head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.10 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.8 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.6 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.4 pkgsrc-2011Q2-base:1.3 pkgsrc-2009Q4:1.3.0.2 pkgsrc-2009Q4-base:1.3 pkgsrc-2009Q3:1.2.0.40 pkgsrc-2009Q3-base:1.2 pkgsrc-2009Q2:1.2.0.38 pkgsrc-2009Q2-base:1.2 pkgsrc-2009Q1:1.2.0.36 pkgsrc-2009Q1-base:1.2 pkgsrc-2008Q4:1.2.0.34 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.32 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.30 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.28 pkgsrc-2008Q2-base:1.2 cwrapper:1.2.0.26 pkgsrc-2008Q1:1.2.0.24 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.22 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.20 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.18 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.16 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.14 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.12 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.10 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.8 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.6 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.4 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.2.0.2 pkgsrc-2005Q2-base:1.2 pkgsrc-2005Q1:1.1.0.6 pkgsrc-2005Q1-base:1.1 pkgsrc-2004Q4:1.1.0.4 pkgsrc-2004Q4-base:1.1 pkgsrc-2004Q3:1.1.0.2 pkgsrc-2004Q3-base:1.1; locks; strict; comment @# @; 1.3 date 2009.12.16.20.07.32; author joerg; state dead; branches; next 1.2; 1.2 date 2005.06.14.18.10.37; author jlam; state Exp; branches; next 1.1; 1.1 date 2004.09.16.15.09.01; author minskim; state Exp; branches; next ; desc @@ 1.3 log @Retire old xpm package. Replaced by x11/libXpm. @ text @$NetBSD: patch-ag,v 1.2 2005/06/14 18:10:37 jlam Exp $ --- lib/create.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/create.c @@@@ -43,6 +43,8 @@@@ * Lorens Younes (d93-hyo@@nada.kth.se) 4/96 */ +/* October 2004, source code review by Thomas Biege */ + #include "XpmI.h" #include @@@@ -517,7 +519,7 @@@@ CreateColors(display, attributes, colors /* variables stored in the XpmAttributes structure */ Visual *visual; Colormap colormap; - XpmColorSymbol *colorsymbols; + XpmColorSymbol *colorsymbols = NULL; unsigned int numsymbols; XpmAllocColorFunc allocColor; void *closure; @@@@ -525,7 +527,7 @@@@ CreateColors(display, attributes, colors char *colorname; unsigned int color, key; Bool pixel_defined; - XpmColorSymbol *symbol; + XpmColorSymbol *symbol = NULL; char **defaults; int ErrorStatus = XpmSuccess; char *s; @@@@ -583,7 +585,7 @@@@ CreateColors(display, attributes, colors */ } else { #endif - int i; + unsigned int i; #ifndef AMIGA ncols = visual->map_entries; @@@@ -743,12 +745,14 @@@@ FreeColors(display, colormap, pixels, n, /* function call in case of error */ + #undef RETURN #define RETURN(status) \ +do \ { \ ErrorStatus = status; \ goto error; \ -} +} while(0) int XpmCreateImageFromXpmImage(display, image, @@@@ -765,7 +769,6 @@@@ XpmCreateImageFromXpmImage(display, imag unsigned int depth; int bitmap_format; XpmFreeColorsFunc freeColors; - void *closure; /* variables to return */ XImage *ximage = NULL; @@@@ -812,13 +815,12 @@@@ XpmCreateImageFromXpmImage(display, imag freeColors = attributes->free_colors; else freeColors = FreeColors; - if (attributes && (attributes->valuemask & XpmColorClosure)) - closure = attributes->color_closure; - else - closure = NULL; ErrorStatus = XpmSuccess; + if (image->ncolors >= UINT_MAX / sizeof(Pixel)) + return (XpmNoMemory); + /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) @@@@ -991,7 +993,13 @@@@ CreateXImage(display, visual, depth, for return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); + return XpmNoMemory; + } /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) + return