From 67efde835556a3cc0caff337cc33c3c919002531 Mon Sep 17 00:00:00 2001 From: Jakub Bogusz Date: Thu, 3 Mar 2005 10:32:56 +0000 Subject: [PATCH] - obsolete Changed files: X11-kbd-segv.patch -> 1.2 X11-sparc-kbd.patch -> 1.3 p_i810-accel.diff -> 1.2 xorg-681-CAN-2004-0914.patch -> 1.2 --- X11-kbd-segv.patch | 11 - X11-sparc-kbd.patch | 40 - p_i810-accel.diff | 361 ------- xorg-681-CAN-2004-0914.patch | 1942 ---------------------------------- 4 files changed, 2354 deletions(-) delete mode 100644 X11-kbd-segv.patch delete mode 100644 X11-sparc-kbd.patch delete mode 100644 p_i810-accel.diff delete mode 100644 xorg-681-CAN-2004-0914.patch diff --git a/X11-kbd-segv.patch b/X11-kbd-segv.patch deleted file mode 100644 index cb71078..0000000 --- a/X11-kbd-segv.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- xc/programs/Xserver/hw/xfree86/common/xf86Init.c.orig Fri Aug 20 05:22:39 2004 -+++ xc/programs/Xserver/hw/xfree86/common/xf86Init.c Thu Dec 9 13:24:44 2004 -@@ -1244,7 +1244,7 @@ - /* - * try to deinitialize all input devices - */ -- if (xf86Info.pKeyboard) -+ if (xf86Info.kbdProc && xf86Info.pKeyboard) - (xf86Info.kbdProc)(xf86Info.pKeyboard, DEVICE_CLOSE); - - /* diff --git a/X11-sparc-kbd.patch b/X11-sparc-kbd.patch deleted file mode 100644 index 27b1d4a..0000000 --- a/X11-sparc-kbd.patch +++ /dev/null @@ -1,40 +0,0 @@ ---- X11-6.8.1/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_io.c.orig 2004-04-23 21:54:08.000000000 +0200 -+++ X11-6.8.1/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_io.c 2004-10-31 01:40:55.056608568 +0200 -@@ -114,6 +114,8 @@ - #endif /* KDKBDREP */ - } - -+#undef rate -+ - static int - KIOCSRATE_ioctl_ok(int rate, int delay) { - #ifdef KIOCSRATE -@@ -141,8 +143,6 @@ - #endif /* KIOCSRATE */ - } - --#undef rate -- - void xf86SetKbdRepeat(char rad) - { - #ifdef __sparc__ ---- X11-6.8.1/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_kbd.c.orig 2004-04-23 21:54:08.000000000 +0200 -+++ X11-6.8.1/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_kbd.c 2004-10-31 01:41:26.201873768 +0200 -@@ -142,6 +142,8 @@ - #endif /* KDKBDREP */ - } - -+#undef rate -+ - static int - KIOCSRATE_ioctl_ok(int rate, int delay) { - #ifdef KIOCSRATE -@@ -169,8 +171,6 @@ - #endif /* KIOCSRATE */ - } - --#undef rate -- - static void - SetKbdRepeat(InputInfoPtr pInfo, char rad) - { diff --git a/p_i810-accel.diff b/p_i810-accel.diff deleted file mode 100644 index b9578ed..0000000 --- a/p_i810-accel.diff +++ /dev/null @@ -1,361 +0,0 @@ -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/common.h programs/Xserver/hw/xfree86/drivers/i810/common.h ---- programs/Xserver/hw/xfree86/drivers/i810_old/common.h 2004-09-29 16:03:59.645813735 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/common.h 2004-09-29 16:04:13.974719718 +0200 -@@ -173,7 +173,7 @@ - #define BEGIN_LP_RING(n) \ - unsigned int outring, ringmask; \ - volatile unsigned char *virt; \ -- unsigned int needed; \ -+ int needed; \ - if ((n) & 1) \ - ErrorF("BEGIN_LP_RING called with odd argument: %d\n", n); \ - if ((n) > 2 && (I810_DEBUG&DEBUG_ALWAYS_SYNC)) \ -@@ -206,7 +206,7 @@ - #define BEGIN_LP_RING(n) \ - unsigned int outring, ringmask; \ - volatile unsigned char *virt; \ -- unsigned int needed; \ -+ int needed; \ - if ((n) & 1) \ - ErrorF("BEGIN_LP_RING called with odd argument: %d\n", n); \ - if ((n) > 2 && (I810_DEBUG&DEBUG_ALWAYS_SYNC)) \ -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i810.h programs/Xserver/hw/xfree86/drivers/i810/i810.h ---- programs/Xserver/hw/xfree86/drivers/i810_old/i810.h 2004-09-29 16:03:59.639814611 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i810.h 2004-09-29 16:04:13.974719718 +0200 -@@ -172,7 +172,7 @@ - unsigned long OverlayPhysical; - unsigned long OverlayStart; - int colorKey; -- int surfaceAllocation[I810_TOTAL_SURFACES]; -+ unsigned int surfaceAllocation[I810_TOTAL_SURFACES]; - int numSurfaces; - - DGAModePtr DGAModes; -@@ -295,9 +295,10 @@ - extern void I810Sync(ScrnInfoPtr pScrn); - extern unsigned long I810LocalToPhysical(ScrnInfoPtr pScrn, - unsigned long local); --extern int I810AllocLow(I810MemRange * result, I810MemRange * pool, int size); -+extern int I810AllocLow(I810MemRange * result, I810MemRange * pool, -+ int size); - extern int I810AllocHigh(I810MemRange * result, I810MemRange * pool, -- int size); -+ int size); - extern Bool I810AllocateFront(ScrnInfoPtr pScrn); - - extern int I810AllocateGARTMemory(ScrnInfoPtr pScrn); -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i810_accel.c programs/Xserver/hw/xfree86/drivers/i810/i810_accel.c ---- programs/Xserver/hw/xfree86/drivers/i810_old/i810_accel.c 2004-09-29 16:03:59.612818556 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i810_accel.c 2004-09-29 16:04:13.975719572 +0200 -@@ -259,7 +259,7 @@ - #ifdef XF86DRI - /* VT switching tries to do this. - */ -- if (!pI810->LockHeld && pI810->directRenderingEnabled) { -+ if ((!pI810->LockHeld && pI810->directRenderingEnabled) || !pScrn->vtSema) { - return; - } - #endif -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i810_dri.c programs/Xserver/hw/xfree86/drivers/i810/i810_dri.c ---- programs/Xserver/hw/xfree86/drivers/i810_old/i810_dri.c 2004-09-29 16:03:59.671809935 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i810_dri.c 2004-09-29 16:04:13.977719280 +0200 -@@ -290,7 +290,7 @@ - unsigned long dcacheHandle; - int sysmem_size = 0; - int back_size = 0; -- int pitch_idx = 0; -+ unsigned int pitch_idx = 0; - int bufs; - int width = pScrn->displayWidth * pI810->cpp; - int i; -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i810_driver.c programs/Xserver/hw/xfree86/drivers/i810/i810_driver.c ---- programs/Xserver/hw/xfree86/drivers/i810_old/i810_driver.c 2004-09-29 16:03:59.553827177 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i810_driver.c 2004-09-29 16:04:13.979718988 +0200 -@@ -1124,14 +1124,6 @@ - xf86SetOperatingState(resVgaIo, pI810->pEnt->index, ResUnusedOpr); - xf86SetOperatingState(resVgaMem, pI810->pEnt->index, ResDisableOpr); - -- pI810->LpRing = xalloc(sizeof(I810RingBuffer)); -- if (!pI810->LpRing) { -- xf86DrvMsg(pScrn->scrnIndex, X_ERROR, -- "Could not allocate lpring data structure.\n"); -- I810FreeRec(pScrn); -- return FALSE; -- } -- - return TRUE; - } - -@@ -1159,7 +1151,7 @@ - I810MapMem(ScrnInfoPtr pScrn) - { - I810Ptr pI810 = I810PTR(pScrn); -- unsigned i; -+ long i; - - for (i = 2; i < pI810->FbMapSize; i <<= 1) ; - pI810->FbMapSize = i; -@@ -2074,6 +2066,13 @@ - pI810 = I810PTR(pScrn); - hwp = VGAHWPTR(pScrn); - -+ pI810->LpRing = xcalloc(sizeof(I810RingBuffer),1); -+ if (!pI810->LpRing) { -+ xf86DrvMsg(pScrn->scrnIndex, X_ERROR, -+ "Could not allocate lpring data structure.\n"); -+ return FALSE; -+ } -+ - miClearVisualTypes(); - - /* Re-implemented Direct Color support, -jens */ -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i810_memory.c programs/Xserver/hw/xfree86/drivers/i810/i810_memory.c ---- programs/Xserver/hw/xfree86/drivers/i810_old/i810_memory.c 2004-09-29 16:03:59.659811689 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i810_memory.c 2004-09-29 16:04:13.980718842 +0200 -@@ -55,7 +55,7 @@ - int - I810AllocLow(I810MemRange * result, I810MemRange * pool, int size) - { -- if (size > pool->Size) -+ if (size > (long)pool->Size) - return 0; - - pool->Size -= size; -@@ -69,7 +69,7 @@ - int - I810AllocHigh(I810MemRange * result, I810MemRange * pool, int size) - { -- if (size > pool->Size) -+ if (size > (long)pool->Size) - return 0; - - pool->Size -= size; -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i810_reg.h programs/Xserver/hw/xfree86/drivers/i810/i810_reg.h ---- programs/Xserver/hw/xfree86/drivers/i810_old/i810_reg.h 2004-09-29 16:03:59.736800438 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i810_reg.h 2004-09-29 16:04:13.981718696 +0200 -@@ -459,11 +459,11 @@ - #define I830_HEAD_MASK 0x001FFFFC - - #define RING_START 0x08 --#define START_ADDR 0x00FFFFF8 -+#define START_ADDR 0x03FFFFF8 - #define I830_RING_START_MASK 0xFFFFF000 - - #define RING_LEN 0x0C --#define RING_NR_PAGES 0x000FF000 -+#define RING_NR_PAGES 0x001FF000 - #define I830_RING_NR_PAGES 0x001FF000 - #define RING_REPORT_MASK 0x00000006 - #define RING_REPORT_64K 0x00000002 -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i830.h programs/Xserver/hw/xfree86/drivers/i810/i830.h ---- programs/Xserver/hw/xfree86/drivers/i810_old/i830.h 2004-09-29 16:03:59.645813735 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i830.h 2004-09-29 16:04:13.982718550 +0200 -@@ -180,17 +180,17 @@ - int CacheLines; - - /* These are set in PreInit and never changed. */ -- unsigned long FbMapSize; -- unsigned long TotalVideoRam; -+ long FbMapSize; -+ long TotalVideoRam; - I830MemRange StolenMemory; /* pre-allocated memory */ -- unsigned long BIOSMemorySize; /* min stolen pool size */ -+ long BIOSMemorySize; /* min stolen pool size */ - int BIOSMemSizeLoc; - - /* These change according to what has been allocated. */ - long FreeMemory; - I830MemRange MemoryAperture; - I830MemPool StolenPool; -- unsigned long allocatedMemory; -+ long allocatedMemory; - - /* Regions allocated either from the above pools, or from agpgart. */ - /* for single and dual head configurations */ -@@ -348,7 +348,7 @@ - int xoffset; - int yoffset; - -- int SaveGeneration; -+ unsigned int SaveGeneration; - Bool vbeRestoreWorkaround; - Bool displayInfo; - Bool devicePresence; -@@ -415,7 +415,7 @@ - extern Bool I830BindGARTMemory(ScrnInfoPtr pScrn); - extern Bool I830UnbindGARTMemory(ScrnInfoPtr pScrn); - extern unsigned long I830AllocVidMem(ScrnInfoPtr pScrn, I830MemRange *result, -- I830MemPool *pool, unsigned long size, -+ I830MemPool *pool, long size, - unsigned long alignment, int flags); - - extern void I830PrintAllRegisters(I830RegPtr i830Reg); -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i830_driver.c programs/Xserver/hw/xfree86/drivers/i810/i830_driver.c ---- programs/Xserver/hw/xfree86/drivers/i810_old/i830_driver.c 2004-09-29 16:03:59.646813588 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i830_driver.c 2004-09-29 16:04:13.986717965 +0200 -@@ -1028,7 +1028,7 @@ - I830MapMem(ScrnInfoPtr pScrn) - { - I830Ptr pI830 = I830PTR(pScrn); -- unsigned i; -+ long i; - - for (i = 2; i < pI830->FbMapSize; i <<= 1) ; - pI830->FbMapSize = i; -@@ -2909,7 +2909,7 @@ - OUTREG(LP_RING + RING_TAIL, 0); - OUTREG(LP_RING + RING_HEAD, 0); - -- if ((pI830->LpRing->mem.Start & I830_RING_START_MASK) != -+ if ((long)(pI830->LpRing->mem.Start & I830_RING_START_MASK) != - pI830->LpRing->mem.Start) { - xf86DrvMsg(pScrn->scrnIndex, X_ERROR, - "I830SetRingRegs: Ring buffer start (%lx) violates its " -@@ -3452,7 +3452,7 @@ - I830Ptr pI8301 = I830PTR(pI830->entityPrivate->pScrn_1); - - temp = INREG(stridereg); -- if (temp / pI8301->cpp != pI830->entityPrivate->pScrn_1->displayWidth) { -+ if (temp / pI8301->cpp != (CARD32)(pI830->entityPrivate->pScrn_1->displayWidth)) { - xf86DrvMsg(pScrn->scrnIndex, X_WARNING, - "Correcting plane %c stride (%d -> %d)\n", PIPE_NAME(pI830->pipe), - (int)(temp / pI8301->cpp), pI830->entityPrivate->pScrn_1->displayWidth); -@@ -3470,7 +3470,7 @@ - sizereg = pI830->pipe ? DSPASIZE : DSPBSIZE; - - temp = INREG(stridereg); -- if (temp / pI8302->cpp != pI830->entityPrivate->pScrn_2->displayWidth) { -+ if (temp / pI8302->cpp != (CARD32)(pI830->entityPrivate->pScrn_2->displayWidth)) { - xf86DrvMsg(pScrn->scrnIndex, X_WARNING, - "Correcting plane %c stride (%d -> %d)\n", PIPE_NAME(!pI830->pipe), - (int)(temp / pI8302->cpp), pI830->entityPrivate->pScrn_2->displayWidth); -@@ -3489,7 +3489,7 @@ - I830Ptr pI8302 = I830PTR(pI830->entityPrivate->pScrn_2); - - temp = INREG(stridereg); -- if (temp / pI8301->cpp != pI830->entityPrivate->pScrn_1->displayWidth) { -+ if (temp / pI8301->cpp != (CARD32)(pI830->entityPrivate->pScrn_1->displayWidth)) { - xf86DrvMsg(pScrn->scrnIndex, X_WARNING, - "Correcting plane %c stride (%d -> %d)\n", PIPE_NAME(pI830->pipe), - (int)(temp / pI8301->cpp), pI830->entityPrivate->pScrn_1->displayWidth); -@@ -3505,7 +3505,7 @@ - sizereg = !pI830->pipe ? DSPASIZE : DSPBSIZE; - - temp = INREG(stridereg); -- if (temp / pI8302->cpp != pI830->entityPrivate->pScrn_2->displayWidth) { -+ if (temp / pI8302->cpp != ((CARD32)pI830->entityPrivate->pScrn_2->displayWidth)) { - xf86DrvMsg(pScrn->scrnIndex, X_WARNING, - "Correcting plane %c stride (%d -> %d)\n", PIPE_NAME(!pI830->pipe), - (int)(temp / pI8302->cpp), pI830->entityPrivate->pScrn_2->displayWidth); -@@ -3526,7 +3526,7 @@ - continue; - - temp = INREG(stridereg); -- if (temp / pI830->cpp != pScrn->displayWidth) { -+ if (temp / pI830->cpp != (CARD32)pScrn->displayWidth) { - xf86DrvMsg(pScrn->scrnIndex, X_WARNING, - "Correcting plane %c stride (%d -> %d)\n", PIPE_NAME(i), - (int)(temp / pI830->cpp), pScrn->displayWidth); -@@ -4527,7 +4527,8 @@ - ScrnInfoPtr pScrn = xf86Screens[pScreen->myNum]; - I830Ptr pI830 = I830PTR(pScrn); - Bool on = xf86IsUnblank(mode); -- CARD32 temp, ctrl, base, i; -+ CARD32 temp, ctrl, base; -+ int i; - - DPRINTF(PFX, "I830BIOSSaveScreen: %d, on is %s\n", mode, BOOLTOSTRING(on)); - -Only in programs/Xserver/hw/xfree86/drivers/i810: i830_driver.c.orig -diff -ur programs/Xserver/hw/xfree86/drivers/i810_old/i830_memory.c programs/Xserver/hw/xfree86/drivers/i810/i830_memory.c ---- programs/Xserver/hw/xfree86/drivers/i810_old/i830_memory.c 2004-09-29 16:03:59.547828054 +0200 -+++ programs/Xserver/hw/xfree86/drivers/i810/i830_memory.c 2004-09-29 16:04:13.988717673 +0200 -@@ -63,10 +63,10 @@ - */ - static unsigned long - AllocFromPool(ScrnInfoPtr pScrn, I830MemRange *result, I830MemPool *pool, -- unsigned long size, unsigned long alignment, int flags) -+ long size, unsigned long alignment, int flags) - { - I830Ptr pI830 = I830PTR(pScrn); -- unsigned long needed, start, end; -+ long needed, start, end; - Bool dryrun = ((flags & ALLOCATE_DRY_RUN) != 0); - - if (!result || !pool || !size) -@@ -94,7 +94,7 @@ - } - } - if (needed > pool->Free.Size) { -- unsigned long extra; -+ long extra; - /* See if the pool can be grown. */ - if (pI830->StolenOnly && !dryrun) - return 0; -@@ -107,7 +107,7 @@ - return 0; - } - -- if (!dryrun && (extra > pI830->MemoryAperture.Size)) -+ if (!dryrun && ((long)extra > pI830->MemoryAperture.Size)) - return 0; - - pool->Free.Size += extra; -@@ -136,7 +136,7 @@ - } - - static unsigned long --AllocFromAGP(ScrnInfoPtr pScrn, I830MemRange *result, unsigned long size, -+AllocFromAGP(ScrnInfoPtr pScrn, I830MemRange *result, long size, - unsigned long alignment, int flags) - { - I830Ptr pI830 = I830PTR(pScrn); -@@ -212,7 +212,7 @@ - - unsigned long - I830AllocVidMem(ScrnInfoPtr pScrn, I830MemRange *result, I830MemPool *pool, -- unsigned long size, unsigned long alignment, int flags) -+ long size, unsigned long alignment, int flags) - { - I830Ptr pI830 = I830PTR(pScrn); - Bool dryrun = ((flags & ALLOCATE_DRY_RUN) != 0); -@@ -392,7 +392,7 @@ - I830Allocate2DMemory(ScrnInfoPtr pScrn, const int flags) - { - I830Ptr pI830 = I830PTR(pScrn); -- unsigned long size, alloced; -+ long size, alloced; - Bool dryrun = ((flags & ALLOCATE_DRY_RUN) != 0); - int verbosity = dryrun ? 4 : 1; - const char *s = dryrun ? "[dryrun] " : ""; -@@ -610,9 +610,9 @@ - return FALSE; - } - } else { -- unsigned long lineSize; -- unsigned long extra = 0; -- unsigned long maxFb = 0; -+ long lineSize; -+ long extra = 0; -+ long maxFb = 0; - - /* - * XXX Need to "free" up any 3D allocations if the DRI ended up -@@ -857,7 +857,7 @@ - I830GetExcessMemoryAllocations(ScrnInfoPtr pScrn) - { - I830Ptr pI830 = I830PTR(pScrn); -- unsigned long allocated; -+ long allocated; - - allocated = pI830->StolenPool.Total.Size + pI830->allocatedMemory; - if (allocated > pI830->TotalVideoRam) -@@ -1367,7 +1367,7 @@ - I830Ptr pI830 = I830PTR(pScrn); - int pitch, ntiles, i; - static int nextTile = 0; -- static int tileGeneration = -1; -+ static unsigned int tileGeneration = -1; - - #if 0 - /* Hack to "improve" the alignment of the front buffer. diff --git a/xorg-681-CAN-2004-0914.patch b/xorg-681-CAN-2004-0914.patch deleted file mode 100644 index dd0b1aa..0000000 --- a/xorg-681-CAN-2004-0914.patch +++ /dev/null @@ -1,1942 +0,0 @@ -Index: extras/Xpm/lib/Attrib.