fix out of bounds write in radiance

It was using a fixed 64-byte stack buffer for the RHS of format lines. Lines can be MAXLINE (2048) chars, so a long line could overflow. If we use MAXLINE for the small buffer as well, we are guaranteed to not overflow. thanks HongxuChen See https://github.com/jcupitt/libvips/issues/1039
2018-07-22 16:28:29 +01:00 · 2018-07-22 16:28:29 +01:00 · 26fcccba9b
commit 26fcccba9b
parent 927f92a8bb
1 changed files with 12 additions and 4 deletions
--- a/libvips/foreign/radiance.c
+++ b/libvips/foreign/radiance.c
@ -23,6 +23,7 @@
 * 	- reduce stack use to help musl
 * 22/7/18
 * 	- update code from radiance ... pasted in from rad5R1
+ * 	- expand fs[] buffer to prevent out of bounds write
 */

 /*
@ -168,6 +169,8 @@
 * 4. make all functions static
 * 5. reorder to remove forward refs
 * 6. remove unused funcs, mostly related to HDR write
+ * 7. "char fs[64];" needs to be MAXLINE to stop out of bounds write on long
+ * lines
 */

 #define  RED		0
@ -535,7 +538,11 @@ getheader(		/* get header from file */

 struct check {
 	FILE	*fp;
-	char	fs[64];
+
+	/* This was 64. Expand to MAXLINE to prevent an out of bounds write
+	 * for very long lines.
+	 */
+	char	fs[MAXLINE];
 };


@ -545,9 +552,10 @@ mycheck(			/* check a header line for format info. */
 	void  *cp
 )
 {
-	if (!formatval(((struct check*)cp)->fs, s)
-			&& ((struct check*)cp)->fp != NULL) {
-		fputs(s, ((struct check*)cp)->fp);
+	struct check *p = (struct check *) cp;
+
+	if (!formatval(p->fs, s) && p->fp != NULL) {
+		fputs(s, p->fp);
 	}
 	return(0);
 }