XpmNoMemory; (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); @@@@ -1020,7 +1028,7 @@@@ CreateXImage(display, visual, depth, for LFUNC(_putbits, void, (register char *src, int dstoffset, register int numbits, register char *dst)); -LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); +LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); static unsigned char Const _reverse_byte[0x100] = { 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, @@@@ -1060,12 +1068,12 @@@@ static unsigned char Const _reverse_byte static int _XReverse_Bytes(bpt, nb) register unsigned char *bpt; - register int nb; + register unsigned int nb; { do { *bpt = _reverse_byte[*bpt]; bpt++; - } while (--nb > 0); + } while (--nb > 0); /* is nb user-controled? */ return 0; } @@@@ -1204,18 +1212,18 @@@@ PutImagePixels(image, width, height, pix register char *src; register char *dst; register unsigned int *iptr; - register int x, y, i; + register unsigned int x, y; register char *data; Pixel pixel, px; - int nbytes, depth, ibu, ibpp; + int nbytes, depth, ibu, ibpp, i; data = image->data; iptr = pixelindex; depth = image->depth; if (depth == 1) { ibu = image->bitmap_unit; - for (y = 0; y < height; y++) - for (x = 0; x < width; x++, iptr++) { + for (y = 0; y < height; y++) /* how can we trust height */ + for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ pixel = pixels[*iptr]; for (i = 0, px = pixel; i < sizeof(unsigned long); i++, px >>= 8) @@@@ -1290,12 +1298,12 @@@@ PutImagePixels32(image, width, height, p { unsigned char *data; unsigned int *iptr; - int y; + unsigned int y; Pixel pixel; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; unsigned char *addr; data = (unsigned char *) image->data; @@@@ -1332,7 +1340,7 @@@@ PutImagePixels32(image, width, height, p #else /* WITHOUT_SPEEDUPS */ - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; unsigned char *data_ptr, *max_data; data = (unsigned char *) image->data; @@@@ -1400,11 +1408,11 @@@@ PutImagePixels16(image, width, height, p { unsigned char *data; unsigned int *iptr; - int y; + unsigned int y; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; unsigned char *addr; data = (unsigned char *) image->data; @@@@ -1428,7 +1436,7 @@@@ PutImagePixels16(image, width, height, p Pixel pixel; - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; unsigned char *data_ptr, *max_data; data = (unsigned char *) image->data; @@@@ -1481,11 +1489,11 @@@@ PutImagePixels8(image, width, height, pi { char *data; unsigned int *iptr; - int y; + unsigned int y; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; data = image->data; iptr = pixelindex; @@@@ -1495,7 +1503,7 @@@@ PutImagePixels8(image, width, height, pi #else /* WITHOUT_SPEEDUPS */ - int bpl = image->bytes_per_line; + unsigned int bpl = image->bytes_per_line; char *data_ptr, *max_data; data = image->data; @@@@ -1530,12 +1538,12 @@@@ PutImagePixels1(image, width, height, pi PutImagePixels(image, width, height, pixelindex, pixels); else { unsigned int *iptr; - int y; + unsigned int y; char *data; #ifdef WITHOUT_SPEEDUPS - int x; + unsigned int x; data = image->data; iptr = pixelindex; @@@@ -1755,10 +1763,12 @@@@ PutPixel1(ximage, x, y, pixel) register char *src; register char *dst; register int i; - register char *data; Pixel px; int nbytes; + if(x < 0 || y < 0) + return 0; + for (i=0, px=pixel; i>=8) ((unsigned char *)&pixel)[i] = px; src = &ximage->data[XYINDEX(x, y, ximage)]; @@@@ -1788,9 +1798,11 @@@@ PutPixel(ximage, x, y, pixel) register char *src; register char *dst; register int i; - register char *data; Pixel px; - int nbytes, ibpp; + unsigned int nbytes, ibpp; + + if(x < 0 || y < 0) + return 0; ibpp = ximage->bits_per_pixel; if (ximage->depth == 4) @@@@ -1823,6 +1835,9 @@@@ PutPixel32(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; *((unsigned long *)addr) = pixel; return 1; @@@@ -1837,6 +1852,9 @@@@ PutPixel32MSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; addr[0] = pixel >> 24; addr[1] = pixel >> 16; @@@@ -1854,6 +1872,9 @@@@ PutPixel32LSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; addr[3] = pixel >> 24; addr[2] = pixel >> 16; @@@@ -1871,6 +1892,9 @@@@ PutPixel16MSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; addr[0] = pixel >> 8; addr[1] = pixel; @@@@ -1886,6 +1910,9 @@@@ PutPixel16LSB(ximage, x, y, pixel) { unsigned char *addr; + if(x < 0 || y < 0) + return 0; + addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; addr[1] = pixel >> 8; addr[0] = pixel; @@@@ -1899,6 +1926,9 @@@@ PutPixel8(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + ximage->data[ZINDEX8(x, y, ximage)] = pixel; return 1; } @@@@ -1910,6 +1940,9 @@@@ PutPixel1MSB(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + if (pixel & 1) ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); else @@@@ -1924,6 +1957,9 @@@@ PutPixel1LSB(ximage, x, y, pixel) int y; unsigned long pixel; { + if(x < 0 || y < 0) + return 0; + if (pixel & 1) ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); else @@@@ -1953,7 +1989,6 @@@@ xpmParseDataAndCreate(display, data, ima unsigned int depth; int bitmap_format; XpmFreeColorsFunc freeColors; - void *closure; /* variables to return */ XImage *ximage = NULL; @@@@ -2011,10 +2046,6 @@@@ xpmParseDataAndCreate(display, data, ima freeColors = attributes->free_colors; else freeColors = FreeColors; - if (attributes && (attributes->valuemask & XpmColorClosure)) - closure = attributes->color_closure; - else - closure = NULL; cmts = info && (info->valuemask & XpmReturnComments); @@@@ -2063,6 +2094,9 @@@@ xpmParseDataAndCreate(display, data, ima xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ + if (ncolors >= UINT_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); @@@@ -2173,7 +2207,7 @@@@ xpmParseDataAndCreate(display, data, ima * free the hastable */ if (ErrorStatus != XpmSuccess) - RETURN(ErrorStatus) + RETURN(ErrorStatus); else if (USE_HASHTABLE) xpmHashTableFree(&hashtable); @@@@ -2364,11 +2398,11 @@@@ if (cidx[f]) XpmFree(cidx[f]);} /* array of pointers malloced by need */ unsigned short *cidx[256]; - int char1; + unsigned int char1; bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ for (a = 0; a < ncolors; a++) { - char1 = colorTable[a].string[0]; + char1 = (unsigned char) colorTable[a].string[0]; if (cidx[char1] == NULL) { /* get new memory */ cidx[char1] = (unsigned short *) XpmCalloc(256, sizeof(unsigned short)); @ 1.2 log @Apply fixes derived from the HEAD branch of X.Org (6.8.99) to address problems noted in CAN-2004-0914: Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitary code via a certain XPM image file. Bump PKGREVISION to 4. Since this is a security-related fix, also bump the BUILDLINK_RECOMMENDED version for this package. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @Incorporate security fixes of X.Org X11R6.8.1. Bump PKGREVISION. @ text @d3 1 a3 1 --- lib/create.c.orig Thu Mar 19 13:51:00 1998 d5 68 a72 1 @@@@ -819,6 +819,9 @@@@ XpmCreateImageFromXpmImage(display, imag d76 1 a76 1 + if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) d82 1 a82 1 @@@@ -991,6 +994,8 @@@@ CreateXImage(display, visual, depth, for d86 2 a87 1 + if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) d89 1 d91 2 d95 261 a355 1 @@@@ -2063,6 +2068,9 @@@@ xpmParseDataAndCreate(display, data, ima d359 2 a360 2 + if (ncolors >= SIZE_MAX / sizeof(Pixel)) + return XpmNoMemory; d365 15 a379 17 @@@@ -2317,7 +2325,8 @@@@ ParseAndPutPixels( } obm = SelectObject(*dc, image->bitmap); #endif - + if (ncolors > 256) + return (XpmFileInvalid); bzero((char *)colidx, 256 * sizeof(short)); for (a = 0; a < ncolors; a++) @@@@ -2422,6 +2431,9 @@@@ if (cidx[f]) XpmFree(cidx[f]);} { char *s; char buf[BUFSIZ]; + + if (cpp >= sizeof(buf)) + return (XpmFileInvalid); d381 7 a387 2 buf[cpp] = '\0'; if (USE_HASHTABLE) { @