jp3d/jpwl convert: fix write stack buffer overflow
authorHugo Lefeuvre <hle@debian.org>
Mon, 22 Oct 2018 14:59:41 +0000 (16:59 +0200)
committerHugo Lefeuvre <hle@debian.org>
Thu, 1 Nov 2018 08:05:26 +0000 (09:05 +0100)
A missing field-width limit in the fscanf format string might lead to a
stack buffer overflow on write.

fixes #1044 (CVE-2017-17480)

src/bin/jp3d/convert.c
src/bin/jpwl/convert.c

index 23fd70b04365ea0d2628b2e17b10b5e7f4fcf50b..acad8f82a84fc4f64d2beef67a4ddb9c8122ed29 100644 (file)
@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
         fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
 
         fseek(f, 0, SEEK_SET);
-        fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
-               signtmp, &prec, temp, &w, temp, &h);
+        fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+               &endian2, signtmp, &prec, temp, &w, temp, &h);
 
         i = 0;
         sign = '+';
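Review bot: The return value of `fscanf()` is still discarded in `pgxtovolume`, so a truncated or malformed PGX header can leave `endian1`, `endian2`, `signtmp`, `prec`, `w` and `h` partly unassigned while the code that follows (`i = 0; sign = '+';` onward) goes on to use them. The jpwl copy of this call, in the second hunk, already rejects anything but nine conversions; the same guard belongs here, `if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {`, followed by closing `f` and taking this loop's failure path. The cleanup needed on that path depends on code outside the hunk, and `w`, `h` and `prec` presumably still need a range check before they size anything, which is also not visible here.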
index f3bb670b0a14c230d721862bc447dbf29179ac06..73c1be72988d6a11e2825d8a45ad4186a1b859e4 100644 (file)
@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
     }
 
     fseek(f, 0, SEEK_SET);
-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
         fprintf(stderr,
                 "ERROR: Failed to read the right number of element from the fscanf() function!\n");
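Review bot: The literal width `31` in the format string is only correct while `temp` and `signtmp` hold at least 32 bytes, and their declarations sit outside this hunk, so nothing on these lines ties the two together; the same applies to the `pgxtovolume` call in the first hunk. A comment above each call would keep a later resize from silently reintroducing the overflow, for example `/* %31[...] must stay at sizeof(temp) - 1 and sizeof(signtmp) - 1 */`. If the buffers turn out to be smaller than 32 bytes in either file, the width needs lowering rather than documenting.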