Xpm/lib Attrib.c, 1.1, 1.2 CrBufFrI.c, 1.1, 1.2 CrDatFrI.c, 1.1,
1.2 RdFToBuf.c, 1.1, 1.2 RdFToI.c, 1.1, 1.2 WrFFrBuf.c, 1.1,
1.2 WrFFrI.c, 1.1, 1.2 XpmI.h, 1.1, 1.2 create.c, 1.1,
1.2 data.c, 1.1, 1.2 hashtab.c, 1.1, 1.2 misc.c, 1.1,
1.2 parse.c, 1.1, 1.2 scan.c, 1.1, 1.2 xpm.h, 1.1, 1.2
Daniel Stone
xlibs-commit@pdx.freedesktop.org
Fri Jan 28 11:33:59 PST 2005
- Previous message: Xpm ChangeLog,1.7,1.8 configure.ac,1.3,1.4
- Next message: Xt ChangeLog, 3.15, 3.16 Composite.c, 1.6, 1.7 Converters.c, 3.16,
3.17 Xtos.h, 3.14, 3.15
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Committed by: daniels
Update of /cvs/xlibs/Xpm/lib
In directory gabe:/tmp/cvs-serv5892/lib
Modified Files:
Attrib.c CrBufFrI.c CrDatFrI.c RdFToBuf.c RdFToI.c WrFFrBuf.c
WrFFrI.c XpmI.h create.c data.c hashtab.c misc.c parse.c
scan.c xpm.h
Log Message:
* lib/Attrib.c:
* lib/CrBufFrI.c:
* lib/CrDatFrI.c:
* lib/RdFToBuf.c:
* lib/RdFToI.c:
* lib/WrFFrBuf.c:
* lib/WrFFrI.c:
* lib/XpmI.h:
* lib/create.c:
* lib/data.c:
* lib/hashtab.c:
* lib/misc.c:
* lib/parse.c:
* lib/scan.c:
* lib/xpm.h:
Import security fixes from X.Org HEAD.
* configure.ac:
Bump to version 3.5.2.
Index: Attrib.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/Attrib.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- Attrib.c 25 Jan 2004 06:25:57 -0000 1.1
+++ Attrib.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -32,13 +32,15 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
/* 3.2 backward compatibility code */
-LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors,
+LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
XpmColor ***oldct));
-LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
+LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
/*
* Create a colortable compatible with the old style colortable
@@ -46,11 +48,14 @@
static int
CreateOldColorTable(ct, ncolors, oldct)
XpmColor *ct;
- int ncolors;
+ unsigned int ncolors;
XpmColor ***oldct;
{
XpmColor **colorTable, **color;
- int a;
+ unsigned int a;
+
+ if (ncolors >= UINT_MAX / sizeof(XpmColor *))
+ return XpmNoMemory;
colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
if (!colorTable) {
@@ -66,9 +71,9 @@
static void
FreeOldColorTable(colorTable, ncolors)
XpmColor **colorTable;
- int ncolors;
+ unsigned int ncolors;
{
- int a, b;
+ unsigned int a, b;
XpmColor **color;
char **sptr;
@@ -119,7 +124,7 @@
XpmExtension *ext;
char **sptr;
- if (extensions) {
+ if (extensions && nextensions > 0) {
for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
if (ext->name)
XpmFree(ext->name);
Index: CrBufFrI.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/CrBufFrI.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- CrBufFrI.c 25 Jan 2004 06:25:57 -0000 1.1
+++ CrBufFrI.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -31,7 +31,10 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/CrBufFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
+
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
+/* $XFree86$ */
#include "XpmI.h"
@@ -39,15 +42,17 @@
unsigned int *used_size, XpmColor *colors,
unsigned int ncolors, unsigned int cpp));
-LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size,
+LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
+ unsigned int *used_size,
unsigned int width, unsigned int height,
unsigned int cpp, unsigned int *pixels,
XpmColor *colors));
-LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size,
+LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
+ unsigned int *used_size,
XpmExtension *ext, unsigned int num));
-LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));
+LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
LFUNC(CommentsSize, int, (XpmInfo *info));
int
@@ -90,10 +95,11 @@
#undef RETURN
#define RETURN(status) \
+do \
{ \
ErrorStatus = status; \
goto error; \
-}
+}while(0)
int
XpmCreateBufferFromXpmImage(buffer_return, image, info)
@@ -107,7 +113,7 @@
unsigned int cmts, extensions, ext_size = 0;
unsigned int l, cmt_size = 0;
char *ptr = NULL, *p;
- unsigned int ptr_size, used_size;
+ unsigned int ptr_size, used_size, tmp;
*buffer_return = NULL;
@@ -129,7 +135,13 @@
#ifdef VOID_SPRINTF
used_size = strlen(buf);
#endif
- ptr_size = used_size + ext_size + cmt_size + 1;
+ ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
+ if(ptr_size <= used_size ||
+ ptr_size <= ext_size ||
+ ptr_size <= cmt_size)
+ {
+ return XpmNoMemory;
+ }
ptr = (char *) XpmMalloc(ptr_size);
if (!ptr)
return XpmNoMemory;
@@ -140,7 +152,7 @@
#ifndef VOID_SPRINTF
used_size +=
#endif
- sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt);
+ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
#ifdef VOID_SPRINTF
used_size += strlen(info->hints_cmt) + 5;
#endif
@@ -158,7 +170,7 @@
#ifndef VOID_SPRINTF
l +=
#endif
- sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);
+ snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
#ifdef VOID_SPRINTF
l = strlen(buf);
#endif
@@ -180,6 +192,8 @@
l = strlen(buf);
#endif
ptr_size += l;
+ if(ptr_size <= l)
+ RETURN(XpmNoMemory);
p = (char *) XpmRealloc(ptr, ptr_size);
if (!p)
RETURN(XpmNoMemory);
@@ -192,7 +206,7 @@
#ifndef VOID_SPRINTF
used_size +=
#endif
- sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt);
+ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
#ifdef VOID_SPRINTF
used_size += strlen(info->colors_cmt) + 5;
#endif
@@ -208,7 +222,12 @@
* 4 = 1 (for '"') + 3 (for '",\n')
* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
*/
- ptr_size += image->height * (image->width * image->cpp + 4) + 1;
+ if(image->width > UINT_MAX / image->cpp ||
+ (tmp = image->width * image->cpp + 4) <= 4 ||
+ image->height > UINT_MAX / tmp ||
+ (tmp = image->height * tmp + 1) <= 1 ||
+ (ptr_size += tmp) <= tmp)
+ RETURN(XpmNoMemory);
p = (char *) XpmRealloc(ptr, ptr_size);
if (!p)
@@ -220,17 +239,17 @@
#ifndef VOID_SPRINTF
used_size +=
#endif
- sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt);
+ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
#ifdef VOID_SPRINTF
used_size += strlen(info->pixels_cmt) + 5;
#endif
}
- WritePixels(ptr + used_size, &used_size, image->width, image->height,
+ WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
image->cpp, image->data, image->colorTable);
/* print extensions */
if (extensions)
- WriteExtensions(ptr + used_size, &used_size,
+ WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
