Contents of /trunk/openmotif/patches/openmotif-2.2.3-CAN-2004-0914-newer.patch
Parent Directory | Revision Log
Revision 153 -
(show annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 52479 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 52479 byte(s)
-import
1 | diff -Nur lib/Xm/Imakefile lib/Xm/Imakefile |
2 | --- lib/Xm/Imakefile 2002-01-15 18:30:40.000000000 +0100 |
3 | +++ lib/Xm/Imakefile 2005-02-14 14:24:12.000000000 +0100 |
4 | @@ -211,7 +211,8 @@ |
5 | XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \ |
6 | XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \ |
7 | XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \ |
8 | - XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c |
9 | + XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \ |
10 | + Xpms_popen.c |
11 | |
12 | #if UseLocalRegex |
13 | REGEX_SRCS = regexp.c |
14 | @@ -274,7 +275,8 @@ |
15 | XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \ |
16 | XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \ |
17 | XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \ |
18 | - XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o |
19 | + XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o \ |
20 | + Xpms_popen.o |
21 | |
22 | #if UseLocalRegex |
23 | REGEX_OBJS = regexp.o |
24 | --- lib/Xm/Makefile.am 2004-11-17 19:03:26.962797006 +0100 |
25 | +++ lib/Xm/Makefile.am 2004-11-17 19:03:49.421724642 +0100 |
26 | @@ -241,7 +241,8 @@ |
27 | XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \ |
28 | XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \ |
29 | XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \ |
30 | - XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c |
31 | + XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \ |
32 | + Xpms_popen.c |
33 | |
34 | NEW_WID_SRCS = IconH.c Container.c IconG.c \ |
35 | Notebook.c ComboBox.c GrabShell.c SpinB.c \ |
36 | --- /dev/null 1970-01-01 01:00:00.000000000 +0100 |
37 | +++ lib/Xm/Xpms_popen.c 2005-02-14 14:24:12.942319466 +0100 |
38 | @@ -0,0 +1,182 @@ |
39 | +/* |
40 | + * Copyright (C) 2004 The X.Org fundation |
41 | + * |
42 | + * Permission is hereby granted, free of charge, to any person |
43 | + * obtaining a copy of this software and associated documentation |
44 | + * files (the "Software"), to deal in the Software without |
45 | + * restriction, including without limitation the rights to use, copy, |
46 | + * modify, merge, publish, distribute, sublicense, and/or sell copies |
47 | + * of the Software, and to permit persons to whom the Software is fur- |
48 | + * nished to do so, subject to the following conditions: |
49 | + * |
50 | + * The above copyright notice and this permission notice shall be |
51 | + * included in all copies or substantial portions of the Software. |
52 | + * |
53 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
54 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
55 | + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
56 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR |
57 | + * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF |
58 | + * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION |
59 | + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
60 | + * |
61 | + * Except as contained in this notice, the name of the X.Org fundation |
62 | + * shall not be used in advertising or otherwise to promote the sale, |
63 | + * use or other dealings in this Software without prior written |
64 | + * authorization from the X.Org fundation. |
65 | + */ |
66 | + |
67 | +/* |
68 | +** This is a secure but NOT 100% compatible replacement for popen() |
69 | +** Note: - don't use pclose() use fclose() for closing the returned |
70 | +** filedesc.!!! |
71 | +** |
72 | +** Known Bugs: - unable to use i/o-redirection like > or < |
73 | +** Author: - Thomas Biege <thomas@suse.de> |
74 | +** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when |
75 | +** calling strtok() |
76 | +*/ |
77 | + |
78 | +#include <sys/types.h> |
79 | +#include <sys/wait.h> |
80 | +#include <stdio.h> |
81 | +#include <stdlib.h> |
82 | +#include <unistd.h> |
83 | +#include <string.h> |
84 | +#include "XpmI.h" |
85 | + |
86 | +#define __SEC_POPEN_TOKEN " " |
87 | + |
88 | +FILE *Xpms_popen(char *cmd, const char *type) |
89 | +{ |
90 | + pid_t pid; |
91 | + int pfd[2]; |
92 | + int rpipe = 0, wpipe = 0, i; |
93 | + char **argv; |
94 | + char *ptr; |
95 | + char *cmdcpy; |
96 | + |
97 | + |
98 | + if(cmd == NULL || cmd == "") |
99 | + return(NULL); |
100 | + |
101 | + if(type[0] != 'r' && type[0] != 'w') |
102 | + return(NULL); |
103 | + |
104 | + if ((cmdcpy = strdup(cmd)) == NULL) |
105 | + return(NULL); |
106 | + |
107 | + argv = NULL; |
108 | + if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL) |
109 | + { |
110 | + free(cmdcpy); |
111 | + return(NULL); |
112 | + } |
113 | + |
114 | + for(i = 0;; i++) |
115 | + { |
116 | + if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL) |
117 | + { |
118 | + free(cmdcpy); |
119 | + return(NULL); |
120 | + } |
121 | + |
122 | + if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL) |
123 | + { |
124 | + free(cmdcpy); |
125 | + return(NULL); |
126 | + } |
127 | + |
128 | + strcpy(argv[i], ptr); |
129 | + |
130 | + if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL) |
131 | + { |
132 | + if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL) |
133 | + { |
134 | + free(cmdcpy); |
135 | + return(NULL); |
136 | + } |
137 | + argv[i+1] = NULL; |
138 | + break; |
139 | + } |
140 | + } |
141 | + |
142 | + |
143 | + if(type[0] == 'r') |
144 | + rpipe = 1; |
145 | + else |
146 | + wpipe = 1; |
147 | + |
148 | + if (pipe(pfd) < 0) |
149 | + { |
150 | + free(cmdcpy); |
151 | + return(NULL); |
152 | + } |
153 | + |
154 | + if((pid = fork()) < 0) |
155 | + { |
156 | + close(pfd[0]); |
157 | + close(pfd[1]); |
158 | + free(cmdcpy); |
159 | + return(NULL); |
160 | + } |
161 | + |
162 | + if(pid == 0) /* child */ |
163 | + { |
164 | + if((pid = fork()) < 0) |
165 | + { |
166 | + close(pfd[0]); |
167 | + close(pfd[1]); |
168 | + free(cmdcpy); |
169 | + return(NULL); |
170 | + } |
171 | + if(pid > 0) |
172 | + { |
173 | + exit(0); /* child nr. 1 exits */ |
174 | + } |
175 | + |
176 | + /* child nr. 2 */ |
177 | + if(rpipe) |
178 | + { |
179 | + close(pfd[0]); /* close reading end, we don't need it */ |
180 | + dup2(STDOUT_FILENO, STDERR_FILENO); |
181 | + if (pfd[1] != STDOUT_FILENO) |
182 | + dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */ |
183 | + } |
184 | + else |
185 | + { |
186 | + close(pfd[1]); /* close writing end, we don't need it */ |
187 | + if (pfd[0] != STDIN_FILENO) |
188 | + dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */ |
189 | + } |
190 | + |
191 | + if(strchr(argv[0], '/') == NULL) |
192 | + execvp(argv[0], argv); /* search in $PATH */ |
193 | + else |
194 | + execv(argv[0], argv); |
195 | + |
196 | + close(pfd[0]); |
197 | + close(pfd[1]); |
198 | + free(cmdcpy); |
199 | + return(NULL); /* exec failed.. ooops! */ |
200 | + } |
201 | + else /* parent */ |
202 | + { |
203 | + waitpid(pid, NULL, 0); /* wait for child nr. 1 */ |
204 | + |
205 | + if(rpipe) |
206 | + { |
207 | + close(pfd[1]); |
208 | + free(cmdcpy); |
209 | + return(fdopen(pfd[0], "r")); |
210 | + } |
211 | + else |
212 | + { |
213 | + close(pfd[0]); |
214 | + free(cmdcpy); |
215 | + return(fdopen(pfd[1], "w")); |
216 | + } |
217 | + |
218 | + } |
219 | +} |
220 | + |
221 | diff -Nur lib/Xm/XpmAttrib.c lib/Xm/XpmAttrib.c |
222 | --- lib/Xm/XpmAttrib.c 2005-02-14 15:20:49.346039704 +0100 |
223 | +++ lib/Xm/XpmAttrib.c 2005-02-14 14:26:42.742624081 +0100 |
