1 Index: extras/Xpm/lib/Attrib.c
2 ===================================================================
3 RCS file: /cvs/XF4/xc/extras/Xpm/lib/Attrib.c,v
4 retrieving revision 1.2
6 --- extras/Xpm/lib/Attrib.c 1 Sep 2004 21:01:32 -0000 1.2
7 +++ extras/Xpm/lib/Attrib.c 14 Nov 2004 13:45:02 -0000
9 * Developed by Arnaud Le Hors *
10 \*****************************************************************************/
12 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
16 /* 3.2 backward compatibility code */
17 LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
20 -LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
21 +LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
24 * Create a colortable compatible with the old style colortable
28 XpmColor **colorTable, **color;
32 - if (ncolors >= SIZE_MAX / sizeof(XpmColor *))
33 + if (ncolors >= UINT_MAX / sizeof(XpmColor *))
36 colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
39 FreeOldColorTable(colorTable, ncolors)
40 XpmColor **colorTable;
42 + unsigned int ncolors;
54 + if (extensions && nextensions > 0) {
55 for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
58 Index: extras/Xpm/lib/CrBufFrI.c
59 ===================================================================
60 RCS file: /cvs/XF4/xc/extras/Xpm/lib/CrBufFrI.c,v
61 retrieving revision 1.2
62 diff -u -r1.2 CrBufFrI.c
63 --- extras/Xpm/lib/CrBufFrI.c 2 Nov 2004 23:26:39 -0000 1.2
64 +++ extras/Xpm/lib/CrBufFrI.c 14 Nov 2004 13:45:02 -0000
67 * Developed by Arnaud Le Hors *
68 \*****************************************************************************/
70 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
76 unsigned int *used_size, XpmColor *colors,
77 unsigned int ncolors, unsigned int cpp));
79 -LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size,
80 +LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
81 + unsigned int *used_size,
82 unsigned int width, unsigned int height,
83 unsigned int cpp, unsigned int *pixels,
86 -LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size,
87 +LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
88 + unsigned int *used_size,
89 XpmExtension *ext, unsigned int num));
91 -LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));
92 +LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
93 LFUNC(CommentsSize, int, (XpmInfo *info));
99 #define RETURN(status) \
102 ErrorStatus = status; \
108 XpmCreateBufferFromXpmImage(buffer_return, image, info)
110 unsigned int cmts, extensions, ext_size = 0;
111 unsigned int l, cmt_size = 0;
112 char *ptr = NULL, *p;
113 - unsigned int ptr_size, used_size;
114 + unsigned int ptr_size, used_size, tmp;
116 *buffer_return = NULL;
120 used_size = strlen(buf);
122 - ptr_size = used_size + ext_size + cmt_size + 1;
123 + ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
124 + if(ptr_size <= used_size ||
125 + ptr_size <= ext_size ||
126 + ptr_size <= cmt_size)
128 + return XpmNoMemory;
130 ptr = (char *) XpmMalloc(ptr_size);
137 - sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt);
138 + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
140 used_size += strlen(info->hints_cmt) + 5;
146 - sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);
147 + snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
156 + RETURN(XpmNoMemory);
157 p = (char *) XpmRealloc(ptr, ptr_size);
164 - sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt);
165 + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
167 used_size += strlen(info->colors_cmt) + 5;
170 * 4 = 1 (for '"') + 3 (for '",\n')
171 * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
173 - ptr_size += image->height * (image->width * image->cpp + 4) + 1;
174 + if(image->width > UINT_MAX / image->cpp ||
175 + (tmp = image->width * image->cpp + 4) <= 4 ||
176 + image->height > UINT_MAX / tmp ||
177 + (tmp = image->height * tmp + 1) <= 1 ||
178 + (ptr_size += tmp) <= tmp)
179 + RETURN(XpmNoMemory);
181 p = (char *) XpmRealloc(ptr, ptr_size);
183 @@ -220,17 +239,17 @@
187 - sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt);
188 + snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
190 used_size += strlen(info->pixels_cmt) + 5;
193 - WritePixels(ptr + used_size, &used_size, image->width, image->height,
194 + WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
195 image->cpp, image->data, image->colorTable);
197 /* print extensions */
199 - WriteExtensions(ptr + used_size, &used_size,
200 + WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
201 info->extensions, info->nextensions);
203 /* close the array */
205 return (ErrorStatus);
210 WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
213 unsigned int ncolors;
217 + char buf[BUFSIZ] = {0};
218 unsigned int a, key, l;
223 defaults = (char **) colors;
225 + if(cpp > (sizeof(buf) - (s-buf)))
226 + return(XpmNoMemory);
227 strncpy(s, *defaults++, cpp);
230 @@ -274,14 +296,24 @@
234 - sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);
235 + /* assume C99 compliance */
236 + snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
240 + /* now let's check if s points out-of-bounds */
241 + if((s-buf) > sizeof(buf))
242 + return(XpmNoMemory);
245 + if(sizeof(buf) - (s-buf) < 4)
246 + return(XpmNoMemory);
249 + if( *data_size >= UINT_MAX-l ||
250 + *data_size + l <= *used_size ||
251 + (*data_size + l - *used_size) <= sizeof(buf))
