Coder path traversal is not authorized, bug report provided by Masaak…

…i Chida
ImageMagick · Jun 2, 2016 · fc6080f · fc6080f
1 parent 96b300c
commit fc6080f
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+2016-06-02  6.9.4-7 Cristy  <quetzlzacatenango@image...>
+  * Fix small memory leak (patch provided by Андрей Черный).
+  * Coder path traversal is not authorized (bug report provided by
+    Masaaki Chida).
+
 2016-05-31  6.9.4-6 Cristy  <quetzlzacatenango@image...>
   * Release ImageMagick version 6.9.4-6, GIT revision 18334:97775b5:20160531.
 

diff --git a/magick/module.c b/magick/module.c
@@ -547,6 +547,15 @@ static MagickBooleanType GetMagickModulePath(const char *filename,
   assert(path != (char *) NULL);
   assert(exception != (ExceptionInfo *) NULL);
   (void) CopyMagickString(path,filename,MaxTextExtent);
+#if defined(MAGICKCORE_INSTALLED_SUPPORT)
+  if (strstr(path,"../") != (char *) NULL)
+    {
+      errno=EPERM;
+      (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+        "NotAuthorized","`%s'",path);
+      return(MagickFalse);
+    }
+#endif
   module_path=(char *) NULL;
   switch (module_type)
   {

diff --git a/magick/xml-tree.c b/magick/xml-tree.c
@@ -2140,7 +2140,10 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception)
                 if ((ignore_depth == 0) && (IsSkipTag(tag) == MagickFalse))
                   ParseOpenTag(root,tag,attributes);
                 else
-                  ignore_depth++;
+                  {
+                    ignore_depth++;
+                    (void) DestroyXMLTreeAttributes(attributes);
+                  }
                 *p=c;
               }
             else