[LIBJPEG]

[reactos.git] / reactos / dll / 3rdparty / libjpeg / wrjpgcom.c

diff --git a/reactos/dll/3rdparty/libjpeg/wrjpgcom.c b/reactos/dll/3rdparty/libjpeg/wrjpgcom.c
index 8c04b05..d1bfcc9 100644 (file)
--- a/reactos/dll/3rdparty/libjpeg/wrjpgcom.c
+++ b/reactos/dll/3rdparty/libjpeg/wrjpgcom.c
@@ -2,6 +2,7 @@
  * wrjpgcom.c
  *
  * Copyright (C) 1994-1997, Thomas G. Lane.
+ * Modified 2015 by Guido Vollbeding.
  * This file is part of the Independent JPEG Group's software.
  * For conditions of distribution and use, see the accompanying README file.
  *
@@ -453,6 +454,11 @@ main (int argc, char **argv)
        comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
        if (comment_arg == NULL)
          ERREXIT("Insufficient memory");
+       if (strlen(argv[argn]+1) >= (size_t) MAX_COM_LENGTH) {
+         fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                 (unsigned int) MAX_COM_LENGTH);
+         exit(EXIT_FAILURE);
+       }
        strcpy(comment_arg, argv[argn]+1);
        for (;;) {
          comment_length = (unsigned int) strlen(comment_arg);
@@ -462,9 +468,19 @@ main (int argc, char **argv)
          }
          if (++argn >= argc)
            ERREXIT("Missing ending quote mark");
+         if (strlen(comment_arg) + 1 + strlen(argv[argn]) >=
+             (size_t) MAX_COM_LENGTH) {
+           fprintf(stderr, "Comment text may not exceed %u bytes\n",
+                   (unsigned int) MAX_COM_LENGTH);
+           exit(EXIT_FAILURE);
+         }
          strcat(comment_arg, " ");
          strcat(comment_arg, argv[argn]);
        }
+      } else if (strlen(comment_arg) >= (size_t) MAX_COM_LENGTH) {
+       fprintf(stderr, "Comment text may not exceed %u bytes\n",
+               (unsigned int) MAX_COM_LENGTH);
+       exit(EXIT_FAILURE);
       }
       comment_length = (unsigned int) strlen(comment_arg);
     } else