From 0cf9ea55c1e939fd6694cadead8cf20344b223d3 Mon Sep 17 00:00:00 2001 From: minskim Date: Thu, 16 Sep 2004 15:09:01 +0000 Subject: Incorporate security fixes of X.Org X11R6.8.1. Bump PKGREVISION. --- graphics/xpm/Makefile | 4 +- graphics/xpm/buildlink3.mk | 3 +- graphics/xpm/distinfo | 13 ++- graphics/xpm/patches/patch-aa | 21 ++++- graphics/xpm/patches/patch-ad | 38 ++++++++- graphics/xpm/patches/patch-ae | 29 +++++++ graphics/xpm/patches/patch-af | 13 +++ graphics/xpm/patches/patch-ag | 53 +++++++++++++ graphics/xpm/patches/patch-ah | 13 +++ graphics/xpm/patches/patch-ai | 31 ++++++++ graphics/xpm/patches/patch-aj | 179 ++++++++++++++++++++++++++++++++++++++++++ graphics/xpm/patches/patch-ak | 68 ++++++++++++++++ 12 files changed, 452 insertions(+), 13 deletions(-) create mode 100644 graphics/xpm/patches/patch-ae create mode 100644 graphics/xpm/patches/patch-af create mode 100644 graphics/xpm/patches/patch-ag create mode 100644 graphics/xpm/patches/patch-ah create mode 100644 graphics/xpm/patches/patch-ai create mode 100644 graphics/xpm/patches/patch-aj create mode 100644 graphics/xpm/patches/patch-ak (limited to 'graphics/xpm') diff --git a/graphics/xpm/Makefile b/graphics/xpm/Makefile index 07f58ded997..54476accab7 100644 --- a/graphics/xpm/Makefile +++ b/graphics/xpm/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.37 2004/05/15 06:03:11 grant Exp $ +# $NetBSD: Makefile,v 1.38 2004/09/16 15:09:01 minskim Exp $ DISTNAME= xpm-3.4k -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= graphics x11 MASTER_SITES= http://koala.ilog.fr/ftp/pub/xpm/ \ ${MASTER_SITE_XCONTRIB:=libraries/} diff --git a/graphics/xpm/buildlink3.mk b/graphics/xpm/buildlink3.mk index 9d4e6e41549..a65009e8ee6 100644 --- a/graphics/xpm/buildlink3.mk +++ b/graphics/xpm/buildlink3.mk 
@@ -1,4 +1,4 @@ -# $NetBSD: buildlink3.mk,v 1.15 2004/03/10 17:57:14 jlam Exp $ +# $NetBSD: buildlink3.mk,v 1.16 2004/09/16 15:09:01 minskim Exp $ BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+ XPM_BUILDLINK3_MK:= ${XPM_BUILDLINK3_MK}+ @@ -12,6 +12,7 @@ BUILDLINK_PACKAGES+= xpm .if !empty(XPM_BUILDLINK3_MK:M+) BUILDLINK_DEPENDS.xpm+= xpm>=3.4k +BUILDLINK_RECOMMENDED.xpm?= xpm>=3.4knb2 BUILDLINK_PKGSRCDIR.xpm?= ../../graphics/xpm USE_X11= yes diff --git a/graphics/xpm/distinfo b/graphics/xpm/distinfo index 175e00e71b0..f085a34e32c 100644 --- a/graphics/xpm/distinfo +++ b/graphics/xpm/distinfo @@ -1,8 +1,15 @@ -$NetBSD: distinfo,v 1.9 2002/08/25 18:39:26 jlam Exp $ +$NetBSD: distinfo,v 1.10 2004/09/16 15:09:01 minskim Exp $ SHA1 (xpm-3.4k.tar.gz) = a8eac19e5772bf7b3b177353686c1401fbf334bd Size (xpm-3.4k.tar.gz) = 148887 bytes -SHA1 (patch-aa) = 86264a0d832382eef43af740f16bcdf9448f4573 +SHA1 (patch-aa) = 33725beb53dc01b022e5110dbffab4c6a3ae65dc SHA1 (patch-ab) = 0c8f317cdbde27929790e46d1711ada5e454b79d SHA1 (patch-ac) = a0f1692ecfbf0160f5e5a5e3f31ac9398ff667b7 -SHA1 (patch-ad) = fb85487779cf5430224ae6f0a8cdc55350687eae +SHA1 (patch-ad) = 0b6a2640a175d354449cab0198e3cbe1220f46b4 +SHA1 (patch-ae) = 31cf9b37d8d138ffdcee66b16adb4ed22c129763 +SHA1 (patch-af) = 17fed3b0e060f7cee19d21bc3ec5bf1b87dd89a7 +SHA1 (patch-ag) = 68435561f8fe7753c4bb8ce71ee6e53faf1e83d6 +SHA1 (patch-ah) = 075229583814bbdd0a3d7ac8dcb6ad0507d182ff +SHA1 (patch-ai) = 79472013037a1866739b96e97d740378086cc46f +SHA1 (patch-aj) = 98048e40c338f69915e233aa11df0f95deff75a4 +SHA1 (patch-ak) = b84999d5e981bbe6edd6fc76310681c16263e8b5 diff --git a/graphics/xpm/patches/patch-aa b/graphics/xpm/patches/patch-aa index a19ae55407e..3e8b8189c51 100644 --- a/graphics/xpm/patches/patch-aa +++ b/graphics/xpm/patches/patch-aa 
@@ -1,8 +1,21 @@ -$NetBSD: patch-aa,v 1.3 1998/08/07 10:40:55 agc Exp $ +$NetBSD: patch-aa,v 1.4 2004/09/16 15:09:01 minskim Exp $ ---- Imakefile.orig Thu Mar 19 14:50:59 1998 -+++ Imakefile Sat Jul 4 05:08:45 1998 -@@ -59,6 +59,7 @@ +--- Imakefile.orig Thu Mar 19 13:50:59 1998 ++++ Imakefile +@@ -51,14 +51,19 @@ SPRINTFDEF = -DVOID_SPRINTF + # endif + # endif + #endif ++#if HasStrlcat ++STRLCATDEF = -DHAS_STRLCAT ++#endif ++ + #if defined(Win32Architecture) + ZPIPEDEF = -DNO_ZPIPE + #endif + +-DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(ZPIPEDEF) ++DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(STRLCATDEF) $(ZPIPEDEF) XCOMM You can uncomment the following line to avoid building the shared lib XCOMM IMAKE_DEFINES = -DSharedLibXpm=NO diff --git a/graphics/xpm/patches/patch-ad b/graphics/xpm/patches/patch-ad index 2e6bdd2ba23..bf2231b5152 100644 --- a/graphics/xpm/patches/patch-ad +++ b/graphics/xpm/patches/patch-ad @@ -1,7 +1,7 @@ -$NetBSD: patch-ad,v 1.4 2002/08/25 18:39:26 jlam Exp $ +$NetBSD: patch-ad,v 1.5 2004/09/16 15:09:01 minskim Exp $ ---- lib/XpmI.h.orig Thu Mar 19 20:51:00 1998 -+++ lib/XpmI.h Mon May 13 00:33:23 2002 +--- lib/XpmI.h.orig Thu Mar 19 13:51:00 1998 ++++ lib/XpmI.h @@ -42,6 +42,7 @@ #ifndef XPMI_h #define XPMI_h 
@@ -10,3 +10,35 @@ $NetBSD: patch-ad,v 1.4 2002/08/25 18:39:26 jlam Exp $ #include "xpm.h" /* +@@ -114,6 +115,18 @@ extern FILE *popen(); + boundCheckingCalloc((long)(nelem),(long) (elsize)) + #endif + ++#if defined(SCO) || defined(__USLC__) ++#include /* For SIZE_MAX */ ++#endif ++#include ++#ifndef SIZE_MAX ++# ifdef ULONG_MAX ++# define SIZE_MAX ULONG_MAX ++# else ++# define SIZE_MAX UINT_MAX ++# endif ++#endif ++ + #define XPMMAXCMTLEN BUFSIZ + typedef struct { + unsigned int type; +@@ -215,9 +228,9 @@ typedef struct _xpmHashAtom { + } *xpmHashAtom; + + typedef struct { +- int size; +- int limit; +- int used; ++ unsigned int size; ++ unsigned int limit; ++ unsigned int used; + xpmHashAtom *atomTable; + } xpmHashTable; + diff --git a/graphics/xpm/patches/patch-ae b/graphics/xpm/patches/patch-ae new file mode 100644 index 00000000000..a94b683aaab --- /dev/null +++ b/graphics/xpm/patches/patch-ae @@ -0,0 +1,29 @@ +$NetBSD: patch-ae,v 1.1 2004/09/16 15:09:01 minskim Exp $ + +--- lib/Attrib.c.orig Thu Mar 19 13:50:59 1998 ++++ lib/Attrib.c +@@ -35,7 +35,7 @@ + #include "XpmI.h" + + /* 3.2 backward compatibility code */ +-LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors, ++LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, + XpmColor ***oldct)); + + LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); +@@ -46,11 +46,14 @@ LFUNC(FreeOldColorTable, void, (XpmColor + static int + CreateOldColorTable(ct, ncolors, oldct) + XpmColor *ct; +- int ncolors; ++ unsigned int ncolors; + XpmColor ***oldct; + { + XpmColor **colorTable, **color; + int a; ++ ++ if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) ++ return XpmNoMemory; + + colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); + if (!colorTable) { diff --git a/graphics/xpm/patches/patch-af b/graphics/xpm/patches/patch-af new file mode 100644 index 00000000000..5a511d00424 --- /dev/null +++ b/graphics/xpm/patches/patch-af 
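Review bot: In patch-ae (lib/Attrib.c) `ncolors` becomes `unsigned int` in CreateOldColorTable, but the local index `int a;` and the sibling prototype `FreeOldColorTable(XpmColor **colorTable, int ncolors)` in the same hunk stay signed, so the count is still compared and handed on with mixed signedness. Declaring `unsigned int a;` and widening FreeOldColorTable's parameter the same way would keep the pair consistent. The loop that uses `a` and the FreeOldColorTable call are outside the hunk, so how they behave for counts above INT_MAX should be confirmed there.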
@@ -0,0 +1,13 @@
+$NetBSD: patch-af,v 1.1 2004/09/16 15:09:01 minskim Exp $
+
+--- lib/CrDatFrI.c.orig Thu Mar 19 13:50:59 1998
++++ lib/CrDatFrI.c
+@@ -123,6 +123,8 @@ XpmCreateDataFromXpmImage(data_return, i
+ */
+ header_nlines = 1 + image->ncolors;
+ header_size = sizeof(char *) * header_nlines;
++ if (header_size >= SIZE_MAX / sizeof(char *))
++ return (XpmNoMemory);
+ header = (char **) XpmCalloc(header_size, sizeof(char *));
+ if (!header)
+ return (XpmNoMemory);
diff --git a/graphics/xpm/patches/patch-ag b/graphics/xpm/patches/patch-ag
new file mode 100644
index 00000000000..65c4d5f2c2f
--- /dev/null
+++ b/graphics/xpm/patches/patch-ag
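Review bot: In patch-af (lib/CrDatFrI.c) the new guard tests `header_size` only after `header_nlines = 1 + image->ncolors` and `sizeof(char *) * header_nlines` have been evaluated, so a value that has already wrapped can pass the comparison. The operand should be bounded before either computation, for example `if (image->ncolors >= SIZE_MAX / sizeof(char *) - 1) return (XpmNoMemory);`, with the limit matched to the declared width of `header_nlines` and `header_size`, which are declared outside the hunk. Separately, `XpmCalloc(header_size, sizeof(char *))` multiplies a byte count by the element size again; whether that over-allocation is intended is not visible here.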
@@ -0,0 +1,53 @@
+$NetBSD: patch-ag,v 1.1 2004/09/16 15:09:01 minskim Exp $
+
+--- lib/create.c.orig Thu Mar 19 13:51:00 1998
++++ lib/create.c
+@@ -819,6 +819,9 @@ XpmCreateImageFromXpmImage(display, imag
+
+ ErrorStatus = XpmSuccess;
+
++ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
++ return (XpmNoMemory);
++
+ /* malloc pixels index tables */
+ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
+ if (!image_pixels)
+@@ -991,6 +994,8 @@ CreateXImage(display, visual, depth, for
+ return (XpmNoMemory);
+
+ #if !defined(FOR_MSW) && !defined(AMIGA)
++ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
++ return XpmNoMemory;
+ /* now that bytes_per_line must have been set properly alloc data */
+ (*image_return)->data =
+ (char *) XpmMalloc((*image_return)->bytes_per_line * height);
+@@ -2063,6 +2068,9 @@ xpmParseDataAndCreate(display, data, ima
+ xpmGetCmt(data, &colors_cmt);
+
+ /* malloc pixels index tables */
++ if (ncolors >= SIZE_MAX / sizeof(Pixel))
++ return XpmNoMemory;
++
+ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
+ if (!image_pixels)
+ RETURN(XpmNoMemory);
+@@ -2317,7 +2325,8 @@ ParseAndPutPixels(
+ }
+ obm = SelectObject(*dc, image->bitmap);
+ #endif
+-
++ if (ncolors > 256)
++ return (XpmFileInvalid);
+
+ bzero((char *)colidx, 256 * sizeof(short));
+ for (a = 0; a < ncolors; a++)
+@@ -2422,6 +2431,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
+ {
+ char *s;
+ char buf[BUFSIZ];
++
++ if (cpp >= sizeof(buf))
++ return (XpmFileInvalid);
+
+ buf[cpp] = '\0';
+ if (USE_HASHTABLE) {
diff --git a/graphics/xpm/patches/patch-ah b/graphics/xpm/patches/patch-ah
new file mode 100644
index 00000000000..423d815392f
--- /dev/null
+++ b/graphics/xpm/patches/patch-ah
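Review bot: In patch-ag (lib/create.c), the xpmParseDataAndCreate hunk leaves through a bare `return XpmNoMemory;` while the allocation failure two lines below uses `RETURN(XpmNoMemory);`, so whatever cleanup that macro performs is skipped on the new overflow path. Writing `RETURN(XpmNoMemory);` there would match the surrounding error handling; the macro is defined outside the hunk, so what it releases should be confirmed. The CreateXImage check has the same shape: it returns after `*image_return` has been created and dereferenced, and nothing visible in the hunk destroys that image first.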
@@ -0,0 +1,13 @@
+$NetBSD: patch-ah,v 1.1 2004/09/16 15:09:01 minskim Exp $
+
+--- lib/data.c.orig Thu Mar 19 13:51:00 1998
++++ lib/data.c
+@@ -374,7 +374,7 @@ xpmGetCmt(data, cmt)
+ {
+ if (!data->type)
+ *cmt = NULL;
+- else if (data->CommentLength) {
++ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) {
+ *cmt = (char *) XpmMalloc(data->CommentLength + 1);
+ strncpy(*cmt, data->Comment, data->CommentLength);
+ (*cmt)[data->CommentLength] = '\0';
diff --git a/graphics/xpm/patches/patch-ai b/graphics/xpm/patches/patch-ai
new file mode 100644
index 00000000000..7f9bb7a60bb
--- /dev/null
+++ b/graphics/xpm/patches/patch-ai
@@ -0,0 +1,31 @@
+$NetBSD: patch-ai,v 1.1 2004/09/16 15:09:01 minskim Exp $
+
+--- lib/hashtab.c.orig Thu Mar 19 13:51:00 1998
++++ lib/hashtab.c
+@@ -135,7 +135,7 @@ HashTableGrows(table)
+ xpmHashTable *table;
+ {
+ xpmHashAtom *atomTable = table->atomTable;
+- int size = table->size;
++ unsigned int size = table->size;
+ xpmHashAtom *t, *p;
+ int i;
+ int oldSize = size;
+@@ -144,6 +144,8 @@ HashTableGrows(table)
+ HASH_TABLE_GROWS
+ table->size = size;
+ table->limit = size / 3;
++ if (size >= SIZE_MAX / sizeof(*atomTable))
++ return (XpmNoMemory);
+ atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
+ if (!atomTable)
+ return (XpmNoMemory);
+@@ -204,6 +206,8 @@ xpmHashTableInit(table)
+ table->size = INITIAL_HASH_SIZE;
+ table->limit = table->size / 3;
+ table->used = 0;
++ if (table->size >= SIZE_MAX / sizeof(*atomTable))
++ return (XpmNoMemory);
+ atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
+ if (!atomTable)
+ return (XpmNoMemory);
diff --git a/graphics/xpm/patches/patch-aj b/graphics/xpm/patches/patch-aj
new file mode 100644
index 00000000000..040a7ebe2bd
--- /dev/null
+++ b/graphics/xpm/patches/patch-aj
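Review bot: In patch-ah (lib/data.c, xpmGetCmt) the tightened condition bounds `CommentLength`, but the result of `XpmMalloc(data->CommentLength + 1)` is still passed to `strncpy` and indexed with no NULL check, so an allocation failure for a large comment is dereferenced. Adding `if (!*cmt) return XpmNoMemory;` right after the allocation would close that, assuming the function can return a status; its signature and the rest of its body are outside the hunk. The type of `CommentLength` is not visible either; if it is `unsigned int`, the `SIZE_MAX - 1` bound cannot fail where size_t is wider.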
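Review bot: In patch-ai (lib/hashtab.c, HashTableGrows) the new check sits after `table->size = size;` and `table->limit = size / 3;`, so when it or the following XpmMalloc fails the table already describes the enlarged size while, as far as the hunk shows, the old array is still the one attached to it. The guard belongs above those two assignments, or the assignments should happen only once the allocation has succeeded. `int oldSize = size;` and `int i;` also stay signed now that `size` is `unsigned int`; `unsigned int oldSize = size;` would keep the later comparisons in one signedness. Whether callers go on using the table after XpmNoMemory is not visible here.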
@@ -0,0 +1,179 @@
+$NetBSD: patch-aj,v 1.1 2004/09/16 15:09:01 minskim Exp $
+
+--- lib/parse.c.orig Thu Mar 19 13:51:00 1998
++++ lib/parse.c
+@@ -41,6 +41,24 @@
+ #include "XpmI.h"
+ #include
+
++#ifdef HAS_STRLCAT
++# define STRLCAT(dst, src, dstsize) { \
++ if (strlcat(dst, src, dstsize) >= (dstsize)) \
++ return (XpmFileInvalid); }
++# define STRLCPY(dst, src, dstsize) { \
++ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
++ return (XpmFileInvalid); }
++#else
++# define STRLCAT(dst, src, dstsize) { \
++ if ((strlen(dst) + strlen(src)) < (dstsize)) \
++ strcat(dst, src); \
++ else return (XpmFileInvalid); }
++# define STRLCPY(dst, src, dstsize) { \
++ if (strlen(src) < (dstsize)) \
++ strcpy(dst, src); \
++ else return (XpmFileInvalid); }
++#endif
++
+ LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
+ unsigned int height, unsigned int ncolors,
+ unsigned int cpp, XpmColor *colorTable,
+@@ -63,7 +81,7 @@ xpmParseValues(data, width, height, ncol
+ unsigned int *extensions;
+ {
+ unsigned int l;
+- char buf[BUFSIZ];
++ char buf[BUFSIZ + 1];
+
+ if (!data->format) { /* XPM 2 or 3 */
+
+@@ -172,10 +190,10 @@ xpmParseColors(data, ncolors, cpp, color
+ XpmColor **colorTablePtr;
+ xpmHashTable *hashtable;
+ {
+- unsigned int key, l, a, b;
++ unsigned int key, l, a, b, len;
+ unsigned int curkey; /* current color key */
+ unsigned int lastwaskey; /* key read */
+- char buf[BUFSIZ];
++ char buf[BUFSIZ+1];
+ char curbuf[BUFSIZ]; /* current buffer */
+ char **sptr, *s;
+ XpmColor *color;
+@@ -183,6 +201,8 @@ xpmParseColors(data, ncolors, cpp, color
+ char **defaults;
+ int ErrorStatus;
+
++ if (ncolors >= SIZE_MAX / sizeof(XpmColor))
++ return (XpmNoMemory);
+ colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
+ if (!colorTable)
+ return (XpmNoMemory);
+@@ -194,6 +214,10 @@ xpmParseColors(data, ncolors, cpp, color
+ /*
+ * read pixel value
+ */
++ if (cpp >= SIZE_MAX - 1) {
++ xpmFreeColorTable(colorTable, ncolors);
++ return (XpmNoMemory);
++ }
+ color->string = (char *) XpmMalloc(cpp + 1);
+ if (!color->string) {
+ xpmFreeColorTable(colorTable, ncolors);
+@@ -231,13 +255,14 @@ xpmParseColors(data, ncolors, cpp, color
+ }
+ if (!lastwaskey && key < NKEYS) { /* open new key */
+ if (curkey) { /* flush string */
+- s = (char *) XpmMalloc(strlen(curbuf) + 1);
++ len = strlen(curbuf) + 1;
++ s = (char *) XpmMalloc(len);
+ if (!s) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
+ defaults[curkey] = s;
+- strcpy(s, curbuf);
++ memcpy(s, curbuf, len);
+ }
+ curkey = key + 1; /* set new key */
+ *curbuf = '\0'; /* reset curbuf */
+@@ -248,9 +273,9 @@ xpmParseColors(data, ncolors, cpp, color
+ return (XpmFileInvalid);
+ }
+ if (!lastwaskey)
+- strcat(curbuf, " "); /* append space */
++ STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
+ buf[l] = '\0';
+- strcat(curbuf, buf);/* append buf */
++ STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
+ lastwaskey = 0;
+ }
+ }
+@@ -258,12 +283,13 @@ xpmParseColors(data, ncolors, cpp, color
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmFileInvalid);
+ }
+- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
++ len = strlen(curbuf) + 1;
++ s = defaults[curkey] = (char *) XpmMalloc(len);
+ if (!s) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
+- strcpy(s, curbuf);
++ memcpy(s, curbuf, len);
+ }
+ } else { /* XPM 1 */
+ /* get to the beginning of the first string */
+@@ -276,6 +302,10 @@ xpmParseColors(data, ncolors, cpp, color
+ /*
+ * read pixel value
+ */
++ if (cpp >= SIZE_MAX - 1) {
++ xpmFreeColorTable(colorTable, ncolors);
++ return (XpmNoMemory);
++ }
+ color->string = (char *) XpmMalloc(cpp + 1);
+ if (!color->string) {
+ xpmFreeColorTable(colorTable, ncolors);
+@@ -304,16 +334,17 @@ xpmParseColors(data, ncolors, cpp, color
+ *curbuf = '\0'; /* init curbuf */
+ while (l = xpmNextWord(data, buf, BUFSIZ)) {
+ if (*curbuf != '\0')
+- strcat(curbuf, " ");/* append space */
++ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
+ buf[l] = '\0';
+- strcat(curbuf, buf); /* append buf */
++ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
+ }
+- s = (char *) XpmMalloc(strlen(curbuf) + 1);
++ len = strlen(curbuf) + 1;
++ s = (char *) XpmMalloc(len);
+ if (!s) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
+- strcpy(s, curbuf);
++ memcpy(s, curbuf, len);
+ color->c_color = s;
+ *curbuf = '\0'; /* reset curbuf */
+ if (a < ncolors - 1)
+@@ -338,6 +369,9 @@ ParsePixels(data, width, height, ncolors
+ unsigned int *iptr, *iptr2;
+ unsigned int a, x, y;
+
++ if ((height > 0 && width >= SIZE_MAX / height) ||
++ width * height >= SIZE_MAX / sizeof(unsigned int))
++ return XpmNoMemory;
+ #ifndef FOR_MSW
+ iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
+ #else
+@@ -361,6 +395,9 @@ ParsePixels(data, width, height, ncolors
+ {
+ unsigned short colidx[256];
+
++ if (ncolors > 256)
++ return (XpmFileInvalid);
++
+ bzero((char *)colidx, 256 * sizeof(short));
+ for (a = 0; a < ncolors; a++)
+ colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
+@@ -438,6 +475,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
+ {
+ char *s;
+ char buf[BUFSIZ];
++
++ if (cpp >= sizeof(buf))
++ return (XpmFileInvalid);
+
+ buf[cpp] = '\0';
+ if (USE_HASHTABLE) {
diff --git a/graphics/xpm/patches/patch-ak b/graphics/xpm/patches/patch-ak
new file mode 100644
index 00000000000..3b7624a8839
--- /dev/null
+++ b/graphics/xpm/patches/patch-ak
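Review bot: In patch-aj (lib/parse.c) the STRLCAT/STRLCPY macros exit with a bare `return (XpmFileInvalid);`, while every other error path visible in xpmParseColors calls `xpmFreeColorTable(colorTable, ncolors);` first, so an over-long colour string now leaves the function without releasing the table. The length test could be done at the call sites instead, e.g. `if (strlen(curbuf) + strlen(buf) >= sizeof(curbuf)) { xpmFreeColorTable(colorTable, ncolors); return (XpmFileInvalid); }` before appending. The macro bodies are also bare `{ ... }` blocks used under unbraced `if` statements; wrapping them in `do { ... } while (0)` keeps the trailing `;` from detaching a later `else`. The end of xpmParseColors is outside the hunks, so whether a caller could still reach the table is not visible.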
@@ -0,0 +1,68 @@
+$NetBSD: patch-ak,v 1.1 2004/09/16 15:09:01 minskim Exp $
+
+--- lib/scan.c.orig Thu Mar 19 13:51:00 1998
++++ lib/scan.c
+@@ -103,7 +103,8 @@ LFUNC(MSWGetImagePixels, int, (Display *
+ LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
+ XpmAttributes *attributes));
+
+-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
++LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
++ unsigned int ncolors,
+ Pixel *pixels, unsigned int mask,
+ unsigned int cpp, XpmAttributes *attributes));
+
+@@ -228,11 +229,17 @@ XpmCreateXpmImageFromImage(display, imag
+ else
+ cpp = 0;
+
++ if ((height > 0 && width >= SIZE_MAX / height) ||
++ width * height >= SIZE_MAX / sizeof(unsigned int))
++ RETURN(XpmNoMemory);
+ pmap.pixelindex =
+ (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
+ if (!pmap.pixelindex)
+ RETURN(XpmNoMemory);
+
++ if (pmap.size >= SIZE_MAX / sizeof(Pixel))
++ RETURN(XpmNoMemory);
++
+ pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
+ if (!pmap.pixels)
+ RETURN(XpmNoMemory);
+@@ -298,6 +305,8 @@ XpmCreateXpmImageFromImage(display, imag
+ * color
+ */
+
++ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
++ RETURN(XpmNoMemory);
+ colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
+ if (!colorTable)
+ RETURN(XpmNoMemory);
+@@ -356,6 +365,8 @@ ScanTransparentColor(color, cpp, attribu
+
+ /* first get a character string */
+ a = 0;
++ if (cpp >= SIZE_MAX - 1)
++ return (XpmNoMemory);
+ if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
+ return (XpmNoMemory);
+ *s++ = printable[c = a % MAXPRINTABLE];
+@@ -403,7 +414,7 @@ static int
+ ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
+ Display *display;
+ XpmColor *colors;
+- int ncolors;
++ unsigned int ncolors;
+ Pixel *pixels;
+ unsigned int mask;
+ unsigned int cpp;
+@@ -447,6 +458,8 @@ ScanOtherColors(display, colors, ncolors
+ }
+
+ /* first get character strings and rgb values */
++ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
++ return (XpmNoMemory);
+ xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
+ if (!xcolors)
+ return (XpmNoMemory);
-- cgit v1.2.3
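Review bot: In patch-ak (lib/scan.c, XpmCreateXpmImageFromImage) the guard bounds `width * height` by SIZE_MAX, but the product handed to `XpmCalloc(width * height, sizeof(unsigned int))` is evaluated in the operands' own type. If `width` and `height` are `unsigned int` (their declarations are outside the hunk), then wherever size_t is wider than unsigned int the first clause cannot fail and the product can wrap before either the second clause or the allocation sees it, leaving a buffer smaller than the image. Widening before multiplying, `(size_t)width * height` in both the guard and the XpmCalloc argument, or bounding against `UINT_MAX` instead, would make the check effective on those platforms.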