info->extensions, info->nextensions);
/* close the array */
@@ -247,6 +266,7 @@
return (ErrorStatus);
}
+
static int
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
char **dataptr;
@@ -256,7 +276,7 @@
unsigned int ncolors;
unsigned int cpp;
{
- char buf[BUFSIZ];
+ char buf[BUFSIZ] = {0};
unsigned int a, key, l;
char *s, *s2;
char **defaults;
@@ -266,6 +286,8 @@
defaults = (char **) colors;
s = buf + 1;
+ if(cpp > (sizeof(buf) - (s-buf)))
+ return(XpmNoMemory);
strncpy(s, *defaults++, cpp);
s += cpp;
@@ -274,14 +296,24 @@
#ifndef VOID_SPRINTF
s +=
#endif
- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);
+ /* assume C99 compliance */
+ snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
#ifdef VOID_SPRINTF
s += strlen(s);
#endif
+ /* now let's check if s points out-of-bounds */
+ if((s-buf) > sizeof(buf))
+ return(XpmNoMemory);
}
}
+ if(sizeof(buf) - (s-buf) < 4)
+ return(XpmNoMemory);
strcpy(s, "\",\n");
l = s + 3 - buf;
+ if( *data_size >= UINT_MAX-l ||
+ *data_size + l <= *used_size ||
+ (*data_size + l - *used_size) <= sizeof(buf))
+ return(XpmNoMemory);
s = (char *) XpmRealloc(*dataptr, *data_size + l);
if (!s)
return (XpmNoMemory);
@@ -294,8 +326,9 @@
}
static void
-WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)
+WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
char *dataptr;
+ unsigned int data_size;
unsigned int *used_size;
unsigned int width;
unsigned int height;
@@ -306,27 +339,36 @@
char *s = dataptr;
unsigned int x, y, h;
+ if(height <= 1)
+ return;
+
h = height - 1;
for (y = 0; y < h; y++) {
*s++ = '"';
for (x = 0; x < width; x++, pixels++) {
- strncpy(s, colors[*pixels].string, cpp);
+ if(cpp >= (data_size - (s-dataptr)))
+ return;
+ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
s += cpp;
}
+ if((data_size - (s-dataptr)) < 4)
+ return;
strcpy(s, "\",\n");
s += 3;
}
/* duplicate some code to avoid a test in the loop */
*s++ = '"';
for (x = 0; x < width; x++, pixels++) {
- strncpy(s, colors[*pixels].string, cpp);
+ if(cpp >= (data_size - (s-dataptr)))
+ return;
+ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
s += cpp;
}
*s++ = '"';
*used_size += s - dataptr;
}
-static int
+static unsigned int
ExtensionsSize(ext, num)
XpmExtension *ext;
unsigned int num;
@@ -335,21 +377,26 @@
char **line;
size = 0;
+ if(num == 0)
+ return(0); /* ok? */
for (x = 0; x < num; x++, ext++) {
/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
size += strlen(ext->name) + 11;
- a = ext->nlines;
+ a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
for (y = 0, line = ext->lines; y < a; y++, line++)
/* 4 = 3 (for ',\n"') + 1 (for '"') */
size += strlen(*line) + 4;
}
/* 13 is for ',\n"XPMENDEXT"' */
+ if(size > UINT_MAX - 13) /* unlikely */
+ return(0);
return size + 13;
}
static void
-WriteExtensions(dataptr, used_size, ext, num)
+WriteExtensions(dataptr, data_size, used_size, ext, num)
char *dataptr;
+ unsigned int data_size;
unsigned int *used_size;
XpmExtension *ext;
unsigned int num;
@@ -362,7 +409,7 @@
#ifndef VOID_SPRINTF
s +=
#endif
- sprintf(s, ",\n\"XPMEXT %s\"", ext->name);
+ snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
#ifdef VOID_SPRINTF
s += strlen(ext->name) + 11;
#endif
@@ -371,13 +418,13 @@
#ifndef VOID_SPRINTF
s +=
#endif
- sprintf(s, ",\n\"%s\"", *line);
+ snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
#ifdef VOID_SPRINTF
s += strlen(*line) + 4;
#endif
}
}
- strcpy(s, ",\n\"XPMENDEXT\"");
+ strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
*used_size += s - dataptr + 13;
}
@@ -388,6 +435,7 @@
int size = 0;
/* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
+ /* wrap possible but *very* unlikely */
if (info->hints_cmt)
size += 5 + strlen(info->hints_cmt);
Index: CrDatFrI.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/CrDatFrI.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- CrDatFrI.c 25 Jan 2004 06:25:57 -0000 1.1
+++ CrDatFrI.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -31,7 +31,9 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/CrDatFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
+/* $XFree86$ */
+
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
#include "XpmI.h"
@@ -39,7 +41,8 @@
XpmColor *colors, unsigned int ncolors,
unsigned int cpp));
-LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,
+LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
+ unsigned int width,
unsigned int height, unsigned int cpp,
unsigned int *pixels, XpmColor *colors));
@@ -47,7 +50,8 @@
unsigned int *ext_size,
unsigned int *ext_nlines));
-LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,
+LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
+ unsigned int offset,
XpmExtension *ext, unsigned int num,
unsigned int ext_nlines));
@@ -88,10 +92,11 @@
#undef RETURN
#define RETURN(status) \
+do \
{ \
ErrorStatus = status; \
goto exit; \
-}
+} while(0)
int
XpmCreateDataFromXpmImage(data_return, image, info)
@@ -122,9 +127,17 @@
* alloc a temporary array of char pointer for the header section which
* is the hints line + the color table lines
*/
- header_nlines = 1 + image->ncolors;
+ header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */
+
+ /* 2nd check superfluous if we do not need header_nlines any further */
+ if(header_nlines <= image->ncolors ||
+ header_nlines >= UINT_MAX / sizeof(char *))
+ return(XpmNoMemory);
+
header_size = sizeof(char *) * header_nlines;
- header = (char **) XpmCalloc(header_size, sizeof(char *));
+ if (header_size >= UINT_MAX / sizeof(char *))
+ return (XpmNoMemory);
+ header = (char **) XpmCalloc(header_size, sizeof(char *)); /* can we trust image->ncolors */
if (!header)
return (XpmNoMemory);
@@ -168,8 +181,22 @@
/* now we know the size needed, alloc the data and copy the header lines */
offset = image->width * image->cpp + 1;
- data_size = header_size + (image->height + ext_nlines) * sizeof(char *)
- + image->height * offset + ext_size;
+
+ if(offset <= image->width || offset <= image->cpp)
+ RETURN(XpmNoMemory);
+
+ if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
+ RETURN(XpmNoMemory);
+ data_size = (image->height + ext_nlines) * sizeof(char *);
+
+ if (image->height > UINT_MAX / offset ||
+ image->height * offset > UINT_MAX - data_size)
+ RETURN(XpmNoMemory);
+ data_size += image->height * offset;
+
+ if( (header_size + ext_size) >= (UINT_MAX - data_size) )
+ RETURN(XpmNoMemory);
