From 26fcccba9b83d132f47d7b4c66baad0a1786c948 Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Sun, 22 Jul 2018 16:28:29 +0100
Subject: [PATCH] fix out of bounds write in radiance
It was using a fixed 64-byte stack buffer for the RHS of format lines. Lines can be MAXLINE (2048) chars, so a long line could overflow. If we use MAXLINE for the small buffer as well, we are guaranteed to not overflow. thanks HongxuChen See https://github.com/jcupitt/libvips/issues/1039
---
 libvips/foreign/radiance.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/libvips/foreign/radiance.c b/libvips/foreign/radiance.c
index 18d691c4..a489da5f 100644
--- a/libvips/foreign/radiance.c
+++ b/libvips/foreign/radiance.c
@@ -23,6 +23,7 @@
 * - reduce stack use to help musl
 22/7/18
 * - update code from radiance ... pasted in from rad5R1
+ * - expand fs[] buffer to prevent out of bounds write
 */
 /*
@@ -168,6 +169,8 @@
 * 4. make all functions static
 * 5. reorder to remove forward refs
 * 6. remove unused funcs, mostly related to HDR write
+ * 7. "char fs[64];" needs to be MAXLINE to stop out of bounds write on long
+ * lines
 */
 #define RED 0
@@ -535,7 +538,11 @@ getheader( /* get header from file */
 struct check {
 FILE *fp;
- char fs[64];
+
+ /* This was 64. Expand to MAXLINE to prevent an out of bounds write
+ * for very long lines.
+ */
+ char fs[MAXLINE];
 };
@@ -545,9 +552,10 @@ mycheck( /* check a header line for format info. */
 void *cp
 )
 {
- if (!formatval(((struct check*)cp)->fs, s)
- && ((struct check*)cp)->fp != NULL) {
- fputs(s, ((struct check*)cp)->fp);
+ struct check *p = (struct check *) cp;
+
+ if (!formatval(p->fs, s) && p->fp != NULL) {
+ fputs(s, p->fp);
 }
 return(0);
 }
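Review bot: The `char fs[MAXLINE]` field in struct check closes the overflow only under the invariant that every line handed to formatval() is at most MAXLINE bytes; formatval() is outside this hunk and, as far as the diff shows, still copies with no length argument, so the new comment should record that invariant rather than the field's history, e.g. `/* Receives the format value copied by formatval(). Sized MAXLINE because header lines are read into a MAXLINE buffer, so the value can never be longer. */`. Growing the field from 64 to MAXLINE (2048 per the commit message) also adds about 2 KB wherever a struct check is declared; if that is a local in getheader(), which the ` * - reduce stack use to help musl` changelog line in this same file suggests is a concern, a heap-allocated struct check would keep the fix without the stack growth.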
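Review bot: The rewritten `fputs(s, p->fp);` still discards its return value, so a failed write of the passed-through header line goes unnoticed and the caller always sees `return(0);`; if the copied header matters, `if (fputs(s, p->fp) == EOF) { /* write error: propagate to caller */ }` would surface it, though this is pre-existing behaviour and the error convention of mycheck's callers is not visible here. The cast in `struct check *p = (struct check *) cp;` is also unnecessary in C, since `void *` converts implicitly. mycheck's signature and its first parameter begin above this hunk.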