tools: Fix a buffer overflow involving a file name in pngfix Reported-by: Guoxiang Niu (@niugx), EaglEye Team Reported-by: Riccardo Mori <patacca@autistici.org> Reviewed-by: John Bowler <jbowler@acm.org> Signed-off-by: Cosmin Truta <ctruta@gmail.com>

commit: 8a5732fcb30b8afc4d3c23144acf2b502bb80122 [log] [tgz]
author: Alberto Barbaro <barbaro.alberto@gmail.com> Tue Jul 05 08:04:26 2022 +0100
committer: Cosmin Truta <ctruta@gmail.com> Sun Nov 20 22:28:03 2022 +0200
tree: 628d4f9e59e824b1c31e3f5564097bce94a018a9
parent: 77c3a39299eaa32acd5422a416fad7da2b3d75b5 [diff]
diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c
index 9afe098..54a467d 100644
--- a/contrib/tools/pngfix.c
+++ b/contrib/tools/pngfix.c

@@ -3961,6 +3961,14 @@
       {
          size_t outlen = strlen(*argv);
 
+         if (outlen > FILENAME_MAX)
+         {
+            fprintf(stderr, "%s: output file name too long: %s%s%s\n",
+               prog, prefix, *argv, suffix ? suffix : "");
+            global.status_code |= WRITE_ERROR;
+            continue;
+         }
+
          if (outfile == NULL) /* else this takes precedence */
          {
             /* Consider the prefix/suffix options */
@@ -4046,4 +4054,3 @@
    return 77;
 }
 #endif /* PNG_SETJMP_SUPPORTED */
-
commit	8a5732fcb30b8afc4d3c23144acf2b502bb80122	[log] [tgz]
author	Alberto Barbaro <barbaro.alberto@gmail.com>	Tue Jul 05 08:04:26 2022 +0100
committer	Cosmin Truta <ctruta@gmail.com>	Sun Nov 20 22:28:03 2022 +0200
tree	628d4f9e59e824b1c31e3f5564097bce94a018a9
parent	77c3a39299eaa32acd5422a416fad7da2b3d75b5 [diff]