Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1323 632fc199-4ca6-4c93-a231-07263d6284db
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 8a70f67..e8b18af 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -73,6 +73,11 @@
[10] Fixed a segfault that occurred when calling output_message() with msg_code
set to JMSG_COPYRIGHT.
+[11] Fixed an issue whereby wrjpgcom was allowing comments longer than 65k
+characters to be passed on the command line, which was causing it to generate
+incorrect JPEG files.
+
+
1.3.1
=====
diff --git a/wrjpgcom.c b/wrjpgcom.c
index ecebd8c..0a22f62 100644
--- a/wrjpgcom.c
+++ b/wrjpgcom.c
@@ -3,8 +3,8 @@
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1994-1997, Thomas G. Lane.
- * It was modified by The libjpeg-turbo Project to include only code relevant
- * to libjpeg-turbo.
+ * libjpeg-turbo Modifications:
+ * Copyright (C) 2014, D. R. Commander
* For conditions of distribution and use, see the accompanying README file.
*
* This file contains a very simple stand-alone application that inserts
@@ -446,6 +446,11 @@
comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
if (comment_arg == NULL)
ERREXIT("Insufficient memory");
+ if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) {
+ fprintf(stderr, "Comment text may not exceed %u bytes\n",
+ (unsigned int) MAX_COM_LENGTH);
+ exit(EXIT_FAILURE);
+ }
strcpy(comment_arg, argv[argn]+1);
for (;;) {
comment_length = (unsigned int) strlen(comment_arg);
@@ -455,9 +460,19 @@
}
if (++argn >= argc)
ERREXIT("Missing ending quote mark");
+ if (strlen(comment_arg) + strlen(argv[argn]) + 2 >=
+ (size_t) MAX_COM_LENGTH) {
+ fprintf(stderr, "Comment text may not exceed %u bytes\n",
+ (unsigned int) MAX_COM_LENGTH);
+ exit(EXIT_FAILURE);
+ }
strcat(comment_arg, " ");
strcat(comment_arg, argv[argn]);
}
+ } else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) {
+ fprintf(stderr, "Comment text may not exceed %u bytes\n",
+ (unsigned int) MAX_COM_LENGTH);
+ exit(EXIT_FAILURE);
}
comment_length = (unsigned int) strlen(comment_arg);
} else