prog/htmlviewer: Catch unbound memory access (CID 1386222)
rootname can have any size, so limit the amount of copied bytes.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
stweil committed Feb 16, 2018
1 parent 68898a2 commit c1079bb
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions prog/htmlviewer.c
Expand Up @@ -171,9 +171,9 @@ SARRAY *safiles, *sathumbs, *saviews, *sahtml, *salink;
return ERROR_INT("safiles not made", procName, 1);

/* Generate output text file names */
sprintf(charbuf, "%s/%s.html", dirout, rootname);
snprintf(charbuf, sizeof(charbuf), "%s/%s.html", dirout, rootname);
mainname = stringNew(charbuf);
sprintf(charbuf, "%s/%s-links.html", dirout, rootname);
snprintf(charbuf, sizeof(charbuf), "%s/%s-links.html", dirout, rootname);
linkname = stringNew(charbuf);
linknameshort = stringJoin(rootname, "-links.html");
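
Review bot: the return value of both snprintf calls (the ones that feed mainname and linkname) is ignored, so an over-long dirout or rootname now yields a silently truncated path instead of an error. A truncated charbuf can lose the ".html" suffix, and linkname would then disagree with linknameshort, which is still built from the full rootname by stringJoin. Suggest comparing the result against sizeof(charbuf) and bailing out the way the safiles check above does, e.g. `if (snprintf(charbuf, sizeof(charbuf), "%s/%s.html", dirout, rootname) >= (int)sizeof(charbuf)) return ERROR_INT("output name too long", procName, 1);`.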

Expand All @@ -197,7 +197,7 @@ SARRAY *safiles, *sathumbs, *saviews, *sahtml, *salink;
pixGetDimensions(pix, &w, NULL, &d);
factor = (l_float32)thumbwidth / (l_float32)w;
pixthumb = pixScale(pix, factor, factor);
sprintf(charbuf, "%s_thumb_%03d", rootname, index);
snprintf(charbuf, sizeof(charbuf), "%s_thumb_%03d", rootname, index);
sarrayAddString(sathumbs, charbuf, L_COPY);
outname = genPathname(dirout, charbuf);
WriteFormattedPix(outname, pixthumb);
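
Review bot: in the thumb-name snprintf, truncation cuts the tail of the string, which is where the "_thumb_%03d" index sits, so with a long rootname every thumbnail can end up with the same charbuf. That name is added to sathumbs and passed through genPathname to WriteFormattedPix, so later thumbnails would overwrite earlier ones with no diagnostic. Suggest checking the snprintf result here as well, or rejecting an over-long rootname once at function entry so that none of the three call sites can truncate.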

1 comment on commit c1079bb

@kbabioch

This has been assigned: CVE-2018-7247
