head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.10 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.8 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.6 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.4 pkgsrc-2011Q2-base:1.4 pkgsrc-2009Q4:1.4.0.2 pkgsrc-2009Q4-base:1.4 pkgsrc-2009Q3:1.3.0.40 pkgsrc-2009Q3-base:1.3 pkgsrc-2009Q2:1.3.0.38 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.3.0.36 pkgsrc-2009Q1-base:1.3 pkgsrc-2008Q4:1.3.0.34 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.32 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.30 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.28 pkgsrc-2008Q2-base:1.3 cwrapper:1.3.0.26 pkgsrc-2008Q1:1.3.0.24 pkgsrc-2008Q1-base:1.3 pkgsrc-2007Q4:1.3.0.22 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.20 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.3.0.18 pkgsrc-2007Q2-base:1.3 pkgsrc-2007Q1:1.3.0.16 pkgsrc-2007Q1-base:1.3 pkgsrc-2006Q4:1.3.0.14 pkgsrc-2006Q4-base:1.3 pkgsrc-2006Q3:1.3.0.12 pkgsrc-2006Q3-base:1.3 pkgsrc-2006Q2:1.3.0.10 pkgsrc-2006Q2-base:1.3 pkgsrc-2006Q1:1.3.0.8 pkgsrc-2006Q1-base:1.3 pkgsrc-2005Q4:1.3.0.6 pkgsrc-2005Q4-base:1.3 pkgsrc-2005Q3:1.3.0.4 pkgsrc-2005Q3-base:1.3 pkgsrc-2005Q2:1.3.0.2 pkgsrc-2005Q2-base:1.3 pkgsrc-2005Q1:1.2.0.2 pkgsrc-2005Q1-base:1.2 pkgsrc-2004Q4:1.1.0.4 pkgsrc-2004Q4-base:1.1 pkgsrc-2004Q3:1.1.0.2 pkgsrc-2004Q3-base:1.1; locks; strict; comment @# @; 1.4 date 2009.12.16.20.07.32; author joerg; state dead; branches; next 1.3; 1.3 date 2005.06.14.18.10.37; author jlam; state Exp; branches; next 1.2; 1.2 date 2005.03.10.15.23.10; author wiz; state Exp; branches; next 1.1; 1.1 date 2004.09.16.15.09.01; author minskim; state Exp; branches 1.1.4.1; next ; 1.1.4.1 date 2005.03.11.06.38.33; author snj; state Exp; branches; next ; desc @@ 1.4 log @Retire old xpm package. Replaced by x11/libXpm. @ text @$NetBSD: patch-ak,v 1.3 2005/06/14 18:10:37 jlam Exp $ --- lib/scan.c.orig 1998-03-19 14:51:00.000000000 -0500 +++ lib/scan.c @@@@ -42,6 +42,8 @@@@ * Lorens Younes (d93-hyo@@nada.kth.se) 4/96 */ +/* October 2004, source code review by Thomas Biege */ + #include "XpmI.h" #define MAXPRINTABLE 92 /* number of printable ascii chars @@@@ -103,7 +105,8 @@@@ LFUNC(MSWGetImagePixels, int, (Display * LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, XpmAttributes *attributes)); -LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, +LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, + unsigned int ncolors, Pixel *pixels, unsigned int mask, unsigned int cpp, XpmAttributes *attributes)); @@@@ -167,10 +170,10 @@@@ storeMaskPixel(pixel, pmap, index_return /* function call in case of error */ #undef RETURN #define RETURN(status) \ -{ \ +do { \ ErrorStatus = status; \ goto error; \ -} +} while(0) /* * This function scans the given image and stores the found informations in @@@@ -191,7 +194,7 @@@@ XpmCreateXpmImageFromImage(display, imag /* variables to return */ PixelsMap pmap; XpmColor *colorTable = NULL; - int ErrorStatus; + int ErrorStatus = 0; /* calculation variables */ unsigned int width = 0; @@@@ -228,11 +231,17 @@@@ XpmCreateXpmImageFromImage(display, imag else cpp = 0; + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) + RETURN(XpmNoMemory); pmap.pixelindex = (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); if (!pmap.pixelindex) RETURN(XpmNoMemory); + if (pmap.size >= UINT_MAX / sizeof(Pixel)) + RETURN(XpmNoMemory); + pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); if (!pmap.pixels) RETURN(XpmNoMemory); @@@@ -297,7 +306,8 @@@@ XpmCreateXpmImageFromImage(display, imag * get rgb values and a string of char, and possibly a name for each * color */ - + if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor)) + RETURN(XpmNoMemory); colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); if (!colorTable) RETURN(XpmNoMemory); @@@@ -356,6 +366,8 @@@@ ScanTransparentColor(color, cpp, attribu /* first get a character string */ a = 0; + if (cpp >= UINT_MAX - 1) + return (XpmNoMemory); if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) return (XpmNoMemory); *s++ = printable[c = a % MAXPRINTABLE]; @@@@ -403,7 +415,7 @@@@ static int ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) Display *display; XpmColor *colors; - int ncolors; + unsigned int ncolors; Pixel *pixels; unsigned int mask; unsigned int cpp; @@@@ -423,10 +435,10 @@@@ ScanOtherColors(display, colors, ncolors XpmColor *color; XColor *xcolors = NULL, *xcolor; char *colorname, *s; - XpmColor *colorTable, **oldColorTable = NULL; + XpmColor *colorTable = NULL, **oldColorTable = NULL; unsigned int ancolors = 0; - Pixel *apixels; - unsigned int mask_pixel; + Pixel *apixels = NULL; + unsigned int mask_pixel = 0; Bool found; /* retrieve information from the XpmAttributes */ @@@@ -447,6 +459,8 @@@@ ScanOtherColors(display, colors, ncolors } /* first get character strings and rgb values */ + if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1) + return (XpmNoMemory); xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); if (!xcolors) return (XpmNoMemory); @@@@ -603,8 +617,8 @@@@ GetImagePixels(image, width, height, pma char *dst; unsigned int *iptr; char *data; - int x, y, i; - int bits, depth, ibu, ibpp, offset; + unsigned int x, y; + int bits, depth, ibu, ibpp, offset, i; unsigned long lbt; Pixel pixel, px; @@@@ -615,6 +629,9 @@@@ GetImagePixels(image, width, height, pma ibpp = image->bits_per_pixel; offset = image->xoffset; + if (image->bitmap_unit < 0) + return (XpmNoMemory); + if ((image->bits_per_pixel | image->depth) == 1) { ibu = image->bitmap_unit; for (y = 0; y < height; y++) @@@@ -705,7 +722,7 @@@@ GetImagePixels32(image, width, height, p unsigned char *addr; unsigned char *data; unsigned int *iptr; - int x, y; + unsigned int x, y; unsigned long lbt; Pixel pixel; int depth; @@@@ -770,7 +787,7 @@@@ GetImagePixels16(image, width, height, p unsigned char *addr; unsigned char *data; unsigned int *iptr; - int x, y; + unsigned int x, y; unsigned long lbt; Pixel pixel; int depth; @@@@ -815,7 +832,7 @@@@ GetImagePixels8(image, width, height, pm { unsigned int *iptr; unsigned char *data; - int x, y; + unsigned int x, y; unsigned long lbt; Pixel pixel; int depth; @@@@ -848,7 +865,7 @@@@ GetImagePixels1(image, width, height, pm int (*storeFunc) (); { unsigned int *iptr; - int x, y; + unsigned int x, y; char *data; Pixel pixel; int xoff, yoff, offset, bpl; @@@@ -884,11 +901,11 @@@@ GetImagePixels1(image, width, height, pm # else /* AMIGA */ #define