From e71a4417628278313584789e5c9a463bd2b4bb0a Mon Sep 17 00:00:00 2001
From: Christian Soffke
Date: Fri, 15 Apr 2022 17:53:36 +0200
Subject: [PATCH] ImageViewer: Fix buffer overflow np_file is a buffer of size MAX_PATH. After removing only the file name component and leaving the rest of the path, the available space may not be sufficient for appending another file name (possibly of size MAX_PATH itself) to it. This can occur after a file of acceptable length is opened in ImageViewer, and you then advance to another file whose path (including the file name) is longer than MAX_PATH.
Change-Id: Ideadd9451359bd5735bce92fca5d983e61f300e9
---
 apps/plugins/imageviewer/imageviewer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/plugins/imageviewer/imageviewer.c b/apps/plugins/imageviewer/imageviewer.c
index 4dc7b0a07a..e30a98ef68 100644
--- a/apps/plugins/imageviewer/imageviewer.c
+++ b/apps/plugins/imageviewer/imageviewer.c
@@ -195,7 +195,11 @@ static int change_filename(int direct)
 return PLUGIN_ERROR;
 }
- rb->strcpy(rb->strrchr(np_file, '/')+1, file_pt[curfile]);
+ size_t np_file_length = rb->strlen(np_file);
+ size_t np_file_name_length = rb->strlen(rb->strrchr(np_file, '/')+1);
+ size_t avail_length = sizeof(np_file) - (np_file_length - np_file_name_length);
+ rb->snprintf(rb->strrchr(np_file, '/')+1, avail_length, "%s", file_pt[curfile]);
 return PLUGIN_OTHER;
 }
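Review bot: The added `rb->snprintf` call bounds the write but discards its result, so an over-long `file_pt[curfile]` is silently truncated and `change_filename` still returns `PLUGIN_OTHER`, leaving `np_file` holding a path that names no file or a different one. Assuming `rb->snprintf` follows the usual contract of returning the untruncated length (to be confirmed against the plugin API), the call should capture that value and return `PLUGIN_ERROR` on truncation. The result of `rb->strrchr(np_file, '/')` is also dereferenced three times without a NULL check, as it was before the patch; storing it once in a local makes the check possible and reduces the length arithmetic to a pointer difference. The bound relies on `np_file` being an array at this point, which the commit message states but the hunk does not show, and the function body starts outside the hunk.

```c
    /* … unchanged: earlier part of change_filename … */
    char *slash = rb->strrchr(np_file, '/');
    if (slash == NULL)
        return PLUGIN_ERROR;

    char *name = slash + 1;
    size_t avail_length = sizeof(np_file) - (size_t)(name - np_file);

    int written = rb->snprintf(name, avail_length, "%s", file_pt[curfile]);
    if (written < 0 || (size_t)written >= avail_length)
        return PLUGIN_ERROR; /* name did not fit; do not report success */

    return PLUGIN_OTHER;
```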