From 728334b013c459438d2f92b78931a7c3b6a715c3 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 23 Jul 2021 20:25:19 +0200
Subject: feh_draw_exif: Fix out of bounds array access when handling long
 lines

---
 src/imlib.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'src/imlib.c')

diff --git a/src/imlib.c b/src/imlib.c
index 140e487..5970bd2 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -1178,7 +1178,7 @@ void feh_draw_exif(winwidget w)
 		{
 			/* max 128 lines */
 			pos2 = 0;
-			while ( pos2 < 256 ) /* max 256 chars per line */
+			while ( pos2 < 255 ) /* max 255 chars + 1 null byte per line */
 			{
 				if ( (buffer[pos] != '\n')
 				      && (buffer[pos] != '\0') )
@@ -1188,19 +1188,18 @@ void feh_draw_exif(winwidget w)
 				else if ( buffer[pos] == '\0' )
 				{
 					pos = EXIF_MAX_DATA; /* all data seen */
-					info_line[pos2] = '\0';
 					break;
 				}
 				else
 				{
-					info_line[pos2] = '\0'; /* line finished, continue with next line*/
-					pos++;
+					pos++; /* line finished, continue with next line*/
 					break;
 				}
 
 				pos++;
 				pos2++;
 			}
+			info_line[pos2] = '\0';
 
 			gib_imlib_get_text_size(fn, info_line, NULL, &line_width,
                               &line_height, IMLIB_TEXT_TO_RIGHT);
-- 
cgit v1.2.3