Package: apngopt Version: 1.2-2 apngopt crashes with stack buffer overflow when calling with command line argument longer than 247 bytes.
Steps to replicate: ``` wget http://deb.debian.org/debian/pool/main/a/apngopt/apngopt_1.2.orig.tar.gz tar -xf apngopt_1.2.orig.tar.gz cd apngopt-1.2.orig make ./apngopt `python -c "print('a'*256)"` ``` Output: ``` APNG Optimizer 1.2 *** buffer overflow detected ***: ./apngopt terminated [1] 5965 abort ./apngopt `python -c "print('a'*256)"` ``` Bug is caused by copying command line argument into a 256-byte buffer using strcpy on line 2372: ``` 2363 szIn = argv[1]; 2364 2365 if (argc > 2) 2366 { 2367 strncpy(szOut, argv[2], 255); 2368 szOut[255] = '\0'; 2369 } 2370 else 2371 { 2372 strcpy(szOut, szIn); 2373 if ((szExt = strrchr(szOut, '.')) != NULL) *szExt = 0; 2374 strcat(szOut, ".opt.png"); 2375 } ``` Suggested fix: use strncpy or verify szIn length before copying. Proposed patch: ``` 2372c2372 < strcpy(szOut, szIn); --- > strncpy(szOut, szIn, 247); ``` Best regards, -- David Petek