+ data_size += header_size + ext_size;
data = (char **) XpmMalloc(data_size);
if (!data)
@@ -177,8 +204,10 @@
data_nlines = header_nlines + image->height + ext_nlines;
*data = (char *) (data + data_nlines);
+
+ /* can header have less elements then n suggests? */
n = image->ncolors;
- for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {
+ for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
strcpy(*sptr, *sptr2);
*(sptr + 1) = *sptr + strlen(*sptr2) + 1;
}
@@ -187,12 +216,13 @@
data[header_nlines] = (char *) data + header_size
+ (image->height + ext_nlines) * sizeof(char *);
- CreatePixels(data + header_nlines, image->width, image->height,
+ CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
image->cpp, image->data, image->colorTable);
/* print extensions */
if (extensions)
- CreateExtensions(data + header_nlines + image->height - 1, offset,
+ CreateExtensions(data + header_nlines + image->height - 1,
+ data_size - header_nlines - image->height + 1, offset,
info->extensions, info->nextensions,
ext_nlines);
@@ -223,23 +253,34 @@
char *s, *s2;
char **defaults;
+ /* can ncolors be trusted here? */
for (a = 0; a < ncolors; a++, colors++, dataptr++) {
defaults = (char **) colors;
+ if(sizeof(buf) <= cpp)
+ return(XpmNoMemory);
strncpy(buf, *defaults++, cpp);
s = buf + cpp;
+ if(sizeof(buf) <= (s-buf))
+ return XpmNoMemory;
+
for (key = 1; key <= NKEYS; key++, defaults++) {
if ((s2 = *defaults)) {
#ifndef VOID_SPRINTF
s +=
#endif
- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);
+ /* assume C99 compliance */
+ snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
#ifdef VOID_SPRINTF
s += strlen(s);
#endif
+ /* does s point out-of-bounds? */
+ if(sizeof(buf) < (s-buf))
+ return XpmNoMemory;
}
}
+ /* what about using strdup()? */
l = s - buf + 1;
s = (char *) XpmMalloc(l);
if (!s)
@@ -251,8 +292,9 @@
}
static void
-CreatePixels(dataptr, width, height, cpp, pixels, colors)
+CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
char **dataptr;
+ unsigned int data_size;
unsigned int width;
unsigned int height;
unsigned int cpp;
@@ -262,21 +304,38 @@
char *s;
unsigned int x, y, h, offset;
+ if(height <= 1)
+ return;
+
h = height - 1;
+
offset = width * cpp + 1;
+
+ if(offset <= width || offset <= cpp)
+ return;
+
+ /* why trust h? */
for (y = 0; y < h; y++, dataptr++) {
s = *dataptr;
+ /* why trust width? */
for (x = 0; x < width; x++, pixels++) {
- strncpy(s, colors[*pixels].string, cpp);
+ if(cpp > (data_size - (s - *dataptr)))
+ return;
+ strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */
s += cpp;
}
*s = '\0';
+ if(offset > data_size)
+ return;
*(dataptr + 1) = *dataptr + offset;
}
/* duplicate some code to avoid a test in the loop */
s = *dataptr;
+ /* why trust width? */
for (x = 0; x < width; x++, pixels++) {
- strncpy(s, colors[*pixels].string, cpp);
+ if(cpp > data_size - (s - *dataptr))
+ return;
+ strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? */
s += cpp;
}
*s = '\0';
@@ -309,8 +368,9 @@
}
static void
-CreateExtensions(dataptr, offset, ext, num, ext_nlines)
+CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
char **dataptr;
+ unsigned int data_size;
unsigned int offset;
XpmExtension *ext;
unsigned int num;
@@ -323,12 +383,12 @@
dataptr++;
a = 0;
for (x = 0; x < num; x++, ext++) {
- sprintf(*dataptr, "XPMEXT %s", ext->name);
+ snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
a++;
if (a < ext_nlines)
*(dataptr + 1) = *dataptr + strlen(ext->name) + 8;
dataptr++;
- b = ext->nlines;
+ b = ext->nlines; /* can we trust these values? */
for (y = 0, line = ext->lines; y < b; y++, line++) {
strcpy(*dataptr, *line);
a++;
Index: RdFToBuf.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/RdFToBuf.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- RdFToBuf.c 25 Jan 2004 06:25:57 -0000 1.1
+++ RdFToBuf.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -37,6 +37,8 @@
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
#include <sys/stat.h>
#if !defined(FOR_MSW) && !defined(WIN32)
@@ -58,7 +60,8 @@
char *filename;
char **buffer_return;
{
- int fd, fcheck, len;
+ int fd, fcheck;
+ off_t len;
char *ptr;
struct stat stats;
FILE *fp;
@@ -82,7 +85,7 @@
close(fd);
return XpmOpenFailed;
}
- len = (int) stats.st_size;
+ len = stats.st_size;
ptr = (char *) XpmMalloc(len + 1);
if (!ptr) {
fclose(fp);
Index: RdFToI.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/RdFToI.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- RdFToI.c 25 Jan 2004 06:25:57 -0000 1.1
+++ RdFToI.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -31,18 +31,16 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/RdFToI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
+/* $XFree86$ */
+
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
#include "XpmI.h"
-#include <sys/stat.h>
-#if !defined(NO_ZPIPE) && defined(WIN32)
-# define popen _popen
-# define pclose _pclose
-# if defined(STAT_ZFILE)
-# include <io.h>
-# define stat _stat
-# define fstat _fstat
-# endif
+#ifndef NO_ZPIPE
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/wait.h>
#endif
LFUNC(OpenReadFile, int, (char *filename, xpmData *mdata));
@@ -120,6 +118,67 @@
}
#endif /* CXPMPROG */
+#ifndef NO_ZPIPE
+/* Do not depend on errno after read_through */
+FILE*
+xpmPipeThrough(fd, cmd, arg1, mode)
+ int fd;
+ const char* cmd;
+ const char* arg1;
+ const char* mode;
+{
+ FILE* fp;
+ int status, fds[2], in = 0, out = 1;
+ pid_t pid;
+ if ( 'w' == *mode )
+ out = 0, in = 1;
+ if ( pipe(fds) < 0 )
+ return NULL;
+ pid = fork();
+ if ( pid < 0 )
+ goto fail1;
+ if ( 0 == pid )
+ {
+ close(fds[in]);
+ if ( dup2(fds[out], out) < 0 )
+ goto err;
+ close(fds[out]);
+ if ( dup2(fd, in) < 0 )
+ goto err;
+ close(fd);
+ pid = fork();
+ if ( pid < 0 )
+ goto err;
+ if ( 0 == pid )
+ {
+ execlp(cmd, cmd, arg1, NULL);
+ perror(cmd);
+ goto err;
+ }
+ _exit(0);
+ err:
+ _exit(1);
+ }
+ close(fds[out]);
+ /* calling process: wait for first child */
+ while ( waitpid(pid, &status, 0) < 0 && EINTR == errno )
+ ;
+ if ( WIFSIGNALED(status) ||
+ (WIFEXITED(status) && WEXITSTATUS(status) != 0) )
+ goto fail2;
+ fp = fdopen(fds[in], mode);
+ if ( !fp )
+ goto fail2;
+ close(fd); /* still open in 2nd child */
+ return fp;
+fail1:
+ close(fds[out]);
+fail2:
+ close(fds[in]);
+ return NULL;
+}
+#endif
+
/*
* open the given file to be read as an xpmData which is returned.
