summaryrefslogtreecommitdiff
path: root/graphics/imlib
diff options
context:
space:
mode:
authorsalo <salo@pkgsrc.org>2004-12-10 09:30:42 +0000
committersalo <salo@pkgsrc.org>2004-12-10 09:30:42 +0000
commit75ec60b05ab41a930b43c635e4a2edeeffe78d4a (patch)
tree6d1766b7b3ac2bd129e4dfe70b7e9a3436c39173 /graphics/imlib
parentda746bad75dbbc68c14868d6f23e0686544f7b26 (diff)
downloadpkgsrc-75ec60b05ab41a930b43c635e4a2edeeffe78d4a.tar.gz
Bump PKGREVISION, security fix:
"Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to execute arbitrary code via certain image files." (1.9.15 is also affected) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026 Patch from Pavel Kankovsky.
Diffstat (limited to 'graphics/imlib')
-rw-r--r--graphics/imlib/Makefile3
-rw-r--r--graphics/imlib/buildlink3.mk4
-rw-r--r--graphics/imlib/distinfo12
-rw-r--r--graphics/imlib/patches/patch-ab169
-rw-r--r--graphics/imlib/patches/patch-ai20
-rw-r--r--graphics/imlib/patches/patch-aj89
-rw-r--r--graphics/imlib/patches/patch-ak13
-rw-r--r--graphics/imlib/patches/patch-al15
-rw-r--r--graphics/imlib/patches/patch-am97
-rw-r--r--graphics/imlib/patches/patch-an23
-rw-r--r--graphics/imlib/patches/patch-ao98
11 files changed, 526 insertions, 17 deletions
diff --git a/graphics/imlib/Makefile b/graphics/imlib/Makefile
index e93d380ffdb..ada104036d4 100644
--- a/graphics/imlib/Makefile
+++ b/graphics/imlib/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.89 2004/12/03 13:42:47 adam Exp $
+# $NetBSD: Makefile,v 1.90 2004/12/10 09:30:42 salo Exp $
DISTNAME= imlib-1.9.15
+PKGREVISION= 1
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_GNOME:=sources/imlib/1.9/}
EXTRACT_SUFX= .tar.bz2
diff --git a/graphics/imlib/buildlink3.mk b/graphics/imlib/buildlink3.mk
index fcded2e7cde..55392415d3d 100644
--- a/graphics/imlib/buildlink3.mk
+++ b/graphics/imlib/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.5 2004/10/03 00:14:53 tv Exp $
+# $NetBSD: buildlink3.mk,v 1.6 2004/12/10 09:30:42 salo Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
IMLIB_BUILDLINK3_MK:= ${IMLIB_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= imlib
.if !empty(IMLIB_BUILDLINK3_MK:M+)
BUILDLINK_DEPENDS.imlib+= imlib>=1.9.14nb5
-BUILDLINK_RECOMMENDED.imlib+= imlib>=1.9.14nb7
+BUILDLINK_RECOMMENDED.imlib+= imlib>=1.9.15nb1
BUILDLINK_PKGSRCDIR.imlib?= ../../graphics/imlib
.endif # IMLIB_BUILDLINK3_MK
diff --git a/graphics/imlib/distinfo b/graphics/imlib/distinfo
index b9f7e3415b6..d468c965da2 100644
--- a/graphics/imlib/distinfo
+++ b/graphics/imlib/distinfo
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.15 2004/12/03 13:42:47 adam Exp $
+$NetBSD: distinfo,v 1.16 2004/12/10 09:30:42 salo Exp $
SHA1 (imlib-1.9.15.tar.bz2) = c9a732a354fbb3c7e1a426e5d19fc92d73f8f720
Size (imlib-1.9.15.tar.bz2) = 683242 bytes
SHA1 (patch-aa) = 185a5229af781d3dbc57978a3f4acd8308ca4c14
-SHA1 (patch-ab) = df9f9f7c85f0794748a4ca6f58836f8dd230c805
+SHA1 (patch-ab) = d1daff101bec77680f3e17cb776285976a7b5c7a
SHA1 (patch-ae) = 3ed6fff2e73f04ec83c27dc6e3f2db2fa446abbb
SHA1 (patch-ag) = 961a92dfedc79570aacdd75102e63a32171ece55
SHA1 (patch-ah) = edee5311a47d552f9d1b9dcb96f256518040c538
-SHA1 (patch-ai) = 4c1ab5bd72cd3a5070a84b08e7870591d5a3b309
+SHA1 (patch-ai) = df13b72272f754375348437b99d962cb17732619
+SHA1 (patch-aj) = 2769e304deb93dd413fa3c44d53d1d67e92d5d00
+SHA1 (patch-ak) = 4d7ae79f23bf0c64fd85ffebc086b7bb43207718
+SHA1 (patch-al) = 4ad51c7128f7d6a5ecc67f51c745caf53a4def06
+SHA1 (patch-am) = 73c62e11f5b6ac6774e51f8183987b2b4db01465
+SHA1 (patch-an) = 260aeece3eb74d3ec11deed4e38fd46d3f1cde79
+SHA1 (patch-ao) = d4e3df56d2f743e53e73d72551ccd03491bf1c44
diff --git a/graphics/imlib/patches/patch-ab b/graphics/imlib/patches/patch-ab
