Annotation of /trunk/openmotif/patches/openmotif-2.2.3-CAN-2004-0914-newer.patch
Parent Directory | Revision Log
Revision 153 -
(hide annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 52479 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 52479 byte(s)
-import
1 | niro | 153 | diff -Nur lib/Xm/Imakefile lib/Xm/Imakefile |
2 | --- lib/Xm/Imakefile 2002-01-15 18:30:40.000000000 +0100 | ||
3 | +++ lib/Xm/Imakefile 2005-02-14 14:24:12.000000000 +0100 | ||
4 | @@ -211,7 +211,8 @@ | ||
5 | XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \ | ||
6 | XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \ | ||
7 | XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \ | ||
8 | - XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c | ||
9 | + XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \ | ||
10 | + Xpms_popen.c | ||
11 | |||
12 | #if UseLocalRegex | ||
13 | REGEX_SRCS = regexp.c | ||
14 | @@ -274,7 +275,8 @@ | ||
15 | XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \ | ||
16 | XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \ | ||
17 | XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \ | ||
18 | - XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o | ||
19 | + XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o \ | ||
20 | + Xpms_popen.o | ||
21 | |||
22 | #if UseLocalRegex | ||
23 | REGEX_OBJS = regexp.o | ||
24 | --- lib/Xm/Makefile.am 2004-11-17 19:03:26.962797006 +0100 | ||
25 | +++ lib/Xm/Makefile.am 2004-11-17 19:03:49.421724642 +0100 | ||
26 | @@ -241,7 +241,8 @@ | ||
27 | XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \ | ||
28 | XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \ | ||
29 | XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \ | ||
30 | - XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c | ||
31 | + XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \ | ||
32 | + Xpms_popen.c | ||
33 | |||
34 | NEW_WID_SRCS = IconH.c Container.c IconG.c \ | ||
35 | Notebook.c ComboBox.c GrabShell.c SpinB.c \ | ||
36 | --- /dev/null 1970-01-01 01:00:00.000000000 +0100 | ||
37 | +++ lib/Xm/Xpms_popen.c 2005-02-14 14:24:12.942319466 +0100 | ||
38 | @@ -0,0 +1,182 @@ | ||
39 | +/* | ||
40 | + * Copyright (C) 2004 The X.Org fundation | ||
41 | + * | ||
42 | + * Permission is hereby granted, free of charge, to any person | ||
43 | + * obtaining a copy of this software and associated documentation | ||
44 | + * files (the "Software"), to deal in the Software without | ||
45 | + * restriction, including without limitation the rights to use, copy, | ||
46 | + * modify, merge, publish, distribute, sublicense, and/or sell copies | ||
47 | + * of the Software, and to permit persons to whom the Software is fur- | ||
48 | + * nished to do so, subject to the following conditions: | ||
49 | + * | ||
50 | + * The above copyright notice and this permission notice shall be | ||
51 | + * included in all copies or substantial portions of the Software. | ||
52 | + * | ||
53 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | ||
54 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | ||
55 | + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | ||
56 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR | ||
57 | + * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF | ||
58 | + * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION | ||
59 | + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
60 | + * | ||
61 | + * Except as contained in this notice, the name of the X.Org fundation | ||
62 | + * shall not be used in advertising or otherwise to promote the sale, | ||
63 | + * use or other dealings in this Software without prior written | ||
64 | + * authorization from the X.Org fundation. | ||
65 | + */ | ||
66 | + | ||
67 | +/* | ||
68 | +** This is a secure but NOT 100% compatible replacement for popen() | ||
69 | +** Note: - don't use pclose() use fclose() for closing the returned | ||
70 | +** filedesc.!!! | ||
71 | +** | ||
72 | +** Known Bugs: - unable to use i/o-redirection like > or < | ||
73 | +** Author: - Thomas Biege <thomas@suse.de> | ||
74 | +** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when | ||
75 | +** calling strtok() | ||
76 | +*/ | ||
77 | + | ||
78 | +#include <sys/types.h> | ||
79 | +#include <sys/wait.h> | ||
80 | +#include <stdio.h> | ||
81 | +#include <stdlib.h> | ||
82 | +#include <unistd.h> | ||
83 | +#include <string.h> | ||
84 | +#include "XpmI.h" | ||
85 | + | ||
86 | +#define __SEC_POPEN_TOKEN " " | ||
87 | + | ||
88 | +FILE *Xpms_popen(char *cmd, const char *type) | ||
89 | +{ | ||
90 | + pid_t pid; | ||
91 | + int pfd[2]; | ||
92 | + int rpipe = 0, wpipe = 0, i; | ||
93 | + char **argv; | ||
94 | + char *ptr; | ||
95 | + char *cmdcpy; | ||
96 | + | ||
97 | + | ||
98 | + if(cmd == NULL || cmd == "") | ||
99 | + return(NULL); | ||
100 | + | ||
101 | + if(type[0] != 'r' && type[0] != 'w') | ||
102 | + return(NULL); | ||
103 | + | ||
104 | + if ((cmdcpy = strdup(cmd)) == NULL) | ||
105 | + return(NULL); | ||
106 | + | ||
107 | + argv = NULL; | ||
108 | + if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL) | ||
109 | + { | ||
110 | + free(cmdcpy); | ||
111 | + return(NULL); | ||
112 | + } | ||
113 | + | ||
114 | + for(i = 0;; i++) | ||
115 | + { | ||
116 | + if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL) | ||
117 | + { | ||
118 | + free(cmdcpy); | ||
119 | + return(NULL); | ||
120 | + } | ||
121 | + | ||
122 | + if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL) | ||
123 | + { | ||
124 | + free(cmdcpy); | ||
125 | + return(NULL); | ||
126 | + } | ||
127 | + | ||
128 | + strcpy(argv[i], ptr); | ||
129 | + | ||
130 | + if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL) | ||
131 | + { | ||
132 | + if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL) | ||
133 | + { | ||
134 | + free(cmdcpy); | ||
135 | + return(NULL); | ||
136 | + } | ||
137 | + argv[i+1] = NULL; | ||
138 | + break; | ||
139 | + } | ||
140 | + } | ||
141 | + | ||
142 | + | ||
143 | + if(type[0] == 'r') | ||
144 | + rpipe = 1; | ||
145 | + else | ||
146 | + wpipe = 1; | ||
147 | + | ||
148 | + if (pipe(pfd) < 0) | ||
149 | + { | ||
150 | + free(cmdcpy); | ||
151 | + return(NULL); | ||
152 | + } | ||
153 | + | ||
154 | + if((pid = fork()) < 0) | ||
155 | + { | ||
156 | + close(pfd[0]); | ||
157 | + close(pfd[1]); | ||
158 | + free(cmdcpy); | ||
159 | + return(NULL); | ||
160 | + } | ||
161 | + | ||
162 | + if(pid == 0) /* child */ | ||
163 | + { | ||
164 | + if((pid = fork()) < 0) | ||
165 | + { | ||
166 | + close(pfd[0]); | ||
167 | + close(pfd[1]); | ||
168 | + free(cmdcpy); | ||
169 | + return(NULL); | ||
170 | + } | ||
171 | + if(pid > 0) | ||
172 | + { | ||
173 | + exit(0); /* child nr. 1 exits */ | ||
174 | + } | ||
175 | + | ||
176 | + /* child nr. 2 */ | ||
177 | + if(rpipe) | ||
178 | + { | ||
179 | + close(pfd[0]); /* close reading end, we don't need it */ | ||
180 | + dup2(STDOUT_FILENO, STDERR_FILENO); | ||
181 | + if (pfd[1] != STDOUT_FILENO) | ||
182 | + dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */ | ||
183 | + } | ||
184 | + else | ||
185 | + { | ||
186 | + close(pfd[1]); /* close writing end, we don't need it */ | ||
187 | + if (pfd[0] != STDIN_FILENO) | ||
188 | + dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */ | ||
189 | + } | ||
190 | + | ||
191 | + if(strchr(argv[0], '/') == NULL) | ||
192 | + execvp(argv[0], argv); /* search in $PATH */ | ||
193 | + else | ||
194 | + execv(argv[0], argv); | ||
195 | + | ||
196 | + close(pfd[0]); | ||
197 | + close(pfd[1]); | ||
198 | + free(cmdcpy); | ||
199 | + return(NULL); /* exec failed.. ooops! */ | ||
200 | + } | ||
201 | + else /* parent */ | ||
202 | + { | ||
203 | + waitpid(pid, NULL, 0); /* wait for child nr. 1 */ | ||
204 | + | ||
205 | + if(rpipe) | ||
206 | + { | ||
207 | + close(pfd[1]); | ||
208 | + free(cmdcpy); | ||
209 | + return(fdopen(pfd[0], "r")); | ||
210 | + } | ||
211 | + else | ||
212 | + { | ||
213 | + close(pfd[0]); | ||
214 | + free(cmdcpy); | ||
215 | + return(fdopen(pfd[1], "w")); | ||
216 | + } | ||
217 | + | ||
218 | + } | ||
219 | +} | ||
220 | + | ||
221 | diff -Nur lib/Xm/XpmAttrib.c lib/Xm/XpmAttrib.c | ||
222 | --- lib/Xm/XpmAttrib.c 2005-02-14 15:20:49.346039704 +0100 | ||
223 | +++ lib/Xm/XpmAttrib.c 2005-02-14 14:26:42.742624081 +0100 | ||