252 + return(XpmNoMemory);
253 s = (char *) XpmRealloc(*dataptr, *data_size + l);
255 return (XpmNoMemory);
260 -WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)
261 +WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
263 + unsigned int data_size;
264 unsigned int *used_size;
267 @@ -306,27 +339,36 @@
269 unsigned int x, y, h;
275 for (y = 0; y < h; y++) {
277 for (x = 0; x < width; x++, pixels++) {
278 - strncpy(s, colors[*pixels].string, cpp);
279 + if(cpp >= (data_size - (s-dataptr)))
281 + strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
284 + if((data_size - (s-dataptr)) < 4)
289 /* duplicate some code to avoid a test in the loop */
291 for (x = 0; x < width; x++, pixels++) {
292 - strncpy(s, colors[*pixels].string, cpp);
293 + if(cpp >= (data_size - (s-dataptr)))
295 + strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
299 *used_size += s - dataptr;
304 ExtensionsSize(ext, num)
307 @@ -335,21 +377,26 @@
312 + return(0); /* ok? */
313 for (x = 0; x < num; x++, ext++) {
314 /* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
315 size += strlen(ext->name) + 11;
317 + a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
318 for (y = 0, line = ext->lines; y < a; y++, line++)
319 /* 4 = 3 (for ',\n"') + 1 (for '"') */
320 size += strlen(*line) + 4;
322 /* 13 is for ',\n"XPMENDEXT"' */
323 + if(size > UINT_MAX - 13) /* unlikely */
329 -WriteExtensions(dataptr, used_size, ext, num)
330 +WriteExtensions(dataptr, data_size, used_size, ext, num)
332 + unsigned int data_size;
333 unsigned int *used_size;
340 - sprintf(s, ",\n\"XPMEXT %s\"", ext->name);
341 + snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
343 s += strlen(ext->name) + 11;
345 @@ -371,13 +418,13 @@
349 - sprintf(s, ",\n\"%s\"", *line);
350 + snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
352 s += strlen(*line) + 4;
356 - strcpy(s, ",\n\"XPMENDEXT\"");
357 + strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
358 *used_size += s - dataptr + 13;
364 /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
365 + /* wrap possible but *very* unlikely */
367 size += 5 + strlen(info->hints_cmt);
369 Index: extras/Xpm/lib/CrDatFrI.c
370 ===================================================================
371 RCS file: /cvs/XF4/xc/extras/Xpm/lib/CrDatFrI.c,v
372 retrieving revision 1.3
373 diff -u -r1.3 CrDatFrI.c
374 --- extras/Xpm/lib/CrDatFrI.c 2 Nov 2004 23:26:39 -0000 1.3
375 +++ extras/Xpm/lib/CrDatFrI.c 14 Nov 2004 13:45:02 -0000
377 \*****************************************************************************/
380 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
384 LFUNC(CreateColors, int, (char **dataptr, unsigned int *data_size,
385 XpmColor *colors, unsigned int ncolors,
388 -LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,
389 +LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
390 + unsigned int width,
391 unsigned int height, unsigned int cpp,
392 unsigned int *pixels, XpmColor *colors));
395 unsigned int *ext_size,
396 unsigned int *ext_nlines));
398 -LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,
399 +LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
400 + unsigned int offset,
401 XpmExtension *ext, unsigned int num,
402 unsigned int ext_nlines));
407 #define RETURN(status) \
410 ErrorStatus = status; \
416 XpmCreateDataFromXpmImage(data_return, image, info)
417 @@ -122,11 +127,17 @@
418 * alloc a temporary array of char pointer for the header section which
419 * is the hints line + the color table lines
421 - header_nlines = 1 + image->ncolors;
422 + header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */
424 + /* 2nd check superfluous if we do not need header_nlines any further */
425 + if(header_nlines <= image->ncolors ||
426 + header_nlines >= UINT_MAX / sizeof(char *))
427 + return(XpmNoMemory);
429 header_size = sizeof(char *) * header_nlines;
430 - if (header_size >= SIZE_MAX / sizeof(char *))
431 + if (header_size >= UINT_MAX / sizeof(char *))
432 return (XpmNoMemory);
433 - header = (char **) XpmCalloc(header_size, sizeof(char *));
434 + header = (char **) XpmCalloc(header_size, sizeof(char *)); /* can we trust image->ncolors */
436 return (XpmNoMemory);
440 /* now we know the size needed, alloc the data and copy the header lines */
441 offset = image->width * image->cpp + 1;
442 - data_size = header_size + (image->height + ext_nlines) * sizeof(char *)
443 - + image->height * offset + ext_size;
445 + if(offset <= image->width || offset <= image->cpp)
446 + RETURN(XpmNoMemory);
448 + if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
449 + RETURN(XpmNoMemory);
450 + data_size = (image->height + ext_nlines) * sizeof(char *);
452 + if (image->height > UINT_MAX / offset ||
453 + image->height * offset > UINT_MAX - data_size)
454 + RETURN(XpmNoMemory);
455 + data_size += image->height * offset;
457 + if( (header_size + ext_size) >= (UINT_MAX - data_size) )
458 + RETURN(XpmNoMemory);
459 + data_size += header_size + ext_size;
461 data = (char **) XpmMalloc(data_size);
465 data_nlines = header_nlines + image->height + ext_nlines;
466 *data = (char *) (data + data_nlines);
468 + /* can header have less elements then n suggests? */
470 - for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {
471 + for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
472 strcpy(*sptr, *sptr2);
473 *(sptr + 1) = *sptr + strlen(*sptr2) + 1;
