summaryrefslogtreecommitdiff
path: root/graphics/xpm
diff options
context:
space:
mode:
authorjlam <jlam@pkgsrc.org>2005-06-14 18:10:37 +0000
committerjlam <jlam@pkgsrc.org>2005-06-14 18:10:37 +0000
commit416d289ba6fe62a94fe41c69bc35841ea3aa68a2 (patch)
tree1b7ee2922136089c601a3f3b3b9f05d0492a8e93 /graphics/xpm
parentce923579a3a1f50a5e3415d161aa85bce9df2597 (diff)
downloadpkgsrc-416d289ba6fe62a94fe41c69bc35841ea3aa68a2.tar.gz
Apply fixes derived from the HEAD branch of X.Org (6.8.99) to address
problems noted in CAN-2004-0914: Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitary code via a certain XPM image file. Bump PKGREVISION to 4. Since this is a security-related fix, also bump the BUILDLINK_RECOMMENDED version for this package.
Diffstat (limited to 'graphics/xpm')
-rw-r--r--graphics/xpm/Makefile4
-rw-r--r--graphics/xpm/buildlink3.mk4
-rw-r--r--graphics/xpm/distinfo28
-rw-r--r--graphics/xpm/patches/patch-ac28
-rw-r--r--graphics/xpm/patches/patch-ad22
-rw-r--r--graphics/xpm/patches/patch-ae45
-rw-r--r--graphics/xpm/patches/patch-af232
-rw-r--r--graphics/xpm/patches/patch-ag392
-rw-r--r--graphics/xpm/patches/patch-ah40
-rw-r--r--graphics/xpm/patches/patch-ai16
-rw-r--r--graphics/xpm/patches/patch-aj176
-rw-r--r--graphics/xpm/patches/patch-ak168
-rw-r--r--graphics/xpm/patches/patch-al308
-rw-r--r--graphics/xpm/patches/patch-am32
-rw-r--r--graphics/xpm/patches/patch-an88
-rw-r--r--graphics/xpm/patches/patch-ao22
-rw-r--r--graphics/xpm/patches/patch-ap103
-rw-r--r--graphics/xpm/patches/patch-aq13
-rw-r--r--graphics/xpm/patches/patch-ar186
-rw-r--r--graphics/xpm/patches/patch-as12
20 files changed, 1778 insertions, 141 deletions
diff --git a/graphics/xpm/Makefile b/graphics/xpm/Makefile
index 9de228936c7..c0c7ced254f 100644
--- a/graphics/xpm/Makefile
+++ b/graphics/xpm/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2005/06/01 19:31:17 jlam Exp $
+# $NetBSD: Makefile,v 1.43 2005/06/14 18:10:37 jlam Exp $
DISTNAME= xpm-3.4k
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= graphics x11
MASTER_SITES= http://koala.ilog.fr/ftp/pub/xpm/ \
${MASTER_SITE_XCONTRIB:=libraries/}
diff --git a/graphics/xpm/buildlink3.mk b/graphics/xpm/buildlink3.mk
index 10cbdc9ebb2..579b2a1b607 100644
--- a/graphics/xpm/buildlink3.mk
+++ b/graphics/xpm/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.17 2005/06/01 18:02:58 jlam Exp $
+# $NetBSD: buildlink3.mk,v 1.18 2005/06/14 18:10:37 jlam Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
XPM_BUILDLINK3_MK:= ${XPM_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= xpm
.if !empty(XPM_BUILDLINK3_MK:M+)
BUILDLINK_DEPENDS.xpm+= xpm>=3.4k
-BUILDLINK_RECOMMENDED.xpm?= xpm>=3.4knb2
+BUILDLINK_RECOMMENDED.xpm?= xpm>=3.4knb4
BUILDLINK_PKGSRCDIR.xpm?= ../../graphics/xpm
.endif # XPM_BUILDLINK3_MK
diff --git a/graphics/xpm/distinfo b/graphics/xpm/distinfo
index f163c270d0e..9c8d825fcdd 100644
--- a/graphics/xpm/distinfo
+++ b/graphics/xpm/distinfo
@@ -1,16 +1,24 @@
-$NetBSD: distinfo,v 1.12 2005/03/10 15:23:10 wiz Exp $
+$NetBSD: distinfo,v 1.13 2005/06/14 18:10:37 jlam Exp $
SHA1 (xpm-3.4k.tar.gz) = a8eac19e5772bf7b3b177353686c1401fbf334bd
RMD160 (xpm-3.4k.tar.gz) = 65a2e58f97724a48a6834aab991341771c5a1faf
Size (xpm-3.4k.tar.gz) = 148887 bytes
SHA1 (patch-aa) = 33725beb53dc01b022e5110dbffab4c6a3ae65dc
SHA1 (patch-ab) = 0c8f317cdbde27929790e46d1711ada5e454b79d
-SHA1 (patch-ac) = a0f1692ecfbf0160f5e5a5e3f31ac9398ff667b7
-SHA1 (patch-ad) = 0b6a2640a175d354449cab0198e3cbe1220f46b4
-SHA1 (patch-ae) = 31cf9b37d8d138ffdcee66b16adb4ed22c129763
-SHA1 (patch-af) = 17fed3b0e060f7cee19d21bc3ec5bf1b87dd89a7
-SHA1 (patch-ag) = 68435561f8fe7753c4bb8ce71ee6e53faf1e83d6
-SHA1 (patch-ah) = 075229583814bbdd0a3d7ac8dcb6ad0507d182ff
-SHA1 (patch-ai) = 79472013037a1866739b96e97d740378086cc46f
-SHA1 (patch-aj) = 98048e40c338f69915e233aa11df0f95deff75a4
-SHA1 (patch-ak) = a949e05f82d5ed9ce48348bcedf4811cff119a03
+SHA1 (patch-ac) = 80c8c58a526ccc8651862d87cc5cd92d8aa9fb2d
+SHA1 (patch-ad) = d352c47831955845e5805ac737031f2ff179b0df
+SHA1 (patch-ae) = 9b11253041212c8e43c426be4729363e4f8e122a
+SHA1 (patch-af) = be7953d5baf84d2b08e89576755428d3bc57e8c2
+SHA1 (patch-ag) = 74f8e7ed98e6d6c85168464e71274dc1ecb56297
+SHA1 (patch-ah) = ffa827d23283c9e937071a202f7f7d5b7846d9d0
+SHA1 (patch-ai) = 619392a9bde70210c5f6e0fa1b7f1e278cd68bfb
+SHA1 (patch-aj) = db0de3aff27606aceb67027691cb6f55c549478a
+SHA1 (patch-ak) = 011da5204f825aaaf4aed4536cfb29a7f63efc5d
+SHA1 (patch-al) = 09ceea05f856edd3fad3aedabbdf535c9d919cd9
+SHA1 (patch-am) = 3f69a82cb9ebaa4e0fc7ce5c63a938cec31bbbd3
+SHA1 (patch-an) = f8f0602116e9000f2506230f0d65eac1171c2904
+SHA1 (patch-ao) = 7681e03f1f317ef5e694a464f1efad82d9de78c2
+SHA1 (patch-ap) = 6ccb211e9051374cf7cdb6138a6520943e1cd645
+SHA1 (patch-aq) = 6d3f3554c7d66d3d9879dc2b352310e32799926c
+SHA1 (patch-ar) = c6a5ef0af6568f519467b753aae5050a0513f99e
+SHA1 (patch-as) = f11694bc7fb300450fd07d496975bfb0fbb6b68f
diff --git a/graphics/xpm/patches/patch-ac b/graphics/xpm/patches/patch-ac
index 6434d9a9821..d7401f412bf 100644
--- a/graphics/xpm/patches/patch-ac
+++ b/graphics/xpm/patches/patch-ac
@@ -1,8 +1,8 @@
-$NetBSD: patch-ac,v 1.2 2001/07/06 21:11:34 tron Exp $
+$NetBSD: patch-ac,v 1.3 2005/06/14 18:10:37 jlam Exp $
---- lib/Imakefile.orig Thu Mar 19 20:50:59 1998
-+++ lib/Imakefile Fri Jul 6 23:02:49 2001
-@@ -34,7 +34,7 @@
+--- lib/Imakefile.orig 1998-03-19 14:50:59.000000000 -0500
++++ lib/Imakefile
+@@ -34,7 +34,7 @@ XCOMM default locations
#define XpmLibDir $(USRLIBDIR)
#endif
#ifndef XpmIncDir
@@ -11,7 +11,7 @@ $NetBSD: patch-ac,v 1.2 2001/07/06 21:11:34 tron Exp $
#endif
XCOMM If not already set in top dir,
-@@ -55,7 +55,7 @@
+@@ -55,7 +55,7 @@ REQUIREDLIBS = $(XLIB)
#endif
XCOMM on Dec Alpha we need to define the following to build the shared library
@@ -20,3 +20,21 @@ $NetBSD: patch-ac,v 1.2 2001/07/06 21:11:34 tron Exp $
REQUIREDLIBS = $(LDPRELIB) $(XLIB)
SO_REQLIBS = -lX11 -lc
#endif
+@@ -104,13 +104,15 @@ HEADERS = xpm.h
+ CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
+ CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
+ CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
+- Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c
++ Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
++ s_popen.c
+
+ OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
+ CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
+ CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \
+ CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
+- Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o
++ Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
++ s_popen.o
+
+ INCLUDES = -I.
