authorsalo <salo>2005-10-30 17:58:58 +0000
committersalo <salo>2005-10-30 17:58:58 +0000
commit80f0ea3971ef655f67838187a0ab6e2c1897e9c7 (patch)
treee44f1e581af8f37e53b6c58fdb79cea155ff7d93 /graphics/xli
parent013a4157a593f1e7c9e93409922d0e2c9471a37f (diff)
Security fix for CVE-2005-3178:
"Buffer overflow in xli might allow user-complicit attackers to execute arbitrary code via a long title name in a NIFF file, which triggers the overflow during zoom, reduce, or rotate operations." http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178 Patch from Debian.
Diffstat (limited to 'graphics/xli')
-rw-r--r--graphics/xli/Makefile4
-rw-r--r--graphics/xli/distinfo4
-rw-r--r--graphics/xli/patches/patch-ae16
-rw-r--r--graphics/xli/patches/patch-af40
4 files changed, 61 insertions, 3 deletions
diff --git a/graphics/xli/Makefile b/graphics/xli/Makefile
index bcffa1e9d26..3bb0dd8e4f9 100644
--- a/graphics/xli/Makefile
+++ b/graphics/xli/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.30 2005/10/10 19:54:13 reed Exp $
+# $NetBSD: Makefile,v 1.31 2005/10/30 17:58:58 salo Exp $
DISTNAME= xli-2005-02-27
PKGNAME= xli-1.17.0
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= graphics x11
MASTER_SITES= http://pantransit.reptiles.org/prog/xli/
diff --git a/graphics/xli/distinfo b/graphics/xli/distinfo
index a36def49076..606341e8bb9 100644
--- a/graphics/xli/distinfo
+++ b/graphics/xli/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2005/10/23 20:02:57 rillig Exp $
+$NetBSD: distinfo,v 1.18 2005/10/30 17:58:58 salo Exp $
SHA1 (xli-2005-02-27.tar.gz) = 977d8ece0edd41f3ec606310496cf3231f046d88
RMD160 (xli-2005-02-27.tar.gz) = fc83fa5173befa73a0eeb56ad323dad148ef1426
@@ -7,3 +7,5 @@ SHA1 (patch-aa) = e9092fdad849405c5a42760e64875566ed1e04f7
SHA1 (patch-ab) = 4c9e01d046fb96c056799b078c5d78451270f52e
SHA1 (patch-ac) = b4fca6bc9c198728aa3adc0a9f8afaf5be5a004a
SHA1 (patch-ad) = d47bc23051b9e75d265a413fdbde1c5bb9d747de
+SHA1 (patch-ae) = 9085d53b8823ec0ce42dc8072f74e97763abc86b
+SHA1 (patch-af) = e6d762b19dc82377727f045b731b40c04afefe11
diff --git a/graphics/xli/patches/patch-ae b/graphics/xli/patches/patch-ae
new file mode 100644
index 00000000000..78be8b31155
--- /dev/null
+++ b/graphics/xli/patches/patch-ae
@@ -0,0 +1,16 @@
+$NetBSD: patch-ae,v 1.1 2005/10/30 17:58:58 salo Exp $
+
+Security fix for CVE-2005-3178, from Debian.
+
+--- reduce.c.orig 1999-10-25 04:15:02.000000000 +0200
++++ reduce.c 2005-10-30 18:49:53.000000000 +0100
+@@ -178,7 +178,8 @@
+ /* get destination image */
+ depth = colorsToDepth(OutColors);
+ new_image = newRGBImage(image->width, image->height, depth);
+- sprintf(buf, "%s (%d colors)", image->title, OutColors);
++ snprintf(buf, BUFSIZ, "%s (%d colors)", image->title, OutColors);
++ buf[BUFSIZ-1] = '\0';
+ new_image->title = dupString(buf);
+ new_image->gamma = image->gamma;
+
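Review bot: The bound passed to the new snprintf call in reduce.c is the constant `BUFSIZ`, but the declaration of `buf` is outside the hunk, so the limit is only right if `buf` is declared as `char buf[BUFSIZ]`. If `buf` is a local array, `snprintf(buf, sizeof buf, "%s (%d colors)", image->title, OutColors);` ties the bound to the object itself and stays correct if the declaration changes. The explicit `buf[BUFSIZ-1] = '\0';` is redundant with a C99 snprintf and deserves a short comment such as `/* pre-C99 snprintf may not terminate on truncation */`. The enclosing function starts and ends outside the hunk.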
diff --git a/graphics/xli/patches/patch-af b/graphics/xli/patches/patch-af
new file mode 100644
index 00000000000..7e4565ee9b7
--- /dev/null
+++ b/graphics/xli/patches/patch-af
@@ -0,0 +1,40 @@
+$NetBSD: patch-af,v 1.1 2005/10/30 17:58:58 salo Exp $
+
+Security fix for CVE-2005-3178, from Debian.
+
+--- zoom.c.orig 2005-02-28 01:42:39.000000000 +0100
++++ zoom.c 2005-10-30 18:50:04.000000000 +0100
+@@ -52,28 +52,29 @@
+ if (verbose)
+ printf(" Zooming image Y axis by %d%%...", yzoom);
+ if (changetitle)
+- sprintf(buf, "%s (Y zoom %d%%)", oimage->title, yzoom);
++ snprintf(buf, BUFSIZ, "%s (Y zoom %d%%)", oimage->title, yzoom);
+ }
+ else if (!yzoom) {
+ if (verbose)
+ printf(" Zooming image X axis by %d%%...", xzoom);
+ if (changetitle)
+- sprintf(buf, "%s (X zoom %d%%)", oimage->title, xzoom);
++ snprintf(buf, BUFSIZ, "%s (X zoom %d%%)", oimage->title, xzoom);
+ }
+ else if (xzoom == yzoom) {
+ if (verbose)
+ printf(" Zooming image by %d%%...", xzoom);
+ if (changetitle)
+- sprintf(buf, "%s (%d%% zoom)", oimage->title, xzoom);
++ snprintf(buf, BUFSIZ, "%s (%d%% zoom)", oimage->title, xzoom);
+ }
+ else {
+ if (verbose)
+ printf(" Zooming image X axis by %d%% and Y axis by %d%%...",
+ xzoom, yzoom);
+ if (changetitle)
+- sprintf(buf, "%s (X zoom %d%% Y zoom %d%%)", oimage->title,
++ snprintf(buf, BUFSIZ, "%s (X zoom %d%% Y zoom %d%%)", oimage->title,
+ xzoom, yzoom);
+ }
++ buf[BUFSIZ-1] = '\0';
+ if (!changetitle)
+ strcpy(buf,oimage->title);
+
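Review bot: The `strcpy(buf,oimage->title);` at the end of this hunk is still unbounded, so when `changetitle` is false the same image title that the four snprintf calls now limit is copied into `buf` with no length check. Replacing it with `snprintf(buf, BUFSIZ, "%s", oimage->title);` would close that path, and the added `buf[BUFSIZ-1] = '\0';` belongs after that copy, since where it stands now it runs before the strcpy and does not protect it. The declaration of `buf` and the start and end of the function are outside the hunk, so the assumption that `buf` holds `BUFSIZ` bytes should be confirmed there. The CVE text quoted in the commit message also names rotate operations, and this commit only patches reduce.c and zoom.c, so it is worth checking whether the rotate code formats the title in the same way.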