Signed-off-by: Cai Fan --- libavformat/img2enc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/img2enc.c b/libavformat/img2enc.c index 41638d92b8..a1eb0c688d 100644 --- a/libavformat/img2enc.c +++ b/libavformat/img2enc.c @@ -180,7 +180,12 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) } for (i = 0; i < 4; i++) { av_dict_copy(&options, img->protocol_opts, 0); - snprintf(img->temp[i], sizeof(img->tmp[i]), "%s.tmp", filename); + int len = snprintf(img->tmp[i], sizeof(img->tmp[i]), "%s.tmp", filename); + if (len < 0 || len >= sizeof(img->tmp[i])) { + av_log(s, AV_LOG_ERROR, "filename '%s' exceeds buffer size %zu\n", filename, sizeof(img->tmp[i])); + ret = AVERROR(EINVAL); + goto fail; + } av_strlcpy(img->target[i], filename, sizeof(img->target[i])); if (s->io_open(s, &pb[i], img->use_rename ? img->tmp[i] : filename, AVIO_FLAG_WRITE, &options) < 0) { av_log(s, AV_LOG_ERROR, "Could not open file : %s\n", img->use_rename ? img->tmp[i] : filename); -- > On Jul 31, 2025, at 10:13, Cai Fan wrote: > > Signed-off-by: Cai Fan > --- > libavformat/img2enc.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavformat/img2enc.c b/libavformat/img2enc.c > index 41638d92b8..a1eb0c688d 100644 > --- a/libavformat/img2enc.c > +++ b/libavformat/img2enc.c > @@ -180,7 +180,12 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) > } > for (i = 0; i < 4; i++) { > av_dict_copy(&options, img->protocol_opts, 0); > - snprintf(img->tmp[i], sizeof(img->tmp[i]), "%s.tmp", filename); > + int len = snprintf(img->tmp[i], sizeof(img->tmp[i]), "%s.tmp", filename); > + if (len < 0 || len >= sizeof(img->tmp[i])) { > + av_log(s, AV_LOG_ERROR, "Filename too long: %s\n", filename); ˇ°filename exceeds buffer size %zu\nˇ±. > + ret = AVERROR(EINVAL); > + goto fail; > + } > av_strlcpy(img->target[i], filename, sizeof(img->target[i])); > if (s->io_open(s, &pb[i], img->use_rename ? img->tmp[i] : filename, AVIO_FLAG_WRITE, &options) < 0) { > av_log(s, AV_LOG_ERROR, "Could not open file : %s\n", img->use_rename ? img->tmp[i] : filename); > -- > 2.34.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".