+ LINTLIBS = $(LINTXTOLL) $(LINTXLIB)
diff --git a/graphics/xpm/patches/patch-ad b/graphics/xpm/patches/patch-ad
index bf2231b5152..65017a19e74 100644
--- a/graphics/xpm/patches/patch-ad
+++ b/graphics/xpm/patches/patch-ad
@@ -1,8 +1,8 @@
-$NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-ad,v 1.6 2005/06/14 18:10:37 jlam Exp $
---- lib/XpmI.h.orig Thu Mar 19 13:51:00 1998
+--- lib/XpmI.h.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/XpmI.h
-@@ -42,6 +42,7 @@
+@@ -42,14 +42,17 @@
#ifndef XPMI_h
#define XPMI_h
@@ -10,12 +10,22 @@ $NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $
#include "xpm.h"
/*
-@@ -114,6 +115,18 @@ extern FILE *popen();
+ * lets try to solve include files
+ */
+
++#include <sys/types.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ /* stdio.h doesn't declare popen on a Sequent DYNIX OS */
+ #ifdef sequent
+ extern FILE *popen();
+@@ -114,6 +117,18 @@ extern FILE *popen();
boundCheckingCalloc((long)(nelem),(long) (elsize))
#endif
+#if defined(SCO) || defined(__USLC__)
-+#include <stdint.h> /* For SIZE_MAX */
++#include <stdint.h> /* For SIZE_MAX */
+#endif
+#include <limits.h>
+#ifndef SIZE_MAX
@@ -29,7 +39,7 @@ $NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $
#define XPMMAXCMTLEN BUFSIZ
typedef struct {
unsigned int type;
-@@ -215,9 +228,9 @@ typedef struct _xpmHashAtom {
+@@ -215,9 +230,9 @@ typedef struct _xpmHashAtom {
} *xpmHashAtom;
typedef struct {
diff --git a/graphics/xpm/patches/patch-ae b/graphics/xpm/patches/patch-ae
index a94b683aaab..4310250ef8a 100644
--- a/graphics/xpm/patches/patch-ae
+++ b/graphics/xpm/patches/patch-ae
@@ -1,8 +1,13 @@
-$NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-ae,v 1.2 2005/06/14 18:10:37 jlam Exp $
---- lib/Attrib.c.orig Thu Mar 19 13:50:59 1998
+--- lib/Attrib.c.orig 1998-03-19 14:50:59.000000000 -0500
+++ lib/Attrib.c
-@@ -35,7 +35,7 @@
+@@ -32,13 +32,15 @@
+ * Developed by Arnaud Le Hors *
+ \*****************************************************************************/
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
#include "XpmI.h"
/* 3.2 backward compatibility code */
@@ -10,8 +15,12 @@ $NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $
+LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
XpmColor ***oldct));
- LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
-@@ -46,11 +46,14 @@ LFUNC(FreeOldColorTable, void, (XpmColor
+-LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
++LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
+
+ /*
+ * Create a colortable compatible with the old style colortable
+@@ -46,11 +48,14 @@ LFUNC(FreeOldColorTable, void, (XpmColor
static int
CreateOldColorTable(ct, ncolors, oldct)
XpmColor *ct;
@@ -20,10 +29,32 @@ $NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $
XpmColor ***oldct;
{
XpmColor **colorTable, **color;
- int a;
+- int a;
++ unsigned int a;
+
-+ if (ncolors >= SIZE_MAX / sizeof(XpmColor *))
++ if (ncolors >= UINT_MAX / sizeof(XpmColor *))
+ return XpmNoMemory;
colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
if (!colorTable) {
+@@ -66,9 +71,9 @@ CreateOldColorTable(ct, ncolors, oldct)
+ static void
+ FreeOldColorTable(colorTable, ncolors)
+ XpmColor **colorTable;
+- int ncolors;
++ unsigned int ncolors;
+ {
+- int a, b;
++ unsigned int a, b;
+ XpmColor **color;
+ char **sptr;
+
+@@ -119,7 +124,7 @@ XpmFreeExtensions(extensions, nextension
+ XpmExtension *ext;
+ char **sptr;
+
+- if (extensions) {
++ if (extensions && nextensions > 0) {
+ for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
+ if (ext->name)
+ XpmFree(ext->name);
diff --git a/graphics/xpm/patches/patch-af b/graphics/xpm/patches/patch-af
index 5a511d00424..192f9986acd 100644
--- a/graphics/xpm/patches/patch-af
+++ b/graphics/xpm/patches/patch-af
@@ -1,13 +1,233 @@
-$NetBSD: patch-af,v 1.1 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-af,v 1.2 2005/06/14 18:10:37 jlam Exp $
---- lib/CrDatFrI.c.orig Thu Mar 19 13:50:59 1998
+--- lib/CrDatFrI.c.orig 1998-03-19 14:50:59.000000000 -0500
+++ lib/CrDatFrI.c
-@@ -123,6 +123,8 @@ XpmCreateDataFromXpmImage(data_return, i
+@@ -32,13 +32,16 @@
+ * Developed by Arnaud Le Hors *
+ \*****************************************************************************/
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+
+ LFUNC(CreateColors, int, (char **dataptr, unsigned int *data_size,
+ XpmColor *colors, unsigned int ncolors,
+ unsigned int cpp));
+
+-LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,
++LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
++ unsigned int width,
+ unsigned int height, unsigned int cpp,
+ unsigned int *pixels, XpmColor *colors));
+
+@@ -46,7 +49,8 @@ LFUNC(CountExtensions, void, (XpmExtensi
+ unsigned int *ext_size,
+ unsigned int *ext_nlines));
+
+-LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,
++LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
++ unsigned int offset,
+ XpmExtension *ext, unsigned int num,
+ unsigned int ext_nlines));
+
+@@ -87,10 +91,11 @@ XpmCreateDataFromImage(display, data_ret
+
+ #undef RETURN
+ #define RETURN(status) \
++do \
+ { \
+ ErrorStatus = status; \
+ goto exit; \
+-}
++} while(0)
+
+ int
+ XpmCreateDataFromXpmImage(data_return, image, info)
+@@ -121,9 +126,17 @@ XpmCreateDataFromXpmImage(data_return, i
+ * alloc a temporary array of char pointer for the header section which
+ * is the hints line + the color table lines
*/
- header_nlines = 1 + image->ncolors;
+- header_nlines = 1 + image->ncolors;
++ header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */
++
++ /* 2nd check superfluous if we do not need header_nlines any further */
++ if(header_nlines <= image->ncolors ||
++ header_nlines >= UINT_MAX / sizeof(char *))
++ return(XpmNoMemory);
++
header_size = sizeof(char *) * header_nlines;
-+ if (header_size >= SIZE_MAX / sizeof(char *))
+- header = (char **) XpmCalloc(header_size, sizeof(char *));
++ if (header_size >= UINT_MAX / sizeof(char *))
+ return (XpmNoMemory);
- header = (char **) XpmCalloc(header_size, sizeof(char *));
++ header = (char **) XpmCalloc(header_size, sizeof(char *)); /* can we trust image->ncolors */
if (!header)
return (XpmNoMemory);
+
+@@ -167,8 +180,22 @@ XpmCreateDataFromXpmImage(data_return, i
+
+ /* now we know the size needed, alloc the data and copy the header lines */
+ offset = image->width * image->cpp + 1;
+- data_size = header_size + (image->height + ext_nlines) * sizeof(char *)
+- + image->height * offset + ext_size;
++
++ if(offset <= image->width || offset <= image->cpp)
++ RETURN(XpmNoMemory);
++
++ if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
++ RETURN(XpmNoMemory);
++ data_size = (image->height + ext_nlines) * sizeof(char *);
++
++ if (image->height > UINT_MAX / offset ||
++ image->height * offset > UINT_MAX - data_size)
++ RETURN(XpmNoMemory);
++ data_size += image->height * offset;
++
++ if( (header_size + ext_size) >= (UINT_MAX - data_size) )
++ RETURN(XpmNoMemory);
++ data_size += header_size + ext_size;
+
+ data = (char **) XpmMalloc(data_size);
+ if (!data)
+@@ -176,8 +203,10 @@ XpmCreateDataFromXpmImage(data_return, i
+
+ data_nlines = header_nlines + image->height + ext_nlines;
+ *data = (char *) (data + data_nlines);
++
++ /* can header have less elements then n suggests? */
+ n = image->ncolors;
+- for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {
++ for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
+ strcpy(*sptr, *sptr2);
+ *(sptr + 1) = *sptr + strlen(*sptr2) + 1;
+ }
+@@ -186,12 +215,13 @@ XpmCreateDataFromXpmImage(data_return, i
+ data[header_nlines] = (char *) data + header_size
+ + (image->height + ext_nlines) * sizeof(char *);
+
+- CreatePixels(data + header_nlines, image->width, image->height,
++ CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
+ image->cpp, image->data, image->colorTable);
+
+ /* print extensions */
+ if (extensions)
+- CreateExtensions(data + header_nlines + image->height - 1, offset,
++ CreateExtensions(data + header_nlines + image->height - 1,
++ data_size - header_nlines - image->height + 1, offset,
+ info->extensions, info->nextensions,
+ ext_nlines);
+
+@@ -222,23 +252,35 @@ CreateColors(dataptr, data_size, colors,
+ char *s, *s2;
+ char **defaults;
+
++ /* can ncolors be trusted here? */
+ for (a = 0; a < ncolors; a++, colors++, dataptr++) {
+
+ defaults = (char **) colors;
++ if(sizeof(buf) <= cpp)
++ return(XpmNoMemory);
+ strncpy(buf, *defaults++, cpp);
+ s = buf + cpp;
+
++ if(sizeof(buf) <= (s-buf))
++ return XpmNoMemory;
++
+ for (key = 1; key <= NKEYS; key++, defaults++) {
+ if (s2 = *defaults) {
+ #ifndef VOID_SPRINTF
