ImageViewer: Fix buffer overflow

np_file is a buffer of size MAX_PATH. After
removing only the file name component and
leaving the rest of the path, the
available space may not be sufficient
for appending another file name (possibly of
size MAX_PATH itself) to it.

This can occur after a file of acceptable
length is opened in ImageViewer, and you
then advance to another file whose path
(including the file name) is longer than
MAX_PATH.

Change-Id: Ideadd9451359bd5735bce92fca5d983e61f300e9

1 files changed, 5 insertions, 1 deletions

diff --git a/apps/plugins/imageviewer/imageviewer.c b/apps/plugins/imageviewer/imageviewer.c
index 4dc7b0a07a..e30a98ef68 100644
--- a/apps/plugins/imageviewer/imageviewer.c
+++ b/apps/plugins/imageviewer/imageviewer.c
@@ -195,7 +195,11 @@ static int change_filename(int direct)
         return PLUGIN_ERROR;
     }
 
-    rb->strcpy(rb->strrchr(np_file, '/')+1, file_pt[curfile]);
+    size_t np_file_length = rb->strlen(np_file);
+    size_t np_file_name_length = rb->strlen(rb->strrchr(np_file, '/')+1);
+    size_t avail_length = sizeof(np_file) - (np_file_length - np_file_name_length);
+
+    rb->snprintf(rb->strrchr(np_file, '/')+1, avail_length, "%s", file_pt[curfile]);
 
     return PLUGIN_OTHER;
 }