summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEgbert Eich <eich@suse.de>2004-09-21 17:57:35 +0000
committerEgbert Eich <eich@suse.de>2004-09-21 17:57:35 +0000
commita983dafac59dcb425666a5a5556da4734e50c6c5 (patch)
tree6fbd73d497da68397e83ee8d27790965f80ca26a
parent2773a7214e282f6f673483f5233b880505947c3f (diff)
Merged over libXpm security fix provided by Chris Evans, Matthieu Herrb and
Alan Coopersmith from release 6.8.1. Fail during initialization with error if font/fontset is not set for widget. This prevents a sig11 later when the non-existent font/fontset structs are referenced. Check if xf86Info.kbdProc pointer is really set before calling it on abort as this pointer won't be set if the new modular keyboard driver is used (Matthias Hopf). Added new libs to the bindist control files. Removed inclusion of unnecessary kernel header on Linux. This may fail in an -ansi environment.
-rw-r--r--src/Attrib.c7
-rw-r--r--src/CrDatFrI.c2
-rw-r--r--src/WrFFrI.c2
-rw-r--r--src/XpmI.h18
-rw-r--r--src/create.c15
-rw-r--r--src/data.c2
-rw-r--r--src/hashtab.c6
-rw-r--r--src/parse.c67
-rw-r--r--src/scan.c18
9 files changed, 113 insertions, 24 deletions
diff --git a/src/Attrib.c b/src/Attrib.c
index 04b843b..cf7081c 100644
--- a/src/Attrib.c
+++ b/src/Attrib.c
@@ -35,7 +35,7 @@
#include "XpmI.h"
/* 3.2 backward compatibility code */
-LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors,
+LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
XpmColor ***oldct));
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
@@ -46,12 +46,15 @@ LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
static int
CreateOldColorTable(ct, ncolors, oldct)
XpmColor *ct;
- int ncolors;
+ unsigned int ncolors;
XpmColor ***oldct;
{
XpmColor **colorTable, **color;
int a;
+ if (ncolors >= SIZE_MAX / sizeof(XpmColor *))
+ return XpmNoMemory;
+
colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
if (!colorTable) {
*oldct = NULL;
diff --git a/src/CrDatFrI.c b/src/CrDatFrI.c
index 55f8b06..8bec109 100644
--- a/src/CrDatFrI.c
+++ b/src/CrDatFrI.c
@@ -124,6 +124,8 @@ XpmCreateDataFromXpmImage(data_return, image, info)
*/
header_nlines = 1 + image->ncolors;
header_size = sizeof(char *) * header_nlines;
+ if (header_size >= SIZE_MAX / sizeof(char *))
+ return (XpmNoMemory);
header = (char **) XpmCalloc(header_size, sizeof(char *));
if (!header)
return (XpmNoMemory);
diff --git a/src/WrFFrI.c b/src/WrFFrI.c
index 41b4c0d..5ef5814 100644
--- a/src/WrFFrI.c
+++ b/src/WrFFrI.c
@@ -248,6 +248,8 @@ WritePixels(file, width, height, cpp, pixels, colors)
unsigned int x, y, h;
h = height - 1;
+ if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)
+ return XpmNoMemory;
p = buf = (char *) XpmMalloc(width * cpp + 3);
if (!buf)
return (XpmNoMemory);
diff --git a/src/XpmI.h b/src/XpmI.h
index 91f6cd9..5c5b900 100644
--- a/src/XpmI.h
+++ b/src/XpmI.h
@@ -86,6 +86,18 @@ extern FILE *popen();
boundCheckingCalloc((long)(nelem),(long) (elsize))
#endif
+#if defined(SCO) || defined(__USLC__)
+#include <stdint.h> /* For SIZE_MAX */
+#endif
+#include <limits.h>
+#ifndef SIZE_MAX
+# ifdef ULONG_MAX
+# define SIZE_MAX ULONG_MAX
+# else
+# define SIZE_MAX UINT_MAX
+# endif
+#endif
+
#define XPMMAXCMTLEN BUFSIZ
typedef struct {
unsigned int type;
@@ -187,9 +199,9 @@ typedef struct _xpmHashAtom {
} *xpmHashAtom;
typedef struct {
- int size;
- int limit;
- int used;
+ unsigned int size;
+ unsigned int limit;