+ s +=
+ #endif
+- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);
++ /* assume C99 compliance */
++ snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
++
+ #ifdef VOID_SPRINTF
+ s += strlen(s);
+ #endif
++ /* does s point out-of-bounds? */
++ if(sizeof(buf) < (s-buf))
++ return XpmNoMemory;
+ }
+ }
++ /* what about using strdup()? */
+ l = s - buf + 1;
+ s = (char *) XpmMalloc(l);
+ if (!s)
+@@ -250,8 +292,9 @@ CreateColors(dataptr, data_size, colors,
+ }
+
+ static void
+-CreatePixels(dataptr, width, height, cpp, pixels, colors)
++CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
+ char **dataptr;
++ unsigned int data_size;
+ unsigned int width;
+ unsigned int height;
+ unsigned int cpp;
+@@ -261,21 +304,38 @@ CreatePixels(dataptr, width, height, cpp
+ char *s;
+ unsigned int x, y, h, offset;
+
++ if(height <= 1)
++ return;
++
+ h = height - 1;
++
+ offset = width * cpp + 1;
++
++ if(offset <= width || offset <= cpp)
++ return;
++
++ /* why trust h? */
+ for (y = 0; y < h; y++, dataptr++) {
+ s = *dataptr;
++ /* why trust width? */
+ for (x = 0; x < width; x++, pixels++) {
+- strncpy(s, colors[*pixels].string, cpp);
++ if(cpp > (data_size - (s - *dataptr)))
++ return;
++ strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */
+ s += cpp;
+ }
+ *s = '\0';
++ if(offset > data_size)
++ return;
+ *(dataptr + 1) = *dataptr + offset;
+ }
+ /* duplicate some code to avoid a test in the loop */
+ s = *dataptr;
++ /* why trust width? */
+ for (x = 0; x < width; x++, pixels++) {
+- strncpy(s, colors[*pixels].string, cpp);
++ if(cpp > data_size - (s - *dataptr))
++ return;
++ strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? */
+ s += cpp;
+ }
+ *s = '\0';
+@@ -308,8 +368,9 @@ CountExtensions(ext, num, ext_size, ext_
+ }
+
+ static void
+-CreateExtensions(dataptr, offset, ext, num, ext_nlines)
++CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
+ char **dataptr;
++ unsigned int data_size;
+ unsigned int offset;
+ XpmExtension *ext;
+ unsigned int num;
+@@ -322,12 +383,12 @@ CreateExtensions(dataptr, offset, ext, n
+ dataptr++;
+ a = 0;
+ for (x = 0; x < num; x++, ext++) {
+- sprintf(*dataptr, "XPMEXT %s", ext->name);
++ snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
+ a++;
+ if (a < ext_nlines)
+ *(dataptr + 1) = *dataptr + strlen(ext->name) + 8;
+ dataptr++;
+- b = ext->nlines;
++ b = ext->nlines; /* can we trust these values? */
+ for (y = 0, line = ext->lines; y < b; y++, line++) {
+ strcpy(*dataptr, *line);
+ a++;
diff --git a/graphics/xpm/patches/patch-ag b/graphics/xpm/patches/patch-ag
index 65c4d5f2c2f..91a30d37b9e 100644
--- a/graphics/xpm/patches/patch-ag
+++ b/graphics/xpm/patches/patch-ag
@@ -1,53 +1,387 @@
-$NetBSD: patch-ag,v 1.1 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-ag,v 1.2 2005/06/14 18:10:37 jlam Exp $
---- lib/create.c.orig Thu Mar 19 13:51:00 1998
+--- lib/create.c.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/create.c
-@@ -819,6 +819,9 @@ XpmCreateImageFromXpmImage(display, imag
+@@ -43,6 +43,8 @@
+ * Lorens Younes (d93-hyo@nada.kth.se) 4/96
+ */
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+ #include <ctype.h>
+
+@@ -517,7 +519,7 @@ CreateColors(display, attributes, colors
+ /* variables stored in the XpmAttributes structure */
+ Visual *visual;
+ Colormap colormap;
+- XpmColorSymbol *colorsymbols;
++ XpmColorSymbol *colorsymbols = NULL;
+ unsigned int numsymbols;
+ XpmAllocColorFunc allocColor;
+ void *closure;
+@@ -525,7 +527,7 @@ CreateColors(display, attributes, colors
+ char *colorname;
+ unsigned int color, key;
+ Bool pixel_defined;
+- XpmColorSymbol *symbol;
++ XpmColorSymbol *symbol = NULL;
+ char **defaults;
+ int ErrorStatus = XpmSuccess;
+ char *s;
+@@ -583,7 +585,7 @@ CreateColors(display, attributes, colors
+ */
+ } else {
+ #endif
+- int i;
++ unsigned int i;
+
+ #ifndef AMIGA
+ ncols = visual->map_entries;
+@@ -743,12 +745,14 @@ FreeColors(display, colormap, pixels, n,
+
+
+ /* function call in case of error */
++
+ #undef RETURN
+ #define RETURN(status) \
++do \
+ { \
+ ErrorStatus = status; \
+ goto error; \
+-}
++} while(0)
+
+ int
+ XpmCreateImageFromXpmImage(display, image,
+@@ -765,7 +769,6 @@ XpmCreateImageFromXpmImage(display, imag
+ unsigned int depth;
+ int bitmap_format;
+ XpmFreeColorsFunc freeColors;
+- void *closure;
+
+ /* variables to return */
+ XImage *ximage = NULL;
+@@ -812,13 +815,12 @@ XpmCreateImageFromXpmImage(display, imag
+ freeColors = attributes->free_colors;
+ else
+ freeColors = FreeColors;
+- if (attributes && (attributes->valuemask & XpmColorClosure))
+- closure = attributes->color_closure;
+- else
+- closure = NULL;
ErrorStatus = XpmSuccess;
-+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
++ if (image->ncolors >= UINT_MAX / sizeof(Pixel))
+ return (XpmNoMemory);
+
/* malloc pixels index tables */
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
if (!image_pixels)
-@@ -991,6 +994,8 @@ CreateXImage(display, visual, depth, for
+@@ -991,7 +993,13 @@ CreateXImage(display, visual, depth, for
return (XpmNoMemory);
#if !defined(FOR_MSW) && !defined(AMIGA)
-+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
++ if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
++ XDestroyImage(*image_return);
+ return XpmNoMemory;
++ }
/* now that bytes_per_line must have been set properly alloc data */
++ if((*image_return)->bytes_per_line == 0 || height == 0)
++ return XpmNoMemory;
(*image_return)->data =
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
-@@ -2063,6 +2068,9 @@ xpmParseDataAndCreate(display, data, ima
+
+@@ -1020,7 +1028,7 @@ CreateXImage(display, visual, depth, for
+ LFUNC(_putbits, void, (register char *src, int dstoffset,
+ register int numbits, register char *dst));
+
+-LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));
++LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
+
+ static unsigned char Const _reverse_byte[0x100] = {
+ 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
+@@ -1060,12 +1068,12 @@ static unsigned char Const _reverse_byte
+ static int
+ _XReverse_Bytes(bpt, nb)
+ register unsigned char *bpt;
+- register int nb;
++ register unsigned int nb;
+ {
+ do {
+ *bpt = _reverse_byte[*bpt];
+ bpt++;
+- } while (--nb > 0);
++ } while (--nb > 0); /* is nb user-controled? */
+ return 0;
+ }
+
+@@ -1204,18 +1212,18 @@ PutImagePixels(image, width, height, pix
+ register char *src;
+ register char *dst;
+ register unsigned int *iptr;
+- register int x, y, i;
++ register unsigned int x, y;
+ register char *data;
+ Pixel pixel, px;
+- int nbytes, depth, ibu, ibpp;
++ int nbytes, depth, ibu, ibpp, i;
+
+ data = image->data;
+ iptr = pixelindex;
+ depth = image->depth;
+ if (depth == 1) {
+ ibu = image->bitmap_unit;
+- for (y = 0; y < height; y++)
+- for (x = 0; x < width; x++, iptr++) {
++ for (y = 0; y < height; y++) /* how can we trust height */
++ for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
+ pixel = pixels[*iptr];
+ for (i = 0, px = pixel; i < sizeof(unsigned long);
+ i++, px >>= 8)
+@@ -1290,12 +1298,12 @@ PutImagePixels32(image, width, height, p
+ {
+ unsigned char *data;
+ unsigned int *iptr;
+- int y;
++ unsigned int y;
+ Pixel pixel;
+
+ #ifdef WITHOUT_SPEEDUPS
+
+- int x;
++ unsigned int x;
+ unsigned char *addr;
+
+ data = (unsigned char *) image->data;
+@@ -1332,7 +1340,7 @@ PutImagePixels32(image, width, height, p
+
+ #else /* WITHOUT_SPEEDUPS */
+
+- int bpl = image->bytes_per_line;
++ unsigned int bpl = image->bytes_per_line;
+ unsigned char *data_ptr, *max_data;
+
+ data = (unsigned char *) image->data;
+@@ -1400,11 +1408,11 @@ PutImagePixels16(image, width, height, p
+ {
+ unsigned char *data;
+ unsigned int *iptr;
+- int y;
++ unsigned int y;
+
+ #ifdef WITHOUT_SPEEDUPS
+
+- int x;
++ unsigned int x;
+ unsigned char *addr;
+
+ data = (unsigned char *) image->data;
+@@ -1428,7 +1436,7 @@ PutImagePixels16(image, width, height, p
+
+ Pixel pixel;
+
+- int bpl = image->bytes_per_line;
++ unsigned int bpl = image->bytes_per_line;
+ unsigned char *data_ptr, *max_data;
+
+ data = (unsigned char *) image->data;
+@@ -1481,11 +1489,11 @@ PutImagePixels8(image, width, height, pi
+ {
+ char *data;
+ unsigned int *iptr;
+- int y;
++ unsigned int y;
+
+ #ifdef WITHOUT_SPEEDUPS
+
+- int x;
++ unsigned int x;
+
+ data = image->data;
+ iptr = pixelindex;
+@@ -1495,7 +1503,7 @@ PutImagePixels8(image, width, height, pi
+
+ #else /* WITHOUT_SPEEDUPS */
+
+- int bpl = image->bytes_per_line;
++ unsigned int bpl = image->bytes_per_line;
+ char *data_ptr, *max_data;
+
+ data = image->data;
+@@ -1530,12 +1538,12 @@ PutImagePixels1(image, width, height, pi