475 @@ -189,12 +216,13 @@
476 data[header_nlines] = (char *) data + header_size
477 + (image->height + ext_nlines) * sizeof(char *);
479 - CreatePixels(data + header_nlines, image->width, image->height,
480 + CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
481 image->cpp, image->data, image->colorTable);
483 /* print extensions */
485 - CreateExtensions(data + header_nlines + image->height - 1, offset,
486 + CreateExtensions(data + header_nlines + image->height - 1,
487 + data_size - header_nlines - image->height + 1, offset,
488 info->extensions, info->nextensions,
491 @@ -225,23 +253,34 @@
495 + /* can ncolors be trusted here? */
496 for (a = 0; a < ncolors; a++, colors++, dataptr++) {
498 defaults = (char **) colors;
499 + if(sizeof(buf) <= cpp)
500 + return(XpmNoMemory);
501 strncpy(buf, *defaults++, cpp);
504 + if(sizeof(buf) <= (s-buf))
505 + return XpmNoMemory;
507 for (key = 1; key <= NKEYS; key++, defaults++) {
508 if ((s2 = *defaults)) {
512 - sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);
513 + /* assume C99 compliance */
514 + snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
518 + /* does s point out-of-bounds? */
519 + if(sizeof(buf) < (s-buf))
520 + return XpmNoMemory;
523 + /* what about using strdup()? */
525 s = (char *) XpmMalloc(l);
531 -CreatePixels(dataptr, width, height, cpp, pixels, colors)
532 +CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
534 + unsigned int data_size;
538 @@ -264,21 +304,38 @@
540 unsigned int x, y, h, offset;
547 offset = width * cpp + 1;
549 + if(offset <= width || offset <= cpp)
553 for (y = 0; y < h; y++, dataptr++) {
555 + /* why trust width? */
556 for (x = 0; x < width; x++, pixels++) {
557 - strncpy(s, colors[*pixels].string, cpp);
558 + if(cpp > (data_size - (s - *dataptr)))
560 + strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */
564 + if(offset > data_size)
566 *(dataptr + 1) = *dataptr + offset;
568 /* duplicate some code to avoid a test in the loop */
570 + /* why trust width? */
571 for (x = 0; x < width; x++, pixels++) {
572 - strncpy(s, colors[*pixels].string, cpp);
573 + if(cpp > data_size - (s - *dataptr))
575 + strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? */
583 -CreateExtensions(dataptr, offset, ext, num, ext_nlines)
584 +CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
586 + unsigned int data_size;
590 @@ -325,12 +383,12 @@
593 for (x = 0; x < num; x++, ext++) {
594 - sprintf(*dataptr, "XPMEXT %s", ext->name);
595 + snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
598 *(dataptr + 1) = *dataptr + strlen(ext->name) + 8;
601 + b = ext->nlines; /* can we trust these values? */
602 for (y = 0, line = ext->lines; y < b; y++, line++) {
603 strcpy(*dataptr, *line);
605 Index: extras/Xpm/lib/Imakefile
606 ===================================================================
607 RCS file: /cvs/XF4/xc/extras/Xpm/lib/Imakefile,v
608 retrieving revision 1.1.1.1
609 diff -u -r1.1.1.1 Imakefile
610 --- extras/Xpm/lib/Imakefile 15 Feb 2001 07:59:10 -0000 1.1.1.1
611 +++ extras/Xpm/lib/Imakefile 14 Nov 2004 13:45:02 -0000
612 @@ -104,13 +104,15 @@
613 CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
614 CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
615 CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
616 - Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c
617 + Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
620 OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
621 CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
622 CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \
623 CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
624 - Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o
625 + Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
629 LINTLIBS = $(LINTXTOLL) $(LINTXLIB)
630 Index: extras/Xpm/lib/RdFToBuf.c
631 ===================================================================
632 RCS file: /cvs/XF4/xc/extras/Xpm/lib/RdFToBuf.c,v
633 retrieving revision 1.1.1.1
634 diff -u -r1.1.1.1 RdFToBuf.c
635 --- extras/Xpm/lib/RdFToBuf.c 15 Feb 2001 07:59:10 -0000 1.1.1.1
636 +++ extras/Xpm/lib/RdFToBuf.c 14 Nov 2004 13:45:02 -0000
638 * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
641 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
644 #include <sys/stat.h>
645 #if !defined(FOR_MSW) && !defined(WIN32)
648 char **buffer_return;
650 - int fd, fcheck, len;
658 return XpmOpenFailed;
660 - len = (int) stats.st_size;
661 + len = stats.st_size;
662 ptr = (char *) XpmMalloc(len + 1);
665 Index: extras/Xpm/lib/RdFToI.c
666 ===================================================================
667 RCS file: /cvs/XF4/xc/extras/Xpm/lib/RdFToI.c,v
668 retrieving revision 1.2
669 diff -u -r1.2 RdFToI.c
670 --- extras/Xpm/lib/RdFToI.c 2 Nov 2004 23:26:39 -0000 1.2
671 +++ extras/Xpm/lib/RdFToI.c 14 Nov 2004 13:45:02 -0000
673 \*****************************************************************************/
676 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
679 #include <sys/stat.h>
680 #if !defined(NO_ZPIPE) && defined(WIN32)
683 * open the given file to be read as an xpmData which is returned.
686 + FILE *s_popen(char *cmd, const char *type);
688 +# define s_popen popen
692 OpenReadFile(filename, mdata)
694 @@ -141,17 +149,21 @@
695 mdata->type = XPMFILE;
698 - int len = strlen(filename);
