command line, which was causing it to generate
+incorrect JPEG files.
+
+

 1.3.1
 =====
--- a/wrjpgcom.c
+++ b/wrjpgcom.c
@@ -3,8 +3,8 @@
 *
 * This file was part of the Independent JPEG Group's software:
 * Copyright (C) 1994-1997, Thomas G. Lane.
- * It was modified by The libjpeg-turbo Project to include only code relevant
- * to libjpeg-turbo.
+ * libjpeg-turbo Modifications:
+ * Copyright (C) 2014, D. R. Commander
 * For conditions of distribution and use, see the accompanying README file.
 *
 * This file contains a very simple stand-alone application that inserts
@@ -446,6 +446,11 @@ main (int argc, char **argv)
        comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
        if (comment_arg == NULL)
          ERREXIT("Insufficient memory");
+        if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) {
+          fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                  (unsigned int) MAX_COM_LENGTH);
+          exit(EXIT_FAILURE);
+        }
        strcpy(comment_arg, argv[argn]+1);
        for (;;) {
          comment_length = (unsigned int) strlen(comment_arg);
@@ -455,9 +460,19 @@ main (int argc, char **argv)
          }
          if (++argn >= argc)
            ERREXIT("Missing ending quote mark");
+          if (strlen(comment_arg) + strlen(argv[argn]) + 2 >=
+              (size_t) MAX_COM_LENGTH) {
+            fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                    (unsigned int) MAX_COM_LENGTH);
+            exit(EXIT_FAILURE);
+          }
          strcat(comment_arg, " ");
          strcat(comment_arg, argv[argn]);
        }
+      } else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) {
+        fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                (unsigned int) MAX_COM_LENGTH);
+        exit(EXIT_FAILURE);
      }
      comment_length = (unsigned int) strlen(comment_arg);
    } else