diff options
author | Daniel Stone <daniel@fooishbar.org> | 2004-09-15 15:47:39 +0000 |
---|---|---|
committer | Daniel Stone <daniel@fooishbar.org> | 2004-09-15 15:47:39 +0000 |
commit | 19066719975d0dbfa51c6b413a3760ed7cf93ddc (patch) | |
tree | c757de7bbe7881acf219c1f4bf0b3459fbd8cd84 /src/create.c | |
parent | 2773a7214e282f6f673483f5233b880505947c3f (diff) |
Merge patch from Mathieu Herrb to fix several integer overflows and otherXORG-6_8_1
security errors in libXpm.
Diffstat (limited to 'src/create.c')
-rw-r--r-- | src/create.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/create.c b/src/create.c index 790e23e..b5b261d 100644 --- a/src/create.c +++ b/src/create.c @@ -1,3 +1,4 @@ +/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */ /* * Copyright (C) 1989-95 GROUPE BULL * @@ -816,6 +817,9 @@ XpmCreateImageFromXpmImage(display, image, ErrorStatus = XpmSuccess; + if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) + return (XpmNoMemory); + /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) @@ -988,6 +992,8 @@ CreateXImage(display, visual, depth, format, width, height, image_return) return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) + return XpmNoMemory; /* now that bytes_per_line must have been set properly alloc data */ (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); @@ -2055,6 +2061,9 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return, xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ + if (ncolors >= SIZE_MAX / sizeof(Pixel)) + return XpmNoMemory; + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); @@ -2309,7 +2318,8 @@ ParseAndPutPixels( } obm = SelectObject(*dc, image->bitmap); #endif - + if (ncolors > 256) + return (XpmFileInvalid); bzero((char *)colidx, 256 * sizeof(short)); for (a = 0; a < ncolors; a++) @@ -2415,6 +2425,9 @@ if (cidx[f]) XpmFree(cidx[f]);} char *s; char buf[BUFSIZ]; + if (cpp >= sizeof(buf)) + return (XpmFileInvalid); + buf[cpp] = '\0'; if (USE_HASHTABLE) { xpmHashAtom *slot; |