Fix out out boundary read on unknown colors

libXpm is vulnerable to an out of boundary read if an XPM file contains a color with a symbolic name but without any default color value. A caller must set XpmColorSymbols and a color with a NULL name in the supplied XpmAttributes to XpmReadFileToImage (or other functions of this type) in order to trigger this issue. Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2016-12-06 22:31:53 +0100
committer: Matthieu Herrb <matthieu@herrb.eu> 2016-12-12 22:47:05 +0100
commit: c46dedeba15edf7216d62633ed6daf40cd1f5bfd (patch)
tree: d5468509391274c8714b6018e57a9529bb164e95
parent: 42ca8d956276bc00bec09e410d76daf053ae35f9 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/create.c b/src/create.c
index d013da9..a750846 100644
--- a/src/create.c
+++ b/src/create.c
@@ -647,7 +647,8 @@ CreateColors(
 			while (def_index <= 5 && defaults[def_index] == NULL)
 			    ++def_index;
 		    }
-		    if (def_index >= 2 && defaults[def_index] != NULL &&
+		    if (def_index >= 2 && def_index <= 5 &&
+			defaults[def_index] != NULL &&
 			!xpmstrcasecmp(symbol->value, defaults[def_index]))
 			break;
 		}
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2016-12-06 22:31:53 +0100
committer	Matthieu Herrb <matthieu@herrb.eu>	2016-12-12 22:47:05 +0100
commit	c46dedeba15edf7216d62633ed6daf40cd1f5bfd (patch)
tree	d5468509391274c8714b6018e57a9529bb164e95
parent	42ca8d956276bc00bec09e410d76daf053ae35f9 (diff)