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/Attrib.c,v -retrieving revision 1.2 -diff -u -r1.2 Attrib.c ---- extras/Xpm/lib/Attrib.c 1 Sep 2004 21:01:32 -0000 1.2 -+++ extras/Xpm/lib/Attrib.c 14 Nov 2004 13:45:02 -0000 -@@ -32,13 +32,15 @@ - * Developed by Arnaud Le Hors * - \*****************************************************************************/ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - - /* 3.2 backward compatibility code */ - LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, - XpmColor ***oldct)); - --LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); -+LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors)); - - /* - * Create a colortable compatible with the old style colortable -@@ -50,9 +52,9 @@ - XpmColor ***oldct; - { - XpmColor **colorTable, **color; -- int a; -+ unsigned int a; - -- if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) -+ if (ncolors >= UINT_MAX / sizeof(XpmColor *)) - return XpmNoMemory; - - colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); -@@ -69,9 +71,9 @@ - static void - FreeOldColorTable(colorTable, ncolors) - XpmColor **colorTable; -- int ncolors; -+ unsigned int ncolors; - { -- int a, b; -+ unsigned int a, b; - XpmColor **color; - char **sptr; - -@@ -122,7 +124,7 @@ - XpmExtension *ext; - char **sptr; - -- if (extensions) { -+ if (extensions && nextensions > 0) { - for (i = 0, ext = extensions; i < nextensions; i++, ext++) { - if (ext->name) - XpmFree(ext->name); -Index: extras/Xpm/lib/CrBufFrI.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/CrBufFrI.c,v -retrieving revision 1.2 -diff -u -r1.2 CrBufFrI.c ---- extras/Xpm/lib/CrBufFrI.c 2 Nov 2004 23:26:39 -0000 1.2 -+++ extras/Xpm/lib/CrBufFrI.c 14 Nov 2004 13:45:02 -0000 -@@ -31,6 +31,9 @@ - * * - * Developed by Arnaud Le Hors * - \*****************************************************************************/ -+ -+/* October 2004, source code review by Thomas Biege */ -+ - /* $XFree86$ */ - - #include "XpmI.h" -@@ -39,15 +42,17 @@ - unsigned int *used_size, XpmColor *colors, - unsigned int ncolors, unsigned int cpp)); - --LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size, -+LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size, -+ unsigned int *used_size, - unsigned int width, unsigned int height, - unsigned int cpp, unsigned int *pixels, - XpmColor *colors)); - --LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size, -+LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size, -+ unsigned int *used_size, - XpmExtension *ext, unsigned int num)); - --LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num)); -+LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num)); - LFUNC(CommentsSize, int, (XpmInfo *info)); - - int -@@ -90,10 +95,11 @@ - - #undef RETURN - #define RETURN(status) \ -+do \ - { \ - ErrorStatus = status; \ - goto error; \ --} -+}while(0) - - int - XpmCreateBufferFromXpmImage(buffer_return, image, info) -@@ -107,7 +113,7 @@ - unsigned int cmts, extensions, ext_size = 0; - unsigned int l, cmt_size = 0; - char *ptr = NULL, *p; -- unsigned int ptr_size, used_size; -+ unsigned int ptr_size, used_size, tmp; - - *buffer_return = NULL; - -@@ -129,7 +135,13 @@ - #ifdef VOID_SPRINTF - used_size = strlen(buf); - #endif -- ptr_size = used_size + ext_size + cmt_size + 1; -+ ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */ -+ if(ptr_size <= used_size || -+ ptr_size <= ext_size || -+ ptr_size <= cmt_size) -+ { -+ return XpmNoMemory; -+ } - ptr = (char *) XpmMalloc(ptr_size); - if (!ptr) - return XpmNoMemory; -@@ -140,7 +152,7 @@ - #ifndef VOID_SPRINTF - used_size += - #endif -- sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt); -+ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt); - #ifdef VOID_SPRINTF - used_size += strlen(info->hints_cmt) + 5; - #endif -@@ -158,7 +170,7 @@ - #ifndef VOID_SPRINTF - l += - #endif -- sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot); -+ snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot); - #ifdef VOID_SPRINTF - l = strlen(buf); - #endif -@@ -180,6 +192,8 @@ - l = strlen(buf); - #endif - ptr_size += l; -+ if(ptr_size <= l) -+ RETURN(XpmNoMemory); - p = (char *) XpmRealloc(ptr, ptr_size); - if (!p) - RETURN(XpmNoMemory); -@@ -192,7 +206,7 @@ - #ifndef VOID_SPRINTF - used_size += - #endif -- sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt); -+ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt); - #ifdef VOID_SPRINTF - used_size += strlen(info->colors_cmt) + 5; - #endif -@@ -208,7 +222,12 @@ - * 4 = 1 (for '"') + 3 (for '",\n') - * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n') - */ -- ptr_size += image->height * (image->width * image->cpp + 4) + 1; -+ if(image->width > UINT_MAX / image->cpp || -+ (tmp = image->width * image->cpp + 4) <= 4 || -+ image->height > UINT_MAX / tmp || -+ (tmp = image->height * tmp + 1) <= 1 || -+ (ptr_size += tmp) <= tmp) -+ RETURN(XpmNoMemory); - - p = (char *) XpmRealloc(ptr, ptr_size); - if (!p) -@@ -220,17 +239,17 @@ - #ifndef VOID_SPRINTF - used_size += - #endif -- sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt); -+ snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt); - #ifdef VOID_SPRINTF - used_size += strlen(info->pixels_cmt) + 5; - #endif - } -- WritePixels(ptr + used_size, &used_size, image->width, image->height, -+ WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height, - image->cpp, image->data, image->colorTable); - - /* print extensions */ - if (extensions) -- WriteExtensions(ptr + used_size, &used_size, -+ WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size, - info->extensions, info->nextensions); - - /* close the array */ -@@ -247,6 +266,7 @@ - return (ErrorStatus); - } - -+ - static int - WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp) - char **dataptr; -@@ -256,7 +276,7 @@ - unsigned int ncolors; - unsigned int cpp; - { -- char buf[BUFSIZ]; -+ char buf[BUFSIZ] = {0}; - unsigned int a, key, l; - char *s, *s2; - char **defaults; -@@ -266,6 +286,8 @@ - - defaults = (char **) colors; - s = buf + 1; -+ if(cpp > (sizeof(buf) - (s-buf))) -+ return(XpmNoMemory); - strncpy(s, *defaults++, cpp); - s += cpp; - -@@ -274,14 +296,24 @@ - #ifndef VOID_SPRINTF - s += - #endif -- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); -+ /* assume C99 compliance */ -+ snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); - #ifdef VOID_SPRINTF - s += strlen(s); - #endif -+ /* now let's check if s points out-of-bounds */ -+ if((s-buf) > sizeof(buf)) -+ return(XpmNoMemory); - } - } -+ if(sizeof(buf) - (s-buf) < 4) -+ return(XpmNoMemory); - strcpy(s, "\",\n"); - l = s + 3 - buf; -+ if( *data_size >= UINT_MAX-l || -+ *data_size + l <= *used_size || -+ (*data_size + l - *used_size) <= sizeof(buf)) -+ return(XpmNoMemory); - s = (char *) XpmRealloc(*dataptr, *data_size + l); - if (!s) - return (XpmNoMemory); -@@ -294,8 +326,9 @@ - } - - static void --WritePixels(dataptr, used_size, width, height, cpp, pixels, colors) -+WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors) - char *dataptr; -+ unsigned int data_size; - unsigned int *used_size; - unsigned int width; - unsigned int height; -@@ -306,27 +339,36 @@ - char *s = dataptr; - unsigned int x, y, h; - -+ if(height <= 1) -+ return; -+ - h = height - 1; - for (y = 0; y < h; y++) { - *s++ = '"'; - for (x = 0; x < width; x++, pixels++) { -- strncpy(s, colors[*pixels].string, cpp); -+ if(cpp >= (data_size - (s-dataptr))) -+ return; -+ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */ - s += cpp; - } -+ if((data_size - (s-dataptr)) < 4) -+ return; - strcpy(s, "\",\n"); - s += 3; - } - /* duplicate some code to avoid a test in the loop */ - *s++ = '"'; - for (x = 0; x < width; x++, pixels++) { -- strncpy(s, colors[*pixels].string, cpp); -+ if(cpp >= (data_size - (s-dataptr))) -+ return; -+ strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */ - s += cpp; - } - *s++ = '"'; - *used_size += s - dataptr; - } - --static int -+static unsigned int - ExtensionsSize(ext, num) - XpmExtension *ext; - unsigned int num; -@@ -335,21 +377,26 @@ - char **line; - - size = 0; -+ if(num == 0) -+ return(0); /* ok? */ - for (x = 0; x < num; x++, ext++) { - /* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */ - size += strlen(ext->name) + 11; -- a = ext->nlines; -+ a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */ - for (y = 0, line = ext->lines; y < a; y++, line++) - /* 4 = 3 (for ',\n"') + 1 (for '"') */ - size += strlen(*line) + 4; - } - /* 13 is for ',\n"XPMENDEXT"' */ -+ if(size > UINT_MAX - 13) /* unlikely */ -+ return(0); - return size + 13; - } - - static void --WriteExtensions(dataptr, used_size, ext, num) -+WriteExtensions(dataptr, data_size, used_size, ext, num) - char *dataptr; -+ unsigned int data_size; - unsigned int *used_size; - XpmExtension *ext; - unsigned int num; -@@ -362,7 +409,7 @@ - #ifndef VOID_SPRINTF - s += - #endif -- sprintf(s, ",\n\"XPMEXT %s\"", ext->name); -+ snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name); - #ifdef VOID_SPRINTF - s += strlen(ext->name) + 11; - #endif -@@ -371,13 +418,13 @@ - #ifndef VOID_SPRINTF - s += - #endif -- sprintf(s, ",\n\"%s\"", *line); -+ snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line); - #ifdef VOID_SPRINTF - s += strlen(*line) + 4; - #endif - } - } -- strcpy(s, ",\n\"XPMENDEXT\""); -+ strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1); - *used_size += s - dataptr + 13; - } - -@@ -388,6 +435,7 @@ - int size = 0; - - /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */ -+ /* wrap possible but *very* unlikely */ - if (info->hints_cmt) - size += 5 + strlen(info->hints_cmt); - -Index: extras/Xpm/lib/CrDatFrI.