+ unsigned int used;
xpmHashAtom *atomTable;
} xpmHashTable;
diff --git a/src/create.c b/src/create.c
index 790e23e..8710c18 100644
--- a/src/create.c
+++ b/src/create.c
@@ -1,3 +1,4 @@
+/* $XdotOrg: xc/extras/Xpm/lib/create.c,v 1.2.4.1 2004/09/15 15:47:39 daniel Exp $ */
/*
* Copyright (C) 1989-95 GROUPE BULL
*
@@ -816,6 +817,9 @@ XpmCreateImageFromXpmImage(display, image,
ErrorStatus = XpmSuccess;
+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
+ return (XpmNoMemory);
+
/* malloc pixels index tables */
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
if (!image_pixels)
@@ -988,6 +992,8 @@ CreateXImage(display, visual, depth, format, width, height, image_return)
return (XpmNoMemory);
#if !defined(FOR_MSW) && !defined(AMIGA)
+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
+ return XpmNoMemory;
/* now that bytes_per_line must have been set properly alloc data */
(*image_return)->data =
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -2055,6 +2061,9 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return,
xpmGetCmt(data, &colors_cmt);
/* malloc pixels index tables */
+ if (ncolors >= SIZE_MAX / sizeof(Pixel))
+ return XpmNoMemory;
+
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
if (!image_pixels)
RETURN(XpmNoMemory);
@@ -2309,7 +2318,8 @@ ParseAndPutPixels(
}
obm = SelectObject(*dc, image->bitmap);
#endif
-
+ if (ncolors > 256)
+ return (XpmFileInvalid);
bzero((char *)colidx, 256 * sizeof(short));
for (a = 0; a < ncolors; a++)
@@ -2415,6 +2425,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
char *s;
char buf[BUFSIZ];
+ if (cpp >= sizeof(buf))
+ return (XpmFileInvalid);
+
buf[cpp] = '\0';
if (USE_HASHTABLE) {
xpmHashAtom *slot;
diff --git a/src/data.c b/src/data.c
index 8f4dc69..ccd98ed 100644
--- a/src/data.c
+++ b/src/data.c
@@ -375,7 +375,7 @@ xpmGetCmt(data, cmt)
{
if (!data->type)
*cmt = NULL;
- else if (data->CommentLength) {
+ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) {
*cmt = (char *) XpmMalloc(data->CommentLength + 1);
strncpy(*cmt, data->Comment, data->CommentLength);
(*cmt)[data->CommentLength] = '\0';
diff --git a/src/hashtab.c b/src/hashtab.c
index 7d596ec..f07cb6d 100644
--- a/src/hashtab.c
+++ b/src/hashtab.c
@@ -135,7 +135,7 @@ HashTableGrows(table)
xpmHashTable *table;
{
xpmHashAtom *atomTable = table->atomTable;
- int size = table->size;
+ unsigned int size = table->size;
xpmHashAtom *t, *p;
int i;
int oldSize = size;
@@ -144,6 +144,8 @@ HashTableGrows(table)
HASH_TABLE_GROWS
table->size = size;
table->limit = size / 3;
+ if (size >= SIZE_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
if (!atomTable)
return (XpmNoMemory);
@@ -204,6 +206,8 @@ xpmHashTableInit(table)
table->size = INITIAL_HASH_SIZE;
table->limit = table->size / 3;
table->used = 0;
+ if (table->size >= SIZE_MAX / sizeof(*atomTable))
+ return (XpmNoMemory);
atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
if (!atomTable)
return (XpmNoMemory);
diff --git a/src/parse.c b/src/parse.c
index 3c819a2..d46333b 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -1,3 +1,4 @@
+/* $XdotOrg: xc/extras/Xpm/lib/parse.c,v 1.2.4.1 2004/09/15 15:47:39 daniel Exp $ */
/*
* Copyright (C) 1989-95 GROUPE BULL
*
@@ -44,6 +45,24 @@
#include <ctype.h>
#include <string.h>
+#ifdef HAS_STRLCAT
+# define STRLCAT(dst, src, dstsize) { \
+ if (strlcat(dst, src, dstsize) >= (dstsize)) \
+ return (XpmFileInvalid); }