224 | @@ -44,7 +44,7 @@ | ||
225 | LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, | ||
226 | XpmColor ***oldct)); | ||
227 | |||
228 | -LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); | ||
229 | +LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors)); | ||
230 | |||
231 | /* | ||
232 | * Create a colortable compatible with the old style colortable | ||
233 | @@ -56,9 +56,9 @@ | ||
234 | XpmColor ***oldct; | ||
235 | { | ||
236 | XpmColor **colorTable, **color; | ||
237 | - int a; | ||
238 | + unsigned int a; | ||
239 | |||
240 | - if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) | ||
241 | + if (ncolors >= UINT_MAX / sizeof(XpmColor *)) | ||
242 | return XpmNoMemory; | ||
243 | |||
244 | colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); | ||
245 | @@ -75,9 +75,9 @@ | ||
246 | static void | ||
247 | FreeOldColorTable(colorTable, ncolors) | ||
248 | XpmColor **colorTable; | ||
249 | - int ncolors; | ||
250 | + unsigned int ncolors; | ||
251 | { | ||
252 | - int a, b; | ||
253 | + unsigned int a, b; | ||
254 | XpmColor **color; | ||
255 | char **sptr; | ||
256 | |||
257 | @@ -128,7 +128,7 @@ | ||
258 | XpmExtension *ext; | ||
259 | char **sptr; | ||
260 | |||
261 | - if (extensions) { | ||
262 | + if (extensions && nextensions > 0) { | ||
263 | for (i = 0, ext = extensions; i < nextensions; i++, ext++) { | ||
264 | if (ext->name) | ||
265 | XpmFree(ext->name); | ||
266 | diff -Nur lib/Xm/XpmCrBufFrI.c lib/Xm/XpmCrBufFrI.c | ||
267 | --- lib/Xm/XpmCrBufFrI.c 2003-08-15 11:08:59.000000000 +0200 | ||
268 | +++ lib/Xm/XpmCrBufFrI.c 2005-02-14 14:28:44.975393496 +0100 | ||
269 | @@ -41,21 +41,26 @@ | ||
270 | #endif | ||
271 | |||
272 | |||
273 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
274 | + | ||
275 | + | ||
276 | #include "XpmI.h" | ||
277 | |||
278 | LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size, | ||
279 | unsigned int *used_size, XpmColor *colors, | ||
280 | unsigned int ncolors, unsigned int cpp)); | ||
281 | |||
282 | -LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size, | ||
283 | +LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size, | ||
284 | + unsigned int *used_size, | ||
285 | unsigned int width, unsigned int height, | ||
286 | unsigned int cpp, unsigned int *pixels, | ||
287 | XpmColor *colors)); | ||
288 | |||
289 | -LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size, | ||
290 | +LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size, | ||
291 | + unsigned int *used_size, | ||
292 | XpmExtension *ext, unsigned int num)); | ||
293 | |||
294 | -LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num)); | ||
295 | +LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num)); | ||
296 | LFUNC(CommentsSize, int, (XpmInfo *info)); | ||
297 | |||
298 | int | ||
299 | @@ -98,11 +103,12 @@ | ||
300 | |||
301 | #undef RETURN | ||
302 | #define RETURN(status) \ | ||
303 | +do \ | ||
304 | { \ | ||
305 | if (ptr) \ | ||
306 | XpmFree(ptr); \ | ||
307 | return(status); \ | ||
308 | -} | ||
309 | +} while(0) | ||
310 | |||
311 | int | ||
312 | XpmCreateBufferFromXpmImage(buffer_return, image, info) | ||
313 | @@ -116,7 +122,7 @@ | ||
314 | unsigned int cmts, extensions, ext_size = 0; | ||
315 | unsigned int l, cmt_size = 0; | ||
316 | char *ptr = NULL, *p; | ||
317 | - unsigned int ptr_size, used_size; | ||
318 | + unsigned int ptr_size, used_size, tmp; | ||
319 | |||
320 | *buffer_return = NULL; | ||
321 | |||
322 | @@ -138,7 +144,13 @@ | ||
323 | #ifdef VOID_SPRINTF | ||
324 | used_size = strlen(buf); | ||
325 | #endif | ||
326 | - ptr_size = used_size + ext_size + cmt_size + 1; | ||
327 | + ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */ | ||
328 | + if(ptr_size <= used_size || | ||
329 | + ptr_size <= ext_size || | ||
330 | + ptr_size <= cmt_size) | ||
331 | + { | ||
332 | + return XpmNoMemory; | ||
333 | + } | ||
334 | ptr = (char *) XpmMalloc(ptr_size); | ||
335 | if (!ptr) | ||
336 | return XpmNoMemory; | ||
337 | @@ -149,7 +161,7 @@ | ||
338 | #ifndef VOID_SPRINTF | ||
339 | used_size += | ||
340 | #endif | ||
341 | - sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt); | ||
342 | + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt); | ||
343 | #ifdef VOID_SPRINTF | ||
344 | used_size += strlen(info->hints_cmt) + 5; | ||
345 | #endif | ||
346 | @@ -167,7 +179,7 @@ | ||
347 | #ifndef VOID_SPRINTF | ||
348 | l += | ||
349 | #endif | ||
350 | - sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot); | ||
351 | + snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot); | ||
352 | #ifdef VOID_SPRINTF | ||
353 | l = strlen(buf); | ||
354 | #endif | ||
355 | @@ -189,6 +201,8 @@ | ||
356 | l = strlen(buf); | ||
357 | #endif | ||
358 | ptr_size += l; | ||
359 | + if(ptr_size <= l) | ||
360 | + RETURN(XpmNoMemory); | ||
361 | p = (char *) XpmRealloc(ptr, ptr_size); | ||
362 | if (!p) | ||
363 | RETURN(XpmNoMemory); | ||
364 | @@ -201,7 +215,7 @@ | ||
365 | #ifndef VOID_SPRINTF | ||
366 | used_size += | ||
367 | #endif | ||
368 | - sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt); | ||
369 | + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt); | ||
370 | #ifdef VOID_SPRINTF | ||
371 | used_size += strlen(info->colors_cmt) + 5; | ||
372 | #endif | ||
373 | @@ -217,7 +231,12 @@ | ||
374 | * 4 = 1 (for '"') + 3 (for '",\n') | ||
375 | * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n') | ||
376 | */ | ||
377 | - ptr_size += image->height * (image->width * image->cpp + 4) + 1; | ||
378 | + if(image->width > UINT_MAX / image->cpp || | ||
379 | + (tmp = image->width * image->cpp + 4) <= 4 || | ||
380 | + image->height > UINT_MAX / tmp || | ||
381 | + (tmp = image->height * tmp + 1) <= 1 || | ||
382 | + (ptr_size += tmp) <= tmp) | ||
383 | + RETURN(XpmNoMemory); | ||
384 | |||
385 | p = (char *) XpmRealloc(ptr, ptr_size); | ||
386 | if (!p) | ||
387 | @@ -229,17 +248,17 @@ | ||
388 | #ifndef VOID_SPRINTF | ||
389 | used_size += | ||
390 | #endif | ||
391 | - sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt); | ||
392 | + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt); | ||
393 | #ifdef VOID_SPRINTF | ||
394 | used_size += strlen(info->pixels_cmt) + 5; | ||
395 | #endif | ||
396 | } | ||
397 | - WritePixels(ptr + used_size, &used_size, image->width, image->height, | ||
398 | + WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height, | ||
399 | image->cpp, image->data, image->colorTable); | ||
400 | |||
401 | /* print extensions */ | ||
402 | if (extensions) | ||
403 | - WriteExtensions(ptr + used_size, &used_size, | ||
404 | + WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size, | ||
405 | info->extensions, info->nextensions); | ||
406 | |||
407 | /* close the array */ | ||
408 | @@ -250,6 +269,7 @@ | ||
409 | return (XpmSuccess); | ||
410 | } | ||
411 | |||
412 | + | ||
413 | static int | ||
414 | WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp) | ||
415 | char **dataptr; | ||
416 | @@ -259,7 +279,7 @@ | ||
417 | unsigned int ncolors; | ||
418 | unsigned int cpp; | ||
419 | { | ||
420 | - char buf[BUFSIZ]; | ||
421 | + char buf[BUFSIZ] = {0}; | ||
422 | unsigned int a, key, l; | ||
423 | char *s, *s2; | ||
424 | char **defaults; | ||
425 | @@ -269,22 +289,34 @@ | ||
426 | |||
427 | defaults = (char **) colors; | ||
428 | s = buf + 1; | ||
429 | - strncpy(s, *defaults++, cpp); | ||
430 | - s += cpp; | ||
431 | - | ||
432 | - for (key = 1; key <= NKEYS; key++, defaults++) { | ||
433 | - if ((s2 = *defaults)) { | ||
434 | -#ifndef VOID_SPRINTF | ||
435 | - s += | ||
436 | -#endif | ||
437 | - sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); | ||
438 | -#ifdef VOID_SPRINTF | ||
439 | - s += strlen(s); | ||
440 | -#endif | ||
441 | - } | ||
442 | - } | ||
443 | - strcpy(s, "\",\n"); | ||
444 | - l = s + 3 - buf; | ||
445 | + if(cpp > (sizeof(buf) - (s-buf))) | ||
446 | + return(XpmNoMemory); | ||
447 | + strncpy(s, *defaults++, cpp); | ||
448 | + s += cpp; | ||
449 | + | ||
450 | + for (key = 1; key <= NKEYS; key++, defaults++) { | ||
451 | + if ((s2 = *defaults)) { | ||
452 | +#ifndef VOID_SPRINTF | ||
453 | + s += | ||
454 | +#endif | ||
455 | + /* assume C99 compliance */ | ||
456 | + snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); | ||
457 | +#ifdef VOID_SPRINTF | ||
458 | + s += strlen(s); | ||