+ PutImagePixels(image, width, height, pixelindex, pixels);
+ else {
+ unsigned int *iptr;
+- int y;
++ unsigned int y;
+ char *data;
+
+ #ifdef WITHOUT_SPEEDUPS
+
+- int x;
++ unsigned int x;
+
+ data = image->data;
+ iptr = pixelindex;
+@@ -1755,10 +1763,12 @@ PutPixel1(ximage, x, y, pixel)
+ register char *src;
+ register char *dst;
+ register int i;
+- register char *data;
+ Pixel px;
+ int nbytes;
+
++ if(x < 0 || y < 0)
++ return 0;
++
+ for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
+ ((unsigned char *)&pixel)[i] = px;
+ src = &ximage->data[XYINDEX(x, y, ximage)];
+@@ -1788,9 +1798,11 @@ PutPixel(ximage, x, y, pixel)
+ register char *src;
+ register char *dst;
+ register int i;
+- register char *data;
+ Pixel px;
+- int nbytes, ibpp;
++ unsigned int nbytes, ibpp;
++
++ if(x < 0 || y < 0)
++ return 0;
+
+ ibpp = ximage->bits_per_pixel;
+ if (ximage->depth == 4)
+@@ -1823,6 +1835,9 @@ PutPixel32(ximage, x, y, pixel)
+ {
+ unsigned char *addr;
+
++ if(x < 0 || y < 0)
++ return 0;
++
+ addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
+ *((unsigned long *)addr) = pixel;
+ return 1;
+@@ -1837,6 +1852,9 @@ PutPixel32MSB(ximage, x, y, pixel)
+ {
+ unsigned char *addr;
+
++ if(x < 0 || y < 0)
++ return 0;
++
+ addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
+ addr[0] = pixel >> 24;
+ addr[1] = pixel >> 16;
+@@ -1854,6 +1872,9 @@ PutPixel32LSB(ximage, x, y, pixel)
+ {
+ unsigned char *addr;
+
++ if(x < 0 || y < 0)
++ return 0;
++
+ addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
+ addr[3] = pixel >> 24;
+ addr[2] = pixel >> 16;
+@@ -1871,6 +1892,9 @@ PutPixel16MSB(ximage, x, y, pixel)
+ {
+ unsigned char *addr;
+
++ if(x < 0 || y < 0)
++ return 0;
++
+ addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
+ addr[0] = pixel >> 8;
+ addr[1] = pixel;
+@@ -1886,6 +1910,9 @@ PutPixel16LSB(ximage, x, y, pixel)
+ {
+ unsigned char *addr;
+
++ if(x < 0 || y < 0)
++ return 0;
++
+ addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
+ addr[1] = pixel >> 8;
+ addr[0] = pixel;
+@@ -1899,6 +1926,9 @@ PutPixel8(ximage, x, y, pixel)
+ int y;
+ unsigned long pixel;
+ {
++ if(x < 0 || y < 0)
++ return 0;
++
+ ximage->data[ZINDEX8(x, y, ximage)] = pixel;
+ return 1;
+ }
+@@ -1910,6 +1940,9 @@ PutPixel1MSB(ximage, x, y, pixel)
+ int y;
+ unsigned long pixel;
+ {
++ if(x < 0 || y < 0)
++ return 0;
++
+ if (pixel & 1)
+ ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7);
+ else
+@@ -1924,6 +1957,9 @@ PutPixel1LSB(ximage, x, y, pixel)
+ int y;
+ unsigned long pixel;
+ {
++ if(x < 0 || y < 0)
++ return 0;
++
+ if (pixel & 1)
+ ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7);
+ else
+@@ -1953,7 +1989,6 @@ xpmParseDataAndCreate(display, data, ima
+ unsigned int depth;
+ int bitmap_format;
+ XpmFreeColorsFunc freeColors;
+- void *closure;
+
+ /* variables to return */
+ XImage *ximage = NULL;
+@@ -2011,10 +2046,6 @@ xpmParseDataAndCreate(display, data, ima
+ freeColors = attributes->free_colors;
+ else
+ freeColors = FreeColors;
+- if (attributes && (attributes->valuemask & XpmColorClosure))
+- closure = attributes->color_closure;
+- else
+- closure = NULL;
+
+ cmts = info && (info->valuemask & XpmReturnComments);
+
+@@ -2063,6 +2094,9 @@ xpmParseDataAndCreate(display, data, ima
xpmGetCmt(data, &colors_cmt);
/* malloc pixels index tables */
-+ if (ncolors >= SIZE_MAX / sizeof(Pixel))
-+ return XpmNoMemory;
++ if (ncolors >= UINT_MAX / sizeof(Pixel))
++ RETURN(XpmNoMemory);
+
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
if (!image_pixels)
RETURN(XpmNoMemory);
-@@ -2317,7 +2325,8 @@ ParseAndPutPixels(
- }
- obm = SelectObject(*dc, image->bitmap);
- #endif
--
-+ if (ncolors > 256)
-+ return (XpmFileInvalid);
-
- bzero((char *)colidx, 256 * sizeof(short));
- for (a = 0; a < ncolors; a++)
-@@ -2422,6 +2431,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
- {
- char *s;
- char buf[BUFSIZ];
-+
-+ if (cpp >= sizeof(buf))
-+ return (XpmFileInvalid);
-
- buf[cpp] = '\0';
- if (USE_HASHTABLE) {
+@@ -2173,7 +2207,7 @@ xpmParseDataAndCreate(display, data, ima
+ * free the hastable
+ */
+ if (ErrorStatus != XpmSuccess)
+- RETURN(ErrorStatus)
++ RETURN(ErrorStatus);
+ else if (USE_HASHTABLE)
+ xpmHashTableFree(&hashtable);
+
+@@ -2364,11 +2398,11 @@ if (cidx[f]) XpmFree(cidx[f]);}
+
+ /* array of pointers malloced by need */
+ unsigned short *cidx[256];
+- int char1;
++ unsigned int char1;
+
+ bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
+ for (a = 0; a < ncolors; a++) {
+- char1 = colorTable[a].string[0];
++ char1 = (unsigned char) colorTable[a].string[0];
+ if (cidx[char1] == NULL) { /* get new memory */
+ cidx[char1] = (unsigned short *)
+ XpmCalloc(256, sizeof(unsigned short));
diff --git a/graphics/xpm/patches/patch-ah b/graphics/xpm/patches/patch-ah
index 423d815392f..759b95d47c0 100644
--- a/graphics/xpm/patches/patch-ah
+++ b/graphics/xpm/patches/patch-ah
@@ -1,13 +1,43 @@
-$NetBSD: patch-ah,v 1.1 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-ah,v 1.2 2005/06/14 18:10:37 jlam Exp $
---- lib/data.c.orig Thu Mar 19 13:51:00 1998
+--- lib/data.c.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/data.c
-@@ -374,7 +374,7 @@ xpmGetCmt(data, cmt)
+@@ -32,6 +32,8 @@
+ * Developed by Arnaud Le Hors *
+ \*****************************************************************************/
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #ifndef CXPMPROG
+ /* Official version number */
+ static char *RCS_Version = "$XpmVersion: 3.4k $";
+@@ -261,7 +263,7 @@ xpmNextWord(data, buf, buflen)
+ }
+ Ungetc(data, c, file);
+ }
+- return (n);
++ return (n); /* this returns bytes read + 1 */
+ }
+
+ /*
+@@ -374,8 +376,9 @@ xpmGetCmt(data, cmt)
{
if (!data->type)
*cmt = NULL;
- else if (data->CommentLength) {
-+ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) {
- *cmt = (char *) XpmMalloc(data->CommentLength + 1);
+- *cmt = (char *) XpmMalloc(data->CommentLength + 1);
++ else if (data->CommentLength != 0 && data->CommentLength < UINT_MAX - 1) {
++ if( (*cmt = (char *) XpmMalloc(data->CommentLength + 1)) == NULL)
++ return XpmNoMemory;
strncpy(*cmt, data->Comment, data->CommentLength);
(*cmt)[data->CommentLength] = '\0';
+ data->CommentLength = 0;
+@@ -403,7 +406,7 @@ int
+ xpmParseHeader(data)
+ xpmData *data;
+ {
+- char buf[BUFSIZ];
++ char buf[BUFSIZ+1] = {0};
+ int l, n = 0;
+
+ if (data->type) {
diff --git a/graphics/xpm/patches/patch-ai b/graphics/xpm/patches/patch-ai
index 7f9bb7a60bb..892547010ce 100644
--- a/graphics/xpm/patches/patch-ai
+++ b/graphics/xpm/patches/patch-ai
@@ -1,8 +1,8 @@
-$NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-ai,v 1.2 2005/06/14 18:10:37 jlam Exp $
---- lib/hashtab.c.orig Thu Mar 19 13:51:00 1998
+--- lib/hashtab.c.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/hashtab.c
-@@ -135,7 +135,7 @@ HashTableGrows(table)
+@@ -135,15 +135,17 @@ HashTableGrows(table)
xpmHashTable *table;
{
xpmHashAtom *atomTable = table->atomTable;
@@ -10,12 +10,14 @@ $NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $
+ unsigned int size = table->size;
xpmHashAtom *t, *p;
int i;
- int oldSize = size;
-@@ -144,6 +144,8 @@ HashTableGrows(table)
+- int oldSize = size;
++ unsigned int oldSize = size;
+
+ t = atomTable;
HASH_TABLE_GROWS
table->size = size;
table->limit = size / 3;
-+ if (size >= SIZE_MAX / sizeof(*atomTable))
++ if (size >= UINT_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
if (!atomTable)
@@ -24,7 +26,7 @@ $NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $
table->size = INITIAL_HASH_SIZE;
table->limit = table->size / 3;
table->used = 0;
-+ if (table->size >= SIZE_MAX / sizeof(*atomTable))
++ if (table->size >= UINT_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
if (!atomTable)
diff --git a/graphics/xpm/patches/patch-aj b/graphics/xpm/patches/patch-aj
index 040a7ebe2bd..f59f686a198 100644
--- a/graphics/xpm/patches/patch-aj
+++ b/graphics/xpm/patches/patch-aj
@@ -1,33 +1,38 @@
-$NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
+$NetBSD: patch-aj,v 1.2 2005/06/14 18:10:37 jlam Exp $
---- lib/parse.c.orig Thu Mar 19 13:51:00 1998
+--- lib/parse.c.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/parse.c
-@@ -41,6 +41,24 @@
+@@ -38,8 +38,29 @@
+ * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
+ */
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
#include "XpmI.h"
#include <ctype.h>
-
++#include <string.h>
++
+#ifdef HAS_STRLCAT
-+# define STRLCAT(dst, src, dstsize) { \
-+ if (strlcat(dst, src, dstsize) >= (dstsize)) \
-+ return (XpmFileInvalid); }
-+# define STRLCPY(dst, src, dstsize) { \
