Age | Commit message | Author |
|
It has never been used in the autoconf builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
It was only ever used when FOR_MSW was defined, never in the autoconf builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Removes all the "FOR_MSW" code added back in 1994, which hasn't been
buildable in the automake builds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
There was no way to build this in the automake files
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Assumes all platforms have provided C99 required headers in the 25 years
since the C99 standard was finalized.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X Image for
which the width * depth would overflow the signed int used to
store the bytes_per_line value.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X11 pixmap with
dimensions larger than the unsigned 16-bit integers used in the
X11 protocol for the dimensions.
Reported by Yair Mizrahi of the JFrog Vulnerability Research team
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
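The two commit messages above describe the same defensive idea from two sides: refuse geometry that cannot be represented before handing it to libX11. The following is an added example, not libXpm's own code; the function and enum names (`check_pixmap_dims`, `check_ximage_dims`, `dim_status`) are this example's assumptions, and `X11_MAX_DIM` is the unsigned 16-bit limit the X11 protocol uses for pixmap dimensions.

```c
/* Added example (not libXpm code): reject image geometry that libX11 cannot
 * represent, before any allocation or server round trip happens.
 * check_pixmap_dims() enforces the 16-bit protocol limit on pixmap width and
 * height; check_ximage_dims() makes sure the row size that libX11 stores in a
 * signed int (bytes_per_line) cannot overflow for a client-side XImage. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

enum dim_status {
    DIM_OK = 0,
    DIM_ZERO,        /* width or height is 0: nothing to draw */
    DIM_TOO_LARGE,   /* exceeds the 16-bit X11 protocol limit */
    DIM_BAD_DEPTH,   /* bits_per_pixel outside 1..32 */
    DIM_OVERFLOW     /* row or buffer size would overflow its type */
};

/* Largest value the X11 protocol can carry for a pixmap width or height. */
#define X11_MAX_DIM 65535u

/* Geometry check for a server-side pixmap (XCreatePixmap and friends). */
enum dim_status check_pixmap_dims(unsigned width, unsigned height)
{
    if (width == 0 || height == 0)
        return DIM_ZERO;
    if (width > X11_MAX_DIM || height > X11_MAX_DIM)
        return DIM_TOO_LARGE;
    return DIM_OK;
}

/* Geometry check for a client-side XImage. bits_per_pixel is what the caller
 * would derive from the visual depth (1, 8, 16, 24 or 32 in practice). */
enum dim_status check_ximage_dims(unsigned width, unsigned height,
                                  unsigned bits_per_pixel)
{
    if (width == 0 || height == 0)
        return DIM_ZERO;
    if (bits_per_pixel == 0 || bits_per_pixel > 32)
        return DIM_BAD_DEPTH;

    /* Do the multiply in 64 bits so the check itself cannot overflow, then
     * compare the resulting byte count against INT_MAX, the ceiling of the
     * signed int libX11 uses for bytes_per_line. Scanline padding only adds a
     * few bytes on top, so a row that already exceeds INT_MAX is hopeless. */
    uint64_t row_bits = (uint64_t)width * bits_per_pixel;
    uint64_t row_bytes = row_bits / 8 + (row_bits % 8 != 0);
    if (row_bytes > (uint64_t)INT_MAX)
        return DIM_OVERFLOW;

    /* The whole pixel buffer must also be a representable allocation size.
     * row_bytes <= 2^31 and height < 2^32, so this product fits in 64 bits. */
    uint64_t total_bytes = row_bytes * height;
    if (total_bytes > (uint64_t)SIZE_MAX)
        return DIM_OVERFLOW;
    return DIM_OK;
}

int main(void)
{
    /* Constructed inputs: a normal image and a hostile 1-row, huge-width one. */
    printf("1024x768@32: %d\n", check_ximage_dims(1024, 768, 32));
    printf("2^30x1@32:  %d\n", check_ximage_dims(0x40000000u, 1, 32));
    printf("65536x1 pixmap: %d\n", check_pixmap_dims(65536, 1));
    return 0;
}
```

Both checks run before any memory is requested, which is the point of the commits: the caller fails fast with a status it can report instead of discovering the problem inside libX11.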
|
|
Found with clang's libfuzzer
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
When the test case for CVE-2022-46285 was run with the Address Sanitizer
enabled, it found an out-of-bounds read in ParseComment() when reading
from a memory buffer instead of a file, as it continued to look for the
closing comment marker past the end of the buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Hides private API from external linkage
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Relies on platforms with O_CLOEXEC support following POSIX requirement
to not copy the close-on-exec flag to the new fd in dup2(), but to leave
it unset instead, since that's how fd's are passed to child processes
to handle compressed files.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
parse.c:74:1: warning: unused function 'xstrlcpy' [-Wunused-function]
xstrlcpy(char *dst, const char *src, size_t dstsize)
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Makes it match the definition in create.c and eliminates
clang warnings:
create.c:2409:13: warning: empty expression statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
create.c:2440:17: warning: empty expression statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
create.c:2444:13: warning: empty expression statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
create.c:2449:15: warning: empty expression statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
CrDatFrI.c: In function ‘XpmCreateDataFromXpmImage’:
CrDatFrI.c:245:13: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
245 | if (header[l])
| ^~
In file included from CrDatFrI.c:40:
XpmI.h:80:22: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
80 | #define XpmFree(ptr) free(ptr)
| ^~~~
CrDatFrI.c:247:17: note: in expansion of macro ‘XpmFree’
247 | XpmFree(header);
| ^~~~~~~
CrDatFrI.c: In function ‘CreateColors’:
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
If compress is not found, we disable writing to .Z files,
but leave the rest of the compression code active.
If uncompress is not found, we use gzip to read .Z files.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
In this particular error path we have already allocated cidx[0..256]
with 256 instances of fresh and juicy memory. Freeing that is annoying,
but luckily there's a helpful FREE_CIDX macro that does exactly that.
Fixes f80fa6a:
Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
Found by covscan
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
/usr/bin/gunzip with the correct built-in path, the actual gzip call
will use whichever gzip it finds first, making our patch pointless.
Fix this by explicitly calling gzip -d instead.
https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
[Part of the fix for CVE-2022-4883]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
xpmParseDataAndCreate() calls XDestroyImage() in the error path.
Reproducible with sxpm "zero-width.xpm", that file is in the test/
directory.
The same approach is needed in the bytes_per_line == 0 condition though
here it just plugs a memory leak.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
By default, on all platforms except MinGW, libXpm will detect if a
filename ends in .Z or .gz, and will when reading such a file fork off
an uncompress or gunzip command to read from via a pipe, and when
writing such a file will fork off a compress or gzip command to write
to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those
privileges.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
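The CVE described above, the earlier note about `gunzip` being a wrapper that re-resolves `gzip` through `$PATH`, and the commit relying on `dup2()` clearing `FD_CLOEXEC` all concern the same code path: how a library hands a `.Z`/`.gz` file to an external filter. The following is an added example, not libXpm's own implementation. `GZIP_PATH` and `COMPRESS_PATH` stand in for build-time absolute paths that a configure script would supply; `choose_filter`, `spawn_filter` and `dup2_clears_cloexec` are this example's own names.

```c
/* Added example (not libXpm code): spawning a (de)compression helper without
 * consulting $PATH, and letting only the intended descriptor survive exec.
 * Absolute helper paths are assumed here; a real build would substitute them
 * at configure time. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define GZIP_PATH     "/usr/bin/gzip"      /* assumption: set by configure */
#define COMPRESS_PATH "/usr/bin/compress"  /* assumption: set by configure */

/* Fill argv (NULL-terminated, at most 4 slots) with the helper for filename.
 * Returns the number of arguments stored, or 0 if the name has no .gz/.Z
 * suffix. gzip -d is used directly rather than the gunzip shell wrapper,
 * and .Z files are read with gzip -d as well so uncompress is never needed. */
int choose_filter(const char *filename, int writing, const char *argv[4])
{
    size_t len = strlen(filename);
    int argc = 0;

    if (len > 3 && strcmp(filename + len - 3, ".gz") == 0) {
        argv[argc++] = GZIP_PATH;
        if (!writing)
            argv[argc++] = "-d";
    } else if (len > 2 && strcmp(filename + len - 2, ".Z") == 0) {
        if (writing) {
            argv[argc++] = COMPRESS_PATH;
        } else {
            argv[argc++] = GZIP_PATH;
            argv[argc++] = "-d";
        }
    }
    argv[argc] = NULL;
    return argc;
}

/* Run the helper with its stdin and stdout attached to the given descriptors.
 * execv() takes an absolute path, so $PATH is never consulted even when the
 * caller runs with raised privileges. Returns the child pid or -1. */
pid_t spawn_filter(const char *argv[4], int child_stdin, int child_stdout)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The dup2() copies have FD_CLOEXEC clear, so they outlive exec;
         * every other O_CLOEXEC descriptor the parent holds is closed. */
        if (dup2(child_stdin, STDIN_FILENO) < 0 ||
            dup2(child_stdout, STDOUT_FILENO) < 0)
            _exit(127);
        execv(argv[0], (char *const *)argv);
        _exit(127);   /* only reached if execv failed */
    }
    return pid;
}

/* Verifies the POSIX behaviour the commit above relies on: the source fd keeps
 * FD_CLOEXEC while the descriptor produced by dup2() does not.
 * Returns 1 when the platform behaves that way, 0 otherwise. */
int dup2_clears_cloexec(void)
{
    int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;
    int spare = dup(fd);                 /* obtain a free descriptor number */
    if (spare < 0 || dup2(fd, spare) != spare) {
        if (spare >= 0) close(spare);
        close(fd);
        return 0;
    }
    int src_flags = fcntl(fd, F_GETFD);
    int copy_flags = fcntl(spare, F_GETFD);
    close(spare);
    close(fd);
    return (src_flags & FD_CLOEXEC) != 0 && (copy_flags & FD_CLOEXEC) == 0;
}

/* Test helper: does choose_filter() produce the expected command line? */
int filter_matches(const char *filename, int writing, int expect_argc,
                   const char *expect_path, const char *expect_flag)
{
    const char *argv[4];
    int argc = choose_filter(filename, writing, argv);
    if (argc != expect_argc)
        return 0;
    if (argc == 0)
        return argv[0] == NULL;
    if (strcmp(argv[0], expect_path) != 0)
        return 0;
    if (expect_flag == NULL)
        return argv[1] == NULL;
    return argv[1] != NULL && strcmp(argv[1], expect_flag) == 0;
}
```

`dup2_clears_cloexec()` is the check worth running on a port: if it returns 0, the platform does not honour the POSIX rule and the child would inherit nothing, so the library would have to clear the flag on the duplicated fd itself.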
|
|
When reading XPM images from a file with libXpm 3.5.14 or older, if an
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a
denial of service to the calling program when given a small crafted XPM
file to parse.
Closes: #2
Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.
Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Found by using:
codespell --builtin clear,rare,usage,informal,code,names
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
We introduced a new label to handle the errors, we should use it
for the rest of the function.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
The original macro might exit the function without freeing `colorTable`.
Move the macros into a slightly less awful helper function and use goto
to clean up in case of error.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Found by Oracle's Parfait 2.2 static analyzer:
Error: File Leak
File Leak [file-ptr-leak]:
Leaked File fp
at line 94 of lib/libXpm/src/RdFToBuf.c in function 'XpmReadFileToBuffer'.
fp initialized at line 86 with fdopen
fp leaks when len < 0 at line 92.
Introduced-by: commit 8b3024e6871ce50b34bf2dff924774bd654703bc
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=46475
https://bugs.freedesktop.org/attachment.cgi?id=57479
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The values of file sizes and buffer sizes can exceed current limits.
Therefore, use proper variable types for these operations.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
libXpm uses unsigned int to store sizes, which fits size_t on 32 bit
systems, but leads to issues on 64 bit systems.
On 64 bit systems, it is possible to overflow 32 bit integers while
parsing XPM extensions in a file.
At first, it looks like a rather unimportant detail, because nobody
will seriously open a 4 GB file. But unfortunately XPM has support for
gzip compression out of the box. An attacker can therefore craft a
compressed file which is merely 4 MB in size, which makes an attack
much more feasible.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
libXpm does not properly handle EOF conditions when xpmGetC is called
multiple times in a row to construct a string. Instead of checking
its return value for EOF, the result is automatically cast into a
char and attached to a string.
By carefully crafting the color table in an XPM file, it is possible to
send a libXpm program like gimp into a very long lasting loop and
massive memory allocations.
Otherwise no memory issues arise, therefore this is just a purely
functional patch to dismiss invalid input.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <Matthieu@herrb.eu>
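Three of the commits above are the same bug class in different places in the parser: a comment skipper that never noticed `getc()` returning EOF, the same skipper running past the end of an in-memory buffer, and string building that cast the EOF return value to `char` instead of stopping. The following is an added example, not libXpm's own parser; the `xpm_reader` type and the `xpm_getc`, `skip_comment` and `read_word` functions are this example's own names, and the sample inputs are constructed.

```c
/* Added example (not libXpm code): a reader over either a stdio stream or a
 * memory buffer whose every consumer treats EOF as a hard stop. xpm_getc()
 * never steps past the end of a buffer, skip_comment() fails on an
 * unterminated comment instead of spinning, and read_word() compares the
 * int return value against EOF before it is ever narrowed to char. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    FILE *fp;          /* when non-NULL, bytes come from this stream */
    const char *buf;   /* otherwise from buf[0 .. len) */
    size_t len;
    size_t pos;
} xpm_reader;

/* Next byte as 0..255, or EOF. The bounds check is what prevents the
 * out-of-bounds read that ASan found in the buffer variant. */
int xpm_getc(xpm_reader *r)
{
    if (r->fp)
        return getc(r->fp);
    if (r->pos >= r->len)
        return EOF;
    return (unsigned char)r->buf[r->pos++];
}

/* Skip a C-style comment whose opening marker has already been consumed.
 * Returns 0 once the closing star-slash is seen, -1 if input ends first. */
int skip_comment(xpm_reader *r)
{
    int prev = 0, c;
    while ((c = xpm_getc(r)) != EOF) {
        if (prev == '*' && c == '/')
            return 0;
        prev = c;
    }
    return -1;   /* unterminated comment: report it, do not loop forever */
}

/* Read one whitespace-delimited word into dst (dstsize bytes, always NUL
 * terminated). Returns the length stored, or -1 if EOF arrived before any
 * byte was stored or the word would not fit. */
int read_word(xpm_reader *r, char *dst, size_t dstsize)
{
    size_t n = 0;
    int c;

    while ((c = xpm_getc(r)) == ' ' || c == '\t' || c == '\n')
        ;   /* skip leading whitespace */
    /* c is still an int here: EOF is recognised before any cast to char. */
    while (c != EOF && c != ' ' && c != '\t' && c != '\n') {
        if (n + 1 >= dstsize)
            return -1;           /* word does not fit: refuse, do not truncate */
        dst[n++] = (char)c;
        c = xpm_getc(r);
    }
    dst[n] = '\0';
    return n == 0 ? -1 : (int)n;
}

/* Constructed input: a comment that never closes. Expected result: -1. */
int demo_unterminated_comment(void)
{
    static const char sample[] = " this comment never closes";
    xpm_reader r = { NULL, sample, sizeof sample - 1, 0 };
    return skip_comment(&r);
}

/* Constructed input: a closed comment. Returns the reader position just after
 * the closing marker so the caller can see that parsing resumes there. */
int demo_closed_comment(void)
{
    static const char sample[] = " XPM */ rest";
    xpm_reader r = { NULL, sample, sizeof sample - 1, 0 };
    if (skip_comment(&r) != 0)
        return -1;
    return (int)r.pos;
}

/* Constructed input: one color-table entry "<key> <color>". Returns the
 * length of the color token, and verifies that a further read reports EOF
 * instead of producing 0xFF bytes indefinitely. */
int demo_color_value_length(void)
{
    static const char sample[] = "c #FF00FF";
    xpm_reader r = { NULL, sample, sizeof sample - 1, 0 };
    char key[8], color[16], junk[8];

    if (read_word(&r, key, sizeof key) != 1 || strcmp(key, "c") != 0)
        return -1;
    int n = read_word(&r, color, sizeof color);
    if (n < 0 || strcmp(color, "#FF00FF") != 0)
        return -1;
    if (read_word(&r, junk, sizeof junk) != -1)
        return -1;   /* must report EOF, not loop */
    return n;
}
```

The same reader serves file and buffer input, so the fix is made once: any loop written against `xpm_getc()` terminates on EOF whether the bytes come from `getc()` or from memory.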
|
|
libXpm is vulnerable to an out of boundary read if an XPM file contains
a color with a symbolic name but without any default color value.
A caller must set XpmColorSymbols and a color with a NULL name in
the supplied XpmAttributes to XpmReadFileToImage (or other functions of
this type) in order to trigger this issue.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
For long arguments, use labs().
Reviewed-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
|
|
When NO_ZPIPE is defined, fcntl.h is not included in WrFFrI.c
although OpenWriteFile uses open, O_WRONLY, O_CREAT and O_TRUNC.
* src/WrFFrI.c: unconditionally include fcntl.h regardless
of NO_ZPIPE being defined or not.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The filename is always a read-only argument, so it is a good idea
to let the caller know about it.
This patch does not change active code; the place where the attribute
is added will not break source-level compatibility because it adds
no restriction on caller side, just adds information; because the
lib code behaved the same way it will not break the binary interface
either.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Fixes leak found by parfait 1.1 bug checking tool:
File Descriptor Leak: Leaked File Descriptor fd
at line 350 of lib/libXpm/src/WrFFrI.c in function 'OpenWriteFile'.
fd initialized at line 332 with open
fd leaks when strcmp(".Z", (filename + (len - 2))) != 0 at line 337
and strcmp(".gz", (filename + (len - 3))) != 0 at line 340.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
|
|
create.c: In function 'closeness_cmp':
create.c:224:5: warning: cast discards qualifiers from pointer target type
create.c:224:5: warning: cast discards qualifiers from pointer target type
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
This fixes implicit declarations for strdup and strcasecmp.
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reduce some complexity in the src makefile as it should not
handle sibling directories.
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
|
|
It is always included by Automake
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
|
|
CVS tag removal chopped too much out in this case...
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
The ansification code is a minor edit of the patch (by me) at
https://bugs.freedesktop.org/show_bug.cgi?id=14727
as it would not apply cleanly anymore.