diff options
author | Christoph Brill <egore911@egore911.de> | 2009-01-11 01:03:17 +0100 |
---|---|---|
committer | Christoph Brill <egore911@egore911.de> | 2009-01-11 01:03:17 +0100 |
commit | b4f886fcbb692e20fb4da4e6e3ead57f79444734 (patch) | |
tree | 6e2705e3e8784fcf5cb9334ca4107dd24b500685 | |
parent | 528fa5e2fb391434795cc3c23522066e5142f44b (diff) |
A buffer overflow was reported at
https://bugzilla.redhat.com/show_bug.cgi?id=226965
This patch fixes the buffer overflow (though MS-DOS is not really
a relevant target any more)
-rw-r--r-- | wrjpgcom.c | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -446,12 +446,12 @@ main (int argc, char **argv) } else if (keymatch(arg, "comment", 1)) { if (++argn >= argc) usage(); comment_arg = argv[argn]; -#if 0 -#error "There is a buffer overflow in the code below" /* If the comment text starts with '"', then we are probably running * under MS-DOG and must parse out the quoted string ourselves. Sigh. */ if (comment_arg[0] == '"') { + if (strlen(argv[argn]) >= MAX_COM_LENGTH) + ERREXIT("Comment to long"); comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH); if (comment_arg == NULL) ERREXIT("Insufficient memory"); @@ -468,7 +468,6 @@ main (int argc, char **argv) strcat(comment_arg, argv[argn]); } } -#endif comment_length = (unsigned int) strlen(comment_arg); } else usage(); |