File GraphicsMagick-1.3.15-debian-fixed.patch of Package GraphicsMagick

Index: GraphicsMagick-1.3.8/magick/delegate.c
===================================================================
--- GraphicsMagick-1.3.8.orig/magick/delegate.c
+++ GraphicsMagick-1.3.8/magick/delegate.c
@@ -531,7 +531,10 @@ MagickExport unsigned int InvokeDelegate
   char
     *command,
     **commands,
-    filename[MaxTextExtent];
+    linkedname[MaxTextExtent],
+    linkedinfoname[MaxTextExtent],
+    filename[MaxTextExtent],
+    safechars[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,-_+ /";
 
   const DelegateInfo
     *delegate_info;
@@ -551,6 +554,10 @@ MagickExport unsigned int InvokeDelegate
   assert(image != (Image *) NULL);
   assert(image->signature == MagickSignature);
   temporary_image_filename=(*image->filename == '\0');
+  linkedname[0]='\0';
+  linkedname[MaxTextExtent-1]='\0';
+  linkedinfoname[0]='\0';
+  linkedinfoname[MaxTextExtent-1]='\0';
   if (temporary_image_filename)
     {
       /* Allocate a temporary filename if image is unnamed.  */
@@ -560,12 +567,24 @@ MagickExport unsigned int InvokeDelegate
           return(False);
         }
     }
+  else if (strspn(image->filename, safechars) != strlen(image->filename))
+    {
+      strncpy(linkedname,image->filename,MaxTextExtent-1);
+      if (!AcquireTemporarySymlink(image->filename,linkedname))
+	{
+          (void) ThrowException(exception,FileOpenError,UnableToCreateTemporaryFile,image->filename);
+	  return (False);
+	}
+    }
+
   (void) strlcpy(filename,image->filename,MaxTextExtent);
   delegate_info=GetDelegateInfo(decode,encode,exception);
   if (delegate_info == (DelegateInfo *) NULL)
     {
       if (temporary_image_filename)
         (void) LiberateTemporaryFile(image->filename);
+      if (*linkedname)
+	strncpy(image->filename,linkedname,MaxTextExtent-1);
       (void) ThrowException(exception,DelegateError,NoTagFound,
         decode ? decode : encode);
       return(False);
@@ -586,6 +605,18 @@ MagickExport unsigned int InvokeDelegate
         }
       image_info->temporary=True;
     }
+  else if (strspn(image_info->filename, safechars) != strlen(image_info->filename))
+    {
+      strncpy(linkedinfoname,image_info->filename,MaxTextExtent-1);
+      if (!AcquireTemporarySymlink(image_info->filename,linkedinfoname))
+	{
+          if (temporary_image_filename)
+            LiberateTemporaryFile(image->filename);
+          (void) ThrowException(exception,FileOpenError,UnableToCreateTemporaryFile,image_info->filename);
+          return(False);
+        }
+      temporary_image_filename=True;
+    }
 
