Skip to content

Commit c70a18c

Browse files
author
Cristy
committed
move boundary checks
1 parent 29e72ed commit c70a18c

File tree

1 file changed

+21
-12
lines changed

1 file changed

+21
-12
lines changed

magick/image.c

Lines changed: 21 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1674,6 +1674,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
16741674
/*
16751675
Start with a copy of the format string.
16761676
*/
1677+
assert(format != (const char *) NULL);
1678+
assert(filename != (char *) NULL);
16771679
(void) CopyMagickString(filename,format,MagickPathExtent);
16781680
if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
16791681
return(strlen(filename));
@@ -1697,7 +1699,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
16971699
/*
16981700
Skip padding digits like %03d.
16991701
*/
1700-
if (*cursor == '0')
1702+
if (isdigit((int) ((unsigned char) *cursor)) != 0)
17011703
(void) strtol(cursor,(char **) &cursor,10);
17021704
switch (*cursor)
17031705
{
@@ -1709,9 +1711,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
17091711
count;
17101712

17111713
count=FormatLocaleString(pattern,sizeof(pattern),q,value);
1712-
if ((count <= 0) || (count >= MagickPathExtent))
1713-
return(0);
1714-
if ((offset+count) >= MagickPathExtent)
1714+
if ((count <= 0) || (count >= MagickPathExtent) ||
1715+
((offset+count) >= MagickPathExtent))
17151716
return(0);
17161717
(void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
17171718
offset));
@@ -1725,7 +1726,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
17251726
*option = (const char *) NULL;
17261727

17271728
size_t
1728-
extent = (size_t) (end-cursor);
1729+
extent = (size_t) (end-cursor-1),
1730+
option_length,
1731+
tail_length;
17291732

17301733
/*
17311734
Handle %[key:value];
@@ -1734,21 +1737,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
17341737
break;
17351738
if (extent >= sizeof(pattern))
17361739
break;
1737-
(void) CopyMagickString(pattern,cursor,extent);
1740+
(void) CopyMagickString(pattern,cursor+1,extent+1);
17381741
pattern[extent]='\0';
17391742
if (image != (Image *) NULL)
1740-
option=GetImageProperty(image,pattern);
1741-
if ((option == (const char *) NULL) && (image != (Image *)NULL))
1742-
option=GetImageArtifact(image,pattern);
1743+
{
1744+
option=GetImageProperty(image,pattern);
1745+
if (option == (const char *) NULL)
1746+
option=GetImageArtifact(image,pattern);
1747+
}
17431748
if ((option == (const char *) NULL) &&
17441749
(image_info != (ImageInfo *) NULL))
17451750
option=GetImageOption(image_info,pattern);
17461751
if (option == (const char *) NULL)
17471752
break;
1753+
option_length=strlen(option);
1754+
tail_length=strlen(end+1);
1755+
if ((offset+option_length+tail_length+1) > MagickPathExtent)
1756+
return(0);
17481757
(void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
17491758
offset));
1750-
(void) ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t)
1751-
(MagickPathExtent-offset-strlen(option)-strlen(end)-1));
1759+
(void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
1760+
MagickPathExtent-offset-option_length-tail_length-1));
17521761
cursor=end+1;
17531762
break;
17541763
}
@@ -1762,7 +1771,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
17621771
Replace "%%" with "%".
17631772
*/
17641773
if ((*p == '%') && (*(p+1) == '%'))
1765-
(void) memmove(p,p+1,strlen(p)); /* shift left */
1774+
(void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
17661775
else
17671776
p++;
17681777
}

0 commit comments

Comments
 (0)