+# define STRLCPY(dst, src, dstsize) { \
+ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
+ return (XpmFileInvalid); }
+#else
+# define STRLCAT(dst, src, dstsize) { \
+ if ((strlen(dst) + strlen(src)) < (dstsize)) \
+ strcat(dst, src); \
+ else return (XpmFileInvalid); }
+# define STRLCPY(dst, src, dstsize) { \
+ if (strlen(src) < (dstsize)) \
+ strcpy(dst, src); \
+ else return (XpmFileInvalid); }
+#endif
+
LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
unsigned int height, unsigned int ncolors,
unsigned int cpp, XpmColor *colorTable,
@@ -66,7 +85,7 @@ xpmParseValues(data, width, height, ncolors, cpp,
unsigned int *extensions;
{
unsigned int l;
- char buf[BUFSIZ];
+ char buf[BUFSIZ + 1];
if (!data->format) { /* XPM 2 or 3 */
@@ -175,10 +194,10 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
XpmColor **colorTablePtr;
xpmHashTable *hashtable;
{
- unsigned int key = 0, l, a, b;
+ unsigned int key = 0, l, a, b, len;
unsigned int curkey; /* current color key */
unsigned int lastwaskey; /* key read */
- char buf[BUFSIZ];
+ char buf[BUFSIZ+1];
char curbuf[BUFSIZ]; /* current buffer */
char **sptr, *s;
XpmColor *color;
@@ -186,6 +205,8 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
char **defaults;
int ErrorStatus;
+ if (ncolors >= SIZE_MAX / sizeof(XpmColor))
+ return (XpmNoMemory);
colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
if (!colorTable)
return (XpmNoMemory);
@@ -197,6 +218,10 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
/*
* read pixel value
*/
+ if (cpp >= SIZE_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
color->string = (char *) XpmMalloc(cpp + 1);
if (!color->string) {
xpmFreeColorTable(colorTable, ncolors);
@@ -234,13 +259,14 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
}
if (!lastwaskey && key < NKEYS) { /* open new key */
if (curkey) { /* flush string */
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = (char *) XpmMalloc(len);
if (!s) {
xpmFreeColorTable(colorTable, ncolors);
return (XpmNoMemory);
}
defaults[curkey] = s;
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
}
curkey = key + 1; /* set new key */
*curbuf = '\0'; /* reset curbuf */
@@ -251,9 +277,9 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
return (XpmFileInvalid);
}
if (!lastwaskey)
- strcat(curbuf, " "); /* append space */
+ STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
buf[l] = '\0';
- strcat(curbuf, buf);/* append buf */
+ STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
lastwaskey = 0;
}
}
@@ -261,12 +287,13 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
xpmFreeColorTable(colorTable, ncolors);
return (XpmFileInvalid);
}
- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = defaults[curkey] = (char *) XpmMalloc(len);
if (!s) {
xpmFreeColorTable(colorTable, ncolors);
return (XpmNoMemory);
}
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
}
} else { /* XPM 1 */
/* get to the beginning of the first string */
@@ -279,6 +306,10 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
/*
* read pixel value
*/
+ if (cpp >= SIZE_MAX - 1) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
color->string = (char *) XpmMalloc(cpp + 1);
if (!color->string) {
xpmFreeColorTable(colorTable, ncolors);
@@ -307,16 +338,17 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable)
*curbuf = '\0'; /* init curbuf */
while ((l = xpmNextWord(data, buf, BUFSIZ))) {
if (*curbuf != '\0')
