From fc6080f1321fd21e86ef916195cc110b05d9effb Mon Sep 17 00:00:00 2001 From: Cristy Date: Thu, 2 Jun 2016 13:44:20 -0400 Subject: [PATCH] Coder path traversal is not authorized, bug report provided by Masaaki Chida --- ChangeLog | 5 +++++ magick/module.c | 9 +++++++++ magick/xml-tree.c | 5 ++++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 16b58533887..0a6aefdf345 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2016-06-02 6.9.4-7 Cristy + * Fix small memory leak (patch provided by Андрей Черный). + * Coder path traversal is not authorized (bug report provided by + Masaaki Chida). + 2016-05-31 6.9.4-6 Cristy * Release ImageMagick version 6.9.4-6, GIT revision 18334:97775b5:20160531. diff --git a/magick/module.c b/magick/module.c index f8878b63526..a00b76d6401 100644 --- a/magick/module.c +++ b/magick/module.c @@ -547,6 +547,15 @@ static MagickBooleanType GetMagickModulePath(const char *filename, assert(path != (char *) NULL); assert(exception != (ExceptionInfo *) NULL); (void) CopyMagickString(path,filename,MaxTextExtent); +#if defined(MAGICKCORE_INSTALLED_SUPPORT) + if (strstr(path,"../") != (char *) NULL) + { + errno=EPERM; + (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, + "NotAuthorized","`%s'",path); + return(MagickFalse); + } +#endif module_path=(char *) NULL; switch (module_type) { diff --git a/magick/xml-tree.c b/magick/xml-tree.c index 3edca5db735..efe48065ed5 100644 --- a/magick/xml-tree.c +++ b/magick/xml-tree.c @@ -2140,7 +2140,10 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception) if ((ignore_depth == 0) && (IsSkipTag(tag) == MagickFalse)) ParseOpenTag(root,tag,attributes); else - ignore_depth++; + { + ignore_depth++; + (void) DestroyXMLTreeAttributes(attributes); + } *p=c; } else