$NetBSD: patch-ag,v 1.2 2005/06/14 18:10:37 jlam Exp $ --- lib/create.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/create.c @@ -43,6 +43,8 @@ * Lorens Younes (d93-hyo@nada.kth.se) 4/96 */ +/* October 2004, source code review by Thomas Biege */ + #include "XpmI.h" #include @@ -517,7 +519,7 @@ CreateColors(display, attributes, colors /* variables stored in the XpmAttributes structure */ Visual *visual; Colormap colormap; - XpmColorSymbol *colorsymbols; + XpmColorSymbol *colorsymbols = NULL; unsigned int numsymbols; XpmAllocColorFunc allocColor; void *closure; @@ -525,7 +527,7 @@ CreateColors(display, attributes, colors char *colorname; unsigned int color, key; Bool pixel_defined; - XpmColorSymbol *symbol; + XpmColorSymbol *symbol = NULL; char **defaults; int ErrorStatus = XpmSuccess; char *s; @@ -583,7 +585,7 @@ CreateColors(display, attributes, colors */ } else { #endif - int i; + unsigned int i; #ifndef AMIGA ncols = visual->map_entries; @@ -743,12 +745,14 @@ FreeColors(display, colormap, pixels, n, /* function call in case of error */ + #undef RETURN #define RETURN(status) \ +do \ { \ ErrorStatus = status; \ goto error; \ -} +} while(0) int XpmCreateImageFromXpmImage(display, image, @@ -765,7 +769,6 @@ XpmCreateImageFromXpmImage(display, imag unsigned int depth; int bitmap_format; XpmFreeColorsFunc freeColors; - void *closure; /* variables to return */ XImage *ximage = NULL; @@ -812,13 +815,12 @@ XpmCreateImageFromXpmImage(display, imag freeColors = attributes->free_colors; else freeColors = FreeColors; - if (attributes && (attributes->valuemask & XpmColorClosure)) - closure = attributes->color_closure; - else - closure = NULL; ErrorStatus = XpmSuccess; + if (image->ncolors >= UINT_MAX / sizeof(Pixel)) + return (XpmNoMemory); + /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) @@ -991,7 +993,13 @@ CreateXImage(display, visual, depth, for return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); + return XpmNoMemory; + } /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) + return XpmNoMemory; (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); @@ -1020,7 +1028,7 @@ CreateXImage(display, visual, depth, for LFUNC(_putbits, void, (register char *src, int dstoffset, register int numbits, register char *dst)); -LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); +LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); static unsigned char Const _reverse_byte[0x100] = { 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, @@ -1060,12 +1068,12 @@ static unsigned char Const _reverse_byte static int _XReverse_Bytes(bpt, nb) register unsigned char *bpt; - register int nb; + register unsigned int nb; { do { *bpt = _reverse_byte[*bpt]; bpt++; - } while (--nb > 0); + } while (--nb > 0); /* is nb user-controled? */ return 0; } @@ -1204,18 +1212,18 @@ PutImagePixels(image, width, height, pix register char *src; register char *dst; register unsigned int *iptr; - register int x, y, i; + register unsigned int x, y; register char *data; Pixel pixel, px; - int nbytes, depth, ibu, ibpp; + int nbytes, depth, ibu, ibpp, i; data = image->data; iptr = pixelindex; depth = image->depth; if (depth == 1) { ibu = image->bitmap_unit; - for (y = 0; y < height; y++) - for (x = 0; x < width; x++, iptr++) { + for (y = 0; y < height; y++) /* how can we trust height */ + for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ pixel = pixels[*iptr]; for (i = 0, px = pixel; i < sizeof(unsigned long); i++, px >>= 8) @@ -1290,12 +1298,12 @@ PutImagePixels32(image, width, height, p { unsigned char *data; unsigned int *iptr; - int y; + unsigned int y; Pixel pixel; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; unsigned char *addr; data = (unsigned char *) image->data; @@ -1332,7 +1340,7 @@ PutImagePixels32(image, width, height, p #else /* WITHOUT_SPEEDUPS */ - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; unsigned char *data_ptr, *max_data; data = (unsigned char *) image->data; @@ -1400,11 +1408,11 @@ PutImagePixels16(image, width, height, p { unsigned char *data; unsigned int *iptr; - int y; + unsigned int y; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; unsigned char *addr; data = (unsigned char *) image->data; @@ -1428,7 +1436,7 @@ PutImagePixels16(image, width, height, p Pixel pixel; - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; unsigned char *data_ptr, *max_data; data = (unsigned char *) image->data; @@ -1481,11 +1489,11 @@ PutImagePixels8(image, width, height, pi { char *data; unsigned int *iptr; - int y; + unsigned int y; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; data = image->data; iptr = pixelindex; @@ -1495,7 +1503,7 @@ PutImagePixels8(image, width, height, pi #else /* WITHOUT_SPEEDUPS */ - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; char *data_ptr, *max_data; data = image->data; @@ -1530,12 +1538,12 @@ PutImagePixels1(image, width, height, pi PutImagePixels(image, width, height, pixelindex, pixels); else { unsigned int *iptr; - int y; + unsigned int y; char *data; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; data = image->data; iptr = pixelindex; @@ -1755,10 +1763,12 @@ PutPixel1(ximage, x, y, pixel) register char *src; register char *dst; register int i; - register char *data; Pixel px; int nbytes; + if(x < 0 || y < 0) + return 0; + for (i=0, px=pixel; i>=8) ((unsigned char *)&pixel)[i] = px; src = &ximage->data[XYINDEX(x, y, ximage)]; @@ -1788,9 +1798,11 @@ PutPixel(ximage, x, y, pixel) register char *src; register char *dst; register int i; - register char *data; Pixel px; - int nbytes, ibpp; + unsigned int nbytes, ibpp; + + if(x < 0 || y < 0) + return 0; ibpp = ximage->bits_per_pixel; if (ximage->depth == 4) @@ -1823,6 +1835,9 @@ PutPixel32(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; *((unsigned long *)addr) = pixel; return 1; @@ -1837,6 +1852,9 @@ PutPixel32MSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; addr[0] = pixel >> 24; addr[1] = pixel >> 16; @@ -1854,6 +1872,9 @@ PutPixel32LSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; addr[3] = pixel >> 24; addr[2] = pixel >> 16; @@ -1871,6 +1892,9 @@ PutPixel16MSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; addr[0] = pixel >> 8; addr[1] = pixel; @@ -1886,6 +1910,9 @@ PutPixel16LSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; addr[1] = pixel >> 8; addr[0] = pixel; @@ -1899,6 +1926,9 @@ PutPixel8(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + ximage->data[ZINDEX8(x, y, ximage)] = pixel; return 1; } @@ -1910,6 +1940,9 @@ PutPixel1MSB(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + if (pixel & 1) ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); else @@ -1924,6 +1957,9 @@ PutPixel1LSB(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + if (pixel & 1) ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); else @@ -1953,7 +1989,6 @@ xpmParseDataAndCreate(display, data, ima unsigned int depth; int bitmap_format; XpmFreeColorsFunc freeColors; - void *closure; /* variables to return */ XImage *ximage = NULL; @@ -2011,10 +2046,6 @@ xpmParseDataAndCreate(display, data, ima freeColors = attributes->free_colors; else freeColors = FreeColors; - if (attributes && (attributes->valuemask & XpmColorClosure)) - closure = attributes->color_closure; - else - closure = NULL; cmts = info && (info->valuemask & XpmReturnComments); @@ -2063,6 +2094,9 @@ xpmParseDataAndCreate(display, data, ima xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ + if (ncolors >= UINT_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); @@ -2173,7 +2207,7 @@ xpmParseDataAndCreate(display, data, ima * free the hastable */ if (ErrorStatus != XpmSuccess) - RETURN(ErrorStatus) + RETURN(ErrorStatus); else if (USE_HASHTABLE) xpmHashTableFree(&hashtable); @@ -2364,11 +2398,11 @@ if (cidx[f]) XpmFree(cidx[f]);} /* array of pointers malloced by need */ unsigned short *cidx[256]; - int char1; + unsigned int char1; bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ for (a = 0; a < ncolors; a++) { - char1 = colorTable[a].string[0]; + char1 = (unsigned char) colorTable[a].string[0]; if (cidx[char1] == NULL) { /* get new memory */ cidx[char1] = (unsigned short *) XpmCalloc(256, sizeof(unsigned short));