Under several circumstances, overly large filenames (or overly long command line arguments) cause buffer overflows due to the lack of bounds checking in the original xv source code. This patch is a first pass attempt at fixing that. Signed-off-by: Gabriel Somlo diff -NarU5 a/xv.c b/xv.c --- a/xv.c 2013-03-28 12:59:56.364082302 -0400 +++ b/xv.c 2013-03-28 13:22:10.312576922 -0400 @@ -62,11 +62,11 @@ static double vexpand = 1.0; /* '-expand' argument */ static const char *maingeom = NULL; static const char *icongeom = NULL; static Atom __SWM_VROOT = None; -static char basefname[128]; /* just the current fname, no path */ +static char basefname[NAME_MAX+1]; /* just the current fname, no path */ #ifdef TV_L10N # ifndef TV_FONTSET # define TV_FONTSET "-*-fixed-medium-r-normal--%d-*" # endif @@ -2167,15 +2167,17 @@ else if (filenum == PADDED) { /* need fullfname (used for window/icon name), basefname(compute from fullfname) */ i = LoadPad(&pinfo, fullfname); + if (!i) goto FAILED; /* shouldn't happen */ + fullname = fullfname; strcpy(filename, fullfname); + if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED; strcpy(basefname, BaseName(fullfname)); - if (!i) goto FAILED; /* shouldn't happen */ if (killpage) { /* kill old page files, if any */ KillPageFiles(pageBaseName, numPages); pageBaseName[0] = '\0'; numPages = 1; @@ -2236,10 +2238,11 @@ #else else fullname = namelist[filenum]; #endif strcpy(fullfname, fullname); + if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED; strcpy(basefname, BaseName(fullname)); /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */ if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0) @@ -3998,11 +4001,11 @@ /***********************************/ static void setWinIconNames(name) const char *name; { - char winname[256], iconname[256]; + char winname[NAME_MAX+sizeof("xv : ")+sizeof(VERSTR)+sizeof(" ")+1], iconname[NAME_MAX+1]; if (winTitle) { strcpy(winname, winTitle); strcpy(iconname, winTitle); } diff -NarU5 a/xvtext.c b/xvtext.c --- a/xvtext.c 2013-03-28 12:59:56.400084367 -0400 +++ b/xvtext.c 2013-03-28 13:02:26.056666623 -0400 @@ -51,11 +51,11 @@ # define TV_MSCODE 7 # define TV_J_NBUTTS 8 #endif -#define TITLELEN 128 +#define TITLELEN (NAME_MAX+sizeof("File: ''")+1) #ifdef TV_MULTILINGUAL struct coding_spec { struct coding_system coding_system; char *(*converter)PARM((char *, int, int *));