224 | @@ -44,7 +44,7 @@ |
225 | LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, |
226 | XpmColor ***oldct)); |
227 | |
228 | -LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); |
229 | +LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors)); |
230 | |
231 | /* |
232 | * Create a colortable compatible with the old style colortable |
233 | @@ -56,9 +56,9 @@ |
234 | XpmColor ***oldct; |
235 | { |
236 | XpmColor **colorTable, **color; |
237 | - int a; |
238 | + unsigned int a; |
239 | |
240 | - if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) |
241 | + if (ncolors >= UINT_MAX / sizeof(XpmColor *)) |
242 | return XpmNoMemory; |
243 | |
244 | colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); |
245 | @@ -75,9 +75,9 @@ |
246 | static void |
247 | FreeOldColorTable(colorTable, ncolors) |
248 | XpmColor **colorTable; |
249 | - int ncolors; |
250 | + unsigned int ncolors; |
251 | { |
252 | - int a, b; |
253 | + unsigned int a, b; |
254 | XpmColor **color; |
255 | char **sptr; |
256 | |
257 | @@ -128,7 +128,7 @@ |
258 | XpmExtension *ext; |
259 | char **sptr; |
260 | |
261 | - if (extensions) { |
262 | + if (extensions && nextensions > 0) { |
263 | for (i = 0, ext = extensions; i < nextensions; i++, ext++) { |
264 | if (ext->name) |
265 | XpmFree(ext->name); |
266 | diff -Nur lib/Xm/XpmCrBufFrI.c lib/Xm/XpmCrBufFrI.c |
267 | --- lib/Xm/XpmCrBufFrI.c 2003-08-15 11:08:59.000000000 +0200 |
268 | +++ lib/Xm/XpmCrBufFrI.c 2005-02-14 14:28:44.975393496 +0100 |
269 | @@ -41,21 +41,26 @@ |
270 | #endif |
271 | |
272 | |
273 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
274 | + |
275 | + |
276 | #include "XpmI.h" |
277 | |
278 | LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size, |
279 | unsigned int *used_size, XpmColor *colors, |
280 | unsigned int ncolors, unsigned int cpp)); |
281 | |
282 | -LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size, |
283 | +LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size, |
284 | + unsigned int *used_size, |
285 | unsigned int width, unsigned int height, |
286 | unsigned int cpp, unsigned int *pixels, |
287 | XpmColor *colors)); |
288 | |
289 | -LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size, |
290 | +LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size, |
291 | + unsigned int *used_size, |
292 | XpmExtension *ext, unsigned int num)); |
293 | |
294 | -LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num)); |
295 | +LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num)); |
296 | LFUNC(CommentsSize, int, (XpmInfo *info)); |
297 | |
298 | int |
299 | @@ -98,11 +103,12 @@ |
300 | |
301 | #undef RETURN |
302 | #define RETURN(status) \ |
303 | +do \ |
304 | { \ |
305 | if (ptr) \ |
306 | XpmFree(ptr); \ |
307 | return(status); \ |
308 | -} |
309 | +} while(0) |
310 | |
311 | int |
312 | XpmCreateBufferFromXpmImage(buffer_return, image, info) |
313 | @@ -116,7 +122,7 @@ |
314 | unsigned int cmts, extensions, ext_size = 0; |
315 | unsigned int l, cmt_size = 0; |
316 | char *ptr = NULL, *p; |
317 | - unsigned int ptr_size, used_size; |
318 | + unsigned int ptr_size, used_size, tmp; |
319 | |
320 | *buffer_return = NULL; |
321 | |
322 | @@ -138,7 +144,13 @@ |
323 | #ifdef VOID_SPRINTF |
324 | used_size = strlen(buf); |
325 | #endif |
326 | - ptr_size = used_size + ext_size + cmt_size + 1; |
327 | + ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */ |
328 | + if(ptr_size <= used_size || |
329 | + ptr_size <= ext_size || |
330 | + ptr_size <= cmt_size) |
331 | + { |
332 | + return XpmNoMemory; |
333 | + } |
334 | ptr = (char *) XpmMalloc(ptr_size); |
335 | if (!ptr) |
336 | return XpmNoMemory; |
337 | @@ -149,7 +161,7 @@ |
338 | #ifndef VOID_SPRINTF |
339 | used_size += |
340 | #endif |
341 | - sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt); |
342 | + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt); |
343 | #ifdef VOID_SPRINTF |
344 | used_size += strlen(info->hints_cmt) + 5; |
345 | #endif |
346 | @@ -167,7 +179,7 @@ |
347 | #ifndef VOID_SPRINTF |
348 | l += |
349 | #endif |
350 | - sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot); |
351 | + snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot); |
352 | #ifdef VOID_SPRINTF |
353 | l = strlen(buf); |
354 | #endif |
355 | @@ -189,6 +201,8 @@ |
356 | l = strlen(buf); |
357 | #endif |
358 | ptr_size += l; |
359 | + if(ptr_size <= l) |
360 | + RETURN(XpmNoMemory); |
361 | p = (char *) XpmRealloc(ptr, ptr_size); |
362 | if (!p) |
363 | RETURN(XpmNoMemory); |
364 | @@ -201,7 +215,7 @@ |
365 | #ifndef VOID_SPRINTF |
366 | used_size += |
367 | #endif |
368 | - sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt); |
369 | + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt); |
370 | #ifdef VOID_SPRINTF |
371 | used_size += strlen(info->colors_cmt) + 5; |
372 | #endif |
373 | @@ -217,7 +231,12 @@ |
374 | * 4 = 1 (for '"') + 3 (for '",\n') |
375 | * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n') |
376 | */ |
377 | - ptr_size += image->height * (image->width * image->cpp + 4) + 1; |
378 | + if(image->width > UINT_MAX / image->cpp || |
379 | + (tmp = image->width * image->cpp + 4) <= 4 || |
380 | + image->height > UINT_MAX / tmp || |
381 | + (tmp = image->height * tmp + 1) <= 1 || |
382 | + (ptr_size += tmp) <= tmp) |
383 | + RETURN(XpmNoMemory); |
384 | |
385 | p = (char *) XpmRealloc(ptr, ptr_size); |
386 | if (!p) |
387 | @@ -229,17 +248,17 @@ |
388 | #ifndef VOID_SPRINTF |
389 | used_size += |
390 | #endif |
391 | - sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt); |
392 | + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt); |
393 | #ifdef VOID_SPRINTF |
394 | used_size += strlen(info->pixels_cmt) + 5; |
395 | #endif |
396 | } |
397 | - WritePixels(ptr + used_size, &used_size, image->width, image->height, |
398 | + WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height, |
399 | image->cpp, image->data, image->colorTable); |
400 | |
401 | /* print extensions */ |
402 | if (extensions) |
403 | - WriteExtensions(ptr + used_size, &used_size, |
404 | + WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size, |
405 | info->extensions, info->nextensions); |
406 | |
407 | /* close the array */ |
408 | @@ -250,6 +269,7 @@ |
409 | return (XpmSuccess); |
410 | } |
411 | |
412 | + |
413 | static int |
414 | WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp) |
415 | char **dataptr; |
416 | @@ -259,7 +279,7 @@ |
417 | unsigned int ncolors; |
418 | unsigned int cpp; |
419 | { |
420 | - char buf[BUFSIZ]; |
421 | + char buf[BUFSIZ] = {0}; |
422 | unsigned int a, key, l; |
423 | char *s, *s2; |
424 | char **defaults; |
425 | @@ -269,22 +289,34 @@ |
426 | |
427 | defaults = (char **) colors; |
428 | s = buf + 1; |
429 | - strncpy(s, *defaults++, cpp); |
430 | - s += cpp; |
431 | - |
432 | - for (key = 1; key <= NKEYS; key++, defaults++) { |
433 | - if ((s2 = *defaults)) { |
434 | -#ifndef VOID_SPRINTF |
435 | - s += |
436 | -#endif |
437 | - sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); |
438 | -#ifdef VOID_SPRINTF |
439 | - s += strlen(s); |
440 | -#endif |
441 | - } |
442 | - } |
443 | - strcpy(s, "\",\n"); |
444 | - l = s + 3 - buf; |
445 | + if(cpp > (sizeof(buf) - (s-buf))) |
446 | + return(XpmNoMemory); |
447 | + strncpy(s, *defaults++, cpp); |
448 | + s += cpp; |
449 | + |
450 | + for (key = 1; key <= NKEYS; key++, defaults++) { |
451 | + if ((s2 = *defaults)) { |
452 | +#ifndef VOID_SPRINTF |
453 | + s += |
454 | +#endif |
455 | + /* assume C99 compliance */ |
456 | + snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); |
457 | +#ifdef VOID_SPRINTF |
458 | + s += strlen(s); |
459 | +#endif |
