OBS-URL: https://build.opensuse.org/package/show/graphics/ImageMagick?expand=0&rev=769
From 6c7c8d5866b9c0ce6cc76a741e05b9482716101e Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 19 Jul 2025 16:07:21 -0400
Subject: [PATCH] more boundary checks
---
MagickCore/image.c | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
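diff --git a/MagickCore/image.c b/MagickCore/image.c
index c19ac09f2b5..a1283ed5f19 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1660,6 +1660,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
 /*
 Start with a copy of the format string.
 */
+ assert(format != (const char *) NULL);
+ assert(filename != (char *) NULL);
 (void) CopyMagickString(filename,format,MagickPathExtent);
 if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
 return(strlen(filename));
@@ -1683,7 +1685,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
 /*
 Skip padding digits like %03d.
 */
- if (*cursor == '0')
+ if (isdigit((int) ((unsigned char) *cursor)) != 0)
 (void) strtol(cursor,(char **) &cursor,10);
 switch (*cursor)
 {
@@ -1695,9 +1697,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
 count;
 
 count=FormatLocaleString(pattern,sizeof(pattern),q,value);
- if ((count <= 0) || (count >= MagickPathExtent))
- return(0);
- if ((offset+count) >= MagickPathExtent)
+ if ((count <= 0) || (count >= MagickPathExtent) ||
+ ((offset+count) >= MagickPathExtent))
 return(0);
 (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
 offset));
@@ -1711,7 +1712,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
 *option = (const char *) NULL;
 
 size_t
- extent = (size_t) (end-cursor);
+ extent = (size_t) (end-cursor-1),
+ option_length,
+ tail_length;
 
 /*
 Handle %[key:value];
@@ -1720,21 +1723,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
 break;
 if (extent >= sizeof(pattern))
 break;
- (void) CopyMagickString(pattern,cursor,extent);
+ (void) CopyMagickString(pattern,cursor+1,extent+1);
 pattern[extent]='\0';
 if (image != (Image *) NULL)
- option=GetImageProperty(image,pattern,exception);
- if ((option == (const char *) NULL) && (image != (Image *)NULL))
- option=GetImageArtifact(image,pattern);
- if ((option == (const char *) NULL) &&
+ {
+ option=GetImageProperty(image,pattern,exception);
+ if (option == (const char *) NULL)
+ option=GetImageArtifact(image,pattern);
+ }
+ if ((option == (const char *) NULL) &&
 (image_info != (ImageInfo *) NULL))
 option=GetImageOption(image_info,pattern);
 if (option == (const char *) NULL)
 break;
+ option_length=strlen(option);
+ tail_length=strlen(end+1);
+ if ((offset+option_length+tail_length+1) > MagickPathExtent)
+ return(0);
 (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
 offset));
- (void) ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t)
- (MagickPathExtent-offset-strlen(option)-strlen(end)-1));
+ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+ MagickPathExtent-offset-option_length-tail_length-1));
 cursor=end+1;
 break;
 }
@@ -1748,7 +1757,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
 Replace "%%" with "%".
 */
 if ((*p == '%') && (*(p+1) == '%'))
- (void) memmove(p,p+1,strlen(p)); /* shift left */
+ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
 else
 p++;
 }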
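Review bot: In the `%[key:value]` hunk, the size passed to `ConcatenateMagickString` is still the slack left after the tail (`MagickPathExtent-offset-option_length-tail_length-1`), not the space left in the destination. Assuming the helper treats its third argument as the destination size, the way `CopyMagickString` is used just above, a tail longer than about half the remaining space is silently truncated, and when the new guard passes with equality the size is 0 and nothing is appended. Since the added check already rejects results that would not fit, the call can pass the real remaining capacity: `(void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (MagickPathExtent-offset-option_length));`. Separately, `extent = (size_t) (end-cursor-1)` is computed in the declaration, ahead of the `break;` that opens the next hunk. If that `break` is the NULL test on `end` (its declaration and the test are outside the visible hunks), the subtraction runs on a null pointer first and would be better moved after the test.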