From: cristy <urban-warrior@git.imagemagick.org>
Date: Sat, 17 May 2014 11:53:50 +0000 (+0000)
Subject: (no commit message)
X-Git-Tag: 7.0.1-0~2335
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2867b87b5c4f5d1ef966355436a1c149723dd6f5;p=imagemagick

---

diff --git a/MagickCore/property.c b/MagickCore/property.c
index 9868e822c..284ae1a39 100644
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -3284,9 +3284,8 @@ MagickExport char *InterpretImageProperties(ImageInfo *image_info,
           default:
             p++;
             *q++=(*p);
-            continue;
         }
-        continue; /* never reached! */
+        continue;
       case '&':
         if (LocaleNCompare("&lt;",p,4) == 0)
           *q++='<', p+=3;
diff --git a/MagickCore/utility.c b/MagickCore/utility.c
index 9faa024ed..78aa53c34 100644
--- a/MagickCore/utility.c
+++ b/MagickCore/utility.c
@@ -1916,12 +1916,37 @@ MagickPrivate MagickBooleanType ShredFile(const char *path)
 %    o exception: return any errors here.
 %
 */
+
+static char *SanitizeSystemCommand(const char *command)
+{
+  char
+    *sanitize_command;
+
+  const char
+    *q;
+
+  register char
+    *p;
+
+  static char
+    whitelist[] = 
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-"
+      ".@&;<>|\\\'\":%";
+
+  sanitize_command=AcquireString(command);
+  p=sanitize_command;
+  q=sanitize_command+strlen(sanitize_command);
+  for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
+    *p='_';
+  return(sanitize_command);
+}
+
 MagickExport int SystemCommand(const MagickBooleanType asynchronous,
   const MagickBooleanType verbose,const char *command,ExceptionInfo *exception)
 {
   char
     **arguments,
-    *shell_command;
+    *sanitize_command;
 
   int
     number_arguments,
@@ -1964,19 +1989,16 @@ MagickExport int SystemCommand(const MagickBooleanType asynchronous,
       (void) FormatLocaleFile(stderr,"%s\n",command);
       (void) fflush(stderr);
     }
-  shell_command=(char *) command;
+  sanitize_command=SanitizeSystemCommand(command);
   if (asynchronous != MagickFalse)
-    {
-      shell_command=AcquireString(command);
-      (void) ConcatenateMagickString(shell_command,"&",MaxTextExtent);
-    }
+    (void) ConcatenateMagickString(sanitize_command,"&",MaxTextExtent);
 #if defined(MAGICKCORE_POSIX_SUPPORT)
 #if !defined(MAGICKCORE_HAVE_EXECVP)
-  status=system(shell_command);
+  status=system(sanitize_command);
 #else
   if ((asynchronous != MagickFalse) ||
-      (strpbrk(shell_command,"&;<>|") != (char *) NULL))
-    status=system(shell_command);
+      (strpbrk(sanitize_command,"&;<>|") != (char *) NULL))
+    status=system(sanitize_command);
   else
     {
       pid_t
@@ -1987,7 +2009,7 @@ MagickExport int SystemCommand(const MagickBooleanType asynchronous,
       */
       child_pid=(pid_t) fork();
       if (child_pid == (pid_t) -1)
-        status=system(command);
+        status=system(sanitize_command);
       else
         if (child_pid == 0)
           {
@@ -2018,19 +2040,18 @@ MagickExport int SystemCommand(const MagickBooleanType asynchronous,
     }
 #endif
 #elif defined(MAGICKCORE_WINDOWS_SUPPORT)
-  status=NTSystemCommand(shell_command);
+  status=NTSystemCommand(sanitize_command);
 #elif defined(macintosh)
-  status=MACSystemCommand(shell_command);
+  status=MACSystemCommand(sanitize_command);
 #elif defined(vms)
-  status=system(shell_command);
+  status=system(sanitize_command);
 #else
 #  error No suitable system() method.
 #endif
   if (status < 0)
     (void) ThrowMagickException(exception,GetMagickModule(),DelegateError,
       "FailedToExecuteCommand","`%s' (%d)",command,status);
-  if (shell_command != command)
-    shell_command=DestroyString(shell_command);
+  sanitize_command=DestroyString(sanitize_command);
   for (i=0; i < (ssize_t) number_arguments; i++)
     arguments[i]=DestroyString(arguments[i]);
   arguments=(char **) RelinquishMagickMemory(arguments);
diff --git a/coders/meta.c b/coders/meta.c
index f659ce180..7e5d51b3a 100644
--- a/coders/meta.c
+++ b/coders/meta.c
@@ -2011,6 +2011,8 @@ static int formatIPTCfromBuffer(Image *ofile, char *s, ssize_t len)
       }
     if (taglen < 0)
       return(-1);
+    if (taglen > 65535)
+      return(-1);
     /* make a buffer to hold the tag datand snag it from the input stream */
     str=(unsigned char *) AcquireQuantumMemory((size_t) (taglen+MaxTextExtent),
       sizeof(*str));
diff --git a/coders/pcd.c b/coders/pcd.c
index 0355e981a..a823c641b 100644
--- a/coders/pcd.c
+++ b/coders/pcd.c
@@ -552,6 +552,8 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception)
     ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   rotate=header[0x0e02] & 0x03;
   number_images=(header[10] << 8) | header[11];
+  if (number_images > 65535)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   header=(unsigned char *) RelinquishMagickMemory(header);
   /*
     Determine resolution by scene specification.