460 | + /* now let's check if s points out-of-bounds */ |
461 | + if((s-buf) > sizeof(buf)) |
462 | + return(XpmNoMemory); |
463 | + } |
464 | + } |
465 | + if(sizeof(buf) - (s-buf) < 4) |
466 | + return(XpmNoMemory); |
467 | + strcpy(s, "\",\n"); |
468 | + l = s + 3 - buf; |
469 | + if( *data_size >= UINT_MAX-l || |
470 | + *data_size + l <= *used_size || |
471 | + (*data_size + l - *used_size) <= sizeof(buf)) |
472 | + return(XpmNoMemory); |
473 | s = (char *) XpmRealloc(*dataptr, *data_size + l); |
474 | if (!s) |
475 | return (XpmNoMemory); |
476 | @@ -297,8 +329,9 @@ |
477 | } |
478 | |
479 | static void |
480 | -WritePixels(dataptr, used_size, width, height, cpp, pixels, colors) |
481 | +WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors) |
482 | char *dataptr; |
483 | + unsigned int data_size; |
484 | unsigned int *used_size; |
485 | unsigned int width; |
486 | unsigned int height; |
487 | @@ -309,27 +342,36 @@ |
488 | char *s = dataptr; |
489 | unsigned int x, y, h; |
490 | |
491 | + if(height <= 1) |
492 | + return; |
493 | + |
494 | h = height - 1; |
495 | for (y = 0; y < h; y++) { |
496 | *s++ = '"'; |
497 | for (x = 0; x < width; x++, pixels++) { |
498 | - strncpy(s, colors[*pixels].string, cpp); |
499 | + if(cpp >= (data_size - (s-dataptr))) |
500 | + return; |
501 | + strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */ |
502 | s += cpp; |
503 | } |
504 | + if((data_size - (s-dataptr)) < 4) |
505 | + return; |
506 | strcpy(s, "\",\n"); |
507 | s += 3; |
508 | } |
509 | /* duplicate some code to avoid a test in the loop */ |
510 | *s++ = '"'; |
511 | for (x = 0; x < width; x++, pixels++) { |
512 | - strncpy(s, colors[*pixels].string, cpp); |
513 | + if(cpp >= (data_size - (s-dataptr))) |
514 | + return; |
515 | + strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */ |
516 | s += cpp; |
517 | } |
518 | *s++ = '"'; |
519 | *used_size += s - dataptr; |
520 | } |
521 | |
522 | -static int |
523 | +static unsigned int |
524 | ExtensionsSize(ext, num) |
525 | XpmExtension *ext; |
526 | unsigned int num; |
527 | @@ -338,21 +380,26 @@ |
528 | char **line; |
529 | |
530 | size = 0; |
531 | + if(num == 0) |
532 | + return(0); /* ok? */ |
533 | for (x = 0; x < num; x++, ext++) { |
534 | /* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */ |
535 | size += strlen(ext->name) + 11; |
536 | - a = ext->nlines; |
537 | + a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */ |
538 | for (y = 0, line = ext->lines; y < a; y++, line++) |
539 | /* 4 = 3 (for ',\n"') + 1 (for '"') */ |
540 | size += strlen(*line) + 4; |
541 | } |
542 | /* 13 is for ',\n"XPMENDEXT"' */ |
543 | + if(size > UINT_MAX - 13) /* unlikely */ |
544 | + return(0); |
545 | return size + 13; |
546 | } |
547 | |
548 | static void |
549 | -WriteExtensions(dataptr, used_size, ext, num) |
550 | +WriteExtensions(dataptr, data_size, used_size, ext, num) |
551 | char *dataptr; |
552 | + unsigned int data_size; |
553 | unsigned int *used_size; |
554 | XpmExtension *ext; |
555 | unsigned int num; |
556 | @@ -363,24 +410,24 @@ |
557 | |
558 | for (x = 0; x < num; x++, ext++) { |
559 | #ifndef VOID_SPRINTF |
560 | - s += 11 + |
561 | + s += |
562 | #endif |
563 | - sprintf(s, ",\n\"XPMEXT %s\"", ext->name); |
564 | + snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name); |
565 | #ifdef VOID_SPRINTF |
566 | s += strlen(ext->name) + 11; |
567 | #endif |
568 | a = ext->nlines; |
569 | for (y = 0, line = ext->lines; y < a; y++, line++) { |
570 | #ifndef VOID_SPRINTF |
571 | - s += 4 + |
572 | + s += |
573 | #endif |
574 | - sprintf(s, ",\n\"%s\"", *line); |
575 | + snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line); |
576 | #ifdef VOID_SPRINTF |
577 | s += strlen(*line) + 4; |
578 | #endif |
579 | } |
580 | } |
581 | - strcpy(s, ",\n\"XPMENDEXT\""); |
582 | + strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1); |
583 | *used_size += s - dataptr + 13; |
584 | } |
585 | |
586 | @@ -391,6 +438,7 @@ |
587 | int size = 0; |
588 | |
589 | /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */ |
590 | + /* wrap possible but *very* unlikely */ |
591 | if (info->hints_cmt) |
592 | size += 5 + strlen(info->hints_cmt); |
593 | |
594 | diff -Nur lib/Xm/XpmCrDatFrI.c lib/Xm/XpmCrDatFrI.c |
595 | --- lib/Xm/XpmCrDatFrI.c 2005-02-14 15:20:49.344040101 +0100 |
596 | +++ lib/Xm/XpmCrDatFrI.c 2005-02-14 14:32:22.610251056 +0100 |
597 | @@ -38,13 +38,16 @@ |
598 | #endif |
599 | |
600 | |
601 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
602 | + |
603 | #include "XpmI.h" |
604 | |
605 | LFUNC(CreateColors, int, (char **dataptr, unsigned int *data_size, |
606 | XpmColor *colors, unsigned int ncolors, |
607 | unsigned int cpp)); |
608 | |
609 | -LFUNC(CreatePixels, void, (char **dataptr, unsigned int width, |
610 | +LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size, |
611 | + unsigned int width, |
612 | unsigned int height, unsigned int cpp, |
613 | unsigned int *pixels, XpmColor *colors)); |
614 | |
615 | @@ -52,7 +55,8 @@ |
616 | unsigned int *ext_size, |
617 | unsigned int *ext_nlines)); |
618 | |
619 | -LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset, |
620 | +LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size, |
621 | + unsigned int offset, |
622 | XpmExtension *ext, unsigned int num, |
623 | unsigned int ext_nlines)); |
624 | |
625 | @@ -93,6 +97,7 @@ |
626 | |
627 | #undef RETURN |
628 | #define RETURN(status) \ |
629 | +do \ |
630 | { \ |
631 | if (header) { \ |
632 | for (l = 0; l < header_nlines; l++) \ |
633 | @@ -101,7 +106,7 @@ |
634 | XpmFree(header); \ |
635 | } \ |
636 | return(status); \ |
637 | -} |
638 | +} while(0) |
639 | |
640 | int |
641 | XpmCreateDataFromXpmImage(data_return, image, info) |
642 | @@ -133,10 +138,15 @@ |
643 | * is the hints line + the color table lines |
644 | */ |
645 | header_nlines = 1 + image->ncolors; |
646 | + |
647 | + if(header_nlines <= image->ncolors || |
648 | + header_nlines >= UINT_MAX / sizeof(char *)) |
649 | + return(XpmNoMemory); |
650 | + |
651 | header_size = sizeof(char *) * header_nlines; |
652 | - if (header_size >= SIZE_MAX / sizeof(char *)) |
653 | + if (header_size >= UINT_MAX / sizeof(char *)) |
654 | return (XpmNoMemory); |
655 | - header = (char **) XpmCalloc(header_size, sizeof(char *)); |
656 | + header = (char **) XpmCalloc(header_size, sizeof(char *)); |
657 | if (!header) |
658 | return (XpmNoMemory); |
659 | |
660 | @@ -180,8 +190,22 @@ |
661 | |
662 | /* now we know the size needed, alloc the data and copy the header lines */ |
663 | offset = image->width * image->cpp + 1; |
664 | - data_size = header_size + (image->height + ext_nlines) * sizeof(char *) |
665 | - + image->height * offset + ext_size; |
666 | + |
667 | + if(offset <= image->width || offset <= image->cpp) |
668 | + RETURN(XpmNoMemory); |
669 | + |
670 | + if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *)) |
671 | + RETURN(XpmNoMemory); |
672 | + data_size = (image->height + ext_nlines) * sizeof(char *); |
673 | + |
674 | + if (image->height > UINT_MAX / offset || |
675 | + image->height * offset > UINT_MAX - data_size) |
676 | + RETURN(XpmNoMemory); |
677 | + data_size += image->height * offset; |
678 | + |
679 | + if( (header_size + ext_size) >= (UINT_MAX - data_size) ) |
680 | + RETURN(XpmNoMemory); |
681 | + data_size += header_size + ext_size; |
682 | |
683 | data = (char **) XpmMalloc(data_size); |
684 | if (!data) |
685 | @@ -189,8 +213,10 @@ |
686 | |
687 | data_nlines = header_nlines + image->height + ext_nlines; |
688 | *data = (char *) (data + data_nlines); |
689 | + |
690 | + /* can header have less elements then n suggests? */ |
