1 files changed, 10 insertions, 16 deletions

diff --git a/audio/xmms/patches/patch-aq b/audio/xmms/patches/patch-aq
index 17524c30cdd..394017c94b8 100644
--- a/audio/xmms/patches/patch-aq
+++ b/audio/xmms/patches/patch-aq
@@ -1,7 +1,7 @@
-$NetBSD: patch-aq,v 1.3 2007/04/10 12:19:40 drochner Exp $
+$NetBSD: patch-aq,v 1.4 2007/11/29 18:36:40 wiz Exp $
 
---- ./xmms/bmp.c.orig	2002-02-12 00:15:56.000000000 +0100
-+++ ./xmms/bmp.c
+--- xmms/bmp.c.orig	2006-07-16 13:40:04.000000000 +0000
++++ xmms/bmp.c
 @@ -19,6 +19,12 @@
   */
  #include "xmms.h"
@@ -12,10 +12,10 @@ $NetBSD: patch-aq,v 1.3 2007/04/10 12:19:40 drochner Exp $
 +#define UINT32_MAX 0xffffffffU
 +#endif
 +
- typedef struct tagRGBQUAD
+ struct rgb_quad
  {
  	guchar rgbBlue;
-@@ -184,7 +190,7 @@ GdkPixmap *read_bmp(gchar * filename)
+@@ -183,7 +189,7 @@ GdkPixmap *read_bmp(gchar * filename)
  	}
  	else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
  	{
@@ -24,23 +24,17 @@ $NetBSD: patch-aq,v 1.3 2007/04/10 12:19:40 drochner Exp $
  
  		ncols = offset - headSize - 14;
  		if (headSize == 12)
-@@ -200,10 +206,18 @@ GdkPixmap *read_bmp(gchar * filename)
- 		}
- 	}
+@@ -203,6 +209,13 @@ GdkPixmap *read_bmp(gchar * filename)
  	fseek(file, offset, SEEK_SET);
+ 	buffer = g_malloc(imgsize);
+ 	fread(buffer, imgsize, 1, file);
 +	/* verify buffer size */
 +	if (!h || !w ||
 +	    w > (((UINT32_MAX - 3) / 3) / h) ||
 +	    h > (((UINT32_MAX - 3) / 3) / w)) {
 +		g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
-+		fclose(file);
-+		return NULL;
++		goto failure;
 +	}
-+	data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
- 	buffer = g_malloc(imgsize);
- 	fread(buffer, imgsize, 1, file);
- 	fclose(file);
--	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
+ 	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
  
  	if (bitcount == 1)
- 		read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);