*/
@@ -128,72 +187,62 @@
char *filename;
xpmData *mdata;
{
-#ifndef NO_ZPIPE
- char buf[BUFSIZ];
-# ifdef STAT_ZFILE
- char *compressfile;
- struct stat status;
-# endif
-#endif
-
if (!filename) {
mdata->stream.file = (stdin);
mdata->type = XPMFILE;
} else {
-#ifndef NO_ZPIPE
- int len = strlen(filename);
- if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
- mdata->type = XPMPIPE;
- sprintf(buf, "uncompress -c \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "r")))
- return (XpmOpenFailed);
-
- } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
- mdata->type = XPMPIPE;
- sprintf(buf, "gunzip -qc \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "r")))
- return (XpmOpenFailed);
-
- } else {
-# ifdef STAT_ZFILE
- if (!(compressfile = (char *) XpmMalloc(len + 4)))
+ int fd = open(filename, O_RDONLY);
+#if defined(NO_ZPIPE)
+ if ( fd < 0 )
+ return XpmOpenFailed;
+#else
+ const char* ext = NULL;
+ if ( fd >= 0 )
+ ext = strrchr(filename, '.');
+#ifdef STAT_ZFILE /* searching for z-files if the given name not found */
+ else
+ {
+ size_t len = strlen(filename);
+ char *compressfile = (char *) XpmMalloc(len + 4);
+ if ( !compressfile )
return (XpmNoMemory);
-
- sprintf(compressfile, "%s.Z", filename);
- if (!stat(compressfile, &status)) {
- sprintf(buf, "uncompress -c \"%s\"", compressfile);
- if (!(mdata->stream.file = popen(buf, "r"))) {
+ strcpy(compressfile, filename);
+ strcpy(compressfile + len, ext = ".Z");
+ fd = open(compressfile, O_RDONLY);
+ if ( fd < 0 )
+ {
+ strcpy(compressfile + len, ext = ".gz");
+ fd = open(compressfile, O_RDONLY);
+ if ( fd < 0 )
+ {
XpmFree(compressfile);
- return (XpmOpenFailed);
- }
- mdata->type = XPMPIPE;
- } else {
- sprintf(compressfile, "%s.gz", filename);
- if (!stat(compressfile, &status)) {
- sprintf(buf, "gunzip -c \"%s\"", compressfile);
- if (!(mdata->stream.file = popen(buf, "r"))) {
- XpmFree(compressfile);
- return (XpmOpenFailed);
- }
- mdata->type = XPMPIPE;
- } else {
-# endif
-#endif
- if (!(mdata->stream.file = fopen(filename, "r"))) {
-#if !defined(NO_ZPIPE) && defined(STAT_ZFILE)
- XpmFree(compressfile);
-#endif
- return (XpmOpenFailed);
- }
- mdata->type = XPMFILE;
-#ifndef NO_ZPIPE
-# ifdef STAT_ZFILE
+ return XpmOpenFailed;
}
}
XpmFree(compressfile);
-# endif
}
#endif
+ if ( ext && !strcmp(ext, ".Z") )
+ {
+ mdata->type = XPMPIPE;
+ mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
+ }
+ else if ( ext && !strcmp(ext, ".gz") )
+ {
+ mdata->type = XPMPIPE;
+ mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
+ }
+ else
+#endif /* z-files */
+ {
+ mdata->type = XPMFILE;
+ mdata->stream.file = fdopen(fd, "r");
+ }
+ if (!mdata->stream.file)
+ {
+ close(fd);
+ return (XpmOpenFailed);
+ }
}
mdata->CommentLength = 0;
#ifdef CXPMPROG
@@ -210,15 +259,6 @@
xpmDataClose(mdata)
xpmData *mdata;
{
- switch (mdata->type) {
- case XPMFILE:
- if (mdata->stream.file != (stdin))
- fclose(mdata->stream.file);
- break;
-#ifndef NO_ZPIPE
- case XPMPIPE:
- pclose(mdata->stream.file);
- break;
-#endif
- }
+ if (mdata->stream.file != (stdin))
+ fclose(mdata->stream.file);
}
Index: WrFFrBuf.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/WrFFrBuf.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- WrFFrBuf.c 25 Jan 2004 06:25:57 -0000 1.1
+++ WrFFrBuf.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
int
@@ -49,7 +51,7 @@
fcheck = fwrite(buffer, len, 1, fp);
fclose(fp);
if (fcheck != 1)
- return XpmOpenFailed;
+ return XpmOpenFailed; /* maybe use a better return value */
return XpmSuccess;
}
Index: WrFFrI.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/WrFFrI.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- WrFFrI.c 25 Jan 2004 06:25:57 -0000 1.1
+++ WrFFrI.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -31,7 +31,7 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/WrFFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
+/* $XFree86$ */
/*
* The code related to AMIGA has been added by
@@ -39,9 +39,13 @@
*/
#include "XpmI.h"
-#if !defined(NO_ZPIPE) && defined(WIN32)
-# define popen _popen
-# define pclose _pclose
+
+#ifndef NO_ZPIPE
+#include "sys/wait.h"
+#include "sys/types.h"
+#include "fcntl.h"
+#include "unistd.h"
+#include "errno.h"
#endif
/* MS Windows define a function called WriteFile @#%#&!!! */
@@ -98,7 +102,7 @@
XpmInfo *info;
{
xpmData mdata;
- char *name, *dot, *s, new_name[BUFSIZ];
+ char *name, *dot, *s, new_name[BUFSIZ] = {0};
int ErrorStatus;
/* open file to write */
@@ -121,7 +125,8 @@
#endif
/* let's try to make a valid C syntax name */
if (index(name, '.')) {
- strcpy(new_name, name);
+ strncpy(new_name, name, sizeof(new_name));
+ new_name[sizeof(new_name)-1] = '\0';
/* change '.' to '_' */
name = s = new_name;
while ((dot = index(s, '.'))) {
@@ -248,6 +253,8 @@
unsigned int x, y, h;
h = height - 1;
+ if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
+ return XpmNoMemory;
p = buf = (char *) XpmMalloc(width * cpp + 3);
if (!buf)
return (XpmNoMemory);
@@ -295,6 +302,14 @@
fprintf(file, ",\n\"XPMENDEXT\"");
}
+
+#ifndef NO_ZPIPE
+FUNC(xpmPipeThrough, FILE*, (int fd,
+ const char* cmd,
+ const char* arg1,
+ const char* mode));
+#endif
+
/*
* open the given file to be written as an xpmData which is returned
*/
@@ -303,38 +318,32 @@
char *filename;
xpmData *mdata;
{
-#ifndef NO_ZPIPE
- char buf[BUFSIZ];
-
-#endif
-
if (!filename) {
mdata->stream.file = (stdout);
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len;
+#endif
+ int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0644);
+ if ( fd < 0 )
+ return(XpmOpenFailed);
+#ifndef NO_ZPIPE
+ len = strlen(filename);
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
- sprintf(buf, "compress > \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "w")))
- return (XpmOpenFailed);
-
+ mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
mdata->type = XPMPIPE;
} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
- sprintf(buf, "gzip -q > \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "w")))
- return (XpmOpenFailed);
-
+ mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
mdata->type = XPMPIPE;
- } else {
+ } else
#endif
- if (!(mdata->stream.file = fopen(filename, "w")))
- return (XpmOpenFailed);
-
+ {
+ mdata->stream.file = fdopen(fd, "w");
mdata->type = XPMFILE;
-#ifndef NO_ZPIPE
}
-#endif
+ if (!mdata->stream.file)
+ return (XpmOpenFailed);
}
return (XpmSuccess);
}
@@ -346,15 +355,7 @@
xpmDataClose(mdata)
xpmData *mdata;
{
- switch (mdata->type) {
- case XPMFILE:
- if (mdata->stream.file != (stdout))
- fclose(mdata->stream.file);
- break;
-#ifndef NO_ZPIPE
- case XPMPIPE:
- pclose(mdata->stream.file);
- break;
-#endif
- }
+ if (mdata->stream.file != (stdout))
+ fclose(mdata->stream.file);
}
+
Index: XpmI.h
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/XpmI.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- XpmI.h 25 Jan 2004 06:25:57 -0000 1.1
+++ XpmI.h 28 Jan 2005 19:33:57 -0000 1.2
@@ -22,7 +22,7 @@
* used in advertising or otherwise to promote the sale, use or other dealings
* in this Software without prior written authorization from GROUPE BULL.