459 | +#endif | ||
460 | + /* now let's check if s points out-of-bounds */ | ||
461 | + if((s-buf) > sizeof(buf)) | ||
462 | + return(XpmNoMemory); | ||
463 | + } | ||
464 | + } | ||
465 | + if(sizeof(buf) - (s-buf) < 4) | ||
466 | + return(XpmNoMemory); | ||
467 | + strcpy(s, "\",\n"); | ||
468 | + l = s + 3 - buf; | ||
469 | + if( *data_size >= UINT_MAX-l || | ||
470 | + *data_size + l <= *used_size || | ||
471 | + (*data_size + l - *used_size) <= sizeof(buf)) | ||
472 | + return(XpmNoMemory); | ||
473 | s = (char *) XpmRealloc(*dataptr, *data_size + l); | ||
474 | if (!s) | ||
475 | return (XpmNoMemory); | ||
476 | @@ -297,8 +329,9 @@ | ||
477 | } | ||
478 | |||
479 | static void | ||
480 | -WritePixels(dataptr, used_size, width, height, cpp, pixels, colors) | ||
481 | +WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors) | ||
482 | char *dataptr; | ||
483 | + unsigned int data_size; | ||
484 | unsigned int *used_size; | ||
485 | unsigned int width; | ||
486 | unsigned int height; | ||
487 | @@ -309,27 +342,36 @@ | ||
488 | char *s = dataptr; | ||
489 | unsigned int x, y, h; | ||
490 | |||
491 | + if(height <= 1) | ||
492 | + return; | ||
493 | + | ||
494 | h = height - 1; | ||
495 | for (y = 0; y < h; y++) { | ||
496 | *s++ = '"'; | ||
497 | for (x = 0; x < width; x++, pixels++) { | ||
498 | - strncpy(s, colors[*pixels].string, cpp); | ||
499 | + if(cpp >= (data_size - (s-dataptr))) | ||
500 | + return; | ||
501 | + strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */ | ||
502 | s += cpp; | ||
503 | } | ||
504 | + if((data_size - (s-dataptr)) < 4) | ||
505 | + return; | ||
506 | strcpy(s, "\",\n"); | ||
507 | s += 3; | ||
508 | } | ||
509 | /* duplicate some code to avoid a test in the loop */ | ||
510 | *s++ = '"'; | ||
511 | for (x = 0; x < width; x++, pixels++) { | ||
512 | - strncpy(s, colors[*pixels].string, cpp); | ||
513 | + if(cpp >= (data_size - (s-dataptr))) | ||
514 | + return; | ||
515 | + strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */ | ||
516 | s += cpp; | ||
517 | } | ||
518 | *s++ = '"'; | ||
519 | *used_size += s - dataptr; | ||
520 | } | ||
521 | |||
522 | -static int | ||
523 | +static unsigned int | ||
524 | ExtensionsSize(ext, num) | ||
525 | XpmExtension *ext; | ||
526 | unsigned int num; | ||
527 | @@ -338,21 +380,26 @@ | ||
528 | char **line; | ||
529 | |||
530 | size = 0; | ||
531 | + if(num == 0) | ||
532 | + return(0); /* ok? */ | ||
533 | for (x = 0; x < num; x++, ext++) { | ||
534 | /* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */ | ||
535 | size += strlen(ext->name) + 11; | ||
536 | - a = ext->nlines; | ||
537 | + a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */ | ||
538 | for (y = 0, line = ext->lines; y < a; y++, line++) | ||
539 | /* 4 = 3 (for ',\n"') + 1 (for '"') */ | ||
540 | size += strlen(*line) + 4; | ||
541 | } | ||
542 | /* 13 is for ',\n"XPMENDEXT"' */ | ||
543 | + if(size > UINT_MAX - 13) /* unlikely */ | ||
544 | + return(0); | ||
545 | return size + 13; | ||
546 | } | ||
547 | |||
548 | static void | ||
549 | -WriteExtensions(dataptr, used_size, ext, num) | ||
550 | +WriteExtensions(dataptr, data_size, used_size, ext, num) | ||
551 | char *dataptr; | ||
552 | + unsigned int data_size; | ||
553 | unsigned int *used_size; | ||
554 | XpmExtension *ext; | ||
555 | unsigned int num; | ||
556 | @@ -363,24 +410,24 @@ | ||
557 | |||
558 | for (x = 0; x < num; x++, ext++) { | ||
559 | #ifndef VOID_SPRINTF | ||
560 | - s += 11 + | ||
561 | + s += | ||
562 | #endif | ||
563 | - sprintf(s, ",\n\"XPMEXT %s\"", ext->name); | ||
564 | + snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name); | ||
565 | #ifdef VOID_SPRINTF | ||
566 | s += strlen(ext->name) + 11; | ||
567 | #endif | ||
568 | a = ext->nlines; | ||
569 | for (y = 0, line = ext->lines; y < a; y++, line++) { | ||
570 | #ifndef VOID_SPRINTF | ||
571 | - s += 4 + | ||
572 | + s += | ||
573 | #endif | ||
574 | - sprintf(s, ",\n\"%s\"", *line); | ||
575 | + snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line); | ||
576 | #ifdef VOID_SPRINTF | ||
577 | s += strlen(*line) + 4; | ||
578 | #endif | ||
579 | } | ||
580 | } | ||
581 | - strcpy(s, ",\n\"XPMENDEXT\""); | ||
582 | + strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1); | ||
583 | *used_size += s - dataptr + 13; | ||
584 | } | ||
585 | |||
586 | @@ -391,6 +438,7 @@ | ||
587 | int size = 0; | ||
588 | |||
589 | /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */ | ||
590 | + /* wrap possible but *very* unlikely */ | ||
591 | if (info->hints_cmt) | ||
592 | size += 5 + strlen(info->hints_cmt); | ||
593 | |||
594 | diff -Nur lib/Xm/XpmCrDatFrI.c lib/Xm/XpmCrDatFrI.c | ||
595 | --- lib/Xm/XpmCrDatFrI.c 2005-02-14 15:20:49.344040101 +0100 | ||
596 | +++ lib/Xm/XpmCrDatFrI.c 2005-02-14 14:32:22.610251056 +0100 | ||
597 | @@ -38,13 +38,16 @@ | ||
598 | #endif | ||
599 | |||
600 | |||
601 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
602 | + | ||
603 | #include "XpmI.h" | ||
604 | |||
605 | LFUNC(CreateColors, int, (char **dataptr, unsigned int *data_size, | ||
606 | XpmColor *colors, unsigned int ncolors, | ||
607 | unsigned int cpp)); | ||
608 | |||
609 | -LFUNC(CreatePixels, void, (char **dataptr, unsigned int width, | ||
610 | +LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size, | ||
611 | + unsigned int width, | ||
612 | unsigned int height, unsigned int cpp, | ||
613 | unsigned int *pixels, XpmColor *colors)); | ||
614 | |||
615 | @@ -52,7 +55,8 @@ | ||
616 | unsigned int *ext_size, | ||
617 | unsigned int *ext_nlines)); | ||
618 | |||
619 | -LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset, | ||
620 | +LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size, | ||
621 | + unsigned int offset, | ||
622 | XpmExtension *ext, unsigned int num, | ||
623 | unsigned int ext_nlines)); | ||
624 | |||
625 | @@ -93,6 +97,7 @@ | ||
626 | |||
627 | #undef RETURN | ||
628 | #define RETURN(status) \ | ||
629 | +do \ | ||
630 | { \ | ||
631 | if (header) { \ | ||
632 | for (l = 0; l < header_nlines; l++) \ | ||
633 | @@ -101,7 +106,7 @@ | ||
634 | XpmFree(header); \ | ||
635 | } \ | ||
636 | return(status); \ | ||
637 | -} | ||
638 | +} while(0) | ||
639 | |||
640 | int | ||
641 | XpmCreateDataFromXpmImage(data_return, image, info) | ||
642 | @@ -133,10 +138,15 @@ | ||
643 | * is the hints line + the color table lines | ||
644 | */ | ||
645 | header_nlines = 1 + image->ncolors; | ||
646 | + | ||
647 | + if(header_nlines <= image->ncolors || | ||
648 | + header_nlines >= UINT_MAX / sizeof(char *)) | ||
649 | + return(XpmNoMemory); | ||
650 | + | ||
651 | header_size = sizeof(char *) * header_nlines; | ||
652 | - if (header_size >= SIZE_MAX / sizeof(char *)) | ||
653 | + if (header_size >= UINT_MAX / sizeof(char *)) | ||
654 | return (XpmNoMemory); | ||
655 | - header = (char **) XpmCalloc(header_size, sizeof(char *)); | ||
656 | + header = (char **) XpmCalloc(header_size, sizeof(char *)); | ||
657 | if (!header) | ||
658 | return (XpmNoMemory); | ||
659 | |||
660 | @@ -180,8 +190,22 @@ | ||
661 | |||
662 | /* now we know the size needed, alloc the data and copy the header lines */ | ||
663 | offset = image->width * image->cpp + 1; | ||
664 | - data_size = header_size + (image->height + ext_nlines) * sizeof(char *) | ||
665 | - + image->height * offset + ext_size; | ||
666 | + | ||
667 | + if(offset <= image->width || offset <= image->cpp) | ||
668 | + RETURN(XpmNoMemory); | ||
669 | + | ||
670 | + if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *)) | ||
671 | + RETURN(XpmNoMemory); | ||
672 | + data_size = (image->height + ext_nlines) * sizeof(char *); | ||
673 | + | ||
674 | + if (image->height > UINT_MAX / offset || | ||
675 | + image->height * offset > UINT_MAX - data_size) | ||
676 | + RETURN(XpmNoMemory); | ||
677 | + data_size += image->height * offset; | ||
678 | + | ||
679 | + if( (header_size + ext_size) >= (UINT_MAX - data_size) ) | ||
680 | + RETURN(XpmNoMemory); | ||
681 | + data_size += header_size + ext_size; | ||
682 | |||
683 | data = (char **) XpmMalloc(data_size); | ||
684 | if (!data) | ||
685 | @@ -189,8 +213,10 @@ | ||
686 | |||
687 | data_nlines = header_nlines + image->height + ext_nlines; | ||
688 | *data = (char *) (data + data_nlines); | ||
689 | + | ||
690 | + /* can header have less elements then n suggests? */ | ||
