| Truncate the null-terminated string from get_token to the size |
| of the input string. This involves passing the input string |
| size to get_token(), and prevents it from overwriting past |
| the end of that string. |
| |
| --- libpng-1.2.49/contrib/pngminus/pnm2png.c.orig 2013-05-07 18:50:45.271320496 -0700 |
| +++ libpng-1.2.49/contrib/pngminus/pnm2png.c 2013-05-07 18:58:38.881218666 -0700 |
| @@ -50,7 +50,7 @@ |
| int main (int argc, char *argv[]); |
| void usage (); |
| BOOL pnm2png (FILE *pnm_file, FILE *png_file, FILE *alpha_file, BOOL interlace, BOOL alpha); |
| -void get_token(FILE *pnm_file, char *token); |
| +void get_token(FILE *pnm_file, char *token, int token_size); |
| png_uint_32 get_data (FILE *pnm_file, int depth); |
| png_uint_32 get_value (FILE *pnm_file, int depth); |
| |
| @@ -212,7 +212,7 @@ |
| |
| /* read header of PNM file */ |
| |
| - get_token(pnm_file, type_token); |
| + get_token(pnm_file, type_token, sizeof(type_token)); |
| if (type_token[0] != 'P') |
| { |
| return FALSE; |
| @@ -221,9 +221,9 @@ |
| { |
| raw = (type_token[1] == '4'); |
| color_type = PNG_COLOR_TYPE_GRAY; |
| - get_token(pnm_file, width_token); |
| + get_token(pnm_file, width_token, sizeof(width_token)); |
| sscanf (width_token, "%lu", &width); |
| - get_token(pnm_file, height_token); |
| + get_token(pnm_file, height_token, sizeof(height_token)); |
| sscanf (height_token, "%lu", &height); |
| bit_depth = 1; |
| packed_bitmap = TRUE; |
| @@ -232,11 +232,11 @@ |
| { |
| raw = (type_token[1] == '5'); |
| color_type = PNG_COLOR_TYPE_GRAY; |
| - get_token(pnm_file, width_token); |
| + get_token(pnm_file, width_token, sizeof(width_token)); |
| sscanf (width_token, "%lu", &width); |
| - get_token(pnm_file, height_token); |
| + get_token(pnm_file, height_token, sizeof(height_token)); |
| sscanf (height_token, "%lu", &height); |
| - get_token(pnm_file, maxval_token); |
| + get_token(pnm_file, maxval_token, sizeof(maxval_token)); |
| sscanf (maxval_token, "%lu", &maxval); |
| if (maxval <= 1) |
| bit_depth = 1; |
| @@ -253,11 +253,11 @@ |
| { |
| raw = (type_token[1] == '6'); |
| color_type = PNG_COLOR_TYPE_RGB; |
| - get_token(pnm_file, width_token); |
| + get_token(pnm_file, width_token, sizeof(width_token)); |
| sscanf (width_token, "%lu", &width); |
| - get_token(pnm_file, height_token); |
| + get_token(pnm_file, height_token, sizeof(height_token)); |
| sscanf (height_token, "%lu", &height); |
| - get_token(pnm_file, maxval_token); |
| + get_token(pnm_file, maxval_token, sizeof(maxval_token)); |
| sscanf (maxval_token, "%lu", &maxval); |
| if (maxval <= 1) |
| bit_depth = 1; |
| @@ -284,7 +284,7 @@ |
| if (color_type == PNG_COLOR_TYPE_RGB) |
| color_type = PNG_COLOR_TYPE_RGB_ALPHA; |
| |
| - get_token(alpha_file, type_token); |
| + get_token(alpha_file, type_token, sizeof(type_token)); |
| if (type_token[0] != 'P') |
| { |
| return FALSE; |
| @@ -292,15 +292,15 @@ |
| else if ((type_token[1] == '2') || (type_token[1] == '5')) |
| { |
| alpha_raw = (type_token[1] == '5'); |
| - get_token(alpha_file, width_token); |
| + get_token(alpha_file, width_token, sizeof(width_token)); |
| sscanf (width_token, "%lu", &alpha_width); |
| if (alpha_width != width) |
| return FALSE; |
| - get_token(alpha_file, height_token); |
| + get_token(alpha_file, height_token, sizeof(height_token)); |
| sscanf (height_token, "%lu", &alpha_height); |
| if (alpha_height != height) |
| return FALSE; |
| - get_token(alpha_file, maxval_token); |
| + get_token(alpha_file, maxval_token, sizeof(maxval_token)); |
| sscanf (maxval_token, "%lu", &maxval); |
| if (maxval <= 1) |
| alpha_depth = 1; |
| @@ -464,7 +464,7 @@ |
| * get_token() - gets the first string after whitespace |
| */ |
| |
| -void get_token(FILE *pnm_file, char *token) |
| +void get_token(FILE *pnm_file, char *token, int token_size) |
| { |
| int i = 0; |
| int ret; |
| @@ -491,7 +491,7 @@ |
| { |
| ret = fgetc(pnm_file); |
| if (ret == EOF) break; |
| - i++; |
| + if (i < token_size - 1) i++; |
| token[i] = (unsigned char) ret; |
| } |
| while ((token[i] != '\n') && (token[i] != '\r') && (token[i] != ' ')); |
| @@ -551,7 +551,7 @@ |
| for (i = 0; i < depth; i++) |
| mask = (mask << 1) | 0x01; |
| |
| - get_token (pnm_file, (char *) token); |
| + get_token (pnm_file, (char *) token, sizeof(token)); |
| sscanf ((const char *) token, "%lu", &ret_value); |
| |
| ret_value &= mask; |