diff options
author | Roland Mainz <roland.mainz@nrubsig.org> | 2004-12-17 01:09:36 +0000 |
---|---|---|
committer | Roland Mainz <roland.mainz@nrubsig.org> | 2004-12-17 01:09:36 +0000 |
commit | 53b0a7a28aa06e69bdc27c2d51e7f1d9c917c866 (patch) | |
tree | 291a1323facfbc4a8076ab50d808786fe64e7772 /src/create.c | |
parent | 49bb0a3ec1d9b781ec1d8a9fa21934979ddfc6a9 (diff) |
xc/lib/Xpm/ImakefileXORG-6_8_2XORG-6_8_1_904XORG-6_8_1_903XORG-6_8_1_902XORG-6_8_1_901XORG-6_8-branch
xc/extras/Xpm/lib/Attrib.c
xc/extras/Xpm/lib/CrBufFrI.c
xc/extras/Xpm/lib/CrDatFrI.c
xc/extras/Xpm/lib/RdFToBuf.c
xc/extras/Xpm/lib/RdFToI.c
xc/extras/Xpm/lib/WrFFrBuf.c
xc/extras/Xpm/lib/WrFFrI.c
xc/extras/Xpm/lib/XpmI.h
xc/extras/Xpm/lib/create.c
xc/extras/Xpm/lib/data.c
xc/extras/Xpm/lib/hashtab.c
xc/extras/Xpm/lib/misc.c
xc/extras/Xpm/lib/parse.c
//bugs.freedesktop.org/show_bug.cgi?id=1920) attachment #1514
(https://bugs.freedesktop.org/attachment.cgi?id=1514): libXpm security
fixes for CAN-2004-0914. Patch by Thomas Biege.
Diffstat (limited to 'src/create.c')
-rw-r--r-- | src/create.c | 94 |
1 files changed, 66 insertions, 28 deletions
diff --git a/src/create.c b/src/create.c index b5b261d..4022322 100644 --- a/src/create.c +++ b/src/create.c @@ -1,4 +1,4 @@ -/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */ +/* $XdotOrg: xc/extras/Xpm/lib/create.c,v 1.4 2004/11/25 21:19:11 herrb Exp $ */ /* * Copyright (C) 1989-95 GROUPE BULL * @@ -45,6 +45,8 @@ * Lorens Younes (d93-hyo@nada.kth.se) 4/96 */ +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */ + #include "XpmI.h" #include <ctype.h> @@ -586,7 +588,7 @@ CreateColors(display, attributes, colors, ncolors, image_pixels, mask_pixels, */ } else { #endif - int i; + unsigned int i; #ifndef AMIGA ncols = visual->map_entries; @@ -746,12 +748,14 @@ FreeColors(display, colormap, pixels, n, closure) /* function call in case of error */ + #undef RETURN #define RETURN(status) \ +do \ { \ ErrorStatus = status; \ goto error; \ -} +} while(0) int XpmCreateImageFromXpmImage(display, image, @@ -817,7 +821,7 @@ XpmCreateImageFromXpmImage(display, image, ErrorStatus = XpmSuccess; - if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) + if (image->ncolors >= UINT_MAX / sizeof(Pixel)) return (XpmNoMemory); /* malloc pixels index tables */ @@ -992,9 +996,13 @@ CreateXImage(display, visual, depth, format, width, height, image_return) return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) - if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); return XpmNoMemory; + } /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) + return XpmNoMemory; (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); @@ -1023,7 +1031,7 @@ CreateXImage(display, visual, depth, format, width, height, image_return) LFUNC(_putbits, void, (register char *src, int dstoffset, register int numbits, register char *dst)); -LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); +LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); static unsigned char Const _reverse_byte[0x100] = { 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, @@ -1063,12 +1071,12 @@ static unsigned char Const _reverse_byte[0x100] = { static int _XReverse_Bytes(bpt, nb) register unsigned char *bpt; - register int nb; + register unsigned int nb; { do { *bpt = _reverse_byte[*bpt]; bpt++; - } while (--nb > 0); + } while (--nb > 0); /* is nb user-controled? */ return 0; } @@ -1207,7 +1215,7 @@ PutImagePixels(image, width, height, pixelindex, pixels) register char *src; register char *dst; register unsigned int *iptr; - register int x, y, i; + register unsigned int x, y, i; register char *data; Pixel pixel, px; int nbytes, depth, ibu, ibpp; @@ -1217,8 +1225,8 @@ PutImagePixels(image, width, height, pixelindex, pixels) depth = image->depth; if (depth == 1) { ibu = image->bitmap_unit; - for (y = 0; y < height; y++) - for (x = 0; x < width; x++, iptr++) { + for (y = 0; y < height; y++) /* how can we trust height */ + for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ pixel = pixels[*iptr]; for (i = 0, px = pixel; i < sizeof(unsigned long); i++, px >>= 8) @@ -1293,12 +1301,12 @@ PutImagePixels32(image, width, height, pixelindex, pixels) { unsigned char *data; unsigned int *iptr; - int y; + unsigned int y; Pixel pixel; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; unsigned char *addr; data = (unsigned char *) image->data; @@ -1335,7 +1343,7 @@ PutImagePixels32(image, width, height, pixelindex, pixels) #else /* WITHOUT_SPEEDUPS */ - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; unsigned char *data_ptr, *max_data; data = (unsigned char *) image->data; @@ -1403,11 +1411,11 @@ PutImagePixels16(image, width, height, pixelindex, pixels) { unsigned char *data; unsigned int *iptr; - int y; + unsigned int y; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; unsigned char *addr; data = (unsigned char *) image->data; @@ -1431,7 +1439,7 @@ PutImagePixels16(image, width, height, pixelindex, pixels) Pixel pixel; - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; unsigned char *data_ptr, *max_data; data = (unsigned char *) image->data; @@ -1484,11 +1492,11 @@ PutImagePixels8(image, width, height, pixelindex, pixels) { char *data; unsigned int *iptr; - int y; + unsigned int y; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; data = image->data; iptr = pixelindex; @@ -1498,7 +1506,7 @@ PutImagePixels8(image, width, height, pixelindex, pixels) #else /* WITHOUT_SPEEDUPS */ - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; char *data_ptr, *max_data; data = image->data; @@ -1533,12 +1541,12 @@ PutImagePixels1(image, width, height, pixelindex, pixels) PutImagePixels(image, width, height, pixelindex, pixels); else { unsigned int *iptr; - int y; + unsigned int y; char *data; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; data = image->data; iptr = pixelindex; @@ -1761,6 +1769,9 @@ PutPixel1(ximage, x, y, pixel) Pixel px; int nbytes; + if(x < 0 || y < 0) + return 0; + for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8) ((unsigned char *)&pixel)[i] = px; src = &ximage->data[XYINDEX(x, y, ximage)]; @@ -1791,7 +1802,10 @@ PutPixel(ximage, x, y, pixel) register char *dst; register int i; Pixel px; - int nbytes, ibpp; + unsigned int nbytes, ibpp; + + if(x < 0 || y < 0) + return 0; ibpp = ximage->bits_per_pixel; if (ximage->depth == 4) @@ -1825,6 +1839,9 @@ PutPixel32(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; *((unsigned long *)addr) = pixel; return 1; @@ -1840,6 +1857,9 @@ PutPixel32MSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; addr[0] = pixel >> 24; addr[1] = pixel >> 16; @@ -1857,6 +1877,9 @@ PutPixel32LSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; addr[3] = pixel >> 24; addr[2] = pixel >> 16; @@ -1874,6 +1897,9 @@ PutPixel16MSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; addr[0] = pixel >> 8; addr[1] = pixel; @@ -1889,6 +1915,9 @@ PutPixel16LSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; addr[1] = pixel >> 8; addr[0] = pixel; @@ -1902,6 +1931,9 @@ PutPixel8(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + ximage->data[ZINDEX8(x, y, ximage)] = pixel; return 1; } @@ -1913,6 +1945,9 @@ PutPixel1MSB(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + if (pixel & 1) ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); else @@ -1927,6 +1962,9 @@ PutPixel1LSB(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + if (pixel & 1) ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); else @@ -2061,8 +2099,8 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return, xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ - if (ncolors >= SIZE_MAX / sizeof(Pixel)) - return XpmNoMemory; + if (ncolors >= UINT_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) @@ -2174,7 +2212,7 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return, * free the hastable */ if (ErrorStatus != XpmSuccess) - RETURN(ErrorStatus) + RETURN(ErrorStatus); else if (USE_HASHTABLE) xpmHashTableFree(&hashtable); @@ -2366,11 +2404,11 @@ if (cidx[f]) XpmFree(cidx[f]);} /* array of pointers malloced by need */ unsigned short *cidx[256]; - int char1; + unsigned int char1; bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ for (a = 0; a < ncolors; a++) { - char1 = colorTable[a].string[0]; + char1 = (unsigned char) colorTable[a].string[0]; if (cidx[char1] == NULL) { /* get new memory */ cidx[char1] = (unsigned short *) XpmCalloc(256, sizeof(unsigned short)); |