This patch fixes Gentoo bug #243238 (CVE-2008-4640 and CVE-2008-4641).

diff -ru jhead-2.84.orig/jhead.c jhead-2.84/jhead.c
--- jhead-2.84.orig/jhead.c	2008-10-04 18:10:35.000000000 +0200
+++ jhead-2.84/jhead.c	2008-11-28 18:51:52.000000000 +0100
@@ -295,44 +295,88 @@
 
 
 //--------------------------------------------------------------------------
+// Escape an argument such that it is interpreted literally by the shell
+// (returns the number of written characters)
+//--------------------------------------------------------------------------
+static int shellescape(char* to, const char* from)
+{
+    int i, j;
+    i = j = 0;
+
+    // Enclosing characters in double quotes preserves the literal value of
+    // all characters within the quotes, with the exception of $, `, and \.
+    to[j++] = '"';
+    while(from[i])
+    {
+#ifdef _WIN32
+        // Under WIN32, there isn't really anything dangerous you can do with 
+        // escape characters, plus windows users aren't as sercurity paranoid.
+        // Hence, no need to do fancy escaping.
+        to[j++] = from[i++];
+#else
+        switch(from[i]) {
+            case '"':
+            case '$':
+            case '`':
+            case '\\':
+                to[j++] = '\\';
+            default:
+                to[j++] = from[i++];
+        }
+#endif 
+        if (j >= PATH_MAX) ErrFatal("max path exceeded");
+    }
+    to[j++] = '"';
+    return j;
+}
+
+
+//--------------------------------------------------------------------------
 // Apply the specified command to the JPEG file.
 //--------------------------------------------------------------------------
 static void DoCommand(const char * FileName, int ShowIt)
 {
     int a,e;
-    char ExecString[PATH_MAX*2];
-    char TempName[PATH_MAX+1];
+    char ExecString[PATH_MAX*3];
+    char TempName[PATH_MAX+10];
     int TempUsed = FALSE;
 
     e = 0;
 
-    // Make a temporary file in the destination directory by changing last char.
-    strcpy(TempName, FileName);
-    a = strlen(TempName)-1;
-    TempName[a] = (char)(TempName[a] == 't' ? 'z' : 't');
+    // Generate an unused temporary file name in the destination directory
+    // (a is the number of characters to copy from FileName)
+    a = strlen(FileName)-1;
+    while(a > 0 && FileName[a-1] != '/') a--;
+    memcpy(TempName, FileName, a);
+    strcpy(TempName+a, "XXXXXX");
+    mkstemp(TempName);
+    if(!TempName[0]) {
+        ErrFatal("Cannot find available temporary file name");
+    }
+
+
 
     // Build the exec string.  &i and &o in the exec string get replaced by input and output files.
     for (a=0;;a++){
         if (ApplyCommand[a] == '&'){
             if (ApplyCommand[a+1] == 'i'){
                 // Input file.
-                e += sprintf(ExecString+e, "\"%s\"",FileName);
+                e += shellescape(ExecString+e, FileName);
                 a += 1;
                 continue;
             }
             if (ApplyCommand[a+1] == 'o'){
                 // Needs an output file distinct from the input file.
-                e += sprintf(ExecString+e, "\"%s\"",TempName);
+                e += shellescape(ExecString+e, TempName);
                 a += 1;
                 TempUsed = TRUE;
-                unlink(TempName);// Remove any pre-existing temp file
                 continue;
             }
         }
         ExecString[e++] = ApplyCommand[a];
         if (ApplyCommand[a] == 0) break;
     }
-
+ShowIt = 1;
     if (ShowIt) printf("Cmd:%s\n",ExecString);
 
     errno = 0;
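Review bot: The failure check after `mkstemp(TempName);` can never trigger: mkstemp reports failure through its return value, which is discarded, and `TempName[0]` is the first byte of the directory prefix (or `'X'` when FileName has no slash), never NUL in any case I can see; the descriptor mkstemp returns is also never closed, so each processed file leaks one fd. I would write `int fd = mkstemp(TempName); if (fd < 0) ErrFatal("Cannot create temporary file"); close(fd);` (close needs `<unistd.h>`, which the hunk does not show). `ShowIt = 1;` just above the printf looks like a debugging leftover — it overrides the caller's argument, so every DoCommand caller now echoes the command line; it should be deleted. In shellescape, the intentional fall-through from the `case '\\':` backslash write into `default:` deserves a `/* fallthrough */` comment, and the `j >= PATH_MAX` check bounds only one escaped argument: the closing quote is written unchecked and the accumulated `e` is never compared against `sizeof ExecString`, so a long ApplyCommand plus two escaped paths could still exceed `PATH_MAX*3`. DoCommand continues past the end of this hunk.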
@@ -638,7 +682,7 @@
                 ErrFatal("Orientation screwup");
             }
 
-            sprintf(RotateCommand, "jpegtran -%s -outfile &o &i", Argument);
+            sprintf(RotateCommand, "jpegtran -trim -%s -outfile &o &i", Argument);
             ApplyCommand = RotateCommand;
             DoCommand(FileName, FALSE);
             ApplyCommand = NULL;
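Review bot: The `-trim` flag added to the jpegtran command line is a behaviour change unrelated to the CVE fix named in the patch description, and nothing in the patch explains it; if I recall jpegtran's semantics correctly, `-trim` discards the partial edge MCU blocks rather than keeping them, so rotated output changes for images whose dimensions are not multiples of the MCU size. Either split it into its own patch or add a sentence to the description such as `Also pass -trim to jpegtran so that rotated images with non-MCU-aligned edges are trimmed instead of left untransformed.` The surrounding function starts and ends outside this hunk.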
@@ -657,7 +701,7 @@
                 strcpy(ThumbTempName_out, FileName);
                 strcat(ThumbTempName_out, ".tho");
                 SaveThumbnail(ThumbTempName_in);
-                sprintf(RotateCommand,"jpegtran -%s -outfile \"%s\" \"%s\"",
+                sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"",
                     Argument, ThumbTempName_out, ThumbTempName_in);
 
                 if (system(RotateCommand) == 0){
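Review bot: This thumbnail path still builds its jpegtran command with `sprintf(..., "\"%s\" \"%s\"", ThumbTempName_out, ThumbTempName_in)` and runs it through `system()`, so a `"`, `$`, backtick or backslash in FileName breaks out of the quoting here exactly as it did in DoCommand before this patch — the new shellescape() helper is not applied on this path. The output name `FileName + ".tho"` is also predictable and created in the same directory, which looks like the same class of temp-file problem the mkstemp change addresses; I would route this through DoCommand (or at least shellescape both names and use mkstemp for the output) rather than only adding `-trim`. The `strcpy`/`strcat` into ThumbTempName_out are unbounded as far as the hunk shows; its size is declared outside the hunk. The enclosing block starts and ends outside this hunk.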