author | jlam <jlam@pkgsrc.org> | 2005-06-14 18:10:37 +0000 |
---|---|---|
committer | jlam <jlam@pkgsrc.org> | 2005-06-14 18:10:37 +0000 |
commit | 416d289ba6fe62a94fe41c69bc35841ea3aa68a2 (patch) | |
tree | 1b7ee2922136089c601a3f3b3b9f05d0492a8e93 /graphics/xpm | |
parent | ce923579a3a1f50a5e3415d161aa85bce9df2597 (diff) | |
Apply fixes derived from the HEAD branch of X.Org (6.8.99) to address
problems noted in CAN-2004-0914:
Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as
used in XFree86 and other packages, include (1) multiple integer
overflows, (2) out-of-bounds memory accesses, (3) directory
traversal, (4) shell metacharacter, (5) endless loops, and (6)
memory leaks, which could allow remote attackers to obtain
sensitive information, cause a denial of service (application
crash), or execute arbitrary code via a certain XPM image file.
Bump PKGREVISION to 4. Since this is a security-related fix, also
bump the BUILDLINK_RECOMMENDED version for this package.
Diffstat (limited to 'graphics/xpm')
-rw-r--r-- | graphics/xpm/Makefile | 4 | ||||
-rw-r--r-- | graphics/xpm/buildlink3.mk | 4 | ||||
-rw-r--r-- | graphics/xpm/distinfo | 28 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ac | 28 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ad | 22 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ae | 45 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-af | 232 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ag | 392 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ah | 40 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ai | 16 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-aj | 176 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ak | 168 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-al | 308 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-am | 32 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-an | 88 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ao | 22 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ap | 103 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-aq | 13 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-ar | 186 | ||||
-rw-r--r-- | graphics/xpm/patches/patch-as | 12 |
20 files changed, 1778 insertions, 141 deletions
diff --git a/graphics/xpm/Makefile b/graphics/xpm/Makefile index 9de228936c7..c0c7ced254f 100644 --- a/graphics/xpm/Makefile +++ b/graphics/xpm/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.42 2005/06/01 19:31:17 jlam Exp $ +# $NetBSD: Makefile,v 1.43 2005/06/14 18:10:37 jlam Exp $ DISTNAME= xpm-3.4k -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= graphics x11 MASTER_SITES= http://koala.ilog.fr/ftp/pub/xpm/ \ ${MASTER_SITE_XCONTRIB:=libraries/} diff --git a/graphics/xpm/buildlink3.mk b/graphics/xpm/buildlink3.mk index 10cbdc9ebb2..579b2a1b607 100644 --- a/graphics/xpm/buildlink3.mk +++ b/graphics/xpm/buildlink3.mk @@ -1,4 +1,4 @@ -# $NetBSD: buildlink3.mk,v 1.17 2005/06/01 18:02:58 jlam Exp $ +# $NetBSD: buildlink3.mk,v 1.18 2005/06/14 18:10:37 jlam Exp $ BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+ XPM_BUILDLINK3_MK:= ${XPM_BUILDLINK3_MK}+ @@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= xpm .if !empty(XPM_BUILDLINK3_MK:M+) BUILDLINK_DEPENDS.xpm+= xpm>=3.4k -BUILDLINK_RECOMMENDED.xpm?= xpm>=3.4knb2 +BUILDLINK_RECOMMENDED.xpm?= xpm>=3.4knb4 BUILDLINK_PKGSRCDIR.xpm?= ../../graphics/xpm .endif # XPM_BUILDLINK3_MK diff --git a/graphics/xpm/distinfo b/graphics/xpm/distinfo index f163c270d0e..9c8d825fcdd 100644 --- a/graphics/xpm/distinfo +++ b/graphics/xpm/distinfo 
@@ -1,16 +1,24 @@
-$NetBSD: distinfo,v 1.12 2005/03/10 15:23:10 wiz Exp $
+$NetBSD: distinfo,v 1.13 2005/06/14 18:10:37 jlam Exp $
 SHA1 (xpm-3.4k.tar.gz) = a8eac19e5772bf7b3b177353686c1401fbf334bd
 RMD160 (xpm-3.4k.tar.gz) = 65a2e58f97724a48a6834aab991341771c5a1faf
 Size (xpm-3.4k.tar.gz) = 148887 bytes
 SHA1 (patch-aa) = 33725beb53dc01b022e5110dbffab4c6a3ae65dc
 SHA1 (patch-ab) = 0c8f317cdbde27929790e46d1711ada5e454b79d
-SHA1 (patch-ac) = a0f1692ecfbf0160f5e5a5e3f31ac9398ff667b7
-SHA1 (patch-ad) = 0b6a2640a175d354449cab0198e3cbe1220f46b4
-SHA1 (patch-ae) = 31cf9b37d8d138ffdcee66b16adb4ed22c129763
-SHA1 (patch-af) = 17fed3b0e060f7cee19d21bc3ec5bf1b87dd89a7
-SHA1 (patch-ag) = 68435561f8fe7753c4bb8ce71ee6e53faf1e83d6
-SHA1 (patch-ah) = 075229583814bbdd0a3d7ac8dcb6ad0507d182ff
-SHA1 (patch-ai) = 79472013037a1866739b96e97d740378086cc46f
-SHA1 (patch-aj) = 98048e40c338f69915e233aa11df0f95deff75a4
-SHA1 (patch-ak) = a949e05f82d5ed9ce48348bcedf4811cff119a03
+SHA1 (patch-ac) = 80c8c58a526ccc8651862d87cc5cd92d8aa9fb2d
+SHA1 (patch-ad) = d352c47831955845e5805ac737031f2ff179b0df
+SHA1 (patch-ae) = 9b11253041212c8e43c426be4729363e4f8e122a
+SHA1 (patch-af) = be7953d5baf84d2b08e89576755428d3bc57e8c2
+SHA1 (patch-ag) = 74f8e7ed98e6d6c85168464e71274dc1ecb56297
+SHA1 (patch-ah) = ffa827d23283c9e937071a202f7f7d5b7846d9d0
+SHA1 (patch-ai) = 619392a9bde70210c5f6e0fa1b7f1e278cd68bfb
+SHA1 (patch-aj) = db0de3aff27606aceb67027691cb6f55c549478a
+SHA1 (patch-ak) = 011da5204f825aaaf4aed4536cfb29a7f63efc5d
+SHA1 (patch-al) = 09ceea05f856edd3fad3aedabbdf535c9d919cd9
+SHA1 (patch-am) = 3f69a82cb9ebaa4e0fc7ce5c63a938cec31bbbd3
+SHA1 (patch-an) = f8f0602116e9000f2506230f0d65eac1171c2904
+SHA1 (patch-ao) = 7681e03f1f317ef5e694a464f1efad82d9de78c2
+SHA1 (patch-ap) = 6ccb211e9051374cf7cdb6138a6520943e1cd645
+SHA1 (patch-aq) = 6d3f3554c7d66d3d9879dc2b352310e32799926c
+SHA1 (patch-ar) = c6a5ef0af6568f519467b753aae5050a0513f99e
+SHA1 (patch-as) = f11694bc7fb300450fd07d496975bfb0fbb6b68f
diff --git a/graphics/xpm/patches/patch-ac b/graphics/xpm/patches/patch-ac index 6434d9a9821..d7401f412bf 100644 --- a/graphics/xpm/patches/patch-ac +++ b/graphics/xpm/patches/patch-ac @@ -1,8 +1,8 @@ -$NetBSD: patch-ac,v 1.2 2001/07/06 21:11:34 tron Exp $ +$NetBSD: patch-ac,v 1.3 2005/06/14 18:10:37 jlam Exp $ ---- lib/Imakefile.orig Thu Mar 19 20:50:59 1998 -+++ lib/Imakefile Fri Jul 6 23:02:49 2001 -@@ -34,7 +34,7 @@ +--- lib/Imakefile.orig 1998-03-19 14:50:59.000000000 -0500 ++++ lib/Imakefile +@@ -34,7 +34,7 @@ XCOMM default locations #define XpmLibDir $(USRLIBDIR) #endif #ifndef XpmIncDir @@ -11,7 +11,7 @@ $NetBSD: patch-ac,v 1.2 2001/07/06 21:11:34 tron Exp $ #endif XCOMM If not already set in top dir, -@@ -55,7 +55,7 @@ +@@ -55,7 +55,7 @@ REQUIREDLIBS = $(XLIB) #endif XCOMM on Dec Alpha we need to define the following to build the shared library @@ -20,3 +20,21 @@ $NetBSD: patch-ac,v 1.2 2001/07/06 21:11:34 tron Exp $ REQUIREDLIBS = $(LDPRELIB) $(XLIB) SO_REQLIBS = -lX11 -lc #endif +@@ -104,13 +104,15 @@ HEADERS = xpm.h + CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \ + CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \ + CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \ +- Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c ++ Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \ ++ s_popen.c + + OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \ + CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \ + CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \ + CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \ +- Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o ++ Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \ ++ s_popen.o + + INCLUDES = -I. + LINTLIBS = $(LINTXTOLL) $(LINTXLIB) diff --git a/graphics/xpm/patches/patch-ad b/graphics/xpm/patches/patch-ad index bf2231b5152..65017a19e74 100644 --- a/graphics/xpm/patches/patch-ad +++ b/graphics/xpm/patches/patch-ad 
@@ -1,8 +1,8 @@ -$NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-ad,v 1.6 2005/06/14 18:10:37 jlam Exp $ ---- lib/XpmI.h.orig Thu Mar 19 13:51:00 1998 +--- lib/XpmI.h.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/XpmI.h -@@ -42,6 +42,7 @@ +@@ -42,14 +42,17 @@ #ifndef XPMI_h #define XPMI_h @@ -10,12 +10,22 @@ $NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $ #include "xpm.h" /* -@@ -114,6 +115,18 @@ extern FILE *popen(); + * lets try to solve include files + */ + ++#include <sys/types.h> + #include <stdio.h> + #include <stdlib.h> ++#include <limits.h> + /* stdio.h doesn't declare popen on a Sequent DYNIX OS */ + #ifdef sequent + extern FILE *popen(); +@@ -114,6 +117,18 @@ extern FILE *popen(); boundCheckingCalloc((long)(nelem),(long) (elsize)) #endif +#if defined(SCO) || defined(__USLC__) -+#include <stdint.h> /* For SIZE_MAX */ ++#include <stdint.h> /* For SIZE_MAX */ +#endif +#include <limits.h> +#ifndef SIZE_MAX @@ -29,7 +39,7 @@ $NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $ #define XPMMAXCMTLEN BUFSIZ typedef struct { unsigned int type; -@@ -215,9 +228,9 @@ typedef struct _xpmHashAtom { +@@ -215,9 +230,9 @@ typedef struct _xpmHashAtom { } *xpmHashAtom; typedef struct { diff --git a/graphics/xpm/patches/patch-ae b/graphics/xpm/patches/patch-ae index a94b683aaab..4310250ef8a 100644 --- a/graphics/xpm/patches/patch-ae +++ b/graphics/xpm/patches/patch-ae @@ -1,8 +1,13 @@ -$NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-ae,v 1.2 2005/06/14 18:10:37 jlam Exp $ ---- lib/Attrib.c.orig Thu Mar 19 13:50:59 1998 +--- lib/Attrib.c.orig 1998-03-19 14:50:59.000000000 -0500 +++ lib/Attrib.c -@@ -35,7 +35,7 @@ +@@ -32,13 +32,15 @@ + * Developed by Arnaud Le Hors * + \*****************************************************************************/ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ #include "XpmI.h" /* 3.2 backward compatibility code */ 
@@ -10,8 +15,12 @@ $NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $ +LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, XpmColor ***oldct)); - LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); -@@ -46,11 +46,14 @@ LFUNC(FreeOldColorTable, void, (XpmColor +-LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); ++LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors)); + + /* + * Create a colortable compatible with the old style colortable +@@ -46,11 +48,14 @@ LFUNC(FreeOldColorTable, void, (XpmColor static int CreateOldColorTable(ct, ncolors, oldct) XpmColor *ct; @@ -20,10 +29,32 @@ $NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $ XpmColor ***oldct; { XpmColor **colorTable, **color; - int a; +- int a; ++ unsigned int a; + -+ if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) ++ if (ncolors >= UINT_MAX / sizeof(XpmColor *)) + return XpmNoMemory; colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); if (!colorTable) { +@@ -66,9 +71,9 @@ CreateOldColorTable(ct, ncolors, oldct) + static void + FreeOldColorTable(colorTable, ncolors) + XpmColor **colorTable; +- int ncolors; ++ unsigned int ncolors; + { +- int a, b; ++ unsigned int a, b; + XpmColor **color; + char **sptr; + +@@ -119,7 +124,7 @@ XpmFreeExtensions(extensions, nextension + XpmExtension *ext; + char **sptr; + +- if (extensions) { ++ if (extensions && nextensions > 0) { + for (i = 0, ext = extensions; i < nextensions; i++, ext++) { + if (ext->name) + XpmFree(ext->name); diff --git a/graphics/xpm/patches/patch-af b/graphics/xpm/patches/patch-af index 5a511d00424..192f9986acd 100644 --- a/graphics/xpm/patches/patch-af +++ b/graphics/xpm/patches/patch-af 
@@ -1,13 +1,233 @@ -$NetBSD: patch-af,v 1.1 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-af,v 1.2 2005/06/14 18:10:37 jlam Exp $ ---- lib/CrDatFrI.c.orig Thu Mar 19 13:50:59 1998 +--- lib/CrDatFrI.c.orig 1998-03-19 14:50:59.000000000 -0500 +++ lib/CrDatFrI.c -@@ -123,6 +123,8 @@ XpmCreateDataFromXpmImage(data_return, i +@@ -32,13 +32,16 @@ + * Developed by Arnaud Le Hors * + \*****************************************************************************/ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #include "XpmI.h" + + LFUNC(CreateColors, int, (char **dataptr, unsigned int *data_size, + XpmColor *colors, unsigned int ncolors, + unsigned int cpp)); + +-LFUNC(CreatePixels, void, (char **dataptr, unsigned int width, ++LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size, ++ unsigned int width, + unsigned int height, unsigned int cpp, + unsigned int *pixels, XpmColor *colors)); + +@@ -46,7 +49,8 @@ LFUNC(CountExtensions, void, (XpmExtensi + unsigned int *ext_size, + unsigned int *ext_nlines)); + +-LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset, ++LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size, ++ unsigned int offset, + XpmExtension *ext, unsigned int num, + unsigned int ext_nlines)); + +@@ -87,10 +91,11 @@ XpmCreateDataFromImage(display, data_ret + + #undef RETURN + #define RETURN(status) \ ++do \ + { \ + ErrorStatus = status; \ + goto exit; \ +-} ++} while(0) + + int + XpmCreateDataFromXpmImage(data_return, image, info) +@@ -121,9 +126,17 @@ XpmCreateDataFromXpmImage(data_return, i + * alloc a temporary array of char pointer for the header section which + * is the hints line + the color table lines */ - header_nlines = 1 + image->ncolors; +- header_nlines = 1 + image->ncolors; ++ header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */ ++ ++ /* 2nd check superfluous if we do not need header_nlines any further */ ++ if(header_nlines <= image->ncolors || ++ 
header_nlines >= UINT_MAX / sizeof(char *)) ++ return(XpmNoMemory); ++ header_size = sizeof(char *) * header_nlines; -+ if (header_size >= SIZE_MAX / sizeof(char *)) +- header = (char **) XpmCalloc(header_size, sizeof(char *)); ++ if (header_size >= UINT_MAX / sizeof(char *)) + return (XpmNoMemory); - header = (char **) XpmCalloc(header_size, sizeof(char *)); ++ header = (char **) XpmCalloc(header_size, sizeof(char *)); /* can we trust image->ncolors */ if (!header) return (XpmNoMemory); + +@@ -167,8 +180,22 @@ XpmCreateDataFromXpmImage(data_return, i + + /* now we know the size needed, alloc the data and copy the header lines */ + offset = image->width * image->cpp + 1; +- data_size = header_size + (image->height + ext_nlines) * sizeof(char *) +- + image->height * offset + ext_size; ++ ++ if(offset <= image->width || offset <= image->cpp) ++ RETURN(XpmNoMemory); ++ ++ if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *)) ++ RETURN(XpmNoMemory); ++ data_size = (image->height + ext_nlines) * sizeof(char *); ++ ++ if (image->height > UINT_MAX / offset || ++ image->height * offset > UINT_MAX - data_size) ++ RETURN(XpmNoMemory); ++ data_size += image->height * offset; ++ ++ if( (header_size + ext_size) >= (UINT_MAX - data_size) ) ++ RETURN(XpmNoMemory); ++ data_size += header_size + ext_size; + + data = (char **) XpmMalloc(data_size); + if (!data) +@@ -176,8 +203,10 @@ XpmCreateDataFromXpmImage(data_return, i + + data_nlines = header_nlines + image->height + ext_nlines; + *data = (char *) (data + data_nlines); ++ ++ /* can header have less elements then n suggests? 
*/ + n = image->ncolors; +- for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) { ++ for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) { + strcpy(*sptr, *sptr2); + *(sptr + 1) = *sptr + strlen(*sptr2) + 1; + } +@@ -186,12 +215,13 @@ XpmCreateDataFromXpmImage(data_return, i + data[header_nlines] = (char *) data + header_size + + (image->height + ext_nlines) * sizeof(char *); + +- CreatePixels(data + header_nlines, image->width, image->height, ++ CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height, + image->cpp, image->data, image->colorTable); + + /* print extensions */ + if (extensions) +- CreateExtensions(data + header_nlines + image->height - 1, offset, ++ CreateExtensions(data + header_nlines + image->height - 1, ++ data_size - header_nlines - image->height + 1, offset, + info->extensions, info->nextensions, + ext_nlines); + +@@ -222,23 +252,35 @@ CreateColors(dataptr, data_size, colors, + char *s, *s2; + char **defaults; + ++ /* can ncolors be trusted here? */ + for (a = 0; a < ncolors; a++, colors++, dataptr++) { + + defaults = (char **) colors; ++ if(sizeof(buf) <= cpp) ++ return(XpmNoMemory); + strncpy(buf, *defaults++, cpp); + s = buf + cpp; + ++ if(sizeof(buf) <= (s-buf)) ++ return XpmNoMemory; ++ + for (key = 1; key <= NKEYS; key++, defaults++) { + if (s2 = *defaults) { + #ifndef VOID_SPRINTF + s += + #endif +- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); ++ /* assume C99 compliance */ ++ snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); ++ + #ifdef VOID_SPRINTF + s += strlen(s); + #endif ++ /* does s point out-of-bounds? */ ++ if(sizeof(buf) < (s-buf)) ++ return XpmNoMemory; + } + } ++ /* what about using strdup()? 
*/ + l = s - buf + 1; + s = (char *) XpmMalloc(l); + if (!s) +@@ -250,8 +292,9 @@ CreateColors(dataptr, data_size, colors, + } + + static void +-CreatePixels(dataptr, width, height, cpp, pixels, colors) ++CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors) + char **dataptr; ++ unsigned int data_size; + unsigned int width; + unsigned int height; + unsigned int cpp; +@@ -261,21 +304,38 @@ CreatePixels(dataptr, width, height, cpp + char *s; + unsigned int x, y, h, offset; + ++ if(height <= 1) ++ return; ++ + h = height - 1; ++ + offset = width * cpp + 1; ++ ++ if(offset <= width || offset <= cpp) ++ return; ++ ++ /* why trust h? */ + for (y = 0; y < h; y++, dataptr++) { + s = *dataptr; ++ /* why trust width? */ + for (x = 0; x < width; x++, pixels++) { +- strncpy(s, colors[*pixels].string, cpp); ++ if(cpp > (data_size - (s - *dataptr))) ++ return; ++ strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */ + s += cpp; + } + *s = '\0'; ++ if(offset > data_size) ++ return; + *(dataptr + 1) = *dataptr + offset; + } + /* duplicate some code to avoid a test in the loop */ + s = *dataptr; ++ /* why trust width? */ + for (x = 0; x < width; x++, pixels++) { +- strncpy(s, colors[*pixels].string, cpp); ++ if(cpp > data_size - (s - *dataptr)) ++ return; ++ strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? 
*/ + s += cpp; + } + *s = '\0'; +@@ -308,8 +368,9 @@ CountExtensions(ext, num, ext_size, ext_ + } + + static void +-CreateExtensions(dataptr, offset, ext, num, ext_nlines) ++CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines) + char **dataptr; ++ unsigned int data_size; + unsigned int offset; + XpmExtension *ext; + unsigned int num; +@@ -322,12 +383,12 @@ CreateExtensions(dataptr, offset, ext, n + dataptr++; + a = 0; + for (x = 0; x < num; x++, ext++) { +- sprintf(*dataptr, "XPMEXT %s", ext->name); ++ snprintf(*dataptr, data_size, "XPMEXT %s", ext->name); + a++; + if (a < ext_nlines) + *(dataptr + 1) = *dataptr + strlen(ext->name) + 8; + dataptr++; +- b = ext->nlines; ++ b = ext->nlines; /* can we trust these values? */ + for (y = 0, line = ext->lines; y < b; y++, line++) { + strcpy(*dataptr, *line); + a++; diff --git a/graphics/xpm/patches/patch-ag b/graphics/xpm/patches/patch-ag index 65c4d5f2c2f..91a30d37b9e 100644 --- a/graphics/xpm/patches/patch-ag +++ b/graphics/xpm/patches/patch-ag 
@@ -1,53 +1,387 @@ -$NetBSD: patch-ag,v 1.1 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-ag,v 1.2 2005/06/14 18:10:37 jlam Exp $ ---- lib/create.c.orig Thu Mar 19 13:51:00 1998 +--- lib/create.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/create.c -@@ -819,6 +819,9 @@ XpmCreateImageFromXpmImage(display, imag +@@ -43,6 +43,8 @@ + * Lorens Younes (d93-hyo@nada.kth.se) 4/96 + */ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #include "XpmI.h" + #include <ctype.h> + +@@ -517,7 +519,7 @@ CreateColors(display, attributes, colors + /* variables stored in the XpmAttributes structure */ + Visual *visual; + Colormap colormap; +- XpmColorSymbol *colorsymbols; ++ XpmColorSymbol *colorsymbols = NULL; + unsigned int numsymbols; + XpmAllocColorFunc allocColor; + void *closure; +@@ -525,7 +527,7 @@ CreateColors(display, attributes, colors + char *colorname; + unsigned int color, key; + Bool pixel_defined; +- XpmColorSymbol *symbol; ++ XpmColorSymbol *symbol = NULL; + char **defaults; + int ErrorStatus = XpmSuccess; + char *s; +@@ -583,7 +585,7 @@ CreateColors(display, attributes, colors + */ + } else { + #endif +- int i; ++ unsigned int i; + + #ifndef AMIGA + ncols = visual->map_entries; +@@ -743,12 +745,14 @@ FreeColors(display, colormap, pixels, n, + + + /* function call in case of error */ ++ + #undef RETURN + #define RETURN(status) \ ++do \ + { \ + ErrorStatus = status; \ + goto error; \ +-} ++} while(0) + + int + XpmCreateImageFromXpmImage(display, image, +@@ -765,7 +769,6 @@ XpmCreateImageFromXpmImage(display, imag + unsigned int depth; + int bitmap_format; + XpmFreeColorsFunc freeColors; +- void *closure; + + /* variables to return */ + XImage *ximage = NULL; +@@ -812,13 +815,12 @@ XpmCreateImageFromXpmImage(display, imag + freeColors = attributes->free_colors; + else + freeColors = FreeColors; +- if (attributes && (attributes->valuemask & XpmColorClosure)) +- closure = attributes->color_closure; +- else +- closure = NULL; 
ErrorStatus = XpmSuccess; -+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) ++ if (image->ncolors >= UINT_MAX / sizeof(Pixel)) + return (XpmNoMemory); + /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) -@@ -991,6 +994,8 @@ CreateXImage(display, visual, depth, for +@@ -991,7 +993,13 @@ CreateXImage(display, visual, depth, for return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) -+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) ++ if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { ++ XDestroyImage(*image_return); + return XpmNoMemory; ++ } /* now that bytes_per_line must have been set properly alloc data */ ++ if((*image_return)->bytes_per_line == 0 || height == 0) ++ return XpmNoMemory; (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); -@@ -2063,6 +2068,9 @@ xpmParseDataAndCreate(display, data, ima + +@@ -1020,7 +1028,7 @@ CreateXImage(display, visual, depth, for + LFUNC(_putbits, void, (register char *src, int dstoffset, + register int numbits, register char *dst)); + +-LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); ++LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); + + static unsigned char Const _reverse_byte[0x100] = { + 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, +@@ -1060,12 +1068,12 @@ static unsigned char Const _reverse_byte + static int + _XReverse_Bytes(bpt, nb) + register unsigned char *bpt; +- register int nb; ++ register unsigned int nb; + { + do { + *bpt = _reverse_byte[*bpt]; + bpt++; +- } while (--nb > 0); ++ } while (--nb > 0); /* is nb user-controled? 
*/ + return 0; + } + +@@ -1204,18 +1212,18 @@ PutImagePixels(image, width, height, pix + register char *src; + register char *dst; + register unsigned int *iptr; +- register int x, y, i; ++ register unsigned int x, y; + register char *data; + Pixel pixel, px; +- int nbytes, depth, ibu, ibpp; ++ int nbytes, depth, ibu, ibpp, i; + + data = image->data; + iptr = pixelindex; + depth = image->depth; + if (depth == 1) { + ibu = image->bitmap_unit; +- for (y = 0; y < height; y++) +- for (x = 0; x < width; x++, iptr++) { ++ for (y = 0; y < height; y++) /* how can we trust height */ ++ for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ + pixel = pixels[*iptr]; + for (i = 0, px = pixel; i < sizeof(unsigned long); + i++, px >>= 8) +@@ -1290,12 +1298,12 @@ PutImagePixels32(image, width, height, p + { + unsigned char *data; + unsigned int *iptr; +- int y; ++ unsigned int y; + Pixel pixel; + + #ifdef WITHOUT_SPEEDUPS + +- int x; ++ unsigned int x; + unsigned char *addr; + + data = (unsigned char *) image->data; +@@ -1332,7 +1340,7 @@ PutImagePixels32(image, width, height, p + + #else /* WITHOUT_SPEEDUPS */ + +- int bpl = image->bytes_per_line; ++ unsigned int bpl = image->bytes_per_line; + unsigned char *data_ptr, *max_data; + + data = (unsigned char *) image->data; +@@ -1400,11 +1408,11 @@ PutImagePixels16(image, width, height, p + { + unsigned char *data; + unsigned int *iptr; +- int y; ++ unsigned int y; + + #ifdef WITHOUT_SPEEDUPS + +- int x; ++ unsigned int x; + unsigned char *addr; + + data = (unsigned char *) image->data; +@@ -1428,7 +1436,7 @@ PutImagePixels16(image, width, height, p + + Pixel pixel; + +- int bpl = image->bytes_per_line; ++ unsigned int bpl = image->bytes_per_line; + unsigned char *data_ptr, *max_data; + + data = (unsigned char *) image->data; +@@ -1481,11 +1489,11 @@ PutImagePixels8(image, width, height, pi + { + char *data; + unsigned int *iptr; +- int y; ++ unsigned int y; + + #ifdef WITHOUT_SPEEDUPS + +- int x; ++ unsigned int x; + + 
data = image->data; + iptr = pixelindex; +@@ -1495,7 +1503,7 @@ PutImagePixels8(image, width, height, pi + + #else /* WITHOUT_SPEEDUPS */ + +- int bpl = image->bytes_per_line; ++ unsigned int bpl = image->bytes_per_line; + char *data_ptr, *max_data; + + data = image->data; +@@ -1530,12 +1538,12 @@ PutImagePixels1(image, width, height, pi + PutImagePixels(image, width, height, pixelindex, pixels); + else { + unsigned int *iptr; +- int y; ++ unsigned int y; + char *data; + + #ifdef WITHOUT_SPEEDUPS + +- int x; ++ unsigned int x; + + data = image->data; + iptr = pixelindex; +@@ -1755,10 +1763,12 @@ PutPixel1(ximage, x, y, pixel) + register char *src; + register char *dst; + register int i; +- register char *data; + Pixel px; + int nbytes; + ++ if(x < 0 || y < 0) ++ return 0; ++ + for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8) + ((unsigned char *)&pixel)[i] = px; + src = &ximage->data[XYINDEX(x, y, ximage)]; +@@ -1788,9 +1798,11 @@ PutPixel(ximage, x, y, pixel) + register char *src; + register char *dst; + register int i; +- register char *data; + Pixel px; +- int nbytes, ibpp; ++ unsigned int nbytes, ibpp; ++ ++ if(x < 0 || y < 0) ++ return 0; + + ibpp = ximage->bits_per_pixel; + if (ximage->depth == 4) +@@ -1823,6 +1835,9 @@ PutPixel32(ximage, x, y, pixel) + { + unsigned char *addr; + ++ if(x < 0 || y < 0) ++ return 0; ++ + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; + *((unsigned long *)addr) = pixel; + return 1; +@@ -1837,6 +1852,9 @@ PutPixel32MSB(ximage, x, y, pixel) + { + unsigned char *addr; + ++ if(x < 0 || y < 0) ++ return 0; ++ + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; + addr[0] = pixel >> 24; + addr[1] = pixel >> 16; +@@ -1854,6 +1872,9 @@ PutPixel32LSB(ximage, x, y, pixel) + { + unsigned char *addr; + ++ if(x < 0 || y < 0) ++ return 0; ++ + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; + addr[3] = pixel >> 24; + addr[2] = pixel >> 16; +@@ -1871,6 +1892,9 @@ PutPixel16MSB(ximage, 
x, y, pixel) + { + unsigned char *addr; + ++ if(x < 0 || y < 0) ++ return 0; ++ + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; + addr[0] = pixel >> 8; + addr[1] = pixel; +@@ -1886,6 +1910,9 @@ PutPixel16LSB(ximage, x, y, pixel) + { + unsigned char *addr; + ++ if(x < 0 || y < 0) ++ return 0; ++ + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; + addr[1] = pixel >> 8; + addr[0] = pixel; +@@ -1899,6 +1926,9 @@ PutPixel8(ximage, x, y, pixel) + int y; + unsigned long pixel; + { ++ if(x < 0 || y < 0) ++ return 0; ++ + ximage->data[ZINDEX8(x, y, ximage)] = pixel; + return 1; + } +@@ -1910,6 +1940,9 @@ PutPixel1MSB(ximage, x, y, pixel) + int y; + unsigned long pixel; + { ++ if(x < 0 || y < 0) ++ return 0; ++ + if (pixel & 1) + ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); + else +@@ -1924,6 +1957,9 @@ PutPixel1LSB(ximage, x, y, pixel) + int y; + unsigned long pixel; + { ++ if(x < 0 || y < 0) ++ return 0; ++ + if (pixel & 1) + ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); + else +@@ -1953,7 +1989,6 @@ xpmParseDataAndCreate(display, data, ima + unsigned int depth; + int bitmap_format; + XpmFreeColorsFunc freeColors; +- void *closure; + + /* variables to return */ + XImage *ximage = NULL; +@@ -2011,10 +2046,6 @@ xpmParseDataAndCreate(display, data, ima + freeColors = attributes->free_colors; + else + freeColors = FreeColors; +- if (attributes && (attributes->valuemask & XpmColorClosure)) +- closure = attributes->color_closure; +- else +- closure = NULL; + + cmts = info && (info->valuemask & XpmReturnComments); + +@@ -2063,6 +2094,9 @@ xpmParseDataAndCreate(display, data, ima xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ -+ if (ncolors >= SIZE_MAX / sizeof(Pixel)) -+ return XpmNoMemory; ++ if (ncolors >= UINT_MAX / sizeof(Pixel)) ++ RETURN(XpmNoMemory); + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); -@@ -2317,7 +2325,8 @@ ParseAndPutPixels( - } - obm 
= SelectObject(*dc, image->bitmap); - #endif -- -+ if (ncolors > 256) -+ return (XpmFileInvalid); - - bzero((char *)colidx, 256 * sizeof(short)); - for (a = 0; a < ncolors; a++) -@@ -2422,6 +2431,9 @@ if (cidx[f]) XpmFree(cidx[f]);} - { - char *s; - char buf[BUFSIZ]; -+ -+ if (cpp >= sizeof(buf)) -+ return (XpmFileInvalid); - - buf[cpp] = '\0'; - if (USE_HASHTABLE) { +@@ -2173,7 +2207,7 @@ xpmParseDataAndCreate(display, data, ima + * free the hastable + */ + if (ErrorStatus != XpmSuccess) +- RETURN(ErrorStatus) ++ RETURN(ErrorStatus); + else if (USE_HASHTABLE) + xpmHashTableFree(&hashtable); + +@@ -2364,11 +2398,11 @@ if (cidx[f]) XpmFree(cidx[f]);} + + /* array of pointers malloced by need */ + unsigned short *cidx[256]; +- int char1; ++ unsigned int char1; + + bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ + for (a = 0; a < ncolors; a++) { +- char1 = colorTable[a].string[0]; ++ char1 = (unsigned char) colorTable[a].string[0]; + if (cidx[char1] == NULL) { /* get new memory */ + cidx[char1] = (unsigned short *) + XpmCalloc(256, sizeof(unsigned short)); diff --git a/graphics/xpm/patches/patch-ah b/graphics/xpm/patches/patch-ah index 423d815392f..759b95d47c0 100644 --- a/graphics/xpm/patches/patch-ah +++ b/graphics/xpm/patches/patch-ah 
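Review bot: In the create.c patch, the two new failure returns in `CreateXImage` clean up differently: the overflow branch calls `XDestroyImage(*image_return)` but leaves the pointer set, and the `bytes_per_line == 0 || height == 0` branch returns without destroying the image. If callers destroy a non-NULL image on their error path (not visible here) the first becomes a double free, and if they do not the second leaks the image; both branches should do `XDestroyImage(*image_return); *image_return = NULL; return XpmNoMemory;`. Making `nb` unsigned in `_XReverse_Bytes` also means `while (--nb > 0)` wraps when `nb` is 0 instead of stopping after one byte, so a `nb == 0` guard is needed ahead of the loop. The revised patch no longer carries the `ncolors > 256` and `cpp >= sizeof(buf)` checks that revision 1.1 added in `ParseAndPutPixels`; unless those bounds are now enforced somewhere outside the shown lines, `buf[cpp] = '\0'` is unguarded again.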
@@ -1,13 +1,43 @@ -$NetBSD: patch-ah,v 1.1 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-ah,v 1.2 2005/06/14 18:10:37 jlam Exp $ ---- lib/data.c.orig Thu Mar 19 13:51:00 1998 +--- lib/data.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/data.c -@@ -374,7 +374,7 @@ xpmGetCmt(data, cmt) +@@ -32,6 +32,8 @@ + * Developed by Arnaud Le Hors * + \*****************************************************************************/ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #ifndef CXPMPROG + /* Official version number */ + static char *RCS_Version = "$XpmVersion: 3.4k $"; +@@ -261,7 +263,7 @@ xpmNextWord(data, buf, buflen) + } + Ungetc(data, c, file); + } +- return (n); ++ return (n); /* this returns bytes read + 1 */ + } + + /* +@@ -374,8 +376,9 @@ xpmGetCmt(data, cmt) { if (!data->type) *cmt = NULL; - else if (data->CommentLength) { -+ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) { - *cmt = (char *) XpmMalloc(data->CommentLength + 1); +- *cmt = (char *) XpmMalloc(data->CommentLength + 1); ++ else if (data->CommentLength != 0 && data->CommentLength < UINT_MAX - 1) { ++ if( (*cmt = (char *) XpmMalloc(data->CommentLength + 1)) == NULL) ++ return XpmNoMemory; strncpy(*cmt, data->Comment, data->CommentLength); (*cmt)[data->CommentLength] = '\0'; + data->CommentLength = 0; +@@ -403,7 +406,7 @@ int + xpmParseHeader(data) + xpmData *data; + { +- char buf[BUFSIZ]; ++ char buf[BUFSIZ+1] = {0}; + int l, n = 0; + + if (data->type) { diff --git a/graphics/xpm/patches/patch-ai b/graphics/xpm/patches/patch-ai index 7f9bb7a60bb..892547010ce 100644 --- a/graphics/xpm/patches/patch-ai +++ b/graphics/xpm/patches/patch-ai 
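Review bot: In `xpmGetCmt` the bound `data->CommentLength < UINT_MAX - 1` only protects the `CommentLength + 1` allocation size; it does not limit the `strncpy` that follows to the size of `data->Comment`. If `Comment` is a fixed array of `XPMMAXCMTLEN` bytes (its declaration is outside this hunk), the stricter test `data->CommentLength < XPMMAXCMTLEN` would cover both the allocation and the copy. The function now also returns `XpmNoMemory` when the allocation fails, so callers that ignore its result should be checked; none are shown here.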
@@ -1,8 +1,8 @@ -$NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-ai,v 1.2 2005/06/14 18:10:37 jlam Exp $ ---- lib/hashtab.c.orig Thu Mar 19 13:51:00 1998 +--- lib/hashtab.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/hashtab.c -@@ -135,7 +135,7 @@ HashTableGrows(table) +@@ -135,15 +135,17 @@ HashTableGrows(table) xpmHashTable *table; { xpmHashAtom *atomTable = table->atomTable; @@ -10,12 +10,14 @@ $NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $ + unsigned int size = table->size; xpmHashAtom *t, *p; int i; - int oldSize = size; -@@ -144,6 +144,8 @@ HashTableGrows(table) +- int oldSize = size; ++ unsigned int oldSize = size; + + t = atomTable; HASH_TABLE_GROWS table->size = size; table->limit = size / 3; -+ if (size >= SIZE_MAX / sizeof(*atomTable)) ++ if (size >= UINT_MAX / sizeof(*atomTable)) + return (XpmNoMemory); atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); if (!atomTable) @@ -24,7 +26,7 @@ $NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $ table->size = INITIAL_HASH_SIZE; table->limit = table->size / 3; table->used = 0; -+ if (table->size >= SIZE_MAX / sizeof(*atomTable)) ++ if (table->size >= UINT_MAX / sizeof(*atomTable)) + return (XpmNoMemory); atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); if (!atomTable) diff --git a/graphics/xpm/patches/patch-aj b/graphics/xpm/patches/patch-aj index 040a7ebe2bd..f59f686a198 100644 --- a/graphics/xpm/patches/patch-aj +++ b/graphics/xpm/patches/patch-aj 
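Review bot: In `HashTableGrows` the new overflow check runs after `table->size` and `table->limit` have already been set to the grown values, so the `XpmNoMemory` return leaves the table describing a larger array than the one it still holds. A later lookup that reduces a hash by `table->size` would then index past the old `atomTable`, assuming the caller keeps using the table after the error (not visible here). Do the size check and the allocation first and commit the new size only on success, i.e. move `table->size = size; table->limit = size / 3;` below the `if (!atomTable)` test. The pre-existing allocation-failure path has the same ordering, and the function body continues outside the hunk.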
@@ -1,33 +1,38 @@ -$NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ +$NetBSD: patch-aj,v 1.2 2005/06/14 18:10:37 jlam Exp $ ---- lib/parse.c.orig Thu Mar 19 13:51:00 1998 +--- lib/parse.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/parse.c -@@ -41,6 +41,24 @@ +@@ -38,8 +38,29 @@ + * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94 + */ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ #include "XpmI.h" #include <ctype.h> - ++#include <string.h> ++ +#ifdef HAS_STRLCAT -+# define STRLCAT(dst, src, dstsize) { \ -+ if (strlcat(dst, src, dstsize) >= (dstsize)) \ -+ return (XpmFileInvalid); } -+# define STRLCPY(dst, src, dstsize) { \ -+ if (strlcpy(dst, src, dstsize) >= (dstsize)) \ -+ return (XpmFileInvalid); } ++# define STRLCAT(dst, src, dstsize) do { \ ++ if (strlcat(dst, src, dstsize) >= (dstsize)) \ ++ return (XpmFileInvalid); } while(0) ++# define STRLCPY(dst, src, dstsize) do { \ ++ if (strlcpy(dst, src, dstsize) >= (dstsize)) \ ++ return (XpmFileInvalid); } while(0) +#else -+# define STRLCAT(dst, src, dstsize) { \ ++# define STRLCAT(dst, src, dstsize) do { \ + if ((strlen(dst) + strlen(src)) < (dstsize)) \ -+ strcat(dst, src); \ -+ else return (XpmFileInvalid); } -+# define STRLCPY(dst, src, dstsize) { \ ++ strcat(dst, src); \ ++ else return (XpmFileInvalid); } while(0) ++# define STRLCPY(dst, src, dstsize) do { \ + if (strlen(src) < (dstsize)) \ -+ strcpy(dst, src); \ -+ else return (XpmFileInvalid); } ++ strcpy(dst, src); \ ++ else return (XpmFileInvalid); } while(0) +#endif -+ + LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, unsigned int height, unsigned int ncolors, - unsigned int cpp, XpmColor *colorTable, -@@ -63,7 +81,7 @@ xpmParseValues(data, width, height, ncol +@@ -63,7 +84,7 @@ xpmParseValues(data, width, height, ncol unsigned int *extensions; { unsigned int l; 
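Review bot: STRLCAT and STRLCPY hide a `return (XpmFileInvalid)` inside the macro, and the later xpmParseColors hunks invoke them after `colorTable` has been allocated, so an over-long color line returns without the `xpmFreeColorTable(colorTable, ncolors)` call that the neighbouring error paths make. That is a leak on exactly the malformed-input path this patch is hardening. Letting the helpers yield a status instead of returning allows each call site to clean up, e.g. `if (xpm_strlcat(curbuf, buf, sizeof(curbuf))) { xpmFreeColorTable(colorTable, ncolors); return (XpmFileInvalid); }`, where `xpm_strlcat` is a placeholder name for such a helper. A short comment on the macros stating that they return from the enclosing function would help in any case, since the call sites read like plain statements.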
@@ -36,12 +41,12 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ if (!data->format) { /* XPM 2 or 3 */ -@@ -172,10 +190,10 @@ xpmParseColors(data, ncolors, cpp, color +@@ -172,10 +193,10 @@ xpmParseColors(data, ncolors, cpp, color XpmColor **colorTablePtr; xpmHashTable *hashtable; { - unsigned int key, l, a, b; -+ unsigned int key, l, a, b, len; ++ unsigned int key = 0, l, a, b, len; unsigned int curkey; /* current color key */ unsigned int lastwaskey; /* key read */ - char buf[BUFSIZ]; @@ -49,27 +54,27 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ char curbuf[BUFSIZ]; /* current buffer */ char **sptr, *s; XpmColor *color; -@@ -183,6 +201,8 @@ xpmParseColors(data, ncolors, cpp, color +@@ -183,6 +204,8 @@ xpmParseColors(data, ncolors, cpp, color char **defaults; int ErrorStatus; -+ if (ncolors >= SIZE_MAX / sizeof(XpmColor)) ++ if (ncolors >= UINT_MAX / sizeof(XpmColor)) + return (XpmNoMemory); colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); if (!colorTable) return (XpmNoMemory); -@@ -194,6 +214,10 @@ xpmParseColors(data, ncolors, cpp, color +@@ -194,6 +217,10 @@ xpmParseColors(data, ncolors, cpp, color /* * read pixel value */ -+ if (cpp >= SIZE_MAX - 1) { ++ if (cpp >= UINT_MAX - 1) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } color->string = (char *) XpmMalloc(cpp + 1); if (!color->string) { xpmFreeColorTable(colorTable, ncolors); -@@ -231,13 +255,14 @@ xpmParseColors(data, ncolors, cpp, color +@@ -231,13 +258,14 @@ xpmParseColors(data, ncolors, cpp, color } if (!lastwaskey && key < NKEYS) { /* open new key */ if (curkey) { /* flush string */ @@ -86,7 +91,7 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ } curkey = key + 1; /* set new key */ *curbuf = '\0'; /* reset curbuf */ -@@ -248,9 +273,9 @@ xpmParseColors(data, ncolors, cpp, color +@@ -248,9 +276,9 @@ xpmParseColors(data, ncolors, cpp, color return (XpmFileInvalid); } if (!lastwaskey) 
@@ -98,7 +103,7 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ lastwaskey = 0; } } -@@ -258,12 +283,13 @@ xpmParseColors(data, ncolors, cpp, color +@@ -258,12 +286,13 @@ xpmParseColors(data, ncolors, cpp, color xpmFreeColorTable(colorTable, ncolors); return (XpmFileInvalid); } @@ -114,18 +119,18 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ } } else { /* XPM 1 */ /* get to the beginning of the first string */ -@@ -276,6 +302,10 @@ xpmParseColors(data, ncolors, cpp, color +@@ -276,6 +305,10 @@ xpmParseColors(data, ncolors, cpp, color /* * read pixel value */ -+ if (cpp >= SIZE_MAX - 1) { ++ if (cpp >= UINT_MAX - 1) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } color->string = (char *) XpmMalloc(cpp + 1); if (!color->string) { xpmFreeColorTable(colorTable, ncolors); -@@ -304,16 +334,17 @@ xpmParseColors(data, ncolors, cpp, color +@@ -304,19 +337,20 @@ xpmParseColors(data, ncolors, cpp, color *curbuf = '\0'; /* init curbuf */ while (l = xpmNextWord(data, buf, BUFSIZ)) { if (*curbuf != '\0') @@ -133,7 +138,7 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ + STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */ buf[l] = '\0'; - strcat(curbuf, buf); /* append buf */ -+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ ++ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ } - s = (char *) XpmMalloc(strlen(curbuf) + 1); + len = strlen(curbuf) + 1; 
@@ -146,34 +151,119 @@ $NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $ + memcpy(s, curbuf, len); color->c_color = s; *curbuf = '\0'; /* reset curbuf */ - if (a < ncolors - 1) -@@ -338,6 +369,9 @@ ParsePixels(data, width, height, ncolors - unsigned int *iptr, *iptr2; +- if (a < ncolors - 1) ++ if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */ + xpmNextString(data); /* get to the next string */ + } + } +@@ -335,9 +369,12 @@ ParsePixels(data, width, height, ncolors + xpmHashTable *hashtable; + unsigned int **pixels; + { +- unsigned int *iptr, *iptr2; ++ unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ unsigned int a, x, y; -+ if ((height > 0 && width >= SIZE_MAX / height) || -+ width * height >= SIZE_MAX / sizeof(unsigned int)) ++ if ((height > 0 && width >= UINT_MAX / height) || ++ width * height >= UINT_MAX / sizeof(unsigned int)) + return XpmNoMemory; #ifndef FOR_MSW iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); #else -@@ -361,6 +395,9 @@ ParsePixels(data, width, height, ncolors +@@ -361,6 +398,11 @@ ParsePixels(data, width, height, ncolors { unsigned short colidx[256]; -+ if (ncolors > 256) ++ if (ncolors > 256) { ++ XpmFree(iptr2); /* found by Egbert Eich */ + return (XpmFileInvalid); ++ } + bzero((char *)colidx, 256 * sizeof(short)); for (a = 0; a < ncolors; a++) colidx[(unsigned char)colorTable[a].string[0]] = a + 1; -@@ -438,6 +475,9 @@ if (cidx[f]) XpmFree(cidx[f]);} +@@ -386,16 +428,20 @@ ParsePixels(data, width, height, ncolors { + + /* free all allocated pointers at all exits */ +-#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \ +-if (cidx[f]) XpmFree(cidx[f]);} ++#define FREE_CIDX \ ++do \ ++{ \ ++ int f; for (f = 0; f < 256; f++) \ ++ if (cidx[f]) XpmFree(cidx[f]); \ ++} while(0) + + /* array of pointers malloced by need */ + unsigned short *cidx[256]; +- int char1; ++ unsigned int char1; + + bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ + for (a = 0; a < 
ncolors; a++) { +- char1 = colorTable[a].string[0]; ++ char1 = (unsigned char) colorTable[a].string[0]; + if (cidx[char1] == NULL) { /* get new memory */ + cidx[char1] = (unsigned short *) + XpmCalloc(256, sizeof(unsigned short)); +@@ -439,6 +485,11 @@ if (cidx[f]) XpmFree(cidx[f]);} char *s; char buf[BUFSIZ]; -+ -+ if (cpp >= sizeof(buf)) -+ return (XpmFileInvalid); ++ if (cpp >= sizeof(buf)) { ++ XpmFree(iptr2); /* found by Egbert Eich */ ++ return (XpmFileInvalid); ++ } ++ buf[cpp] = '\0'; if (USE_HASHTABLE) { + xpmHashAtom *slot; +@@ -447,7 +498,7 @@ if (cidx[f]) XpmFree(cidx[f]);} + xpmNextString(data); + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) +- *s = xpmGetC(data); ++ *s = xpmGetC(data); /* int assigned to char, not a problem here */ + slot = xpmHashSlot(hashtable, buf); + if (!*slot) { /* no color matches */ + XpmFree(iptr2); +@@ -461,7 +512,7 @@ if (cidx[f]) XpmFree(cidx[f]);} + xpmNextString(data); + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) +- *s = xpmGetC(data); ++ *s = xpmGetC(data); /* int assigned to char, not a problem here */ + for (a = 0; a < ncolors; a++) + if (!strcmp(colorTable[a].string, buf)) + break; +@@ -516,7 +567,7 @@ xpmParseExtensions(data, extensions, nex + while (!notstart && notend) { + /* there starts an extension */ + ext = (XpmExtension *) +- XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); ++ XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */ + if (!ext) { + XpmFree(string); + XpmFreeExtensions(exts, num); +@@ -553,7 +604,7 @@ xpmParseExtensions(data, extensions, nex + while ((notstart = strncmp("XPMEXT", string, 6)) + && (notend = strncmp("XPMENDEXT", string, 9))) { + sp = (char **) +- XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); ++ XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? 
*/ + if (!sp) { + XpmFree(string); + ext->nlines = nlines; +@@ -593,9 +644,9 @@ xpmParseExtensions(data, extensions, nex + /* function call in case of error */ + #undef RETURN + #define RETURN(status) \ +-{ \ ++do { \ + goto error; \ +-} ++} while(0) + + /* + * This function parses an Xpm file or data and store the found informations diff --git a/graphics/xpm/patches/patch-ak b/graphics/xpm/patches/patch-ak index 2485265546a..4647685e318 100644 --- a/graphics/xpm/patches/patch-ak +++ b/graphics/xpm/patches/patch-ak 
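Review bot: The two XpmRealloc calls in xpmParseExtensions gain comments asking whether `(num + 1) * sizeof(XpmExtension)` and `(nlines + 1) * sizeof(char *)` can wrap, but no check is added, unlike the UINT_MAX guards this commit puts in front of the other size computations. Both counters appear to grow with the number of extension lines in the input, so the question is better settled in code than left in a comment: for example `if (num >= UINT_MAX / sizeof(XpmExtension) - 1)` taking the same cleanup and return as the `!ext` branch, and the equivalent test on `nlines` before the second realloc. `num` and `nlines` are declared outside the hunk, so the limit constant should follow their actual type.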
@@ -1,54 +1,86 @@ -$NetBSD: patch-ak,v 1.2 2005/03/10 15:23:10 wiz Exp $ +$NetBSD: patch-ak,v 1.3 2005/06/14 18:10:37 jlam Exp $ ---- lib/scan.c.orig 1998-03-19 20:51:00.000000000 +0100 +--- lib/scan.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/scan.c -@@ -103,7 +103,8 @@ LFUNC(MSWGetImagePixels, int, (Display * +@@ -42,6 +42,8 @@ + * Lorens Younes (d93-hyo@nada.kth.se) 4/96 + */ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #include "XpmI.h" + + #define MAXPRINTABLE 92 /* number of printable ascii chars +@@ -103,7 +105,8 @@ LFUNC(MSWGetImagePixels, int, (Display * LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, XpmAttributes *attributes)); -LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, -+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, -+ unsigned int ncolors, ++LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, ++ unsigned int ncolors, Pixel *pixels, unsigned int mask, unsigned int cpp, XpmAttributes *attributes)); -@@ -228,11 +229,17 @@ XpmCreateXpmImageFromImage(display, imag +@@ -167,10 +170,10 @@ storeMaskPixel(pixel, pmap, index_return + /* function call in case of error */ + #undef RETURN + #define RETURN(status) \ +-{ \ ++do { \ + ErrorStatus = status; \ + goto error; \ +-} ++} while(0) + + /* + * This function scans the given image and stores the found informations in +@@ -191,7 +194,7 @@ XpmCreateXpmImageFromImage(display, imag + /* variables to return */ + PixelsMap pmap; + XpmColor *colorTable = NULL; +- int ErrorStatus; ++ int ErrorStatus = 0; + + /* calculation variables */ + unsigned int width = 0; +@@ -228,11 +231,17 @@ XpmCreateXpmImageFromImage(display, imag else cpp = 0; -+ if ((height > 0 && width >= SIZE_MAX / height) || -+ width * height >= SIZE_MAX / sizeof(unsigned int)) ++ if ((height > 0 && width >= UINT_MAX / height) || ++ width * height >= UINT_MAX / sizeof(unsigned int)) + RETURN(XpmNoMemory); pmap.pixelindex = 
(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); if (!pmap.pixelindex) RETURN(XpmNoMemory); -+ if (pmap.size >= SIZE_MAX / sizeof(Pixel)) ++ if (pmap.size >= UINT_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); + pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); if (!pmap.pixels) RETURN(XpmNoMemory); -@@ -298,6 +305,8 @@ XpmCreateXpmImageFromImage(display, imag +@@ -297,7 +306,8 @@ XpmCreateXpmImageFromImage(display, imag + * get rgb values and a string of char, and possibly a name for each * color */ - -+ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) +- ++ if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor)) + RETURN(XpmNoMemory); colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); if (!colorTable) RETURN(XpmNoMemory); -@@ -356,6 +365,8 @@ ScanTransparentColor(color, cpp, attribu +@@ -356,6 +366,8 @@ ScanTransparentColor(color, cpp, attribu /* first get a character string */ a = 0; -+ if (cpp >= SIZE_MAX - 1) ++ if (cpp >= UINT_MAX - 1) + return (XpmNoMemory); if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) return (XpmNoMemory); *s++ = printable[c = a % MAXPRINTABLE]; -@@ -403,7 +414,7 @@ static int +@@ -403,7 +415,7 @@ static int ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) Display *display; XpmColor *colors; 
@@ -57,22 +89,120 @@ $NetBSD: patch-ak,v 1.2 2005/03/10 15:23:10 wiz Exp $ Pixel *pixels; unsigned int mask; unsigned int cpp; -@@ -447,6 +458,8 @@ ScanOtherColors(display, colors, ncolors +@@ -423,10 +435,10 @@ ScanOtherColors(display, colors, ncolors + XpmColor *color; + XColor *xcolors = NULL, *xcolor; + char *colorname, *s; +- XpmColor *colorTable, **oldColorTable = NULL; ++ XpmColor *colorTable = NULL, **oldColorTable = NULL; + unsigned int ancolors = 0; +- Pixel *apixels; +- unsigned int mask_pixel; ++ Pixel *apixels = NULL; ++ unsigned int mask_pixel = 0; + Bool found; + + /* retrieve information from the XpmAttributes */ +@@ -447,6 +459,8 @@ ScanOtherColors(display, colors, ncolors } /* first get character strings and rgb values */ -+ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) ++ if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1) + return (XpmNoMemory); xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); if (!xcolors) return (XpmNoMemory); -@@ -615,6 +628,9 @@ GetImagePixels(image, width, height, pma +@@ -603,8 +617,8 @@ GetImagePixels(image, width, height, pma + char *dst; + unsigned int *iptr; + char *data; +- int x, y, i; +- int bits, depth, ibu, ibpp, offset; ++ unsigned int x, y; ++ int bits, depth, ibu, ibpp, offset, i; + unsigned long lbt; + Pixel pixel, px; + +@@ -615,6 +629,9 @@ GetImagePixels(image, width, height, pma ibpp = image->bits_per_pixel; offset = image->xoffset; + if (image->bitmap_unit < 0) -+ return (XpmNoMemory); ++ return (XpmNoMemory); + if ((image->bits_per_pixel | image->depth) == 1) { ibu = image->bitmap_unit; for (y = 0; y < height; y++) +@@ -705,7 +722,7 @@ GetImagePixels32(image, width, height, p + unsigned char *addr; + unsigned char *data; + unsigned int *iptr; +- int x, y; ++ unsigned int x, y; + unsigned long lbt; + Pixel pixel; + int depth; +@@ -770,7 +787,7 @@ GetImagePixels16(image, width, height, p + unsigned char *addr; + unsigned char *data; + unsigned int *iptr; +- int x, y; 
++ unsigned int x, y; + unsigned long lbt; + Pixel pixel; + int depth; +@@ -815,7 +832,7 @@ GetImagePixels8(image, width, height, pm + { + unsigned int *iptr; + unsigned char *data; +- int x, y; ++ unsigned int x, y; + unsigned long lbt; + Pixel pixel; + int depth; +@@ -848,7 +865,7 @@ GetImagePixels1(image, width, height, pm + int (*storeFunc) (); + { + unsigned int *iptr; +- int x, y; ++ unsigned int x, y; + char *data; + Pixel pixel; + int xoff, yoff, offset, bpl; +@@ -884,11 +901,11 @@ GetImagePixels1(image, width, height, pm + # else /* AMIGA */ + + #define CLEAN_UP(status) \ +-{\ ++do {\ + if (pixels) XpmFree (pixels);\ + if (tmp_img) FreeXImage (tmp_img);\ + return (status);\ +-} ++} while(0) + + static int + AGetImagePixels ( +@@ -909,7 +926,7 @@ AGetImagePixels ( + + tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth); + if (tmp_img == NULL) +- CLEAN_UP (XpmNoMemory) ++ CLEAN_UP (XpmNoMemory); + + iptr = pmap->pixelindex; + for (y = 0; y < height; ++y) +@@ -918,11 +935,11 @@ AGetImagePixels ( + for (x = 0; x < width; ++x, ++iptr) + { + if ((*storeFunc) (pixels[x], pmap, iptr)) +- CLEAN_UP (XpmNoMemory) ++ CLEAN_UP (XpmNoMemory); + } + } + +- CLEAN_UP (XpmSuccess) ++ CLEAN_UP (XpmSuccess); + } + + #undef CLEAN_UP diff --git a/graphics/xpm/patches/patch-al b/graphics/xpm/patches/patch-al new file mode 100644 index 00000000000..fc52ed0cd6f --- /dev/null +++ b/graphics/xpm/patches/patch-al 
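Review bot: The new `if (image->bitmap_unit < 0) return (XpmNoMemory);` in GetImagePixels rejects only negative values and reports them as an allocation failure, which will mislead whoever reads the status. Xlib images normally carry a bitmap_unit of 8, 16 or 32, so if the code below relies on that (it lies outside the hunk), an explicit test such as `if (ibu_in != 8 && ibu_in != 16 && ibu_in != 32)` on `image->bitmap_unit`, with `ibu_in` standing for that field, states the accepted range directly. A one-line comment saying which later computation the check protects would also make the intent reviewable.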
@@ -0,0 +1,308 @@ +$NetBSD: patch-al,v 1.1 2005/06/14 18:10:37 jlam Exp $ + +--- lib/CrBufFrI.c.orig 1998-03-19 14:50:59.000000000 -0500 ++++ lib/CrBufFrI.c +@@ -32,21 +32,27 @@ + * Developed by Arnaud Le Hors * + \*****************************************************************************/ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ ++/* $XFree86$ */ ++ + #include "XpmI.h" + + LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size, + unsigned int *used_size, XpmColor *colors, + unsigned int ncolors, unsigned int cpp)); + +-LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size, ++LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size, ++ unsigned int *used_size, + unsigned int width, unsigned int height, + unsigned int cpp, unsigned int *pixels, + XpmColor *colors)); + +-LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size, ++LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size, ++ unsigned int *used_size, + XpmExtension *ext, unsigned int num)); + +-LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num)); ++LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num)); + LFUNC(CommentsSize, int, (XpmInfo *info)); + + int +@@ -89,10 +95,11 @@ XpmCreateBufferFromImage(display, buffer + + #undef RETURN + #define RETURN(status) \ ++do \ + { \ + ErrorStatus = status; \ + goto error; \ +-} ++}while(0) + + int + XpmCreateBufferFromXpmImage(buffer_return, image, info) +@@ -106,7 +113,7 @@ XpmCreateBufferFromXpmImage(buffer_retur + unsigned int cmts, extensions, ext_size = 0; + unsigned int l, cmt_size = 0; + char *ptr = NULL, *p; +- unsigned int ptr_size, used_size; ++ unsigned int ptr_size, used_size, tmp; + + *buffer_return = NULL; + +@@ -128,7 +135,13 @@ XpmCreateBufferFromXpmImage(buffer_retur + #ifdef VOID_SPRINTF + used_size = strlen(buf); + #endif +- ptr_size = used_size + ext_size + cmt_size + 1; ++ ptr_size = used_size + ext_size + cmt_size + 
1; /* ptr_size can't be 0 */ ++ if(ptr_size <= used_size || ++ ptr_size <= ext_size || ++ ptr_size <= cmt_size) ++ { ++ return XpmNoMemory; ++ } + ptr = (char *) XpmMalloc(ptr_size); + if (!ptr) + return XpmNoMemory; +@@ -139,7 +152,7 @@ XpmCreateBufferFromXpmImage(buffer_retur + #ifndef VOID_SPRINTF + used_size += + #endif +- sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt); ++ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt); + #ifdef VOID_SPRINTF + used_size += strlen(info->hints_cmt) + 5; + #endif +@@ -157,7 +170,7 @@ XpmCreateBufferFromXpmImage(buffer_retur + #ifndef VOID_SPRINTF + l += + #endif +- sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot); ++ snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot); + #ifdef VOID_SPRINTF + l = strlen(buf); + #endif +@@ -179,6 +192,8 @@ XpmCreateBufferFromXpmImage(buffer_retur + l = strlen(buf); + #endif + ptr_size += l; ++ if(ptr_size <= l) ++ RETURN(XpmNoMemory); + p = (char *) XpmRealloc(ptr, ptr_size); + if (!p) + RETURN(XpmNoMemory); +@@ -191,7 +206,7 @@ XpmCreateBufferFromXpmImage(buffer_retur + #ifndef VOID_SPRINTF + used_size += + #endif +- sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt); ++ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt); + #ifdef VOID_SPRINTF + used_size += strlen(info->colors_cmt) + 5; + #endif +@@ -207,7 +222,12 @@ XpmCreateBufferFromXpmImage(buffer_retur + * 4 = 1 (for '"') + 3 (for '",\n') + * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n') + */ +- ptr_size += image->height * (image->width * image->cpp + 4) + 1; ++ if(image->width > UINT_MAX / image->cpp || ++ (tmp = image->width * image->cpp + 4) <= 4 || ++ image->height > UINT_MAX / tmp || ++ (tmp = image->height * tmp + 1) <= 1 || ++ (ptr_size += tmp) <= tmp) ++ RETURN(XpmNoMemory); + + p = (char *) XpmRealloc(ptr, ptr_size); + if (!p) +@@ -219,17 +239,17 @@ XpmCreateBufferFromXpmImage(buffer_retur + #ifndef 
VOID_SPRINTF + used_size += + #endif +- sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt); ++ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt); + #ifdef VOID_SPRINTF + used_size += strlen(info->pixels_cmt) + 5; + #endif + } +- WritePixels(ptr + used_size, &used_size, image->width, image->height, ++ WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height, + image->cpp, image->data, image->colorTable); + + /* print extensions */ + if (extensions) +- WriteExtensions(ptr + used_size, &used_size, ++ WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size, + info->extensions, info->nextensions); + + /* close the array */ +@@ -246,6 +266,7 @@ error: + return (ErrorStatus); + } + ++ + static int + WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp) + char **dataptr; +@@ -255,7 +276,7 @@ WriteColors(dataptr, data_size, used_siz + unsigned int ncolors; + unsigned int cpp; + { +- char buf[BUFSIZ]; ++ char buf[BUFSIZ] = {0}; + unsigned int a, key, l; + char *s, *s2; + char **defaults; +@@ -265,6 +286,8 @@ WriteColors(dataptr, data_size, used_siz + + defaults = (char **) colors; + s = buf + 1; ++ if(cpp > (sizeof(buf) - (s-buf))) ++ return(XpmNoMemory); + strncpy(s, *defaults++, cpp); + s += cpp; + +@@ -273,14 +296,24 @@ WriteColors(dataptr, data_size, used_siz + #ifndef VOID_SPRINTF + s += + #endif +- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); ++ /* assume C99 compliance */ ++ snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); + #ifdef VOID_SPRINTF + s += strlen(s); + #endif ++ /* now let's check if s points out-of-bounds */ ++ if((s-buf) > sizeof(buf)) ++ return(XpmNoMemory); + } + } ++ if(sizeof(buf) - (s-buf) < 4) ++ return(XpmNoMemory); + strcpy(s, "\",\n"); + l = s + 3 - buf; ++ if( *data_size >= UINT_MAX-l || ++ *data_size + l <= *used_size || ++ (*data_size + l - *used_size) <= sizeof(buf)) ++ return(XpmNoMemory); + s = (char *) XpmRealloc(*dataptr, 
*data_size + l); + if (!s) + return (XpmNoMemory); +@@ -293,8 +326,9 @@ WriteColors(dataptr, data_size, used_siz + } + + static void +-WritePixels(dataptr, used_size, width, height, cpp, pixels, colors) ++WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors) + char *dataptr; ++ unsigned int data_size; + unsigned int *used_size; + unsigned int width; + unsigned int height; +@@ -305,27 +339,36 @@ WritePixels(dataptr, used_size, width, h + char *s = dataptr; + unsigned int x, y, h; + ++ if(height <= 1) ++ return; ++ + h = height - 1; + for (y = 0; y < h; y++) { + *s++ = '"'; + for (x = 0; x < width; x++, pixels++) { +- strncpy(s, colors[*pixels].string, cpp); ++ if(cpp >= (data_size - (s-dataptr))) ++ return; ++ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */ + s += cpp; + } ++ if((data_size - (s-dataptr)) < 4) ++ return; + strcpy(s, "\",\n"); + s += 3; + } + /* duplicate some code to avoid a test in the loop */ + *s++ = '"'; + for (x = 0; x < width; x++, pixels++) { +- strncpy(s, colors[*pixels].string, cpp); ++ if(cpp >= (data_size - (s-dataptr))) ++ return; ++ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */ + s += cpp; + } + *s++ = '"'; + *used_size += s - dataptr; + } + +-static int ++static unsigned int + ExtensionsSize(ext, num) + XpmExtension *ext; + unsigned int num; +@@ -334,21 +377,26 @@ ExtensionsSize(ext, num) + char **line; + + size = 0; ++ if(num == 0) ++ return(0); /* ok? */ + for (x = 0; x < num; x++, ext++) { + /* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */ + size += strlen(ext->name) + 11; +- a = ext->nlines; ++ a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? 
*/ + for (y = 0, line = ext->lines; y < a; y++, line++) + /* 4 = 3 (for ',\n"') + 1 (for '"') */ + size += strlen(*line) + 4; + } + /* 13 is for ',\n"XPMENDEXT"' */ ++ if(size > UINT_MAX - 13) /* unlikely */ ++ return(0); + return size + 13; + } + + static void +-WriteExtensions(dataptr, used_size, ext, num) ++WriteExtensions(dataptr, data_size, used_size, ext, num) + char *dataptr; ++ unsigned int data_size; + unsigned int *used_size; + XpmExtension *ext; + unsigned int num; +@@ -361,7 +409,7 @@ WriteExtensions(dataptr, used_size, ext, + #ifndef VOID_SPRINTF + s += + #endif +- sprintf(s, ",\n\"XPMEXT %s\"", ext->name); ++ snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name); + #ifdef VOID_SPRINTF + s += strlen(ext->name) + 11; + #endif +@@ -370,13 +418,13 @@ WriteExtensions(dataptr, used_size, ext, + #ifndef VOID_SPRINTF + s += + #endif +- sprintf(s, ",\n\"%s\"", *line); ++ snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line); + #ifdef VOID_SPRINTF + s += strlen(*line) + 4; + #endif + } + } +- strcpy(s, ",\n\"XPMENDEXT\""); ++ strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1); + *used_size += s - dataptr + 13; + } + +@@ -387,6 +435,7 @@ CommentsSize(info) + int size = 0; + + /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */ ++ /* wrap possible but *very* unlikely */ + if (info->hints_cmt) + size += 5 + strlen(info->hints_cmt); + diff --git a/graphics/xpm/patches/patch-am b/graphics/xpm/patches/patch-am new file mode 100644 index 00000000000..9e30fe71f99 --- /dev/null +++ b/graphics/xpm/patches/patch-am 
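Review bot: In WritePixels the new `if(height <= 1) return;` also returns for a one-row image, which the code below handles correctly: with `h = height - 1` equal to 0 the loop is skipped and the duplicated block after it writes the single row. As written, a height of 1 produces no pixel data and leaves `*used_size` untouched while XpmCreateBufferFromXpmImage goes on to close the array. Only zero needs rejecting to keep `height - 1` from wrapping: `if (height == 0) return;`. The other new bounds checks in this void function also bail out silently, so returning a status the caller can pass to RETURN() would keep a truncated buffer from being handed back as valid. Separately, WriteExtensions adds snprintf's return value to `s` without comparing it with the remaining size, so a truncated write would move `s` past the buffer and make `data_size - (s-dataptr)` wrap.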
@@ -0,0 +1,32 @@ +$NetBSD: patch-am,v 1.1 2005/06/14 18:10:37 jlam Exp $ + +--- lib/RdFToBuf.c.orig 1998-03-19 14:51:00.000000000 -0500 ++++ lib/RdFToBuf.c +@@ -37,6 +37,8 @@ + * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94 + */ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #include "XpmI.h" + #include <sys/stat.h> + #if !defined(FOR_MSW) && !defined(WIN32) +@@ -58,7 +60,8 @@ XpmReadFileToBuffer(filename, buffer_ret + char *filename; + char **buffer_return; + { +- int fd, fcheck, len; ++ int fd, fcheck; ++ off_t len; + char *ptr; + struct stat stats; + FILE *fp; +@@ -82,7 +85,7 @@ XpmReadFileToBuffer(filename, buffer_ret + close(fd); + return XpmOpenFailed; + } +- len = (int) stats.st_size; ++ len = stats.st_size; + ptr = (char *) XpmMalloc(len + 1); + if (!ptr) { + fclose(fp); diff --git a/graphics/xpm/patches/patch-an b/graphics/xpm/patches/patch-an new file mode 100644 index 00000000000..8674035313d --- /dev/null +++ b/graphics/xpm/patches/patch-an 
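Review bot: `len` is now an `off_t` taken straight from `stats.st_size` and passed to `XpmMalloc(len + 1)` without a range check, so where off_t is wider than XpmMalloc's size parameter the allocation size is truncated while `len` keeps the full value. The read that follows is outside this hunk but presumably uses `len`. A guard before the allocation, e.g. `if (len < 0 || len >= UINT_MAX) { fclose(fp); return XpmNoMemory; }` mirroring the `!ptr` branch, closes that gap. The exact limit should match XpmMalloc's parameter type, which is not shown here.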
@@ -0,0 +1,88 @@ +$NetBSD: patch-an,v 1.1 2005/06/14 18:10:37 jlam Exp $ + +--- lib/RdFToI.c.orig 1998-03-19 14:51:00.000000000 -0500 ++++ lib/RdFToI.c +@@ -32,6 +32,8 @@ + * Developed by Arnaud Le Hors * + \*****************************************************************************/ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #include "XpmI.h" + #include <sys/stat.h> + #if !defined(NO_ZPIPE) && defined(WIN32) +@@ -122,6 +124,12 @@ XpmReadFileToXpmImage(filename, image, i + /* + * open the given file to be read as an xpmData which is returned. + */ ++#ifndef NO_ZPIPE ++ FILE *s_popen(char *cmd, const char *type); ++#else ++# define s_popen popen ++#endif ++ + static int + OpenReadFile(filename, mdata) + char *filename; +@@ -139,17 +147,21 @@ OpenReadFile(filename, mdata) + mdata->type = XPMFILE; + } else { + #ifndef NO_ZPIPE +- int len = strlen(filename); ++ size_t len = strlen(filename); ++ ++ if(len == 0 || ++ filename[len-1] == '/') ++ return(XpmOpenFailed); + if ((len > 2) && !strcmp(".Z", filename + (len - 2))) { + mdata->type = XPMPIPE; +- sprintf(buf, "uncompress -c \"%s\"", filename); +- if (!(mdata->stream.file = popen(buf, "r"))) ++ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename); ++ if (!(mdata->stream.file = s_popen(buf, "r"))) + return (XpmOpenFailed); + + } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) { + mdata->type = XPMPIPE; +- sprintf(buf, "gunzip -qc \"%s\"", filename); +- if (!(mdata->stream.file = popen(buf, "r"))) ++ snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename); ++ if (!(mdata->stream.file = s_popen(buf, "r"))) + return (XpmOpenFailed); + + } else { +@@ -157,19 +169,19 @@ OpenReadFile(filename, mdata) + if (!(compressfile = (char *) XpmMalloc(len + 4))) + return (XpmNoMemory); + +- sprintf(compressfile, "%s.Z", filename); ++ snprintf(compressfile, len+4, "%s.Z", filename); + if (!stat(compressfile, &status)) { +- sprintf(buf, "uncompress -c \"%s\"", compressfile); 
+- if (!(mdata->stream.file = popen(buf, "r"))) { ++ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile); ++ if (!(mdata->stream.file = s_popen(buf, "r"))) { + XpmFree(compressfile); + return (XpmOpenFailed); + } + mdata->type = XPMPIPE; + } else { +- sprintf(compressfile, "%s.gz", filename); ++ snprintf(compressfile, len+4, "%s.gz", filename); + if (!stat(compressfile, &status)) { +- sprintf(buf, "gunzip -c \"%s\"", compressfile); +- if (!(mdata->stream.file = popen(buf, "r"))) { ++ snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile); ++ if (!(mdata->stream.file = s_popen(buf, "r"))) { + XpmFree(compressfile); + return (XpmOpenFailed); + } +@@ -215,7 +227,7 @@ xpmDataClose(mdata) + break; + #ifndef NO_ZPIPE + case XPMPIPE: +- pclose(mdata->stream.file); ++ fclose(mdata->stream.file); + break; + #endif + } diff --git a/graphics/xpm/patches/patch-ao b/graphics/xpm/patches/patch-ao new file mode 100644 index 00000000000..a25cb30642a --- /dev/null +++ b/graphics/xpm/patches/patch-ao @@ -0,0 +1,22 @@ +$NetBSD: patch-ao,v 1.1 2005/06/14 18:10:37 jlam Exp $ + +--- lib/WrFFrBuf.c.orig 1998-03-19 14:51:00.000000000 -0500 ++++ lib/WrFFrBuf.c +@@ -32,6 +32,8 @@ + * Developed by Arnaud Le Hors * + \*****************************************************************************/ + ++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ ++ + #include "XpmI.h" + + int +@@ -49,7 +51,7 @@ XpmWriteFileFromBuffer(filename, buffer) + fcheck = fwrite(buffer, len, 1, fp); + fclose(fp); + if (fcheck != 1) +- return XpmOpenFailed; ++ return XpmOpenFailed; /* maybe use a better return value */ + + return XpmSuccess; + } diff --git a/graphics/xpm/patches/patch-ap b/graphics/xpm/patches/patch-ap new file mode 100644 index 00000000000..fbc27d9b439 --- /dev/null +++ b/graphics/xpm/patches/patch-ap 
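Review bot: In OpenReadFile the four `snprintf(buf, sizeof(buf), ...)` calls that build the uncompress/gunzip command ignore the return value, so an over-long name is silently truncated and the command then refers to a different path than the one that was tested. Comparing the result with the buffer size and failing, e.g. `if (snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename) >= (int) sizeof(buf)) return (XpmOpenFailed);` (plus `XpmFree(compressfile)` on the branches that hold it), avoids that. The file name is still pasted into a command string, so whether quotes or other metacharacters in it are harmless depends on how s_popen runs the command, and its definition is not in this hunk. xpmDataClose now calls `fclose` on the pipe stream instead of `pclose`; unless s_popen arranges for the child to be reaped, that leaves it unreaped, which is worth confirming and documenting next to the call.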
@@ -0,0 +1,103 @@
+$NetBSD: patch-ap,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/WrFFrI.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/WrFFrI.c
+@@ -37,6 +37,8 @@
+ * Lorens Younes (d93-hyo@nada.kth.se) 4/96
+ */
+
++/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
++
+ #include "XpmI.h"
+ #if !defined(NO_ZPIPE) && defined(WIN32)
+ # define popen _popen
+@@ -97,7 +99,7 @@ XpmWriteFileFromXpmImage(filename, image
+ XpmInfo *info;
+ {
+ xpmData mdata;
+- char *name, *dot, *s, new_name[BUFSIZ];
++ char *name, *dot, *s, new_name[BUFSIZ] = {0};
+ int ErrorStatus;
+
+ /* open file to write */
+@@ -119,8 +121,9 @@ XpmWriteFileFromXpmImage(filename, image
+ name++;
+ #endif
+ /* let's try to make a valid C syntax name */
+- if (dot = index(name, '.')) {
+- strcpy(new_name, name);
++ if (index(name, '.')) {
++ strncpy(new_name, name, sizeof(new_name));
++ new_name[sizeof(new_name)-1] = 0;
+ /* change '.' to '_' */
+ name = s = new_name;
+ while (dot = index(s, '.')) {
+@@ -130,7 +133,8 @@ XpmWriteFileFromXpmImage(filename, image
+ }
+ if (dot = index(name, '-')) {
+ if (name != new_name) {
+- strcpy(new_name, name);
++ strncpy(new_name, name, sizeof(new_name));
++ new_name[sizeof(new_name)-1] = 0;
+ name = new_name;
+ }
+ /* change '-' to '_' */
+@@ -247,6 +251,8 @@ WritePixels(file, width, height, cpp, pi
+ unsigned int x, y, h;
+
+ h = height - 1;
++ if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
++ return XpmNoMemory;
+ p = buf = (char *) XpmMalloc(width * cpp + 3);
+ if (!buf)
+ return (XpmNoMemory);
+@@ -297,6 +303,11 @@ WriteExtensions(file, ext, num)
+ /*
+ * open the given file to be written as an xpmData which is returned
+ */
++#ifndef NO_ZPIPE
++ FILE *s_popen(char *cmd, const char *type);
++#else
++# define s_popen popen
++#endif
+ static int
+ OpenWriteFile(filename, mdata)
+ char *filename;
+@@ -312,16 +323,23 @@ OpenWriteFile(filename, mdata)
+ mdata->type = XPMFILE;
+ } else {
+ #ifndef NO_ZPIPE
+- int len = strlen(filename);
++
size_t len = strlen(filename);
++
++ if(len == 0 ||
++ filename[0] == '/' ||
++ strstr(filename, "../") != NULL ||
++ filename[len-1] == '/')
++ return(XpmOpenFailed);
++
+ if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
+- sprintf(buf, "compress > \"%s\"", filename);
+- if (!(mdata->stream.file = popen(buf, "w")))
++ snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
++ if (!(mdata->stream.file = s_popen(buf, "w")))
+ return (XpmOpenFailed);
+
+ mdata->type = XPMPIPE;
+ } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
+- sprintf(buf, "gzip -q > \"%s\"", filename);
+- if (!(mdata->stream.file = popen(buf, "w")))
++ snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
++ if (!(mdata->stream.file = s_popen(buf, "w")))
+ return (XpmOpenFailed);
+
+ mdata->type = XPMPIPE;
+@@ -352,7 +370,7 @@ xpmDataClose(mdata)
+ break;
+ #ifndef NO_ZPIPE
+ case XPMPIPE:
+- pclose(mdata->stream.file);
++ fclose(mdata->stream.file);
+ break;
+ #endif
+ }
diff --git a/graphics/xpm/patches/patch-aq b/graphics/xpm/patches/patch-aq
new file mode 100644
index 00000000000..d12d49aacec
--- /dev/null
+++ b/graphics/xpm/patches/patch-aq
@@ -0,0 +1,13 @@
+$NetBSD: patch-aq,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- lib/misc.c.orig 1998-03-19 14:51:00.000000000 -0500
++++ lib/misc.c
+@@ -44,7 +44,7 @@ xpmstrdup(s1)
+ char *s1;
+ {
+ char *s2;
+- int l = strlen(s1) + 1;
++ size_t l = strlen(s1) + 1;
+
+ if (s2 = (char *) XpmMalloc(l))
+ strcpy(s2, s1);
diff --git a/graphics/xpm/patches/patch-ar b/graphics/xpm/patches/patch-ar
new file mode 100644
index 00000000000..cf710810695
--- /dev/null
+++ b/graphics/xpm/patches/patch-ar
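Review bot: The new path check in OpenWriteFile sits inside `#ifndef NO_ZPIPE`, so a build with NO_ZPIPE defined gets no directory-traversal check at all, and OpenReadFile in patch-an only tests for an empty name or a trailing `/`. As far as this hunk shows, the check runs before the `.Z`/`.gz` suffix tests, so `filename[0] == '/'` presumably also refuses every absolute path for plain uncompressed output, which callers are not told about. I would hoist `size_t len = strlen(filename);` and the `if` above the `#ifndef` so both configurations are covered, and add a comment such as `/* refuse absolute paths and "../" components; callers must pass a relative name */`. The rest of OpenWriteFile lies outside the hunk.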
@@ -0,0 +1,186 @@
+$NetBSD: patch-ar,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- /dev/null 2005-06-14 01:17:00.000000000 -0400
++++ lib/s_popen.c 2005-06-14 00:03:23.000000000 -0400
+@@ -0,0 +1,181 @@
++/*
++ * Copyright (C) 2004 The X.Org fundation
++ *
++ * Permission is hereby granted, free of charge, to any person
++ * obtaining a copy of this software and associated documentation
++ * files (the "Software"), to deal in the Software without
++ * restriction, including without limitation the rights to use, copy,
++ * modify, merge, publish, distribute, sublicense, and/or sell copies
++ * of the Software, and to permit persons to whom the Software is fur-
++ * nished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
++ * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
++ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ *
++ * Except as contained in this notice, the name of the X.Org fundation
++ * shall not be used in advertising or otherwise to promote the sale,
++ * use or other dealings in this Software without prior written
++ * authorization from the X.Org fundation.
++ */
++
++/*
++** This is a secure but NOT 100% compatible replacement for popen()
++** Note: - don't use pclose() use fclose() for closing the returned
++** filedesc.!!!
++**
++** Known Bugs: - unable to use i/o-redirection like > or <
++** Author: - Thomas Biege <thomas@suse.de>
++** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
++** calling strtok()
++*/
++
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <string.h>
++
++#define __SEC_POPEN_TOKEN " "
++
++FILE *s_popen(char *cmd, const char *type)
++{
++ pid_t pid;
++ int pfd[2];
++ int rpipe = 0, wpipe = 0, i;
++ char **argv;
++ char *ptr;
++ char *cmdcpy;
++
++
++ if(cmd == NULL || cmd == "")
++ return(NULL);
++
++ if(type[0] != 'r' && type[0] != 'w')
++ return(NULL);
++
++ if ((cmdcpy = strdup(cmd)) == NULL)
++ return(NULL);
++
++ argv = NULL;
++ if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ for(i = 0;; i++)
++ {
++ if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ strcpy(argv[i], ptr);
++
++ if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
++ {
++ if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++ argv[i+1] = NULL;
++ break;
++ }
++ }
++
++
++ if(type[0] == 'r')
++ rpipe = 1;
++ else
++ wpipe = 1;
++
++ if (pipe(pfd) < 0)
++ {
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ if((pid = fork()) < 0)
++ {
++ close(pfd[0]);
++ close(pfd[1]);
++ free(cmdcpy);
++ return(NULL);
++ }
++
++ if(pid == 0) /* child */
++ {
++ if((pid = fork()) < 0)
++ {
++ close(pfd[0]);
++ close(pfd[1]);
++ free(cmdcpy);
++ return(NULL);
++ }
++ if(pid > 0)
++ {
++ exit(0); /* child nr. 1 exits */
++ }
++
++ /* child nr.
2 */
++ if(rpipe)
++ {
++ close(pfd[0]); /* close reading end, we don't need it */
++ dup2(STDOUT_FILENO, STDERR_FILENO);
++ if (pfd[1] != STDOUT_FILENO)
++ dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
++ }
++ else
++ {
++ close(pfd[1]); /* close writing end, we don't need it */
++ if (pfd[0] != STDIN_FILENO)
++ dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
++ }
++
++ if(strchr(argv[0], '/') == NULL)
++ execvp(argv[0], argv); /* search in $PATH */
++ else
++ execv(argv[0], argv);
++
++ close(pfd[0]);
++ close(pfd[1]);
++ free(cmdcpy);
++ return(NULL); /* exec failed.. ooops! */
++ }
++ else /* parent */
++ {
++ waitpid(pid, NULL, 0); /* wait for child nr. 1 */
++
++ if(rpipe)
++ {
++ close(pfd[1]);
++ free(cmdcpy);
++ return(fdopen(pfd[0], "r"));
++ }
++ else
++ {
++ close(pfd[0]);
++ free(cmdcpy);
++ return(fdopen(pfd[1], "w"));
++ }
++
++ }
++}
++
diff --git a/graphics/xpm/patches/patch-as b/graphics/xpm/patches/patch-as
new file mode 100644
index 00000000000..9c74075938d
--- /dev/null
+++ b/graphics/xpm/patches/patch-as
@@ -0,0 +1,12 @@
+$NetBSD: patch-as,v 1.1 2005/06/14 18:10:37 jlam Exp $
+
+--- cxpm/cxpm.c.orig 1998-03-19 14:51:01.000000000 -0500
++++ cxpm/cxpm.c
+@@ -77,6 +77,7 @@ sUngetc(data, c)
+ #include "../lib/data.c"
+ #include "../lib/parse.c"
+ #include "../lib/RdFToI.c" /* only for OpenReadFile and xpmDataClose */
++#include "../lib/s_popen.c"
+ #include "../lib/hashtab.c"
+ #include "../lib/misc.c"
+ #include "../lib/Attrib.c" |
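Review bot: In s_popen the second child does `return(NULL)` when execvp/execv fails, and the first child does the same when the inner fork() fails, so a forked copy of the calling application returns into the caller's code and keeps running next to the parent. Both paths should end with `_exit(127);`, and child nr. 1 should call `_exit(0)` rather than `exit(0)` so it does not flush the parent's stdio buffers a second time. The guard `cmd == ""` compares addresses rather than contents; it should read `if(cmd == NULL || cmd[0] == '\0')`. The argv array and its strings are never freed in the parent, the error returns inside the tokenising loop leak them as well, and a failed fdopen() leaves the pipe descriptor open.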