Blob Blame Raw
The following issue has been found by Coverity static analysis tool.

Error: STRING_OVERFLOW (CWE-120): [#def53]
gd-2.0.35/annotate.c:42: cond_false: Condition "argc != 3", taking false branch
gd-2.0.35/annotate.c:60: if_end: End of if statement
gd-2.0.35/annotate.c:64: cond_false: Condition "!in", taking false branch
gd-2.0.35/annotate.c:68: if_end: End of if statement
gd-2.0.35/annotate.c:75: cond_false: Condition "!im", taking false branch
gd-2.0.35/annotate.c:79: if_end: End of if statement
gd-2.0.35/annotate.c:80: cond_true: Condition "fgets(s, 1024 /* sizeof (s) */, stdin)", taking true branch
gd-2.0.35/annotate.c:85: cond_false: Condition "!st", taking false branch
gd-2.0.35/annotate.c:89: if_end: End of if statement
gd-2.0.35/annotate.c:90: cond_true: Condition "!__coverity_strcmp(st, "font")", taking true branch
gd-2.0.35/annotate.c:93: cond_false: Condition "!st", taking false branch
gd-2.0.35/annotate.c:96: if_end: End of if statement
gd-2.0.35/annotate.c:97: fixed_size_dest: You might overrun the 1024 byte fixed-size string "font" by copying "st" without checking the length.

diff -up gd-2.0.35/annotate.c.sa3 gd-2.0.35/annotate.c
--- gd-2.0.35/annotate.c.sa3	2012-12-05 17:26:21.157729019 +0100
+++ gd-2.0.35/annotate.c	2012-12-05 17:27:31.762762209 +0100
@@ -94,6 +94,10 @@ main (int argc, char *argv[])
 	    {
 	      goto badLine;
 	    }
+	  if (strlen(st) >= sizeof(font) - 1)
+	    {
+	      goto badLine;
+	    }
 	  strcpy (font, st);
 	}
       else if (!strcmp (st, "align"))