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/CrDatFrI.c,v -retrieving revision 1.3 -diff -u -r1.3 CrDatFrI.c ---- extras/Xpm/lib/CrDatFrI.c 2 Nov 2004 23:26:39 -0000 1.3 -+++ extras/Xpm/lib/CrDatFrI.c 14 Nov 2004 13:45:02 -0000 -@@ -33,13 +33,16 @@ - \*****************************************************************************/ - /* $XFree86$ */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - - LFUNC(CreateColors, int, (char **dataptr, unsigned int *data_size, - XpmColor *colors, unsigned int ncolors, - unsigned int cpp)); - --LFUNC(CreatePixels, void, (char **dataptr, unsigned int width, -+LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size, -+ unsigned int width, - unsigned int height, unsigned int cpp, - unsigned int *pixels, XpmColor *colors)); - -@@ -47,7 +50,8 @@ - unsigned int *ext_size, - unsigned int *ext_nlines)); - --LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset, -+LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size, -+ unsigned int offset, - XpmExtension *ext, unsigned int num, - unsigned int ext_nlines)); - -@@ -88,10 +92,11 @@ - - #undef RETURN - #define RETURN(status) \ -+do \ - { \ - ErrorStatus = status; \ - goto exit; \ --} -+} while(0) - - int - XpmCreateDataFromXpmImage(data_return, image, info) -@@ -122,11 +127,17 @@ - * alloc a temporary array of char pointer for the header section which - * is the hints line + the color table lines - */ -- header_nlines = 1 + image->ncolors; -+ header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */ -+ -+ /* 2nd check superfluous if we do not need header_nlines any further */ -+ if(header_nlines <= image->ncolors || -+ header_nlines >= UINT_MAX / sizeof(char *)) -+ return(XpmNoMemory); -+ - header_size = sizeof(char *) * header_nlines; -- if (header_size >= SIZE_MAX / sizeof(char *)) -+ if (header_size >= UINT_MAX / sizeof(char *)) - return (XpmNoMemory); -- header = (char **) XpmCalloc(header_size, sizeof(char *)); -+ header = (char **) XpmCalloc(header_size, sizeof(char *)); /* can we trust image->ncolors */ - if (!header) - return (XpmNoMemory); - -@@ -170,8 +181,22 @@ - - /* now we know the size needed, alloc the data and copy the header lines */ - offset = image->width * image->cpp + 1; -- data_size = header_size + (image->height + ext_nlines) * sizeof(char *) -- + image->height * offset + ext_size; -+ -+ if(offset <= image->width || offset <= image->cpp) -+ RETURN(XpmNoMemory); -+ -+ if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *)) -+ RETURN(XpmNoMemory); -+ data_size = (image->height + ext_nlines) * sizeof(char *); -+ -+ if (image->height > UINT_MAX / offset || -+ image->height * offset > UINT_MAX - data_size) -+ RETURN(XpmNoMemory); -+ data_size += image->height * offset; -+ -+ if( (header_size + ext_size) >= (UINT_MAX - data_size) ) -+ RETURN(XpmNoMemory); -+ data_size += header_size + ext_size; - - data = (char **) XpmMalloc(data_size); - if (!data) -@@ -179,8 +204,10 @@ - - data_nlines = header_nlines + image->height + ext_nlines; - *data = (char *) (data + data_nlines); -+ -+ /* can header have less elements then n suggests? */ - n = image->ncolors; -- for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) { -+ for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) { - strcpy(*sptr, *sptr2); - *(sptr + 1) = *sptr + strlen(*sptr2) + 1; - } -@@ -189,12 +216,13 @@ - data[header_nlines] = (char *) data + header_size - + (image->height + ext_nlines) * sizeof(char *); - -- CreatePixels(data + header_nlines, image->width, image->height, -+ CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height, - image->cpp, image->data, image->colorTable); - - /* print extensions */ - if (extensions) -- CreateExtensions(data + header_nlines + image->height - 1, offset, -+ CreateExtensions(data + header_nlines + image->height - 1, -+ data_size - header_nlines - image->height + 1, offset, - info->extensions, info->nextensions, - ext_nlines); - -@@ -225,23 +253,34 @@ - char *s, *s2; - char **defaults; - -+ /* can ncolors be trusted here? */ - for (a = 0; a < ncolors; a++, colors++, dataptr++) { - - defaults = (char **) colors; -+ if(sizeof(buf) <= cpp) -+ return(XpmNoMemory); - strncpy(buf, *defaults++, cpp); - s = buf + cpp; - -+ if(sizeof(buf) <= (s-buf)) -+ return XpmNoMemory; -+ - for (key = 1; key <= NKEYS; key++, defaults++) { - if ((s2 = *defaults)) { - #ifndef VOID_SPRINTF - s += - #endif -- sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); -+ /* assume C99 compliance */ -+ snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); - #ifdef VOID_SPRINTF - s += strlen(s); - #endif -+ /* does s point out-of-bounds? */ -+ if(sizeof(buf) < (s-buf)) -+ return XpmNoMemory; - } - } -+ /* what about using strdup()? */ - l = s - buf + 1; - s = (char *) XpmMalloc(l); - if (!s) -@@ -253,8 +292,9 @@ - } - - static void --CreatePixels(dataptr, width, height, cpp, pixels, colors) -+CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors) - char **dataptr; -+ unsigned int data_size; - unsigned int width; - unsigned int height; - unsigned int cpp; -@@ -264,21 +304,38 @@ - char *s; - unsigned int x, y, h, offset; - -+ if(height <= 1) -+ return; -+ - h = height - 1; -+ - offset = width * cpp + 1; -+ -+ if(offset <= width || offset <= cpp) -+ return; -+ -+ /* why trust h? */ - for (y = 0; y < h; y++, dataptr++) { - s = *dataptr; -+ /* why trust width? */ - for (x = 0; x < width; x++, pixels++) { -- strncpy(s, colors[*pixels].string, cpp); -+ if(cpp > (data_size - (s - *dataptr))) -+ return; -+ strncpy(s, colors[*pixels].string, cpp); /* why trust pixel? */ - s += cpp; - } - *s = '\0'; -+ if(offset > data_size) -+ return; - *(dataptr + 1) = *dataptr + offset; - } - /* duplicate some code to avoid a test in the loop */ - s = *dataptr; -+ /* why trust width? */ - for (x = 0; x < width; x++, pixels++) { -- strncpy(s, colors[*pixels].string, cpp); -+ if(cpp > data_size - (s - *dataptr)) -+ return; -+ strncpy(s, colors[*pixels].string, cpp); /* why should we trust *pixel? */ - s += cpp; - } - *s = '\0'; -@@ -311,8 +368,9 @@ - } - - static void --CreateExtensions(dataptr, offset, ext, num, ext_nlines) -+CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines) - char **dataptr; -+ unsigned int data_size; - unsigned int offset; - XpmExtension *ext; - unsigned int num; -@@ -325,12 +383,12 @@ - dataptr++; - a = 0; - for (x = 0; x < num; x++, ext++) { -- sprintf(*dataptr, "XPMEXT %s", ext->name); -+ snprintf(*dataptr, data_size, "XPMEXT %s", ext->name); - a++; - if (a < ext_nlines) - *(dataptr + 1) = *dataptr + strlen(ext->name) + 8; - dataptr++; -- b = ext->nlines; -+ b = ext->nlines; /* can we trust these values? */ - for (y = 0, line = ext->lines; y < b; y++, line++) { - strcpy(*dataptr, *line); - a++; -Index: extras/Xpm/lib/Imakefile -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/Imakefile,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 Imakefile ---- extras/Xpm/lib/Imakefile 15 Feb 2001 07:59:10 -0000 1.1.1.1 -+++ extras/Xpm/lib/Imakefile 14 Nov 2004 13:45:02 -0000 -@@ -104,13 +104,15 @@ - CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \ - CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \ - CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \ -- Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c -+ Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \ -+ s_popen.c - - OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \ - CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \ - CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \ - CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \ -- Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o -+ Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \ -+ s_popen.o - - INCLUDES = -I. - LINTLIBS = $(LINTXTOLL) $(LINTXLIB) -Index: extras/Xpm/lib/RdFToBuf.