699 + size_t len = strlen(filename);
702 + filename[len-1] == '/')
703 + return(XpmOpenFailed);
704 if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
705 mdata->type = XPMPIPE;
706 - sprintf(buf, "uncompress -c \"%s\"", filename);
707 - if (!(mdata->stream.file = popen(buf, "r")))
708 + snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
709 + if (!(mdata->stream.file = s_popen(buf, "r")))
710 return (XpmOpenFailed);
712 } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
713 mdata->type = XPMPIPE;
714 - sprintf(buf, "gunzip -qc \"%s\"", filename);
715 - if (!(mdata->stream.file = popen(buf, "r")))
716 + snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
717 + if (!(mdata->stream.file = s_popen(buf, "r")))
718 return (XpmOpenFailed);
721 @@ -159,19 +171,19 @@
722 if (!(compressfile = (char *) XpmMalloc(len + 4)))
723 return (XpmNoMemory);
725 - sprintf(compressfile, "%s.Z", filename);
726 + snprintf(compressfile, len+4, "%s.Z", filename);
727 if (!stat(compressfile, &status)) {
728 - sprintf(buf, "uncompress -c \"%s\"", compressfile);
729 - if (!(mdata->stream.file = popen(buf, "r"))) {
730 + snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
731 + if (!(mdata->stream.file = s_popen(buf, "r"))) {
732 XpmFree(compressfile);
733 return (XpmOpenFailed);
735 mdata->type = XPMPIPE;
737 - sprintf(compressfile, "%s.gz", filename);
738 + snprintf(compressfile, len+4, "%s.gz", filename);
739 if (!stat(compressfile, &status)) {
740 - sprintf(buf, "gunzip -c \"%s\"", compressfile);
741 - if (!(mdata->stream.file = popen(buf, "r"))) {
742 + snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
743 + if (!(mdata->stream.file = s_popen(buf, "r"))) {
744 XpmFree(compressfile);
745 return (XpmOpenFailed);
751 - pclose(mdata->stream.file);
752 + fclose(mdata->stream.file);
756 Index: extras/Xpm/lib/WrFFrBuf.c
757 ===================================================================
758 RCS file: /cvs/XF4/xc/extras/Xpm/lib/WrFFrBuf.c,v
759 retrieving revision 1.1.1.1
760 diff -u -r1.1.1.1 WrFFrBuf.c
761 --- extras/Xpm/lib/WrFFrBuf.c 15 Feb 2001 07:59:10 -0000 1.1.1.1
762 +++ extras/Xpm/lib/WrFFrBuf.c 14 Nov 2004 13:45:02 -0000
764 * Developed by Arnaud Le Hors *
765 \*****************************************************************************/
767 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
773 fcheck = fwrite(buffer, len, 1, fp);
776 - return XpmOpenFailed;
777 + return XpmOpenFailed; /* maybe use a better return value */
781 Index: extras/Xpm/lib/WrFFrI.c
782 ===================================================================
783 RCS file: /cvs/XF4/xc/extras/Xpm/lib/WrFFrI.c,v
784 retrieving revision 1.3
785 diff -u -r1.3 WrFFrI.c
786 --- extras/Xpm/lib/WrFFrI.c 2 Nov 2004 23:26:39 -0000 1.3
787 +++ extras/Xpm/lib/WrFFrI.c 14 Nov 2004 13:45:02 -0000
789 * Lorens Younes (d93-hyo@nada.kth.se) 4/96
792 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
795 #if !defined(NO_ZPIPE) && defined(WIN32)
796 # define popen _popen
801 - char *name, *dot, *s, new_name[BUFSIZ];
802 + char *name, *dot, *s, new_name[BUFSIZ] = {0};
805 /* open file to write */
808 /* let's try to make a valid C syntax name */
809 if (index(name, '.')) {
810 - strcpy(new_name, name);
811 + strncpy(new_name, name, sizeof(new_name));
812 + new_name[sizeof(new_name)-1] = 0;
813 /* change '.' to '_' */
815 while ((dot = index(s, '.'))) {
818 if (index(name, '-')) {
819 if (name != new_name) {
820 - strcpy(new_name, name);
821 + strncpy(new_name, name, sizeof(new_name));
822 + new_name[sizeof(new_name)-1] = 0;
825 /* change '-' to '_' */
827 unsigned int x, y, h;
830 - if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)
831 + if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
833 p = buf = (char *) XpmMalloc(width * cpp + 3);
837 * open the given file to be written as an xpmData which is returned
840 + FILE *s_popen(char *cmd, const char *type);
842 +# define s_popen popen
845 OpenWriteFile(filename, mdata)
847 @@ -315,16 +324,23 @@
848 mdata->type = XPMFILE;
851 - int len = strlen(filename);
852 + size_t len = strlen(filename);
855 + filename[0] == '/' ||
856 + strstr(filename, "../") != NULL ||
857 + filename[len-1] == '/')
858 + return(XpmOpenFailed);
860 if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
861 - sprintf(buf, "compress > \"%s\"", filename);
862 - if (!(mdata->stream.file = popen(buf, "w")))
863 + snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
864 + if (!(mdata->stream.file = s_popen(buf, "w")))
865 return (XpmOpenFailed);
867 mdata->type = XPMPIPE;
868 } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
869 - sprintf(buf, "gzip -q > \"%s\"", filename);
870 - if (!(mdata->stream.file = popen(buf, "w")))
871 + snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
872 + if (!(mdata->stream.file = s_popen(buf, "w")))
873 return (XpmOpenFailed);
875 mdata->type = XPMPIPE;
880 - pclose(mdata->stream.file);
881 + fclose(mdata->stream.file);
885 Index: extras/Xpm/lib/XpmI.h
886 ===================================================================
887 RCS file: /cvs/XF4/xc/extras/Xpm/lib/XpmI.h,v
888 retrieving revision 1.8
890 --- extras/Xpm/lib/XpmI.h 2 Nov 2004 23:26:39 -0000 1.8
891 +++ extras/Xpm/lib/XpmI.h 14 Nov 2004 13:45:03 -0000
893 * lets try to solve include files
896 +#include <sys/types.h>
900 /* stdio.h doesn't declare popen on a Sequent DYNIX OS */
