[packages/imlib.git] / imlib-CAN-2004-1026.patch

diff -urN imlib-1.9.13.orig/Imlib/load.c imlib-1.9.13/Imlib/load.c
--- imlib-1.9.13.orig/Imlib/load.c	Wed Mar 13 19:06:29 2002
+++ imlib-1.9.13/Imlib/load.c	Thu Sep 16 17:21:01 2004
@@ -4,6 +4,8 @@
 #include "Imlib_private.h"
 #include <setjmp.h>
 
+#define G_MAXINT ((int) 0x7fffffff)
+
 /*      Split the ID - damages input    */
 
 static char        *
@@ -41,13 +43,17 @@
 
 /*
  *     Make sure we don't wrap on our memory allocations
+ *     we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ *     + 3 is safety margin
  */
 
 void * _imlib_malloc_image(unsigned int w, unsigned int h)
 {
-       if( w > 32767 || h > 32767)
-               return NULL;
-       return malloc(w * h * 3);
+       if (w <= 0 || w > 32767 ||
+           h <= 0 || h > 32767 ||
+           h >= (G_MAXINT/4 - 1) / w)
+                return NULL;
+       return malloc(w * h * 3 + 3);
 }
 
 #ifdef HAVE_LIBJPEG
@@ -360,7 +366,9 @@
   npix = ww * hh;
   *w = (int)ww;
   *h = (int)hh;
-  if(ww > 32767 || hh > 32767)
+  if (ww <= 0 || ww > 32767 ||
+      hh <= 0 || hh > 32767 ||
+      hh >= (G_MAXINT/sizeof(uint32)) / ww)
     {
        TIFFClose(tif);
        return NULL;
@@ -463,7 +471,7 @@
 	    }
 	  *w = gif->Image.Width;
 	  *h = gif->Image.Height;
-	  if (*h > 32767 || *w > 32767)
+	  if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 	    {
 	       return NULL;
 	    }
@@ -965,7 +973,12 @@
   comment = 0;
   quote = 0;
   context = 0;
+  memset(lookup, 0, sizeof(lookup));
+
   line = malloc(lsz);
+  if (!line)
+    return NULL;
+
   while (!done)
     {
       pc = c;
@@ -994,25 +1007,25 @@
 		{
 		  /* Header */
 		  sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
-                  if (ncolors > 32766)
+                  if (ncolors <= 0 || ncolors > 32766)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (cpp > 5)
+		  if (cpp <= 0 || cpp > 5)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*w > 32767)
+		  if (*w <= 0 || *w > 32767)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*h > 32767)
+		  if (*h <= 0 || *h > 32767)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 		      free(line);
@@ -1045,11 +1058,13 @@
 		    {
 		      int                 slen;
 		      int                 hascolor, iscolor;
+		      int                 space;
 
 		      iscolor = 0;
 		      hascolor = 0;
 		      tok[0] = 0;
 		      col[0] = 0;
+		      space = sizeof(col) - 1;
 		      s[0] = 0;
 		      len = strlen(line);
 		      strncpy(cmap[j].str, line, cpp);
@@ -1072,10 +1087,10 @@
 				{
 				  if (k >= len)
 				    {
-				      if (col[0])
-					strcat(col, " ");
-                                      if (strlen(col) + strlen(s) < sizeof(col))
-					strcat(col, s);
+				      if (col[0] && space > 0)
+					strcat(col, " "), space -= 1;
+                                      if (slen <= space)
+					strcat(col, s), space -= slen;
 				    }
 				  if (col[0])
 				    {
@@ -1105,14 +1120,17 @@
 					    }
 					}
 				    }
-				  strcpy(tok, s);
+				  if (slen < sizeof(tok));
+				    strcpy(tok, s);
 				  col[0] = 0;
+				  space = sizeof(col) - 1;
 				}
 			      else
 				{
-				  if (col[0])
-				    strcat(col, " ");
-				  strcat(col, s);
+				  if (col[0] && space > 0)
+				    strcat(col, " "), space -=1;