   if (delegate_info->mode != 0)
     if ((decode && (delegate_info->encode != (char *) NULL)) ||
@@ -609,6 +640,13 @@ MagickExport unsigned int InvokeDelegate
         {
           if (temporary_image_filename)
             (void) LiberateTemporaryFile(image->filename);
+	  if (*linkedname)
+            strncpy(image->filename,linkedname,MaxTextExtent-1);
+	  if (*linkedinfoname)
+            {
+              LiberateTemporaryFile(linkedinfoname);
+              strncpy(image_info->filename,linkedinfoname,MaxTextExtent-1);
+	    }
           (void) ThrowException(exception,FileOpenError,UnableToCreateTemporaryFile,image_info->unique);
           return(False);
         }
@@ -617,6 +655,13 @@ MagickExport unsigned int InvokeDelegate
         {
           if (temporary_image_filename)
             (void) LiberateTemporaryFile(image->filename);
+	  if (*linkedname)
+            strncpy(image->filename,linkedname,MaxTextExtent-1);
+	  if (*linkedinfoname)
+            {
+              LiberateTemporaryFile(linkedinfoname);
+              strncpy(image_info->filename,linkedinfoname,MaxTextExtent-1);
+	    }
           (void) LiberateTemporaryFile(image_info->unique);
           (void) ThrowException(exception,FileOpenError,UnableToCreateTemporaryFile,image_info->zero);
           return(False);
@@ -630,6 +675,13 @@ MagickExport unsigned int InvokeDelegate
             (void) LiberateTemporaryFile(image_info->zero);
             if (temporary_image_filename)
               (void) LiberateTemporaryFile(image->filename);
+	    if (*linkedname)
+              strncpy(image->filename,linkedname,MaxTextExtent-1);
+	    if (*linkedinfoname)
+              {
+                LiberateTemporaryFile(linkedinfoname);
+                strncpy(image_info->filename,linkedinfoname,MaxTextExtent-1);
+	      }
             (void) ThrowException(exception,DelegateError,DelegateFailed,
               decode ? decode : encode);
             return(False);
@@ -655,6 +707,13 @@ MagickExport unsigned int InvokeDelegate
               (void) LiberateTemporaryFile(image_info->zero);
               if (temporary_image_filename)
                 (void) LiberateTemporaryFile(image->filename);
+	      if (*linkedname)
+                strncpy(image->filename,linkedname,MaxTextExtent-1);
+	      if (*linkedinfoname)
+                {
+                  LiberateTemporaryFile(linkedinfoname);
+                  strncpy(image_info->filename,linkedinfoname,MaxTextExtent-1);
+	        }
               DestroyImageInfo(clone_info);
               (void) ThrowException(exception,DelegateError,DelegateFailed,
                 decode ? decode : encode);
@@ -676,6 +735,13 @@ MagickExport unsigned int InvokeDelegate
     {
       if (temporary_image_filename)
         (void) LiberateTemporaryFile(image->filename);
+      if (*linkedname)
+        strncpy(image->filename,linkedname,MaxTextExtent-1);
+      if (*linkedinfoname)
+        {
+          LiberateTemporaryFile(linkedinfoname);
+          strncpy(image_info->filename,linkedinfoname,MaxTextExtent-1);
+        }
       (void) ThrowException(exception,ResourceLimitError,MemoryAllocationFailed,decode ? decode : encode);
       return(False);
     }
@@ -802,6 +868,13 @@ MagickExport unsigned int InvokeDelegate
  error_exit:
   if (temporary_image_filename)
     (void) LiberateTemporaryFile(image->filename);
+  if (*linkedname)
+    strncpy(image->filename,linkedname,MaxTextExtent-1);
+  if (*linkedinfoname)
+    {
+      LiberateTemporaryFile(linkedinfoname);
+      strncpy(image_info->filename,linkedinfoname,MaxTextExtent-1);
+    }
   for ( ; commands[i] != (char *) NULL; i++)
     MagickFreeMemory(commands[i]);
   MagickFreeMemory(commands);
Index: GraphicsMagick-1.3.8/magick/symbols.h
===================================================================
--- GraphicsMagick-1.3.8.orig/magick/symbols.h
+++ GraphicsMagick-1.3.8/magick/symbols.h
@@ -29,6 +29,7 @@
 #define AcquireTemporaryFileDescriptor GmAcquireTemporaryFileDescriptor
 #define AcquireTemporaryFileName GmAcquireTemporaryFileName
 #define AcquireTemporaryFileStream GmAcquireTemporaryFileStream
+#define AcquireTemporarySymlink GmAcquireTemporarySymlink
 #define AdaptiveThresholdImage GmAdaptiveThresholdImage
 #define AddDefinitions GmAddDefinitions
 #define AddNoiseImage GmAddNoiseImage
Index: GraphicsMagick-1.3.8/magick/tempfile.c
===================================================================
--- GraphicsMagick-1.3.8.orig/magick/tempfile.c
+++ GraphicsMagick-1.3.8/magick/tempfile.c
@@ -192,6 +192,93 @@ MagickExport MagickPassFail AcquireTempo
 %                                                                             %
 %                                                                             %
 %                                                                             %
++   A c q u i r e T e m p o r a r y S y m l i n k                             %
+%                                                                             %
+%                                                                             %
+%                                                                             %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% AcquireTemporarySymlink replaces the contents of the string buffer pointed
+% to by filename with the unique name of a symbolic link.  True is returned
+% if a symlink waas created, or False is returned if there is a failure.
+% The allocated symlink should be recovered via the LiberateTemporaryFile()
+% function once it is no longer required.
+%
+% The format of the AcquireTemporarySymlink method is:
+%
+%     unsigned int AcquireTemporarySymlink(char *linkname, const char *name,
+%                                          ExceptionInfo *exception)
+%
+%  A description of each parameter follows.
+%
+%   o linkname: Specifies a pointer to an array of characters that must be
+%               MaxTextExtent characters of size.  The unique
+%               name of the symlink is returned in this array.
+%   o name: Specifies a file name the symlink should point to.
+*/
+MagickExport unsigned int AcquireTemporarySymlink(char *linkname, const char *name)
+{
+  char
+    *tempdir,
+    tempname[MaxTextExtent];
+
+  int
+    fd,
+    tries;
+  
+  assert(linkname != (char *)NULL);
+  linkname[0]='\0';
+  tempname[MaxTextExtent-1]='\0';
+
+  tempdir=getenv("MAGICK_TMPDIR");
+#if defined(POSIX)
+  if (!tempdir)
+    tempdir=getenv("TMPDIR");
+#endif /* POSIX */
+#if defined(WIN32)
+  if (!tempdir)
+    tempdir=getenv("TMP");
+  if (!tempdir)
+    tempdir=getenv("TEMP");
+#endif /* WIN32 */
+#if defined(P_tmpdir)
+  if (!tempdir)
+    tempdir=P_tmpdir;
+#endif
+
+  for (tries=0; tries < 15; tries++)
+    {
+      strncpy(tempname,"gmXXXXXX",MaxTextExtent-1);
+      ComposeTemporaryFileName(tempname);
+      strncpy(linkname,tempdir,MaxTextExtent-1);
+      if (tempdir[strlen(tempdir)-1] != DirectorySeparator[0])
+	strncat(linkname,DirectorySeparator,MaxTextExtent-1);
+      strncat(linkname,tempname,MaxTextExtent-1);
+      if (*name == '/')
+        fd=symlink(name, linkname);
+      else
+        {
+          char cname[MaxTextExtent];
+	  if (!getcwd(cname,(size_t)MaxTextExtent))
+	    return (False);
+	  strncat(cname,DirectorySeparator,MaxTextExtent-1);
+	  strncat(cname,name,MaxTextExtent-1);
+	  fd=symlink(cname,linkname);
+	}
+      if (fd != -1)
+	{
+	  AddTemporaryFileToList(linkname);
+	  return (True);
+	}
+    }
+  return (False);
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%                                                                             %
+%                                                                             %
+%                                                                             %
 +   A c q u i r e T e m p o r a r y F i l e D e s c r i p t o r               %
 %                                                                             %
 %                                                                             %
Index: GraphicsMagick-1.3.8/magick/tempfile.h
===================================================================
--- GraphicsMagick-1.3.8.orig/magick/tempfile.h
+++ GraphicsMagick-1.3.8/magick/tempfile.h
@@ -24,6 +24,7 @@ typedef enum
 