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/RdFToBuf.c,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 RdFToBuf.c ---- extras/Xpm/lib/RdFToBuf.c 15 Feb 2001 07:59:10 -0000 1.1.1.1 -+++ extras/Xpm/lib/RdFToBuf.c 14 Nov 2004 13:45:02 -0000 -@@ -37,6 +37,8 @@ - * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94 - */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - #include - #if !defined(FOR_MSW) && !defined(WIN32) -@@ -58,7 +60,8 @@ - char *filename; - char **buffer_return; - { -- int fd, fcheck, len; -+ int fd, fcheck; -+ off_t len; - char *ptr; - struct stat stats; - FILE *fp; -@@ -82,7 +85,7 @@ - close(fd); - return XpmOpenFailed; - } -- len = (int) stats.st_size; -+ len = stats.st_size; - ptr = (char *) XpmMalloc(len + 1); - if (!ptr) { - fclose(fp); -Index: extras/Xpm/lib/RdFToI.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/RdFToI.c,v -retrieving revision 1.2 -diff -u -r1.2 RdFToI.c ---- extras/Xpm/lib/RdFToI.c 2 Nov 2004 23:26:39 -0000 1.2 -+++ extras/Xpm/lib/RdFToI.c 14 Nov 2004 13:45:02 -0000 -@@ -33,6 +33,8 @@ - \*****************************************************************************/ - /* $XFree86$ */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - #include - #if !defined(NO_ZPIPE) && defined(WIN32) -@@ -123,6 +125,12 @@ - /* - * open the given file to be read as an xpmData which is returned. - */ -+#ifndef NO_ZPIPE -+ FILE *s_popen(char *cmd, const char *type); -+#else -+# define s_popen popen -+#endif -+ - static int - OpenReadFile(filename, mdata) - char *filename; -@@ -141,17 +149,21 @@ - mdata->type = XPMFILE; - } else { - #ifndef NO_ZPIPE -- int len = strlen(filename); -+ size_t len = strlen(filename); -+ -+ if(len == 0 || -+ filename[len-1] == '/') -+ return(XpmOpenFailed); - if ((len > 2) && !strcmp(".Z", filename + (len - 2))) { - mdata->type = XPMPIPE; -- sprintf(buf, "uncompress -c \"%s\"", filename); -- if (!(mdata->stream.file = popen(buf, "r"))) -+ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename); -+ if (!(mdata->stream.file = s_popen(buf, "r"))) - return (XpmOpenFailed); - - } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) { - mdata->type = XPMPIPE; -- sprintf(buf, "gunzip -qc \"%s\"", filename); -- if (!(mdata->stream.file = popen(buf, "r"))) -+ snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename); -+ if (!(mdata->stream.file = s_popen(buf, "r"))) - return (XpmOpenFailed); - - } else { -@@ -159,19 +171,19 @@ - if (!(compressfile = (char *) XpmMalloc(len + 4))) - return (XpmNoMemory); - -- sprintf(compressfile, "%s.Z", filename); -+ snprintf(compressfile, len+4, "%s.Z", filename); - if (!stat(compressfile, &status)) { -- sprintf(buf, "uncompress -c \"%s\"", compressfile); -- if (!(mdata->stream.file = popen(buf, "r"))) { -+ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile); -+ if (!(mdata->stream.file = s_popen(buf, "r"))) { - XpmFree(compressfile); - return (XpmOpenFailed); - } - mdata->type = XPMPIPE; - } else { -- sprintf(compressfile, "%s.gz", filename); -+ snprintf(compressfile, len+4, "%s.gz", filename); - if (!stat(compressfile, &status)) { -- sprintf(buf, "gunzip -c \"%s\"", compressfile); -- if (!(mdata->stream.file = popen(buf, "r"))) { -+ snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile); -+ if (!(mdata->stream.file = s_popen(buf, "r"))) { - XpmFree(compressfile); - return (XpmOpenFailed); - } -@@ -217,7 +229,7 @@ - break; - #ifndef NO_ZPIPE - case XPMPIPE: -- pclose(mdata->stream.file); -+ fclose(mdata->stream.file); - break; - #endif - } -Index: extras/Xpm/lib/WrFFrBuf.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/WrFFrBuf.c,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 WrFFrBuf.c ---- extras/Xpm/lib/WrFFrBuf.c 15 Feb 2001 07:59:10 -0000 1.1.1.1 -+++ extras/Xpm/lib/WrFFrBuf.c 14 Nov 2004 13:45:02 -0000 -@@ -32,6 +32,8 @@ - * Developed by Arnaud Le Hors * - \*****************************************************************************/ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - - int -@@ -49,7 +51,7 @@ - fcheck = fwrite(buffer, len, 1, fp); - fclose(fp); - if (fcheck != 1) -- return XpmOpenFailed; -+ return XpmOpenFailed; /* maybe use a better return value */ - - return XpmSuccess; - } -Index: extras/Xpm/lib/WrFFrI.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/WrFFrI.c,v -retrieving revision 1.3 -diff -u -r1.3 WrFFrI.c ---- extras/Xpm/lib/WrFFrI.c 2 Nov 2004 23:26:39 -0000 1.3 -+++ extras/Xpm/lib/WrFFrI.c 14 Nov 2004 13:45:02 -0000 -@@ -38,6 +38,8 @@ - * Lorens Younes (d93-hyo@nada.kth.se) 4/96 - */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - #if !defined(NO_ZPIPE) && defined(WIN32) - # define popen _popen -@@ -98,7 +100,7 @@ - XpmInfo *info; - { - xpmData mdata; -- char *name, *dot, *s, new_name[BUFSIZ]; -+ char *name, *dot, *s, new_name[BUFSIZ] = {0}; - int ErrorStatus; - - /* open file to write */ -@@ -121,7 +123,8 @@ - #endif - /* let's try to make a valid C syntax name */ - if (index(name, '.')) { -- strcpy(new_name, name); -+ strncpy(new_name, name, sizeof(new_name)); -+ new_name[sizeof(new_name)-1] = 0; - /* change '.' to '_' */ - name = s = new_name; - while ((dot = index(s, '.'))) { -@@ -131,7 +134,8 @@ - } - if (index(name, '-')) { - if (name != new_name) { -- strcpy(new_name, name); -+ strncpy(new_name, name, sizeof(new_name)); -+ new_name[sizeof(new_name)-1] = 0; - name = new_name; - } - /* change '-' to '_' */ -@@ -248,7 +252,7 @@ - unsigned int x, y, h; - - h = height - 1; -- if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) -+ if (cpp != 0 && width >= (UINT_MAX - 3)/cpp) - return XpmNoMemory; - p = buf = (char *) XpmMalloc(width * cpp + 3); - if (!buf) -@@ -300,6 +304,11 @@ - /* - * open the given file to be written as an xpmData which is returned - */ -+#ifndef NO_ZPIPE -+ FILE *s_popen(char *cmd, const char *type); -+#else -+# define s_popen popen -+#endif - static int - OpenWriteFile(filename, mdata) - char *filename; -@@ -315,16 +324,23 @@ - mdata->type = XPMFILE; - } else { - #ifndef NO_ZPIPE -- int len = strlen(filename); -+ size_t len = strlen(filename); -+ -+ if(len == 0 || -+ filename[0] == '/' || -+ strstr(filename, "../") != NULL || -+ filename[len-1] == '/') -+ return(XpmOpenFailed); -+ - if (len > 2 && !strcmp(".Z", filename + (len - 2))) { -- sprintf(buf, "compress > \"%s\"", filename); -- if (!(mdata->stream.file = popen(buf, "w"))) -+ snprintf(buf, sizeof(buf), "compress > \"%s\"", filename); -+ if (!(mdata->stream.file = s_popen(buf, "w"))) - return (XpmOpenFailed); - - mdata->type = XPMPIPE; - } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { -- sprintf(buf, "gzip -q > \"%s\"", filename); -- if (!(mdata->stream.file = popen(buf, "w"))) -+ snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename); -+ if (!(mdata->stream.file = s_popen(buf, "w"))) - return (XpmOpenFailed); - - mdata->type = XPMPIPE; -@@ -355,7 +371,7 @@ - break; - #ifndef NO_ZPIPE - case XPMPIPE: -- pclose(mdata->stream.file); -+ fclose(mdata->stream.file); - break; - #endif - } -Index: extras/Xpm/lib/XpmI.h -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/XpmI.h,v -retrieving revision 1.8 -diff -u -r1.8 XpmI.h ---- extras/Xpm/lib/XpmI.h 2 Nov 2004 23:26:39 -0000 1.8 -+++ extras/Xpm/lib/XpmI.h 14 Nov 2004 13:45:03 -0000 -@@ -49,8 +49,10 @@ - * lets try to solve include files - */ - -+#include - #include - #include -+#include - /* stdio.h doesn't declare popen on a Sequent DYNIX OS */ - #ifdef sequent - extern FILE *popen(); -Index: extras/Xpm/lib/create.