691 | n = image->ncolors; | ||
692 | - for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) { | ||
693 | + for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) { | ||
694 | strcpy(*sptr, *sptr2); | ||
695 | *(sptr + 1) = *sptr + strlen(*sptr2) + 1; | ||
696 | } | ||
697 | @@ -199,12 +225,13 @@ | ||
698 | data[header_nlines] = (char *) data + header_size | ||
699 | + (image->height + ext_nlines) * sizeof(char *); | ||
700 | |||
701 | - CreatePixels(data + header_nlines, image->width, image->height, | ||
702 | + CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height, | ||
703 | image->cpp, image->data, image->colorTable); | ||
704 | |||
705 | /* print extensions */ | ||
706 | if (extensions) | ||
707 | - CreateExtensions(data + header_nlines + image->height - 1, offset, | ||
708 | + CreateExtensions(data + header_nlines + image->height - 1, | ||
709 | + data_size - header_nlines - image->height + 1, offset, | ||
710 | info->extensions, info->nextensions, | ||
711 | ext_nlines); | ||
712 | |||
713 | @@ -229,18 +256,27 @@ | ||
714 | for (a = 0; a < ncolors; a++, colors++, dataptr++) { | ||
715 | |||
716 | defaults = (char **) colors; | ||
717 | + if(sizeof(buf) <= cpp) | ||
718 | + return(XpmNoMemory); | ||
719 | strncpy(buf, *defaults++, cpp); | ||
720 | s = buf + cpp; | ||
721 | |||
722 | + if(sizeof(buf) <= (s-buf)) | ||
723 | + return XpmNoMemory; | ||
724 | + | ||
725 | for (key = 1; key <= NKEYS; key++, defaults++) { | ||
726 | if ((s2 = *defaults)) { | ||
727 | #ifndef VOID_SPRINTF | ||
728 | s += | ||
729 | #endif | ||
730 | - sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); | ||
731 | + /* assume C99 compliance */ | ||
732 | + snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); | ||
733 | #ifdef VOID_SPRINTF | ||
734 | - s += strlen(s); | ||
735 | + s += strlen(s); | ||
736 | #endif | ||
737 | + /* does s point out-of-bounds? */ | ||
738 | + if(sizeof(buf) < (s-buf)) | ||
739 | + return XpmNoMemory; | ||
740 | } | ||
741 | } | ||
742 | l = s - buf + 1; | ||
743 | @@ -254,8 +290,9 @@ | ||
744 | } | ||
745 | |||
746 | static void | ||
747 | -CreatePixels(dataptr, width, height, cpp, pixels, colors) | ||
748 | +CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors) | ||
749 | char **dataptr; | ||
750 | + unsigned int data_size; | ||
751 | unsigned int width; | ||
752 | unsigned int height; | ||
753 | unsigned int cpp; | ||
754 | @@ -265,21 +302,38 @@ | ||
755 | char *s; | ||
756 | unsigned int x, y, h, offset; | ||
757 | |||
758 | + if(height <= 1) | ||
759 | + return; | ||
760 | + | ||
761 | h = height - 1; | ||
762 | + | ||
763 | offset = width * cpp + 1; | ||
764 | + | ||
765 | + if(offset <= width || offset <= cpp) | ||
766 | + return; | ||
767 | + | ||
768 | + /* why trust h? */ | ||
769 | for (y = 0; y < h; y++, dataptr++) { | ||
770 | s = *dataptr; | ||
771 | + /* why trust width? */ | ||
772 | for (x = 0; x < width; x++, pixels++) { | ||
773 | - strncpy(s, colors[*pixels].string, cpp); | ||
774 | + if(cpp > (data_size - (s - *dataptr))) | ||
775 | + return; | ||
776 | + strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */ | ||
777 | s += cpp; | ||
778 | } | ||
779 | *s = '\0'; | ||
780 | + if(offset > data_size) | ||
781 | + return; | ||
782 | *(dataptr + 1) = *dataptr + offset; | ||
783 | } | ||
784 | /* duplicate some code to avoid a test in the loop */ | ||
785 | s = *dataptr; | ||
786 | + /* why trust width? */ | ||
787 | for (x = 0; x < width; x++, pixels++) { | ||
788 | - strncpy(s, colors[*pixels].string, cpp); | ||
789 | + if(cpp > data_size - (s - *dataptr)) | ||
790 | + return; | ||
791 | + strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? */ | ||
792 | s += cpp; | ||
793 | } | ||
794 | *s = '\0'; | ||
795 | @@ -312,8 +366,9 @@ | ||
796 | } | ||
797 | |||
798 | static void | ||
799 | -CreateExtensions(dataptr, offset, ext, num, ext_nlines) | ||
800 | +CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines) | ||
801 | char **dataptr; | ||
802 | + unsigned int data_size; | ||
803 | unsigned int offset; | ||
804 | XpmExtension *ext; | ||
805 | unsigned int num; | ||
806 | @@ -326,12 +381,12 @@ | ||
807 | dataptr++; | ||
808 | a = 0; | ||
809 | for (x = 0; x < num; x++, ext++) { | ||
810 | - sprintf(*dataptr, "XPMEXT %s", ext->name); | ||
811 | + snprintf(*dataptr, data_size, "XPMEXT %s", ext->name); | ||
812 | a++; | ||
813 | if (a < ext_nlines) | ||
814 | *(dataptr + 1) = *dataptr + strlen(ext->name) + 8; | ||
815 | dataptr++; | ||
816 | - b = ext->nlines; | ||
817 | + b = ext->nlines; /* can we trust these values? */ | ||
818 | for (y = 0, line = ext->lines; y < b; y++, line++) { | ||
819 | strcpy(*dataptr, *line); | ||
820 | a++; | ||
821 | diff -Nur lib/Xm/Xpmcreate.c lib/Xm/Xpmcreate.c | ||
822 | --- lib/Xm/Xpmcreate.c 2005-02-14 15:20:49.348039308 +0100 | ||
823 | +++ lib/Xm/Xpmcreate.c 2005-02-14 14:36:37.104801803 +0100 | ||
824 | @@ -44,6 +44,8 @@ | ||
825 | #endif | ||
826 | |||
827 | |||
828 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
829 | + | ||
830 | #include "XpmI.h" | ||
831 | #include <ctype.h> | ||
832 | |||
833 | @@ -565,7 +567,7 @@ | ||
834 | */ | ||
835 | } else { | ||
836 | #endif | ||
837 | - int i; | ||
838 | + unsigned int i; | ||
839 | |||
840 | ncols = visual->map_entries; | ||
841 | cols = (XColor *) XpmCalloc(ncols, sizeof(XColor)); | ||
842 | @@ -723,6 +725,7 @@ | ||
843 | /* function call in case of error, frees only locally allocated variables */ | ||
844 | #undef RETURN | ||
845 | #define RETURN(status) \ | ||
846 | +do \ | ||
847 | { \ | ||
848 | if (ximage) XDestroyImage(ximage); \ | ||
849 | if (shapeimage) XDestroyImage(shapeimage); \ | ||
850 | @@ -733,7 +736,7 @@ | ||
851 | if (alloc_pixels) XpmFree(alloc_pixels); \ | ||
852 | if (used_pixels) XpmFree(used_pixels); \ | ||
853 | return (status); \ | ||
854 | -} | ||
855 | +} while(0) | ||
856 | |||
857 | int | ||
858 | XpmCreateImageFromXpmImage(display, image, | ||
859 | @@ -804,7 +807,7 @@ | ||
860 | |||
861 | ErrorStatus = XpmSuccess; | ||
862 | |||
863 | - if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) | ||
864 | + if (image->ncolors >= UINT_MAX / sizeof(Pixel)) | ||
865 | return (XpmNoMemory); | ||
866 | |||
867 | /* malloc pixels index tables */ | ||
868 | @@ -950,9 +953,13 @@ | ||
869 | return (XpmNoMemory); | ||
870 | |||
871 | #ifndef FOR_MSW | ||
872 | - if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) | ||
873 | - return XpmNoMemory; | ||
874 | + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { | ||
875 | + XDestroyImage(*image_return); | ||
876 | + return XpmNoMemory; | ||
877 | + } | ||
878 | /* now that bytes_per_line must have been set properly alloc data */ | ||
879 | + if((*image_return)->bytes_per_line == 0 || height == 0) | ||
880 | + return XpmNoMemory; | ||
881 | (*image_return)->data = | ||
882 | (char *) XpmMalloc((*image_return)->bytes_per_line * height); | ||
883 | |||
884 | @@ -980,7 +987,7 @@ | ||
885 | LFUNC(_putbits, void, (register char *src, int dstoffset, | ||
886 | register int numbits, register char *dst)); | ||
887 | |||
888 | -LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); | ||
889 | +LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); | ||
890 | |||
891 | static unsigned char Const _reverse_byte[0x100] = { | ||
892 | 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, | ||
893 | @@ -1020,12 +1027,12 @@ | ||
894 | static int | ||
895 | _XReverse_Bytes(bpt, nb) | ||
896 | register unsigned char *bpt; | ||
897 | - register int nb; | ||
898 | + register unsigned int nb; | ||
899 | { | ||
900 | do { | ||
901 | *bpt = _reverse_byte[*bpt]; | ||
902 | bpt++; | ||
903 | - } while (--nb > 0); | ||
904 | + } while (--nb > 0); /* is nb user-controled? */ | ||
905 | return 0; | ||
906 | } | ||
907 | |||
908 | @@ -1164,7 +1171,7 @@ | ||
909 | register char *src; | ||
910 | register char *dst; | ||
911 | register unsigned int *iptr; | ||
912 | - register int x, y, i; | ||
913 | + register unsigned int x, y, i; | ||
914 | register char *data; | ||
915 | Pixel pixel, px; | ||
916 | int nbytes, depth, ibu, ibpp; | ||
917 | @@ -1174,8 +1181,8 @@ | ||
918 | depth = image->depth; | ||
919 | if (depth == 1) { | ||
920 | ibu = image->bitmap_unit; | ||
921 | - for (y = 0; y < height; y++) | ||
922 | - for (x = 0; x < width; x++, iptr++) { | ||