index 572a759f4f0..267d4f44789 100644
--- a/graphics/imlib/patches/patch-ab
+++ b/graphics/imlib/patches/patch-ab
@@ -1,8 +1,37 @@
-$NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
+$NetBSD: patch-ab,v 1.6 2004/12/10 09:30:42 salo Exp $
---- Imlib/load.c.orig Wed Mar 13 19:06:29 2002
-+++ Imlib/load.c
-@@ -254,7 +254,8 @@
+--- Imlib/load.c.orig 2004-09-21 02:23:20.000000000 +0200
++++ Imlib/load.c 2004-12-10 09:58:18.000000000 +0100
+@@ -4,6 +4,8 @@
+ #include "Imlib_private.h"
+ #include <setjmp.h>
+
++#define G_MAXINT ((int) 0x7fffffff)
++
+ /* Split the ID - damages input */
+
+ static char *
+@@ -41,13 +43,17 @@
+
+ /*
+ * Make sure we don't wrap on our memory allocations
++ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
++ * + 3 is safety margin
+ */
+
+ void * _imlib_malloc_image(unsigned int w, unsigned int h)
+ {
+- if( w > 32767 || h > 32767)
++ if (w <= 0 || w > 32767 ||
++ h <= 0 || h > 32767 ||
++ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+- return malloc(w * h * 3);
++ return malloc(w * h * 3 + 3);
+ }
+
+ #ifdef HAVE_LIBJPEG
+@@ -254,7 +260,8 @@
png_read_image(png_ptr, lines);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
ptr = data;
@@ -12,7 +41,7 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
{
for (y = 0; y < *h; y++)
{
-@@ -279,6 +280,7 @@
+@@ -279,6 +286,7 @@
}
}
}
@@ -20,7 +49,7 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
else if (color_type == PNG_COLOR_TYPE_GRAY)
{
for (y = 0; y < *h; y++)
-@@ -294,6 +296,7 @@
+@@ -294,6 +302,7 @@
}
}
}
@@ -28,3 +57,131 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
else
{
for (y = 0; y < *h; y++)
+@@ -360,7 +369,9 @@
+ npix = ww * hh;
+ *w = (int)ww;
+ *h = (int)hh;
+- if(ww > 32767 || hh > 32767)
++ if (ww <= 0 || ww > 32767 ||
++ hh <= 0 || hh > 32767 ||
++ hh >= (G_MAXINT/sizeof(uint32)) / ww)
+ {
+ TIFFClose(tif);
+ return NULL;
+@@ -463,7 +474,7 @@
+ }
+ *w = gif->Image.Width;
+ *h = gif->Image.Height;
+- if (*h > 32767 || *w > 32767)
++ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
+ {
+ return NULL;
+ }
+@@ -1000,7 +1011,12 @@
+ comment = 0;
+ quote = 0;
+ context = 0;
++ memset(lookup, 0, sizeof(lookup));
++
+ line = malloc(lsz);
++ if (!line)
++ return NULL;
++
+ while (!done)
+ {
+ pc = c;
+@@ -1029,25 +1045,25 @@
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (*w > 32767)
++ if (*w <= 0 || *w > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ free(line);
+ return NULL;
+ }
+- if (*h > 32767)
++ if (*h <= 0 || *h > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ free(line);
+@@ -1080,11 +1096,13 @@
+ {
+ int slen;
+ int hascolor, iscolor;
++ int space;
+
+ iscolor = 0;
+ hascolor = 0;
+ tok[0] = 0;
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ s[0] = 0;
+ len = strlen(line);
+ strncpy(cmap[j].str, line, cpp);
+@@ -1107,10 +1125,10 @@
+ {
+ if (k >= len)
+ {
+- if (col[0])
+- strcat(col, " ");
+- if (strlen(col) + strlen(s) < sizeof(col))
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ if (col[0])
+ {
+@@ -1140,14 +1158,17 @@
+ }
+ }
+ }
++ if (slen < sizeof(tok));
+ strcpy(tok, s);
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ }
+ else
+ {
+- if (col[0])
+- strcat(col, " ");
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -=1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ }
+ }
+@@ -1376,12 +1397,12 @@
+ sscanf(s, "%i %i", w, h);
+ a = *w;
+ b = *h;
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
diff --git a/graphics/imlib/patches/patch-ai b/graphics/imlib/patches/patch-ai
index d694b7f1b37..4063d7ed918 100644
--- a/graphics/imlib/patches/patch-ai
+++ b/graphics/imlib/patches/patch-ai
@@ -1,8 +1,8 @@
