author | Egbert Eich <eich@suse.de> | 2004-09-21 17:57:35 +0000 |
---|---|---|
committer | Egbert Eich <eich@suse.de> | 2004-09-21 17:57:35 +0000 |
commit | a983dafac59dcb425666a5a5556da4734e50c6c5 (patch) | |
tree | 6fbd73d497da68397e83ee8d27790965f80ca26a | |
parent | 2773a7214e282f6f673483f5233b880505947c3f (diff) |
Merged over libXpm security fix provided by Chris Evans, Matthieu Herrb and
Alan Coopersmith from release 6.8.1.
Fail during initialization with error if font/fontset is not set for
widget. This prevents a sig11 later when the non-existent font/fontset
structs are referenced.
Check if xf86Info.kbdProc pointer is really set before calling it on abort
as this pointer won't be set if the new modular keyboard driver is used
(Matthias Hopf).
Added new libs to the bindist control files.
Removed inclusion of unnecessary kernel header on Linux. This may fail in
an -ansi environment.
-rw-r--r-- | src/Attrib.c | 7 | ||||
-rw-r--r-- | src/CrDatFrI.c | 2 | ||||
-rw-r--r-- | src/WrFFrI.c | 2 | ||||
-rw-r--r-- | src/XpmI.h | 18 | ||||
-rw-r--r-- | src/create.c | 15 | ||||
-rw-r--r-- | src/data.c | 2 | ||||
-rw-r--r-- | src/hashtab.c | 6 | ||||
-rw-r--r-- | src/parse.c | 67 | ||||
-rw-r--r-- | src/scan.c | 18 |
9 files changed, 113 insertions, 24 deletions
diff --git a/src/Attrib.c b/src/Attrib.c index 04b843b..cf7081c 100644 --- a/src/Attrib.c +++ b/src/Attrib.c @@ -35,7 +35,7 @@ #include "XpmI.h" /* 3.2 backward compatibility code */ -LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors, +LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, XpmColor ***oldct)); LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); @@ -46,12 +46,15 @@ LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); static int CreateOldColorTable(ct, ncolors, oldct) XpmColor *ct; - int ncolors; + unsigned int ncolors; XpmColor ***oldct; { XpmColor **colorTable, **color; int a; + if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) + return XpmNoMemory; + colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); if (!colorTable) { *oldct = NULL; diff --git a/src/CrDatFrI.c b/src/CrDatFrI.c index 55f8b06..8bec109 100644 --- a/src/CrDatFrI.c +++ b/src/CrDatFrI.c @@ -124,6 +124,8 @@ XpmCreateDataFromXpmImage(data_return, image, info) */ header_nlines = 1 + image->ncolors; header_size = sizeof(char *) * header_nlines; + if (header_size >= SIZE_MAX / sizeof(char *)) + return (XpmNoMemory); header = (char **) XpmCalloc(header_size, sizeof(char *)); if (!header) return (XpmNoMemory); diff --git a/src/WrFFrI.c b/src/WrFFrI.c index 41b4c0d..5ef5814 100644 --- a/src/WrFFrI.c +++ b/src/WrFFrI.c @@ -248,6 +248,8 @@ WritePixels(file, width, height, cpp, pixels, colors) unsigned int x, y, h; h = height - 1; + if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) + return XpmNoMemory; p = buf = (char *) XpmMalloc(width * cpp + 3); if (!buf) return (XpmNoMemory); 
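Review bot: The new overflow guard in CreateOldColorTable returns XpmNoMemory without touching `*oldct`, while the allocation-failure path directly below sets `*oldct = NULL` first. A caller that inspects or frees the out-parameter after a failure would then see whatever it held before the call. Suggest giving the guard the same body: `if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) { *oldct = NULL; return XpmNoMemory; }`. The rest of the function is outside the hunk; `int a` is presumably its loop index and would now be compared against an unsigned count.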
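Review bot: The guard in XpmCreateDataFromXpmImage tests `header_size` only after `sizeof(char *) * header_nlines` has been evaluated, so a product that already wrapped yields a small value and passes the check; `1 + image->ncolors` can wrap the same way one line earlier. Bounding the input before any arithmetic closes both, e.g. `if (image->ncolors >= SIZE_MAX / sizeof(char *) - 1) return (XpmNoMemory);` placed above the `header_nlines` assignment. Separately, `XpmCalloc(header_size, sizeof(char *))` passes a byte count as the element count, which looks unintended. The declarations of both variables are outside the hunk, so their widths should be confirmed before settling on the bound.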
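Review bot: The bound in WritePixels is derived from SIZE_MAX, but `width * cpp + 3` is evaluated in the operands' own type, which appears to be unsigned int (the parameter declarations are outside the hunk). Where size_t is wider than unsigned int, the product can wrap at UINT_MAX long before the guard fires, so XpmMalloc still receives a truncated size while the loop writes the full row. Bounding by the arithmetic type avoids that: `if (cpp != 0 && width >= (UINT_MAX - 3) / cpp)`. The same mismatch applies to the `cpp >= SIZE_MAX - 1` guards ahead of `XpmMalloc(cpp + 1)` in xpmParseColors, ScanTransparentColor and ScanOtherColors, and to the `width * height` tests in ParsePixels and XpmCreateXpmImageFromImage.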
@@ -86,6 +86,18 @@ extern FILE *popen(); boundCheckingCalloc((long)(nelem),(long) (elsize)) #endif +#if defined(SCO) || defined(__USLC__) +#include <stdint.h> /* For SIZE_MAX */ +#endif +#include <limits.h> +#ifndef SIZE_MAX +# ifdef ULONG_MAX +# define SIZE_MAX ULONG_MAX +# else +# define SIZE_MAX UINT_MAX +# endif +#endif + #define XPMMAXCMTLEN BUFSIZ typedef struct { unsigned int type; @@ -187,9 +199,9 @@ typedef struct _xpmHashAtom { } *xpmHashAtom; typedef struct { - int size; - int limit; - int used; + unsigned int size; + unsigned int limit; + unsigned int used; xpmHashAtom *atomTable; } xpmHashTable; diff --git a/src/create.c b/src/create.c index 790e23e..8710c18 100644 --- a/src/create.c +++ b/src/create.c @@ -1,3 +1,4 @@ +/* $XdotOrg: xc/extras/Xpm/lib/create.c,v 1.2.4.1 2004/09/15 15:47:39 daniel Exp $ */ /* * Copyright (C) 1989-95 GROUPE BULL * @@ -816,6 +817,9 @@ XpmCreateImageFromXpmImage(display, image, ErrorStatus = XpmSuccess; + if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) + return (XpmNoMemory); + /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) @@ -988,6 +992,8 @@ CreateXImage(display, visual, depth, format, width, height, image_return) return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) + return XpmNoMemory; /* now that bytes_per_line must have been set properly alloc data */ (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); @@ -2055,6 +2061,9 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return, xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ + if (ncolors >= SIZE_MAX / sizeof(Pixel)) + return XpmNoMemory; + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); 
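Review bot: The SIZE_MAX fallback added near the top of XpmI.h carries no comment saying what it is for or how exact it is. `<stdint.h>` is included only for the SCO and USL compilers; elsewhere the macro is either already defined or set to ULONG_MAX or UINT_MAX, which need not equal the real maximum of size_t. Since every new allocation guard in this commit depends on it, a short comment would help, e.g. `/* SIZE_MAX bounds the allocation-size checks; the fallback only approximates the maximum of size_t */`.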
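Review bot: The new early return in CreateXImage exits after `*image_return` has been created (the guard itself dereferences it) but before its data is allocated, and nothing in the hunk destroys the image or clears the pointer. If the allocation-failure path further down, which is outside the hunk, cleans up, this one should match it, e.g. `XDestroyImage(*image_return); *image_return = NULL;` ahead of `return XpmNoMemory;`. Otherwise the caller is handed a half-built XImage together with an error status.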
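Review bot: The guard added in xpmParseDataAndCreate leaves with a bare `return XpmNoMemory;`, whereas the allocation failure two lines later goes through `RETURN(XpmNoMemory)`. The macro's definition is outside the hunk, but it presumably releases what the function has built up by this point, which the bare return would skip. Suggest `if (ncolors >= SIZE_MAX / sizeof(Pixel)) RETURN(XpmNoMemory);` so both failure paths unwind the same way.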
@@ -2309,7 +2318,8 @@ ParseAndPutPixels( } obm = SelectObject(*dc, image->bitmap); #endif - + if (ncolors > 256) + return (XpmFileInvalid); bzero((char *)colidx, 256 * sizeof(short)); for (a = 0; a < ncolors; a++) @@ -2415,6 +2425,9 @@ if (cidx[f]) XpmFree(cidx[f]);} char *s; char buf[BUFSIZ]; + if (cpp >= sizeof(buf)) + return (XpmFileInvalid); + buf[cpp] = '\0'; if (USE_HASHTABLE) { xpmHashAtom *slot; @@ -375,7 +375,7 @@ xpmGetCmt(data, cmt) { if (!data->type) *cmt = NULL; - else if (data->CommentLength) { + else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) { *cmt = (char *) XpmMalloc(data->CommentLength + 1); strncpy(*cmt, data->Comment, data->CommentLength); (*cmt)[data->CommentLength] = '\0'; diff --git a/src/hashtab.c b/src/hashtab.c index 7d596ec..f07cb6d 100644 --- a/src/hashtab.c +++ b/src/hashtab.c @@ -135,7 +135,7 @@ HashTableGrows(table) xpmHashTable *table; { xpmHashAtom *atomTable = table->atomTable; - int size = table->size; + unsigned int size = table->size; xpmHashAtom *t, *p; int i; int oldSize = size; @@ -144,6 +144,8 @@ HashTableGrows(table) HASH_TABLE_GROWS table->size = size; table->limit = size / 3; + if (size >= SIZE_MAX / sizeof(*atomTable)) + return (XpmNoMemory); atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); if (!atomTable) return (XpmNoMemory); @@ -204,6 +206,8 @@ xpmHashTableInit(table) table->size = INITIAL_HASH_SIZE; table->limit = table->size / 3; table->used = 0; + if (table->size >= SIZE_MAX / sizeof(*atomTable)) + return (XpmNoMemory); atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); if (!atomTable) return (XpmNoMemory); diff --git a/src/parse.c b/src/parse.c index 3c819a2..d46333b 100644 --- a/src/parse.c +++ b/src/parse.c @@ -1,3 +1,4 @@ +/* $XdotOrg: xc/extras/Xpm/lib/parse.c,v 1.2.4.1 2004/09/15 15:47:39 daniel Exp $ */ /* * Copyright (C) 1989-95 GROUPE BULL * 
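Review bot: In xpmGetCmt the result of `XpmMalloc(data->CommentLength + 1)` is passed straight to `strncpy` and then indexed, so an allocation failure becomes a NULL dereference; the tightened length condition does not change that. A check between the two lines, such as `if (*cmt == NULL) return XpmNoMemory;`, would cover it, assuming the function's return type and callers allow an error status. The remainder of the body is outside the hunk.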
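Review bot: HashTableGrows stores the enlarged `table->size` and `table->limit` before the new overflow check and before the allocation, so either failure return leaves the table describing a size its `atomTable` does not have. Placing `if (size >= SIZE_MAX / sizeof(*atomTable)) return (XpmNoMemory);` ahead of `table->size = size;`, and deferring both assignments until XpmMalloc has succeeded, keeps the structure consistent for any caller that continues after XpmNoMemory. `oldSize` and `i` also remain `int` while `size` is now unsigned, which mixes signedness in the loop code outside the hunk.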
@@ -44,6 +45,24 @@ #include <ctype.h> #include <string.h> +#ifdef HAS_STRLCAT +# define STRLCAT(dst, src, dstsize) { \ + if (strlcat(dst, src, dstsize) >= (dstsize)) \ + return (XpmFileInvalid); } +# define STRLCPY(dst, src, dstsize) { \ + if (strlcpy(dst, src, dstsize) >= (dstsize)) \ + return (XpmFileInvalid); } +#else +# define STRLCAT(dst, src, dstsize) { \ + if ((strlen(dst) + strlen(src)) < (dstsize)) \ + strcat(dst, src); \ + else return (XpmFileInvalid); } +# define STRLCPY(dst, src, dstsize) { \ + if (strlen(src) < (dstsize)) \ + strcpy(dst, src); \ + else return (XpmFileInvalid); } +#endif + LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, unsigned int height, unsigned int ncolors, unsigned int cpp, XpmColor *colorTable, @@ -66,7 +85,7 @@ xpmParseValues(data, width, height, ncolors, cpp, unsigned int *extensions; { unsigned int l; - char buf[BUFSIZ]; + char buf[BUFSIZ + 1]; if (!data->format) { /* XPM 2 or 3 */ @@ -175,10 +194,10 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) XpmColor **colorTablePtr; xpmHashTable *hashtable; { - unsigned int key = 0, l, a, b; + unsigned int key = 0, l, a, b, len; unsigned int curkey; /* current color key */ unsigned int lastwaskey; /* key read */ - char buf[BUFSIZ]; + char buf[BUFSIZ+1]; char curbuf[BUFSIZ]; /* current buffer */ char **sptr, *s; XpmColor *color; @@ -186,6 +205,8 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) char **defaults; int ErrorStatus; + if (ncolors >= SIZE_MAX / sizeof(XpmColor)) + return (XpmNoMemory); colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); if (!colorTable) return (XpmNoMemory); @@ -197,6 +218,10 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) /* * read pixel value */ + if (cpp >= SIZE_MAX - 1) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } color->string = (char *) XpmMalloc(cpp + 1); if (!color->string) { xpmFreeColorTable(colorTable, ncolors); 
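Review bot: STRLCAT and STRLCPY hide a `return (XpmFileInvalid)` inside the macro body, and in xpmParseColors they are used where every other failure path calls `xpmFreeColorTable(colorTable, ncolors)` first, so an over-long colour string appears to leak the table. This affects the four STRLCAT call sites in the XPM 2/3 and XPM 1 branches in the later hunks. An explicit test at the call site keeps the cleanup visible: `if (strlen(curbuf) + strlen(buf) >= sizeof(curbuf)) { xpmFreeColorTable(colorTable, ncolors); return (XpmFileInvalid); }`. If the macros stay, their bare `{ ... }` bodies should be wrapped in `do { ... } while (0)` so they remain safe under an unbraced `if`/`else`.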
@@ -234,13 +259,14 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) } if (!lastwaskey && key < NKEYS) { /* open new key */ if (curkey) { /* flush string */ - s = (char *) XpmMalloc(strlen(curbuf) + 1); + len = strlen(curbuf) + 1; + s = (char *) XpmMalloc(len); if (!s) { xpmFreeColorTable(colorTable, ncolors); return (XpmNoMemory); } defaults[curkey] = s; - strcpy(s, curbuf); + memcpy(s, curbuf, len); } curkey = key + 1; /* set new key */ *curbuf = '\0'; /* reset curbuf */ @@ -251,9 +277,9 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) return (XpmFileInvalid); } if (!lastwaskey) - strcat(curbuf, " "); /* append space */ + STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ buf[l] = '\0'; - strcat(curbuf, buf);/* append buf */ + STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */ lastwaskey = 0; } } @@ -261,12 +287,13 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) xpmFreeColorTable(colorTable, ncolors); return (XpmFileInvalid); } - s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1); + len = strlen(curbuf) + 1; + s = defaults[curkey] = (char *) XpmMalloc(len); if (!s) { xpmFreeColorTable(colorTable, ncolors); return (XpmNoMemory); } - strcpy(s, curbuf); + memcpy(s, curbuf, len); } } else { /* XPM 1 */ /* get to the beginning of the first string */ @@ -279,6 +306,10 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) /* * read pixel value */ + if (cpp >= SIZE_MAX - 1) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } color->string = (char *) XpmMalloc(cpp + 1); if (!color->string) { xpmFreeColorTable(colorTable, ncolors); 
@@ -307,16 +338,17 @@ xpmParseColors(data, ncolors, cpp, colorTablePtr, hashtable) *curbuf = '\0'; /* init curbuf */ while ((l = xpmNextWord(data, buf, BUFSIZ))) { if (*curbuf != '\0') - strcat(curbuf, " ");/* append space */ + STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */ buf[l] = '\0'; - strcat(curbuf, buf); /* append buf */ + STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ } - s = (char *) XpmMalloc(strlen(curbuf) + 1); + len = strlen(curbuf) + 1; + s = (char *) XpmMalloc(len); if (!s) { xpmFreeColorTable(colorTable, ncolors); return (XpmNoMemory); } - strcpy(s, curbuf); + memcpy(s, curbuf, len); color->c_color = s; *curbuf = '\0'; /* reset curbuf */ if (a < ncolors - 1) @@ -341,6 +373,9 @@ ParsePixels(data, width, height, ncolors, cpp, colorTable, hashtable, pixels) unsigned int *iptr, *iptr2; unsigned int a, x, y; + if ((height > 0 && width >= SIZE_MAX / height) || + width * height >= SIZE_MAX / sizeof(unsigned int)) + return XpmNoMemory; #ifndef FOR_MSW iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); #else @@ -364,6 +399,9 @@ ParsePixels(data, width, height, ncolors, cpp, colorTable, hashtable, pixels) { unsigned short colidx[256]; + if (ncolors > 256) + return (XpmFileInvalid); + bzero((char *)colidx, 256 * sizeof(short)); for (a = 0; a < ncolors; a++) colidx[(unsigned char)colorTable[a].string[0]] = a + 1; @@ -442,6 +480,9 @@ if (cidx[f]) XpmFree(cidx[f]);} char *s; char buf[BUFSIZ]; + if (cpp >= sizeof(buf)) + return (XpmFileInvalid); + buf[cpp] = '\0'; if (USE_HASHTABLE) { xpmHashAtom *slot; 
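Review bot: The `ncolors > 256` rejection in ParsePixels returns after `iptr2` has been allocated at the top of the function, and nothing frees it on this path. The `cpp >= sizeof(buf)` rejection added in the default branch has the same shape. Both should release the buffer first, e.g. `if (ncolors > 256) { XpmFree(iptr2); return (XpmFileInvalid); }`. The function continues outside these hunks, so confirm that nothing else owns `iptr2` at those points.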
@@ -107,7 +107,8 @@ LFUNC(MSWGetImagePixels, int, (Display *d, XImage *image, unsigned int width, LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, XpmAttributes *attributes)); -LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, +LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, + unsigned int ncolors, Pixel *pixels, unsigned int mask, unsigned int cpp, XpmAttributes *attributes)); @@ -232,11 +233,17 @@ XpmCreateXpmImageFromImage(display, image, shapeimage, else cpp = 0; + if ((height > 0 && width >= SIZE_MAX / height) || + width * height >= SIZE_MAX / sizeof(unsigned int)) + RETURN(XpmNoMemory); pmap.pixelindex = (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); if (!pmap.pixelindex) RETURN(XpmNoMemory); + if (pmap.size >= SIZE_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); + pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); if (!pmap.pixels) RETURN(XpmNoMemory); @@ -301,7 +308,8 @@ XpmCreateXpmImageFromImage(display, image, shapeimage, * get rgb values and a string of char, and possibly a name for each * color */ - + if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) + RETURN(XpmNoMemory); colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); if (!colorTable) RETURN(XpmNoMemory); @@ -360,6 +368,8 @@ ScanTransparentColor(color, cpp, attributes) /* first get a character string */ a = 0; + if (cpp >= SIZE_MAX - 1) + return (XpmNoMemory); if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) return (XpmNoMemory); *s++ = printable[c = a % MAXPRINTABLE]; @@ -407,7 +417,7 @@ static int ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) Display *display; XpmColor *colors; - int ncolors; + unsigned int ncolors; Pixel *pixels; unsigned int mask; unsigned int cpp; 
@@ -451,6 +461,8 @@ ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) } /* first get character strings and rgb values */ + if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) + return (XpmNoMemory); xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); if (!xcolors) return (XpmNoMemory); |