+				  if (slen <= space)
+				    strcat(col, s), space -= slen;
 				}
 			    }
 			}
@@ -1341,12 +1359,12 @@
 	  sscanf(s, "%i %i", w, h);
 	  a = *w;
 	  b = *h;
-	  if (a > 32767)
+	  if (a <= 0 || a > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 	      return NULL;
 	    }
-	  if (b > 32767)
+	  if (b <= 0 || b > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 	      return NULL;
diff -urN imlib-1.9.13.orig/Imlib/utils.c imlib-1.9.13/Imlib/utils.c
--- imlib-1.9.13.orig/Imlib/utils.c	Mon Mar  4 17:45:28 2002
+++ imlib-1.9.13/Imlib/utils.c	Thu Sep 16 17:21:15 2004
@@ -1496,36 +1496,56 @@
   context = 0;
   ptr = NULL;
   end = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   while (!done)
     {
       line = data[count++];
+      if (!line)
+	break;
+      line = strdup(line);
+      if (!line)
+	break;
+      len = strlen(line);
+      for (i = 0; i < len; ++i)
+	{
+	  c = line[i];
+	  if (c < 32)
+	    line[i] = 32;
+	  else if (c > 127)
+	    line[i] = 127;
+	}
+
       if (context == 0)
 	{
 	  /* Header */
 	  sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
-	  if (ncolors > 32766)
+	  if (ncolors <= 0 || ncolors > 32766)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (cpp > 5)
+	  if (cpp <= 0 || cpp > 5)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (w > 32767)
+	  if (w <= 0 || w > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (h > 32767)
+	  if (h <= 0 || h > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1533,6 +1553,7 @@
 	  if (!cmap)
 	    {
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->rgb_width = w;
@@ -1542,6 +1563,7 @@
 	    {
 	      free(cmap);
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->alpha_data = NULL;
@@ -1817,6 +1839,7 @@
 	}
       if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 	done = 1;
+      free(line);
     }
   if (!transp)
     {
diff -urN imlib-1.9.13.orig/gdk_imlib/io-gif.c imlib-1.9.13/gdk_imlib/io-gif.c
--- imlib-1.9.13.orig/gdk_imlib/io-gif.c	Mon Mar  4 17:26:51 2002
+++ imlib-1.9.13/gdk_imlib/io-gif.c	Thu Sep 16 16:11:31 2004
@@ -55,7 +55,7 @@
 	    }
 	  *w = gif->Image.Width;
 	  *h = gif->Image.Height;
-	  if(*h > 32767 || *w > 32767)
+	  if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 	    {
 	      return NULL;
 	    }
diff -urN imlib-1.9.13.orig/gdk_imlib/io-ppm.c imlib-1.9.13/gdk_imlib/io-ppm.c
--- imlib-1.9.13.orig/gdk_imlib/io-ppm.c	Mon Mar  4 17:26:51 2002
+++ imlib-1.9.13/gdk_imlib/io-ppm.c	Thu Sep 16 16:13:13 2004
@@ -53,12 +53,12 @@
 	  sscanf(s, "%i %i", w, h);
 	  a = *w;
 	  b = *h;
-	  if (a > 32767)
+	  if (a <= 0 || a > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
 	      return NULL;
 	    }
-	  if (b > 32767)
+	  if (b <= 0 || b > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
 	      return NULL;
diff -urN imlib-1.9.13.orig/gdk_imlib/io-tiff.c imlib-1.9.13/gdk_imlib/io-tiff.c
--- imlib-1.9.13.orig/gdk_imlib/io-tiff.c	Mon Mar  4 17:26:51 2002
+++ imlib-1.9.13/gdk_imlib/io-tiff.c	Thu Sep 16 16:13:57 2004
@@ -36,7 +36,9 @@
   npix = ww * hh;
   *w = (int)ww;
   *h = (int)hh;
-  if(ww > 32767 || hh > 32767)
+  if (ww <= 0 || ww > 32767 ||
+      hh <= 0 || hh > 32767 ||
+      hh >= (G_MAXINT/sizeof(uint32)) / ww)
     {
       TIFFClose(tif);
       return NULL;
