2013.09.20 16:24 "Re: [Tiff] Vulnerabilities in libtiff 4.0.3", by Bob Friesenhahn
Use of sprintf to write into a 2048 character buffer. The input is the filename, which might be over 2048 if crafted by a malicious user. However I could not determine this as the code is not easy to navigate.
This appears to be resolved already in CVS since the code now uses snprintf() instead of sprintf():
snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
Please be aware that snprintf is not assured to null-terminate the destination string. Is this being handled by subsequent statements or is the problem only changed?
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/