From 33dc06b61c0816854193f006c35a9e797f098a22 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Tue, 13 Mar 2012 19:38:56 +0000
Subject: Bug 692882 - fix buffer overflow.

Long doctitles (filenames in this case) can cause a buffer overflow. Fix here. Thanks to Hin-Tak and Pavel Zhukov.
---
 apps/pdfapp.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'apps')

diff --git a/apps/pdfapp.c b/apps/pdfapp.c
index 0afd5d15..acad7c9f 100644
--- a/apps/pdfapp.c
+++ b/apps/pdfapp.c
@@ -256,9 +256,11 @@ static void pdfapp_loadpage(pdfapp_t *app)
 	}
 }
 
+#define MAX_TITLE 256
+
 static void pdfapp_showpage(pdfapp_t *app, int loadpage, int drawpage, int repaint)
 {
-	char buf[256];
+	char buf[MAX_TITLE];
 	fz_device *idev;
 	fz_device *tdev;
 	fz_colorspace *colorspace;
@@ -285,8 +287,20 @@ static void pdfapp_showpage(pdfapp_t *app, int loadpage, int drawpage, int repai
 
 	if (drawpage)
 	{
-		sprintf(buf, "%s - %d/%d (%d dpi)", app->doctitle,
+		char buf2[64];
+		int len;
+
+		sprintf(buf2, " - %d/%d (%d dpi)",
 			app->pageno, app->pagecount, app->resolution);
+		len = MAX_TITLE-strlen(buf2);
+		if (strlen(app->doctitle) > len)
+		{
+			snprintf(buf, len-3, "%s", app->doctitle);
+			strcat(buf, "...");
+			strcat(buf, buf2);
+		}
+		else
+			sprintf(buf, "%s%s", app->doctitle, buf2);
 		wintitle(app, buf);
 
 		ctm = pdfapp_viewctm(app);
-- 
cgit v1.2.3
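Review bot: The else branch in the second hunk still overflows buf by one byte when strlen(app->doctitle) is exactly len, because len = MAX_TITLE-strlen(buf2) leaves no room for the terminating NUL and sprintf(buf, "%s%s", ...) then writes MAX_TITLE characters plus the terminator into a MAX_TITLE-byte array. Changing the comparison to `if (strlen(app->doctitle) >= len)` routes that case through the truncating branch, whose output (len-4 characters from snprintf, "...", buf2, NUL) fits in exactly MAX_TITLE bytes. len should also be declared `size_t len;` rather than int so the comparison with strlen() and the `len-3` size argument do not mix signed and unsigned arithmetic, and `sprintf(buf2, " - %d/%d (%d dpi)",` would be safer as `snprintf(buf2, sizeof buf2, " - %d/%d (%d dpi)",` even though the fixed format appears to fit in 64 bytes today. pdfapp_showpage begins in the first hunk and continues past the end of this one.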