691 | n = image->ncolors; |
692 | - for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) { |
693 | + for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) { |
694 | strcpy(*sptr, *sptr2); |
695 | *(sptr + 1) = *sptr + strlen(*sptr2) + 1; |
696 | } |
697 | @@ -199,12 +225,13 @@ |
698 | data[header_nlines] = (char *) data + header_size |
699 | + (image->height + ext_nlines) * sizeof(char *); |
700 | |
701 | - CreatePixels(data + header_nlines, image->width, image->height, |
702 | + CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height, |
703 | image->cpp, image->data, image->colorTable); |
704 | |
705 | /* print extensions */ |
706 | if (extensions) |
707 | - CreateExtensions(data + header_nlines + image->height - 1, offset, |
708 | + CreateExtensions(data + header_nlines + image->height - 1, |
709 | + data_size - header_nlines - image->height + 1, offset, |
710 | info->extensions, info->nextensions, |
711 | ext_nlines); |
712 | |
713 | @@ -229,18 +256,27 @@ |
714 | for (a = 0; a < ncolors; a++, colors++, dataptr++) { |
715 | |
716 | defaults = (char **) colors; |
717 | + if(sizeof(buf) <= cpp) |
718 | + return(XpmNoMemory); |
719 | strncpy(buf, *defaults++, cpp); |
720 | s = buf + cpp; |
721 | |
722 | + if(sizeof(buf) <= (s-buf)) |
723 | + return XpmNoMemory; |
724 | + |
725 | for (key = 1; key <= NKEYS; key++, defaults++) { |
726 | if ((s2 = *defaults)) { |
727 | #ifndef VOID_SPRINTF |
728 | s += |
729 | #endif |
730 | - sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); |
731 | + /* assume C99 compliance */ |
732 | + snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); |
733 | #ifdef VOID_SPRINTF |
734 | - s += strlen(s); |
735 | + s += strlen(s); |
736 | #endif |
737 | + /* does s point out-of-bounds? */ |
738 | + if(sizeof(buf) < (s-buf)) |
739 | + return XpmNoMemory; |
740 | } |
741 | } |
742 | l = s - buf + 1; |
743 | @@ -254,8 +290,9 @@ |
744 | } |
745 | |
746 | static void |
747 | -CreatePixels(dataptr, width, height, cpp, pixels, colors) |
748 | +CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors) |
749 | char **dataptr; |
750 | + unsigned int data_size; |
751 | unsigned int width; |
752 | unsigned int height; |
753 | unsigned int cpp; |
754 | @@ -265,21 +302,38 @@ |
755 | char *s; |
756 | unsigned int x, y, h, offset; |
757 | |
758 | + if(height <= 1) |
759 | + return; |
760 | + |
761 | h = height - 1; |
762 | + |
763 | offset = width * cpp + 1; |
764 | + |
765 | + if(offset <= width || offset <= cpp) |
766 | + return; |
767 | + |
768 | + /* why trust h? */ |
769 | for (y = 0; y < h; y++, dataptr++) { |
770 | s = *dataptr; |
771 | + /* why trust width? */ |
772 | for (x = 0; x < width; x++, pixels++) { |
773 | - strncpy(s, colors[*pixels].string, cpp); |
774 | + if(cpp > (data_size - (s - *dataptr))) |
775 | + return; |
776 | + strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */ |
777 | s += cpp; |
778 | } |
779 | *s = '\0'; |
780 | + if(offset > data_size) |
781 | + return; |
782 | *(dataptr + 1) = *dataptr + offset; |
783 | } |
784 | /* duplicate some code to avoid a test in the loop */ |
785 | s = *dataptr; |
786 | + /* why trust width? */ |
787 | for (x = 0; x < width; x++, pixels++) { |
788 | - strncpy(s, colors[*pixels].string, cpp); |
789 | + if(cpp > data_size - (s - *dataptr)) |
790 | + return; |
791 | + strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? */ |
792 | s += cpp; |
793 | } |
794 | *s = '\0'; |
795 | @@ -312,8 +366,9 @@ |
796 | } |
797 | |
798 | static void |
799 | -CreateExtensions(dataptr, offset, ext, num, ext_nlines) |
800 | +CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines) |
801 | char **dataptr; |
802 | + unsigned int data_size; |
803 | unsigned int offset; |
804 | XpmExtension *ext; |
805 | unsigned int num; |
806 | @@ -326,12 +381,12 @@ |
807 | dataptr++; |
808 | a = 0; |
809 | for (x = 0; x < num; x++, ext++) { |
810 | - sprintf(*dataptr, "XPMEXT %s", ext->name); |
811 | + snprintf(*dataptr, data_size, "XPMEXT %s", ext->name); |
812 | a++; |
813 | if (a < ext_nlines) |
814 | *(dataptr + 1) = *dataptr + strlen(ext->name) + 8; |
815 | dataptr++; |
816 | - b = ext->nlines; |
817 | + b = ext->nlines; /* can we trust these values? */ |
818 | for (y = 0, line = ext->lines; y < b; y++, line++) { |
819 | strcpy(*dataptr, *line); |
820 | a++; |
821 | diff -Nur lib/Xm/Xpmcreate.c lib/Xm/Xpmcreate.c |
822 | --- lib/Xm/Xpmcreate.c 2005-02-14 15:20:49.348039308 +0100 |
823 | +++ lib/Xm/Xpmcreate.c 2005-02-14 14:36:37.104801803 +0100 |
824 | @@ -44,6 +44,8 @@ |
825 | #endif |
826 | |
827 | |
828 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
829 | + |
830 | #include "XpmI.h" |
831 | #include <ctype.h> |
832 | |
833 | @@ -565,7 +567,7 @@ |
834 | */ |
835 | } else { |
836 | #endif |
837 | - int i; |
838 | + unsigned int i; |
839 | |
840 | ncols = visual->map_entries; |
841 | cols = (XColor *) XpmCalloc(ncols, sizeof(XColor)); |
842 | @@ -723,6 +725,7 @@ |
843 | /* function call in case of error, frees only locally allocated variables */ |
844 | #undef RETURN |
845 | #define RETURN(status) \ |
846 | +do \ |
847 | { \ |
848 | if (ximage) XDestroyImage(ximage); \ |
849 | if (shapeimage) XDestroyImage(shapeimage); \ |
850 | @@ -733,7 +736,7 @@ |
851 | if (alloc_pixels) XpmFree(alloc_pixels); \ |
852 | if (used_pixels) XpmFree(used_pixels); \ |
853 | return (status); \ |
854 | -} |
855 | +} while(0) |
856 | |
857 | int |
858 | XpmCreateImageFromXpmImage(display, image, |
859 | @@ -804,7 +807,7 @@ |
860 | |
861 | ErrorStatus = XpmSuccess; |
862 | |
863 | - if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) |
864 | + if (image->ncolors >= UINT_MAX / sizeof(Pixel)) |
865 | return (XpmNoMemory); |
866 | |
867 | /* malloc pixels index tables */ |
868 | @@ -950,9 +953,13 @@ |
869 | return (XpmNoMemory); |
870 | |
871 | #ifndef FOR_MSW |
872 | - if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) |
873 | - return XpmNoMemory; |
874 | + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { |
875 | + XDestroyImage(*image_return); |
876 | + return XpmNoMemory; |
877 | + } |
878 | /* now that bytes_per_line must have been set properly alloc data */ |
879 | + if((*image_return)->bytes_per_line == 0 || height == 0) |
880 | + return XpmNoMemory; |
881 | (*image_return)->data = |
882 | (char *) XpmMalloc((*image_return)->bytes_per_line * height); |
883 | |
884 | @@ -980,7 +987,7 @@ |
885 | LFUNC(_putbits, void, (register char *src, int dstoffset, |
886 | register int numbits, register char *dst)); |
887 | |
888 | -LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); |
889 | +LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); |
890 | |
891 | static unsigned char Const _reverse_byte[0x100] = { |
892 | 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, |
893 | @@ -1020,12 +1027,12 @@ |
894 | static int |
895 | _XReverse_Bytes(bpt, nb) |
896 | register unsigned char *bpt; |
897 | - register int nb; |
898 | + register unsigned int nb; |
899 | { |
900 | do { |
901 | *bpt = _reverse_byte[*bpt]; |
902 | bpt++; |
903 | - } while (--nb > 0); |
904 | + } while (--nb > 0); /* is nb user-controled? */ |
905 | return 0; |
906 | } |
907 | |
908 | @@ -1164,7 +1171,7 @@ |
909 | register char *src; |
910 | register char *dst; |
911 | register unsigned int *iptr; |
912 | - register int x, y, i; |
913 | + register unsigned int x, y, i; |
914 | register char *data; |
915 | Pixel pixel, px; |
916 | int nbytes, depth, ibu, ibpp; |
917 | @@ -1174,8 +1181,8 @@ |
918 | depth = image->depth; |
919 | if (depth == 1) { |
920 | ibu = image->bitmap_unit; |
921 | - for (y = 0; y < height; y++) |
922 | - for (x = 0; x < width; x++, iptr++) { |