- strcat(curbuf, " ");/* append space */
+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
buf[l] = '\0';
- strcat(curbuf, buf); /* append buf */
+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
}
- s = (char *) XpmMalloc(strlen(curbuf) + 1);
+ len = strlen(curbuf) + 1;
+ s = (char *) XpmMalloc(len);
if (!s) {
xpmFreeColorTable(colorTable, ncolors);
return (XpmNoMemory);
}
- strcpy(s, curbuf);
+ memcpy(s, curbuf, len);
color->c_color = s;
*curbuf = '\0'; /* reset curbuf */
if (a < ncolors - 1)
@@ -341,6 +373,9 @@ ParsePixels(data, width, height, ncolors, cpp, colorTable, hashtable, pixels)
unsigned int *iptr, *iptr2;
unsigned int a, x, y;
+ if ((height > 0 && width >= SIZE_MAX / height) ||
+ width * height >= SIZE_MAX / sizeof(unsigned int))
+ return XpmNoMemory;
#ifndef FOR_MSW
iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
#else
@@ -364,6 +399,9 @@ ParsePixels(data, width, height, ncolors, cpp, colorTable, hashtable, pixels)
{
unsigned short colidx[256];
+ if (ncolors > 256)
+ return (XpmFileInvalid);
+
bzero((char *)colidx, 256 * sizeof(short));
for (a = 0; a < ncolors; a++)
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -442,6 +480,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
char *s;
char buf[BUFSIZ];
+ if (cpp >= sizeof(buf))
+ return (XpmFileInvalid);
+
buf[cpp] = '\0';
if (USE_HASHTABLE) {
xpmHashAtom *slot;
diff --git a/src/scan.c b/src/scan.c
index 4142e7f..230c7e6 100644
--- a/src/scan.c
+++ b/src/scan.c
@@ -107,7 +107,8 @@ LFUNC(MSWGetImagePixels, int, (Display *d, XImage *image, unsigned int width,
LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
XpmAttributes *attributes));
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
+ unsigned int ncolors,
Pixel *pixels, unsigned int mask,
unsigned int cpp, XpmAttributes *attributes));
@@ -232,11 +233,17 @@ XpmCreateXpmImageFromImage(display, image, shapeimage,
else
cpp = 0;
+ if ((height > 0 && width >= SIZE_MAX / height) ||
+ width * height >= SIZE_MAX / sizeof(unsigned int))
+ RETURN(XpmNoMemory);
pmap.pixelindex =
(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
if (!pmap.pixelindex)
RETURN(XpmNoMemory);
+ if (pmap.size >= SIZE_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
+
pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
if (!pmap.pixels)
RETURN(XpmNoMemory);
@@ -301,7 +308,8 @@ XpmCreateXpmImageFromImage(display, image, shapeimage,
* get rgb values and a string of char, and possibly a name for each
* color
*/
-
+ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
+ RETURN(XpmNoMemory);
colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
if (!colorTable)
RETURN(XpmNoMemory);
@@ -360,6 +368,8 @@ ScanTransparentColor(color, cpp, attributes)
/* first get a character string */
a = 0;
+ if (cpp >= SIZE_MAX - 1)
+ return (XpmNoMemory);
if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
return (XpmNoMemory);
*s++ = printable[c = a % MAXPRINTABLE];
@@ -407,7 +417,7 @@ static int
ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
Display *display;
XpmColor *colors;
- int ncolors;
+ unsigned int ncolors;
Pixel *pixels;
unsigned int mask;
unsigned int cpp;
@@ -451,6 +461,8 @@ ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
}
/* first get character strings and rgb values */
+ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
+ return (XpmNoMemory);
xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
if (!xcolors)
return (XpmNoMemory);