923 | + for (y = 0; y < height; y++) /* how can we trust height */ | ||
924 | + for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ | ||
925 | pixel = pixels[*iptr]; | ||
926 | for (i = 0, px = pixel; i < sizeof(unsigned long); | ||
927 | i++, px >>= 8) | ||
928 | @@ -1250,12 +1257,12 @@ | ||
929 | { | ||
930 | unsigned char *data; | ||
931 | unsigned int *iptr; | ||
932 | - int y; | ||
933 | + unsigned int y; | ||
934 | Pixel pixel; | ||
935 | |||
936 | #ifdef WITHOUT_SPEEDUPS | ||
937 | |||
938 | - int x; | ||
939 | + unsigned int x; | ||
940 | unsigned char *addr; | ||
941 | |||
942 | data = (unsigned char *) image->data; | ||
943 | @@ -1292,7 +1299,7 @@ | ||
944 | |||
945 | #else /* WITHOUT_SPEEDUPS */ | ||
946 | |||
947 | - int bpl = image->bytes_per_line; | ||
948 | + unsigned int bpl = image->bytes_per_line; | ||
949 | unsigned char *data_ptr, *max_data; | ||
950 | |||
951 | data = (unsigned char *) image->data; | ||
952 | @@ -1360,11 +1367,11 @@ | ||
953 | { | ||
954 | unsigned char *data; | ||
955 | unsigned int *iptr; | ||
956 | - int y; | ||
957 | + unsigned int y; | ||
958 | |||
959 | #ifdef WITHOUT_SPEEDUPS | ||
960 | |||
961 | - int x; | ||
962 | + unsigned int x; | ||
963 | unsigned char *addr; | ||
964 | |||
965 | data = (unsigned char *) image->data; | ||
966 | @@ -1388,7 +1395,7 @@ | ||
967 | |||
968 | Pixel pixel; | ||
969 | |||
970 | - int bpl = image->bytes_per_line; | ||
971 | + unsigned int bpl = image->bytes_per_line; | ||
972 | unsigned char *data_ptr, *max_data; | ||
973 | |||
974 | data = (unsigned char *) image->data; | ||
975 | @@ -1441,11 +1448,11 @@ | ||
976 | { | ||
977 | char *data; | ||
978 | unsigned int *iptr; | ||
979 | - int y; | ||
980 | + unsigned int y; | ||
981 | |||
982 | #ifdef WITHOUT_SPEEDUPS | ||
983 | |||
984 | - int x; | ||
985 | + unsigned int x; | ||
986 | |||
987 | data = image->data; | ||
988 | iptr = pixelindex; | ||
989 | @@ -1455,7 +1462,7 @@ | ||
990 | |||
991 | #else /* WITHOUT_SPEEDUPS */ | ||
992 | |||
993 | - int bpl = image->bytes_per_line; | ||
994 | + unsigned int bpl = image->bytes_per_line; | ||
995 | char *data_ptr, *max_data; | ||
996 | |||
997 | data = image->data; | ||
998 | @@ -1490,12 +1497,12 @@ | ||
999 | PutImagePixels(image, width, height, pixelindex, pixels); | ||
1000 | else { | ||
1001 | unsigned int *iptr; | ||
1002 | - int y; | ||
1003 | + unsigned int y; | ||
1004 | char *data; | ||
1005 | |||
1006 | #ifdef WITHOUT_SPEEDUPS | ||
1007 | |||
1008 | - int x; | ||
1009 | + unsigned int x; | ||
1010 | |||
1011 | data = image->data; | ||
1012 | iptr = pixelindex; | ||
1013 | @@ -1673,6 +1680,9 @@ | ||
1014 | Pixel px; | ||
1015 | int nbytes; | ||
1016 | |||
1017 | + if(x < 0 || y < 0) | ||
1018 | + return 0; | ||
1019 | + | ||
1020 | for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8) | ||
1021 | ((unsigned char *)&pixel)[i] = px; | ||
1022 | src = &ximage->data[XYINDEX(x, y, ximage)]; | ||
1023 | @@ -1704,7 +1714,10 @@ | ||
1024 | register int i; | ||
1025 | register char *data; | ||
1026 | Pixel px; | ||
1027 | - int nbytes, ibpp; | ||
1028 | + unsigned int nbytes, ibpp; | ||
1029 | + | ||
1030 | + if(x < 0 || y < 0) | ||
1031 | + return 0; | ||
1032 | |||
1033 | ibpp = ximage->bits_per_pixel; | ||
1034 | if (ximage->depth == 4) | ||
1035 | @@ -1737,6 +1750,9 @@ | ||
1036 | { | ||
1037 | unsigned char *addr; | ||
1038 | |||
1039 | + if(x < 0 || y < 0) | ||
1040 | + return 0; | ||
1041 | + | ||
1042 | addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; | ||
1043 | *((unsigned long *)addr) = pixel; | ||
1044 | return 1; | ||
1045 | @@ -1751,6 +1767,9 @@ | ||
1046 | { | ||
1047 | unsigned char *addr; | ||
1048 | |||
1049 | + if(x < 0 || y < 0) | ||
1050 | + return 0; | ||
1051 | + | ||
1052 | addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; | ||
1053 | addr[0] = pixel >> 24; | ||
1054 | addr[1] = pixel >> 16; | ||
1055 | @@ -1768,6 +1787,9 @@ | ||
1056 | { | ||
1057 | unsigned char *addr; | ||
1058 | |||
1059 | + if(x < 0 || y < 0) | ||
1060 | + return 0; | ||
1061 | + | ||
1062 | addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; | ||
1063 | addr[3] = pixel >> 24; | ||
1064 | addr[2] = pixel >> 16; | ||
1065 | @@ -1785,6 +1807,9 @@ | ||
1066 | { | ||
1067 | unsigned char *addr; | ||
1068 | |||
1069 | + if(x < 0 || y < 0) | ||
1070 | + return 0; | ||
1071 | + | ||
1072 | addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; | ||
1073 | addr[0] = pixel >> 8; | ||
1074 | addr[1] = pixel; | ||
1075 | @@ -1800,6 +1825,9 @@ | ||
1076 | { | ||
1077 | unsigned char *addr; | ||
1078 | |||
1079 | + if(x < 0 || y < 0) | ||
1080 | + return 0; | ||
1081 | + | ||
1082 | addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; | ||
1083 | addr[1] = pixel >> 8; | ||
1084 | addr[0] = pixel; | ||
1085 | @@ -1813,6 +1841,9 @@ | ||
1086 | int y; | ||
1087 | unsigned long pixel; | ||
1088 | { | ||
1089 | + if(x < 0 || y < 0) | ||
1090 | + return 0; | ||
1091 | + | ||
1092 | ximage->data[ZINDEX8(x, y, ximage)] = pixel; | ||
1093 | return 1; | ||
1094 | } | ||
1095 | @@ -1824,6 +1855,9 @@ | ||
1096 | int y; | ||
1097 | unsigned long pixel; | ||
1098 | { | ||
1099 | + if(x < 0 || y < 0) | ||
1100 | + return 0; | ||
1101 | + | ||
1102 | if (pixel & 1) | ||
1103 | ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); | ||
1104 | else | ||
1105 | @@ -1838,6 +1872,9 @@ | ||
1106 | int y; | ||
1107 | unsigned long pixel; | ||
1108 | { | ||
1109 | + if(x < 0 || y < 0) | ||
1110 | + return 0; | ||
1111 | + | ||
1112 | if (pixel & 1) | ||
1113 | ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); | ||
1114 | else | ||
1115 | @@ -1850,6 +1887,7 @@ | ||
1116 | /* function call in case of error, frees only locally allocated variables */ | ||
1117 | #undef RETURN | ||
1118 | #define RETURN(status) \ | ||
1119 | +do \ | ||
1120 | { \ | ||
1121 | if (USE_HASHTABLE) xpmHashTableFree(&hashtable); \ | ||
1122 | if (colorTable) xpmFreeColorTable(colorTable, ncolors); \ | ||
1123 | @@ -1865,7 +1903,7 @@ | ||
1124 | if (alloc_pixels) XpmFree(alloc_pixels); \ | ||
1125 | if (used_pixels) XpmFree(used_pixels); \ | ||
1126 | return(status); \ | ||
1127 | -} | ||
1128 | +} while(0) | ||
1129 | |||
1130 | /* | ||
1131 | * This function parses an Xpm file or data and directly create an XImage | ||
1132 | @@ -1997,7 +2035,7 @@ | ||
1133 | xpmGetCmt(data, &colors_cmt); | ||
1134 | |||
1135 | /* malloc pixels index tables */ | ||
1136 | - if (ncolors >= SIZE_MAX / sizeof(Pixel)) | ||
1137 | + if (ncolors >= UINT_MAX / sizeof(Pixel)) | ||
1138 | return XpmNoMemory; | ||
1139 | |||
1140 | image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); | ||
1141 | @@ -2109,7 +2147,7 @@ | ||
1142 | * free the hastable | ||
1143 | */ | ||
1144 | if (ErrorStatus != XpmSuccess) | ||
1145 | - RETURN(ErrorStatus) | ||
1146 | + RETURN(ErrorStatus); | ||
1147 | else if (USE_HASHTABLE) | ||
1148 | xpmHashTableFree(&hashtable); | ||
1149 | |||
1150 | @@ -2258,11 +2296,11 @@ | ||
1151 | |||
1152 | /* array of pointers malloced by need */ | ||
1153 | unsigned short *cidx[256]; | ||
1154 | - int char1; | ||
1155 | + unsigned int char1; | ||
1156 | |||
1157 | bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ | ||
1158 | for (a = 0; a < ncolors; a++) { | ||
1159 | - char1 = colorTable[a].string[0]; | ||
1160 | + char1 = (unsigned char) colorTable[a].string[0]; | ||
1161 | if (cidx[char1] == NULL) { /* get new memory */ | ||
1162 | cidx[char1] = (unsigned short *) | ||
1163 | XpmCalloc(256, sizeof(unsigned short)); | ||
1164 | @@ -2280,7 +2318,7 @@ | ||
1165 | int cc1 = xpmGetC(data); | ||
1166 | if (cc1 > 0 && cc1 < 256) { | ||
1167 | int cc2 = xpmGetC(data); | ||
1168 | - if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0) { | ||
1169 | + if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0) { | ||
1170 | #ifndef FOR_MSW | ||
1171 | XPutPixel(image, x, y, | ||
1172 | image_pixels[cidx[cc1][cc2] - 1]); | ||
1173 | diff -Nur lib/Xm/Xpmdata.c lib/Xm/Xpmdata.c | ||
1174 | --- lib/Xm/Xpmdata.c 2005-02-14 15:20:49.343040299 +0100 | ||
1175 | +++ lib/Xm/Xpmdata.c 2005-02-14 14:38:22.161975990 +0100 | ||
1176 | @@ -33,6 +33,8 @@ | ||
1177 | * Developed by Arnaud Le Hors * | ||
1178 | \*****************************************************************************/ | ||
1179 | |||