-$NetBSD: patch-ai,v 1.1 2004/03/13 17:35:54 cube Exp $
+$NetBSD: patch-ai,v 1.2 2004/12/10 09:30:42 salo Exp $
--- gdk_imlib/io-ppm.c.orig 2002-03-04 18:06:29.000000000 +0100
-+++ gdk_imlib/io-ppm.c
-@@ -50,7 +50,7 @@ loader_ppm (FILE * f, int *w, int *h, in
++++ gdk_imlib/io-ppm.c 2004-12-10 10:00:56.000000000 +0100
+@@ -50,15 +50,15 @@
if (s[0] != '#')
{
done = 0;
@@ -10,8 +10,18 @@ $NetBSD: patch-ai,v 1.1 2004/03/13 17:35:54 cube Exp $
+ sscanf(s, "%d %d", w, h);
a = *w;
b = *h;
- if (a > 32767)
-@@ -66,7 +66,7 @@ loader_ppm (FILE * f, int *w, int *h, in
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
+@@ -66,7 +66,7 @@
if (!bw)
{
fgets(s, 256, f);
diff --git a/graphics/imlib/patches/patch-aj b/graphics/imlib/patches/patch-aj
new file mode 100644
index 00000000000..36ac62c6873
--- /dev/null
+++ b/graphics/imlib/patches/patch-aj
@@ -0,0 +1,89 @@
+$NetBSD: patch-aj,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- Imlib/utils.c.orig 2004-09-21 02:22:59.000000000 +0200
++++ Imlib/utils.c 2004-12-10 09:58:18.000000000 +0100
+@@ -1496,36 +1496,56 @@
+ context = 0;
+ ptr = NULL;
+ end = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ while (!done)
+ {
+ line = data[count++];
++ if (!line)
++ break;
++ line = strdup(line);
++ if (!line)
++ break;
++ len = strlen(line);
++ for (i = 0; i < len; ++i)
++ {
++ c = line[i];
++ if (c < 32)
++ line[i] = 32;
++ else if (c > 127)
++ line[i] = 127;
++ }
++
+ if (context == 0)
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (w > 32767)
++ if (w <= 0 || w > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (h > 32767)
++ if (h <= 0 || h > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+ cmap = malloc(sizeof(struct _cmap) * ncolors);
+@@ -1533,6 +1553,7 @@
+ if (!cmap)
+ {
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->rgb_width = w;
+@@ -1542,6 +1563,7 @@
+ {
+ free(cmap);
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->alpha_data = NULL;
+@@ -1817,6 +1839,7 @@
+ }
+ if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
+ done = 1;
++ free(line);
+ }
+ if (!transp)
+ {
diff --git a/graphics/imlib/patches/patch-ak b/graphics/imlib/patches/patch-ak
new file mode 100644
index 00000000000..1d640290d70
--- /dev/null
+++ b/graphics/imlib/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- gdk_imlib/io-gif.c.orig 2002-03-04 18:06:29.000000000 +0100
++++ gdk_imlib/io-gif.c 2004-12-10 10:00:56.000000000 +0100
+@@ -55,7 +55,7 @@
+ }
+ *w = gif->Image.Width;
+ *h = gif->Image.Height;
+- if(*h > 32767 || *w > 32767)
++ if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
+ {
+ return NULL;
+ }
diff --git a/graphics/imlib/patches/patch-al b/graphics/imlib/patches/patch-al
new file mode 100644
index 00000000000..f06fd5f4a3f
--- /dev/null
+++ b/graphics/imlib/patches/patch-al
@@ -0,0 +1,15 @@
+$NetBSD: patch-al,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- gdk_imlib/io-tiff.c.orig 2002-03-04 18:06:29.000000000 +0100
++++ gdk_imlib/io-tiff.c 2004-12-10 10:00:56.000000000 +0100
+@@ -36,7 +36,9 @@
+ npix = ww * hh;
+ *w = (int)ww;
+ *h = (int)hh;
+- if(ww > 32767 || hh > 32767)
++ if (ww <= 0 || ww > 32767 ||
++ hh <= 0 || hh > 32767 ||
++ hh >= (G_MAXINT/sizeof(uint32)) / ww)
+ {
+ TIFFClose(tif);
+ return NULL;
diff --git a/graphics/imlib/patches/patch-am b/graphics/imlib/patches/patch-am
new file mode 100644
index 00000000000..6b5a3fe8fbf
--- /dev/null
+++ b/graphics/imlib/patches/patch-am
@@ -0,0 +1,97 @@
+$NetBSD: patch-am,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- gdk_imlib/io-xpm.c.orig 2002-03-04 18:06:29.000000000 +0100
++++ gdk_imlib/io-xpm.c 2004-12-10 10:00:56.000000000 +0100
+@@ -40,8 +40,12 @@
+ context = 0;