-+ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
-+ return (XpmFileInvalid); }
++# define STRLCAT(dst, src, dstsize) do { \
++ if (strlcat(dst, src, dstsize) >= (dstsize)) \
++ return (XpmFileInvalid); } while(0)
++# define STRLCPY(dst, src, dstsize) do { \
++ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
++ return (XpmFileInvalid); } while(0)
+#else
-+# define STRLCAT(dst, src, dstsize) { \
++# define STRLCAT(dst, src, dstsize) do { \
+ if ((strlen(dst) + strlen(src)) < (dstsize)) \
-+ strcat(dst, src); \
-+ else return (XpmFileInvalid); }
-+# define STRLCPY(dst, src, dstsize) { \
++ strcat(dst, src); \
++ else return (XpmFileInvalid); } while(0)
++# define STRLCPY(dst, src, dstsize) do { \
+ if (strlen(src) < (dstsize)) \
-+ strcpy(dst, src); \
-+ else return (XpmFileInvalid); }
++ strcpy(dst, src); \
++ else return (XpmFileInvalid); } while(0)
+#endif
-+
+
LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
unsigned int height, unsigned int ncolors,
- unsigned int cpp, XpmColor *colorTable,
-@@ -63,7 +81,7 @@ xpmParseValues(data, width, height, ncol
+@@ -63,7 +84,7 @@ xpmParseValues(data, width, height, ncol
unsigned int *extensions;
{
unsigned int l;
@@ -36,12 +41,12 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
if (!data->format) { /* XPM 2 or 3 */
-@@ -172,10 +190,10 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -172,10 +193,10 @@ xpmParseColors(data, ncolors, cpp, color
XpmColor **colorTablePtr;
xpmHashTable *hashtable;
{
- unsigned int key, l, a, b;
-+ unsigned int key, l, a, b, len;
++ unsigned int key = 0, l, a, b, len;
unsigned int curkey; /* current color key */
unsigned int lastwaskey; /* key read */
- char buf[BUFSIZ];
@@ -49,27 +54,27 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
char curbuf[BUFSIZ]; /* current buffer */
char **sptr, *s;
XpmColor *color;
-@@ -183,6 +201,8 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -183,6 +204,8 @@ xpmParseColors(data, ncolors, cpp, color
char **defaults;
int ErrorStatus;
-+ if (ncolors >= SIZE_MAX / sizeof(XpmColor))
++ if (ncolors >= UINT_MAX / sizeof(XpmColor))
+ return (XpmNoMemory);
colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
if (!colorTable)
return (XpmNoMemory);
-@@ -194,6 +214,10 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -194,6 +217,10 @@ xpmParseColors(data, ncolors, cpp, color
/*
* read pixel value
*/
-+ if (cpp >= SIZE_MAX - 1) {
++ if (cpp >= UINT_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
color->string = (char *) XpmMalloc(cpp + 1);
if (!color->string) {
xpmFreeColorTable(colorTable, ncolors);
-@@ -231,13 +255,14 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -231,13 +258,14 @@ xpmParseColors(data, ncolors, cpp, color
}
if (!lastwaskey && key < NKEYS) { /* open new key */
if (curkey) { /* flush string */
@@ -86,7 +91,7 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
}
curkey = key + 1; /* set new key */
*curbuf = '\0'; /* reset curbuf */
-@@ -248,9 +273,9 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -248,9 +276,9 @@ xpmParseColors(data, ncolors, cpp, color
return (XpmFileInvalid);
}
if (!lastwaskey)
@@ -98,7 +103,7 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
lastwaskey = 0;
}
}
-@@ -258,12 +283,13 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -258,12 +286,13 @@ xpmParseColors(data, ncolors, cpp, color
xpmFreeColorTable(colorTable, ncolors);
return (XpmFileInvalid);
}
@@ -114,18 +119,18 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
}
} else { /* XPM 1 */
/* get to the beginning of the first string */
-@@ -276,6 +302,10 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -276,6 +305,10 @@ xpmParseColors(data, ncolors, cpp, color
/*
* read pixel value
*/
-+ if (cpp >= SIZE_MAX - 1) {
++ if (cpp >= UINT_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
color->string = (char *) XpmMalloc(cpp + 1);
if (!color->string) {
xpmFreeColorTable(colorTable, ncolors);
-@@ -304,16 +334,17 @@ xpmParseColors(data, ncolors, cpp, color
+@@ -304,19 +337,20 @@ xpmParseColors(data, ncolors, cpp, color
*curbuf = '\0'; /* init curbuf */
while (l = xpmNextWord(data, buf, BUFSIZ)) {
if (*curbuf != '\0')
@@ -133,7 +138,7 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
buf[l] = '\0';
- strcat(curbuf, buf); /* append buf */
-+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
++ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
}
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
@@ -146,34 +151,119 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
+ memcpy(s, curbuf, len);
color->c_color = s;
*curbuf = '\0'; /* reset curbuf */
- if (a < ncolors - 1)
-@@ -338,6 +369,9 @@ ParsePixels(data, width, height, ncolors
- unsigned int *iptr, *iptr2;
+- if (a < ncolors - 1)
++ if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
+ xpmNextString(data); /* get to the next string */
+ }
+ }
+@@ -335,9 +369,12 @@ ParsePixels(data, width, height, ncolors
+ xpmHashTable *hashtable;
+ unsigned int **pixels;
+ {
+- unsigned int *iptr, *iptr2;
++ unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
unsigned int a, x, y;
-+ if ((height > 0 && width >= SIZE_MAX / height) ||
-+ width * height >= SIZE_MAX / sizeof(unsigned int))
++ if ((height > 0 && width >= UINT_MAX / height) ||
++ width * height >= UINT_MAX / sizeof(unsigned int))
+ return XpmNoMemory;
#ifndef FOR_MSW
iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
#else
-@@ -361,6 +395,9 @@ ParsePixels(data, width, height, ncolors
+@@ -361,6 +398,11 @@ ParsePixels(data, width, height, ncolors
{
unsigned short colidx[256];
-+ if (ncolors > 256)
++ if (ncolors > 256) {
++ XpmFree(iptr2); /* found by Egbert Eich */
+ return (XpmFileInvalid);
++ }
+
bzero((char *)colidx, 256 * sizeof(short));
for (a = 0; a < ncolors; a++)
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
-@@ -438,6 +475,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
+@@ -386,16 +428,20 @@ ParsePixels(data, width, height, ncolors
{
+
+ /* free all allocated pointers at all exits */
+-#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \
+-if (cidx[f]) XpmFree(cidx[f]);}
++#define FREE_CIDX \
++do \
++{ \
++ int f; for (f = 0; f < 256; f++) \
++ if (cidx[f]) XpmFree(cidx[f]); \
++} while(0)
+
+ /* array of pointers malloced by need */
+ unsigned short *cidx[256];
+- int char1;
++ unsigned int char1;
+
+ bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
+ for (a = 0; a < ncolors; a++) {
+- char1 = colorTable[a].string[0];
++ char1 = (unsigned char) colorTable[a].string[0];
+ if (cidx[char1] == NULL) { /* get new memory */
+ cidx[char1] = (unsigned short *)
+ XpmCalloc(256, sizeof(unsigned short));
+@@ -439,6 +485,11 @@ if (cidx[f]) XpmFree(cidx[f]);}
char *s;
char buf[BUFSIZ];
-+
-+ if (cpp >= sizeof(buf))
-+ return (XpmFileInvalid);
++ if (cpp >= sizeof(buf)) {
++ XpmFree(iptr2); /* found by Egbert Eich */
++ return (XpmFileInvalid);
++ }
++
buf[cpp] = '\0';
if (USE_HASHTABLE) {
+ xpmHashAtom *slot;
+@@ -447,7 +498,7 @@ if (cidx[f]) XpmFree(cidx[f]);}
+ xpmNextString(data);
+ for (x = 0; x < width; x++, iptr++) {
+ for (a = 0, s = buf; a < cpp; a++, s++)
+- *s = xpmGetC(data);
++ *s = xpmGetC(data); /* int assigned to char, not a problem here */
+ slot = xpmHashSlot(hashtable, buf);
+ if (!*slot) { /* no color matches */
+ XpmFree(iptr2);
+@@ -461,7 +512,7 @@ if (cidx[f]) XpmFree(cidx[f]);}
+ xpmNextString(data);
+ for (x = 0; x < width; x++, iptr++) {
+ for (a = 0, s = buf; a < cpp; a++, s++)
+- *s = xpmGetC(data);
++ *s = xpmGetC(data); /* int assigned to char, not a problem here */
+ for (a = 0; a < ncolors; a++)
+ if (!strcmp(colorTable[a].string, buf))
+ break;
+@@ -516,7 +567,7 @@ xpmParseExtensions(data, extensions, nex
+ while (!notstart && notend) {
+ /* there starts an extension */
+ ext = (XpmExtension *)
+- XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));
++ XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
+ if (!ext) {
+ XpmFree(string);
+ XpmFreeExtensions(exts, num);
+@@ -553,7 +604,7 @@ xpmParseExtensions(data, extensions, nex
+ while ((notstart = strncmp("XPMEXT", string, 6))
+ && (notend = strncmp("XPMENDEXT", string, 9))) {
+ sp = (char **)
+- XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));
++ XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
+ if (!sp) {
+ XpmFree(string);
+ ext->nlines = nlines;
+@@ -593,9 +644,9 @@ xpmParseExtensions(data, extensions, nex
+ /* function call in case of error */
+ #undef RETURN
+ #define RETURN(status) \
+-{ \
++do { \
+ goto error; \
+-}
++} while(0)
+
+ /*
+ * This function parses an Xpm file or data and store the found informations