923 | + for (y = 0; y < height; y++) /* how can we trust height */ |
924 | + for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ |
925 | pixel = pixels[*iptr]; |
926 | for (i = 0, px = pixel; i < sizeof(unsigned long); |
927 | i++, px >>= 8) |
928 | @@ -1250,12 +1257,12 @@ |
929 | { |
930 | unsigned char *data; |
931 | unsigned int *iptr; |
932 | - int y; |
933 | + unsigned int y; |
934 | Pixel pixel; |
935 | |
936 | #ifdef WITHOUT_SPEEDUPS |
937 | |
938 | - int x; |
939 | + unsigned int x; |
940 | unsigned char *addr; |
941 | |
942 | data = (unsigned char *) image->data; |
943 | @@ -1292,7 +1299,7 @@ |
944 | |
945 | #else /* WITHOUT_SPEEDUPS */ |
946 | |
947 | - int bpl = image->bytes_per_line; |
948 | + unsigned int bpl = image->bytes_per_line; |
949 | unsigned char *data_ptr, *max_data; |
950 | |
951 | data = (unsigned char *) image->data; |
952 | @@ -1360,11 +1367,11 @@ |
953 | { |
954 | unsigned char *data; |
955 | unsigned int *iptr; |
956 | - int y; |
957 | + unsigned int y; |
958 | |
959 | #ifdef WITHOUT_SPEEDUPS |
960 | |
961 | - int x; |
962 | + unsigned int x; |
963 | unsigned char *addr; |
964 | |
965 | data = (unsigned char *) image->data; |
966 | @@ -1388,7 +1395,7 @@ |
967 | |
968 | Pixel pixel; |
969 | |
970 | - int bpl = image->bytes_per_line; |
971 | + unsigned int bpl = image->bytes_per_line; |
972 | unsigned char *data_ptr, *max_data; |
973 | |
974 | data = (unsigned char *) image->data; |
975 | @@ -1441,11 +1448,11 @@ |
976 | { |
977 | char *data; |
978 | unsigned int *iptr; |
979 | - int y; |
980 | + unsigned int y; |
981 | |
982 | #ifdef WITHOUT_SPEEDUPS |
983 | |
984 | - int x; |
985 | + unsigned int x; |
986 | |
987 | data = image->data; |
988 | iptr = pixelindex; |
989 | @@ -1455,7 +1462,7 @@ |
990 | |
991 | #else /* WITHOUT_SPEEDUPS */ |
992 | |
993 | - int bpl = image->bytes_per_line; |
994 | + unsigned int bpl = image->bytes_per_line; |
995 | char *data_ptr, *max_data; |
996 | |
997 | data = image->data; |
998 | @@ -1490,12 +1497,12 @@ |
999 | PutImagePixels(image, width, height, pixelindex, pixels); |
1000 | else { |
1001 | unsigned int *iptr; |
1002 | - int y; |
1003 | + unsigned int y; |
1004 | char *data; |
1005 | |
1006 | #ifdef WITHOUT_SPEEDUPS |
1007 | |
1008 | - int x; |
1009 | + unsigned int x; |
1010 | |
1011 | data = image->data; |
1012 | iptr = pixelindex; |
1013 | @@ -1673,6 +1680,9 @@ |
1014 | Pixel px; |
1015 | int nbytes; |
1016 | |
1017 | + if(x < 0 || y < 0) |
1018 | + return 0; |
1019 | + |
1020 | for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8) |
1021 | ((unsigned char *)&pixel)[i] = px; |
1022 | src = &ximage->data[XYINDEX(x, y, ximage)]; |
1023 | @@ -1704,7 +1714,10 @@ |
1024 | register int i; |
1025 | register char *data; |
1026 | Pixel px; |
1027 | - int nbytes, ibpp; |
1028 | + unsigned int nbytes, ibpp; |
1029 | + |
1030 | + if(x < 0 || y < 0) |
1031 | + return 0; |
1032 | |
1033 | ibpp = ximage->bits_per_pixel; |
1034 | if (ximage->depth == 4) |
1035 | @@ -1737,6 +1750,9 @@ |
1036 | { |
1037 | unsigned char *addr; |
1038 | |
1039 | + if(x < 0 || y < 0) |
1040 | + return 0; |
1041 | + |
1042 | addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; |
1043 | *((unsigned long *)addr) = pixel; |
1044 | return 1; |
1045 | @@ -1751,6 +1767,9 @@ |
1046 | { |
1047 | unsigned char *addr; |
1048 | |
1049 | + if(x < 0 || y < 0) |
1050 | + return 0; |
1051 | + |
1052 | addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; |
1053 | addr[0] = pixel >> 24; |
1054 | addr[1] = pixel >> 16; |
1055 | @@ -1768,6 +1787,9 @@ |
1056 | { |
1057 | unsigned char *addr; |
1058 | |
1059 | + if(x < 0 || y < 0) |
1060 | + return 0; |
1061 | + |
1062 | addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; |
1063 | addr[3] = pixel >> 24; |
1064 | addr[2] = pixel >> 16; |
1065 | @@ -1785,6 +1807,9 @@ |
1066 | { |
1067 | unsigned char *addr; |
1068 | |
1069 | + if(x < 0 || y < 0) |
1070 | + return 0; |
1071 | + |
1072 | addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; |
1073 | addr[0] = pixel >> 8; |
1074 | addr[1] = pixel; |
1075 | @@ -1800,6 +1825,9 @@ |
1076 | { |
1077 | unsigned char *addr; |
1078 | |
1079 | + if(x < 0 || y < 0) |
1080 | + return 0; |
1081 | + |
1082 | addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; |
1083 | addr[1] = pixel >> 8; |
1084 | addr[0] = pixel; |
1085 | @@ -1813,6 +1841,9 @@ |
1086 | int y; |
1087 | unsigned long pixel; |
1088 | { |
1089 | + if(x < 0 || y < 0) |
1090 | + return 0; |
1091 | + |
1092 | ximage->data[ZINDEX8(x, y, ximage)] = pixel; |
1093 | return 1; |
1094 | } |
1095 | @@ -1824,6 +1855,9 @@ |
1096 | int y; |
1097 | unsigned long pixel; |
1098 | { |
1099 | + if(x < 0 || y < 0) |
1100 | + return 0; |
1101 | + |
1102 | if (pixel & 1) |
1103 | ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); |
1104 | else |
1105 | @@ -1838,6 +1872,9 @@ |
1106 | int y; |
1107 | unsigned long pixel; |
1108 | { |
1109 | + if(x < 0 || y < 0) |
1110 | + return 0; |
1111 | + |
1112 | if (pixel & 1) |
1113 | ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); |
1114 | else |
1115 | @@ -1850,6 +1887,7 @@ |
1116 | /* function call in case of error, frees only locally allocated variables */ |
1117 | #undef RETURN |
1118 | #define RETURN(status) \ |
1119 | +do \ |
1120 | { \ |
1121 | if (USE_HASHTABLE) xpmHashTableFree(&hashtable); \ |
1122 | if (colorTable) xpmFreeColorTable(colorTable, ncolors); \ |
1123 | @@ -1865,7 +1903,7 @@ |
1124 | if (alloc_pixels) XpmFree(alloc_pixels); \ |
1125 | if (used_pixels) XpmFree(used_pixels); \ |
1126 | return(status); \ |
1127 | -} |
1128 | +} while(0) |
1129 | |
1130 | /* |
1131 | * This function parses an Xpm file or data and directly create an XImage |
1132 | @@ -1997,7 +2035,7 @@ |
1133 | xpmGetCmt(data, &colors_cmt); |
1134 | |
1135 | /* malloc pixels index tables */ |
1136 | - if (ncolors >= SIZE_MAX / sizeof(Pixel)) |
1137 | + if (ncolors >= UINT_MAX / sizeof(Pixel)) |
1138 | return XpmNoMemory; |
1139 | |
1140 | image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); |
1141 | @@ -2109,7 +2147,7 @@ |
1142 | * free the hastable |
1143 | */ |
1144 | if (ErrorStatus != XpmSuccess) |
1145 | - RETURN(ErrorStatus) |
1146 | + RETURN(ErrorStatus); |
1147 | else if (USE_HASHTABLE) |
1148 | xpmHashTableFree(&hashtable); |
1149 | |
1150 | @@ -2258,11 +2296,11 @@ |
1151 | |
1152 | /* array of pointers malloced by need */ |
1153 | unsigned short *cidx[256]; |
1154 | - int char1; |
1155 | + unsigned int char1; |
1156 | |
1157 | bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ |
1158 | for (a = 0; a < ncolors; a++) { |
1159 | - char1 = colorTable[a].string[0]; |
1160 | + char1 = (unsigned char) colorTable[a].string[0]; |
1161 | if (cidx[char1] == NULL) { /* get new memory */ |
1162 | cidx[char1] = (unsigned short *) |
1163 | XpmCalloc(256, sizeof(unsigned short)); |
1164 | @@ -2280,7 +2318,7 @@ |
1165 | int cc1 = xpmGetC(data); |
1166 | if (cc1 > 0 && cc1 < 256) { |
1167 | int cc2 = xpmGetC(data); |
1168 | - if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0) { |
1169 | + if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0) { |
1170 | #ifndef FOR_MSW |
1171 | XPutPixel(image, x, y, |
1172 | image_pixels[cidx[cc1][cc2] - 1]); |
1173 | diff -Nur lib/Xm/Xpmdata.c lib/Xm/Xpmdata.c |
1174 | --- lib/Xm/Xpmdata.c 2005-02-14 15:20:49.343040299 +0100 |
1175 | +++ lib/Xm/Xpmdata.c 2005-02-14 14:38:22.161975990 +0100 |
1176 | @@ -33,6 +33,8 @@ |
1177 | * Developed by Arnaud Le Hors * |
1178 | \*****************************************************************************/ |
1179 | |
1180 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
1181 | + |
1182 | /* Official version number */ |