902 extern FILE *popen();
903 Index: extras/Xpm/lib/create.c
904 ===================================================================
905 RCS file: /cvs/XF4/xc/extras/Xpm/lib/create.c,v
906 retrieving revision 1.5
907 diff -u -r1.5 create.c
908 --- extras/Xpm/lib/create.c 2 Nov 2004 23:26:39 -0000 1.5
909 +++ extras/Xpm/lib/create.c 14 Nov 2004 13:45:05 -0000
911 * Lorens Younes (d93-hyo@nada.kth.se) 4/96
914 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
927 ncols = visual->map_entries;
928 @@ -746,12 +748,14 @@
931 /* function call in case of error */
934 #define RETURN(status) \
937 ErrorStatus = status; \
943 XpmCreateImageFromXpmImage(display, image,
946 ErrorStatus = XpmSuccess;
948 - if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
949 + if (image->ncolors >= UINT_MAX / sizeof(Pixel))
950 return (XpmNoMemory);
952 /* malloc pixels index tables */
954 return (XpmNoMemory);
956 #if !defined(FOR_MSW) && !defined(AMIGA)
957 - if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
958 + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
959 + XDestroyImage(*image_return);
962 /* now that bytes_per_line must have been set properly alloc data */
963 + if((*image_return)->bytes_per_line == 0 || height == 0)
964 + return XpmNoMemory;
965 (*image_return)->data =
966 (char *) XpmMalloc((*image_return)->bytes_per_line * height);
968 @@ -1023,7 +1031,7 @@
969 LFUNC(_putbits, void, (register char *src, int dstoffset,
970 register int numbits, register char *dst));
972 -LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));
973 +LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
975 static unsigned char Const _reverse_byte[0x100] = {
976 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
977 @@ -1063,12 +1071,12 @@
979 _XReverse_Bytes(bpt, nb)
980 register unsigned char *bpt;
982 + register unsigned int nb;
985 *bpt = _reverse_byte[*bpt];
987 - } while (--nb > 0);
988 + } while (--nb > 0); /* is nb user-controled? */
992 @@ -1207,7 +1215,7 @@
995 register unsigned int *iptr;
996 - register int x, y, i;
997 + register unsigned int x, y, i;
1000 int nbytes, depth, ibu, ibpp;
1001 @@ -1217,8 +1225,8 @@
1002 depth = image->depth;
1004 ibu = image->bitmap_unit;
1005 - for (y = 0; y < height; y++)
1006 - for (x = 0; x < width; x++, iptr++) {
1007 + for (y = 0; y < height; y++) /* how can we trust height */
1008 + for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
1009 pixel = pixels[*iptr];
1010 for (i = 0, px = pixel; i < sizeof(unsigned long);
1012 @@ -1293,12 +1301,12 @@
1014 unsigned char *data;
1020 #ifdef WITHOUT_SPEEDUPS
1024 unsigned char *addr;
1026 data = (unsigned char *) image->data;
1027 @@ -1335,7 +1343,7 @@
1029 #else /* WITHOUT_SPEEDUPS */
1031 - int bpl = image->bytes_per_line;
1032 + unsigned int bpl = image->bytes_per_line;
1033 unsigned char *data_ptr, *max_data;
1035 data = (unsigned char *) image->data;
1036 @@ -1403,11 +1411,11 @@
1038 unsigned char *data;
1043 #ifdef WITHOUT_SPEEDUPS
1047 unsigned char *addr;
1049 data = (unsigned char *) image->data;
1050 @@ -1431,7 +1439,7 @@
1054 - int bpl = image->bytes_per_line;
1055 + unsigned int bpl = image->bytes_per_line;
1056 unsigned char *data_ptr, *max_data;
1058 data = (unsigned char *) image->data;
1059 @@ -1484,11 +1492,11 @@
1066 #ifdef WITHOUT_SPEEDUPS
1073 @@ -1498,7 +1506,7 @@
1075 #else /* WITHOUT_SPEEDUPS */
1077 - int bpl = image->bytes_per_line;
1078 + unsigned int bpl = image->bytes_per_line;
1079 char *data_ptr, *max_data;
1082 @@ -1533,12 +1541,12 @@
1083 PutImagePixels(image, width, height, pixelindex, pixels);
1090 #ifdef WITHOUT_SPEEDUPS
1097 @@ -1761,6 +1769,9 @@
1101 + if(x < 0 || y < 0)
1104 for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
1105 ((unsigned char *)&pixel)[i] = px;
1106 src = &ximage->data[XYINDEX(x, y, ximage)];
1107 @@ -1791,7 +1802,10 @@
1112 + unsigned int nbytes, ibpp;
1114 + if(x < 0 || y < 0)
1117 ibpp = ximage->bits_per_pixel;
1118 if (ximage->depth == 4)
1119 @@ -1825,6 +1839,9 @@
1121 unsigned char *addr;
1123 + if(x < 0 || y < 0)
1126 addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1127 *((unsigned long *)addr) = pixel;
1129 @@ -1840,6 +1857,9 @@
1131 unsigned char *addr;
1133 + if(x < 0 || y < 0)
1136 addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1137 addr[0] = pixel >> 24;
1138 addr[1] = pixel >> 16;
1139 @@ -1857,6 +1877,9 @@
1141 unsigned char *addr;
1143 + if(x < 0 || y < 0)
1146 addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1147 addr[3] = pixel >> 24;
1148 addr[2] = pixel >> 16;
1149 @@ -1874,6 +1897,9 @@
1151 unsigned char *addr;
1153 + if(x < 0 || y < 0)
1156 addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1157 addr[0] = pixel >> 8;
1159 @@ -1889,6 +1915,9 @@
1161 unsigned char *addr;
1163 + if(x < 0 || y < 0)
1166 addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1167 addr[1] = pixel >> 8;
1169 @@ -1902,6 +1931,9 @@
1171 unsigned long pixel;
1173 + if(x < 0 || y < 0)
1176 ximage->data[ZINDEX8(x, y, ximage)] = pixel;
1179 @@ -1913,6 +1945,9 @@
1181 unsigned long pixel;
1183 + if(x < 0 || y < 0)
1187 ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7);
1189 @@ -1927,6 +1962,9 @@
1191 unsigned long pixel;
1193 + if(x < 0 || y < 0)
1197 ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7);
1199 @@ -2061,8 +2099,8 @@
1200 xpmGetCmt(data, &colors_cmt);
1202 /* malloc pixels index tables */
