Commit be99ffaa5 for imagemagick.org
commit be99ffaa57c8f91ed8897c2221ff0940c561a368
Author: Cristy <urban-warrior@imagemagick.org>
Date: Mon Jun 22 06:54:13 2026 -0400
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-422r-8c97-xcg4
diff --git a/MagickCore/fx.c b/MagickCore/fx.c
index dc96e9bdd..329527377 100644
--- a/MagickCore/fx.c
+++ b/MagickCore/fx.c
@@ -875,26 +875,63 @@ static ElementTypeE TypeOfOpr (int op)
return (ElementTypeE) 0;
}
-static char * SetPtrShortExp (FxInfo * pfx, char * pExp, size_t len)
+static char *SetPtrShortExp(FxInfo *pfx, const char *pExp, size_t len)
{
- #define MaxLen 20
+#define MaxLen 20
- size_t slen;
- char * p;
+ char *dst = pfx->ShortExp;
+ size_t dst_size = MagickPathExtent; // actual buffer size
+ size_t copy_len;
+
+ if (dst_size == 0)
+ return dst;
+
+ dst[0] = '\0';
- *pfx->ShortExp = '\0';
+ if (pExp && len)
+ {
+ /* Clamp to buffer size - 1 */
+ copy_len = len;
+ if (copy_len > dst_size - 1)
+ copy_len = dst_size - 1;
+
+ memcpy(dst, pExp, copy_len);
+ dst[copy_len] = '\0';
- if (pExp && len) {
- slen = CopyMagickString (pfx->ShortExp, pExp, len);
- if (slen > MaxLen) {
- (void) CopyMagickString (pfx->ShortExp+MaxLen, "...", 4);
+ /* Logical truncation to MaxLen */
+ if (copy_len > MaxLen)
+ {
+ if (MaxLen + 3 < dst_size)
+ {
+ memcpy(dst + MaxLen, "...", 3);
+ dst[MaxLen + 3] = '\0';
+ }
+ else
+ {
+ dst[dst_size - 1] = '\0';
+ }
+ }
+
+ /* Replace newline / carriage return safely */
+ char *p;
+
+ if ((p = strchr(dst, '\n')) != NULL ||
+ (p = strchr(dst, '\r')) != NULL)
+ {
+ size_t offset = (size_t)(p - dst);
+ if (offset + 3 < dst_size)
+ {
+ memcpy(p, "...", 3);
+ dst[offset + 3] = '\0';
+ }
+ else
+ {
+ dst[dst_size - 1] = '\0';
+ }
+ }
}
- p = strchr (pfx->ShortExp, '\n');
- if (p) (void) CopyMagickString (p, "...", 4);
- p = strchr (pfx->ShortExp, '\r');
- if (p) (void) CopyMagickString (p, "...", 4);
- }
- return pfx->ShortExp;
+
+ return dst;
}
static char * SetShortExp (FxInfo * pfx)