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/create.c,v -retrieving revision 1.5 -diff -u -r1.5 create.c ---- extras/Xpm/lib/create.c 2 Nov 2004 23:26:39 -0000 1.5 -+++ extras/Xpm/lib/create.c 14 Nov 2004 13:45:05 -0000 -@@ -45,6 +45,8 @@ - * Lorens Younes (d93-hyo@nada.kth.se) 4/96 - */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - #include - -@@ -586,7 +588,7 @@ - */ - } else { - #endif -- int i; -+ unsigned int i; - - #ifndef AMIGA - ncols = visual->map_entries; -@@ -746,12 +748,14 @@ - - - /* function call in case of error */ -+ - #undef RETURN - #define RETURN(status) \ -+do \ - { \ - ErrorStatus = status; \ - goto error; \ --} -+} while(0) - - int - XpmCreateImageFromXpmImage(display, image, -@@ -817,7 +821,7 @@ - - ErrorStatus = XpmSuccess; - -- if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) -+ if (image->ncolors >= UINT_MAX / sizeof(Pixel)) - return (XpmNoMemory); - - /* malloc pixels index tables */ -@@ -992,9 +996,13 @@ - return (XpmNoMemory); - - #if !defined(FOR_MSW) && !defined(AMIGA) -- if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) -+ if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { -+ XDestroyImage(*image_return); - return XpmNoMemory; -+ } - /* now that bytes_per_line must have been set properly alloc data */ -+ if((*image_return)->bytes_per_line == 0 || height == 0) -+ return XpmNoMemory; - (*image_return)->data = - (char *) XpmMalloc((*image_return)->bytes_per_line * height); - -@@ -1023,7 +1031,7 @@ - LFUNC(_putbits, void, (register char *src, int dstoffset, - register int numbits, register char *dst)); - --LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb)); -+LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb)); - - static unsigned char Const _reverse_byte[0x100] = { - 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, -@@ -1063,12 +1071,12 @@ - static int - _XReverse_Bytes(bpt, nb) - register unsigned char *bpt; -- register int nb; -+ register unsigned int nb; - { - do { - *bpt = _reverse_byte[*bpt]; - bpt++; -- } while (--nb > 0); -+ } while (--nb > 0); /* is nb user-controled? */ - return 0; - } - -@@ -1207,7 +1215,7 @@ - register char *src; - register char *dst; - register unsigned int *iptr; -- register int x, y, i; -+ register unsigned int x, y, i; - register char *data; - Pixel pixel, px; - int nbytes, depth, ibu, ibpp; -@@ -1217,8 +1225,8 @@ - depth = image->depth; - if (depth == 1) { - ibu = image->bitmap_unit; -- for (y = 0; y < height; y++) -- for (x = 0; x < width; x++, iptr++) { -+ for (y = 0; y < height; y++) /* how can we trust height */ -+ for (x = 0; x < width; x++, iptr++) { /* how can we trust width */ - pixel = pixels[*iptr]; - for (i = 0, px = pixel; i < sizeof(unsigned long); - i++, px >>= 8) -@@ -1293,12 +1301,12 @@ - { - unsigned char *data; - unsigned int *iptr; -- int y; -+ unsigned int y; - Pixel pixel; - - #ifdef WITHOUT_SPEEDUPS - -- int x; -+ unsigned int x; - unsigned char *addr; - - data = (unsigned char *) image->data; -@@ -1335,7 +1343,7 @@ - - #else /* WITHOUT_SPEEDUPS */ - -- int bpl = image->bytes_per_line; -+ unsigned int bpl = image->bytes_per_line; - unsigned char *data_ptr, *max_data; - - data = (unsigned char *) image->data; -@@ -1403,11 +1411,11 @@ - { - unsigned char *data; - unsigned int *iptr; -- int y; -+ unsigned int y; - - #ifdef WITHOUT_SPEEDUPS - -- int x; -+ unsigned int x; - unsigned char *addr; - - data = (unsigned char *) image->data; -@@ -1431,7 +1439,7 @@ - - Pixel pixel; - -- int bpl = image->bytes_per_line; -+ unsigned int bpl = image->bytes_per_line; - unsigned char *data_ptr, *max_data; - - data = (unsigned char *) image->data; -@@ -1484,11 +1492,11 @@ - { - char *data; - unsigned int *iptr; -- int y; -+ unsigned int y; - - #ifdef WITHOUT_SPEEDUPS - -- int x; -+ unsigned int x; - - data = image->data; - iptr = pixelindex; -@@ -1498,7 +1506,7 @@ - - #else /* WITHOUT_SPEEDUPS */ - -- int bpl = image->bytes_per_line; -+ unsigned int bpl = image->bytes_per_line; - char *data_ptr, *max_data; - - data = image->data; -@@ -1533,12 +1541,12 @@ - PutImagePixels(image, width, height, pixelindex, pixels); - else { - unsigned int *iptr; -- int y; -+ unsigned int y; - char *data; - - #ifdef WITHOUT_SPEEDUPS - -- int x; -+ unsigned int x; - - data = image->data; - iptr = pixelindex; -@@ -1761,6 +1769,9 @@ - Pixel px; - int nbytes; - -+ if(x < 0 || y < 0) -+ return 0; -+ - for (i=0, px=pixel; i>=8) - ((unsigned char *)&pixel)[i] = px; - src = &ximage->data[XYINDEX(x, y, ximage)]; -@@ -1791,7 +1802,10 @@ - register char *dst; - register int i; - Pixel px; -- int nbytes, ibpp; -+ unsigned int nbytes, ibpp; -+ -+ if(x < 0 || y < 0) -+ return 0; - - ibpp = ximage->bits_per_pixel; - if (ximage->depth == 4) -@@ -1825,6 +1839,9 @@ - { - unsigned char *addr; - -+ if(x < 0 || y < 0) -+ return 0; -+ - addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; - *((unsigned long *)addr) = pixel; - return 1; -@@ -1840,6 +1857,9 @@ - { - unsigned char *addr; - -+ if(x < 0 || y < 0) -+ return 0; -+ - addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; - addr[0] = pixel >> 24; - addr[1] = pixel >> 16; -@@ -1857,6 +1877,9 @@ - { - unsigned char *addr; - -+ if(x < 0 || y < 0) -+ return 0; -+ - addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)]; - addr[3] = pixel >> 24; - addr[2] = pixel >> 16; -@@ -1874,6 +1897,9 @@ - { - unsigned char *addr; - -+ if(x < 0 || y < 0) -+ return 0; -+ - addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; - addr[0] = pixel >> 8; - addr[1] = pixel; -@@ -1889,6 +1915,9 @@ - { - unsigned char *addr; - -+ if(x < 0 || y < 0) -+ return 0; -+ - addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)]; - addr[1] = pixel >> 8; - addr[0] = pixel; -@@ -1902,6 +1931,9 @@ - int y; - unsigned long pixel; - { -+ if(x < 0 || y < 0) -+ return 0; -+ - ximage->data[ZINDEX8(x, y, ximage)] = pixel; - return 1; - } -@@ -1913,6 +1945,9 @@ - int y; - unsigned long pixel; - { -+ if(x < 0 || y < 0) -+ return 0; -+ - if (pixel & 1) - ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7); - else -@@ -1927,6 +1962,9 @@ - int y; - unsigned long pixel; - { -+ if(x < 0 || y < 0) -+ return 0; -+ - if (pixel & 1) - ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7); - else -@@ -2061,8 +2099,8 @@ - xpmGetCmt(data, &colors_cmt); - - /* malloc pixels index tables */ -- if (ncolors >= SIZE_MAX / sizeof(Pixel)) -- return XpmNoMemory; -+ if (ncolors >= UINT_MAX / sizeof(Pixel)) -+ RETURN(XpmNoMemory); - - image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); - if (!image_pixels) -@@ -2174,7 +2212,7 @@ - * free the hastable - */ - if (ErrorStatus != XpmSuccess) -- RETURN(ErrorStatus) -+ RETURN(ErrorStatus); - else if (USE_HASHTABLE) - xpmHashTableFree(&hashtable); - -@@ -2366,11 +2404,11 @@ - - /* array of pointers malloced by need */ - unsigned short *cidx[256]; -- int char1; -+ unsigned int char1; - - bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ - for (a = 0; a < ncolors; a++) { -- char1 = colorTable[a].string[0]; -+ char1 = (unsigned char) colorTable[a].string[0]; - if (cidx[char1] == NULL) { /* get new memory */ - cidx[char1] = (unsigned short *) - XpmCalloc(256, sizeof(unsigned short)); -Index: extras/Xpm/lib/data.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/data.c,v -retrieving revision 1.3 -diff -u -r1.3 data.c ---- extras/Xpm/lib/data.c 2 Nov 2004 23:26:39 -0000 1.3 -+++ extras/Xpm/lib/data.c 14 Nov 2004 13:45:05 -0000 -@@ -33,6 +33,8 @@ - \*****************************************************************************/ - /* $XFree86: xc/extras/Xpm/lib/data.c,v 1.3 2001/10/28 03:32:10 tsi Exp $ */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #ifndef CXPMPROG - #if 0 - /* Official version number */ -@@ -262,7 +264,7 @@ - } - Ungetc(data, c, file); - } -- return (n); -+ return (n); /* this returns bytes read + 1 */ - } - - /* -@@ -375,8 +377,9 @@ - { - if (!data->type) - *cmt = NULL; -- else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) { -- *cmt = (char *) XpmMalloc(data->CommentLength + 1); -+ else if (data->CommentLength != 0 && data->CommentLength < UINT_MAX - 1) { -+ if( (*cmt = (char *) XpmMalloc(data->CommentLength + 1)) == NULL) -+ return XpmNoMemory; - strncpy(*cmt, data->Comment, data->CommentLength); - (*cmt)[data->CommentLength] = '\0'; - data->CommentLength = 0; -@@ -400,7 +403,7 @@ - xpmParseHeader(data) - xpmData *data; - { -- char buf[BUFSIZ]; -+ char buf[BUFSIZ+1] = {0}; - int l, n = 0; - - if (data->type) { -Index: extras/Xpm/lib/hashtab.