1180 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
1181 | + | ||
1182 | /* Official version number */ | ||
1183 | static char *RCS_Version = "$XpmVersion: 3.4i $"; | ||
1184 | |||
1185 | @@ -279,7 +281,7 @@ | ||
1186 | } | ||
1187 | ungetc(c, file); | ||
1188 | } | ||
1189 | - return (n); | ||
1190 | + return (n); /* this returns bytes read + 1 */ | ||
1191 | } | ||
1192 | |||
1193 | /* | ||
1194 | @@ -376,8 +378,9 @@ | ||
1195 | { | ||
1196 | if (!mdata->type) | ||
1197 | *cmt = NULL; | ||
1198 | - else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) { | ||
1199 | - *cmt = (char *) XpmMalloc(mdata->CommentLength + 1); | ||
1200 | + else if (mdata->CommentLength != 0 && mdata->CommentLength < UINT_MAX - 1) { | ||
1201 | + if( (*cmt = (char *) XpmMalloc(mdata->CommentLength + 1)) == NULL) | ||
1202 | + return XpmNoMemory; | ||
1203 | strncpy(*cmt, mdata->Comment, mdata->CommentLength); | ||
1204 | (*cmt)[mdata->CommentLength] = '\0'; | ||
1205 | mdata->CommentLength = 0; | ||
1206 | @@ -405,7 +408,7 @@ | ||
1207 | xpmParseHeader(mdata) | ||
1208 | xpmData *mdata; | ||
1209 | { | ||
1210 | - char buf[BUFSIZ]; | ||
1211 | + char buf[BUFSIZ+1] = {0}; | ||
1212 | int l, n = 0; | ||
1213 | |||
1214 | if (mdata->type) { | ||
1215 | diff -Nur lib/Xm/Xpmhashtab.c lib/Xm/Xpmhashtab.c | ||
1216 | --- lib/Xm/Xpmhashtab.c 2005-02-14 15:20:49.342040497 +0100 | ||
1217 | +++ lib/Xm/Xpmhashtab.c 2005-02-14 14:39:44.386676330 +0100 | ||
1218 | @@ -144,13 +144,13 @@ | ||
1219 | unsigned int size = table->size; | ||
1220 | xpmHashAtom *t, *p; | ||
1221 | int i; | ||
1222 | - int oldSize = size; | ||
1223 | + unsigned int oldSize = size; | ||
1224 | |||
1225 | t = atomTable; | ||
1226 | HASH_TABLE_GROWS | ||
1227 | table->size = size; | ||
1228 | table->limit = size / 3; | ||
1229 | - if (size >= SIZE_MAX / sizeof(*atomTable)) | ||
1230 | + if (size >= UINT_MAX / sizeof(*atomTable)) | ||
1231 | return (XpmNoMemory); | ||
1232 | atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); | ||
1233 | if (!atomTable) | ||
1234 | @@ -212,7 +212,7 @@ | ||
1235 | table->size = INITIAL_HASH_SIZE; | ||
1236 | table->limit = table->size / 3; | ||
1237 | table->used = 0; | ||
1238 | - if (table->size >= SIZE_MAX / sizeof(*atomTable)) | ||
1239 | + if (table->size >= UINT_MAX / sizeof(*atomTable)) | ||
1240 | return (XpmNoMemory); | ||
1241 | atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); | ||
1242 | if (!atomTable) | ||
1243 | --- lib/Xm/XpmI.h 2005-02-14 15:20:49.344040101 +0100 | ||
1244 | +++ lib/Xm/XpmI.h 2005-02-14 14:24:12.903327195 +0100 | ||
1245 | @@ -108,8 +109,10 @@ | ||
1246 | * lets try to solve include files | ||
1247 | */ | ||
1248 | |||
1249 | +#include <sys/types.h> | ||
1250 | #include <stdio.h> | ||
1251 | #include <stdlib.h> | ||
1252 | +#include <limits.h> | ||
1253 | /* stdio.h doesn't declare popen on a Sequent DYNIX OS */ | ||
1254 | #ifdef sequent | ||
1255 | extern FILE *popen(); | ||
1256 | diff -Nur lib/Xm/Xpmmisc.c lib/Xm/Xpmmisc.c | ||
1257 | --- lib/Xm/Xpmmisc.c 2002-01-10 21:57:09.000000000 +0100 | ||
1258 | +++ lib/Xm/Xpmmisc.c 2005-02-14 14:24:12.907326402 +0100 | ||
1259 | @@ -52,7 +52,7 @@ | ||
1260 | char *s1; | ||
1261 | { | ||
1262 | char *s2; | ||
1263 | - int l = strlen(s1) + 1; | ||
1264 | + size_t l = strlen(s1) + 1; | ||
1265 | |||
1266 | if (s2 = (char *) XpmMalloc(l)) | ||
1267 | strcpy(s2, s1); | ||
1268 | diff -Nur lib/Xm/Xpmparse.c lib/Xm/Xpmparse.c | ||
1269 | --- lib/Xm/Xpmparse.c 2005-02-14 15:20:49.349039110 +0100 | ||
1270 | +++ lib/Xm/Xpmparse.c 2005-02-14 14:46:55.361242890 +0100 | ||
1271 | @@ -49,21 +49,21 @@ | ||
1272 | #include <string.h> | ||
1273 | |||
1274 | #ifdef HAS_STRLCAT | ||
1275 | -# define STRLCAT(dst, src, dstsize) { \ | ||
1276 | +# define STRLCAT(dst, src, dstsize) do { \ | ||
1277 | if (strlcat(dst, src, dstsize) >= (dstsize)) \ | ||
1278 | - return (XpmFileInvalid); } | ||
1279 | -# define STRLCPY(dst, src, dstsize) { \ | ||
1280 | + return (XpmFileInvalid); } while(0) | ||
1281 | +# define STRLCPY(dst, src, dstsize) do { \ | ||
1282 | if (strlcpy(dst, src, dstsize) >= (dstsize)) \ | ||
1283 | - return (XpmFileInvalid); } | ||
1284 | + return (XpmFileInvalid); } while(0) | ||
1285 | #else | ||
1286 | -# define STRLCAT(dst, src, dstsize) { \ | ||
1287 | +# define STRLCAT(dst, src, dstsize) do { \ | ||
1288 | if ((strlen(dst) + strlen(src)) < (dstsize)) \ | ||
1289 | strcat(dst, src); \ | ||
1290 | - else return (XpmFileInvalid); } | ||
1291 | -# define STRLCPY(dst, src, dstsize) { \ | ||
1292 | + else return (XpmFileInvalid); } while(0) | ||
1293 | +# define STRLCPY(dst, src, dstsize) do { \ | ||
1294 | if (strlen(src) < (dstsize)) \ | ||
1295 | strcpy(dst, src); \ | ||
1296 | - else return (XpmFileInvalid); } | ||
1297 | + else return (XpmFileInvalid); } while(0) | ||
1298 | #endif | ||
1299 | |||
1300 | LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, | ||
1301 | @@ -83,6 +83,7 @@ | ||
1302 | /* function call in case of error, frees only locally allocated variables */ | ||
1303 | #undef RETURN | ||
1304 | #define RETURN(status) \ | ||
1305 | +do \ | ||
1306 | { \ | ||
1307 | if (colorTable) xpmFreeColorTable(colorTable, ncolors); \ | ||
1308 | if (pixelindex) XpmFree(pixelindex); \ | ||
1309 | @@ -90,7 +91,7 @@ | ||
1310 | if (colors_cmt) XpmFree(colors_cmt); \ | ||
1311 | if (pixels_cmt) XpmFree(pixels_cmt); \ | ||
1312 | return(status); \ | ||
1313 | -} | ||
1314 | +} while(0) | ||
1315 | |||
1316 | /* | ||
1317 | * This function parses an Xpm file or data and store the found informations | ||
1318 | @@ -354,7 +355,7 @@ | ||
1319 | char **defaults; | ||
1320 | int ErrorStatus; | ||
1321 | |||
1322 | - if (ncolors >= SIZE_MAX / sizeof(XpmColor)) | ||
1323 | + if (ncolors >= UINT_MAX / sizeof(XpmColor)) | ||
1324 | return (XpmNoMemory); | ||
1325 | colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); | ||
1326 | if (!colorTable) | ||
1327 | @@ -367,7 +368,7 @@ | ||
1328 | /* | ||
1329 | * read pixel value | ||
1330 | */ | ||
1331 | - if (cpp >= SIZE_MAX - 1) { | ||
1332 | + if (cpp >= UINT_MAX - 1) { | ||
1333 | xpmFreeColorTable(colorTable, ncolors); | ||
1334 | return (XpmNoMemory); | ||
1335 | } | ||
1336 | @@ -436,7 +437,7 @@ | ||
1337 | xpmFreeColorTable(colorTable, ncolors); | ||
1338 | return (XpmFileInvalid); | ||
1339 | } | ||
1340 | - len = strlen(curbuf) + 1; | ||
1341 | + len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */ | ||
1342 | s = defaults[curkey] = (char *) XpmMalloc(len); | ||
1343 | if (!s) { | ||
1344 | xpmFreeColorTable(colorTable, ncolors); | ||
1345 | @@ -455,7 +456,7 @@ | ||
1346 | /* | ||
1347 | * read pixel value | ||
1348 | */ | ||
1349 | - if (cpp >= SIZE_MAX - 1) { | ||
1350 | + if (cpp >= UINT_MAX - 1) { | ||
1351 | xpmFreeColorTable(colorTable, ncolors); | ||
1352 | return (XpmNoMemory); | ||
1353 | } | ||
1354 | @@ -500,7 +501,7 @@ | ||
1355 | memcpy(s, curbuf, len); | ||
1356 | color->c_color = s; | ||
1357 | *curbuf = '\0'; /* reset curbuf */ | ||
1358 | - if (a < ncolors - 1) | ||
1359 | + if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */ | ||
1360 | xpmNextString(data); /* get to the next string */ | ||
1361 | } | ||
1362 | } | ||
1363 | @@ -519,11 +520,11 @@ | ||
1364 | xpmHashTable *hashtable; | ||
1365 | unsigned int **pixels; | ||
1366 | { | ||
1367 | - unsigned int *iptr, *iptr2; | ||
1368 | + unsigned int *iptr, *iptr2 = NULL; | ||
1369 | unsigned int a, x, y; | ||
1370 | |||
1371 | - if ((height > 0 && width >= SIZE_MAX / height) || | ||
1372 | - width * height >= SIZE_MAX / sizeof(unsigned int)) | ||
1373 | + if ((height > 0 && width >= UINT_MAX / height) || | ||
1374 | + width * height >= UINT_MAX / sizeof(unsigned int)) | ||
1375 | return XpmNoMemory; | ||
1376 | #ifndef FOR_MSW | ||
1377 | iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); | ||
1378 | @@ -548,8 +549,10 @@ | ||
1379 | { | ||
1380 | unsigned short colidx[256]; | ||
1381 | |||
1382 | - if (ncolors > 256) | ||
1383 | + if (ncolors > 256) { | ||
1384 | return (XpmFileInvalid); | ||
1385 | + XpmFree(iptr2); /* found by Egbert Eich */ | ||
1386 | + } | ||
1387 | |||
1388 | bzero((char *)colidx, 256 * sizeof(short)); | ||
1389 | for (a = 0; a < ncolors; a++) | ||
1390 | @@ -576,16 +579,20 @@ | ||
1391 | { | ||
1392 | |||