diff -urN imlib-1.9.13.orig/gdk_imlib/io-xpm.c imlib-1.9.13/gdk_imlib/io-xpm.c
--- imlib-1.9.13.orig/gdk_imlib/io-xpm.c	Mon Mar  4 17:26:51 2002
+++ imlib-1.9.13/gdk_imlib/io-xpm.c	Thu Sep 16 17:08:24 2004
@@ -40,8 +40,12 @@
   context = 0;
   i = j = 0;
   cmap = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   line = malloc(lsz);
+  if (!line)
+    return NULL;
+
   while (!done)
     {
       pc = c;
@@ -70,25 +74,25 @@
 		{
 		  /* Header */
 		  sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
-		  if (ncolors > 32766)
+		  if (ncolors <= 0 || ncolors > 32766)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (cpp > 5)
+		  if (cpp <= 0 || cpp > 5)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*w > 32767)
+		  if (*w <= 0 || *w > 32767)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*h > 32767)
+		  if (*h <= 0 || *h > 32767)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
 		      free(line);
@@ -120,11 +124,13 @@
 		    {
 		      int                 slen;
 		      int                 hascolor, iscolor;
+		      int                 space;
 
 		      hascolor = 0;
 		      iscolor = 0;
 		      tok[0] = 0;
 		      col[0] = 0;
+		      space = sizeof(col) - 1;
 		      s[0] = 0;
 		      len = strlen(line);
 		      strncpy(cmap[j].str, line, cpp);
@@ -147,10 +153,10 @@
 				{
 				  if (k >= len)
 				    {
-				      if (col[0])
-					strcat(col, " ");
-				      if (strlen(col) + strlen(s) < sizeof(col))
-					strcat(col, s);
+				      if (col[0] && space > 0)
+					strncat(col, " ", space), space -= 1;
+				      if (slen <= space)
+					strcat(col, s), space -= slen;
 				    }
 				  if (col[0])
 				    {
@@ -180,14 +186,17 @@
 					    }
 					}
 				    }
-				  strcpy(tok, s);
+				  if (slen < sizeof(tok))
+				    strcpy(tok, s);
 				  col[0] = 0;
+				  space = sizeof(col) - 1;
 				}
 			      else
 				{
-				  if (col[0])
-				    strcat(col, " ");
-				  strcat(col, s);
+				  if (col[0] && space > 0)
+				    strcat(col, " "), space -= 1;
+				  if (slen <= space)
+				    strcat(col, s), space -= slen;
 				}
 			    }
 			}
diff -urN imlib-1.9.13.orig/gdk_imlib/misc.c imlib-1.9.13/gdk_imlib/misc.c
--- imlib-1.9.13.orig/gdk_imlib/misc.c	Mon Mar  4 17:26:51 2002
+++ imlib-1.9.13/gdk_imlib/misc.c	Thu Sep 16 16:35:32 2004
@@ -1355,11 +1355,16 @@
 
 /*
  *	Make sure we don't wrap on our memory allocations
+ *	we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
+ *	+ 3 is safety margin
  */
 
 void *_gdk_malloc_image(unsigned int w, unsigned int h)
 {
-	if( w > 32767 || h > 32767)
+	if (w <= 0 || w > 32767 ||
+	    h <= 0 || h > 32767 ||
+	    h >= (G_MAXINT/4 - 1) / w)
 		return NULL;
-	return malloc(w * h * 3);
+	return malloc(w * h * 3 + 3);
 }
+
diff -urN imlib-1.9.13.orig/gdk_imlib/utils.c imlib-1.9.13/gdk_imlib/utils.c
--- imlib-1.9.13.orig/gdk_imlib/utils.c	Mon Mar  4 17:26:51 2002
+++ imlib-1.9.13/gdk_imlib/utils.c	Thu Sep 16 17:28:35 2004
@@ -1236,36 +1236,56 @@
   context = 0;
   ptr = NULL;
   end = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   while (!done)
     {
       line = data[count++];
+      if (!line)
+	break;
+      line = strdup(line);
+      if (!line)
+	break;
+      len = strlen(line);
+      for (i = 0; i < len; ++i)
+        {
+	  c = line[i];
+	  if (c < 32)
+	    line[i] = 32;
