Contents of /trunk/openmotif/patches/openmotif-2.2.3-CAN-2004-0687-0688.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 13114 byte(s)
-import
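--- a/openMotif-2.2.3/lib/Xm/Xpmhashtab.c
+++ b/openMotif-2.2.3/lib/Xm/Xpmhashtab.c
@@ -141,7 +141,7 @@
 xpmHashTable *table;
 {
 xpmHashAtom *atomTable = table->atomTable;
- int size = table->size;
+ unsigned int size = table->size;
 xpmHashAtom *t, *p;
 int i;
 int oldSize = size;
@@ -150,6 +150,8 @@
 HASH_TABLE_GROWS
 table->size = size;
 table->limit = size / 3;
+ if (size >= SIZE_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
 atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
 if (!atomTable)
 return (XpmNoMemory);
@@ -210,6 +212,8 @@
 table->size = INITIAL_HASH_SIZE;
 table->limit = table->size / 3;
 table->used = 0;
+ if (table->size >= SIZE_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
 atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
 if (!atomTable)
 return (XpmNoMemory);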
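Review bot: In the second hunk the new size check runs after `table->size = size;` and `table->limit = size / 3;`, so when it returns `XpmNoMemory` the table already records the grown size while `table->atomTable` is still the old, smaller array. Any later use of the table that indexes by `table->size` could then run past that allocation; moving `if (size >= SIZE_MAX / sizeof(*atomTable)) return (XpmNoMemory);` above `table->size = size;`, and assigning the two fields only once `XpmMalloc` has succeeded, keeps the table consistent on failure. `HASH_TABLE_GROWS` is a macro defined outside the hunk; if it doubles `size`, the now-unsigned value can wrap before the check sees it, and `int oldSize = size;` in the first hunk still narrows it to a signed type. The check added in the third hunk tests `table->size` right after it is set to `INITIAL_HASH_SIZE`, so it is defensive only and deserves a comment saying so.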
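--- a/openMotif-2.2.3/lib/Xm/XpmWrFFrI.c
+++ b/openMotif-2.2.3/lib/Xm/XpmWrFFrI.c
@@ -244,6 +244,8 @@
 unsigned int x, y, h;
 
 h = height - 1;
+ if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)
+ return (XpmNoMemory);
 p = buf = (char *) XpmMalloc(width * cpp + 3);
 if (!buf)
 return (XpmNoMemory);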
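Review bot: The added guard compares `width` with `(SIZE_MAX - 3)/cpp`, but the allocation size `width * cpp + 3` is evaluated in the operands' own type. If both are `unsigned int`, as the neighbouring `unsigned int x, y, h;` suggests (their declarations are outside the hunk), the product wraps at `UINT_MAX`, and on a platform where `size_t` is wider the guard never fires. Either test against `UINT_MAX` or widen before multiplying, for example `XpmMalloc((size_t)width * cpp + 3)`. The same pattern appears in the `width * height` checks in Xpmscan.c and Xpmparse.c, where the product inside the condition can itself wrap, and in the `bytes_per_line * height` allocation in Xpmcreate.c.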
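--- a/openMotif-2.2.3/lib/Xm/Xpmdata.c
+++ b/openMotif-2.2.3/lib/Xm/Xpmdata.c
@@ -376,7 +376,7 @@
 {
 if (!mdata->type)
 *cmt = NULL;
- else if (mdata->CommentLength) {
+ else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) {
 *cmt = (char *) XpmMalloc(mdata->CommentLength + 1);
 strncpy(*cmt, mdata->Comment, mdata->CommentLength);
 (*cmt)[mdata->CommentLength] = '\0';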
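Review bot: The result of `XpmMalloc(mdata->CommentLength + 1)` is still passed straight to `strncpy` and then indexed, so an allocation failure dereferences NULL; the tightened length condition does not cover that case. Guard the copy with something like `if (*cmt == NULL) return XpmNoMemory;`, adjusted to whatever the enclosing function actually returns, since its signature and the trailing `else` branch are outside the hunk. A one-line comment on the new condition, `/* CommentLength + 1 must not wrap */`, would also explain why the upper bound is there.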
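--- a/openMotif-2.2.3/lib/Xm/XpmI.h
+++ b/openMotif-2.2.3/lib/Xm/XpmI.h
@@ -179,6 +179,18 @@
 boundCheckingCalloc((long)(nelem),(long) (elsize))
 #endif
 
+#if defined(SCO) || defined(__USLC__)
+#include <stdint.h> /* For SIZE_MAX */
+#endif
+#include <limits.h>
+#ifndef SIZE_MAX
+# ifdef ULONG_MAX
+# define SIZE_MAX ULONG_MAX
+# else
+# define SIZE_MAX UINT_MAX
+# endif
+#endif
+
 #define XPMMAXCMTLEN BUFSIZ
 typedef struct {
 unsigned int type;
@@ -276,9 +288,9 @@
 } *xpmHashAtom;
 
 typedef struct {
- int size;
- int limit;
- int used;
+ unsigned int size;
+ unsigned int limit;
+ unsigned int used;
 xpmHashAtom *atomTable;
 } xpmHashTable;
 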
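Review bot: The `SIZE_MAX` fallback is `ULONG_MAX`, which is the limit of `unsigned long` rather than of `size_t`; on an ABI where the two differ in width, every overflow check built on it is either too loose or too strict. Because `<limits.h>` always provides `ULONG_MAX`, the `UINT_MAX` branch is dead code. A fallback derived from the type itself is safer for these runtime comparisons: `# define SIZE_MAX ((size_t)-1)`. The second hunk turns `size`, `limit` and `used` into `unsigned int`; code that compares them with signed locals lies outside this diff and should be checked for changed sign-compare behaviour.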
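--- a/openMotif-2.2.3/lib/Xm/XpmCrDatFrI.c
+++ b/openMotif-2.2.3/lib/Xm/XpmCrDatFrI.c
@@ -134,6 +134,8 @@
 */
 header_nlines = 1 + image->ncolors;
 header_size = sizeof(char *) * header_nlines;
+ if (header_size >= SIZE_MAX / sizeof(char *))
+ return (XpmNoMemory);
 header = (char **) XpmCalloc(header_size, sizeof(char *));
 if (!header)
 return (XpmNoMemory);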
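Review bot: The new check tests `header_size` after `header_size = sizeof(char *) * header_nlines;` has already been computed, so it compares a possibly wrapped product and an oversized `image->ncolors` can pass; `header_nlines = 1 + image->ncolors` can wrap one line earlier as well. The bound belongs on the count before any arithmetic, for example `if (image->ncolors >= SIZE_MAX / sizeof(char *) - 1) return (XpmNoMemory);` placed above the `header_nlines` assignment. The declarations of both variables are outside the hunk, so confirm the width in which the product is evaluated and use that type's limit if it is narrower than `size_t`.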
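--- a/openMotif-2.2.3/lib/Xm/Xpmscan.c
+++ b/openMotif-2.2.3/lib/Xm/Xpmscan.c
@@ -98,7 +98,8 @@
 LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
 XpmAttributes *attributes));
 
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
+ unsigned int ncolors,
 Pixel *pixels, unsigned int mask,
 unsigned int cpp, XpmAttributes *attributes));
 
@@ -225,11 +226,17 @@
 else
 cpp = 0;
 
+ if ((height > 0 && width >= SIZE_MAX / height) ||
+ width * height >= SIZE_MAX / sizeof(unsigned int))
+ RETURN(XpmNoMemory);
 pmap.pixelindex =
 (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
 if (!pmap.pixelindex)
 RETURN(XpmNoMemory);
 
+ if (pmap.size >= SIZE_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
+
 pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
 if (!pmap.pixels)
 RETURN(XpmNoMemory);
@@ -285,6 +292,8 @@
 * color
 */
 
+ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
+ RETURN(XpmNoMemory);
 colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
 if (!colorTable)
 RETURN(XpmNoMemory);
@@ -332,6 +341,8 @@
 
 /* first get a character string */
 a = 0;
+ if (cpp >= SIZE_MAX - 1)
+ return (XpmNoMemory);
 if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
 return (XpmNoMemory);
 *s++ = printable[c = a % MAXPRINTABLE];
@@ -379,7 +390,7 @@
 ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
 Display *display;
 XpmColor *colors;
- int ncolors;
+ unsigned int ncolors;
 Pixel *pixels;
 unsigned int mask;
 unsigned int cpp;
@@ -423,6 +434,8 @@
 }
 
 /* first get character strings and rgb values */
+ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
+ return (XpmNoMemory);
 xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
 if (!xcolors)
 return (XpmNoMemory);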
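Review bot: The `cpp >= SIZE_MAX - 1` guards, one in front of `XpmMalloc(cpp + 1)` and one inside the `ScanOtherColors` check, do not bound the value they are meant to bound. `cpp` is declared `unsigned int`, so `cpp + 1` wraps at `UINT_MAX`, and where `size_t` is wider than `unsigned int` the comparison can never be true. Comparing with the operand's own limit fixes it, `if (cpp >= UINT_MAX - 1)`, and the same applies to the two `cpp` guards added in Xpmparse.c. Since `cpp` is a characters-per-pixel count, a much smaller documented maximum would be a clearer contract than a near-overflow bound. The enclosing functions begin outside these hunks.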
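--- a/openMotif-2.2.3/lib/Xm/XpmAttrib.c
+++ b/openMotif-2.2.3/lib/Xm/XpmAttrib.c
@@ -41,8 +41,8 @@
 #include "XpmI.h"
 
 /* 3.2 backward compatibility code */
-LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors,
- XpmColor ***oldct));
+LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
+ XpmColor ***oldct));
 
 LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
 
@@ -52,12 +52,15 @@
 static int
 CreateOldColorTable(ct, ncolors, oldct)
 XpmColor *ct;
- int ncolors;
+ unsigned int ncolors;
 XpmColor ***oldct;
 {
 XpmColor **colorTable, **color;
 int a;
 
+ if (ncolors >= SIZE_MAX / sizeof(XpmColor *))
+ return XpmNoMemory;
+
 colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
 if (!colorTable) {
 *oldct = NULL;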
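Review bot: The new early `return XpmNoMemory;` in `CreateOldColorTable` leaves `*oldct` untouched, while the allocation-failure branch directly below sets `*oldct = NULL;` before returning; a caller that inspects or frees `*oldct` after an error would see an indeterminate pointer on the new path. Set it in the guard as well: `if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) { *oldct = NULL; return XpmNoMemory; }`. `ncolors` is now `unsigned int`, but the counter `int a;` and the `FreeOldColorTable` prototype still use `int`, so any comparison of `a` with `ncolors` further down (outside the hunk) becomes mixed-sign.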
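--- a/openMotif-2.2.3/lib/Xm/Xpmcreate.c
+++ b/openMotif-2.2.3/lib/Xm/Xpmcreate.c
@@ -804,6 +804,9 @@
 
 ErrorStatus = XpmSuccess;
 
+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
+ return (XpmNoMemory);
+
 /* malloc pixels index tables */
 image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
 if (!image_pixels)
@@ -947,6 +950,8 @@
 return (XpmNoMemory);
 
 #ifndef FOR_MSW
+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
+ return XpmNoMemory;
 /* now that bytes_per_line must have been set properly alloc data */
 (*image_return)->data =
 (char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1992,6 +1997,9 @@
 xpmGetCmt(data, &colors_cmt);
 
 /* malloc pixels index tables */
+ if (ncolors >= SIZE_MAX / sizeof(Pixel))
+ return XpmNoMemory;
+
 image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
 if (!image_pixels)
 RETURN(XpmNoMemory);
@@ -2207,6 +2215,9 @@
 {
 unsigned short colidx[256];
 
+ if (ncolors > 256)
+ return (XpmFileInvalid);
+
 bzero((char *)colidx, 256 * sizeof(short));
 for (a = 0; a < ncolors; a++)
 colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -2305,6 +2316,9 @@
 char *s;
 char buf[BUFSIZ];
 
+ if (cpp >= sizeof(buf))
+ return (XpmFileInvalid);
+
 buf[cpp] = '\0';
 if (USE_HASHTABLE) {
 xpmHashAtom *slot;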
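Review bot: The guard added after `xpmGetCmt(data, &colors_cmt);` exits with a plain `return XpmNoMemory;`, whereas the very next failure in the same hunk uses `RETURN(XpmNoMemory)`. If `RETURN` performs the function's cleanup (its definition is outside the hunk), the new path skips it and leaks whatever has been allocated so far, including the comment just fetched; use `RETURN(XpmNoMemory);` there. The `bytes_per_line` guard in the second hunk likewise returns while `*image_return` is still allocated; the code that creates the image is outside the hunk, but it probably has to be destroyed and the pointer cleared before returning.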
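--- a/openMotif-2.2.3/lib/Xm/Xpmparse.c
+++ b/openMotif-2.2.3/lib/Xm/Xpmparse.c
@@ -46,6 +46,25 @@
 
 #include "XpmI.h"
 #include <ctype.h>
+#include <string.h>
+
+#ifdef HAS_STRLCAT
+# define STRLCAT(dst, src, dstsize) { \
+ if (strlcat(dst, src, dstsize) >= (dstsize)) \
+ return (XpmFileInvalid); }
+# define STRLCPY(dst, src, dstsize) { \
+ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
+ return (XpmFileInvalid); }
+#else
+# define STRLCAT(dst, src, dstsize) { \
+ if ((strlen(dst) + strlen(src)) < (dstsize)) \
+ strcat(dst, src); \
+ else return (XpmFileInvalid); }
+# define STRLCPY(dst, src, dstsize) { \
+ if (strlen(src) < (dstsize)) \
+ strcpy(dst, src); \
+ else return (XpmFileInvalid); }
+#endif
 
 LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
 unsigned int height, unsigned int ncolors,
@@ -215,7 +234,7 @@
 unsigned int *extensions;
 {
 unsigned int l;
- char buf[BUFSIZ];
+ char buf[BUFSIZ + 1];
 
 if (!data->format) { /* XPM 2 or 3 */
 
@@ -324,10 +343,10 @@
 XpmColor **colorTablePtr;
 xpmHashTable *hashtable;
 {
- unsigned int key, l, a, b;
+ unsigned int key, l, a, b, len;
 unsigned int curkey; /* current color key */
 unsigned int lastwaskey; /* key read */
- char buf[BUFSIZ];
+ char buf[BUFSIZ + 1];
 char curbuf[BUFSIZ]; /* current buffer */
 char **sptr, *s;
 XpmColor *color;
@@ -335,6 +354,8 @@
 char **defaults;
 int ErrorStatus;
 
+ if (ncolors >= SIZE_MAX / sizeof(XpmColor))
+ return (XpmNoMemory);
 colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
 if (!colorTable)
 return (XpmNoMemory);
@@ -346,6 +367,10 @@
 /*
 * read pixel value
 */
+ if (cpp >= SIZE_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
 color->string = (char *) XpmMalloc(cpp + 1);
 if (!color->string) {
 xpmFreeColorTable(colorTable, ncolors);
@@ -383,13 +408,14 @@
 }
 if (!lastwaskey && key < NKEYS) { /* open new key */
 if (curkey) { /* flush string */
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = (char *) XpmMalloc(len);
 if (!s) {
 xpmFreeColorTable(colorTable, ncolors);
 return (XpmNoMemory);
 }
 defaults[curkey] = s;
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
 }
 curkey = key + 1; /* set new key */
 *curbuf = '\0'; /* reset curbuf */
@@ -400,9 +426,9 @@
 return (XpmFileInvalid);
 }
 if (!lastwaskey)
- strcat(curbuf, " "); /* append space */
+ STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
 buf[l] = '\0';
- strcat(curbuf, buf);/* append buf */
+ STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
 lastwaskey = 0;
 }
 }
@@ -410,12 +436,13 @@
 xpmFreeColorTable(colorTable, ncolors);
 return (XpmFileInvalid);
 }
- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = defaults[curkey] = (char *) XpmMalloc(len);
 if (!s) {
 xpmFreeColorTable(colorTable, ncolors);
 return (XpmNoMemory);
 }
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
 }
 } else { /* XPM 1 */
 /* get to the beginning of the first string */
@@ -428,6 +455,10 @@
 /*
 * read pixel value
 */
+ if (cpp >= SIZE_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
 color->string = (char *) XpmMalloc(cpp + 1);
 if (!color->string) {
 xpmFreeColorTable(colorTable, ncolors);
@@ -456,16 +487,17 @@
 *curbuf = '\0'; /* init curbuf */
 while ((l = xpmNextWord(data, buf, BUFSIZ))) {
 if (*curbuf != '\0')
- strcat(curbuf, " ");/* append space */
+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
 buf[l] = '\0';
- strcat(curbuf, buf); /* append buf */
+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
 }
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = (char *) XpmMalloc(len);
 if (!s) {
 xpmFreeColorTable(colorTable, ncolors);
 return (XpmNoMemory);
 }
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
 color->c_color = s;
 *curbuf = '\0'; /* reset curbuf */
 if (a < ncolors - 1)
@@ -490,6 +522,9 @@
 unsigned int *iptr, *iptr2;
 unsigned int a, x, y;
 
+ if ((height > 0 && width >= SIZE_MAX / height) ||
+ width * height >= SIZE_MAX / sizeof(unsigned int))
+ return XpmNoMemory;
 #ifndef FOR_MSW
 iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
 #else
@@ -513,6 +548,9 @@
 {
 unsigned short colidx[256];
 
+ if (ncolors > 256)
+ return (XpmFileInvalid);
+
 bzero((char *)colidx, 256 * sizeof(short));
 for (a = 0; a < ncolors; a++)
 colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -590,6 +628,9 @@
 char *s;
 char buf[BUFSIZ];
 
+ if (cpp >= sizeof(buf))
+ return (XpmFileInvalid);
+
 buf[cpp] = '\0';
 if (USE_HASHTABLE) {
 xpmHashAtom *slot;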
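Review bot: `STRLCAT` and `STRLCPY` hide a `return (XpmFileInvalid);` inside the macro, and in the colour-parsing hunks they are used where the neighbouring error paths call `xpmFreeColorTable(colorTable, ncolors)` before returning, so an over-long colour string now leaks the table. The macros are also bare `{ ... }` blocks, so `if (!lastwaskey) STRLCAT(...);` expands to a block followed by an empty statement and would stop compiling if an `else` were ever added. Having the macros yield a status (wrapped in `do { ... } while (0)`, or written as `static` functions) and handling it at the call site keeps the cleanup visible: `if (strlen(curbuf) + strlen(buf) >= sizeof(curbuf)) { xpmFreeColorTable(colorTable, ncolors); return (XpmFileInvalid); }`. The enclosing function starts and ends outside these hunks.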