1183 | static char *RCS_Version = "$XpmVersion: 3.4i $"; |
1184 | |
1185 | @@ -279,7 +281,7 @@ |
1186 | } |
1187 | ungetc(c, file); |
1188 | } |
1189 | - return (n); |
1190 | + return (n); /* this returns bytes read + 1 */ |
1191 | } |
1192 | |
1193 | /* |
1194 | @@ -376,8 +378,9 @@ |
1195 | { |
1196 | if (!mdata->type) |
1197 | *cmt = NULL; |
1198 | - else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) { |
1199 | - *cmt = (char *) XpmMalloc(mdata->CommentLength + 1); |
1200 | + else if (mdata->CommentLength != 0 && mdata->CommentLength < UINT_MAX - 1) { |
1201 | + if( (*cmt = (char *) XpmMalloc(mdata->CommentLength + 1)) == NULL) |
1202 | + return XpmNoMemory; |
1203 | strncpy(*cmt, mdata->Comment, mdata->CommentLength); |
1204 | (*cmt)[mdata->CommentLength] = '\0'; |
1205 | mdata->CommentLength = 0; |
1206 | @@ -405,7 +408,7 @@ |
1207 | xpmParseHeader(mdata) |
1208 | xpmData *mdata; |
1209 | { |
1210 | - char buf[BUFSIZ]; |
1211 | + char buf[BUFSIZ+1] = {0}; |
1212 | int l, n = 0; |
1213 | |
1214 | if (mdata->type) { |
1215 | diff -Nur lib/Xm/Xpmhashtab.c lib/Xm/Xpmhashtab.c |
1216 | --- lib/Xm/Xpmhashtab.c 2005-02-14 15:20:49.342040497 +0100 |
1217 | +++ lib/Xm/Xpmhashtab.c 2005-02-14 14:39:44.386676330 +0100 |
1218 | @@ -144,13 +144,13 @@ |
1219 | unsigned int size = table->size; |
1220 | xpmHashAtom *t, *p; |
1221 | int i; |
1222 | - int oldSize = size; |
1223 | + unsigned int oldSize = size; |
1224 | |
1225 | t = atomTable; |
1226 | HASH_TABLE_GROWS |
1227 | table->size = size; |
1228 | table->limit = size / 3; |
1229 | - if (size >= SIZE_MAX / sizeof(*atomTable)) |
1230 | + if (size >= UINT_MAX / sizeof(*atomTable)) |
1231 | return (XpmNoMemory); |
1232 | atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); |
1233 | if (!atomTable) |
1234 | @@ -212,7 +212,7 @@ |
1235 | table->size = INITIAL_HASH_SIZE; |
1236 | table->limit = table->size / 3; |
1237 | table->used = 0; |
1238 | - if (table->size >= SIZE_MAX / sizeof(*atomTable)) |
1239 | + if (table->size >= UINT_MAX / sizeof(*atomTable)) |
1240 | return (XpmNoMemory); |
1241 | atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); |
1242 | if (!atomTable) |
1243 | --- lib/Xm/XpmI.h 2005-02-14 15:20:49.344040101 +0100 |
1244 | +++ lib/Xm/XpmI.h 2005-02-14 14:24:12.903327195 +0100 |
1245 | @@ -108,8 +109,10 @@ |
1246 | * lets try to solve include files |
1247 | */ |
1248 | |
1249 | +#include <sys/types.h> |
1250 | #include <stdio.h> |
1251 | #include <stdlib.h> |
1252 | +#include <limits.h> |
1253 | /* stdio.h doesn't declare popen on a Sequent DYNIX OS */ |
1254 | #ifdef sequent |
1255 | extern FILE *popen(); |
1256 | diff -Nur lib/Xm/Xpmmisc.c lib/Xm/Xpmmisc.c |
1257 | --- lib/Xm/Xpmmisc.c 2002-01-10 21:57:09.000000000 +0100 |
1258 | +++ lib/Xm/Xpmmisc.c 2005-02-14 14:24:12.907326402 +0100 |
1259 | @@ -52,7 +52,7 @@ |
1260 | char *s1; |
1261 | { |
1262 | char *s2; |
1263 | - int l = strlen(s1) + 1; |
1264 | + size_t l = strlen(s1) + 1; |
1265 | |
1266 | if (s2 = (char *) XpmMalloc(l)) |
1267 | strcpy(s2, s1); |
1268 | diff -Nur lib/Xm/Xpmparse.c lib/Xm/Xpmparse.c |
1269 | --- lib/Xm/Xpmparse.c 2005-02-14 15:20:49.349039110 +0100 |
1270 | +++ lib/Xm/Xpmparse.c 2005-02-14 14:46:55.361242890 +0100 |
1271 | @@ -49,21 +49,21 @@ |
1272 | #include <string.h> |
1273 | |
1274 | #ifdef HAS_STRLCAT |
1275 | -# define STRLCAT(dst, src, dstsize) { \ |
1276 | +# define STRLCAT(dst, src, dstsize) do { \ |
1277 | if (strlcat(dst, src, dstsize) >= (dstsize)) \ |
1278 | - return (XpmFileInvalid); } |
1279 | -# define STRLCPY(dst, src, dstsize) { \ |
1280 | + return (XpmFileInvalid); } while(0) |
1281 | +# define STRLCPY(dst, src, dstsize) do { \ |
1282 | if (strlcpy(dst, src, dstsize) >= (dstsize)) \ |
1283 | - return (XpmFileInvalid); } |
1284 | + return (XpmFileInvalid); } while(0) |
1285 | #else |
1286 | -# define STRLCAT(dst, src, dstsize) { \ |
1287 | +# define STRLCAT(dst, src, dstsize) do { \ |
1288 | if ((strlen(dst) + strlen(src)) < (dstsize)) \ |
1289 | strcat(dst, src); \ |
1290 | - else return (XpmFileInvalid); } |
1291 | -# define STRLCPY(dst, src, dstsize) { \ |
1292 | + else return (XpmFileInvalid); } while(0) |
1293 | +# define STRLCPY(dst, src, dstsize) do { \ |
1294 | if (strlen(src) < (dstsize)) \ |
1295 | strcpy(dst, src); \ |
1296 | - else return (XpmFileInvalid); } |
1297 | + else return (XpmFileInvalid); } while(0) |
1298 | #endif |
1299 | |
1300 | LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, |
1301 | @@ -83,6 +83,7 @@ |
1302 | /* function call in case of error, frees only locally allocated variables */ |
1303 | #undef RETURN |
1304 | #define RETURN(status) \ |
1305 | +do \ |
1306 | { \ |
1307 | if (colorTable) xpmFreeColorTable(colorTable, ncolors); \ |
1308 | if (pixelindex) XpmFree(pixelindex); \ |
1309 | @@ -90,7 +91,7 @@ |
1310 | if (colors_cmt) XpmFree(colors_cmt); \ |
1311 | if (pixels_cmt) XpmFree(pixels_cmt); \ |
1312 | return(status); \ |
1313 | -} |
1314 | +} while(0) |
1315 | |
1316 | /* |
1317 | * This function parses an Xpm file or data and store the found informations |
1318 | @@ -354,7 +355,7 @@ |
1319 | char **defaults; |
1320 | int ErrorStatus; |
1321 | |
1322 | - if (ncolors >= SIZE_MAX / sizeof(XpmColor)) |
1323 | + if (ncolors >= UINT_MAX / sizeof(XpmColor)) |
1324 | return (XpmNoMemory); |
1325 | colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); |
1326 | if (!colorTable) |
1327 | @@ -367,7 +368,7 @@ |
1328 | /* |
1329 | * read pixel value |
1330 | */ |
1331 | - if (cpp >= SIZE_MAX - 1) { |
1332 | + if (cpp >= UINT_MAX - 1) { |
1333 | xpmFreeColorTable(colorTable, ncolors); |
1334 | return (XpmNoMemory); |
1335 | } |
1336 | @@ -436,7 +437,7 @@ |
1337 | xpmFreeColorTable(colorTable, ncolors); |
1338 | return (XpmFileInvalid); |
1339 | } |
1340 | - len = strlen(curbuf) + 1; |
1341 | + len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */ |
1342 | s = defaults[curkey] = (char *) XpmMalloc(len); |
1343 | if (!s) { |
1344 | xpmFreeColorTable(colorTable, ncolors); |
1345 | @@ -455,7 +456,7 @@ |
1346 | /* |
1347 | * read pixel value |
1348 | */ |
1349 | - if (cpp >= SIZE_MAX - 1) { |
1350 | + if (cpp >= UINT_MAX - 1) { |
1351 | xpmFreeColorTable(colorTable, ncolors); |
1352 | return (XpmNoMemory); |
1353 | } |
1354 | @@ -500,7 +501,7 @@ |
1355 | memcpy(s, curbuf, len); |
1356 | color->c_color = s; |
1357 | *curbuf = '\0'; /* reset curbuf */ |
1358 | - if (a < ncolors - 1) |
1359 | + if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */ |
1360 | xpmNextString(data); /* get to the next string */ |
1361 | } |
1362 | } |
1363 | @@ -519,11 +520,11 @@ |
1364 | xpmHashTable *hashtable; |
1365 | unsigned int **pixels; |
1366 | { |
1367 | - unsigned int *iptr, *iptr2; |
1368 | + unsigned int *iptr, *iptr2 = NULL; |
1369 | unsigned int a, x, y; |
1370 | |
1371 | - if ((height > 0 && width >= SIZE_MAX / height) || |
1372 | - width * height >= SIZE_MAX / sizeof(unsigned int)) |
1373 | + if ((height > 0 && width >= UINT_MAX / height) || |
1374 | + width * height >= UINT_MAX / sizeof(unsigned int)) |
1375 | return XpmNoMemory; |
1376 | #ifndef FOR_MSW |
1377 | iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); |
1378 | @@ -548,8 +549,10 @@ |
1379 | { |
1380 | unsigned short colidx[256]; |
1381 | |
1382 | - if (ncolors > 256) |
1383 | + if (ncolors > 256) { |
1384 | return (XpmFileInvalid); |
1385 | + XpmFree(iptr2); /* found by Egbert Eich */ |
1386 | + } |
1387 | |
1388 | bzero((char *)colidx, 256 * sizeof(short)); |
1389 | for (a = 0; a < ncolors; a++) |
1390 | @@ -576,16 +579,20 @@ |
1391 | { |
1392 | |
1393 | /* free all allocated pointers at all exits */ |
