author | Alberto Barbaro <barbaro.alberto@gmail.com> | 2022-07-05 08:04:26 +0100 |
---|---|---|
committer | Cosmin Truta <ctruta@gmail.com> | 2022-11-20 22:28:03 +0200 |
commit | 8a5732fcb30b8afc4d3c23144acf2b502bb80122 (patch) | |
tree | 628d4f9e59e824b1c31e3f5564097bce94a018a9 | |
parent | 77c3a39299eaa32acd5422a416fad7da2b3d75b5 (diff) | |
tools: Fix a buffer overflow involving a file name in pngfix
Reported-by: Guoxiang Niu (@niugx), EaglEye Team
Reported-by: Riccardo Mori <patacca@autistici.org>
Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
-rw-r--r-- | contrib/tools/pngfix.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c
index 9afe09831..54a467daf 100644
--- a/contrib/tools/pngfix.c
+++ b/contrib/tools/pngfix.c
@@ -3961,6 +3961,14 @@ main(int argc, const char **argv)
 {
 size_t outlen = strlen(*argv);
 
+ if (outlen > FILENAME_MAX)
+ {
+ fprintf(stderr, "%s: output file name too long: %s%s%s\n",
+ prog, prefix, *argv, suffix ? suffix : "");
+ global.status_code |= WRITE_ERROR;
+ continue;
+ }
+
 if (outfile == NULL) /* else this takes precedence */
 {
 /* Consider the prefix/suffix options */
@@ -4046,4 +4054,3 @@ main(void)
 return 77;
 }
 #endif /* PNG_SETJMP_SUPPORTED */
-
|
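Review bot: In the new `fprintf`, `prefix` is passed to `%s` unguarded while `suffix` on the same line is guarded with `suffix ? suffix : ""`. The check sits ahead of the prefix/suffix handling, so it presumably also runs when no prefix option was given, and a null pointer for `%s` is undefined behaviour; the argument line should read `prog, prefix ? prefix : "", *argv, suffix ? suffix : "");`. The added guard also bounds only `strlen(*argv)`. Whether the combined prefix, name and suffix length is checked against the destination buffer is decided in code below the hunk and is worth confirming, since the body of `main` continues outside it.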