*/
-/* $XFree86: xc/extras/Xpm/lib/XpmI.h,v 1.9 2003/08/06 14:03:58 eich Exp $ */
+/* $XFree86: xc/extras/Xpm/lib/XpmI.h,v 1.7 2001/11/01 23:35:25 dawes Exp $ */
/*****************************************************************************\
* XpmI.h: *
@@ -49,8 +49,10 @@
* lets try to solve include files
*/
+#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
+#include <limits.h>
/* stdio.h doesn't declare popen on a Sequent DYNIX OS */
#ifdef sequent
extern FILE *popen();
@@ -86,6 +88,18 @@
boundCheckingCalloc((long)(nelem),(long) (elsize))
#endif
+#if defined(SCO) || defined(__USLC__)
+#include <stdint.h> /* For SIZE_MAX */
+#endif
+#include <limits.h>
+#ifndef SIZE_MAX
+# ifdef ULONG_MAX
+# define SIZE_MAX ULONG_MAX
+# else
+# define SIZE_MAX UINT_MAX
+# endif
+#endif
+
#define XPMMAXCMTLEN BUFSIZ
typedef struct {
unsigned int type;
@@ -187,9 +201,9 @@
} *xpmHashAtom;
typedef struct {
- int size;
- int limit;
- int used;
+ unsigned int size;
+ unsigned int limit;
+ unsigned int used;
xpmHashAtom *atomTable;
} xpmHashTable;
Index: create.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/create.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- create.c 25 Jan 2004 06:25:57 -0000 1.1
+++ create.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -1,3 +1,4 @@
+/* $XdotOrg: xc/extras/Xpm/lib/create.c,v 1.4 2004/11/25 21:19:11 herrb Exp $ */
/*
* Copyright (C) 1989-95 GROUPE BULL
*
@@ -32,7 +33,7 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/create.c,v 1.5 2003/10/07 21:25:37 herrb Exp $ */
+/* $XFree86: xc/extras/Xpm/lib/create.c,v 1.4 2003/05/27 22:26:20 tsi Exp $ */
/*
* The code related to FOR_MSW has been added by
@@ -44,6 +45,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
#include <ctype.h>
@@ -585,7 +588,7 @@
*/
} else {
#endif
- int i;
+ unsigned int i;
#ifndef AMIGA
ncols = visual->map_entries;
@@ -745,12 +748,14 @@
/* function call in case of error */
+
#undef RETURN
#define RETURN(status) \
+do \
{ \
ErrorStatus = status; \
goto error; \
-}
+} while(0)
int
XpmCreateImageFromXpmImage(display, image,
@@ -816,6 +821,9 @@
ErrorStatus = XpmSuccess;
+ if (image->ncolors >= UINT_MAX / sizeof(Pixel))
+ return (XpmNoMemory);
+
/* malloc pixels index tables */
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
if (!image_pixels)
@@ -988,7 +996,13 @@
return (XpmNoMemory);
#if !defined(FOR_MSW) && !defined(AMIGA)
+ if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+ XDestroyImage(*image_return);
+ return XpmNoMemory;
+ }
/* now that bytes_per_line must have been set properly alloc data */
+ if((*image_return)->bytes_per_line == 0 || height == 0)
+ return XpmNoMemory;
(*image_return)->data =
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1017,7 +1031,7 @@
LFUNC(_putbits, void, (register char *src, int dstoffset,
register int numbits, register char *dst));
-LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));
+LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
static unsigned char Const _reverse_byte[0x100] = {
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
@@ -1057,12 +1071,12 @@
static int
_XReverse_Bytes(bpt, nb)
register unsigned char *bpt;
- register int nb;
+ register unsigned int nb;
{
do {
*bpt = _reverse_byte[*bpt];
bpt++;
- } while (--nb > 0);
+ } while (--nb > 0); /* is nb user-controled? */
return 0;
}
@@ -1201,7 +1215,7 @@
register char *src;
register char *dst;
register unsigned int *iptr;
- register int x, y, i;
+ register unsigned int x, y, i;
register char *data;
Pixel pixel, px;
int nbytes, depth, ibu, ibpp;
@@ -1211,8 +1225,8 @@
depth = image->depth;
if (depth == 1) {
ibu = image->bitmap_unit;
- for (y = 0; y < height; y++)
- for (x = 0; x < width; x++, iptr++) {
+ for (y = 0; y < height; y++) /* how can we trust height */
+ for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
pixel = pixels[*iptr];
for (i = 0, px = pixel; i < sizeof(unsigned long);
i++, px >>= 8)
@@ -1287,12 +1301,12 @@
{
unsigned char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
Pixel pixel;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
unsigned char *addr;
data = (unsigned char *) image->data;
@@ -1329,7 +1343,7 @@
#else /* WITHOUT_SPEEDUPS */
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
unsigned char *data_ptr, *max_data;
data = (unsigned char *) image->data;
@@ -1397,11 +1411,11 @@
{
unsigned char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
unsigned char *addr;
data = (unsigned char *) image->data;
@@ -1425,7 +1439,7 @@
Pixel pixel;
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
unsigned char *data_ptr, *max_data;
data = (unsigned char *) image->data;
@@ -1478,11 +1492,11 @@
{
char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
data = image->data;
iptr = pixelindex;
@@ -1492,7 +1506,7 @@
#else /* WITHOUT_SPEEDUPS */
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
char *data_ptr, *max_data;
data = image->data;
@@ -1527,12 +1541,12 @@
PutImagePixels(image, width, height, pixelindex, pixels);
else {
unsigned int *iptr;
- int y;
+ unsigned int y;
char *data;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
data = image->data;
iptr = pixelindex;
@@ -1755,6 +1769,9 @@
Pixel px;
int nbytes;
+ if(x < 0 || y < 0)
+ return 0;
+
for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
((unsigned char *)&pixel)[i] = px;
src = &ximage->data[XYINDEX(x, y, ximage)];
@@ -1785,7 +1802,10 @@