+	  else if (c > 127)
+	    line[i] = 127;
+	}
+
       if (context == 0)
 	{
 	  /* Header */
 	  sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
-	  if (ncolors > 32766)
+	  if (ncolors <= 0 || ncolors > 32766)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (cpp > 5)
+	  if (cpp <= 0 || cpp > 5)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (w > 32767)
+	  if (w <= 0 || w > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (h > 32767)
+	  if (h <= 0 || h > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1273,6 +1293,7 @@
 	  if (!cmap)
 	    {
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->rgb_width = w;
@@ -1282,6 +1303,7 @@
 	    {
 	      free(cmap);
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->alpha_data = NULL;
@@ -1355,7 +1377,7 @@
 				  strcpy(col + colptr, " ");
 				  colptr++;
 				}
-			      if (colptr + ls <= sizeof(col))
+			      if (colptr + ls < sizeof(col))
 				{
 				  strcpy(col + colptr, s);
 				  colptr += ls;
@@ -1558,6 +1580,7 @@
 	}
       if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 	done = 1;
+      free(line);
     }
   if (!transp)
     {
Commit	Line	Data
f7679041	1	diff -urN imlib-1.9.13.orig/Imlib/load.c imlib-1.9.13/Imlib/load.c
	2	--- imlib-1.9.13.orig/Imlib/load.c Wed Mar 13 19:06:29 2002
	3	+++ imlib-1.9.13/Imlib/load.c Thu Sep 16 17:21:01 2004
	4	@@ -4,6 +4,8 @@
	5	#include "Imlib_private.h"
	6	#include <setjmp.h>
	7
	8	+#define G_MAXINT ((int) 0x7fffffff)
	9	+
	10	/* Split the ID - damages input */
	11
	12	static char *
	13	@@ -41,13 +43,17 @@
	14
	15	/*
	16	* Make sure we don't wrap on our memory allocations
	17	+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
	18	+ * + 3 is safety margin
	19	*/
	20
	21	void * _imlib_malloc_image(unsigned int w, unsigned int h)
	22	{
	23	- if( w > 32767 \|\| h > 32767)
	24	- return NULL;
	25	- return malloc(w * h * 3);
	26	+ if (w <= 0 \|\| w > 32767 \|\|
	27	+ h <= 0 \|\| h > 32767 \|\|
	28	+ h >= (G_MAXINT/4 - 1) / w)
	29	+ return NULL;
	30	+ return malloc(w * h * 3 + 3);
	31	}
	32
	33	#ifdef HAVE_LIBJPEG
	34	@@ -360,7 +366,9 @@
	35	npix = ww * hh;
	36	*w = (int)ww;
	37	*h = (int)hh;
	38	- if(ww > 32767 \|\| hh > 32767)
	39	+ if (ww <= 0 \|\| ww > 32767 \|\|
	40	+ hh <= 0 \|\| hh > 32767 \|\|
	41	+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
	42	{
	43	TIFFClose(tif);
	44	return NULL;
	45	@@ -463,7 +471,7 @@
	46	}
	47	*w = gif->Image.Width;
	48	*h = gif->Image.Height;
	49	- if (h > 32767 \|\| w > 32767)
	50	+ if (h <= 0 \|\| h > 32767 \|\| w <= 0 \|\| w > 32767)
	51	{
	52	return NULL;
	53	}
	54	@@ -965,7 +973,12 @@
	55	comment = 0;
	56	quote = 0;
	57	context = 0;
	58	+ memset(lookup, 0, sizeof(lookup));
	59	+
	60	line = malloc(lsz);
	61	+ if (!line)
	62	+ return NULL;
	63	+
	64	while (!done)
65	{
66	pc = c;
67	@@ -994,25 +1007,25 @@
68	{
69	/* Header */
70	sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
71	- if (ncolors > 32766)
72	+ if (ncolors <= 0 \|\| ncolors > 32766)
73	{
74	fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
75	free(line);
76	return NULL;
77	}
78	- if (cpp > 5)
79	+ if (cpp <= 0 \|\| cpp > 5)
80	{
81	fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
82	free(line);
83	return NULL;
84	}
85	- if (*w > 32767)
86	+ if (w <= 0 \|\| w > 32767)
87	{
88	fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