diff --git a/graphics/xpm/patches/patch-ak b/graphics/xpm/patches/patch-ak
index 2485265546a..4647685e318 100644
--- a/graphics/xpm/patches/patch-ak
+++ b/graphics/xpm/patches/patch-ak
@@ -1,54 +1,86 @@
-$NetBSD: patch-ak,v 1.2 2005/03/10 15:23:10 wiz Exp $
+$NetBSD: patch-ak,v 1.3 2005/06/14 18:10:37 jlam Exp $
---- lib/scan.c.orig 1998-03-19 20:51:00.000000000 +0100
+--- lib/scan.c.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/scan.c
-@@ -103,7 +103,8 @@ LFUNC(MSWGetImagePixels, int, (Display *
+@@ -42,6 +42,8 @@
+ * Lorens Younes (d93-hyo@nada.kth.se) 4/96
+ */
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+
+ #define MAXPRINTABLE 92 /* number of printable ascii chars
+@@ -103,7 +105,8 @@ LFUNC(MSWGetImagePixels, int, (Display *
LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
XpmAttributes *attributes));
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
-+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
-+ unsigned int ncolors,
++LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
++ unsigned int ncolors,
Pixel *pixels, unsigned int mask,
unsigned int cpp, XpmAttributes *attributes));
-@@ -228,11 +229,17 @@ XpmCreateXpmImageFromImage(display, imag
+@@ -167,10 +170,10 @@ storeMaskPixel(pixel, pmap, index_return
+ /* function call in case of error */
+ #undef RETURN
+ #define RETURN(status) \
+-{ \
++do { \
+ ErrorStatus = status; \
+ goto error; \
+-}
++} while(0)
+
+ /*
+ * This function scans the given image and stores the found informations in
+@@ -191,7 +194,7 @@ XpmCreateXpmImageFromImage(display, imag
+ /* variables to return */
+ PixelsMap pmap;
+ XpmColor *colorTable = NULL;
+- int ErrorStatus;
++ int ErrorStatus = 0;
+
+ /* calculation variables */
+ unsigned int width = 0;
+@@ -228,11 +231,17 @@ XpmCreateXpmImageFromImage(display, imag
else
cpp = 0;
-+ if ((height > 0 && width >= SIZE_MAX / height) ||
-+ width * height >= SIZE_MAX / sizeof(unsigned int))
++ if ((height > 0 && width >= UINT_MAX / height) ||
++ width * height >= UINT_MAX / sizeof(unsigned int))
+ RETURN(XpmNoMemory);
pmap.pixelindex =
(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
if (!pmap.pixelindex)
RETURN(XpmNoMemory);
-+ if (pmap.size >= SIZE_MAX / sizeof(Pixel))
++ if (pmap.size >= UINT_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
+
pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
if (!pmap.pixels)
RETURN(XpmNoMemory);
-@@ -298,6 +305,8 @@ XpmCreateXpmImageFromImage(display, imag
+@@ -297,7 +306,8 @@ XpmCreateXpmImageFromImage(display, imag
+ * get rgb values and a string of char, and possibly a name for each
* color
*/
-
-+ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
+-
++ if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
+ RETURN(XpmNoMemory);
colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
if (!colorTable)
RETURN(XpmNoMemory);
-@@ -356,6 +365,8 @@ ScanTransparentColor(color, cpp, attribu
+@@ -356,6 +366,8 @@ ScanTransparentColor(color, cpp, attribu
/* first get a character string */
a = 0;
-+ if (cpp >= SIZE_MAX - 1)
++ if (cpp >= UINT_MAX - 1)
+ return (XpmNoMemory);
if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
return (XpmNoMemory);
*s++ = printable[c = a % MAXPRINTABLE];
-@@ -403,7 +414,7 @@ static int
+@@ -403,7 +415,7 @@ static int
ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
Display *display;
XpmColor *colors;
@@ -57,22 +89,120 @@ $NetBSD: patch-ak,v 1.2 2005/03/10 15:23:10 wiz Exp $
Pixel *pixels;
unsigned int mask;
unsigned int cpp;
-@@ -447,6 +458,8 @@ ScanOtherColors(display, colors, ncolors
+@@ -423,10 +435,10 @@ ScanOtherColors(display, colors, ncolors
+ XpmColor *color;
+ XColor *xcolors = NULL, *xcolor;
+ char *colorname, *s;
+- XpmColor *colorTable, **oldColorTable = NULL;
++ XpmColor *colorTable = NULL, **oldColorTable = NULL;
+ unsigned int ancolors = 0;
+- Pixel *apixels;
+- unsigned int mask_pixel;
++ Pixel *apixels = NULL;
++ unsigned int mask_pixel = 0;
+ Bool found;
+
+ /* retrieve information from the XpmAttributes */
+@@ -447,6 +459,8 @@ ScanOtherColors(display, colors, ncolors
}
/* first get character strings and rgb values */
-+ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
++ if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1)
+ return (XpmNoMemory);
xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
if (!xcolors)
return (XpmNoMemory);
-@@ -615,6 +628,9 @@ GetImagePixels(image, width, height, pma
+@@ -603,8 +617,8 @@ GetImagePixels(image, width, height, pma
+ char *dst;
+ unsigned int *iptr;
+ char *data;
+- int x, y, i;
+- int bits, depth, ibu, ibpp, offset;
++ unsigned int x, y;
++ int bits, depth, ibu, ibpp, offset, i;
+ unsigned long lbt;
+ Pixel pixel, px;
+
+@@ -615,6 +629,9 @@ GetImagePixels(image, width, height, pma
ibpp = image->bits_per_pixel;
offset = image->xoffset;
+ if (image->bitmap_unit < 0)
-+ return (XpmNoMemory);
++ return (XpmNoMemory);
+
if ((image->bits_per_pixel | image->depth) == 1) {
ibu = image->bitmap_unit;
for (y = 0; y < height; y++)
+@@ -705,7 +722,7 @@ GetImagePixels32(image, width, height, p
+ unsigned char *addr;
+ unsigned char *data;
+ unsigned int *iptr;
+- int x, y;
++ unsigned int x, y;
+ unsigned long lbt;
+ Pixel pixel;
+ int depth;
+@@ -770,7 +787,7 @@ GetImagePixels16(image, width, height, p
+ unsigned char *addr;
+ unsigned char *data;
+ unsigned int *iptr;
+- int x, y;
++ unsigned int x, y;
+ unsigned long lbt;
+ Pixel pixel;
+ int depth;
+@@ -815,7 +832,7 @@ GetImagePixels8(image, width, height, pm
+ {
+ unsigned int *iptr;
+ unsigned char *data;
+- int x, y;
++ unsigned int x, y;
+ unsigned long lbt;
+ Pixel pixel;
+ int depth;
+@@ -848,7 +865,7 @@ GetImagePixels1(image, width, height, pm
+ int (*storeFunc) ();
+ {
+ unsigned int *iptr;
+- int x, y;
++ unsigned int x, y;
+ char *data;
+ Pixel pixel;
+ int xoff, yoff, offset, bpl;
+@@ -884,11 +901,11 @@ GetImagePixels1(image, width, height, pm
+ # else /* AMIGA */
+
+ #define CLEAN_UP(status) \
+-{\
++do {\
+ if (pixels) XpmFree (pixels);\
+ if (tmp_img) FreeXImage (tmp_img);\
+ return (status);\
+-}
++} while(0)
+
+ static int
+ AGetImagePixels (
+@@ -909,7 +926,7 @@ AGetImagePixels (
+
+ tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);
+ if (tmp_img == NULL)
+- CLEAN_UP (XpmNoMemory)
++ CLEAN_UP (XpmNoMemory);
+
+ iptr = pmap->pixelindex;
+ for (y = 0; y < height; ++y)
+@@ -918,11 +935,11 @@ AGetImagePixels (
+ for (x = 0; x < width; ++x, ++iptr)
+ {
+ if ((*storeFunc) (pixels[x], pmap, iptr))
+- CLEAN_UP (XpmNoMemory)
++ CLEAN_UP (XpmNoMemory);
+ }
+ }
+
+- CLEAN_UP (XpmSuccess)
++ CLEAN_UP (XpmSuccess);
+ }
+
+ #undef CLEAN_UP
diff --git a/graphics/xpm/patches/patch-al b/graphics/xpm/patches/patch-al
new file mode 100644
index 00000000000..fc52ed0cd6f
--- /dev/null
+++ b/graphics/xpm/patches/patch-al
@@ -0,0 +1,308 @@
+$NetBSD: patch-al,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/CrBufFrI.c.orig 1998-03-19 14:50:59.000000000 -0500
++++ lib/CrBufFrI.c
+@@ -32,21 +32,27 @@
+ * Developed by Arnaud Le Hors *
+ \*****************************************************************************/
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
++/* $XFree86$ */
++
+ #include "XpmI.h"
+
+ LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size,
+ unsigned int *used_size, XpmColor *colors,
+ unsigned int ncolors, unsigned int cpp));
+
+-LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size,
++LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
++ unsigned int *used_size,
+ unsigned int width, unsigned int height,
+ unsigned int cpp, unsigned int *pixels,
+ XpmColor *colors));
+
+-LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size,
++LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
++ unsigned int *used_size,
+ XpmExtension *ext, unsigned int num));
+
+-LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));
++LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
+ LFUNC(CommentsSize, int, (XpmInfo *info));
+
+ int
+@@ -89,10 +95,11 @@ XpmCreateBufferFromImage(display, buffer
+
+ #undef RETURN
+ #define RETURN(status) \
++do \
+ { \
+ ErrorStatus = status; \
+ goto error; \
+-}
++}while(0)
+
+ int
+ XpmCreateBufferFromXpmImage(buffer_return, image, info)
+@@ -106,7 +113,7 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ unsigned int cmts, extensions, ext_size = 0;
+ unsigned int l, cmt_size = 0;
+ char *ptr = NULL, *p;
+- unsigned int ptr_size, used_size;
++ unsigned int ptr_size, used_size, tmp;
+
+ *buffer_return = NULL;
+
+@@ -128,7 +135,13 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ #ifdef VOID_SPRINTF
+ used_size = strlen(buf);
+ #endif