register char *dst;
register int i;
Pixel px;
- int nbytes, ibpp;
+ unsigned int nbytes, ibpp;
+
+ if(x < 0 || y < 0)
+ return 0;
ibpp = ximage->bits_per_pixel;
if (ximage->depth == 4)
@@ -1819,6 +1839,9 @@
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
*((unsigned long *)addr) = pixel;
return 1;
@@ -1834,6 +1857,9 @@
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
addr[0] = pixel >> 24;
addr[1] = pixel >> 16;
@@ -1851,6 +1877,9 @@
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
addr[3] = pixel >> 24;
addr[2] = pixel >> 16;
@@ -1868,6 +1897,9 @@
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
addr[0] = pixel >> 8;
addr[1] = pixel;
@@ -1883,6 +1915,9 @@
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
addr[1] = pixel >> 8;
addr[0] = pixel;
@@ -1896,6 +1931,9 @@
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
ximage->data[ZINDEX8(x, y, ximage)] = pixel;
return 1;
}
@@ -1907,6 +1945,9 @@
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
if (pixel & 1)
ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7);
else
@@ -1921,6 +1962,9 @@
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
if (pixel & 1)
ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7);
else
@@ -2055,6 +2099,9 @@
xpmGetCmt(data, &colors_cmt);
/* malloc pixels index tables */
+ if (ncolors >= UINT_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
+
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
if (!image_pixels)
RETURN(XpmNoMemory);
@@ -2165,7 +2212,7 @@
* free the hastable
*/
if (ErrorStatus != XpmSuccess)
- RETURN(ErrorStatus)
+ RETURN(ErrorStatus);
else if (USE_HASHTABLE)
xpmHashTableFree(&hashtable);
@@ -2309,7 +2356,8 @@
}
obm = SelectObject(*dc, image->bitmap);
#endif
-
+ if (ncolors > 256)
+ return (XpmFileInvalid);
bzero((char *)colidx, 256 * sizeof(short));
for (a = 0; a < ncolors; a++)
@@ -2356,11 +2404,11 @@
/* array of pointers malloced by need */
unsigned short *cidx[256];
- int char1;
+ unsigned int char1;
bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
for (a = 0; a < ncolors; a++) {
- char1 = colorTable[a].string[0];
+ char1 = (unsigned char) colorTable[a].string[0];
if (cidx[char1] == NULL) { /* get new memory */
cidx[char1] = (unsigned short *)
XpmCalloc(256, sizeof(unsigned short));
@@ -2415,6 +2463,9 @@
char *s;
char buf[BUFSIZ];
+ if (cpp >= sizeof(buf))
+ return (XpmFileInvalid);
+
buf[cpp] = '\0';
if (USE_HASHTABLE) {
xpmHashAtom *slot;
Index: data.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/data.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- data.c 25 Jan 2004 06:25:57 -0000 1.1
+++ data.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -31,7 +31,9 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/data.c,v 1.4 2002/01/07 19:40:49 dawes Exp $ */
+/* $XFree86: xc/extras/Xpm/lib/data.c,v 1.3 2001/10/28 03:32:10 tsi Exp $ */
+
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
#ifndef CXPMPROG
#if 0
@@ -262,7 +264,7 @@
}
Ungetc(data, c, file);
}
- return (n);
+ return (n); /* this returns bytes read + 1 */
}
/*
@@ -375,8 +377,9 @@
{
if (!data->type)
*cmt = NULL;
- else if (data->CommentLength) {
- *cmt = (char *) XpmMalloc(data->CommentLength + 1);
+ else if (data->CommentLength != 0 && data->CommentLength < UINT_MAX - 1) {
+ if( (*cmt = (char *) XpmMalloc(data->CommentLength + 1)) == NULL)
+ return XpmNoMemory;
strncpy(*cmt, data->Comment, data->CommentLength);
(*cmt)[data->CommentLength] = '\0';
data->CommentLength = 0;
@@ -400,7 +403,7 @@
xpmParseHeader(data)
xpmData *data;
{
- char buf[BUFSIZ];
+ char buf[BUFSIZ+1] = {0};
int l, n = 0;
if (data->type) {
Index: hashtab.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/hashtab.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- hashtab.c 25 Jan 2004 06:25:57 -0000 1.1
+++ hashtab.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -135,15 +135,17 @@
xpmHashTable *table;
{
xpmHashAtom *atomTable = table->atomTable;
- int size = table->size;
+ unsigned int size = table->size;
xpmHashAtom *t, *p;
int i;
- int oldSize = size;
+ unsigned int oldSize = size;
t = atomTable;
HASH_TABLE_GROWS
table->size = size;
table->limit = size / 3;
+ if (size >= UINT_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
if (!atomTable)
return (XpmNoMemory);
@@ -204,6 +206,8 @@
table->size = INITIAL_HASH_SIZE;
table->limit = table->size / 3;
table->used = 0;
+ if (table->size >= UINT_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
if (!atomTable)
return (XpmNoMemory);
Index: misc.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/misc.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- misc.c 25 Jan 2004 06:25:57 -0000 1.1
+++ misc.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -44,7 +44,7 @@
char *s1;
{
char *s2;
- int l = strlen(s1) + 1;
+ size_t l = strlen(s1) + 1;
if (s2 = (char *) XpmMalloc(l))
strcpy(s2, s1);
Index: parse.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/parse.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- parse.c 25 Jan 2004 06:25:57 -0000 1.1
+++ parse.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -1,3 +1,4 @@
+/* $XdotOrg: xc/extras/Xpm/lib/parse.c,v 1.4 2004/11/25 21:19:11 herrb Exp $ */
/*
* Copyright (C) 1989-95 GROUPE BULL
*
@@ -22,7 +23,7 @@
* used in advertising or otherwise to promote the sale, use or other dealings
* in this Software without prior written authorization from GROUPE BULL.