1393 | /* free all allocated pointers at all exits */ | ||
1394 | -#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \ | ||
1395 | -if (cidx[f]) XpmFree(cidx[f]);} | ||
1396 | +#define FREE_CIDX \ | ||
1397 | +do \ | ||
1398 | +{ \ | ||
1399 | + int f; for (f = 0; f < 256; f++) \ | ||
1400 | + if (cidx[f]) XpmFree(cidx[f]); \ | ||
1401 | +} while(0) | ||
1402 | |||
1403 | /* array of pointers malloced by need */ | ||
1404 | unsigned short *cidx[256]; | ||
1405 | - int char1; | ||
1406 | + unsigned int char1; | ||
1407 | |||
1408 | bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ | ||
1409 | for (a = 0; a < ncolors; a++) { | ||
1410 | - char1 = colorTable[a].string[0]; | ||
1411 | + char1 = (unsigned char) colorTable[a].string[0]; | ||
1412 | if (cidx[char1] == NULL) { /* get new memory */ | ||
1413 | cidx[char1] = (unsigned short *) | ||
1414 | XpmCalloc(256, sizeof(unsigned short)); | ||
1415 | @@ -604,7 +611,7 @@ | ||
1416 | int cc1 = xpmGetC(data); | ||
1417 | if (cc1 > 0 && cc1 < 256) { | ||
1418 | int cc2 = xpmGetC(data); | ||
1419 | - if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0) | ||
1420 | + if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0) | ||
1421 | *iptr = cidx[cc1][cc2] - 1; | ||
1422 | else { | ||
1423 | FREE_CIDX; | ||
1424 | @@ -628,8 +635,10 @@ | ||
1425 | char *s; | ||
1426 | char buf[BUFSIZ]; | ||
1427 | |||
1428 | - if (cpp >= sizeof(buf)) | ||
1429 | + if (cpp >= sizeof(buf)) { | ||
1430 | return (XpmFileInvalid); | ||
1431 | + XpmFree(iptr2); /* found by Egbert Eich */ | ||
1432 | + } | ||
1433 | |||
1434 | buf[cpp] = '\0'; | ||
1435 | if (USE_HASHTABLE) { | ||
1436 | @@ -639,7 +648,7 @@ | ||
1437 | xpmNextString(data); | ||
1438 | for (x = 0; x < width; x++, iptr++) { | ||
1439 | for (a = 0, s = buf; a < cpp; a++, s++) | ||
1440 | - *s = xpmGetC(data); | ||
1441 | + *s = xpmGetC(data); /* int assigned to char, not a problem here */ | ||
1442 | slot = xpmHashSlot(hashtable, buf); | ||
1443 | if (!*slot) { /* no color matches */ | ||
1444 | XpmFree(iptr2); | ||
1445 | @@ -653,7 +662,7 @@ | ||
1446 | xpmNextString(data); | ||
1447 | for (x = 0; x < width; x++, iptr++) { | ||
1448 | for (a = 0, s = buf; a < cpp; a++, s++) | ||
1449 | - *s = xpmGetC(data); | ||
1450 | + *s = xpmGetC(data); /* int assigned to char, not a problem here */ | ||
1451 | for (a = 0; a < ncolors; a++) | ||
1452 | if (!strcmp(colorTable[a].string, buf)) | ||
1453 | break; | ||
1454 | @@ -708,7 +717,7 @@ | ||
1455 | while (!notstart && notend) { | ||
1456 | /* there starts an extension */ | ||
1457 | ext = (XpmExtension *) | ||
1458 | - XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); | ||
1459 | + XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */ | ||
1460 | if (!ext) { | ||
1461 | XpmFree(string); | ||
1462 | XpmFreeExtensions(exts, num); | ||
1463 | @@ -745,7 +754,7 @@ | ||
1464 | while ((notstart = strncmp("XPMEXT", string, 6)) | ||
1465 | && (notend = strncmp("XPMENDEXT", string, 9))) { | ||
1466 | sp = (char **) | ||
1467 | - XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); | ||
1468 | + XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */ | ||
1469 | if (!sp) { | ||
1470 | XpmFree(string); | ||
1471 | ext->nlines = nlines; | ||
1472 | diff -Nur lib/Xm/XpmRdFToBuf.c lib/Xm/XpmRdFToBuf.c | ||
1473 | --- lib/Xm/XpmRdFToBuf.c 2002-01-10 21:57:08.000000000 +0100 | ||
1474 | +++ lib/Xm/XpmRdFToBuf.c 2005-02-14 14:24:12.904326997 +0100 | ||
1475 | @@ -43,6 +43,8 @@ | ||
1476 | #endif | ||
1477 | |||
1478 | |||
1479 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
1480 | + | ||
1481 | #include "XpmI.h" | ||
1482 | #include <sys/stat.h> | ||
1483 | #if !defined(FOR_MSW) && !defined(WIN32) | ||
1484 | @@ -64,7 +66,8 @@ | ||
1485 | char *filename; | ||
1486 | char **buffer_return; | ||
1487 | { | ||
1488 | - int fd, fcheck, len; | ||
1489 | + int fd, fcheck; | ||
1490 | + off_t len; | ||
1491 | char *ptr; | ||
1492 | struct stat stats; | ||
1493 | FILE *fp; | ||
1494 | @@ -88,7 +91,7 @@ | ||
1495 | close(fd); | ||
1496 | return XpmOpenFailed; | ||
1497 | } | ||
1498 | - len = (int) stats.st_size; | ||
1499 | + len = stats.st_size; | ||
1500 | ptr = (char *) XpmMalloc(len + 1); | ||
1501 | if (!ptr) { | ||
1502 | fclose(fp); | ||
1503 | diff -Nur lib/Xm/XpmRdFToI.c lib/Xm/XpmRdFToI.c | ||
1504 | --- lib/Xm/XpmRdFToI.c 2002-01-10 21:57:08.000000000 +0100 | ||
1505 | +++ lib/Xm/XpmRdFToI.c 2005-02-14 14:24:12.861335519 +0100 | ||
1506 | @@ -38,6 +38,8 @@ | ||
1507 | #endif | ||
1508 | |||
1509 | |||
1510 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
1511 | + | ||
1512 | #include "XpmI.h" | ||
1513 | #include <sys/stat.h> | ||
1514 | #include <sys/param.h> | ||
1515 | @@ -127,6 +129,12 @@ | ||
1516 | /* | ||
1517 | * open the given file to be read as an xpmData which is returned. | ||
1518 | */ | ||
1519 | +#ifndef NO_ZPIPE | ||
1520 | + FILE *Xpms_popen(char *cmd, const char *type); | ||
1521 | +#else | ||
1522 | +# define Xpms_popen popen | ||
1523 | +#endif | ||
1524 | + | ||
1525 | static int | ||
1526 | OpenReadFile(filename, mdata) | ||
1527 | char *filename; | ||
1528 | @@ -144,17 +152,21 @@ | ||
1529 | mdata->type = XPMFILE; | ||
1530 | } else { | ||
1531 | #ifndef NO_ZPIPE | ||
1532 | - int len = strlen(filename); | ||
1533 | + size_t len = strlen(filename); | ||
1534 | + | ||
1535 | + if(len == 0 || | ||
1536 | + filename[len-1] == '/') | ||
1537 | + return(XpmOpenFailed); | ||
1538 | if ((len > 2) && !strcmp(".Z", filename + (len - 2))) { | ||
1539 | mdata->type = XPMPIPE; | ||
1540 | - sprintf(buf, "uncompress -c \"%s\"", filename); | ||
1541 | - if (!(mdata->stream.file = popen(buf, "r"))) | ||
1542 | + snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename); | ||
1543 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) | ||
1544 | return (XpmOpenFailed); | ||
1545 | |||
1546 | } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) { | ||
1547 | mdata->type = XPMPIPE; | ||
1548 | - sprintf(buf, "gunzip -qc \"%s\"", filename); | ||
1549 | - if (!(mdata->stream.file = popen(buf, "r"))) | ||
1550 | + snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename); | ||
1551 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) | ||
1552 | return (XpmOpenFailed); | ||
1553 | |||
1554 | } else { | ||
1555 | @@ -162,19 +174,19 @@ | ||
1556 | if (!(compressfile = (char *) XpmMalloc(len + 4))) | ||
1557 | return (XpmNoMemory); | ||
1558 | |||
1559 | - sprintf(compressfile, "%s.Z", filename); | ||
1560 | + snprintf(compressfile, len+4, "%s.Z", filename); | ||
1561 | if (!stat(compressfile, &status)) { | ||
1562 | - sprintf(buf, "uncompress -c \"%s\"", compressfile); | ||
1563 | - if (!(mdata->stream.file = popen(buf, "r"))) { | ||
1564 | + snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile); | ||
1565 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) { | ||
1566 | XpmFree(compressfile); | ||
1567 | return (XpmOpenFailed); | ||
1568 | } | ||
1569 | mdata->type = XPMPIPE; | ||
1570 | } else { | ||
1571 | - sprintf(compressfile, "%s.gz", filename); | ||
1572 | + snprintf(compressfile, len+4, "%s.gz", filename); | ||
1573 | if (!stat(compressfile, &status)) { | ||
1574 | - sprintf(buf, "gunzip -c \"%s\"", compressfile); | ||
1575 | - if (!(mdata->stream.file = popen(buf, "r"))) { | ||
1576 | + snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile); | ||
1577 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) { | ||
1578 | XpmFree(compressfile); | ||
1579 | return (XpmOpenFailed); | ||
1580 | } | ||
1581 | @@ -216,7 +228,7 @@ | ||
1582 | break; | ||
1583 | #ifndef NO_ZPIPE | ||
1584 | case XPMPIPE: | ||
1585 | - pclose(mdata->stream.file); | ||
1586 | + fclose(mdata->stream.file); | ||
1587 | break; | ||
1588 | #endif | ||
1589 | } | ||
1590 | diff -Nur lib/Xm/Xpmscan.c lib/Xm/Xpmscan.c | ||
1591 | --- lib/Xm/Xpmscan.c 2005-02-14 15:20:49.345039902 +0100 | ||
1592 | +++ lib/Xm/Xpmscan.c 2005-02-14 14:48:52.388044300 +0100 | ||
1593 | @@ -43,12 +43,14 @@ | ||
1594 | #endif | ||
1595 | |||
1596 | |||
1597 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
1598 | + | ||
1599 | #include "XpmI.h" | ||
1600 | |||
1601 | #define MAXPRINTABLE 92 /* number of printable ascii chars | ||
1602 | * minus \ and " for string compat | ||
1603 | * and ? to avoid ANSI trigraphs. */ | ||
1604 | - | ||
1605 | + /* " */ | ||
