Fix the buffer overflow in MS-DOS caseHEAD master

A buffer overflow was reported at https://bugzilla.redhat.com/show_bug.cgi?id=226965 This patch fixes the buffer overflow (though MS-DOS is not really a relevant target any more)
author: Christoph Brill <egore911@egore911.de> 2009-01-11 01:03:17 +0100
committer: Christoph Brill <egore911@egore911.de> 2009-01-11 01:03:17 +0100
commit: b4f886fcbb692e20fb4da4e6e3ead57f79444734 (patch)
tree: 6e2705e3e8784fcf5cb9334ca4107dd24b500685
parent: 528fa5e2fb391434795cc3c23522066e5142f44b (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/wrjpgcom.c b/wrjpgcom.c
index b7b5a1a..81403aa 100644
--- a/wrjpgcom.c
+++ b/wrjpgcom.c
@@ -446,12 +446,12 @@ main (int argc, char **argv)
     } else if (keymatch(arg, "comment", 1)) {
       if (++argn >= argc) usage();
       comment_arg = argv[argn];
-#if 0
-#error "There is a buffer overflow in the code below"
       /* If the comment text starts with '"', then we are probably running
        * under MS-DOG and must parse out the quoted string ourselves.  Sigh.
        */
       if (comment_arg[0] == '"') {
+	if (strlen(argv[argn]) >= MAX_COM_LENGTH)
+	  ERREXIT("Comment to long");
 	comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
 	if (comment_arg == NULL)
 	  ERREXIT("Insufficient memory");
@@ -468,7 +468,6 @@ main (int argc, char **argv)
 	  strcat(comment_arg, argv[argn]);
 	}
       }
-#endif
       comment_length = (unsigned int) strlen(comment_arg);
     } else
       usage();
author	Christoph Brill <egore911@egore911.de>	2009-01-11 01:03:17 +0100
committer	Christoph Brill <egore911@egore911.de>	2009-01-11 01:03:17 +0100
commit	b4f886fcbb692e20fb4da4e6e3ead57f79444734 (patch)
tree	6e2705e3e8784fcf5cb9334ca4107dd24b500685
parent	528fa5e2fb391434795cc3c23522066e5142f44b (diff)