From e89560dada3a83e1e39bdae2eedeea5650489309 Mon Sep 17 00:00:00 2001
From: pabs <pabs@1f10aa63-cdf2-0310-b900-c93c546f37ac>
Date: Thu, 6 Dec 2007 03:41:36 +0000
Subject: [PATCH] Security fix: mod_ffmpeg target used popen to run ffmpeg,
 change it to use pipe, fork and exec. SIF files with a malicious <name>
 parameter or with a strange filename could previously have executed arbitrary
 shell commands.

git-svn-id: http://svn.voria.com/code@1181 1f10aa63-cdf2-0310-b900-c93c546f37ac
---
 .../trunk/src/modules/mod_ffmpeg/trgt_ffmpeg.cpp   | 36 +++++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/synfig-core/trunk/src/modules/mod_ffmpeg/trgt_ffmpeg.cpp b/synfig-core/trunk/src/modules/mod_ffmpeg/trgt_ffmpeg.cpp
index e41d1a5..251dc3a 100644
--- a/synfig-core/trunk/src/modules/mod_ffmpeg/trgt_ffmpeg.cpp
+++ b/synfig-core/trunk/src/modules/mod_ffmpeg/trgt_ffmpeg.cpp
@@ -124,11 +124,39 @@ ffmpeg_trgt::init()
 	imagecount=desc.get_frame_start();
 	if(desc.get_frame_end()-desc.get_frame_start()>0)
 		multi_image=true;
-	string command;
 
-	command=strprintf("ffmpeg -f image2pipe -vcodec ppm -an -r %f -i pipe: -loop -hq -title \"%s\" -vcodec mpeg1video -y \"%s\"\n",desc.get_frame_rate(),get_canvas()->get_name().c_str(),filename.c_str());
-
-	file=popen(command.c_str(),POPEN_BINARY_WRITE_TYPE);
+	int p[2];
+  
+	if (pipe(p)) {
+		synfig::error(_("Unable to open pipe to ffmpeg"));
+		return false;
+	};
+  
+	pid_t pid = fork();
+  
+	if (pid == -1) {
+		synfig::error(_("Unable to open pipe to ffmpeg"));
+		return false;
+	}
+  
+	if (pid == 0){
+		// Child process
+		// Dup pipeout to stdin
+		if( dup2( p[0], STDIN_FILENO ) == -1 ){
+			synfig::error(_("Unable to open pipe to ffmpeg"));
+			return false;
+		}
+		execlp("ffmpeg", "ffmpeg", "-f", "image2pipe", "-vcodec", "ppm", "-an", "-r", strprintf("%f", desc.get_frame_rate()).c_str(), "-i", "pipe:", "-loop", "-hq", "-title", get_canvas()->get_name().c_str(), "-vcodec", "mpeg1video", "-y", filename.c_str(), (const char *)NULL);
+		// We should never reach here unless the exec failed
+		synfig::error(_("Unable to open pipe to ffmpeg"));
+		return false;
+	} else {
+		// Parent process
+		// Close pipein, not needed
+		close(p[0]);
+		// Save pipeout to file handle, will write to it later
+		file = fdopen(p[1], "wb");
+	}
 
 	// etl::yield();
 
-- 
2.7.4