Fixes cmdline buffer overflow described in http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/072002.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978 diff -Naurp gif2png-2.5.2/gif2png.c gif2png-2.5.2.oden/gif2png.c --- gif2png-2.5.2/gif2png.c 2009-11-11 20:28:02.000000000 +0000 +++ gif2png-2.5.2.oden/gif2png.c 2011-01-14 16:39:07.000000000 +0000 @@ -682,7 +682,10 @@ int processfile(char *fname, FILE *fp) strcpy(outname, fname); - file_ext = outname+strlen(outname)-4; + file_ext = outname+strlen(outname); + if (file_ext >= outname + 4) + file_ext -= 4; + if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 && strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) { /* try to derive basename */ @@ -874,6 +877,14 @@ int main(int argc, char *argv[]) } } else { for (i = ac;i<argc; i++) { + /* make sure that there is enough space for a '.p<NUM>' suffix; + this check catches also the '.gif' case below. */ + if (strlen(argv[i]) >= sizeof name - sizeof ".p" - 3 * sizeof(int)) { + fprintf(stderr, "%s: name too long\n", argv[i]); + errors = 1; + continue; + } + strcpy(name, argv[i]); if ((fp = fopen(name, "rb")) == NULL) { /* retry with .gif appended */