
FileIO: Fix invalid write of 1 in PNG

strcpy also copies the terminating null character at the end of a string. std::string doesn't count that character in its own size().
1 parent 7559afc commit 93e023c761a0007429e86216c0710eedea3bd98d Zack Moratto committed Oct 5, 2012
Showing with 4 additions and 4 deletions.
  1. +4 −4 src/vw/FileIO/DiskImageResourcePNG.cc
@@ -499,17 +499,17 @@ struct DiskImageResourcePNG::vw_png_write_context:
// Convert vector of comments into the PNG format
png_textp text = new png_text[comments.size()];
for ( size_t i = 0; i < comments.size(); i++ ) {
- text[i].key = strcpy( new char[comments[i].key.size()],
+ text[i].key = strcpy( new char[comments[i].key.size() + 1],
comments[i].key.c_str() );
- text[i].text = strcpy( new char[comments[i].text.size()],
+ text[i].text = strcpy( new char[comments[i].text.size() + 1],
comments[i].text.c_str() );
text[i].text_length = comments[i].text.size();
text[i].compression = comments[i].compressed;
#ifdef PNG_iTXt_SUPPORTED
text[i].itxt_length = 0;
- text[i].lang = strcpy( new char[comments[i].lang.size()],
+ text[i].lang = strcpy( new char[comments[i].lang.size() + 1],
comments[i].lang.c_str() );
- text[i].lang_key = strcpy( new char[comments[i].lang_key.size()],
+ text[i].lang_key = strcpy( new char[comments[i].lang_key.size() + 1],
comments[i].lang_key.c_str() );
#endif
}
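Review bot: The four `strcpy( new char[x.size() + 1], x.c_str() )` calls in this loop still state the buffer size and the copy length separately, which is the pattern that let the one-byte heap overflow fixed here slip in. A small file-local helper that allocates `size() + 1` and copies exactly that many bytes would keep the two tied together. Copying by length also keeps `text[i].text` consistent with `text[i].text_length = comments[i].text.size()` if a comment ever contains an embedded NUL, where `strcpy` would stop early and leave the tail of the buffer uninitialized. The matching `delete[]` calls and the rest of the enclosing function are outside this hunk, so ownership of these buffers cannot be checked from here.

```cpp
// file-local helper: NUL-terminated heap copy of s; caller releases with delete[]
static char* dup_cstr( const std::string& s ) {
  char* buf = new char[s.size() + 1];
  std::memcpy( buf, s.c_str(), s.size() + 1 );
  return buf;
}

// … unchanged: png_text array allocation and loop header …
text[i].key = dup_cstr( comments[i].key );
text[i].text = dup_cstr( comments[i].text );
// … unchanged: text_length, compression, itxt_length …
text[i].lang = dup_cstr( comments[i].lang );
text[i].lang_key = dup_cstr( comments[i].lang_key );
```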