1394 | -#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \ |
1395 | -if (cidx[f]) XpmFree(cidx[f]);} |
1396 | +#define FREE_CIDX \ |
1397 | +do \ |
1398 | +{ \ |
1399 | + int f; for (f = 0; f < 256; f++) \ |
1400 | + if (cidx[f]) XpmFree(cidx[f]); \ |
1401 | +} while(0) |
1402 | |
1403 | /* array of pointers malloced by need */ |
1404 | unsigned short *cidx[256]; |
1405 | - int char1; |
1406 | + unsigned int char1; |
1407 | |
1408 | bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ |
1409 | for (a = 0; a < ncolors; a++) { |
1410 | - char1 = colorTable[a].string[0]; |
1411 | + char1 = (unsigned char) colorTable[a].string[0]; |
1412 | if (cidx[char1] == NULL) { /* get new memory */ |
1413 | cidx[char1] = (unsigned short *) |
1414 | XpmCalloc(256, sizeof(unsigned short)); |
1415 | @@ -604,7 +611,7 @@ |
1416 | int cc1 = xpmGetC(data); |
1417 | if (cc1 > 0 && cc1 < 256) { |
1418 | int cc2 = xpmGetC(data); |
1419 | - if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0) |
1420 | + if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0) |
1421 | *iptr = cidx[cc1][cc2] - 1; |
1422 | else { |
1423 | FREE_CIDX; |
1424 | @@ -628,8 +635,10 @@ |
1425 | char *s; |
1426 | char buf[BUFSIZ]; |
1427 | |
1428 | - if (cpp >= sizeof(buf)) |
1429 | + if (cpp >= sizeof(buf)) { |
1430 | return (XpmFileInvalid); |
1431 | + XpmFree(iptr2); /* found by Egbert Eich */ |
1432 | + } |
1433 | |
1434 | buf[cpp] = '\0'; |
1435 | if (USE_HASHTABLE) { |
1436 | @@ -639,7 +648,7 @@ |
1437 | xpmNextString(data); |
1438 | for (x = 0; x < width; x++, iptr++) { |
1439 | for (a = 0, s = buf; a < cpp; a++, s++) |
1440 | - *s = xpmGetC(data); |
1441 | + *s = xpmGetC(data); /* int assigned to char, not a problem here */ |
1442 | slot = xpmHashSlot(hashtable, buf); |
1443 | if (!*slot) { /* no color matches */ |
1444 | XpmFree(iptr2); |
1445 | @@ -653,7 +662,7 @@ |
1446 | xpmNextString(data); |
1447 | for (x = 0; x < width; x++, iptr++) { |
1448 | for (a = 0, s = buf; a < cpp; a++, s++) |
1449 | - *s = xpmGetC(data); |
1450 | + *s = xpmGetC(data); /* int assigned to char, not a problem here */ |
1451 | for (a = 0; a < ncolors; a++) |
1452 | if (!strcmp(colorTable[a].string, buf)) |
1453 | break; |
1454 | @@ -708,7 +717,7 @@ |
1455 | while (!notstart && notend) { |
1456 | /* there starts an extension */ |
1457 | ext = (XpmExtension *) |
1458 | - XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); |
1459 | + XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */ |
1460 | if (!ext) { |
1461 | XpmFree(string); |
1462 | XpmFreeExtensions(exts, num); |
1463 | @@ -745,7 +754,7 @@ |
1464 | while ((notstart = strncmp("XPMEXT", string, 6)) |
1465 | && (notend = strncmp("XPMENDEXT", string, 9))) { |
1466 | sp = (char **) |
1467 | - XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); |
1468 | + XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */ |
1469 | if (!sp) { |
1470 | XpmFree(string); |
1471 | ext->nlines = nlines; |
1472 | diff -Nur lib/Xm/XpmRdFToBuf.c lib/Xm/XpmRdFToBuf.c |
1473 | --- lib/Xm/XpmRdFToBuf.c 2002-01-10 21:57:08.000000000 +0100 |
1474 | +++ lib/Xm/XpmRdFToBuf.c 2005-02-14 14:24:12.904326997 +0100 |
1475 | @@ -43,6 +43,8 @@ |
1476 | #endif |
1477 | |
1478 | |
1479 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
1480 | + |
1481 | #include "XpmI.h" |
1482 | #include <sys/stat.h> |
1483 | #if !defined(FOR_MSW) && !defined(WIN32) |
1484 | @@ -64,7 +66,8 @@ |
1485 | char *filename; |
1486 | char **buffer_return; |
1487 | { |
1488 | - int fd, fcheck, len; |
1489 | + int fd, fcheck; |
1490 | + off_t len; |
1491 | char *ptr; |
1492 | struct stat stats; |
1493 | FILE *fp; |
1494 | @@ -88,7 +91,7 @@ |
1495 | close(fd); |
1496 | return XpmOpenFailed; |
1497 | } |
1498 | - len = (int) stats.st_size; |
1499 | + len = stats.st_size; |
1500 | ptr = (char *) XpmMalloc(len + 1); |
1501 | if (!ptr) { |
1502 | fclose(fp); |
1503 | diff -Nur lib/Xm/XpmRdFToI.c lib/Xm/XpmRdFToI.c |
1504 | --- lib/Xm/XpmRdFToI.c 2002-01-10 21:57:08.000000000 +0100 |
1505 | +++ lib/Xm/XpmRdFToI.c 2005-02-14 14:24:12.861335519 +0100 |
1506 | @@ -38,6 +38,8 @@ |
1507 | #endif |
1508 | |
1509 | |
1510 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
1511 | + |
1512 | #include "XpmI.h" |
1513 | #include <sys/stat.h> |
1514 | #include <sys/param.h> |
1515 | @@ -127,6 +129,12 @@ |
1516 | /* |
1517 | * open the given file to be read as an xpmData which is returned. |
1518 | */ |
1519 | +#ifndef NO_ZPIPE |
1520 | + FILE *Xpms_popen(char *cmd, const char *type); |
1521 | +#else |
1522 | +# define Xpms_popen popen |
1523 | +#endif |
1524 | + |
1525 | static int |
1526 | OpenReadFile(filename, mdata) |
1527 | char *filename; |
1528 | @@ -144,17 +152,21 @@ |
1529 | mdata->type = XPMFILE; |
1530 | } else { |
1531 | #ifndef NO_ZPIPE |
1532 | - int len = strlen(filename); |
1533 | + size_t len = strlen(filename); |
1534 | + |
1535 | + if(len == 0 || |
1536 | + filename[len-1] == '/') |
1537 | + return(XpmOpenFailed); |
1538 | if ((len > 2) && !strcmp(".Z", filename + (len - 2))) { |
1539 | mdata->type = XPMPIPE; |
1540 | - sprintf(buf, "uncompress -c \"%s\"", filename); |
1541 | - if (!(mdata->stream.file = popen(buf, "r"))) |
1542 | + snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename); |
1543 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) |
1544 | return (XpmOpenFailed); |
1545 | |
1546 | } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) { |
1547 | mdata->type = XPMPIPE; |
1548 | - sprintf(buf, "gunzip -qc \"%s\"", filename); |
1549 | - if (!(mdata->stream.file = popen(buf, "r"))) |
1550 | + snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename); |
1551 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) |
1552 | return (XpmOpenFailed); |
1553 | |
1554 | } else { |
1555 | @@ -162,19 +174,19 @@ |
1556 | if (!(compressfile = (char *) XpmMalloc(len + 4))) |
1557 | return (XpmNoMemory); |
1558 | |
1559 | - sprintf(compressfile, "%s.Z", filename); |
1560 | + snprintf(compressfile, len+4, "%s.Z", filename); |
1561 | if (!stat(compressfile, &status)) { |
1562 | - sprintf(buf, "uncompress -c \"%s\"", compressfile); |
1563 | - if (!(mdata->stream.file = popen(buf, "r"))) { |
1564 | + snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile); |
1565 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) { |
1566 | XpmFree(compressfile); |
1567 | return (XpmOpenFailed); |
1568 | } |
1569 | mdata->type = XPMPIPE; |
1570 | } else { |
1571 | - sprintf(compressfile, "%s.gz", filename); |
1572 | + snprintf(compressfile, len+4, "%s.gz", filename); |
1573 | if (!stat(compressfile, &status)) { |
1574 | - sprintf(buf, "gunzip -c \"%s\"", compressfile); |
1575 | - if (!(mdata->stream.file = popen(buf, "r"))) { |
1576 | + snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile); |
1577 | + if (!(mdata->stream.file = Xpms_popen(buf, "r"))) { |
1578 | XpmFree(compressfile); |
1579 | return (XpmOpenFailed); |
1580 | } |
1581 | @@ -216,7 +228,7 @@ |
1582 | break; |
1583 | #ifndef NO_ZPIPE |
1584 | case XPMPIPE: |
1585 | - pclose(mdata->stream.file); |
1586 | + fclose(mdata->stream.file); |
1587 | break; |
1588 | #endif |
1589 | } |
1590 | diff -Nur lib/Xm/Xpmscan.c lib/Xm/Xpmscan.c |
1591 | --- lib/Xm/Xpmscan.c 2005-02-14 15:20:49.345039902 +0100 |
1592 | +++ lib/Xm/Xpmscan.c 2005-02-14 14:48:52.388044300 +0100 |
1593 | @@ -43,12 +43,14 @@ |
1594 | #endif |
1595 | |
1596 | |
1597 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
1598 | + |
1599 | #include "XpmI.h" |
1600 | |
1601 | #define MAXPRINTABLE 92 /* number of printable ascii chars |
1602 | * minus \ and " for string compat |
1603 | * and ? to avoid ANSI trigraphs. */ |
1604 | - |
1605 | + /* " */ |