89	free(line);
90	return NULL;
91	}
92	- if (*h > 32767)
93	+ if (h <= 0 \|\| h > 32767)
94	{
95	fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
96	free(line);
97	@@ -1045,11 +1058,13 @@
98	{
99	int slen;
100	int hascolor, iscolor;
101	+ int space;
102
103	iscolor = 0;
104	hascolor = 0;
105	tok[0] = 0;
106	col[0] = 0;
107	+ space = sizeof(col) - 1;
108	s[0] = 0;
109	len = strlen(line);
110	strncpy(cmap[j].str, line, cpp);
111	@@ -1072,10 +1087,10 @@
112	{
113	if (k >= len)
114	{
115	- if (col[0])
116	- strcat(col, " ");
117	- if (strlen(col) + strlen(s) < sizeof(col))
118	- strcat(col, s);
119	+ if (col[0] && space > 0)
120	+ strcat(col, " "), space -= 1;
121	+ if (slen <= space)
122	+ strcat(col, s), space -= slen;
123	}
124	if (col[0])
125	{
126	@@ -1105,14 +1120,17 @@
127	}
128	}
129	}
130	- strcpy(tok, s);
131	+ if (slen < sizeof(tok));
132	+ strcpy(tok, s);
133	col[0] = 0;
134	+ space = sizeof(col) - 1;
135	}
136	else
137	{
138	- if (col[0])
139	- strcat(col, " ");
140	- strcat(col, s);
141	+ if (col[0] && space > 0)
142	+ strcat(col, " "), space -=1;
143	+ if (slen <= space)
144	+ strcat(col, s), space -= slen;
145	}
146	}
147	}
148	@@ -1341,12 +1359,12 @@
149	sscanf(s, "%i %i", w, h);
150	a = *w;
151	b = *h;
152	- if (a > 32767)
153	+ if (a <= 0 \|\| a > 32767)
154	{
155	fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
156	return NULL;
157	}
158	- if (b > 32767)
159	+ if (b <= 0 \|\| b > 32767)
160	{
161	fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
162	return NULL;
163	diff -urN imlib-1.9.13.orig/Imlib/utils.c imlib-1.9.13/Imlib/utils.c
164	--- imlib-1.9.13.orig/Imlib/utils.c Mon Mar 4 17:45:28 2002
165	+++ imlib-1.9.13/Imlib/utils.c Thu Sep 16 17:21:15 2004
166	@@ -1496,36 +1496,56 @@
167	context = 0;
168	ptr = NULL;
169	end = NULL;
170	+ memset(lookup, 0, sizeof(lookup));
171
172	while (!done)
173	{
174	line = data[count++];
175	+ if (!line)
176	+ break;
177	+ line = strdup(line);
178	+ if (!line)
179	+ break;
180	+ len = strlen(line);
181	+ for (i = 0; i < len; ++i)
182	+ {
183	+ c = line[i];
184	+ if (c < 32)
185	+ line[i] = 32;
186	+ else if (c > 127)
187	+ line[i] = 127;
188	+ }
189	+
190	if (context == 0)
191	{
192	/* Header */
193	sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
194	- if (ncolors > 32766)
195	+ if (ncolors <= 0 \|\| ncolors > 32766)
196	{
197	fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
198	free(im);
199	+ free(line);
200	return NULL;
201	}
202	- if (cpp > 5)
203	+ if (cpp <= 0 \|\| cpp > 5)
204	{
205	fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
206	free(im);
207	+ free(line);
208	return NULL;
209	}
210	- if (w > 32767)
211	+ if (w <= 0 \|\| w > 32767)
212	{
213	fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
214	free(im);
215	+ free(line);
216	return NULL;
217	}
218	- if (h > 32767)
219	+ if (h <= 0 \|\| h > 32767)
220	{
221	fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
222	free(im);
223	+ free(line);
224	return NULL;
225	}
226	cmap = malloc(sizeof(struct _cmap) * ncolors);
227	@@ -1533,6 +1553,7 @@
228	if (!cmap)
229	{
230	free(im);
231	+ free(line);
232	return NULL;
233	}
234	im->rgb_width = w;
235	@@ -1542,6 +1563,7 @@
236	{
237	free(cmap);
238	free(im);
239	+ free(line);
240	return NULL;
241	}
242	im->alpha_data = NULL;
243	@@ -1817,6 +1839,7 @@
