Nyaaori/rockbox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

ImageViewer: Fix buffer overflow

Browse source 
np_file is a buffer of size MAX_PATH. After
removing only the file name component and
leaving the rest of the path, the
available space may not be sufficient
for appending another file name (possibly of
size MAX_PATH itself) to it.

This can occur after a file of acceptable
length is opened in ImageViewer, and you
then advance to another file whose path
(including the file name) is longer than
MAX_PATH.

Change-Id: Ideadd9451359bd5735bce92fca5d983e61f300e9
This commit is contained in:
Christian Soffke 2022-04-15 17:53:36 +02:00 committed by Solomon Peachy
parent 1c66e97522
commit e71a441762
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
apps/plugins/imageviewer/imageviewer.c
View file

@ -195,7 +195,11 @@ static int change_filename(int direct)
return PLUGIN_ERROR;
}
rb->strcpy(rb->strrchr(np_file, '/')+1, file_pt[curfile]);
size_t np_file_length = rb->strlen(np_file);
size_t np_file_name_length = rb->strlen(rb->strrchr(np_file, '/')+1);
size_t avail_length = sizeof(np_file) - (np_file_length - np_file_name_length);
rb->snprintf(rb->strrchr(np_file, '/')+1, avail_length, "%s", file_pt[curfile]);
return PLUGIN_OTHER;
}