
lvxiaoqian / ImageMagick

forked from src-openEuler / ImageMagick 
CVE-2020-29599-1.patch 2.18 KB
wangxiao65 committed on 2021-01-12 15:31 . fix CVE-2020-29599
From a7b2d8328c539da6e79a118a0b8e97462c7daa77 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 10 Nov 2019 14:53:23 -0500
Subject: [PATCH] Santize ';' from SHOW and WIN delegates
---
magick/delegate.c | 26 +++++++++++++++++++++++++-
magick/string.c | 4 ++--
2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/magick/delegate.c b/magick/delegate.c
index 37cd77b39..4fec87fc6 100644
--- a/magick/delegate.c
+++ b/magick/delegate.c
@@ -507,6 +507,30 @@ MagickExport int ExternalDelegateCommand(const MagickBooleanType asynchronous,
%
*/
+static char *SanitizeDelegateString(const char *source)
+{
+ char
+ *sanitize_source;
+
+ const char
+ *q;
+
+ register char
+ *p;
+
+ static char
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+ "$-_.+!*'(),{}|\\^~[]`\"><#%/?:@&=";
+
+ sanitize_source=AcquireString(source);
+ p=sanitize_source;
+ q=sanitize_source+strlen(sanitize_source);
+ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
+ *p='_';
+ return(sanitize_source);
+}
+
static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
const char letter)
{
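Review bot: the whitelist literal in SanitizeDelegateString leaves out ';' but still admits other characters a shell treats specially, including the backtick, `$`, `|`, `&`, `<`, `>`, `(`, `)` and both quote characters, so the result is only protected against command separation by ';'. Consider trimming the list to what delegate arguments actually need, or add a comment stating why the remaining characters are safe where the returned string is used. The function also has no `%` documentation block of the kind visible just above it; one should say that disallowed characters are replaced with '_' rather than removed and that the caller owns the returned string. `whitelist` is never written to and could be declared `static const char`.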
@@ -918,7 +942,7 @@ static char *GetMagickPropertyLetter(const ImageInfo *image_info,Image *image,
break;
}
}
- return(SanitizeString(string));
+ return(SanitizeDelegateString(string));
}
static char *InterpretDelegateProperties(const ImageInfo *image_info,
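Review bot: at the `return` in GetMagickPropertyLetter, swapping SanitizeString for SanitizeDelegateString changes filtering for every value this function returns, while the subject mentions only the SHOW and WIN delegates; please confirm that scope is intended. Going by the SanitizeString comment in magick/string.c, the old set was letters, digits and a short punctuation list, whereas the new whitelist additionally lets through space, `"`, `(`, `)`, `,`, `/`, `\`, `:`, `<` and `>`, and substitutes '_' instead of dropping characters. This call site therefore becomes more permissive for those characters, and the commit message should explain why that is acceptable.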
diff --git a/magick/string.c b/magick/string.c
index 828f12a0c..1e4ae55cb 100644
--- a/magick/string.c
+++ b/magick/string.c
@@ -1588,10 +1588,10 @@ MagickExport void ResetStringInfo(StringInfo *string_info)
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
-% SanitizeString() returns an new string removes all characters except
+% SanitizeString() returns a new string removes all characters except
% letters, digits and !#$%&'*+-=?^_`{|}~@.[].
%
-% The returned string shoud be freed using DestoryString().
+% Free the sanitized string with DestroyString().
%
% The format of the SanitizeString method is:
%
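Review bot: the replacement line `% SanitizeString() returns a new string removes all characters except` fixes "an" but still does not parse; wording such as "returns a new string with all characters removed except" would read correctly. This hunk only touches comments and is independent of the delegate change, so it could go in a separate commit.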