From a983dafac59dcb425666a5a5556da4734e50c6c5 Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Tue, 21 Sep 2004 17:57:35 +0000 Subject: Merged over libXpm security fix provided by Chris Evans, Matthieu Herrb and Alan Coopersmith from release 6.8.1. Fail during initialization with error if font/fontset is not set for widget. This prevents a sig11 later when the non-existent font/fontset structs are referenced. Check if xf86Info.kbdProc pointer is really set before calling it on abort as this pointer won't be set if the new modular keyboard driver is used (Matthias Hopf). Added new libs to the bindist control files. Removed inclusion of unnecessary kernel header on Linux. This may fail in an -ansi environment. --- src/scan.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'src/scan.c') diff --git a/src/scan.c b/src/scan.c index 4142e7f..230c7e6 100644 --- a/src/scan.c +++ b/src/scan.c @@ -107,7 +107,8 @@ LFUNC(MSWGetImagePixels, int, (Display *d, XImage *image, unsigned int width, LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, XpmAttributes *attributes)); -LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, +LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, + unsigned int ncolors, Pixel *pixels, unsigned int mask, unsigned int cpp, XpmAttributes *attributes)); @@ -232,11 +233,17 @@ XpmCreateXpmImageFromImage(display, image, shapeimage, else cpp = 0; + if ((height > 0 && width >= SIZE_MAX / height) || + width * height >= SIZE_MAX / sizeof(unsigned int)) + RETURN(XpmNoMemory); pmap.pixelindex = (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); if (!pmap.pixelindex) RETURN(XpmNoMemory); + if (pmap.size >= SIZE_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); + pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); if (!pmap.pixels) RETURN(XpmNoMemory); @@ -301,7 +308,8 @@ XpmCreateXpmImageFromImage(display, image, shapeimage, * get rgb values and a string of char, and possibly a name for each * color */ - + if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) + RETURN(XpmNoMemory); colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); if (!colorTable) RETURN(XpmNoMemory); @@ -360,6 +368,8 @@ ScanTransparentColor(color, cpp, attributes) /* first get a character string */ a = 0; + if (cpp >= SIZE_MAX - 1) + return (XpmNoMemory); if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) return (XpmNoMemory); *s++ = printable[c = a % MAXPRINTABLE]; @@ -407,7 +417,7 @@ static int ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) Display *display; XpmColor *colors; - int ncolors; + unsigned int ncolors; Pixel *pixels; unsigned int mask; unsigned int cpp; @@ -451,6 +461,8 @@ ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) } /* first get character strings and rgb values */ + if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) + return (XpmNoMemory); xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); if (!xcolors) return (XpmNoMemory); -- cgit v1.2.3