From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001 From: Su_Laus Date: Sat, 2 Apr 2022 22:33:31 +0200 Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode" string (fixes #400) (cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96) --- tools/tiffcp.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c index d5f1d248..fb98bd57 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -249,19 +249,34 @@ main(int argc, char* argv[]) deftilewidth = atoi(optarg); break; case 'B': - *mp++ = 'b'; *mp = '\0'; + if (strlen(mode) < (sizeof(mode) - 1)) + { + *mp++ = 'b'; *mp = '\0'; + } break; case 'L': - *mp++ = 'l'; *mp = '\0'; + if (strlen(mode) < (sizeof(mode) - 1)) + { + *mp++ = 'l'; *mp = '\0'; + } break; case 'M': - *mp++ = 'm'; *mp = '\0'; + if (strlen(mode) < (sizeof(mode) - 1)) + { + *mp++ = 'm'; *mp = '\0'; + } break; case 'C': - *mp++ = 'c'; *mp = '\0'; + if (strlen(mode) < (sizeof(mode) - 1)) + { + *mp++ = 'c'; *mp = '\0'; + } break; case '8': - *mp++ = '8'; *mp = '\0'; + if (strlen(mode) < (sizeof(mode)-1)) + { + *mp++ = '8'; *mp = '\0'; + } break; case 'x': pageInSeq = 1; -- 2.34.1