 MagickExport MagickPassFail
   AcquireTemporaryFileName(char *filename),
+  AcquireTemporarySymlink(char *linkname, const char *name),
   LiberateTemporaryFile(char *filename);
 
 MagickExport int
Index: GraphicsMagick-1.3.8/magick/utility.c
===================================================================
--- GraphicsMagick-1.3.8.orig/magick/utility.c
+++ GraphicsMagick-1.3.8/magick/utility.c
@@ -1244,6 +1244,72 @@ MagickExport void FormatString(char *str
 %                                                                             %
 %                                                                             %
 %                                                                             %
+%  F o r m a t S t r i n g N u m e r i c                                      %
+%                                                                             %
+%                                                                             %
+%                                                                             %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%  Method FormatStringNumeric formats output for a single numeric argument.
+%  It takes into account that the format string given might be untrusted
+%  user input, and returns a pointer to the formatted string.
+%
+%  The format of the FormatStringNumeric method is:
+%
+%      char * FormatStringNumeric(char *string,const char *format,int value)
+%
+%  A description of each parameter follows.
+%
+%   o  format:  A string describing the format to use to write the numeric
+%      argument. Only the first numeric format identifier is replaced.
+%
+%   o  value:  Numeric value to substitute into format string.
+%
+%
+*/
+MagickExport char *FormatStringNumeric(const char *format,int value)
+{
+  char
+    *p,
+    *string;
+
+  string = NULL;
+
+  (void) CloneString(&string, format);
+
+  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+  {  
+    char
+      *q;
+
+    q=(char *) p+1;
+    if (*q == '0')
+      (void) strtol(q,&q,10);
+    if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+    {
+      char
+        c;
+
+      q++;
+      c=*q;
+      *q='\0';
+      (void) snprintf(string+(p-format),MaxTextExtent-(p-format),p,value);
+      *q=c;
+      (void) ConcatenateString(&string,q);
+      if (*(q-1) == '%')
+        p++;
+      else
+        break;
+    }
+  }
+  return string;
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%                                                                             %
+%                                                                             %
+%                                                                             %
 %   G e t E x e c u t i o n P a t h                                           %
 %                                                                             %
 %                                                                             %
Index: GraphicsMagick-1.3.8/magick/utility.h
===================================================================
--- GraphicsMagick-1.3.8.orig/magick/utility.h
+++ GraphicsMagick-1.3.8/magick/utility.h
@@ -72,6 +72,7 @@ extern MagickExport char
   *AllocateString(const char *),
   *Base64Encode(const unsigned char *,const size_t,size_t *),
   *EscapeString(const char *,const char),
+  *FormatStringNumeric(const char *,int),
   *GetPageGeometry(const char *),
   **ListFiles(const char *,const char *,long *),
   **StringToArgv(const char *,int *),