*/
-/* $XFree86: xc/extras/Xpm/lib/parse.c,v 1.3 2001/10/28 03:32:10 tsi Exp $ */
+/* $XFree86: xc/extras/Xpm/lib/parse.c,v 1.2 2000/09/26 15:56:43 tsi Exp $ */
/*****************************************************************************\
* parse.c: *
@@ -33,17 +34,37 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/parse.c,v 1.3 2001/10/28 03:32:10 tsi Exp $ */
+/* $XFree86$ */
/*
* The code related to FOR_MSW has been added by
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
#include <ctype.h>
#include <string.h>
+#ifdef HAS_STRLCAT
+# define STRLCAT(dst, src, dstsize) do { \
+ if (strlcat(dst, src, dstsize) >= (dstsize)) \
+ return (XpmFileInvalid); } while(0)
+# define STRLCPY(dst, src, dstsize) do { \
+ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
+ return (XpmFileInvalid); } while(0)
+#else
+# define STRLCAT(dst, src, dstsize) do { \
+ if ((strlen(dst) + strlen(src)) < (dstsize)) \
+ strcat(dst, src); \
+ else return (XpmFileInvalid); } while(0)
+# define STRLCPY(dst, src, dstsize) do { \
+ if (strlen(src) < (dstsize)) \
+ strcpy(dst, src); \
+ else return (XpmFileInvalid); } while(0)
+#endif
+
LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
unsigned int height, unsigned int ncolors,
unsigned int cpp, XpmColor *colorTable,
@@ -66,7 +87,7 @@
unsigned int *extensions;
{
unsigned int l;
- char buf[BUFSIZ];
+ char buf[BUFSIZ + 1];
if (!data->format) { /* XPM 2 or 3 */
@@ -175,10 +196,10 @@
XpmColor **colorTablePtr;
xpmHashTable *hashtable;
{
- unsigned int key = 0, l, a, b;
+ unsigned int key = 0, l, a, b, len;
unsigned int curkey; /* current color key */
unsigned int lastwaskey; /* key read */
- char buf[BUFSIZ];
+ char buf[BUFSIZ+1];
char curbuf[BUFSIZ]; /* current buffer */
char **sptr, *s;
XpmColor *color;
@@ -186,6 +207,8 @@
char **defaults;
int ErrorStatus;
+ if (ncolors >= UINT_MAX / sizeof(XpmColor))
+ return (XpmNoMemory);
colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
if (!colorTable)
return (XpmNoMemory);
@@ -197,6 +220,10 @@
/*
* read pixel value
*/
+ if (cpp >= UINT_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
color->string = (char *) XpmMalloc(cpp + 1);
if (!color->string) {
xpmFreeColorTable(colorTable, ncolors);
@@ -234,13 +261,14 @@
}
if (!lastwaskey && key < NKEYS) { /* open new key */
if (curkey) { /* flush string */
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = (char *) XpmMalloc(len);
if (!s) {
xpmFreeColorTable(colorTable, ncolors);
return (XpmNoMemory);
}
defaults[curkey] = s;
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
}
curkey = key + 1; /* set new key */
*curbuf = '\0'; /* reset curbuf */
@@ -251,9 +279,9 @@
return (XpmFileInvalid);
}
if (!lastwaskey)
- strcat(curbuf, " "); /* append space */
+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
buf[l] = '\0';
- strcat(curbuf, buf);/* append buf */
+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
lastwaskey = 0;
}
}
@@ -261,12 +289,13 @@
xpmFreeColorTable(colorTable, ncolors);
return (XpmFileInvalid);
}
- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
+ s = defaults[curkey] = (char *) XpmMalloc(len);
if (!s) {
xpmFreeColorTable(colorTable, ncolors);
return (XpmNoMemory);
}
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
}
} else { /* XPM 1 */
/* get to the beginning of the first string */
@@ -279,6 +308,10 @@
/*
* read pixel value
*/
+ if (cpp >= UINT_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
color->string = (char *) XpmMalloc(cpp + 1);
if (!color->string) {
xpmFreeColorTable(colorTable, ncolors);
@@ -307,19 +340,20 @@
*curbuf = '\0'; /* init curbuf */
while ((l = xpmNextWord(data, buf, BUFSIZ))) {
if (*curbuf != '\0')
- strcat(curbuf, " ");/* append space */
+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
buf[l] = '\0';
- strcat(curbuf, buf); /* append buf */
+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
}
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = (char *) XpmMalloc(len);
if (!s) {
xpmFreeColorTable(colorTable, ncolors);
return (XpmNoMemory);
}
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
color->c_color = s;
*curbuf = '\0'; /* reset curbuf */
- if (a < ncolors - 1)
+ if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
xpmNextString(data); /* get to the next string */
}
}
@@ -338,9 +372,12 @@
xpmHashTable *hashtable;
unsigned int **pixels;
{
- unsigned int *iptr, *iptr2;
+ unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
unsigned int a, x, y;
+ if ((height > 0 && width >= UINT_MAX / height) ||
+ width * height >= UINT_MAX / sizeof(unsigned int))
+ return XpmNoMemory;
#ifndef FOR_MSW
iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
#else
@@ -364,6 +401,11 @@
{
unsigned short colidx[256];
+ if (ncolors > 256) {
+ XpmFree(iptr2); /* found by Egbert Eich */
+ return (XpmFileInvalid);
+ }
+
bzero((char *)colidx, 256 * sizeof(short));
for (a = 0; a < ncolors; a++)
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -389,16 +431,20 @@
{
/* free all allocated pointers at all exits */
-#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \
-if (cidx[f]) XpmFree(cidx[f]);}
+#define FREE_CIDX \
+do \
+{ \
+ int f; for (f = 0; f < 256; f++) \
+ if (cidx[f]) XpmFree(cidx[f]); \
+} while(0)
/* array of pointers malloced by need */
unsigned short *cidx[256];
- int char1;
+ unsigned int char1;
bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
for (a = 0; a < ncolors; a++) {
- char1 = colorTable[a].string[0];
+ char1 = (unsigned char) colorTable[a].string[0];
if (cidx[char1] == NULL) { /* get new memory */
cidx[char1] = (unsigned short *)
XpmCalloc(256, sizeof(unsigned short));
@@ -442,6 +488,11 @@
char *s;
char buf[BUFSIZ];
+ if (cpp >= sizeof(buf)) {
+ XpmFree(iptr2); /* found by Egbert Eich */
+ return (XpmFileInvalid);
+ }
+
buf[cpp] = '\0';
if (USE_HASHTABLE) {
xpmHashAtom *slot;
@@ -450,7 +501,7 @@
xpmNextString(data);
for (x = 0; x < width; x++, iptr++) {
for (a = 0, s = buf; a < cpp; a++, s++)
- *s = xpmGetC(data);
+ *s = xpmGetC(data); /* int assigned to char, not a problem here */
slot = xpmHashSlot(hashtable, buf);
if (!*slot) { /* no color matches */
XpmFree(iptr2);
@@ -464,7 +515,7 @@
xpmNextString(data);
for (x = 0; x < width; x++, iptr++) {
for (a = 0, s = buf; a < cpp; a++, s++)