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/hashtab.c,v -retrieving revision 1.2 -diff -u -r1.2 hashtab.c ---- extras/Xpm/lib/hashtab.c 1 Sep 2004 21:01:33 -0000 1.2 -+++ extras/Xpm/lib/hashtab.c 14 Nov 2004 13:45:05 -0000 -@@ -138,13 +138,13 @@ - unsigned int size = table->size; - xpmHashAtom *t, *p; - int i; -- int oldSize = size; -+ unsigned int oldSize = size; - - t = atomTable; - HASH_TABLE_GROWS - table->size = size; - table->limit = size / 3; -- if (size >= SIZE_MAX / sizeof(*atomTable)) -+ if (size >= UINT_MAX / sizeof(*atomTable)) - return (XpmNoMemory); - atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); - if (!atomTable) -@@ -206,7 +206,7 @@ - table->size = INITIAL_HASH_SIZE; - table->limit = table->size / 3; - table->used = 0; -- if (table->size >= SIZE_MAX / sizeof(*atomTable)) -+ if (table->size >= UINT_MAX / sizeof(*atomTable)) - return (XpmNoMemory); - atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); - if (!atomTable) -Index: extras/Xpm/lib/misc.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/misc.c,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 misc.c ---- extras/Xpm/lib/misc.c 15 Feb 2001 07:59:10 -0000 1.1.1.1 -+++ extras/Xpm/lib/misc.c 14 Nov 2004 13:45:05 -0000 -@@ -44,7 +44,7 @@ - char *s1; - { - char *s2; -- int l = strlen(s1) + 1; -+ size_t l = strlen(s1) + 1; - - if (s2 = (char *) XpmMalloc(l)) - strcpy(s2, s1); -Index: extras/Xpm/lib/parse.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/parse.c,v -retrieving revision 1.3 -diff -u -r1.3 parse.c ---- extras/Xpm/lib/parse.c 2 Nov 2004 23:26:39 -0000 1.3 -+++ extras/Xpm/lib/parse.c 14 Nov 2004 13:45:05 -0000 -@@ -41,26 +41,28 @@ - * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94 - */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - #include - #include - - #ifdef HAS_STRLCAT --# define STRLCAT(dst, src, dstsize) { \ -+# define STRLCAT(dst, src, dstsize) do { \ - if (strlcat(dst, src, dstsize) >= (dstsize)) \ -- return (XpmFileInvalid); } --# define STRLCPY(dst, src, dstsize) { \ -+ return (XpmFileInvalid); } while(0) -+# define STRLCPY(dst, src, dstsize) do { \ - if (strlcpy(dst, src, dstsize) >= (dstsize)) \ -- return (XpmFileInvalid); } -+ return (XpmFileInvalid); } while(0) - #else --# define STRLCAT(dst, src, dstsize) { \ -+# define STRLCAT(dst, src, dstsize) do { \ - if ((strlen(dst) + strlen(src)) < (dstsize)) \ - strcat(dst, src); \ -- else return (XpmFileInvalid); } --# define STRLCPY(dst, src, dstsize) { \ -+ else return (XpmFileInvalid); } while(0) -+# define STRLCPY(dst, src, dstsize) do { \ - if (strlen(src) < (dstsize)) \ - strcpy(dst, src); \ -- else return (XpmFileInvalid); } -+ else return (XpmFileInvalid); } while(0) - #endif - - LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, -@@ -205,7 +207,7 @@ - char **defaults; - int ErrorStatus; - -- if (ncolors >= SIZE_MAX / sizeof(XpmColor)) -+ if (ncolors >= UINT_MAX / sizeof(XpmColor)) - return (XpmNoMemory); - colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); - if (!colorTable) -@@ -218,7 +220,7 @@ - /* - * read pixel value - */ -- if (cpp >= SIZE_MAX - 1) { -+ if (cpp >= UINT_MAX - 1) { - xpmFreeColorTable(colorTable, ncolors); - return (XpmNoMemory); - } -@@ -277,9 +279,9 @@ - return (XpmFileInvalid); - } - if (!lastwaskey) -- STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ -+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */ - buf[l] = '\0'; -- STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */ -+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ - lastwaskey = 0; - } - } -@@ -287,7 +289,7 @@ - xpmFreeColorTable(colorTable, ncolors); - return (XpmFileInvalid); - } -- len = strlen(curbuf) + 1; -+ len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */ - s = defaults[curkey] = (char *) XpmMalloc(len); - if (!s) { - xpmFreeColorTable(colorTable, ncolors); -@@ -306,7 +308,7 @@ - /* - * read pixel value - */ -- if (cpp >= SIZE_MAX - 1) { -+ if (cpp >= UINT_MAX - 1) { - xpmFreeColorTable(colorTable, ncolors); - return (XpmNoMemory); - } -@@ -351,7 +353,7 @@ - memcpy(s, curbuf, len); - color->c_color = s; - *curbuf = '\0'; /* reset curbuf */ -- if (a < ncolors - 1) -+ if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */ - xpmNextString(data); /* get to the next string */ - } - } -@@ -370,11 +372,11 @@ - xpmHashTable *hashtable; - unsigned int **pixels; - { -- unsigned int *iptr, *iptr2; -+ unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ - unsigned int a, x, y; - -- if ((height > 0 && width >= SIZE_MAX / height) || -- width * height >= SIZE_MAX / sizeof(unsigned int)) -+ if ((height > 0 && width >= UINT_MAX / height) || -+ width * height >= UINT_MAX / sizeof(unsigned int)) - return XpmNoMemory; - #ifndef FOR_MSW - iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); -@@ -399,8 +401,10 @@ - { - unsigned short colidx[256]; - -- if (ncolors > 256) -+ if (ncolors > 256) { -+ XpmFree(iptr2); /* found by Egbert Eich */ - return (XpmFileInvalid); -+ } - - bzero((char *)colidx, 256 * sizeof(short)); - for (a = 0; a < ncolors; a++) -@@ -427,16 +431,20 @@ - { - - /* free all allocated pointers at all exits */ --#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \ --if (cidx[f]) XpmFree(cidx[f]);} -+#define FREE_CIDX \ -+do \ -+{ \ -+ int f; for (f = 0; f < 256; f++) \ -+ if (cidx[f]) XpmFree(cidx[f]); \ -+} while(0) - - /* array of pointers malloced by need */ - unsigned short *cidx[256]; -- int char1; -+ unsigned int char1; - - bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ - for (a = 0; a < ncolors; a++) { -- char1 = colorTable[a].string[0]; -+ char1 = (unsigned char) colorTable[a].string[0]; - if (cidx[char1] == NULL) { /* get new memory */ - cidx[char1] = (unsigned short *) - XpmCalloc(256, sizeof(unsigned short)); -@@ -480,8 +488,10 @@ - char *s; - char buf[BUFSIZ]; - -- if (cpp >= sizeof(buf)) -+ if (cpp >= sizeof(buf)) { -+ XpmFree(iptr2); /* found by Egbert Eich */ - return (XpmFileInvalid); -+ } - - buf[cpp] = '\0'; - if (USE_HASHTABLE) { -@@ -491,7 +501,7 @@ - xpmNextString(data); - for (x = 0; x < width; x++, iptr++) { - for (a = 0, s = buf; a < cpp; a++, s++) -- *s = xpmGetC(data); -+ *s = xpmGetC(data); /* int assigned to char, not a problem here */ - slot = xpmHashSlot(hashtable, buf); - if (!*slot) { /* no color matches */ - XpmFree(iptr2); -@@ -505,7 +515,7 @@ - xpmNextString(data); - for (x = 0; x < width; x++, iptr++) { - for (a = 0, s = buf; a < cpp; a++, s++) -- *s = xpmGetC(data); -+ *s = xpmGetC(data); /* int assigned to char, not a problem here */ - for (a = 0; a < ncolors; a++) - if (!strcmp(colorTable[a].string, buf)) - break; -@@ -560,7 +570,7 @@ - while (!notstart && notend) { - /* there starts an extension */ - ext = (XpmExtension *) -- XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); -+ XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */ - if (!ext) { - XpmFree(string); - XpmFreeExtensions(exts, num); -@@ -597,7 +607,7 @@ - while ((notstart = strncmp("XPMEXT", string, 6)) - && (notend = strncmp("XPMENDEXT", string, 9))) { - sp = (char **) -- XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); -+ XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */ - if (!sp) { - XpmFree(string); - ext->nlines = nlines; -@@ -637,9 +647,9 @@ - /* function call in case of error */ - #undef RETURN - #define RETURN(status) \ --{ \ -+do { \ - goto error; \ --} -+} while(0) - - /* - * This function parses an Xpm file or data and store the found informations -Index: extras/Xpm/lib/s_popen.c -=================================================================== -RCS file: extras/Xpm/lib/s_popen.c -diff -N extras/Xpm/lib/s_popen.c ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ extras/Xpm/lib/s_popen.c 14 Nov 2004 13:45:05 -0000 -@@ -0,0 +1,181 @@ -+/* -+ * Copyright (C) 2004 The X.Org fundation -+ * -+ * Permission is hereby granted, free of charge, to any person -+ * obtaining a copy of this software and associated documentation -+ * files (the "Software"), to deal in the Software without -+ * restriction, including without limitation the rights to use, copy, -+ * modify, merge, publish, distribute, sublicense, and/or sell copies -+ * of the Software, and to permit persons to whom the Software is fur- -+ * nished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be -+ * included in all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -+ * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR -+ * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF -+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Except as contained in this notice, the name of the X.Org fundation -+ * shall not be used in advertising or otherwise to promote the sale, -+ * use or other dealings in this Software without prior written -+ * authorization from the