CLEAN_UP(status) \ -{\ +do {\ if (pixels) XpmFree (pixels);\ if (tmp_img) FreeXImage (tmp_img);\ return (status);\ -} +} while(0) static int AGetImagePixels ( @@@@ -909,7 +926,7 @@@@ AGetImagePixels ( tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth); if (tmp_img == NULL) - CLEAN_UP (XpmNoMemory) + CLEAN_UP (XpmNoMemory); iptr = pmap->pixelindex; for (y = 0; y < height; ++y) @@@@ -918,11 +935,11 @@@@ AGetImagePixels ( for (x = 0; x < width; ++x, ++iptr) { if ((*storeFunc) (pixels[x], pmap, iptr)) - CLEAN_UP (XpmNoMemory) + CLEAN_UP (XpmNoMemory); } } - CLEAN_UP (XpmSuccess) + CLEAN_UP (XpmSuccess); } #undef CLEAN_UP @ 1.3 log @Apply fixes derived from the HEAD branch of X.Org (6.8.99) to address problems noted in CAN-2004-0914: Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitary code via a certain XPM image file. Bump PKGREVISION to 4. Since this is a security-related fix, also bump the BUILDLINK_RECOMMENDED version for this package. @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Add patch to fix CAN-2005-0605. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-ak,v 1.1 2004/09/16 15:09:01 minskim Exp $ d3 1 a3 1 --- lib/scan.c.orig 1998-03-19 20:51:00.000000000 +0100 d5 10 a14 1 @@@@ -103,7 +103,8 @@@@ LFUNC(MSWGetImagePixels, int, (Display * d19 2 a20 2 +LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, + unsigned int ncolors, d24 23 a46 1 @@@@ -228,11 +229,17 @@@@ XpmCreateXpmImageFromImage(display, imag d50 2 a51 2 + if ((height > 0 && width >= SIZE_MAX / height) || + width * height >= SIZE_MAX / sizeof(unsigned int)) d58 1 a58 1 + if (pmap.size >= SIZE_MAX / sizeof(Pixel)) d64 2 a65 1 @@@@ -298,6 +305,8 @@@@ XpmCreateXpmImageFromImage(display, imag d68 2 a69 2 + if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) d74 1 a74 1 @@@@ -356,6 +365,8 @@@@ ScanTransparentColor(color, cpp, attribu d78 1 a78 1 + if (cpp >= SIZE_MAX - 1) d83 1 a83 1 @@@@ -403,7 +414,7 @@@@ static int d92 15 a106 1 @@@@ -447,6 +458,8 @@@@ ScanOtherColors(display, colors, ncolors d110 1 a110 1 + if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) d115 12 a126 1 @@@@ -615,6 +628,9 @@@@ GetImagePixels(image, width, height, pma d131 1 a131 1 + return (XpmNoMemory); d136 73 @ 1.1 log @Incorporate security fixes of X.Org X11R6.8.1. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- lib/scan.c.orig Thu Mar 19 13:51:00 1998 d69 10 @ 1.1.4.1 log @Pullup ticket 350 - requested by Lubomir Sedlacik security fix for xpm Revisions pulled up: - pkgsrc/graphics/xpm/Makefile 1.39 - pkgsrc/graphics/xpm/distinfo 1.12 - pkgsrc/graphics/xpm/patches/patch-ak 1.2 Module Name: pkgsrc Committed By: wiz Date: Thu Mar 10 15:23:10 UTC 2005 Modified Files: pkgsrc/graphics/xpm: Makefile distinfo pkgsrc/graphics/xpm/patches: patch-ak Log Message: Add patch to fix CAN-2005-0605. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-ak,v 1.2 2005/03/10 15:23:10 wiz Exp $ d3 1 a3 1 --- lib/scan.c.orig 1998-03-19 20:51:00.000000000 +0100 a68 10 @@@@ -615,6 +628,9 @@@@ GetImagePixels(image, width, height, pma ibpp = image->bits_per_pixel; offset = image->xoffset; + if (image->bitmap_unit < 0) + return (XpmNoMemory); + if ((image->bits_per_pixel | image->depth) == 1) { ibu = image->bitmap_unit; for (y = 0; y < height; y++) @