summaryrefslogtreecommitdiff
path: root/src/create.c
diff options
context:
space:
mode:
authorRoland Mainz <roland.mainz@nrubsig.org>2004-12-17 01:09:36 +0000
committerRoland Mainz <roland.mainz@nrubsig.org>2004-12-17 01:09:36 +0000
commit53b0a7a28aa06e69bdc27c2d51e7f1d9c917c866 (patch)
tree291a1323facfbc4a8076ab50d808786fe64e7772 /src/create.c
parent49bb0a3ec1d9b781ec1d8a9fa21934979ddfc6a9 (diff)
xc/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/CrBufFrI.c xc/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/RdFToBuf.c xc/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/WrFFrBuf.c xc/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/create.c xc/extras/Xpm/lib/data.c xc/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/misc.c xc/extras/Xpm/lib/parse.c //bugs.freedesktop.org/show_bug.cgi?id=1920) attachment #1514 (https://bugs.freedesktop.org/attachment.cgi?id=1514): libXpm security fixes for CAN-2004-0914. Patch by Thomas Biege.
Diffstat (limited to 'src/create.c')
-rw-r--r--src/create.c94
1 files changed, 66 insertions, 28 deletions
diff --git a/src/create.c b/src/create.c
index b5b261d..4022322 100644
--- a/src/create.c
+++ b/src/create.c
@@ -1,4 +1,4 @@
-/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
+/* $XdotOrg: xc/extras/Xpm/lib/create.c,v 1.4 2004/11/25 21:19:11 herrb Exp $ */
/*
* Copyright (C) 1989-95 GROUPE BULL
*
@@ -45,6 +45,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
#include <ctype.h>
@@ -586,7 +588,7 @@ CreateColors(display, attributes, colors, ncolors, image_pixels, mask_pixels,
*/
} else {
#endif
- int i;
+ unsigned int i;
#ifndef AMIGA
ncols = visual->map_entries;
@@ -746,12 +748,14 @@ FreeColors(display, colormap, pixels, n, closure)
/* function call in case of error */
+
#undef RETURN
#define RETURN(status) \
+do \
{ \
ErrorStatus = status; \
goto error; \
-}
+} while(0)
int
XpmCreateImageFromXpmImage(display, image,
@@ -817,7 +821,7 @@ XpmCreateImageFromXpmImage(display, image,
ErrorStatus = XpmSuccess;
- if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
+ if (image->ncolors >= UINT_MAX / sizeof(Pixel))
return (XpmNoMemory);
/* malloc pixels index tables */
@@ -992,9 +996,13 @@ CreateXImage(display, visual, depth, format, width, height, image_return)
return (XpmNoMemory);
#if !defined(FOR_MSW) && !defined(AMIGA)
- if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
+ if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+ XDestroyImage(*image_return);
return XpmNoMemory;
+ }
/* now that bytes_per_line must have been set properly alloc data */
+ if((*image_return)->bytes_per_line == 0 || height == 0)
+ return XpmNoMemory;
(*image_return)->data =
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1023,7 +1031,7 @@ CreateXImage(display, visual, depth, format, width, height, image_return)
LFUNC(_putbits, void, (register char *src, int dstoffset,
register int numbits, register char *dst));
-LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));
+LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
static unsigned char Const _reverse_byte[0x100] = {
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
@@ -1063,12 +1071,12 @@ static unsigned char Const _reverse_byte[0x100] = {
static int
_XReverse_Bytes(bpt, nb)
register unsigned char *bpt;
- register int nb;
+ register unsigned int nb;
{
do {
*bpt = _reverse_byte[*bpt];
bpt++;
- } while (--nb > 0);
+ } while (--nb > 0); /* is nb user-controled? */
return 0;
}
@@ -1207,7 +1215,7 @@ PutImagePixels(image, width, height, pixelindex, pixels)
register char *src;
register char *dst;
register unsigned int *iptr;
- register int x, y, i;
+ register unsigned int x, y, i;
register char *data;
Pixel pixel, px;
int nbytes, depth, ibu, ibpp;
@@ -1217,8 +1225,8 @@ PutImagePixels(image, width, height, pixelindex, pixels)
depth = image->depth;
if (depth == 1) {
ibu = image->bitmap_unit;
- for (y = 0; y < height; y++)
- for (x = 0; x < width; x++, iptr++) {
+ for (y = 0; y < height; y++) /* how can we trust height */
+ for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
pixel = pixels[*iptr];
for (i = 0, px = pixel; i < sizeof(unsigned long);
i++, px >>= 8)
@@ -1293,12 +1301,12 @@ PutImagePixels32(image, width, height, pixelindex, pixels)
