From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 19 Jul 2025 16:07:21 -0400
Subject: CVE-2025-55298 prepare
more boundary checks
(cherry picked from commit 6c7c8d5866b9c0ce6cc76a741e05b9482716101e)
origin: https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e
---
MagickCore/image.c | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/MagickCore/image.c b/MagickCore/image.c
index 53bc2fb..0e94f78 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1662,6 +1662,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
/*
Start with a copy of the format string.
*/
+ assert(format != (const char *) NULL);
+ assert(filename != (char *) NULL);
(void) CopyMagickString(filename,format,MagickPathExtent);
if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
return(strlen(filename));
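Review bot: the new assert() calls on format and filename only fire when the build does not define NDEBUG, so in a release build a NULL argument still reaches CopyMagickString(filename,format,MagickPathExtent). If NULL can arrive from a caller, an explicit check that returns 0 is needed; if this is purely a contract check, place the asserts above the "Start with a copy of the format string" comment, which now reads as if it describes them.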
@@ -1685,7 +1687,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
/*
Skip padding digits like %03d.
*/
- if (*cursor == '0')
+ if (isdigit((int) ((unsigned char) *cursor)) != 0)
(void) strtol(cursor,(char **) &cursor,10);
switch (*cursor)
{
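Review bot: the comment above the changed condition still says "Skip padding digits like %03d", but the isdigit() test now also skips widths with no leading zero, so the comment should be updated to match. The strtol() result is discarded and never range-checked, so the width is unbounded at this point; either reject an oversized width here or add a comment stating that the later count check is what bounds the formatted output.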
@@ -1697,9 +1699,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
count;
count=FormatLocaleString(pattern,sizeof(pattern),q,value);
- if ((count <= 0) || (count >= MagickPathExtent))
- return(0);
- if ((offset+count) >= MagickPathExtent)
+ if ((count <= 0) || (count >= MagickPathExtent) ||
+ ((offset+count) >= MagickPathExtent))
return(0);
(void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
offset));
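Review bot: in the merged condition, the truncation test compares count against MagickPathExtent while the size passed to FormatLocaleString is sizeof(pattern). Using sizeof(pattern) in the count test would keep the check tied to the buffer actually being written, so it cannot drift if the two sizes ever differ. The merged condition is otherwise equivalent to the two checks it replaces.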
@@ -1713,7 +1714,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
*option = (const char *) NULL;
size_t
- extent = (size_t) (end-cursor);
+ extent = (size_t) (end-cursor-1),
+ option_length,
+ tail_length;
/*
Handle %[key:value];
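Review bot: the initializer extent = (size_t) (end-cursor-1) runs at declaration, before any validation of end in the statements that follow. If end is NULL or not past cursor, the subtraction is invalid or wraps to a very large size_t that is only caught indirectly by the later sizeof(pattern) comparison. Declaring extent uninitialized and assigning it after end has been checked would make the bound explicit.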
@@ -1722,21 +1725,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
break;
if (extent >= sizeof(pattern))
break;
- (void) CopyMagickString(pattern,cursor,extent);
+ (void) CopyMagickString(pattern,cursor+1,extent+1);
pattern[extent]='\0';
if (image != (Image *) NULL)
- option=GetImageProperty(image,pattern,exception);
- if ((option == (const char *) NULL) && (image != (Image *)NULL))
- option=GetImageArtifact(image,pattern);
- if ((option == (const char *) NULL) &&
+ {
+ option=GetImageProperty(image,pattern,exception);
+ if (option == (const char *) NULL)
+ option=GetImageArtifact(image,pattern);
+ }
+ if ((option == (const char *) NULL) &&
(image_info != (ImageInfo *) NULL))
option=GetImageOption(image_info,pattern);
if (option == (const char *) NULL)
break;
+ option_length=strlen(option);
+ tail_length=strlen(end+1);
+ if ((offset+option_length+tail_length+1) > MagickPathExtent)
+ return(0);
(void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
offset));
- (void) ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t)
- (MagickPathExtent-offset-strlen(option)-strlen(end)-1));
+ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+ MagickPathExtent-offset-option_length-tail_length-1));
cursor=end+1;
break;
}
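Review bot: the length passed to ConcatenateMagickString still subtracts tail_length and 1 from the space left after p+offset+option_length. If that argument is the destination size, as it is for the CopyMagickString call just above, the limit shrinks as the tail grows and a tail that the new pre-check has already accepted can be truncated; MagickPathExtent-offset-option_length looks like the intended value. Separately, the new overflow path uses return(0) where the neighbouring failure cases use break, so the handling of a partially rewritten filename differs between them and deserves a comment.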
@@ -1750,7 +1759,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
Replace "%%" with "%".
*/
if ((*p == '%') && (*(p+1) == '%'))
- (void) memmove(p,p+1,strlen(p)); /* shift left */
+ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
else
p++;
}
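Review bot: in the if branch p is not advanced after the memmove, so the '%' that was kept is compared again with the character that follows it, and a run such as "%%%%" collapses to a single '%' instead of "%%". If that is not intended, add p++ after the shift. On the changed line itself, strlen(p+1)+1 equals the old strlen(p) whenever *p is non-NUL, which the *p == '%' test guarantees, so this is a readability change and the comment could say that the +1 carries the terminator.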