1203 - if (ncolors >= SIZE_MAX / sizeof(Pixel))
1204 - return XpmNoMemory;
1205 + if (ncolors >= UINT_MAX / sizeof(Pixel))
1206 + RETURN(XpmNoMemory);
1208 image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
1210 @@ -2174,7 +2212,7 @@
1213 if (ErrorStatus != XpmSuccess)
1214 - RETURN(ErrorStatus)
1215 + RETURN(ErrorStatus);
1216 else if (USE_HASHTABLE)
1217 xpmHashTableFree(&hashtable);
1219 @@ -2366,11 +2404,11 @@
1221 /* array of pointers malloced by need */
1222 unsigned short *cidx[256];
1224 + unsigned int char1;
1226 bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
1227 for (a = 0; a < ncolors; a++) {
1228 - char1 = colorTable[a].string[0];
1229 + char1 = (unsigned char) colorTable[a].string[0];
1230 if (cidx[char1] == NULL) { /* get new memory */
1231 cidx[char1] = (unsigned short *)
1232 XpmCalloc(256, sizeof(unsigned short));
1233 Index: extras/Xpm/lib/data.c
1234 ===================================================================
1235 RCS file: /cvs/XF4/xc/extras/Xpm/lib/data.c,v
1236 retrieving revision 1.3
1237 diff -u -r1.3 data.c
1238 --- extras/Xpm/lib/data.c 2 Nov 2004 23:26:39 -0000 1.3
1239 +++ extras/Xpm/lib/data.c 14 Nov 2004 13:45:05 -0000
1241 \*****************************************************************************/
1242 /* $XFree86: xc/extras/Xpm/lib/data.c,v 1.3 2001/10/28 03:32:10 tsi Exp $ */
1244 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
1248 /* Official version number */
1251 Ungetc(data, c, file);
1254 + return (n); /* this returns bytes read + 1 */
1262 - else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) {
1263 - *cmt = (char *) XpmMalloc(data->CommentLength + 1);
1264 + else if (data->CommentLength != 0 && data->CommentLength < UINT_MAX - 1) {
1265 + if( (*cmt = (char *) XpmMalloc(data->CommentLength + 1)) == NULL)
1266 + return XpmNoMemory;
1267 strncpy(*cmt, data->Comment, data->CommentLength);
1268 (*cmt)[data->CommentLength] = '\0';
1269 data->CommentLength = 0;
1271 xpmParseHeader(data)
1275 + char buf[BUFSIZ+1] = {0};
1279 Index: extras/Xpm/lib/hashtab.c
1280 ===================================================================
1281 RCS file: /cvs/XF4/xc/extras/Xpm/lib/hashtab.c,v
1282 retrieving revision 1.2
1283 diff -u -r1.2 hashtab.c
1284 --- extras/Xpm/lib/hashtab.c 1 Sep 2004 21:01:33 -0000 1.2
1285 +++ extras/Xpm/lib/hashtab.c 14 Nov 2004 13:45:05 -0000
1286 @@ -138,13 +138,13 @@
1287 unsigned int size = table->size;
1290 - int oldSize = size;
1291 + unsigned int oldSize = size;
1296 table->limit = size / 3;
1297 - if (size >= SIZE_MAX / sizeof(*atomTable))
1298 + if (size >= UINT_MAX / sizeof(*atomTable))
1299 return (XpmNoMemory);
1300 atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
1303 table->size = INITIAL_HASH_SIZE;
1304 table->limit = table->size / 3;
1306 - if (table->size >= SIZE_MAX / sizeof(*atomTable))
1307 + if (table->size >= UINT_MAX / sizeof(*atomTable))
1308 return (XpmNoMemory);
1309 atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
1311 Index: extras/Xpm/lib/misc.c
1312 ===================================================================
1313 RCS file: /cvs/XF4/xc/extras/Xpm/lib/misc.c,v
1314 retrieving revision 1.1.1.1
1315 diff -u -r1.1.1.1 misc.c
1316 --- extras/Xpm/lib/misc.c 15 Feb 2001 07:59:10 -0000 1.1.1.1
1317 +++ extras/Xpm/lib/misc.c 14 Nov 2004 13:45:05 -0000
1322 - int l = strlen(s1) + 1;
1323 + size_t l = strlen(s1) + 1;
1325 if (s2 = (char *) XpmMalloc(l))
1327 Index: extras/Xpm/lib/parse.c
1328 ===================================================================
1329 RCS file: /cvs/XF4/xc/extras/Xpm/lib/parse.c,v
1330 retrieving revision 1.3
1331 diff -u -r1.3 parse.c
1332 --- extras/Xpm/lib/parse.c 2 Nov 2004 23:26:39 -0000 1.3
1333 +++ extras/Xpm/lib/parse.c 14 Nov 2004 13:45:05 -0000
1335 * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
1338 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
1345 -# define STRLCAT(dst, src, dstsize) { \
1346 +# define STRLCAT(dst, src, dstsize) do { \
1347 if (strlcat(dst, src, dstsize) >= (dstsize)) \
1348 - return (XpmFileInvalid); }
1349 -# define STRLCPY(dst, src, dstsize) { \
1350 + return (XpmFileInvalid); } while(0)
1351 +# define STRLCPY(dst, src, dstsize) do { \
1352 if (strlcpy(dst, src, dstsize) >= (dstsize)) \
1353 - return (XpmFileInvalid); }
1354 + return (XpmFileInvalid); } while(0)
1356 -# define STRLCAT(dst, src, dstsize) { \
1357 +# define STRLCAT(dst, src, dstsize) do { \
1358 if ((strlen(dst) + strlen(src)) < (dstsize)) \
1360 - else return (XpmFileInvalid); }
1361 -# define STRLCPY(dst, src, dstsize) { \
1362 + else return (XpmFileInvalid); } while(0)
1363 +# define STRLCPY(dst, src, dstsize) do { \
1364 if (strlen(src) < (dstsize)) \
1366 - else return (XpmFileInvalid); }
1367 + else return (XpmFileInvalid); } while(0)
1370 LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
1375 - if (ncolors >= SIZE_MAX / sizeof(XpmColor))
1376 + if (ncolors >= UINT_MAX / sizeof(XpmColor))
1377 return (XpmNoMemory);
1378 colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
1384 - if (cpp >= SIZE_MAX - 1) {
1385 + if (cpp >= UINT_MAX - 1) {
1386 xpmFreeColorTable(colorTable, ncolors);
1387 return (XpmNoMemory);
1390 return (XpmFileInvalid);
1393 - STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
1394 + STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
