From 8a5732fcb30b8afc4d3c23144acf2b502bb80122 Mon Sep 17 00:00:00 2001
From: Alberto Barbaro
Date: Tue, 5 Jul 2022 08:04:26 +0100
Subject: [PATCH] tools: Fix a buffer overflow involving a file name in pngfix

Reported-by: Guoxiang Niu (@niugx), EaglEye Team
Reported-by: Riccardo Mori
Reviewed-by: John Bowler
Signed-off-by: Cosmin Truta
---
 contrib/tools/pngfix.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c
index 9afe09831..54a467daf 100644
--- a/contrib/tools/pngfix.c
+++ b/contrib/tools/pngfix.c
@@ -3961,6 +3961,14 @@ main(int argc, const char **argv)
 {
 size_t outlen = strlen(*argv);
 
+ if (outlen > FILENAME_MAX)
+ {
+ fprintf(stderr, "%s: output file name too long: %s%s%s\n",
+ prog, prefix, *argv, suffix ? suffix : "");
+ global.status_code |= WRITE_ERROR;
+ continue;
+ }
+
 if (outfile == NULL) /* else this takes precedence */
 {
 /* Consider the prefix/suffix options */
@@ -4046,4 +4054,3 @@ main(void)
 return 77;
 }
 #endif /* PNG_SETJMP_SUPPORTED */
-
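Review bot: The new `if (outlen > FILENAME_MAX)` guard repeats the destination buffer's bound as a bare constant, so nothing in the hunk ties the check to the array it protects; if the scratch name buffer is ever resized, the two silently diverge and the overflow returns. If that buffer is the local `temp_name[FILENAME_MAX+1]` (as I recall from pngfix.c, but it is outside this hunk), expressing the bound as `if (outlen >= sizeof temp_name)` keeps them coupled, or at minimum a comment such as `/* *argv is copied verbatim into the scratch name buffer below; reject it here before any memcpy so a later prefix/suffix addition cannot overrun */` should record why this exact limit is used. Note also that the check runs before the `outfile == NULL` test, so an explicitly specified output file is still rejected on the length of the input name with a message that calls it an output name; this is probably harmless in practice (such a name is unlikely to open anyway) but the message is misleading for that path. The enclosing main() begins and ends outside the hunk; the second hunk only removes a trailing blank line.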