+ i = j = 0;
+ cmap = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ line = malloc(lsz);
++ if (!line)
++ return NULL;
++
+ while (!done)
+ {
+ pc = c;
+@@ -70,25 +74,25 @@
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (*w > 32767)
++ if (*w <= 0 || *w > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
+ free(line);
+ return NULL;
+ }
+- if (*h > 32767)
++ if (*h <= 0 || *h > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
+ free(line);
+@@ -120,11 +124,13 @@
+ {
+ int slen;
+ int hascolor, iscolor;
++ int space;
+
+ hascolor = 0;
+ iscolor = 0;
+ tok[0] = 0;
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ s[0] = 0;
+ len = strlen(line);
+ strncpy(cmap[j].str, line, cpp);
+@@ -147,10 +153,10 @@
+ {
+ if (k >= len)
+ {
+- if (col[0])
+- strcat(col, " ");
+- if (strlen(col) + strlen(s) < sizeof(col))
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strncat(col, " ", space), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ if (col[0])
+ {
+@@ -180,14 +186,17 @@
+ }
+ }
+ }
++ if (slen < sizeof(tok))
+ strcpy(tok, s);
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ }
+ else
+ {
+- if (col[0])
+- strcat(col, " ");
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ }
+ }
diff --git a/graphics/imlib/patches/patch-an b/graphics/imlib/patches/patch-an
new file mode 100644
index 00000000000..21908102372
--- /dev/null
+++ b/graphics/imlib/patches/patch-an
@@ -0,0 +1,23 @@
+$NetBSD: patch-an,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- gdk_imlib/misc.c.orig 2002-03-04 18:06:32.000000000 +0100
++++ gdk_imlib/misc.c 2004-12-10 10:15:22.000000000 +0100
+@@ -1355,11 +1355,16 @@
+
+ /*
+ * Make sure we don't wrap on our memory allocations
++ * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
++ * + 3 is safety margin
+ */
+
+ void *_gdk_malloc_image(unsigned int w, unsigned int h)
+ {
+- if( w > 32767 || h > 32767)
++ if (w <= 0 || w > 32767 ||
++ h <= 0 || h > 32767 ||
++ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+- return malloc(w * h * 3);
++ return malloc(w * h * 3 + 3);
+ }
++
diff --git a/graphics/imlib/patches/patch-ao b/graphics/imlib/patches/patch-ao
new file mode 100644
index 00000000000..6572f8e12dd
--- /dev/null
+++ b/graphics/imlib/patches/patch-ao
@@ -0,0 +1,98 @@
+$NetBSD: patch-ao,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- gdk_imlib/utils.c.orig 2002-03-22 15:43:29.000000000 +0100
++++ gdk_imlib/utils.c 2004-12-10 10:15:22.000000000 +0100
+@@ -1236,36 +1236,56 @@
+ context = 0;
+ ptr = NULL;
+ end = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ while (!done)
+ {
+ line = data[count++];
++ if (!line)
++ break;
++ line = strdup(line);
++ if (!line)
++ break;
++ len = strlen(line);
++ for (i = 0; i < len; ++i)
++ {
++ c = line[i];
++ if (c < 32)
++ line[i] = 32;
++ else if (c > 127)
++ line[i] = 127;
++ }
++
+ if (context == 0)
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (w > 32767)
++ if (w <= 0 || w > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (h > 32767)
++ if (h <= 0 || h > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+ cmap = malloc(sizeof(struct _cmap) * ncolors);
+@@ -1273,6 +1293,7 @@
+ if (!cmap)
+ {
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->rgb_width = w;
+@@ -1282,6 +1303,7 @@
+ {
+ free(cmap);
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->alpha_data = NULL;
+@@ -1355,7 +1377,7 @@
+ strcpy(col + colptr, " ");
+ colptr++;
+ }
+- if (colptr + ls <= sizeof(col))
++ if (colptr + ls < sizeof(col))
+ {
+ strcpy(col + colptr, s);
+ colptr += ls;
+@@ -1558,6 +1580,7 @@
+ }
+ if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
+ done = 1;
++ free(line);
+ }
+ if (!transp)
+ {