1396 - STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
1397 + STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
1402 xpmFreeColorTable(colorTable, ncolors);
1403 return (XpmFileInvalid);
1405 - len = strlen(curbuf) + 1;
1406 + len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
1407 s = defaults[curkey] = (char *) XpmMalloc(len);
1409 xpmFreeColorTable(colorTable, ncolors);
1414 - if (cpp >= SIZE_MAX - 1) {
1415 + if (cpp >= UINT_MAX - 1) {
1416 xpmFreeColorTable(colorTable, ncolors);
1417 return (XpmNoMemory);
1420 memcpy(s, curbuf, len);
1422 *curbuf = '\0'; /* reset curbuf */
1423 - if (a < ncolors - 1)
1424 + if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
1425 xpmNextString(data); /* get to the next string */
1428 @@ -370,11 +372,11 @@
1429 xpmHashTable *hashtable;
1430 unsigned int **pixels;
1432 - unsigned int *iptr, *iptr2;
1433 + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
1434 unsigned int a, x, y;
1436 - if ((height > 0 && width >= SIZE_MAX / height) ||
1437 - width * height >= SIZE_MAX / sizeof(unsigned int))
1438 + if ((height > 0 && width >= UINT_MAX / height) ||
1439 + width * height >= UINT_MAX / sizeof(unsigned int))
1442 iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
1443 @@ -399,8 +401,10 @@
1445 unsigned short colidx[256];
1447 - if (ncolors > 256)
1448 + if (ncolors > 256) {
1449 + XpmFree(iptr2); /* found by Egbert Eich */
1450 return (XpmFileInvalid);
1453 bzero((char *)colidx, 256 * sizeof(short));
1454 for (a = 0; a < ncolors; a++)
1455 @@ -427,16 +431,20 @@
1458 /* free all allocated pointers at all exits */
1459 -#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \
1460 -if (cidx[f]) XpmFree(cidx[f]);}
1461 +#define FREE_CIDX \
1464 + int f; for (f = 0; f < 256; f++) \
1465 + if (cidx[f]) XpmFree(cidx[f]); \
1468 /* array of pointers malloced by need */
1469 unsigned short *cidx[256];
1471 + unsigned int char1;
1473 bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
1474 for (a = 0; a < ncolors; a++) {
1475 - char1 = colorTable[a].string[0];
1476 + char1 = (unsigned char) colorTable[a].string[0];
1477 if (cidx[char1] == NULL) { /* get new memory */
1478 cidx[char1] = (unsigned short *)
1479 XpmCalloc(256, sizeof(unsigned short));
1480 @@ -480,8 +488,10 @@
1484 - if (cpp >= sizeof(buf))
1485 + if (cpp >= sizeof(buf)) {
1486 + XpmFree(iptr2); /* found by Egbert Eich */
1487 return (XpmFileInvalid);
1491 if (USE_HASHTABLE) {
1493 xpmNextString(data);
1494 for (x = 0; x < width; x++, iptr++) {
1495 for (a = 0, s = buf; a < cpp; a++, s++)
1496 - *s = xpmGetC(data);
1497 + *s = xpmGetC(data); /* int assigned to char, not a problem here */
1498 slot = xpmHashSlot(hashtable, buf);
1499 if (!*slot) { /* no color matches */
1502 xpmNextString(data);
1503 for (x = 0; x < width; x++, iptr++) {
1504 for (a = 0, s = buf; a < cpp; a++, s++)
1505 - *s = xpmGetC(data);
1506 + *s = xpmGetC(data); /* int assigned to char, not a problem here */
1507 for (a = 0; a < ncolors; a++)
1508 if (!strcmp(colorTable[a].string, buf))
1511 while (!notstart && notend) {
1512 /* there starts an extension */
1513 ext = (XpmExtension *)
1514 - XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));
1515 + XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
1518 XpmFreeExtensions(exts, num);
1520 while ((notstart = strncmp("XPMEXT", string, 6))
1521 && (notend = strncmp("XPMENDEXT", string, 9))) {
1523 - XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));
1524 + XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
1527 ext->nlines = nlines;
1529 /* function call in case of error */
1531 #define RETURN(status) \
1539 * This function parses an Xpm file or data and store the found informations
1540 Index: extras/Xpm/lib/s_popen.c
1541 ===================================================================
1542 RCS file: extras/Xpm/lib/s_popen.c
1543 diff -N extras/Xpm/lib/s_popen.c
1544 --- /dev/null 1 Jan 1970 00:00:00 -0000
1545 +++ extras/Xpm/lib/s_popen.c 14 Nov 2004 13:45:05 -0000
1548 + * Copyright (C) 2004 The X.Org fundation
1550 + * Permission is hereby granted, free of charge, to any person
1551 + * obtaining a copy of this software and associated documentation
1552 + * files (the "Software"), to deal in the Software without
1553 + * restriction, including without limitation the rights to use, copy,
1554 + * modify, merge, publish, distribute, sublicense, and/or sell copies
1555 + * of the Software, and to permit persons to whom the Software is fur-
1556 + * nished to do so, subject to the following conditions:
1558 + * The above copyright notice and this permission notice shall be
1559 + * included in all copies or substantial portions of the Software.
1561 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
1562 + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
1563 + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
1564 + * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
1565 + * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
1566 + * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
1567 + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
1569 + * Except as contained in this notice, the name of the X.Org fundation
1570 + * shall not be used in advertising or otherwise to promote the sale,
1571 + * use or other dealings in this Software without prior written
1572 + * authorization from the X.Org fundation.