244	}
245	if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
246	done = 1;
247	+ free(line);
248	}
249	if (!transp)
250	{
251	diff -urN imlib-1.9.13.orig/gdk_imlib/io-gif.c imlib-1.9.13/gdk_imlib/io-gif.c
252	--- imlib-1.9.13.orig/gdk_imlib/io-gif.c Mon Mar 4 17:26:51 2002
253	+++ imlib-1.9.13/gdk_imlib/io-gif.c Thu Sep 16 16:11:31 2004
254	@@ -55,7 +55,7 @@
255	}
256	*w = gif->Image.Width;
257	*h = gif->Image.Height;
258	- if(h > 32767 \|\| w > 32767)
259	+ if(h <= 0 \|\| h > 32767 \|\| w <= 0 \|\| w > 32767)
260	{
261	return NULL;
262	}
263	diff -urN imlib-1.9.13.orig/gdk_imlib/io-ppm.c imlib-1.9.13/gdk_imlib/io-ppm.c
264	--- imlib-1.9.13.orig/gdk_imlib/io-ppm.c Mon Mar 4 17:26:51 2002
265	+++ imlib-1.9.13/gdk_imlib/io-ppm.c Thu Sep 16 16:13:13 2004
266	@@ -53,12 +53,12 @@
267	sscanf(s, "%i %i", w, h);
268	a = *w;
269	b = *h;
270	- if (a > 32767)
271	+ if (a <= 0 \|\| a > 32767)
272	{
273	fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
274	return NULL;
275	}
276	- if (b > 32767)
277	+ if (b <= 0 \|\| b > 32767)
278	{
279	fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
280	return NULL;
281	diff -urN imlib-1.9.13.orig/gdk_imlib/io-tiff.c imlib-1.9.13/gdk_imlib/io-tiff.c
282	--- imlib-1.9.13.orig/gdk_imlib/io-tiff.c Mon Mar 4 17:26:51 2002
283	+++ imlib-1.9.13/gdk_imlib/io-tiff.c Thu Sep 16 16:13:57 2004
284	@@ -36,7 +36,9 @@
285	npix = ww * hh;
286	*w = (int)ww;
287	*h = (int)hh;
288	- if(ww > 32767 \|\| hh > 32767)
289	+ if (ww <= 0 \|\| ww > 32767 \|\|
290	+ hh <= 0 \|\| hh > 32767 \|\|
291	+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
292	{
293	TIFFClose(tif);
294	return NULL;
295	diff -urN imlib-1.9.13.orig/gdk_imlib/io-xpm.c imlib-1.9.13/gdk_imlib/io-xpm.c
296	--- imlib-1.9.13.orig/gdk_imlib/io-xpm.c Mon Mar 4 17:26:51 2002
297	+++ imlib-1.9.13/gdk_imlib/io-xpm.c Thu Sep 16 17:08:24 2004
298	@@ -40,8 +40,12 @@
299	context = 0;
300	i = j = 0;
301	cmap = NULL;
302	+ memset(lookup, 0, sizeof(lookup));
303
304	line = malloc(lsz);
305	+ if (!line)
306	+ return NULL;
307	+
308	while (!done)
309	{
310	pc = c;
311	@@ -70,25 +74,25 @@
312	{
313	/* Header */
314	sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
315	- if (ncolors > 32766)
316	+ if (ncolors <= 0 \|\| ncolors > 32766)
317	{
318	fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
319	free(line);
320	return NULL;
321	}
322	- if (cpp > 5)
323	+ if (cpp <= 0 \|\| cpp > 5)
324	{
325	fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
326	free(line);
327	return NULL;
328	}
329	- if (*w > 32767)
330	+ if (w <= 0 \|\| w > 32767)
331	{
332	fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
333	free(line);
334	return NULL;
335	}
336	- if (*h > 32767)
337	+ if (h <= 0 \|\| h > 32767)
338	{
339	fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
340	free(line);
341	@@ -120,11 +124,13 @@
342	{
343	int slen;
344	int hascolor, iscolor;
345	+ int space;
346
347	hascolor = 0;
348	iscolor = 0;
349	tok[0] = 0;
350	col[0] = 0;
351	+ space = sizeof(col) - 1;
352	s[0] = 0;
353	len = strlen(line);
354	strncpy(cmap[j].str, line, cpp);
355	@@ -147,10 +153,10 @@
356	{
357	if (k >= len)
358	{
359	- if (col[0])
360	- strcat(col, " ");
361	- if (strlen(col) + strlen(s) < sizeof(col))
362	- strcat(col, s);
363	+ if (col[0] && space > 0)
364	+ strncat(col, " ", space), space -= 1;
