List: rockbox-cvs
Subject: ImageViewer: Fix buffer overflow
From: rockbox-gerrit-noreply--- via rockbox-cvs <rockbox-cvs () lists ! haxx ! se>
Date: 2022-04-18 14:58:46
Message-ID: 202204181458.23IEwkE8125388 () archos ! rockbox ! org
commit e71a4417628278313584789e5c9a463bd2b4bb0a
Author: Christian Soffke <christian.soffke@gmail.com>
Date: Fri Apr 15 17:53:36 2022 +0200
ImageViewer: Fix buffer overflow
np_file is a buffer of size MAX_PATH. After
removing only the file name component and
leaving the rest of the path, the
available space may not be sufficient
for appending another file name (possibly of
size MAX_PATH itself) to it.
This can occur after a file of acceptable
length is opened in ImageViewer, and you
then advance to another file whose path
(including the file name) is longer than
MAX_PATH.
Change-Id: Ideadd9451359bd5735bce92fca5d983e61f300e9
diff --git a/apps/plugins/imageviewer/imageviewer.c b/apps/plugins/imageviewer/imageviewer.c
index 4dc7b0a07a..e30a98ef68 100644
--- a/apps/plugins/imageviewer/imageviewer.c
+++ b/apps/plugins/imageviewer/imageviewer.c
@@ -195,7 +195,11 @@ static int change_filename(int direct)
return PLUGIN_ERROR;
}
- rb->strcpy(rb->strrchr(np_file, '/')+1, file_pt[curfile]);
+ size_t np_file_length = rb->strlen(np_file);
+ size_t np_file_name_length = rb->strlen(rb->strrchr(np_file, '/')+1);
+ size_t avail_length = sizeof(np_file) - (np_file_length - np_file_name_length);
+
+ rb->snprintf(rb->strrchr(np_file, '/')+1, avail_length, "%s", file_pt[curfile]);
return PLUGIN_OTHER;
}
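Review bot: The new rb->snprintf call at the end of change_filename() ignores its return value, so a file_pt[curfile] that does not fit in avail_length is silently truncated and the function still returns PLUGIN_OTHER with a path in np_file that names no existing file (or a different one). Assuming rb->snprintf follows the standard convention of returning the length it would have written, compare the result against avail_length and return PLUGIN_ERROR on truncation instead of continuing. The length arithmetic itself is right (sizeof(np_file) minus the offset of the name component), but it takes two rb->strlen calls and three rb->strrchr calls to get there; storing the result of rb->strrchr(np_file, '/')+1 in a local pointer once and computing the remaining space as sizeof(np_file) minus (that pointer minus np_file) would be shorter and would also give one place to check for a NULL return from rb->strrchr, which neither the old nor the new line handles.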
--
rockbox-cvs mailing list
rockbox-cvs@lists.haxx.se
https://lists.haxx.se/listinfo/rockbox-cvs