diff options
| author | Kurt Schwehr <schwehr@google.com> | 2018-05-29 22:33:36 -0700 |
|---|---|---|
| committer | Kurt Schwehr <schwehr@google.com> | 2018-05-29 22:33:36 -0700 |
| commit | fb92dea72cea64e32743dffdcc3a382e64153935 (patch) | |
| tree | 631914f75b70cd5b59aea3a3f812988a9e2e32c7 /src | |
| parent | e692e1567fb6117bd3e1380a80e10b72b7af3710 (diff) | |
| download | PROJ-fb92dea72cea64e32743dffdcc3a382e64153935.tar.gz PROJ-fb92dea72cea64e32743dffdcc3a382e64153935.zip | |
Ensure that operations are less than MAX_OPERATION long.
Buffer overflow found with autofuzz.
Diffstat (limited to 'src')
| -rw-r--r-- | src/gie.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -170,8 +170,10 @@ static const char *err_const_from_errno (int err); #define SKIP -1 +#define MAX_OPERATION 10000 + typedef struct { - char operation[10000]; + char operation[MAX_OPERATION+1]; PJ *P; PJ_COORD a, b, c, e; PJ_DIRECTION dir; @@ -552,7 +554,8 @@ either a conversion or a transformation) T.operation_lineno = F->lineno; - strcpy (&(T.operation[0]), F->args); + strncpy (&(T.operation[0]), F->args, MAX_OPERATION); + T.operation[MAX_OPERATION] = '\0'; if (T.verbosity > 1) { finish_previous_operation (F->args); |