365	+ if (slen <= space)
366	+ strcat(col, s), space -= slen;
367	}
368	if (col[0])
369	{
370	@@ -180,14 +186,17 @@
371	}
372	}
373	}
374	- strcpy(tok, s);
375	+ if (slen < sizeof(tok))
376	+ strcpy(tok, s);
377	col[0] = 0;
378	+ space = sizeof(col) - 1;
379	}
380	else
381	{
382	- if (col[0])
383	- strcat(col, " ");
384	- strcat(col, s);
385	+ if (col[0] && space > 0)
386	+ strcat(col, " "), space -= 1;
387	+ if (slen <= space)
388	+ strcat(col, s), space -= slen;
389	}
390	}
391	}
392	diff -urN imlib-1.9.13.orig/gdk_imlib/misc.c imlib-1.9.13/gdk_imlib/misc.c
393	--- imlib-1.9.13.orig/gdk_imlib/misc.c Mon Mar 4 17:26:51 2002
394	+++ imlib-1.9.13/gdk_imlib/misc.c Thu Sep 16 16:35:32 2004
395	@@ -1355,11 +1355,16 @@
396
397	/*
398	* Make sure we don't wrap on our memory allocations
399	+ * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
400	+ * + 3 is safety margin
401	*/
402
403	void *_gdk_malloc_image(unsigned int w, unsigned int h)
404	{
405	- if( w > 32767 \|\| h > 32767)
406	+ if (w <= 0 \|\| w > 32767 \|\|
407	+ h <= 0 \|\| h > 32767 \|\|
408	+ h >= (G_MAXINT/4 - 1) / w)
409	return NULL;
410	- return malloc(w * h * 3);
411	+ return malloc(w * h * 3 + 3);
412	}
413	+
414	diff -urN imlib-1.9.13.orig/gdk_imlib/utils.c imlib-1.9.13/gdk_imlib/utils.c
415	--- imlib-1.9.13.orig/gdk_imlib/utils.c Mon Mar 4 17:26:51 2002
416	+++ imlib-1.9.13/gdk_imlib/utils.c Thu Sep 16 17:28:35 2004
417	@@ -1236,36 +1236,56 @@
418	context = 0;
419	ptr = NULL;
420	end = NULL;
421	+ memset(lookup, 0, sizeof(lookup));
422
423	while (!done)
424	{
425	line = data[count++];
426	+ if (!line)
427	+ break;
428	+ line = strdup(line);
429	+ if (!line)
430	+ break;
431	+ len = strlen(line);
432	+ for (i = 0; i < len; ++i)
433	+ {
434	+ c = line[i];
435	+ if (c < 32)
436	+ line[i] = 32;
437	+ else if (c > 127)
438	+ line[i] = 127;
439	+ }
440	+
441	if (context == 0)
442	{
443	/* Header */
444	sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
445	- if (ncolors > 32766)
446	+ if (ncolors <= 0 \|\| ncolors > 32766)
447	{
448	fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
449	free(im);
450	+ free(line);
451	return NULL;
452	}
453	- if (cpp > 5)
454	+ if (cpp <= 0 \|\| cpp > 5)
455	{
456	fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
457	free(im);
458	+ free(line);
459	return NULL;
460	}
461	- if (w > 32767)
462	+ if (w <= 0 \|\| w > 32767)
463	{
464	fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
465	free(im);
466	+ free(line);
467	return NULL;
468	}
469	- if (h > 32767)
470	+ if (h <= 0 \|\| h > 32767)
471	{
472	fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
473	free(im);
474	+ free(line);
475	return NULL;
476	}
477	cmap = malloc(sizeof(struct _cmap) * ncolors);
478	@@ -1273,6 +1293,7 @@
479	if (!cmap)
480	{
481	free(im);
482	+ free(line);
483	return NULL;
484	}
485	im->rgb_width = w;
486	@@ -1282,6 +1303,7 @@
487	{
488	free(cmap);
489	free(im);
490	+ free(line);
491	return NULL;
492	}
493	im->alpha_data = NULL;
494	@@ -1355,7 +1377,7 @@
495	strcpy(col + colptr, " ");
496	colptr++;
497	}
498	- if (colptr + ls <= sizeof(col))
499	+ if (colptr + ls < sizeof(col))
500	{
501	strcpy(col + colptr, s);
502	colptr += ls;
503	@@ -1558,6 +1580,7 @@
504	}
505	if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
506	done = 1;
507	+ free(line);
508	}
509	if (!transp)
510	{