tools: Fix a buffer overflow involving a file name in pngfix
Reported-by: Guoxiang Niu (@niugx), EaglEye Team
Reported-by: Riccardo Mori <patacca@autistici.org>
Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c
index 9afe098..54a467d 100644
--- a/contrib/tools/pngfix.c
+++ b/contrib/tools/pngfix.c
@@ -3961,6 +3961,14 @@
{
size_t outlen = strlen(*argv);
+ if (outlen > FILENAME_MAX)
+ {
+ fprintf(stderr, "%s: output file name too long: %s%s%s\n",
+ prog, prefix, *argv, suffix ? suffix : "");
+ global.status_code |= WRITE_ERROR;
+ continue;
+ }
+
if (outfile == NULL) /* else this takes precedence */
{
/* Consider the prefix/suffix options */
@@ -4046,4 +4054,3 @@
return 77;
}
#endif /* PNG_SETJMP_SUPPORTED */
-