1606 | static char *printable = |
1607 | " .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\ |
1608 | ASDFGHJKLPIUYTREWQ!~^/()_`'][{}|"; |
1609 | @@ -163,12 +165,13 @@ |
1610 | /* function call in case of error, frees only locally allocated variables */ |
1611 | #undef RETURN |
1612 | #define RETURN(status) \ |
1613 | +do \ |
1614 | { \ |
1615 | if (pmap.pixelindex) XpmFree(pmap.pixelindex); \ |
1616 | if (pmap.pixels) XpmFree(pmap.pixels); \ |
1617 | if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \ |
1618 | return(status); \ |
1619 | -} |
1620 | +} while(0) |
1621 | |
1622 | /* |
1623 | * This function scans the given image and stores the found informations in |
1624 | @@ -226,15 +229,15 @@ |
1625 | else |
1626 | cpp = 0; |
1627 | |
1628 | - if ((height > 0 && width >= SIZE_MAX / height) || |
1629 | - width * height >= SIZE_MAX / sizeof(unsigned int)) |
1630 | + if ((height > 0 && width >= UINT_MAX / height) || |
1631 | + width * height >= UINT_MAX / sizeof(unsigned int)) |
1632 | RETURN(XpmNoMemory); |
1633 | pmap.pixelindex = |
1634 | (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); |
1635 | if (!pmap.pixelindex) |
1636 | RETURN(XpmNoMemory); |
1637 | |
1638 | - if (pmap.size >= SIZE_MAX / sizeof(Pixel)) |
1639 | + if (pmap.size >= UINT_MAX / sizeof(Pixel)) |
1640 | RETURN(XpmNoMemory); |
1641 | |
1642 | pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); |
1643 | @@ -292,7 +295,7 @@ |
1644 | * color |
1645 | */ |
1646 | |
1647 | - if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) |
1648 | + if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor)) |
1649 | RETURN(XpmNoMemory); |
1650 | colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); |
1651 | if (!colorTable) |
1652 | @@ -341,7 +344,7 @@ |
1653 | |
1654 | /* first get a character string */ |
1655 | a = 0; |
1656 | - if (cpp >= SIZE_MAX - 1) |
1657 | + if (cpp >= UINT_MAX - 1) |
1658 | return (XpmNoMemory); |
1659 | if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) |
1660 | return (XpmNoMemory); |
1661 | @@ -434,7 +437,7 @@ |
1662 | } |
1663 | |
1664 | /* first get character strings and rgb values */ |
1665 | - if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) |
1666 | + if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1) |
1667 | return (XpmNoMemory); |
1668 | xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); |
1669 | if (!xcolors) |
1670 | @@ -591,7 +594,7 @@ |
1671 | char *dst; |
1672 | unsigned int *iptr; |
1673 | char *data; |
1674 | - int x, y, i; |
1675 | + unsigned int x, y, i; |
1676 | int bits, depth, ibu, ibpp, offset; |
1677 | unsigned long lbt; |
1678 | Pixel pixel, px; |
1679 | @@ -693,7 +696,7 @@ |
1680 | unsigned char *addr; |
1681 | unsigned char *data; |
1682 | unsigned int *iptr; |
1683 | - int x, y; |
1684 | + unsigned int x, y; |
1685 | unsigned long lbt; |
1686 | Pixel pixel; |
1687 | int depth; |
1688 | @@ -758,7 +761,7 @@ |
1689 | unsigned char *addr; |
1690 | unsigned char *data; |
1691 | unsigned int *iptr; |
1692 | - int x, y; |
1693 | + unsigned int x, y; |
1694 | unsigned long lbt; |
1695 | Pixel pixel; |
1696 | int depth; |
1697 | @@ -803,7 +806,7 @@ |
1698 | { |
1699 | unsigned int *iptr; |
1700 | unsigned char *data; |
1701 | - int x, y; |
1702 | + unsigned int x, y; |
1703 | unsigned long lbt; |
1704 | Pixel pixel; |
1705 | int depth; |
1706 | @@ -836,7 +839,7 @@ |
1707 | int (*storeFunc) (); |
1708 | { |
1709 | unsigned int *iptr; |
1710 | - int x, y; |
1711 | + unsigned int x, y; |
1712 | char *data; |
1713 | Pixel pixel; |
1714 | int xoff, yoff, offset, bpl; |
1715 | diff -Nur lib/Xm/XpmWrFFrBuf.c lib/Xm/XpmWrFFrBuf.c |
1716 | --- lib/Xm/XpmWrFFrBuf.c 2002-01-10 21:57:08.000000000 +0100 |
1717 | +++ lib/Xm/XpmWrFFrBuf.c 2005-02-14 14:24:12.906326601 +0100 |
1718 | @@ -38,6 +38,8 @@ |
1719 | #endif |
1720 | |
1721 | |
1722 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
1723 | + |
1724 | #include "XpmI.h" |
1725 | |
1726 | int |
1727 | @@ -55,7 +57,7 @@ |
1728 | fcheck = fwrite(buffer, len, 1, fp); |
1729 | fclose(fp); |
1730 | if (fcheck != 1) |
1731 | - return XpmOpenFailed; |
1732 | + return XpmOpenFailed; /* maybe use a better return value */ |
1733 | |
1734 | return XpmSuccess; |
1735 | } |
1736 | diff -Nur lib/Xm/XpmWrFFrI.c lib/Xm/XpmWrFFrI.c |
1737 | --- lib/Xm/XpmWrFFrI.c 2005-02-14 15:20:49.343040299 +0100 |
1738 | +++ lib/Xm/XpmWrFFrI.c 2005-02-14 14:50:25.766533589 +0100 |
1739 | @@ -38,6 +38,8 @@ |
1740 | #endif |
1741 | |
1742 | |
1743 | +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ |
1744 | + |
1745 | #include "XpmI.h" |
1746 | #if !defined(NO_ZPIPE) && defined(WIN32) |
1747 | # define popen _popen |
1748 | @@ -98,7 +100,7 @@ |
1749 | XpmInfo *info; |
1750 | { |
1751 | xpmData mdata; |
1752 | - char *name, *dot, *s, new_name[BUFSIZ]; |
1753 | + char *name, *dot, *s, new_name[BUFSIZ] = {0}; |
1754 | int ErrorStatus; |
1755 | |
1756 | /* open file to write */ |
1757 | @@ -117,6 +119,8 @@ |
1758 | #endif |
1759 | /* let's try to make a valid C syntax name */ |
1760 | if ((dot = index(name, '.'))) { |
1761 | + strncpy(new_name, name, sizeof(new_name)); |
1762 | + new_name[sizeof(new_name)-1] = 0; |
1763 | strcpy(new_name, name); |
1764 | /* change '.' to '_' */ |
1765 | name = s = new_name; |
1766 | @@ -127,7 +131,8 @@ |
1767 | } |
1768 | if ((dot = index(name, '-'))) { |
1769 | if (name != new_name) { |
1770 | - strcpy(new_name, name); |
1771 | + strncpy(new_name, name, sizeof(new_name)); |
1772 | + new_name[sizeof(new_name)-1] = 0; |
1773 | name = new_name; |
1774 | } |
1775 | /* change '-' to '_' */ |
1776 | @@ -244,7 +249,7 @@ |
1777 | unsigned int x, y, h; |
1778 | |
1779 | h = height - 1; |
1780 | - if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) |
1781 | + if (cpp != 0 && width >= (UINT_MAX - 3)/cpp) |
1782 | return (XpmNoMemory); |
1783 | p = buf = (char *) XpmMalloc(width * cpp + 3); |
1784 | if (!buf) |
1785 | @@ -296,6 +301,11 @@ |
1786 | /* |
1787 | * open the given file to be written as an xpmData which is returned |
1788 | */ |
1789 | +#ifndef NO_ZPIPE |
1790 | + FILE *Xpms_popen(char *cmd, const char *type); |
1791 | +#else |
1792 | +# define Xpms_popen popen |
1793 | +#endif |
1794 | static int |
1795 | OpenWriteFile(filename, mdata) |
1796 | char *filename; |
1797 | @@ -311,16 +321,23 @@ |
1798 | mdata->type = XPMFILE; |
1799 | } else { |
1800 | #ifndef NO_ZPIPE |
1801 | - int len = strlen(filename); |
1802 | + size_t len = strlen(filename); |
1803 | + |
1804 | + if(len == 0 || |
1805 | + filename[0] == '/' || |
1806 | + strstr(filename, "../") != NULL || |
1807 | + filename[len-1] == '/') |
1808 | + return(XpmOpenFailed); |
1809 | + |
1810 | if (len > 2 && !strcmp(".Z", filename + (len - 2))) { |
1811 | - sprintf(buf, "compress > \"%s\"", filename); |
1812 | - if (!(mdata->stream.file = popen(buf, "w"))) |
1813 | + snprintf(buf, sizeof(buf), "compress > \"%s\"", filename); |
1814 | + if (!(mdata->stream.file = Xpms_popen(buf, "w"))) |
1815 | return (XpmOpenFailed); |
1816 | |
1817 | mdata->type = XPMPIPE; |
1818 | } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { |
1819 | - sprintf(buf, "gzip -q > \"%s\"", filename); |
1820 | - if (!(mdata->stream.file = popen(buf, "w"))) |
1821 | + snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename); |
1822 | + if (!(mdata->stream.file = Xpms_popen(buf, "w"))) |
1823 | return (XpmOpenFailed); |
1824 | |
1825 | mdata->type = XPMPIPE; |
1826 | @@ -351,7 +368,7 @@ |
1827 | break; |
1828 | #ifndef NO_ZPIPE |
1829 | case XPMPIPE: |
1830 | - pclose(mdata->stream.file); |
1831 | + fclose(mdata->stream.file); |
1832 | break; |
1833 | #endif |
1834 | } |