{
unsigned char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
Pixel pixel;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
unsigned char *addr;
data = (unsigned char *) image->data;
@@ -1335,7 +1343,7 @@ PutImagePixels32(image, width, height, pixelindex, pixels)
#else /* WITHOUT_SPEEDUPS */
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
unsigned char *data_ptr, *max_data;
data = (unsigned char *) image->data;
@@ -1403,11 +1411,11 @@ PutImagePixels16(image, width, height, pixelindex, pixels)
{
unsigned char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
unsigned char *addr;
data = (unsigned char *) image->data;
@@ -1431,7 +1439,7 @@ PutImagePixels16(image, width, height, pixelindex, pixels)
Pixel pixel;
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
unsigned char *data_ptr, *max_data;
data = (unsigned char *) image->data;
@@ -1484,11 +1492,11 @@ PutImagePixels8(image, width, height, pixelindex, pixels)
{
char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
data = image->data;
iptr = pixelindex;
@@ -1498,7 +1506,7 @@ PutImagePixels8(image, width, height, pixelindex, pixels)
#else /* WITHOUT_SPEEDUPS */
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
char *data_ptr, *max_data;
data = image->data;
@@ -1533,12 +1541,12 @@ PutImagePixels1(image, width, height, pixelindex, pixels)
PutImagePixels(image, width, height, pixelindex, pixels);
else {
unsigned int *iptr;
- int y;
+ unsigned int y;
char *data;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
data = image->data;
iptr = pixelindex;
@@ -1761,6 +1769,9 @@ PutPixel1(ximage, x, y, pixel)
Pixel px;
int nbytes;
+ if(x < 0 || y < 0)
+ return 0;
+
for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
((unsigned char *)&pixel)[i] = px;
src = &ximage->data[XYINDEX(x, y, ximage)];
@@ -1791,7 +1802,10 @@ PutPixel(ximage, x, y, pixel)
register char *dst;
register int i;
Pixel px;
- int nbytes, ibpp;
+ unsigned int nbytes, ibpp;
+
+ if(x < 0 || y < 0)
+ return 0;
ibpp = ximage->bits_per_pixel;
if (ximage->depth == 4)
@@ -1825,6 +1839,9 @@ PutPixel32(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
*((unsigned long *)addr) = pixel;
return 1;
@@ -1840,6 +1857,9 @@ PutPixel32MSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
addr[0] = pixel >> 24;
addr[1] = pixel >> 16;
@@ -1857,6 +1877,9 @@ PutPixel32LSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
addr[3] = pixel >> 24;
addr[2] = pixel >> 16;
@@ -1874,6 +1897,9 @@ PutPixel16MSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
addr[0] = pixel >> 8;
addr[1] = pixel;
@@ -1889,6 +1915,9 @@ PutPixel16LSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
addr[1] = pixel >> 8;
addr[0] = pixel;
@@ -1902,6 +1931,9 @@ PutPixel8(ximage, x, y, pixel)
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
ximage->data[ZINDEX8(x, y, ximage)] = pixel;
return 1;
}
@@ -1913,6 +1945,9 @@ PutPixel1MSB(ximage, x, y, pixel)
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
if (pixel & 1)
ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7);
else
@@ -1927,6 +1962,9 @@ PutPixel1LSB(ximage, x, y, pixel)
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
if (pixel & 1)
ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7);
else
@@ -2061,8 +2099,8 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return,
xpmGetCmt(data, &colors_cmt);
/* malloc pixels index tables */
- if (ncolors >= SIZE_MAX / sizeof(Pixel))
- return XpmNoMemory;
+ if (ncolors >= UINT_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
if (!image_pixels)
@@ -2174,7 +2212,7 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return,
* free the hastable
*/
if (ErrorStatus != XpmSuccess)
- RETURN(ErrorStatus)
+ RETURN(ErrorStatus);
else if (USE_HASHTABLE)
xpmHashTableFree(&hashtable);
@@ -2366,11 +2404,11 @@ if (cidx[f]) XpmFree(cidx[f]);}
/* array of pointers malloced by need */
unsigned short *cidx[256];
- int char1;
+ unsigned int char1;
bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
for (a = 0; a < ncolors; a++) {
- char1 = colorTable[a].string[0];
+ char1 = (unsigned char) colorTable[a].string[0];
if (cidx[char1] == NULL) { /* get new memory */
cidx[char1] = (unsigned short *)
XpmCalloc(256, sizeof(unsigned short));