1576 +** This is a secure but NOT 100% compatible replacement for popen()
1577 +** Note: - don't use pclose() use fclose() for closing the returned
1580 +** Known Bugs: - unable to use i/o-redirection like > or <
1581 +** Author: - Thomas Biege <thomas@suse.de>
1582 +** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
1583 +** calling strtok()
1586 +#include <sys/types.h>
1587 +#include <sys/wait.h>
1589 +#include <stdlib.h>
1590 +#include <unistd.h>
1591 +#include <string.h>
1593 +#define __SEC_POPEN_TOKEN " "
1595 +FILE *s_popen(char *cmd, const char *type)
1599 + int rpipe = 0, wpipe = 0, i;
1605 + if(cmd == NULL || cmd == "")
1608 + if(type[0] != 'r' && type[0] != 'w')
1611 + if ((cmdcpy = strdup(cmd)) == NULL)
1615 + if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
1623 + if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
1629 + if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
1635 + strcpy(argv[i], ptr);
1637 + if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
1639 + if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
1650 + if(type[0] == 'r')
1655 + if (pipe(pfd) < 0)
1661 + if((pid = fork()) < 0)
1669 + if(pid == 0) /* child */
1671 + if((pid = fork()) < 0)
1680 + exit(0); /* child nr. 1 exits */
1686 + close(pfd[0]); /* close reading end, we don't need it */
1687 + dup2(STDOUT_FILENO, STDERR_FILENO);
1688 + if (pfd[1] != STDOUT_FILENO)
1689 + dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
1693 + close(pfd[1]); /* close writing end, we don't need it */
1694 + if (pfd[0] != STDIN_FILENO)
1695 + dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
1698 + if(strchr(argv[0], '/') == NULL)
1699 + execvp(argv[0], argv); /* search in $PATH */
1701 + execv(argv[0], argv);
1706 + return(NULL); /* exec failed.. ooops! */
1710 + waitpid(pid, NULL, 0); /* wait for child nr. 1 */
1716 + return(fdopen(pfd[0], "r"));
1722 + return(fdopen(pfd[1], "w"));
1728 Index: extras/Xpm/lib/scan.c
1729 ===================================================================
1730 RCS file: /cvs/XF4/xc/extras/Xpm/lib/scan.c,v
1731 retrieving revision 1.3
1732 diff -u -r1.3 scan.c
1733 --- extras/Xpm/lib/scan.c 2 Nov 2004 23:26:39 -0000 1.3
1734 +++ extras/Xpm/lib/scan.c 14 Nov 2004 13:45:05 -0000
1736 * Lorens Younes (d93-hyo@nada.kth.se) 4/96
1739 +/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
1743 #define MAXPRINTABLE 92 /* number of printable ascii chars
1744 @@ -172,10 +174,10 @@
1745 /* function call in case of error */
1747 #define RETURN(status) \
1750 ErrorStatus = status; \
1756 * This function scans the given image and stores the found informations in
1757 @@ -233,15 +235,15 @@
1761 - if ((height > 0 && width >= SIZE_MAX / height) ||
1762 - width * height >= SIZE_MAX / sizeof(unsigned int))
1763 + if ((height > 0 && width >= UINT_MAX / height) ||
1764 + width * height >= UINT_MAX / sizeof(unsigned int))
1765 RETURN(XpmNoMemory);
1767 (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
1768 if (!pmap.pixelindex)
1769 RETURN(XpmNoMemory);
1771 - if (pmap.size >= SIZE_MAX / sizeof(Pixel))
1772 + if (pmap.size >= UINT_MAX / sizeof(Pixel))
1773 RETURN(XpmNoMemory);
1775 pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
1777 * get rgb values and a string of char, and possibly a name for each
1780 - if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
1781 + if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
1782 RETURN(XpmNoMemory);
1783 colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
1787 /* first get a character string */
1789 - if (cpp >= SIZE_MAX - 1)
1790 + if (cpp >= UINT_MAX - 1)
1791 return (XpmNoMemory);
1792 if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
1793 return (XpmNoMemory);
1797 /* first get character strings and rgb values */
1798 - if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
1799 + if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1)
1800 return (XpmNoMemory);
1801 xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
1808 + unsigned int x, y, i;
1809 int bits, depth, ibu, ibpp, offset;
1813 unsigned char *addr;
1814 unsigned char *data;
1817 + unsigned int x, y;
1822 unsigned char *addr;
1823 unsigned char *data;
1826 + unsigned int x, y;
1833 unsigned char *data;
1835 + unsigned int x, y;
1840 storeFuncPtr storeFunc;
1844 + unsigned int x, y;
1847 int xoff, yoff, offset, bpl;
1848 @@ -900,11 +902,11 @@
1851 #define CLEAN_UP(status) \
1854 if (pixels) XpmFree (pixels);\
1855 if (tmp_img) FreeXImage (tmp_img);\
1864 tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);
1865 if (tmp_img == NULL)
1866 - CLEAN_UP (XpmNoMemory)
1867 + CLEAN_UP (XpmNoMemory);
1869 iptr = pmap->pixelindex;
1870 for (y = 0; y < height; ++y)
1871 @@ -934,11 +936,11 @@
1872 for (x = 0; x < width; ++x, ++iptr)
1874 if ((*storeFunc) (pixels[x], pmap, iptr))
1875 - CLEAN_UP (XpmNoMemory)
1876 + CLEAN_UP (XpmNoMemory);
1880 - CLEAN_UP (XpmSuccess)
1881 + CLEAN_UP (XpmSuccess);
1885 Index: lib/Xpm/Imakefile
1886 ===================================================================
1887 RCS file: /cvs/XF4/xc/lib/Xpm/Imakefile,v
1888 retrieving revision 1.3
1889 diff -u -r1.3 Imakefile
1890 --- lib/Xpm/Imakefile 2 Nov 2004 23:47:45 -0000 1.3
1891 +++ lib/Xpm/Imakefile 14 Nov 2004 13:45:05 -0000
1893 STRLCATDEF = -DHAS_STRLCAT
1897 +SNPRINTFDEF = -DHAS_SNPRINTF
1899 +SNPRINTFDEF = -Dsnprintf=_XpmSnprintf
1900 +SNPRINTFSRCS = snprintf.c
1901 +SNPRINTFOBJS = snprintf.o
1904 #if defined(Win32Architecture)
1905 ZPIPEDEF = -DNO_ZPIPE
1908 DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(STRLCATDEF) \
1909 - $(ZPIPEDEF) $(ZFILEDEF)
1910 + $(SNPRINTFDEF) $(ZPIPEDEF) $(ZFILEDEF)
1915 CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
1916 CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
1917 CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
1918 - Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c
1919 + Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
1920 + s_popen.c $(SNPRINTFSRCS)
1922 OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
1923 CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
1924 CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \
1925 CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
1926 - Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o
1927 + Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
1928 + s_popen.o $(SNPRINTFOBJS)
1930 XPMDIR = $(TOP)/extras/Xpm
1931 XPMLIBDIR = $(TOP)/extras/Xpm/lib
1932 @@ -104,5 +114,10 @@
1933 LinkSourceFile(RdFToBuf.c,$(XPMLIBDIR))
1934 LinkSourceFile(WrFFrBuf.c,$(XPMLIBDIR))
1935 LinkSourceFile(xpm.h,$(XPMLIBDIR))
1936 +LinkSourceFile(s_popen.c,$(XPMLIBDIR))
1939 +LinkSourceFile(snprintf.c,$(LIBSRC)/misc)