1606 | static char *printable = | ||
1607 | " .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\ | ||
1608 | ASDFGHJKLPIUYTREWQ!~^/()_`'][{}|"; | ||
1609 | @@ -163,12 +165,13 @@ | ||
1610 | /* function call in case of error, frees only locally allocated variables */ | ||
1611 | #undef RETURN | ||
1612 | #define RETURN(status) \ | ||
1613 | +do \ | ||
1614 | { \ | ||
1615 | if (pmap.pixelindex) XpmFree(pmap.pixelindex); \ | ||
1616 | if (pmap.pixels) XpmFree(pmap.pixels); \ | ||
1617 | if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \ | ||
1618 | return(status); \ | ||
1619 | -} | ||
1620 | +} while(0) | ||
1621 | |||
1622 | /* | ||
1623 | * This function scans the given image and stores the found informations in | ||
1624 | @@ -226,15 +229,15 @@ | ||
1625 | else | ||
1626 | cpp = 0; | ||
1627 | |||
1628 | - if ((height > 0 && width >= SIZE_MAX / height) || | ||
1629 | - width * height >= SIZE_MAX / sizeof(unsigned int)) | ||
1630 | + if ((height > 0 && width >= UINT_MAX / height) || | ||
1631 | + width * height >= UINT_MAX / sizeof(unsigned int)) | ||
1632 | RETURN(XpmNoMemory); | ||
1633 | pmap.pixelindex = | ||
1634 | (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); | ||
1635 | if (!pmap.pixelindex) | ||
1636 | RETURN(XpmNoMemory); | ||
1637 | |||
1638 | - if (pmap.size >= SIZE_MAX / sizeof(Pixel)) | ||
1639 | + if (pmap.size >= UINT_MAX / sizeof(Pixel)) | ||
1640 | RETURN(XpmNoMemory); | ||
1641 | |||
1642 | pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); | ||
1643 | @@ -292,7 +295,7 @@ | ||
1644 | * color | ||
1645 | */ | ||
1646 | |||
1647 | - if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) | ||
1648 | + if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor)) | ||
1649 | RETURN(XpmNoMemory); | ||
1650 | colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); | ||
1651 | if (!colorTable) | ||
1652 | @@ -341,7 +344,7 @@ | ||
1653 | |||
1654 | /* first get a character string */ | ||
1655 | a = 0; | ||
1656 | - if (cpp >= SIZE_MAX - 1) | ||
1657 | + if (cpp >= UINT_MAX - 1) | ||
1658 | return (XpmNoMemory); | ||
1659 | if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) | ||
1660 | return (XpmNoMemory); | ||
1661 | @@ -434,7 +437,7 @@ | ||
1662 | } | ||
1663 | |||
1664 | /* first get character strings and rgb values */ | ||
1665 | - if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) | ||
1666 | + if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1) | ||
1667 | return (XpmNoMemory); | ||
1668 | xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); | ||
1669 | if (!xcolors) | ||
1670 | @@ -591,7 +594,7 @@ | ||
1671 | char *dst; | ||
1672 | unsigned int *iptr; | ||
1673 | char *data; | ||
1674 | - int x, y, i; | ||
1675 | + unsigned int x, y, i; | ||
1676 | int bits, depth, ibu, ibpp, offset; | ||
1677 | unsigned long lbt; | ||
1678 | Pixel pixel, px; | ||
1679 | @@ -693,7 +696,7 @@ | ||
1680 | unsigned char *addr; | ||
1681 | unsigned char *data; | ||
1682 | unsigned int *iptr; | ||
1683 | - int x, y; | ||
1684 | + unsigned int x, y; | ||
1685 | unsigned long lbt; | ||
1686 | Pixel pixel; | ||
1687 | int depth; | ||
1688 | @@ -758,7 +761,7 @@ | ||
1689 | unsigned char *addr; | ||
1690 | unsigned char *data; | ||
1691 | unsigned int *iptr; | ||
1692 | - int x, y; | ||
1693 | + unsigned int x, y; | ||
1694 | unsigned long lbt; | ||
1695 | Pixel pixel; | ||
1696 | int depth; | ||
1697 | @@ -803,7 +806,7 @@ | ||
1698 | { | ||
1699 | unsigned int *iptr; | ||
1700 | unsigned char *data; | ||
1701 | - int x, y; | ||
1702 | + unsigned int x, y; | ||
1703 | unsigned long lbt; | ||
1704 | Pixel pixel; | ||
1705 | int depth; | ||
1706 | @@ -836,7 +839,7 @@ | ||
1707 | int (*storeFunc) (); | ||
1708 | { | ||
1709 | unsigned int *iptr; | ||
1710 | - int x, y; | ||
1711 | + unsigned int x, y; | ||
1712 | char *data; | ||
1713 | Pixel pixel; | ||
1714 | int xoff, yoff, offset, bpl; | ||
1715 | diff -Nur lib/Xm/XpmWrFFrBuf.c lib/Xm/XpmWrFFrBuf.c | ||
1716 | --- lib/Xm/XpmWrFFrBuf.c 2002-01-10 21:57:08.000000000 +0100 | ||
1717 | +++ lib/Xm/XpmWrFFrBuf.c 2005-02-14 14:24:12.906326601 +0100 | ||
1718 | @@ -38,6 +38,8 @@ | ||
1719 | #endif | ||
1720 | |||
1721 | |||
1722 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
1723 | + | ||
1724 | #include "XpmI.h" | ||
1725 | |||
1726 | int | ||
1727 | @@ -55,7 +57,7 @@ | ||
1728 | fcheck = fwrite(buffer, len, 1, fp); | ||
1729 | fclose(fp); | ||
1730 | if (fcheck != 1) | ||
1731 | - return XpmOpenFailed; | ||
1732 | + return XpmOpenFailed; /* maybe use a better return value */ | ||
1733 | |||
1734 | return XpmSuccess; | ||
1735 | } | ||
1736 | diff -Nur lib/Xm/XpmWrFFrI.c lib/Xm/XpmWrFFrI.c | ||
1737 | --- lib/Xm/XpmWrFFrI.c 2005-02-14 15:20:49.343040299 +0100 | ||
1738 | +++ lib/Xm/XpmWrFFrI.c 2005-02-14 14:50:25.766533589 +0100 | ||
1739 | @@ -38,6 +38,8 @@ | ||
1740 | #endif | ||
1741 | |||
1742 | |||
1743 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ | ||
1744 | + | ||
1745 | #include "XpmI.h" | ||
1746 | #if !defined(NO_ZPIPE) && defined(WIN32) | ||
1747 | # define popen _popen | ||
1748 | @@ -98,7 +100,7 @@ | ||
1749 | XpmInfo *info; | ||
1750 | { | ||
1751 | xpmData mdata; | ||
1752 | - char *name, *dot, *s, new_name[BUFSIZ]; | ||
1753 | + char *name, *dot, *s, new_name[BUFSIZ] = {0}; | ||
1754 | int ErrorStatus; | ||
1755 | |||
1756 | /* open file to write */ | ||
1757 | @@ -117,6 +119,8 @@ | ||
1758 | #endif | ||
1759 | /* let's try to make a valid C syntax name */ | ||
1760 | if ((dot = index(name, '.'))) { | ||
1761 | + strncpy(new_name, name, sizeof(new_name)); | ||
1762 | + new_name[sizeof(new_name)-1] = 0; | ||
1763 | strcpy(new_name, name); | ||
1764 | /* change '.' to '_' */ | ||
1765 | name = s = new_name; | ||
1766 | @@ -127,7 +131,8 @@ | ||
1767 | } | ||
1768 | if ((dot = index(name, '-'))) { | ||
1769 | if (name != new_name) { | ||
1770 | - strcpy(new_name, name); | ||
1771 | + strncpy(new_name, name, sizeof(new_name)); | ||
1772 | + new_name[sizeof(new_name)-1] = 0; | ||
1773 | name = new_name; | ||
1774 | } | ||
1775 | /* change '-' to '_' */ | ||
1776 | @@ -244,7 +249,7 @@ | ||
1777 | unsigned int x, y, h; | ||
1778 | |||
1779 | h = height - 1; | ||
1780 | - if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) | ||
1781 | + if (cpp != 0 && width >= (UINT_MAX - 3)/cpp) | ||
1782 | return (XpmNoMemory); | ||
1783 | p = buf = (char *) XpmMalloc(width * cpp + 3); | ||
1784 | if (!buf) | ||
1785 | @@ -296,6 +301,11 @@ | ||
1786 | /* | ||
1787 | * open the given file to be written as an xpmData which is returned | ||
1788 | */ | ||
1789 | +#ifndef NO_ZPIPE | ||
1790 | + FILE *Xpms_popen(char *cmd, const char *type); | ||
1791 | +#else | ||
1792 | +# define Xpms_popen popen | ||
1793 | +#endif | ||
1794 | static int | ||
1795 | OpenWriteFile(filename, mdata) | ||
1796 | char *filename; | ||
1797 | @@ -311,16 +321,23 @@ | ||
1798 | mdata->type = XPMFILE; | ||
1799 | } else { | ||
1800 | #ifndef NO_ZPIPE | ||
1801 | - int len = strlen(filename); | ||
1802 | + size_t len = strlen(filename); | ||
1803 | + | ||
1804 | + if(len == 0 || | ||
1805 | + filename[0] == '/' || | ||
1806 | + strstr(filename, "../") != NULL || | ||
1807 | + filename[len-1] == '/') | ||
1808 | + return(XpmOpenFailed); | ||
1809 | + | ||
1810 | if (len > 2 && !strcmp(".Z", filename + (len - 2))) { | ||
1811 | - sprintf(buf, "compress > \"%s\"", filename); | ||
1812 | - if (!(mdata->stream.file = popen(buf, "w"))) | ||
1813 | + snprintf(buf, sizeof(buf), "compress > \"%s\"", filename); | ||
1814 | + if (!(mdata->stream.file = Xpms_popen(buf, "w"))) | ||
1815 | return (XpmOpenFailed); | ||
1816 | |||
1817 | mdata->type = XPMPIPE; | ||
1818 | } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { | ||
1819 | - sprintf(buf, "gzip -q > \"%s\"", filename); | ||
1820 | - if (!(mdata->stream.file = popen(buf, "w"))) | ||
1821 | + snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename); | ||
1822 | + if (!(mdata->stream.file = Xpms_popen(buf, "w"))) | ||
1823 | return (XpmOpenFailed); | ||
1824 | |||
1825 | mdata->type = XPMPIPE; | ||
1826 | @@ -351,7 +368,7 @@ | ||
1827 | break; | ||
1828 | #ifndef NO_ZPIPE | ||
1829 | case XPMPIPE: | ||
1830 | - pclose(mdata->stream.file); | ||
1831 | + fclose(mdata->stream.file); | ||
1832 | break; | ||
1833 | #endif | ||
1834 | } |