+- ptr_size = used_size + ext_size + cmt_size + 1;
++ ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
++ if(ptr_size <= used_size ||
++ ptr_size <= ext_size ||
++ ptr_size <= cmt_size)
++ {
++ return XpmNoMemory;
++ }
+ ptr = (char *) XpmMalloc(ptr_size);
+ if (!ptr)
+ return XpmNoMemory;
+@@ -139,7 +152,7 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ #ifndef VOID_SPRINTF
+ used_size +=
+ #endif
+- sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt);
++ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
+ #ifdef VOID_SPRINTF
+ used_size += strlen(info->hints_cmt) + 5;
+ #endif
+@@ -157,7 +170,7 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ #ifndef VOID_SPRINTF
+ l +=
+ #endif
+- sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);
++ snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
+ #ifdef VOID_SPRINTF
+ l = strlen(buf);
+ #endif
+@@ -179,6 +192,8 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ l = strlen(buf);
+ #endif
+ ptr_size += l;
++ if(ptr_size <= l)
++ RETURN(XpmNoMemory);
+ p = (char *) XpmRealloc(ptr, ptr_size);
+ if (!p)
+ RETURN(XpmNoMemory);
+@@ -191,7 +206,7 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ #ifndef VOID_SPRINTF
+ used_size +=
+ #endif
+- sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt);
++ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
+ #ifdef VOID_SPRINTF
+ used_size += strlen(info->colors_cmt) + 5;
+ #endif
+@@ -207,7 +222,12 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ * 4 = 1 (for '"') + 3 (for '",\n')
+ * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
+ */
+- ptr_size += image->height * (image->width * image->cpp + 4) + 1;
++ if(image->width > UINT_MAX / image->cpp ||
++ (tmp = image->width * image->cpp + 4) <= 4 ||
++ image->height > UINT_MAX / tmp ||
++ (tmp = image->height * tmp + 1) <= 1 ||
++ (ptr_size += tmp) <= tmp)
++ RETURN(XpmNoMemory);
+
+ p = (char *) XpmRealloc(ptr, ptr_size);
+ if (!p)
+@@ -219,17 +239,17 @@ XpmCreateBufferFromXpmImage(buffer_retur
+ #ifndef VOID_SPRINTF
+ used_size +=
+ #endif
+- sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt);
++ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
+ #ifdef VOID_SPRINTF
+ used_size += strlen(info->pixels_cmt) + 5;
+ #endif
+ }
+- WritePixels(ptr + used_size, &used_size, image->width, image->height,
++ WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
+ image->cpp, image->data, image->colorTable);
+
+ /* print extensions */
+ if (extensions)
+- WriteExtensions(ptr + used_size, &used_size,
++ WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
+ info->extensions, info->nextensions);
+
+ /* close the array */
+@@ -246,6 +266,7 @@ error:
+ return (ErrorStatus);
+ }
+
++
+ static int
+ WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
+ char **dataptr;
+@@ -255,7 +276,7 @@ WriteColors(dataptr, data_size, used_siz
+ unsigned int ncolors;
+ unsigned int cpp;
+ {
+- char buf[BUFSIZ];
++ char buf[BUFSIZ] = {0};
+ unsigned int a, key, l;
+ char *s, *s2;
+ char **defaults;
+@@ -265,6 +286,8 @@ WriteColors(dataptr, data_size, used_siz
+
+ defaults = (char **) colors;
+ s = buf + 1;
++ if(cpp > (sizeof(buf) - (s-buf)))
++ return(XpmNoMemory);
+ strncpy(s, *defaults++, cpp);
+ s += cpp;
+
+@@ -273,14 +296,24 @@ WriteColors(dataptr, data_size, used_siz
+ #ifndef VOID_SPRINTF
+ s +=
+ #endif
+- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);
++ /* assume C99 compliance */
++ snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
+ #ifdef VOID_SPRINTF
+ s += strlen(s);
+ #endif
++ /* now let's check if s points out-of-bounds */
++ if((s-buf) > sizeof(buf))
++ return(XpmNoMemory);
+ }
+ }
++ if(sizeof(buf) - (s-buf) < 4)
++ return(XpmNoMemory);
+ strcpy(s, "\",\n");
+ l = s + 3 - buf;
++ if( *data_size >= UINT_MAX-l ||
++ *data_size + l <= *used_size ||
++ (*data_size + l - *used_size) <= sizeof(buf))
++ return(XpmNoMemory);
+ s = (char *) XpmRealloc(*dataptr, *data_size + l);
+ if (!s)
+ return (XpmNoMemory);
+@@ -293,8 +326,9 @@ WriteColors(dataptr, data_size, used_siz
+ }
+
+ static void
+-WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)
++WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
+ char *dataptr;
++ unsigned int data_size;
+ unsigned int *used_size;
+ unsigned int width;
+ unsigned int height;
+@@ -305,27 +339,36 @@ WritePixels(dataptr, used_size, width, h
+ char *s = dataptr;
+ unsigned int x, y, h;
+
++ if(height <= 1)
++ return;
++
+ h = height - 1;
+ for (y = 0; y < h; y++) {
+ *s++ = '"';
+ for (x = 0; x < width; x++, pixels++) {
+- strncpy(s, colors[*pixels].string, cpp);
++ if(cpp >= (data_size - (s-dataptr)))
++ return;
++ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
+ s += cpp;
+ }
++ if((data_size - (s-dataptr)) < 4)
++ return;
+ strcpy(s, "\",\n");
+ s += 3;
+ }
+ /* duplicate some code to avoid a test in the loop */
+ *s++ = '"';
+ for (x = 0; x < width; x++, pixels++) {
+- strncpy(s, colors[*pixels].string, cpp);
++ if(cpp >= (data_size - (s-dataptr)))
++ return;
++ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
+ s += cpp;
+ }
+ *s++ = '"';
+ *used_size += s - dataptr;
+ }
+
+-static int
++static unsigned int
+ ExtensionsSize(ext, num)
+ XpmExtension *ext;
+ unsigned int num;
+@@ -334,21 +377,26 @@ ExtensionsSize(ext, num)
+ char **line;
+
+ size = 0;
++ if(num == 0)
++ return(0); /* ok? */
+ for (x = 0; x < num; x++, ext++) {
+ /* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
+ size += strlen(ext->name) + 11;
+- a = ext->nlines;
++ a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
+ for (y = 0, line = ext->lines; y < a; y++, line++)
+ /* 4 = 3 (for ',\n"') + 1 (for '"') */
+ size += strlen(*line) + 4;
+ }
+ /* 13 is for ',\n"XPMENDEXT"' */
++ if(size > UINT_MAX - 13) /* unlikely */
++ return(0);
+ return size + 13;
+ }
+
+ static void
+-WriteExtensions(dataptr, used_size, ext, num)
++WriteExtensions(dataptr, data_size, used_size, ext, num)
+ char *dataptr;
++ unsigned int data_size;
+ unsigned int *used_size;
+ XpmExtension *ext;
+ unsigned int num;
+@@ -361,7 +409,7 @@ WriteExtensions(dataptr, used_size, ext,
+ #ifndef VOID_SPRINTF
+ s +=
+ #endif
+- sprintf(s, ",\n\"XPMEXT %s\"", ext->name);
++ snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
+ #ifdef VOID_SPRINTF
+ s += strlen(ext->name) + 11;
+ #endif
+@@ -370,13 +418,13 @@ WriteExtensions(dataptr, used_size, ext,
+ #ifndef VOID_SPRINTF
+ s +=
+ #endif
+- sprintf(s, ",\n\"%s\"", *line);
++ snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
+ #ifdef VOID_SPRINTF
+ s += strlen(*line) + 4;
+ #endif
+ }
+ }
+- strcpy(s, ",\n\"XPMENDEXT\"");
++ strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
+ *used_size += s - dataptr + 13;
+ }
+
+@@ -387,6 +435,7 @@ CommentsSize(info)
+ int size = 0;
+
+ /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
++ /* wrap possible but *very* unlikely */
+ if (info->hints_cmt)
+ size += 5 + strlen(info->hints_cmt);
+
diff --git a/graphics/xpm/patches/patch-am b/graphics/xpm/patches/patch-am
new file mode 100644
index 00000000000..9e30fe71f99
--- /dev/null
+++ b/graphics/xpm/patches/patch-am
@@ -0,0 +1,32 @@
+$NetBSD: patch-am,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/RdFToBuf.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/RdFToBuf.c
+@@ -37,6 +37,8 @@
+ * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
+ */
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+ #include <sys/stat.h>
+ #if !defined(FOR_MSW) && !defined(WIN32)
+@@ -58,7 +60,8 @@ XpmReadFileToBuffer(filename, buffer_ret
+ char *filename;
+ char **buffer_return;
+ {
+- int fd, fcheck, len;
++ int fd, fcheck;
++ off_t len;
+ char *ptr;
+ struct stat stats;
+ FILE *fp;
+@@ -82,7 +85,7 @@ XpmReadFileToBuffer(filename, buffer_ret
+ close(fd);
+ return XpmOpenFailed;
+ }
+- len = (int) stats.st_size;
++ len = stats.st_size;
+ ptr = (char *) XpmMalloc(len + 1);
+ if (!ptr) {
+ fclose(fp);
diff --git a/graphics/xpm/patches/patch-an b/graphics/xpm/patches/patch-an
new file mode 100644
index 00000000000..8674035313d
--- /dev/null
+++ b/graphics/xpm/patches/patch-an
@@ -0,0 +1,88 @@
+$NetBSD: patch-an,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/RdFToI.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/RdFToI.c
+@@ -32,6 +32,8 @@
+ * Developed by Arnaud Le Hors *
+ \*****************************************************************************/
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+ #include <sys/stat.h>
+ #if !defined(NO_ZPIPE) && defined(WIN32)
+@@ -122,6 +124,12 @@ XpmReadFileToXpmImage(filename, image, i
+ /*
+ * open the given file to be read as an xpmData which is returned.
