shithub: jbig2


ref: b7ea9085507dcf31450067a869dc8788be00f8b8
parent: 52ea8006584ab93212a0026553ade66c1186ae78
author: Sebastian Rasmussen <[email protected]>
date: Sun Sep 29 12:26:53 EDT 2019

jbig2dec: Avoid passing NULL buffer to snprintf().

--- a/jbig2dec.c
+++ b/jbig2dec.c
@@ -376,7 +376,6 @@
 {
     jbig2dec_error_callback_state_t *state = (jbig2dec_error_callback_state_t *) error_callback_data;
     char *type;
-    char segment[22];
     int len;
     char *message;
 
@@ -403,27 +402,25 @@
         type = "unknown message";
         break;
     }
-    if (seg_idx == -1)
-        segment[0] = '\0';
-    else
-        snprintf(segment, sizeof(segment), "(segment 0x%02x)", seg_idx);
 
-    len = snprintf(NULL, 0, "jbig2dec %s %s %s", type, buf, segment);
-    if (len < 0) {
-        return;
-    }
+    /* Worst case length using format "jbig2dec %s %s (segment 0x%02x)".
+    strlen("jbig2dec ") +
+    strlen(type) + strlen(" ") +
+    strlen(buf) + strlen(" ") +
+    strlen("(segment 0x") + strlen("2147483648") + strlen(")") +
+    1 for trailing NUL. The constant parts amount to 45 bytes. */
+    len = 45;
+    len += strlen(type);
+    len += strlen(buf);
 
     message = malloc(len + 1);
     if (message == NULL) {
         return;
     }
-
-    len = snprintf(message, len + 1, "jbig2dec %s %s %s", type, buf, segment);
-    if (len < 0)
-    {
-        free(message);
-        return;
-    }
+    if (seg_idx == -1)
+        snprintf(message, len + 1, "jbig2dec %s %s", type, buf);
+    else
+        snprintf(message, len + 1, "jbig2dec %s %s (segment 0x%02x)", type, buf, seg_idx);
 
     if (state->last_message != NULL && strcmp(message, state->last_message)) {
         if (state->repeats > 1)
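Review bot: The allocation size is now computed by hand and both new snprintf() calls discard their return value, so nothing ties the buffer to the format strings; if either format is later extended, the message is silently truncated rather than rejected. I would capture the result in an `int n` and keep a check such as `if (n < 0 || n > len) { free(message); return; }` after each call. `len` is also still an `int` accumulating two strlen() results, which could overflow for a very long `buf` (probably bounded by the caller, but that is not visible here); a `size_t` with the same arithmetic avoids the question. The literals listed in the comment add up to 34 bytes, not 45, so the constant is safe but the comment should say it is a deliberate over-estimate. The function starts before and continues after this hunk.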