X.Org fundation. -+ */ -+ -+/* -+** This is a secure but NOT 100% compatible replacement for popen() -+** Note: - don't use pclose() use fclose() for closing the returned -+** filedesc.!!! -+** -+** Known Bugs: - unable to use i/o-redirection like > or < -+** Author: - Thomas Biege -+** Credits: - Andreas Pfaller for fixing a SEGV when -+** calling strtok() -+*/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define __SEC_POPEN_TOKEN " " -+ -+FILE *s_popen(char *cmd, const char *type) -+{ -+ pid_t pid; -+ int pfd[2]; -+ int rpipe = 0, wpipe = 0, i; -+ char **argv; -+ char *ptr; -+ char *cmdcpy; -+ -+ -+ if(cmd == NULL || cmd == "") -+ return(NULL); -+ -+ if(type[0] != 'r' && type[0] != 'w') -+ return(NULL); -+ -+ if ((cmdcpy = strdup(cmd)) == NULL) -+ return(NULL); -+ -+ argv = NULL; -+ if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL) -+ { -+ free(cmdcpy); -+ return(NULL); -+ } -+ -+ for(i = 0;; i++) -+ { -+ if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL) -+ { -+ free(cmdcpy); -+ return(NULL); -+ } -+ -+ if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL) -+ { -+ free(cmdcpy); -+ return(NULL); -+ } -+ -+ strcpy(argv[i], ptr); -+ -+ if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL) -+ { -+ if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL) -+ { -+ free(cmdcpy); -+ return(NULL); -+ } -+ argv[i+1] = NULL; -+ break; -+ } -+ } -+ -+ -+ if(type[0] == 'r') -+ rpipe = 1; -+ else -+ wpipe = 1; -+ -+ if (pipe(pfd) < 0) -+ { -+ free(cmdcpy); -+ return(NULL); -+ } -+ -+ if((pid = fork()) < 0) -+ { -+ close(pfd[0]); -+ close(pfd[1]); -+ free(cmdcpy); -+ return(NULL); -+ } -+ -+ if(pid == 0) /* child */ -+ { -+ if((pid = fork()) < 0) -+ { -+ close(pfd[0]); -+ close(pfd[1]); -+ free(cmdcpy); -+ return(NULL); -+ } -+ if(pid > 0) -+ { -+ exit(0); /* child nr. 1 exits */ -+ } -+ -+ /* child nr. 2 */ -+ if(rpipe) -+ { -+ close(pfd[0]); /* close reading end, we don't need it */ -+ dup2(STDOUT_FILENO, STDERR_FILENO); -+ if (pfd[1] != STDOUT_FILENO) -+ dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */ -+ } -+ else -+ { -+ close(pfd[1]); /* close writing end, we don't need it */ -+ if (pfd[0] != STDIN_FILENO) -+ dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */ -+ } -+ -+ if(strchr(argv[0], '/') == NULL) -+ execvp(argv[0], argv); /* search in $PATH */ -+ else -+ execv(argv[0], argv); -+ -+ close(pfd[0]); -+ close(pfd[1]); -+ free(cmdcpy); -+ return(NULL); /* exec failed.. ooops! */ -+ } -+ else /* parent */ -+ { -+ waitpid(pid, NULL, 0); /* wait for child nr. 1 */ -+ -+ if(rpipe) -+ { -+ close(pfd[1]); -+ free(cmdcpy); -+ return(fdopen(pfd[0], "r")); -+ } -+ else -+ { -+ close(pfd[0]); -+ free(cmdcpy); -+ return(fdopen(pfd[1], "w")); -+ } -+ -+ } -+} -+ -Index: extras/Xpm/lib/scan.c -=================================================================== -RCS file: /cvs/XF4/xc/extras/Xpm/lib/scan.c,v -retrieving revision 1.3 -diff -u -r1.3 scan.c ---- extras/Xpm/lib/scan.c 2 Nov 2004 23:26:39 -0000 1.3 -+++ extras/Xpm/lib/scan.c 14 Nov 2004 13:45:05 -0000 -@@ -43,6 +43,8 @@ - * Lorens Younes (d93-hyo@nada.kth.se) 4/96 - */ - -+/* October 2004, source code review by Thomas Biege */ -+ - #include "XpmI.h" - - #define MAXPRINTABLE 92 /* number of printable ascii chars -@@ -172,10 +174,10 @@ - /* function call in case of error */ - #undef RETURN - #define RETURN(status) \ --{ \ -+do { \ - ErrorStatus = status; \ - goto error; \ --} -+} while(0) - - /* - * This function scans the given image and stores the found informations in -@@ -233,15 +235,15 @@ - else - cpp = 0; - -- if ((height > 0 && width >= SIZE_MAX / height) || -- width * height >= SIZE_MAX / sizeof(unsigned int)) -+ if ((height > 0 && width >= UINT_MAX / height) || -+ width * height >= UINT_MAX / sizeof(unsigned int)) - RETURN(XpmNoMemory); - pmap.pixelindex = - (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); - if (!pmap.pixelindex) - RETURN(XpmNoMemory); - -- if (pmap.size >= SIZE_MAX / sizeof(Pixel)) -+ if (pmap.size >= UINT_MAX / sizeof(Pixel)) - RETURN(XpmNoMemory); - - pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); -@@ -308,7 +310,7 @@ - * get rgb values and a string of char, and possibly a name for each - * color - */ -- if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) -+ if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor)) - RETURN(XpmNoMemory); - colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); - if (!colorTable) -@@ -368,7 +370,7 @@ - - /* first get a character string */ - a = 0; -- if (cpp >= SIZE_MAX - 1) -+ if (cpp >= UINT_MAX - 1) - return (XpmNoMemory); - if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) - return (XpmNoMemory); -@@ -461,7 +463,7 @@ - } - - /* first get character strings and rgb values */ -- if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) -+ if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1) - return (XpmNoMemory); - xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); - if (!xcolors) -@@ -619,7 +621,7 @@ - char *dst; - unsigned int *iptr; - char *data; -- int x, y, i; -+ unsigned int x, y, i; - int bits, depth, ibu, ibpp, offset; - unsigned long lbt; - Pixel pixel, px; -@@ -721,7 +723,7 @@ - unsigned char *addr; - unsigned char *data; - unsigned int *iptr; -- int x, y; -+ unsigned int x, y; - unsigned long lbt; - Pixel pixel; - int depth; -@@ -786,7 +788,7 @@ - unsigned char *addr; - unsigned char *data; - unsigned int *iptr; -- int x, y; -+ unsigned int x, y; - unsigned long lbt; - Pixel pixel; - int depth; -@@ -831,7 +833,7 @@ - { - unsigned int *iptr; - unsigned char *data; -- int x, y; -+ unsigned int x, y; - unsigned long lbt; - Pixel pixel; - int depth; -@@ -864,7 +866,7 @@ - storeFuncPtr storeFunc; - { - unsigned int *iptr; -- int x, y; -+ unsigned int x, y; - char *data; - Pixel pixel; - int xoff, yoff, offset, bpl; -@@ -900,11 +902,11 @@ - # else /* AMIGA */ - - #define CLEAN_UP(status) \ --{\ -+do {\ - if (pixels) XpmFree (pixels);\ - if (tmp_img) FreeXImage (tmp_img);\ - return (status);\ --} -+} while(0) - - static int - AGetImagePixels ( -@@ -925,7 +927,7 @@ - - tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth); - if (tmp_img == NULL) -- CLEAN_UP (XpmNoMemory) -+ CLEAN_UP (XpmNoMemory); - - iptr = pmap->pixelindex; - for (y = 0; y < height; ++y) -@@ -934,11 +936,11 @@ - for (x = 0; x < width; ++x, ++iptr) - { - if ((*storeFunc) (pixels[x], pmap, iptr)) -- CLEAN_UP (XpmNoMemory) -+ CLEAN_UP (XpmNoMemory); - } - } - -- CLEAN_UP (XpmSuccess) -+ CLEAN_UP (XpmSuccess); - } - - #undef CLEAN_UP -Index: lib/Xpm/Imakefile -=================================================================== -RCS file: /cvs/XF4/xc/lib/Xpm/Imakefile,v -retrieving revision 1.3 -diff -u -r1.3 Imakefile ---- lib/Xpm/Imakefile 2 Nov 2004 23:47:45 -0000 1.3 -+++ lib/Xpm/Imakefile 14 Nov 2004 13:45:05 -0000 -@@ -46,12 +46,20 @@ - STRLCATDEF = -DHAS_STRLCAT - #endif - -+#if HasSnprintf -+SNPRINTFDEF = -DHAS_SNPRINTF -+#else -+SNPRINTFDEF = -Dsnprintf=_XpmSnprintf -+SNPRINTFSRCS = snprintf.c -+SNPRINTFOBJS = snprintf.o -+#endif -+ - #if defined(Win32Architecture) - ZPIPEDEF = -DNO_ZPIPE - #endif - - DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(STRLCATDEF) \ -- $(ZPIPEDEF) $(ZFILEDEF) -+ $(SNPRINTFDEF) $(ZPIPEDEF) $(ZFILEDEF) - - HEADERS = xpm.h - -@@ -59,13 +67,15 @@ - CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \ - CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \ - CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \ -- Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c -+ Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \ -+ s_popen.c $(SNPRINTFSRCS) - - OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \ - CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \ - CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \ - CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \ -- Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o -+ Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \ -+ s_popen.o $(SNPRINTFOBJS) - - XPMDIR = $(TOP)/extras/Xpm - XPMLIBDIR = $(TOP)/extras/Xpm/lib -@@ -104,5 +114,10 @@ - LinkSourceFile(RdFToBuf.c,$(XPMLIBDIR)) - LinkSourceFile(WrFFrBuf.c,$(XPMLIBDIR)) - LinkSourceFile(xpm.h,$(XPMLIBDIR)) -+LinkSourceFile(s_popen.c,$(XPMLIBDIR)) -+ -+#if !HasSnprintf -+LinkSourceFile(snprintf.c,$(LIBSRC)/misc) -+#endif - - DependTarget() -- 2.44.0