Annotation of /trunk/openmotif/patches/openmotif-2.2.3-CAN-2004-0687-0688.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 13114 byte(s)
-import
1 | niro | 153 | --- openMotif-2.2.3/lib/Xm/Xpmhashtab.c.CAN-2004-0687-0688 2004-09-30 11:52:40.176933831 +0200 |
2 | +++ openMotif-2.2.3/lib/Xm/Xpmhashtab.c 2004-09-30 11:53:47.288717782 +0200 | ||
3 | @@ -141,7 +141,7 @@ | ||
4 | xpmHashTable *table; | ||
5 | { | ||
6 | xpmHashAtom *atomTable = table->atomTable; | ||
7 | - int size = table->size; | ||
8 | + unsigned int size = table->size; | ||
9 | xpmHashAtom *t, *p; | ||
10 | int i; | ||
11 | int oldSize = size; | ||
12 | @@ -150,6 +150,8 @@ | ||
13 | HASH_TABLE_GROWS | ||
14 | table->size = size; | ||
15 | table->limit = size / 3; | ||
16 | + if (size >= SIZE_MAX / sizeof(*atomTable)) | ||
17 | + return (XpmNoMemory); | ||
18 | atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); | ||
19 | if (!atomTable) | ||
20 | return (XpmNoMemory); | ||
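Review bot: The new overflow check in the grow path returns `XpmNoMemory` after `table->size` and `table->limit` have already been raised, so on that early return (and on the existing allocation failure just below it) the table reports the larger size while `table->atomTable` still refers to the old, smaller array. Any later lookup that reduces a hash modulo `table->size` would then index past the old allocation, unless every caller discards the table on error, which is not visible here. Doing the check and the `XpmMalloc` call first, and only then writing `table->size = size; table->limit = size / 3;`, keeps the structure consistent on failure. The function body starts and ends outside the hunk.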
21 | @@ -210,6 +212,8 @@ | ||
22 | table->size = INITIAL_HASH_SIZE; | ||
23 | table->limit = table->size / 3; | ||
24 | table->used = 0; | ||
25 | + if (table->size >= SIZE_MAX / sizeof(*atomTable)) | ||
26 | + return (XpmNoMemory); | ||
27 | atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); | ||
28 | if (!atomTable) | ||
29 | return (XpmNoMemory); | ||
30 | --- openMotif-2.2.3/lib/Xm/XpmWrFFrI.c.CAN-2004-0687-0688 2004-09-30 11:36:04.545969020 +0200 | ||
31 | +++ openMotif-2.2.3/lib/Xm/XpmWrFFrI.c 2004-09-30 11:37:14.583312219 +0200 | ||
32 | @@ -244,6 +244,8 @@ | ||
33 | unsigned int x, y, h; | ||
34 | |||
35 | h = height - 1; | ||
36 | + if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) | ||
37 | + return (XpmNoMemory); | ||
38 | p = buf = (char *) XpmMalloc(width * cpp + 3); | ||
39 | if (!buf) | ||
40 | return (XpmNoMemory); | ||
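Review bot: The guard `width >= (SIZE_MAX - 3)/cpp` compares against the range of size_t, but if `width` and `cpp` are `unsigned int` here (their declarations are outside the hunk), `width * cpp + 3` is still evaluated in 32-bit arithmetic, so on an LP64 build the product can wrap while the guard stays false and `XpmMalloc` receives an undersized length. The same pattern appears in the `width * height` checks added to Xpmscan.c and Xpmparse.c, where the ParsePixels prototype does show `unsigned int width, unsigned int height`. Checking against the width of the operands, e.g. `if (cpp != 0 && width >= (UINT_MAX - 3) / cpp)`, or widening before multiplying with `(size_t)width * cpp + 3`, closes the gap on 64-bit targets.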
41 | --- openMotif-2.2.3/lib/Xm/Xpmdata.c.CAN-2004-0687-0688 2004-09-30 11:51:30.712472999 +0200 | ||
42 | +++ openMotif-2.2.3/lib/Xm/Xpmdata.c 2004-09-30 11:52:26.665789239 +0200 | ||
43 | @@ -376,7 +376,7 @@ | ||
44 | { | ||
45 | if (!mdata->type) | ||
46 | *cmt = NULL; | ||
47 | - else if (mdata->CommentLength) { | ||
48 | + else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) { | ||
49 | *cmt = (char *) XpmMalloc(mdata->CommentLength + 1); | ||
50 | strncpy(*cmt, mdata->Comment, mdata->CommentLength); | ||
51 | (*cmt)[mdata->CommentLength] = '\0'; | ||
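Review bot: The result of `XpmMalloc(mdata->CommentLength + 1)` is passed straight to `strncpy` and then indexed, so an allocation failure turns into a write through a NULL pointer; the tightened length condition does not cover that case. A check such as `if (!*cmt) return XpmNoMemory;` directly after the allocation would handle it, assuming the function can report a status (its return type is outside the hunk). The enclosing function begins and ends outside the hunk.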
52 | --- openMotif-2.2.3/lib/Xm/XpmI.h.CAN-2004-0687-0688 2004-09-30 11:38:09.358760225 +0200 | ||
53 | +++ openMotif-2.2.3/lib/Xm/XpmI.h 2004-09-30 11:39:58.498714150 +0200 | ||
54 | @@ -179,6 +179,18 @@ | ||
55 | boundCheckingCalloc((long)(nelem),(long) (elsize)) | ||
56 | #endif | ||
57 | |||
58 | +#if defined(SCO) || defined(__USLC__) | ||
59 | +#include <stdint.h> /* For SIZE_MAX */ | ||
60 | +#endif | ||
61 | +#include <limits.h> | ||
62 | +#ifndef SIZE_MAX | ||
63 | +# ifdef ULONG_MAX | ||
64 | +# define SIZE_MAX ULONG_MAX | ||
65 | +# else | ||
66 | +# define SIZE_MAX UINT_MAX | ||
67 | +# endif | ||
68 | +#endif | ||
69 | + | ||
70 | #define XPMMAXCMTLEN BUFSIZ | ||
71 | typedef struct { | ||
72 | unsigned int type; | ||
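Review bot: The `SIZE_MAX` fallback is tied to `unsigned long` rather than to size_t: `<limits.h>` always defines `ULONG_MAX`, so the `UINT_MAX` branch is never taken, and on a platform where size_t is narrower than unsigned long the overflow guards added throughout this patch would compare against too large a limit. In the hunks shown the macro is only used in expressions, so `# define SIZE_MAX ((size_t)-1)` would give the exact bound without depending on which header supplies it. A one-line comment saying that this value is the allocation-size ceiling used by the overflow checks would also help readers of XpmI.h.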
73 | @@ -276,9 +288,9 @@ | ||
74 | } *xpmHashAtom; | ||
75 | |||
76 | typedef struct { | ||
77 | - int size; | ||
78 | - int limit; | ||
79 | - int used; | ||
80 | + unsigned int size; | ||
81 | + unsigned int limit; | ||
82 | + unsigned int used; | ||
83 | xpmHashAtom *atomTable; | ||
84 | } xpmHashTable; | ||
85 | |||
86 | --- openMotif-2.2.3/lib/Xm/XpmCrDatFrI.c.CAN-2004-0687-0688 2004-09-30 11:35:18.058379165 +0200 | ||
87 | +++ openMotif-2.2.3/lib/Xm/XpmCrDatFrI.c 2004-09-30 11:35:43.951808698 +0200 | ||
88 | @@ -134,6 +134,8 @@ | ||
89 | */ | ||
90 | header_nlines = 1 + image->ncolors; | ||
91 | header_size = sizeof(char *) * header_nlines; | ||
92 | + if (header_size >= SIZE_MAX / sizeof(char *)) | ||
93 | + return (XpmNoMemory); | ||
94 | header = (char **) XpmCalloc(header_size, sizeof(char *)); | ||
95 | if (!header) | ||
96 | return (XpmNoMemory); | ||
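Review bot: The added check tests `header_size`, which is already the product `sizeof(char *) * header_nlines`, so a wrap in that multiplication or in `1 + image->ncolors` has happened before the comparison and can leave a small value that passes. Whether it can wrap depends on the declared types of `header_size` and `header_nlines`, which are outside the hunk. Testing the count before multiplying, `if (header_nlines <= image->ncolors || header_nlines >= SIZE_MAX / sizeof(char *)) return (XpmNoMemory);`, placed above the `header_size` assignment, rejects both cases.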
97 | --- openMotif-2.2.3/lib/Xm/Xpmscan.c.CAN-2004-0687-0688 2004-09-30 12:05:34.424607695 +0200 | ||
98 | +++ openMotif-2.2.3/lib/Xm/Xpmscan.c 2004-09-30 12:08:16.963282178 +0200 | ||
99 | @@ -98,7 +98,8 @@ | ||
100 | LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, | ||
101 | XpmAttributes *attributes)); | ||
102 | |||
103 | -LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, | ||
104 | +LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, | ||
105 | + unsigned int ncolors, | ||
106 | Pixel *pixels, unsigned int mask, | ||
107 | unsigned int cpp, XpmAttributes *attributes)); | ||
108 | |||
109 | @@ -225,11 +226,17 @@ | ||
110 | else | ||
111 | cpp = 0; | ||
112 | |||
113 | + if ((height > 0 && width >= SIZE_MAX / height) || | ||
114 | + width * height >= SIZE_MAX / sizeof(unsigned int)) | ||
115 | + RETURN(XpmNoMemory); | ||
116 | pmap.pixelindex = | ||
117 | (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); | ||
118 | if (!pmap.pixelindex) | ||
119 | RETURN(XpmNoMemory); | ||
120 | |||
121 | + if (pmap.size >= SIZE_MAX / sizeof(Pixel)) | ||
122 | + RETURN(XpmNoMemory); | ||
123 | + | ||
124 | pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); | ||
125 | if (!pmap.pixels) | ||
126 | RETURN(XpmNoMemory); | ||
127 | @@ -285,6 +292,8 @@ | ||
128 | * color | ||
129 | */ | ||
130 | |||
131 | + if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) | ||
132 | + RETURN(XpmNoMemory); | ||
133 | colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); | ||
134 | if (!colorTable) | ||
135 | RETURN(XpmNoMemory); | ||
136 | @@ -332,6 +341,8 @@ | ||
137 | |||
138 | /* first get a character string */ | ||
139 | a = 0; | ||
140 | + if (cpp >= SIZE_MAX - 1) | ||
141 | + return (XpmNoMemory); | ||
142 | if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) | ||
143 | return (XpmNoMemory); | ||
144 | *s++ = printable[c = a % MAXPRINTABLE]; | ||
145 | @@ -379,7 +390,7 @@ | ||
146 | ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) | ||
147 | Display *display; | ||
148 | XpmColor *colors; | ||
149 | - int ncolors; | ||
150 | + unsigned int ncolors; | ||
151 | Pixel *pixels; | ||
152 | unsigned int mask; | ||
153 | unsigned int cpp; | ||
154 | @@ -423,6 +434,8 @@ | ||
155 | } | ||
156 | |||
157 | /* first get character strings and rgb values */ | ||
158 | + if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) | ||
159 | + return (XpmNoMemory); | ||
160 | xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); | ||
161 | if (!xcolors) | ||
162 | return (XpmNoMemory); | ||
163 | --- openMotif-2.2.3/lib/Xm/XpmAttrib.c.CAN-2004-0687-0688 2004-09-30 11:33:10.216008908 +0200 | ||
164 | +++ openMotif-2.2.3/lib/Xm/XpmAttrib.c 2004-09-30 11:33:41.187737616 +0200 | ||
165 | @@ -41,8 +41,8 @@ | ||
166 | #include "XpmI.h" | ||
167 | |||
168 | /* 3.2 backward compatibility code */ | ||
169 | -LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors, | ||
170 | - XpmColor ***oldct)); | ||
171 | +LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, | ||
172 | + XpmColor ***oldct)); | ||
173 | |||
174 | LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); | ||
175 | |||
176 | @@ -52,12 +52,15 @@ | ||
177 | static int | ||
178 | CreateOldColorTable(ct, ncolors, oldct) | ||
179 | XpmColor *ct; | ||
180 | - int ncolors; | ||
181 | + unsigned int ncolors; | ||
182 | XpmColor ***oldct; | ||
183 | { | ||
184 | XpmColor **colorTable, **color; | ||
185 | int a; | ||
186 | |||
187 | + if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) | ||
188 | + return XpmNoMemory; | ||
189 | + | ||
190 | colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); | ||
191 | if (!colorTable) { | ||
192 | *oldct = NULL; | ||
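Review bot: The new early return leaves `*oldct` unset, whereas the allocation-failure branch right below stores `*oldct = NULL` before returning, so a caller that inspects or frees the out-parameter after an error would see whatever value it held before the call. Setting it in the new branch as well, `if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) { *oldct = NULL; return XpmNoMemory; }`, keeps the two failure paths consistent. `int a;` is still signed while `ncolors` is now unsigned; if the loop further down compares them, `unsigned int a;` would avoid the mixed comparison. The function body continues past the hunk.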
193 | --- openMotif-2.2.3/lib/Xm/Xpmcreate.c.CAN-2004-0687-0688 2004-09-30 11:40:22.122457590 +0200 | ||
194 | +++ openMotif-2.2.3/lib/Xm/Xpmcreate.c 2004-09-30 12:49:44.411019183 +0200 | ||
195 | @@ -804,6 +804,9 @@ | ||
196 | |||
197 | ErrorStatus = XpmSuccess; | ||
198 | |||
199 | + if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) | ||
200 | + return (XpmNoMemory); | ||
201 | + | ||
202 | /* malloc pixels index tables */ | ||
203 | image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); | ||
204 | if (!image_pixels) | ||
205 | @@ -947,6 +950,8 @@ | ||
206 | return (XpmNoMemory); | ||
207 | |||
208 | #ifndef FOR_MSW | ||
209 | + if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) | ||
210 | + return XpmNoMemory; | ||
211 | /* now that bytes_per_line must have been set properly alloc data */ | ||
212 | (*image_return)->data = | ||
213 | (char *) XpmMalloc((*image_return)->bytes_per_line * height); | ||
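Review bot: The new `return XpmNoMemory;` exits after `*image_return` has evidently been created (the check dereferences it), and nothing in the added lines releases that image or clears the out-parameter. If the failure path after the `XpmMalloc` call, which lies outside the hunk, destroys the image, this branch should do the same, e.g. `XDestroyImage(*image_return); *image_return = NULL; return XpmNoMemory;` inside braces. The enclosing function starts and ends outside the hunk.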
214 | @@ -1992,6 +1997,9 @@ | ||
215 | xpmGetCmt(data, &colors_cmt); | ||
216 | |||
217 | /* malloc pixels index tables */ | ||
218 | + if (ncolors >= SIZE_MAX / sizeof(Pixel)) | ||
219 | + return XpmNoMemory; | ||
220 | + | ||
221 | image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); | ||
222 | if (!image_pixels) | ||
223 | RETURN(XpmNoMemory); | ||
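Review bot: The added check leaves with a bare `return XpmNoMemory;` while the allocation failure two lines later uses `RETURN(XpmNoMemory)`. The macro's definition is not in the hunk, but if it releases what the function has acquired so far, including the comment just fetched by `xpmGetCmt(data, &colors_cmt)`, the bare return skips that cleanup and leaks it. Using `RETURN(XpmNoMemory);` in the new branch would match the surrounding error handling.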
224 | @@ -2207,6 +2215,9 @@ | ||
225 | { | ||
226 | unsigned short colidx[256]; | ||
227 | |||
228 | + if (ncolors > 256) | ||
229 | + return (XpmFileInvalid); | ||
230 | + | ||
231 | bzero((char *)colidx, 256 * sizeof(short)); | ||
232 | for (a = 0; a < ncolors; a++) | ||
233 | colidx[(unsigned char)colorTable[a].string[0]] = a + 1; | ||
234 | @@ -2305,6 +2316,9 @@ | ||
235 | char *s; | ||
236 | char buf[BUFSIZ]; | ||
237 | |||
238 | + if (cpp >= sizeof(buf)) | ||
239 | + return (XpmFileInvalid); | ||
240 | + | ||
241 | buf[cpp] = '\0'; | ||
242 | if (USE_HASHTABLE) { | ||
243 | xpmHashAtom *slot; | ||
244 | --- openMotif-2.2.3/lib/Xm/Xpmparse.c.CAN-2004-0687-0688 2004-09-30 11:54:01.219804716 +0200 | ||
245 | +++ openMotif-2.2.3/lib/Xm/Xpmparse.c 2004-09-30 12:47:15.676480282 +0200 | ||
246 | @@ -46,6 +46,25 @@ | ||
247 | |||
248 | #include "XpmI.h" | ||
249 | #include <ctype.h> | ||
250 | +#include <string.h> | ||
251 | + | ||
252 | +#ifdef HAS_STRLCAT | ||
253 | +# define STRLCAT(dst, src, dstsize) { \ | ||
254 | + if (strlcat(dst, src, dstsize) >= (dstsize)) \ | ||
255 | + return (XpmFileInvalid); } | ||
256 | +# define STRLCPY(dst, src, dstsize) { \ | ||
257 | + if (strlcpy(dst, src, dstsize) >= (dstsize)) \ | ||
258 | + return (XpmFileInvalid); } | ||
259 | +#else | ||
260 | +# define STRLCAT(dst, src, dstsize) { \ | ||
261 | + if ((strlen(dst) + strlen(src)) < (dstsize)) \ | ||
262 | + strcat(dst, src); \ | ||
263 | + else return (XpmFileInvalid); } | ||
264 | +# define STRLCPY(dst, src, dstsize) { \ | ||
265 | + if (strlen(src) < (dstsize)) \ | ||
266 | + strcpy(dst, src); \ | ||
267 | + else return (XpmFileInvalid); } | ||
268 | +#endif | ||
269 | |||
270 | LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, | ||
271 | unsigned int height, unsigned int ncolors, | ||
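Review bot: `STRLCAT` and `STRLCPY` hide a `return (XpmFileInvalid)` inside the macro, so a truncation leaves the calling function without running its cleanup; in the later hunks that call `STRLCAT(curbuf, ...)`, the neighbouring error paths run `xpmFreeColorTable(colorTable, ncolors)` before returning, and the macro path would skip that and leak the table. The bare `{ ... }` body also misparses if a call is ever followed by `else`, and the arguments are unparenthesised and evaluated more than once. Turning the macro into an expression that reports truncation and unwinding at the call site addresses all three; the macro name in the sketch below is only a suggestion.

```c
/* Nonzero when src does not fit in dst; the caller decides how to unwind. */
#ifdef HAS_STRLCAT
# define STRLCAT_FAILS(dst, src, dstsize) \
    (strlcat((dst), (src), (dstsize)) >= (dstsize))
#else
# define STRLCAT_FAILS(dst, src, dstsize) \
    (strlen(dst) + strlen(src) >= (dstsize) ? 1 : (strcat((dst), (src)), 0))
#endif

/* ... unchanged: prototypes and parser setup ... */

/* at each call site that appends to curbuf */
if (STRLCAT_FAILS(curbuf, buf, sizeof(curbuf))) {
    xpmFreeColorTable(colorTable, ncolors);
    return (XpmFileInvalid);
}
```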
272 | @@ -215,7 +234,7 @@ | ||
273 | unsigned int *extensions; | ||
274 | { | ||
275 | unsigned int l; | ||
276 | - char buf[BUFSIZ]; | ||
277 | + char buf[BUFSIZ + 1]; | ||
278 | |||
279 | if (!data->format) { /* XPM 2 or 3 */ | ||
280 | |||
281 | @@ -324,10 +343,10 @@ | ||
282 | XpmColor **colorTablePtr; | ||
283 | xpmHashTable *hashtable; | ||
284 | { | ||
285 | - unsigned int key, l, a, b; | ||
286 | + unsigned int key, l, a, b, len; | ||
287 | unsigned int curkey; /* current color key */ | ||
288 | unsigned int lastwaskey; /* key read */ | ||
289 | - char buf[BUFSIZ]; | ||
290 | + char buf[BUFSIZ + 1]; | ||
291 | char curbuf[BUFSIZ]; /* current buffer */ | ||
292 | char **sptr, *s; | ||
293 | XpmColor *color; | ||
294 | @@ -335,6 +354,8 @@ | ||
295 | char **defaults; | ||
296 | int ErrorStatus; | ||
297 | |||
298 | + if (ncolors >= SIZE_MAX / sizeof(XpmColor)) | ||
299 | + return (XpmNoMemory); | ||
300 | colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); | ||
301 | if (!colorTable) | ||
302 | return (XpmNoMemory); | ||
303 | @@ -346,6 +367,10 @@ | ||
304 | /* | ||
305 | * read pixel value | ||
306 | */ | ||
307 | + if (cpp >= SIZE_MAX - 1) { | ||
308 | + xpmFreeColorTable(colorTable, ncolors); | ||
309 | + return (XpmNoMemory); | ||
310 | + } | ||
311 | color->string = (char *) XpmMalloc(cpp + 1); | ||
312 | if (!color->string) { | ||
313 | xpmFreeColorTable(colorTable, ncolors); | ||
314 | @@ -383,13 +408,14 @@ | ||
315 | } | ||
316 | if (!lastwaskey && key < NKEYS) { /* open new key */ | ||
317 | if (curkey) { /* flush string */ | ||
318 | - s = (char *) XpmMalloc(strlen(curbuf) + 1); | ||
319 | + len = strlen(curbuf) + 1; | ||
320 | + s = (char *) XpmMalloc(len); | ||
321 | if (!s) { | ||
322 | xpmFreeColorTable(colorTable, ncolors); | ||
323 | return (XpmNoMemory); | ||
324 | } | ||
325 | defaults[curkey] = s; | ||
326 | - strcpy(s, curbuf); | ||
327 | + memcpy(s, curbuf, len); | ||
328 | } | ||
329 | curkey = key + 1; /* set new key */ | ||
330 | *curbuf = '\0'; /* reset curbuf */ | ||
331 | @@ -400,9 +426,9 @@ | ||
332 | return (XpmFileInvalid); | ||
333 | } | ||
334 | if (!lastwaskey) | ||
335 | - strcat(curbuf, " "); /* append space */ | ||
336 | + STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ | ||
337 | buf[l] = '\0'; | ||
338 | - strcat(curbuf, buf);/* append buf */ | ||
339 | + STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */ | ||
340 | lastwaskey = 0; | ||
341 | } | ||
342 | } | ||
343 | @@ -410,12 +436,13 @@ | ||
344 | xpmFreeColorTable(colorTable, ncolors); | ||
345 | return (XpmFileInvalid); | ||
346 | } | ||
347 | - s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1); | ||
348 | + len = strlen(curbuf) + 1; | ||
349 | + s = defaults[curkey] = (char *) XpmMalloc(len); | ||
350 | if (!s) { | ||
351 | xpmFreeColorTable(colorTable, ncolors); | ||
352 | return (XpmNoMemory); | ||
353 | } | ||
354 | - strcpy(s, curbuf); | ||
355 | + memcpy(s, curbuf, len); | ||
356 | } | ||
357 | } else { /* XPM 1 */ | ||
358 | /* get to the beginning of the first string */ | ||
359 | @@ -428,6 +455,10 @@ | ||
360 | /* | ||
361 | * read pixel value | ||
362 | */ | ||
363 | + if (cpp >= SIZE_MAX - 1) { | ||
364 | + xpmFreeColorTable(colorTable, ncolors); | ||
365 | + return (XpmNoMemory); | ||
366 | + } | ||
367 | color->string = (char *) XpmMalloc(cpp + 1); | ||
368 | if (!color->string) { | ||
369 | xpmFreeColorTable(colorTable, ncolors); | ||
370 | @@ -456,16 +487,17 @@ | ||
371 | *curbuf = '\0'; /* init curbuf */ | ||
372 | while ((l = xpmNextWord(data, buf, BUFSIZ))) { | ||
373 | if (*curbuf != '\0') | ||
374 | - strcat(curbuf, " ");/* append space */ | ||
375 | + STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */ | ||
376 | buf[l] = '\0'; | ||
377 | - strcat(curbuf, buf); /* append buf */ | ||
378 | + STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ | ||
379 | } | ||
380 | - s = (char *) XpmMalloc(strlen(curbuf) + 1); | ||
381 | + len = strlen(curbuf) + 1; | ||
382 | + s = (char *) XpmMalloc(len); | ||
383 | if (!s) { | ||
384 | xpmFreeColorTable(colorTable, ncolors); | ||
385 | return (XpmNoMemory); | ||
386 | } | ||
387 | - strcpy(s, curbuf); | ||
388 | + memcpy(s, curbuf, len); | ||
389 | color->c_color = s; | ||
390 | *curbuf = '\0'; /* reset curbuf */ | ||
391 | if (a < ncolors - 1) | ||
392 | @@ -490,6 +522,9 @@ | ||
393 | unsigned int *iptr, *iptr2; | ||
394 | unsigned int a, x, y; | ||
395 | |||
396 | + if ((height > 0 && width >= SIZE_MAX / height) || | ||
397 | + width * height >= SIZE_MAX / sizeof(unsigned int)) | ||
398 | + return XpmNoMemory; | ||
399 | #ifndef FOR_MSW | ||
400 | iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); | ||
401 | #else | ||
402 | @@ -513,6 +548,9 @@ | ||
403 | { | ||
404 | unsigned short colidx[256]; | ||
405 | |||
406 | + if (ncolors > 256) | ||
407 | + return (XpmFileInvalid); | ||
408 | + | ||
409 | bzero((char *)colidx, 256 * sizeof(short)); | ||
410 | for (a = 0; a < ncolors; a++) | ||
411 | colidx[(unsigned char)colorTable[a].string[0]] = a + 1; | ||
412 | @@ -590,6 +628,9 @@ | ||
413 | char *s; | ||
414 | char buf[BUFSIZ]; | ||
415 | |||
416 | + if (cpp >= sizeof(buf)) | ||
417 | + return (XpmFileInvalid); | ||
418 | + | ||
419 | buf[cpp] = '\0'; | ||
420 | if (USE_HASHTABLE) { | ||
421 | xpmHashAtom *slot; |