1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
Fixes cmdline buffer overflow described in
http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/072002.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Index: gif2png-2.5.3/gif2png.c
===================================================================
--- gif2png-2.5.3.orig/gif2png.c
+++ gif2png-2.5.3/gif2png.c
@@ -675,7 +675,10 @@ int processfile(char *fname, FILE *fp)
strcpy(outname, fname);
- file_ext = outname+strlen(outname)-4;
+ file_ext = outname+strlen(outname);
+ if (file_ext >= outname + 4)
+ file_ext -= 4;
+
if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 &&
strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) {
/* try to derive basename */
@@ -863,6 +866,14 @@ int main(int argc, char *argv[])
}
} else {
for (i = ac;i<argc; i++) {
+ /* make sure that there is enough space for a '.p<NUM>' suffix;
+ this check catches also the '.gif' case below. */
+ if (strlen(argv[i]) >= sizeof name - sizeof ".p" - 3 * sizeof(int)) {
+ fprintf(stderr, "%s: name too long\n", argv[i]);
+ errors = 1;
+ continue;
+ }
+
strcpy(name, argv[i]);
if ((fp = fopen(name, "rb")) == NULL) {
/* retry with .gif appended */
|