Package: apngopt
Version: 1.2-2

apngopt crashes with stack buffer overflow when calling with command line
argument longer than 247 bytes.

Steps to replicate:
```
wget
http://deb.debian.org/debian/pool/main/a/apngopt/apngopt_1.2.orig.tar.gz
tar -xf apngopt_1.2.orig.tar.gz
cd apngopt-1.2.orig
make
./apngopt `python -c "print('a'*256)"`
```

Output:
```
APNG Optimizer 1.2

*** buffer overflow detected ***: ./apngopt terminated
[1]    5965 abort      ./apngopt `python -c "print('a'*256)"`
```

Bug is caused by copying command line argument into a 256-byte buffer using
strcpy on line 2372:
```
2363  szIn = argv[1];
2364
2365  if (argc > 2)
2366  {
2367    strncpy(szOut, argv[2], 255);
2368    szOut[255] = '\0';
2369  }
2370  else
2371  {
2372    strcpy(szOut, szIn);
2373    if ((szExt = strrchr(szOut, '.')) != NULL) *szExt = 0;
2374    strcat(szOut, ".opt.png");
2375  }
```

Suggested fix: use strncpy or verify szIn length before copying.

Proposed patch:
```
2372c2372
<     strcpy(szOut, szIn);
---
>     strncpy(szOut, szIn, 247);
```

Best regards,

-- 
David Petek

Reply via email to