From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
---
 tools/tiffcp.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index fd129bb7..8d944ff6 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -274,19 +274,34 @@ main(int argc, char* argv[])
 deftilewidth = atoi(optarg);
 break;
 case 'B':
- *mp++ = 'b'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'b'; *mp = '\0';
+ }
 break;
 case 'L':
- *mp++ = 'l'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'l'; *mp = '\0';
+ }
 break;
 case 'M':
- *mp++ = 'm'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'm'; *mp = '\0';
+ }
 break;
 case 'C':
- *mp++ = 'c'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'c'; *mp = '\0';
+ }
 break;
 case '8':
- *mp++ = '8'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode)-1))
+ {
+ *mp++ = '8'; *mp = '\0';
+ }
 break;
 case 'x':
 pageInSeq = 1;
-- GitLab
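Review bot: The guard added in each of the five cases ('B', 'L', 'M', 'C', '8') bounds the write by `strlen(mode)`, but the store goes through `mp`, so it only holds while `mp == mode + strlen(mode)` and while `mode` is a true array whose `sizeof` is its capacity; both declarations sit outside this hunk in `main`, which also continues past it. Checking the write pointer itself, `if ((size_t)(mp - mode) < sizeof(mode) - 1)`, ties the bound to the pointer actually being stored through and avoids rescanning the string on every option. When the buffer is full the flag is dropped silently, so a repeated option changes the open mode with no diagnostic; a one-line warning on the else path would make that visible to the user. The five identical guards would also be easier to keep consistent as one small static helper, and a comment at the first case such as `/* keep room for the terminating NUL in mode[] */` would record why the bound is `sizeof(mode) - 1`.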