+ */
++#ifndef NO_ZPIPE
++ FILE *s_popen(char *cmd, const char *type);
++#else
++# define s_popen popen
++#endif
++
+ static int
+ OpenReadFile(filename, mdata)
+ char *filename;
+@@ -139,17 +147,21 @@ OpenReadFile(filename, mdata)
+ mdata->type = XPMFILE;
+ } else {
+ #ifndef NO_ZPIPE
+- int len = strlen(filename);
++ size_t len = strlen(filename);
++
++ if(len == 0 ||
++ filename[len-1] == '/')
++ return(XpmOpenFailed);
+ if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
+ mdata->type = XPMPIPE;
+- sprintf(buf, "uncompress -c \"%s\"", filename);
+- if (!(mdata->stream.file = popen(buf, "r")))
++ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
++ if (!(mdata->stream.file = s_popen(buf, "r")))
+ return (XpmOpenFailed);
+
+ } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
+ mdata->type = XPMPIPE;
+- sprintf(buf, "gunzip -qc \"%s\"", filename);
+- if (!(mdata->stream.file = popen(buf, "r")))
++ snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
++ if (!(mdata->stream.file = s_popen(buf, "r")))
+ return (XpmOpenFailed);
+
+ } else {
+@@ -157,19 +169,19 @@ OpenReadFile(filename, mdata)
+ if (!(compressfile = (char *) XpmMalloc(len + 4)))
+ return (XpmNoMemory);
+
+- sprintf(compressfile, "%s.Z", filename);
++ snprintf(compressfile, len+4, "%s.Z", filename);
+ if (!stat(compressfile, &status)) {
+- sprintf(buf, "uncompress -c \"%s\"", compressfile);
+- if (!(mdata->stream.file = popen(buf, "r"))) {
++ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
++ if (!(mdata->stream.file = s_popen(buf, "r"))) {
+ XpmFree(compressfile);
+ return (XpmOpenFailed);
+ }
+ mdata->type = XPMPIPE;
+ } else {
+- sprintf(compressfile, "%s.gz", filename);
++ snprintf(compressfile, len+4, "%s.gz", filename);
+ if (!stat(compressfile, &status)) {
+- sprintf(buf, "gunzip -c \"%s\"", compressfile);
+- if (!(mdata->stream.file = popen(buf, "r"))) {
++ snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
++ if (!(mdata->stream.file = s_popen(buf, "r"))) {
+ XpmFree(compressfile);
+ return (XpmOpenFailed);
+ }
+@@ -215,7 +227,7 @@ xpmDataClose(mdata)
+ break;
+ #ifndef NO_ZPIPE
+ case XPMPIPE:
+- pclose(mdata->stream.file);
++ fclose(mdata->stream.file);
+ break;
+ #endif
+ }
diff --git a/graphics/xpm/patches/patch-ao b/graphics/xpm/patches/patch-ao
new file mode 100644
index 00000000000..a25cb30642a
--- /dev/null
+++ b/graphics/xpm/patches/patch-ao
@@ -0,0 +1,22 @@
+$NetBSD: patch-ao,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/WrFFrBuf.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/WrFFrBuf.c
+@@ -32,6 +32,8 @@
+ * Developed by Arnaud Le Hors *
+ \*****************************************************************************/
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+
+ int
+@@ -49,7 +51,7 @@ XpmWriteFileFromBuffer(filename, buffer)
+ fcheck = fwrite(buffer, len, 1, fp);
+ fclose(fp);
+ if (fcheck != 1)
+- return XpmOpenFailed;
++ return XpmOpenFailed; /* maybe use a better return value */
+
+ return XpmSuccess;
+ }
diff --git a/graphics/xpm/patches/patch-ap b/graphics/xpm/patches/patch-ap
new file mode 100644
index 00000000000..fbc27d9b439
--- /dev/null
+++ b/graphics/xpm/patches/patch-ap
@@ -0,0 +1,103 @@
+$NetBSD: patch-ap,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/WrFFrI.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/WrFFrI.c
+@@ -37,6 +37,8 @@
+ * Lorens Younes (d93-hyo@nada.kth.se) 4/96
+ */
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+ #if !defined(NO_ZPIPE) && defined(WIN32)
+ # define popen _popen
+@@ -97,7 +99,7 @@ XpmWriteFileFromXpmImage(filename, image
+ XpmInfo *info;
+ {
+ xpmData mdata;
+- char *name, *dot, *s, new_name[BUFSIZ];
++ char *name, *dot, *s, new_name[BUFSIZ] = {0};
+ int ErrorStatus;
+
+ /* open file to write */
+@@ -119,8 +121,9 @@ XpmWriteFileFromXpmImage(filename, image
+ name++;
+ #endif
+ /* let's try to make a valid C syntax name */
+- if (dot = index(name, '.')) {
+- strcpy(new_name, name);
++ if (index(name, '.')) {
++ strncpy(new_name, name, sizeof(new_name));
++ new_name[sizeof(new_name)-1] = 0;
+ /* change '.' to '_' */
+ name = s = new_name;
+ while (dot = index(s, '.')) {
+@@ -130,7 +133,8 @@ XpmWriteFileFromXpmImage(filename, image
+ }
+ if (dot = index(name, '-')) {
+ if (name != new_name) {
+- strcpy(new_name, name);
++ strncpy(new_name, name, sizeof(new_name));
++ new_name[sizeof(new_name)-1] = 0;
+ name = new_name;
+ }
+ /* change '-' to '_' */
+@@ -247,6 +251,8 @@ WritePixels(file, width, height, cpp, pi
+ unsigned int x, y, h;
+
+ h = height - 1;
++ if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
++ return XpmNoMemory;
+ p = buf = (char *) XpmMalloc(width * cpp + 3);
+ if (!buf)
+ return (XpmNoMemory);
+@@ -297,6 +303,11 @@ WriteExtensions(file, ext, num)
+ /*
+ * open the given file to be written as an xpmData which is returned
+ */
++#ifndef NO_ZPIPE
++ FILE *s_popen(char *cmd, const char *type);
++#else
++# define s_popen popen
++#endif
+ static int
+ OpenWriteFile(filename, mdata)
+ char *filename;
+@@ -312,16 +323,23 @@ OpenWriteFile(filename, mdata)
+ mdata->type = XPMFILE;
+ } else {
+ #ifndef NO_ZPIPE
+- int len = strlen(filename);
++ size_t len = strlen(filename);
++
++ if(len == 0 ||
++ filename[0] == '/' ||
++ strstr(filename, "../") != NULL ||
++ filename[len-1] == '/')
++ return(XpmOpenFailed);
++
+ if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
+- sprintf(buf, "compress > \"%s\"", filename);
+- if (!(mdata->stream.file = popen(buf, "w")))
++ snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
++ if (!(mdata->stream.file = s_popen(buf, "w")))
+ return (XpmOpenFailed);
+
+ mdata->type = XPMPIPE;
+ } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
+- sprintf(buf, "gzip -q > \"%s\"", filename);
+- if (!(mdata->stream.file = popen(buf, "w")))
++ snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
++ if (!(mdata->stream.file = s_popen(buf, "w")))
+ return (XpmOpenFailed);
+
+ mdata->type = XPMPIPE;
+@@ -352,7 +370,7 @@ xpmDataClose(mdata)
+ break;
+ #ifndef NO_ZPIPE
+ case XPMPIPE:
+- pclose(mdata->stream.file);
++ fclose(mdata->stream.file);
+ break;
+ #endif
+ }
diff --git a/graphics/xpm/patches/patch-aq b/graphics/xpm/patches/patch-aq
new file mode 100644
index 00000000000..d12d49aacec
--- /dev/null
+++ b/graphics/xpm/patches/patch-aq
@@ -0,0 +1,13 @@
+$NetBSD: patch-aq,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/misc.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/misc.c
+@@ -44,7 +44,7 @@ xpmstrdup(s1)
+ char *s1;
+ {
+ char *s2;
+- int l = strlen(s1) + 1;
++ size_t l = strlen(s1) + 1;
+
+ if (s2 = (char *) XpmMalloc(l))
+ strcpy(s2, s1);
diff --git a/graphics/xpm/patches/patch-ar b/graphics/xpm/patches/patch-ar
new file mode 100644
index 00000000000..cf710810695
--- /dev/null
+++ b/graphics/xpm/patches/patch-ar
@@ -0,0 +1,186 @@
+$NetBSD: patch-ar,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- /dev/null 2005-06-14 01:17:00.000000000 -0400
++++ lib/s_popen.c 2005-06-14 00:03:23.000000000 -0400
+@@ -0,0 +1,181 @@
++/*
++ * Copyright (C) 2004 The X.Org fundation
++ *
++ * Permission is hereby granted, free of charge, to any person
++ * obtaining a copy of this software and associated documentation
++ * files (the "Software"), to deal in the Software without
++ * restriction, including without limitation the rights to use, copy,
++ * modify, merge, publish, distribute, sublicense, and/or sell copies
++ * of the Software, and to permit persons to whom the Software is fur-
++ * nished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
++ * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
++ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ *
++ * Except as contained in this notice, the name of the X.Org fundation
++ * shall not be used in advertising or otherwise to promote the sale,
++ * use or other dealings in this Software without prior written
++ * authorization from the X.Org fundation.
++ */
++
++/*
++** This is a secure but NOT 100% compatible replacement for popen()
++** Note: - don't use pclose() use fclose() for closing the returned
++** filedesc.!!!
++**
++** Known Bugs: - unable to use i/o-redirection like > or <
++** Author: - Thomas Biege <thomas@suse.de>
++** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
++** calling strtok()
++*/
++
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <string.h>
++
++#define __SEC_POPEN_TOKEN " "
++
++FILE *s_popen(char *cmd, const char *type)
++{
++ pid_t pid;
++ int pfd[2];
++ int rpipe = 0, wpipe = 0, i;
++ char **argv;
++ char *ptr;
++ char *cmdcpy;
++
++
++ if(cmd == NULL || cmd == "")
++ return(NULL);
++
++ if(type[0] != 'r' && type[0] != 'w')
++ return(NULL);
++
++ if ((cmdcpy = strdup(cmd)) == NULL)
++ return(NULL);
++
++ argv = NULL;
++ if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ for(i = 0;; i++)
++ {
++ if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ strcpy(argv[i], ptr);
++
++ if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
++ {
++ if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++ argv[i+1] = NULL;
++ break;
++ }
++ }
++
++
++ if(type[0] == 'r')
++ rpipe = 1;
++ else
++ wpipe = 1;
++
++ if (pipe(pfd) < 0)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ if((pid = fork()) < 0)
++ {
++ close(pfd[0]);
++ close(pfd[1]);
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ if(pid == 0) /* child */
++ {
++ if((pid = fork()) < 0)
++ {
++ close(pfd[0]);
++ close(pfd[1]);
++ free(cmdcpy);
++ return(NULL);
++ }
++ if(pid > 0)
++ {
++ exit(0); /* child nr. 1 exits */
++ }
++
++ /* child nr. 2 */
++ if(rpipe)
++ {
++ close(pfd[0]); /* close reading end, we don't need it */
++ dup2(STDOUT_FILENO, STDERR_FILENO);
++ if (pfd[1] != STDOUT_FILENO)
++ dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
++ }
++ else
++ {
++ close(pfd[1]); /* close writing end, we don't need it */
++ if (pfd[0] != STDIN_FILENO)
++ dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
++ }
++
++ if(strchr(argv[0], '/') == NULL)
++ execvp(argv[0], argv); /* search in $PATH */
++ else
++ execv(argv[0], argv);
++
++ close(pfd[0]);
++ close(pfd[1]);
++ free(cmdcpy);
++ return(NULL); /* exec failed.. ooops! */
++ }
++ else /* parent */
++ {
++ waitpid(pid, NULL, 0); /* wait for child nr. 1 */
++
++ if(rpipe)
++ {
++ close(pfd[1]);
++ free(cmdcpy);
++ return(fdopen(pfd[0], "r"));
++ }
++ else
++ {
++ close(pfd[0]);
++ free(cmdcpy);
++ return(fdopen(pfd[1], "w"));
++ }
++
++ }
++}
++
diff --git a/graphics/xpm/patches/patch-as b/graphics/xpm/patches/patch-as
new file mode 100644
index 00000000000..9c74075938d
--- /dev/null
+++ b/graphics/xpm/patches/patch-as
@@ -0,0 +1,12 @@
+$NetBSD: patch-as,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- cxpm/cxpm.c.orig 1998-03-19 14:51:01.000000000 -0500
++++ cxpm/cxpm.c
+@@ -77,6 +77,7 @@ sUngetc(data, c)
+ #include "../lib/data.c"
+ #include "../lib/parse.c"
+ #include "../lib/RdFToI.c" /* only for OpenReadFile and xpmDataClose */
++#include "../lib/s_popen.c"
+ #include "../lib/hashtab.c"
+ #include "../lib/misc.c"
+ #include "../lib/Attrib.c"