- *s = xpmGetC(data);
+ *s = xpmGetC(data); /* int assigned to char, not a problem here */
for (a = 0; a < ncolors; a++)
if (!strcmp(colorTable[a].string, buf))
break;
@@ -519,7 +570,7 @@
while (!notstart && notend) {
/* there starts an extension */
ext = (XpmExtension *)
- XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));
+ XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
if (!ext) {
XpmFree(string);
XpmFreeExtensions(exts, num);
@@ -556,7 +607,7 @@
while ((notstart = strncmp("XPMEXT", string, 6))
&& (notend = strncmp("XPMENDEXT", string, 9))) {
sp = (char **)
- XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));
+ XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
if (!sp) {
XpmFree(string);
ext->nlines = nlines;
@@ -596,9 +647,9 @@
/* function call in case of error */
#undef RETURN
#define RETURN(status) \
-{ \
+do { \
goto error; \
-}
+} while(0)
/*
* This function parses an Xpm file or data and store the found informations
Index: scan.c
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/scan.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- scan.c 25 Jan 2004 06:25:57 -0000 1.1
+++ scan.c 28 Jan 2005 19:33:57 -0000 1.2
@@ -31,7 +31,7 @@
* *
* Developed by Arnaud Le Hors *
\*****************************************************************************/
-/* $XFree86: xc/extras/Xpm/lib/scan.c,v 1.3 2002/01/07 19:40:49 dawes Exp $ */
+/* $XFree86: xc/extras/Xpm/lib/scan.c,v 1.2 2001/10/28 03:32:11 tsi Exp $ */
/*
* The code related to FOR_MSW has been added by
@@ -43,6 +43,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
#define MAXPRINTABLE 92 /* number of printable ascii chars
@@ -107,7 +109,8 @@
LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
XpmAttributes *attributes));
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
+ unsigned int ncolors,
Pixel *pixels, unsigned int mask,
unsigned int cpp, XpmAttributes *attributes));
@@ -171,10 +174,10 @@
/* function call in case of error */
#undef RETURN
#define RETURN(status) \
-{ \
+do { \
ErrorStatus = status; \
goto error; \
-}
+} while(0)
/*
* This function scans the given image and stores the found informations in
@@ -232,11 +235,17 @@
else
cpp = 0;
+ if ((height > 0 && width >= UINT_MAX / height) ||
+ width * height >= UINT_MAX / sizeof(unsigned int))
+ RETURN(XpmNoMemory);
pmap.pixelindex =
(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
if (!pmap.pixelindex)
RETURN(XpmNoMemory);
+ if (pmap.size >= UINT_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
+
pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
if (!pmap.pixels)
RETURN(XpmNoMemory);
@@ -301,7 +310,8 @@
* get rgb values and a string of char, and possibly a name for each
* color
*/
-
+ if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
+ RETURN(XpmNoMemory);
colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
if (!colorTable)
RETURN(XpmNoMemory);
@@ -360,6 +370,8 @@
/* first get a character string */
a = 0;
+ if (cpp >= UINT_MAX - 1)
+ return (XpmNoMemory);
if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
return (XpmNoMemory);
*s++ = printable[c = a % MAXPRINTABLE];
@@ -407,7 +419,7 @@
ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
Display *display;
XpmColor *colors;
- int ncolors;
+ unsigned int ncolors;
Pixel *pixels;
unsigned int mask;
unsigned int cpp;
@@ -451,6 +463,8 @@
}
/* first get character strings and rgb values */
+ if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1)
+ return (XpmNoMemory);
xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
if (!xcolors)
return (XpmNoMemory);
@@ -607,7 +621,7 @@
char *dst;
unsigned int *iptr;
char *data;
- int x, y, i;
+ unsigned int x, y, i;
int bits, depth, ibu, ibpp, offset;
unsigned long lbt;
Pixel pixel, px;
@@ -709,7 +723,7 @@
unsigned char *addr;
unsigned char *data;
unsigned int *iptr;
- int x, y;
+ unsigned int x, y;
unsigned long lbt;
Pixel pixel;
int depth;
@@ -774,7 +788,7 @@
unsigned char *addr;
unsigned char *data;
unsigned int *iptr;
- int x, y;
+ unsigned int x, y;
unsigned long lbt;
Pixel pixel;
int depth;
@@ -819,7 +833,7 @@
{
unsigned int *iptr;
unsigned char *data;
- int x, y;
+ unsigned int x, y;
unsigned long lbt;
Pixel pixel;
int depth;
@@ -852,7 +866,7 @@
storeFuncPtr storeFunc;
{
unsigned int *iptr;
- int x, y;
+ unsigned int x, y;
char *data;
Pixel pixel;
int xoff, yoff, offset, bpl;
@@ -888,11 +902,11 @@
# else /* AMIGA */
#define CLEAN_UP(status) \
-{\
+do {\
if (pixels) XpmFree (pixels);\
if (tmp_img) FreeXImage (tmp_img);\
return (status);\
-}
+} while(0)
static int
AGetImagePixels (
@@ -913,7 +927,7 @@
tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);
if (tmp_img == NULL)
- CLEAN_UP (XpmNoMemory)
+ CLEAN_UP (XpmNoMemory);
iptr = pmap->pixelindex;
for (y = 0; y < height; ++y)
@@ -922,11 +936,11 @@
for (x = 0; x < width; ++x, ++iptr)
{
if ((*storeFunc) (pixels[x], pmap, iptr))
- CLEAN_UP (XpmNoMemory)
+ CLEAN_UP (XpmNoMemory);
}
}
- CLEAN_UP (XpmSuccess)
+ CLEAN_UP (XpmSuccess);
}
#undef CLEAN_UP
Index: xpm.h
===================================================================
RCS file: /cvs/xlibs/Xpm/lib/xpm.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- xpm.h 25 Jan 2004 06:25:57 -0000 1.1
+++ xpm.h 28 Jan 2005 19:33:57 -0000 1.2
@@ -22,7 +22,7 @@
* used in advertising or otherwise to promote the sale, use or other dealings
* in this Software without prior written authorization from GROUPE BULL.
*/
-/* $XFree86: xc/extras/Xpm/lib/xpm.h,v 1.3 2003/11/17 22:20:02 dawes Exp $ */
+/* $XFree86: xc/extras/Xpm/lib/xpm.h,v 1.2 2001/08/22 23:36:44 dawes Exp $ */
/*****************************************************************************\
* xpm.h: *
@@ -284,9 +284,7 @@
* functions declarations
*/
-#ifdef __cplusplus
-extern "C" {
-#endif
+_XFUNCPROTOBEGIN
/* FOR_MSW, all ..Pixmap.. are excluded, only the ..XImage.. are used */
/* Same for Amiga! */
@@ -440,10 +438,7 @@
FUNC(XpmFree, void, (void *ptr));
-#ifdef __cplusplus
-} /* for C++ V2.0 */
-#endif
-
+_XFUNCPROTOEND
/* backward compatibility */
- Previous message: Xpm ChangeLog,1.7,1.8 configure.ac,1.3,1.4
- Next message: Xt ChangeLog, 3.15, 3.16 Composite.c, 1.6, 1.7 Converters.c, 3.16,
3.17 Xtos.h, 3.14, 3.15
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the xlibs-commit
mailing list