Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters.  Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.


git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1323 632fc199-4ca6-4c93-a231-07263d6284db
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 8a70f67..e8b18af 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -73,6 +73,11 @@
 [10] Fixed a segfault that occurred when calling output_message() with msg_code
 set to JMSG_COPYRIGHT.
 
+[11] Fixed an issue whereby wrjpgcom was allowing comments longer than 65k
+characters to be passed on the command line, which was causing it to generate
+incorrect JPEG files.
+
+
 
 1.3.1
 =====
diff --git a/wrjpgcom.c b/wrjpgcom.c
index ecebd8c..0a22f62 100644
--- a/wrjpgcom.c
+++ b/wrjpgcom.c
@@ -3,8 +3,8 @@
  *
  * This file was part of the Independent JPEG Group's software:
  * Copyright (C) 1994-1997, Thomas G. Lane.
- * It was modified by The libjpeg-turbo Project to include only code relevant
- * to libjpeg-turbo.
+ * libjpeg-turbo Modifications:
+ * Copyright (C) 2014, D. R. Commander
  * For conditions of distribution and use, see the accompanying README file.
  *
  * This file contains a very simple stand-alone application that inserts
@@ -446,6 +446,11 @@
         comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
         if (comment_arg == NULL)
           ERREXIT("Insufficient memory");
+        if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH) {
+          fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                  (unsigned int) MAX_COM_LENGTH);
+          exit(EXIT_FAILURE);
+        }
         strcpy(comment_arg, argv[argn]+1);
         for (;;) {
           comment_length = (unsigned int) strlen(comment_arg);
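Review bot: The new guard at `if (strlen(argv[argn]) + 2 >= (size_t) MAX_COM_LENGTH)` reports its failure with a `fprintf(stderr, ...)` / `exit(EXIT_FAILURE)` pair, while the neighbouring failure paths in the same function (the malloc check two lines above and the "Missing ending quote mark" case in the next hunk) use `ERREXIT(...)`, and the same three-line message block is then repeated twice more in the following hunk. Routing all three checks through one path keeps the error handling uniform and removes the duplication: if ERREXIT only accepts a fixed string, `ERREXIT("Comment text may not exceed MAX_COM_LENGTH bytes");` loses the numeric bound, so a small `static void comment_too_long(void)` helper holding the fprintf/exit pair would be the alternative. The enclosing main() starts and ends outside this hunk.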
@@ -455,9 +460,19 @@
           }
           if (++argn >= argc)
             ERREXIT("Missing ending quote mark");
+          if (strlen(comment_arg) + strlen(argv[argn]) + 2 >=
+              (size_t) MAX_COM_LENGTH) {
+            fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                    (unsigned int) MAX_COM_LENGTH);
+            exit(EXIT_FAILURE);
+          }
           strcat(comment_arg, " ");
           strcat(comment_arg, argv[argn]);
         }
+      } else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH) {
+        fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                (unsigned int) MAX_COM_LENGTH);
+        exit(EXIT_FAILURE);
       }
       comment_length = (unsigned int) strlen(comment_arg);
     } else
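Review bot: The unquoted-comment guard `} else if (strlen(argv[argn]) >= (size_t) MAX_COM_LENGTH)` rejects a comment of exactly MAX_COM_LENGTH bytes, but the message it prints says the text "may not exceed" that many bytes, so the advertised limit is one byte larger than the enforced one; either use `>` here or word the message as a strict upper bound. In the quoted loop, the check at `if (strlen(comment_arg) + strlen(argv[argn]) + 2 >=` rescans comment_arg although `comment_length` was computed from the same string at the top of the loop and, as far as the visible lines show, nothing has modified it since, so `comment_length + strlen(argv[argn]) + 2` would avoid the second pass over a buffer that can approach 65k bytes; confirm that the ending-quote test between those lines (outside the hunk) does not alter comment_arg before falling through. main() continues outside the hunk.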