From 55218f462e6656578e7d2335d1f625e1e4a9a3ab Mon Sep 17 00:00:00 2001 From: Dejan Lesjak Date: Sun, 31 Oct 2004 22:44:23 +0000 Subject: Grab changes to Xpm security patch from x11/xorg-libraries: Using SIZE_MAX instead of [U]INT_MAX in several tests would result in the tests being useless on 64-bit machines. Submitted by: nectar Obtained from: Matthieu Herrb (matthieu herrb at laas fr) by nectar --- x11/XFree86-4-libraries/Makefile | 2 +- x11/XFree86-4-libraries/files/patch-xpm-sec | 521 +++++++++++++++++++++ x11/XFree86-4-libraries/files/patch-xpm-sec.patch4 | 498 -------------------- 3 files changed, 522 insertions(+), 499 deletions(-) create mode 100644 x11/XFree86-4-libraries/files/patch-xpm-sec delete mode 100644 x11/XFree86-4-libraries/files/patch-xpm-sec.patch4 (limited to 'x11/XFree86-4-libraries') diff --git a/x11/XFree86-4-libraries/Makefile b/x11/XFree86-4-libraries/Makefile index 2e40f960f089..b24dc49fa715 100644 --- a/x11/XFree86-4-libraries/Makefile +++ b/x11/XFree86-4-libraries/Makefile @@ -7,7 +7,7 @@ PORTNAME= libraries PORTVERSION= 4.4.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= x11 MASTER_SITES= ${MASTER_SITE_XFREE:S/$/:x/} \ ${MASTER_SITE_LOCAL:S/$/:local/} diff --git a/x11/XFree86-4-libraries/files/patch-xpm-sec b/x11/XFree86-4-libraries/files/patch-xpm-sec new file mode 100644 index 000000000000..347ab0563d6e --- /dev/null +++ b/x11/XFree86-4-libraries/files/patch-xpm-sec 
@@ -0,0 +1,521 @@ +Index: extras/Xpm/lib/Attrib.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/Attrib.c,v +retrieving revision 1.1 +diff -u -r1.1 Attrib.c +--- extras/Xpm/lib/Attrib.c 14 Nov 2003 16:48:24 -0000 1.1 ++++ extras/Xpm/lib/Attrib.c 31 Oct 2004 20:12:38 -0000 +@@ -35,7 +35,7 @@ + #include "XpmI.h" + + /* 3.2 backward compatibility code */ +-LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors, ++LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, + XpmColor ***oldct)); + + LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); +@@ -46,12 +46,15 @@ + static int + CreateOldColorTable(ct, ncolors, oldct) + XpmColor *ct; +- int ncolors; ++ unsigned int ncolors; + XpmColor ***oldct; + { + XpmColor **colorTable, **color; + int a; + ++ if (ncolors >= UINT_MAX / sizeof(XpmColor *)) ++ return XpmNoMemory; ++ + colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); + if (!colorTable) { + *oldct = NULL; +Index: extras/Xpm/lib/CrDatFrI.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/CrDatFrI.c,v +retrieving revision 1.1.10.1 +diff -u -r1.1.10.1 CrDatFrI.c +--- extras/Xpm/lib/CrDatFrI.c 4 Mar 2004 17:46:10 -0000 1.1.10.1 ++++ extras/Xpm/lib/CrDatFrI.c 31 Oct 2004 20:12:38 -0000 +@@ -124,6 +124,8 @@ + */ + header_nlines = 1 + image->ncolors; + header_size = sizeof(char *) * header_nlines; ++ if (header_size >= UINT_MAX / sizeof(char *)) ++ return (XpmNoMemory); + header = (char **) XpmCalloc(header_size, sizeof(char *)); + if (!header) + return (XpmNoMemory); +Index: extras/Xpm/lib/WrFFrI.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/WrFFrI.c,v +retrieving revision 1.1.10.1 +diff -u -r1.1.10.1 WrFFrI.c +--- extras/Xpm/lib/WrFFrI.c 4 Mar 2004 17:46:10 -0000 1.1.10.1 ++++ extras/Xpm/lib/WrFFrI.c 31 Oct 2004 20:12:26 -0000 +@@ -248,6 
+248,8 @@ + unsigned int x, y, h; + + h = height - 1; ++ if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) ++ return XpmNoMemory; + p = buf = (char *) XpmMalloc(width * cpp + 3); + if (!buf) + return (XpmNoMemory); +Index: extras/Xpm/lib/XpmI.h +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/XpmI.h,v +retrieving revision 1.1.4.1.6.1 +diff -u -r1.1.4.1.6.1 XpmI.h +--- extras/Xpm/lib/XpmI.h 4 Mar 2004 17:46:10 -0000 1.1.4.1.6.1 ++++ extras/Xpm/lib/XpmI.h 31 Oct 2004 20:12:26 -0000 +@@ -86,6 +86,18 @@ + boundCheckingCalloc((long)(nelem),(long) (elsize)) + #endif + ++#if defined(SCO) || defined(__USLC__) ++#include /* For SIZE_MAX */ ++#endif ++#include ++#ifndef SIZE_MAX ++# ifdef ULONG_MAX ++# define SIZE_MAX ULONG_MAX ++# else ++# define SIZE_MAX UINT_MAX ++# endif ++#endif ++ + #define XPMMAXCMTLEN BUFSIZ + typedef struct { + unsigned int type; +@@ -187,9 +199,9 @@ + } *xpmHashAtom; + + typedef struct { +- int size; +- int limit; +- int used; ++ unsigned int size; ++ unsigned int limit; ++ unsigned int used; + xpmHashAtom *atomTable; + } xpmHashTable; + +Index: extras/Xpm/lib/create.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/create.c,v +retrieving revision 1.1.4.1.6.1 +diff -u -r1.1.4.1.6.1 create.c +--- extras/Xpm/lib/create.c 4 Mar 2004 17:46:10 -0000 1.1.4.1.6.1 ++++ extras/Xpm/lib/create.c 31 Oct 2004 20:12:38 -0000 +@@ -1,3 +1,4 @@ ++/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */ + /* + * Copyright (C) 1989-95 GROUPE BULL + * +@@ -816,6 +817,9 @@ + + ErrorStatus = XpmSuccess; + ++ if (image->ncolors >= UINT_MAX / sizeof(Pixel)) ++ return (XpmNoMemory); ++ + /* malloc pixels index tables */ + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); + if (!image_pixels) +@@ -988,6 +992,10 @@ + return (XpmNoMemory); + + #if !defined(FOR_MSW) && !defined(AMIGA) ++ if (height != 0 && 
(*image_return)->bytes_per_line >= SIZE_MAX / height) { ++ XDestroyImage(*image_return); ++ return XpmNoMemory; ++ } + /* now that bytes_per_line must have been set properly alloc data */ + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); +@@ -2055,6 +2063,9 @@ + xpmGetCmt(data, &colors_cmt); + + /* malloc pixels index tables */ ++ if (ncolors >= UINT_MAX / sizeof(Pixel)) ++ RETURN(XpmNoMemory); ++ + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); + if (!image_pixels) + RETURN(XpmNoMemory); +@@ -2309,7 +2320,8 @@ + } + obm = SelectObject(*dc, image->bitmap); + #endif +- ++ if (ncolors > 256) ++ return (XpmFileInvalid); + + bzero((char *)colidx, 256 * sizeof(short)); + for (a = 0; a < ncolors; a++) +@@ -2356,7 +2368,7 @@ + + /* array of pointers malloced by need */ + unsigned short *cidx[256]; +- int char1; ++ unsigned int char1; + + bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ + for (a = 0; a < ncolors; a++) { +@@ -2415,6 +2427,9 @@ + char *s; + char buf[BUFSIZ]; + ++ if (cpp >= sizeof(buf)) ++ return (XpmFileInvalid); ++ + buf[cpp] = '\0'; + if (USE_HASHTABLE) { + xpmHashAtom *slot; +Index: extras/Xpm/lib/data.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/data.c,v +retrieving revision 1.1.10.1 +diff -u -r1.1.10.1 data.c +--- extras/Xpm/lib/data.c 4 Mar 2004 17:46:10 -0000 1.1.10.1 ++++ extras/Xpm/lib/data.c 31 Oct 2004 20:12:26 -0000 +@@ -375,7 +375,7 @@ + { + if (!data->type) + *cmt = NULL; +- else if (data->CommentLength) { ++ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) { + *cmt = (char *) XpmMalloc(data->CommentLength + 1); + strncpy(*cmt, data->Comment, data->CommentLength); + (*cmt)[data->CommentLength] = '\0'; +Index: extras/Xpm/lib/hashtab.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/hashtab.c,v +retrieving revision 1.1 +diff -u 
-r1.1 hashtab.c +--- extras/Xpm/lib/hashtab.c 14 Nov 2003 16:48:24 -0000 1.1 ++++ extras/Xpm/lib/hashtab.c 31 Oct 2004 20:12:38 -0000 +@@ -135,15 +135,17 @@ + xpmHashTable *table; + { + xpmHashAtom *atomTable = table->atomTable; +- int size = table->size; ++ unsigned int size = table->size; + xpmHashAtom *t, *p; + int i; +- int oldSize = size; ++ unsigned int oldSize = size; + + t = atomTable; + HASH_TABLE_GROWS + table->size = size; + table->limit = size / 3; ++ if (size >= UINT_MAX / sizeof(*atomTable)) ++ return (XpmNoMemory); + atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); + if (!atomTable) + return (XpmNoMemory); +@@ -204,6 +206,8 @@ + table->size = INITIAL_HASH_SIZE; + table->limit = table->size / 3; + table->used = 0; ++ if (table->size >= UINT_MAX / sizeof(*atomTable)) ++ return (XpmNoMemory); + atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); + if (!atomTable) + return (XpmNoMemory); +Index: extras/Xpm/lib/parse.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/parse.c,v +retrieving revision 1.1.10.1 +diff -u -r1.1.10.1 parse.c +--- extras/Xpm/lib/parse.c 4 Mar 2004 17:46:10 -0000 1.1.10.1 ++++ extras/Xpm/lib/parse.c 31 Oct 2004 20:12:38 -0000 +@@ -1,3 +1,4 @@ ++/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */ + /* + * Copyright (C) 1989-95 GROUPE BULL + * +@@ -44,6 +45,24 @@ + #include + #include + ++#ifdef HAS_STRLCAT ++# define STRLCAT(dst, src, dstsize) { \ ++ if (strlcat(dst, src, dstsize) >= (dstsize)) \ ++ return (XpmFileInvalid); } ++# define STRLCPY(dst, src, dstsize) { \ ++ if (strlcpy(dst, src, dstsize) >= (dstsize)) \ ++ return (XpmFileInvalid); } ++#else ++# define STRLCAT(dst, src, dstsize) { \ ++ if ((strlen(dst) + strlen(src)) < (dstsize)) \ ++ strcat(dst, src); \ ++ else return (XpmFileInvalid); } ++# define STRLCPY(dst, src, dstsize) { \ ++ if (strlen(src) < (dstsize)) \ ++ strcpy(dst, src); \ ++ else return 
(XpmFileInvalid); } ++#endif ++ + LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, + unsigned int height, unsigned int ncolors, + unsigned int cpp, XpmColor *colorTable, +@@ -66,7 +85,7 @@ + unsigned int *extensions; + { + unsigned int l; +- char buf[BUFSIZ]; ++ char buf[BUFSIZ + 1]; + + if (!data->format) { /* XPM 2 or 3 */ + +@@ -175,10 +194,10 @@ + XpmColor **colorTablePtr; + xpmHashTable *hashtable; + { +- unsigned int key = 0, l, a, b; ++ unsigned int key = 0, l, a, b, len; + unsigned int curkey; /* current color key */ + unsigned int lastwaskey; /* key read */ +- char buf[BUFSIZ]; ++ char buf[BUFSIZ+1]; + char curbuf[BUFSIZ]; /* current buffer */ + char **sptr, *s; + XpmColor *color; +@@ -186,6 +205,8 @@ + char **defaults; + int ErrorStatus; + ++ if (ncolors >= UINT_MAX / sizeof(XpmColor)) ++ return (XpmNoMemory); + colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); + if (!colorTable) + return (XpmNoMemory); +@@ -197,6 +218,10 @@ + /* + * read pixel value + */ ++ if (cpp >= UINT_MAX - 1) { ++ xpmFreeColorTable(colorTable, ncolors); ++ return (XpmNoMemory); ++ } + color->string = (char *) XpmMalloc(cpp + 1); + if (!color->string) { + xpmFreeColorTable(colorTable, ncolors); +@@ -234,13 +259,14 @@ + } + if (!lastwaskey && key < NKEYS) { /* open new key */ + if (curkey) { /* flush string */ +- s = (char *) XpmMalloc(strlen(curbuf) + 1); ++ len = strlen(curbuf) + 1; ++ s = (char *) XpmMalloc(len); + if (!s) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } + defaults[curkey] = s; +- strcpy(s, curbuf); ++ memcpy(s, curbuf, len); + } + curkey = key + 1; /* set new key */ + *curbuf = '\0'; /* reset curbuf */ +@@ -251,9 +277,9 @@ + return (XpmFileInvalid); + } + if (!lastwaskey) +- strcat(curbuf, " "); /* append space */ ++ STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ + buf[l] = '\0'; +- strcat(curbuf, buf);/* append buf */ ++ STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */ + lastwaskey = 0; + } + } +@@ 
-261,12 +287,13 @@ + xpmFreeColorTable(colorTable, ncolors); + return (XpmFileInvalid); + } +- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1); ++ len = strlen(curbuf) + 1; ++ s = defaults[curkey] = (char *) XpmMalloc(len); + if (!s) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } +- strcpy(s, curbuf); ++ memcpy(s, curbuf, len); + } + } else { /* XPM 1 */ + /* get to the beginning of the first string */ +@@ -279,6 +306,10 @@ + /* + * read pixel value + */ ++ if (cpp >= UINT_MAX - 1) { ++ xpmFreeColorTable(colorTable, ncolors); ++ return (XpmNoMemory); ++ } + color->string = (char *) XpmMalloc(cpp + 1); + if (!color->string) { + xpmFreeColorTable(colorTable, ncolors); +@@ -307,16 +338,17 @@ + *curbuf = '\0'; /* init curbuf */ + while ((l = xpmNextWord(data, buf, BUFSIZ))) { + if (*curbuf != '\0') +- strcat(curbuf, " ");/* append space */ ++ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */ + buf[l] = '\0'; +- strcat(curbuf, buf); /* append buf */ ++ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ + } +- s = (char *) XpmMalloc(strlen(curbuf) + 1); ++ len = strlen(curbuf) + 1; ++ s = (char *) XpmMalloc(len); + if (!s) { + xpmFreeColorTable(colorTable, ncolors); + return (XpmNoMemory); + } +- strcpy(s, curbuf); ++ memcpy(s, curbuf, len); + color->c_color = s; + *curbuf = '\0'; /* reset curbuf */ + if (a < ncolors - 1) +@@ -341,6 +373,9 @@ + unsigned int *iptr, *iptr2; + unsigned int a, x, y; + ++ if ((height > 0 && width >= SIZE_MAX / height) || ++ width * height >= UINT_MAX / sizeof(unsigned int)) ++ return XpmNoMemory; + #ifndef FOR_MSW + iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); + #else +@@ -364,6 +399,9 @@ + { + unsigned short colidx[256]; + ++ if (ncolors > 256) ++ return (XpmFileInvalid); ++ + bzero((char *)colidx, 256 * sizeof(short)); + for (a = 0; a < ncolors; a++) + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; +@@ -394,7 +432,7 @@ + + /* array of pointers malloced 
by need */ + unsigned short *cidx[256]; +- int char1; ++ unsigned int char1; + + bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ + for (a = 0; a < ncolors; a++) { +@@ -442,6 +480,9 @@ + char *s; + char buf[BUFSIZ]; + ++ if (cpp >= sizeof(buf)) ++ return (XpmFileInvalid); ++ + buf[cpp] = '\0'; + if (USE_HASHTABLE) { + xpmHashAtom *slot; +Index: extras/Xpm/lib/scan.c +=================================================================== +RCS file: /cvs/xorg/xc/extras/Xpm/lib/scan.c,v +retrieving revision 1.1.10.1 +diff -u -r1.1.10.1 scan.c +--- extras/Xpm/lib/scan.c 4 Mar 2004 17:46:10 -0000 1.1.10.1 ++++ extras/Xpm/lib/scan.c 31 Oct 2004 20:12:38 -0000 +@@ -107,7 +107,8 @@ + LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, + XpmAttributes *attributes)); + +-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, ++LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, ++ unsigned int ncolors, + Pixel *pixels, unsigned int mask, + unsigned int cpp, XpmAttributes *attributes)); + +@@ -232,11 +233,17 @@ + else + cpp = 0; + ++ if ((height > 0 && width >= SIZE_MAX / height) || ++ width * height >= UINT_MAX / sizeof(unsigned int)) ++ RETURN(XpmNoMemory); + pmap.pixelindex = + (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); + if (!pmap.pixelindex) + RETURN(XpmNoMemory); + ++ if (pmap.size >= UINT_MAX / sizeof(Pixel)) ++ RETURN(XpmNoMemory); ++ + pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); + if (!pmap.pixels) + RETURN(XpmNoMemory); +@@ -301,7 +308,8 @@ + * get rgb values and a string of char, and possibly a name for each + * color + */ +- ++ if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor)) ++ RETURN(XpmNoMemory); + colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); + if (!colorTable) + RETURN(XpmNoMemory); +@@ -360,6 +368,8 @@ + + /* first get a character string */ + a = 0; ++ if (cpp >= UINT_MAX - 1) ++ return (XpmNoMemory); + if (!(s = color->string = 
(char *) XpmMalloc(cpp + 1))) + return (XpmNoMemory); + *s++ = printable[c = a % MAXPRINTABLE]; +@@ -407,7 +417,7 @@ + ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) + Display *display; + XpmColor *colors; +- int ncolors; ++ unsigned int ncolors; + Pixel *pixels; + unsigned int mask; + unsigned int cpp; +@@ -451,6 +461,8 @@ + } + + /* first get character strings and rgb values */ ++ if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1) ++ return (XpmNoMemory); + xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors); + if (!xcolors) + return (XpmNoMemory); +Index: lib/Xpm/Imakefile +=================================================================== +RCS file: /cvs/xorg/xc/lib/Xpm/Imakefile,v +retrieving revision 1.1.10.1 +diff -u -r1.1.10.1 Imakefile +--- lib/Xpm/Imakefile 4 Mar 2004 17:46:58 -0000 1.1.10.1 ++++ lib/Xpm/Imakefile 31 Oct 2004 20:12:26 -0000 +@@ -42,11 +42,16 @@ + SPRINTFDEF = -DVOID_SPRINTF + #endif + ++#if HasStrlcat ++STRLCATDEF = -DHAS_STRLCAT ++#endif ++ + #if defined(Win32Architecture) + ZPIPEDEF = -DNO_ZPIPE + #endif + +-DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(ZPIPEDEF) $(ZFILEDEF) ++DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(STRLCATDEF) \ ++ $(ZPIPEDEF) $(ZFILEDEF) + + HEADERS = xpm.h + diff --git a/x11/XFree86-4-libraries/files/patch-xpm-sec.patch4 b/x11/XFree86-4-libraries/files/patch-xpm-sec.patch4 deleted file mode 100644 index 7590d1a856ac..000000000000 --- a/x11/XFree86-4-libraries/files/patch-xpm-sec.patch4 +++ /dev/null 
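Review bot: Some of the guards added by patch-xpm-sec still compare against SIZE_MAX while the product they protect appears to be computed in `unsigned int`, which is the 64-bit weakness the commit message sets out to remove. In scan.c, `width >= SIZE_MAX / height` precedes `XpmCalloc(width * height, sizeof(unsigned int))`, and in WrFFrI.c `width >= (SIZE_MAX - 3)/cpp` precedes `XpmMalloc(width * cpp + 3)`. Assuming these operands are `unsigned int`, as in the ParsePixels prototype shown in parse.c (their declarations are outside the hunks; parse.c carries the same first clause), neither test can be true on LP64 and the product can wrap to an undersized allocation. The bounds should use UINT_MAX there: `(height > 0 && width >= UINT_MAX / height)` and `width >= (UINT_MAX - 3)/cpp`. In CrDatFrI.c the new test inspects `header_size` only after `sizeof(char *) * header_nlines` has been evaluated, so it would be safer to bound the count before multiplying, e.g. `if (image->ncolors >= UINT_MAX / sizeof(char *)) return (XpmNoMemory);`.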
@@ -1,498 +0,0 @@ -Index: xc/extras/Xpm/lib/Attrib.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/Attrib.c,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 Attrib.c ---- extras/Xpm/lib/Attrib.c 15 Feb 2001 07:59:10 -0000 1.1.1.1 -+++ extras/Xpm/lib/Attrib.c 31 Aug 2004 23:28:59 -0000 -@@ -35,7 +35,7 @@ - #include "XpmI.h" - - /* 3.2 backward compatibility code */ --LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors, -+LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors, - XpmColor ***oldct)); - - LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors)); -@@ -46,11 +46,14 @@ - static int - CreateOldColorTable(ct, ncolors, oldct) - XpmColor *ct; -- int ncolors; -+ unsigned int ncolors; - XpmColor ***oldct; - { - XpmColor **colorTable, **color; - int a; -+ -+ if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) -+ return XpmNoMemory; - - colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *)); - if (!colorTable) { -Index: xc/extras/Xpm/lib/CrDatFrI.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/CrDatFrI.c,v -retrieving revision 1.1.1.2 -diff -u -r1.1.1.2 CrDatFrI.c ---- extras/Xpm/lib/CrDatFrI.c 19 Jan 2002 11:08:43 -0000 1.1.1.2 -+++ extras/Xpm/lib/CrDatFrI.c 31 Aug 2004 23:28:59 -0000 -@@ -124,6 +124,8 @@ - */ - header_nlines = 1 + image->ncolors; - header_size = sizeof(char *) * header_nlines; -+ if (header_size >= SIZE_MAX / sizeof(char *)) -+ return (XpmNoMemory); - header = (char **) XpmCalloc(header_size, sizeof(char *)); - if (!header) - return (XpmNoMemory); -Index: xc/extras/Xpm/lib/WrFFrI.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/WrFFrI.c,v -retrieving revision 1.1.1.2 -diff -u -r1.1.1.2 WrFFrI.c ---- extras/Xpm/lib/WrFFrI.c 19 Jan 2002 11:08:43 -0000 1.1.1.2 -+++ extras/Xpm/lib/WrFFrI.c 31 Aug 2004 
23:28:59 -0000 -@@ -248,6 +248,8 @@ - unsigned int x, y, h; - - h = height - 1; -+ if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) -+ return XpmNoMemory; - p = buf = (char *) XpmMalloc(width * cpp + 3); - if (!buf) - return (XpmNoMemory); -Index: xc/extras/Xpm/lib/XpmI.h -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/XpmI.h,v -retrieving revision 1.6 -diff -u -r1.6 XpmI.h ---- extras/Xpm/lib/XpmI.h 13 Feb 2004 22:40:56 -0000 1.6 -+++ extras/Xpm/lib/XpmI.h 31 Aug 2004 23:28:59 -0000 -@@ -86,6 +86,18 @@ - boundCheckingCalloc((long)(nelem),(long) (elsize)) - #endif - -+#if defined(SCO) || defined(__USLC__) -+#include /* For SIZE_MAX */ -+#endif -+#include -+#ifndef SIZE_MAX -+# ifdef ULONG_MAX -+# define SIZE_MAX ULONG_MAX -+# else -+# define SIZE_MAX UINT_MAX -+# endif -+#endif -+ - #define XPMMAXCMTLEN BUFSIZ - typedef struct { - unsigned int type; -@@ -187,9 +199,9 @@ - } *xpmHashAtom; - - typedef struct { -- int size; -- int limit; -- int used; -+ unsigned int size; -+ unsigned int limit; -+ unsigned int used; - xpmHashAtom *atomTable; - } xpmHashTable; - -Index: xc/extras/Xpm/lib/create.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/create.c,v -retrieving revision 1.3 -diff -u -r1.3 create.c ---- extras/Xpm/lib/create.c 13 Feb 2004 22:40:56 -0000 1.3 -+++ extras/Xpm/lib/create.c 31 Aug 2004 23:28:59 -0000 -@@ -1,3 +1,4 @@ -+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */ - /* - * Copyright (C) 1989-95 GROUPE BULL - * -@@ -816,6 +817,9 @@ - - ErrorStatus = XpmSuccess; - -+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) -+ return (XpmNoMemory); -+ - /* malloc pixels index tables */ - image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); - if (!image_pixels) -@@ -988,6 +992,8 @@ - return (XpmNoMemory); - - #if !defined(FOR_MSW) && !defined(AMIGA) -+ if (height != 0 && 
(*image_return)->bytes_per_line >= SIZE_MAX / height) -+ return XpmNoMemory; - /* now that bytes_per_line must have been set properly alloc data */ - (*image_return)->data = - (char *) XpmMalloc((*image_return)->bytes_per_line * height); -@@ -2055,6 +2061,9 @@ - xpmGetCmt(data, &colors_cmt); - - /* malloc pixels index tables */ -+ if (ncolors >= SIZE_MAX / sizeof(Pixel)) -+ return XpmNoMemory; -+ - image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); - if (!image_pixels) - RETURN(XpmNoMemory); -@@ -2309,7 +2318,8 @@ - } - obm = SelectObject(*dc, image->bitmap); - #endif -- -+ if (ncolors > 256) -+ return (XpmFileInvalid); - - bzero((char *)colidx, 256 * sizeof(short)); - for (a = 0; a < ncolors; a++) -@@ -2414,6 +2424,9 @@ - { - char *s; - char buf[BUFSIZ]; -+ -+ if (cpp >= sizeof(buf)) -+ return (XpmFileInvalid); - - buf[cpp] = '\0'; - if (USE_HASHTABLE) { -Index: xc/extras/Xpm/lib/data.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/data.c,v -retrieving revision 1.1.1.2 -diff -u -r1.1.1.2 data.c ---- extras/Xpm/lib/data.c 19 Jan 2002 11:08:44 -0000 1.1.1.2 -+++ extras/Xpm/lib/data.c 31 Aug 2004 23:28:59 -0000 -@@ -375,7 +375,7 @@ - { - if (!data->type) - *cmt = NULL; -- else if (data->CommentLength) { -+ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) { - *cmt = (char *) XpmMalloc(data->CommentLength + 1); - strncpy(*cmt, data->Comment, data->CommentLength); - (*cmt)[data->CommentLength] = '\0'; -Index: xc/extras/Xpm/lib/hashtab.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/hashtab.c,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 hashtab.c ---- extras/Xpm/lib/hashtab.c 15 Feb 2001 07:59:10 -0000 1.1.1.1 -+++ extras/Xpm/lib/hashtab.c 31 Aug 2004 23:28:59 -0000 -@@ -135,7 +135,7 @@ - xpmHashTable *table; - { - xpmHashAtom *atomTable = table->atomTable; -- int size = table->size; -+ unsigned 
int size = table->size; - xpmHashAtom *t, *p; - int i; - int oldSize = size; -@@ -144,6 +144,8 @@ - HASH_TABLE_GROWS - table->size = size; - table->limit = size / 3; -+ if (size >= SIZE_MAX / sizeof(*atomTable)) -+ return (XpmNoMemory); - atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable)); - if (!atomTable) - return (XpmNoMemory); -@@ -204,6 +206,8 @@ - table->size = INITIAL_HASH_SIZE; - table->limit = table->size / 3; - table->used = 0; -+ if (table->size >= SIZE_MAX / sizeof(*atomTable)) -+ return (XpmNoMemory); - atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable)); - if (!atomTable) - return (XpmNoMemory); -Index: xc/extras/Xpm/lib/parse.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/parse.c,v -retrieving revision 1.1.1.2 -diff -u -r1.1.1.2 parse.c ---- extras/Xpm/lib/parse.c 19 Jan 2002 11:08:44 -0000 1.1.1.2 -+++ extras/Xpm/lib/parse.c 31 Aug 2004 23:28:59 -0000 -@@ -1,3 +1,4 @@ -+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */ - /* - * Copyright (C) 1989-95 GROUPE BULL - * -@@ -44,6 +45,24 @@ - #include - #include - -+#ifdef HAS_STRLCAT -+# define STRLCAT(dst, src, dstsize) { \ -+ if (strlcat(dst, src, dstsize) >= (dstsize)) \ -+ return (XpmFileInvalid); } -+# define STRLCPY(dst, src, dstsize) { \ -+ if (strlcpy(dst, src, dstsize) >= (dstsize)) \ -+ return (XpmFileInvalid); } -+#else -+# define STRLCAT(dst, src, dstsize) { \ -+ if ((strlen(dst) + strlen(src)) < (dstsize)) \ -+ strcat(dst, src); \ -+ else return (XpmFileInvalid); } -+# define STRLCPY(dst, src, dstsize) { \ -+ if (strlen(src) < (dstsize)) \ -+ strcpy(dst, src); \ -+ else return (XpmFileInvalid); } -+#endif -+ - LFUNC(ParsePixels, int, (xpmData *data, unsigned int width, - unsigned int height, unsigned int ncolors, - unsigned int cpp, XpmColor *colorTable, -@@ -66,7 +85,7 @@ - unsigned int *extensions; - { - unsigned int l; -- char buf[BUFSIZ]; -+ char buf[BUFSIZ + 1]; 
- - if (!data->format) { /* XPM 2 or 3 */ - -@@ -175,10 +194,10 @@ - XpmColor **colorTablePtr; - xpmHashTable *hashtable; - { -- unsigned int key = 0, l, a, b; -+ unsigned int key = 0, l, a, b, len; - unsigned int curkey; /* current color key */ - unsigned int lastwaskey; /* key read */ -- char buf[BUFSIZ]; -+ char buf[BUFSIZ+1]; - char curbuf[BUFSIZ]; /* current buffer */ - char **sptr, *s; - XpmColor *color; -@@ -186,6 +205,8 @@ - char **defaults; - int ErrorStatus; - -+ if (ncolors >= SIZE_MAX / sizeof(XpmColor)) -+ return (XpmNoMemory); - colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor)); - if (!colorTable) - return (XpmNoMemory); -@@ -197,6 +218,10 @@ - /* - * read pixel value - */ -+ if (cpp >= SIZE_MAX - 1) { -+ xpmFreeColorTable(colorTable, ncolors); -+ return (XpmNoMemory); -+ } - color->string = (char *) XpmMalloc(cpp + 1); - if (!color->string) { - xpmFreeColorTable(colorTable, ncolors); -@@ -234,13 +259,14 @@ - } - if (!lastwaskey && key < NKEYS) { /* open new key */ - if (curkey) { /* flush string */ -- s = (char *) XpmMalloc(strlen(curbuf) + 1); -+ len = strlen(curbuf) + 1; -+ s = (char *) XpmMalloc(len); - if (!s) { - xpmFreeColorTable(colorTable, ncolors); - return (XpmNoMemory); - } - defaults[curkey] = s; -- strcpy(s, curbuf); -+ memcpy(s, curbuf, len); - } - curkey = key + 1; /* set new key */ - *curbuf = '\0'; /* reset curbuf */ -@@ -251,9 +277,9 @@ - return (XpmFileInvalid); - } - if (!lastwaskey) -- strcat(curbuf, " "); /* append space */ -+ STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ - buf[l] = '\0'; -- strcat(curbuf, buf);/* append buf */ -+ STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */ - lastwaskey = 0; - } - } -@@ -261,12 +287,13 @@ - xpmFreeColorTable(colorTable, ncolors); - return (XpmFileInvalid); - } -- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1); -+ len = strlen(curbuf) + 1; -+ s = defaults[curkey] = (char *) XpmMalloc(len); - if (!s) { - xpmFreeColorTable(colorTable, ncolors); - 
return (XpmNoMemory); - } -- strcpy(s, curbuf); -+ memcpy(s, curbuf, len); - } - } else { /* XPM 1 */ - /* get to the beginning of the first string */ -@@ -279,6 +306,10 @@ - /* - * read pixel value - */ -+ if (cpp >= SIZE_MAX - 1) { -+ xpmFreeColorTable(colorTable, ncolors); -+ return (XpmNoMemory); -+ } - color->string = (char *) XpmMalloc(cpp + 1); - if (!color->string) { - xpmFreeColorTable(colorTable, ncolors); -@@ -307,16 +338,17 @@ - *curbuf = '\0'; /* init curbuf */ - while ((l = xpmNextWord(data, buf, BUFSIZ))) { - if (*curbuf != '\0') -- strcat(curbuf, " ");/* append space */ -+ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */ - buf[l] = '\0'; -- strcat(curbuf, buf); /* append buf */ -+ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ - } -- s = (char *) XpmMalloc(strlen(curbuf) + 1); -+ len = strlen(curbuf) + 1; -+ s = (char *) XpmMalloc(len); - if (!s) { - xpmFreeColorTable(colorTable, ncolors); - return (XpmNoMemory); - } -- strcpy(s, curbuf); -+ memcpy(s, curbuf, len); - color->c_color = s; - *curbuf = '\0'; /* reset curbuf */ - if (a < ncolors - 1) -@@ -341,6 +373,9 @@ - unsigned int *iptr, *iptr2; - unsigned int a, x, y; - -+ if ((height > 0 && width >= SIZE_MAX / height) || -+ width * height >= SIZE_MAX / sizeof(unsigned int)) -+ return XpmNoMemory; - #ifndef FOR_MSW - iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height); - #else -@@ -364,6 +399,9 @@ - { - unsigned short colidx[256]; - -+ if (ncolors > 256) -+ return (XpmFileInvalid); -+ - bzero((char *)colidx, 256 * sizeof(short)); - for (a = 0; a < ncolors; a++) - colidx[(unsigned char)colorTable[a].string[0]] = a + 1; -@@ -441,6 +479,9 @@ - { - char *s; - char buf[BUFSIZ]; -+ -+ if (cpp >= sizeof(buf)) -+ return (XpmFileInvalid); - - buf[cpp] = '\0'; - if (USE_HASHTABLE) { -Index: xc/extras/Xpm/lib/scan.c -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/extras/Xpm/lib/scan.c,v -retrieving revision 1.1.1.2 -diff 
-u -r1.1.1.2 scan.c ---- extras/Xpm/lib/scan.c 19 Jan 2002 11:08:44 -0000 1.1.1.2 -+++ extras/Xpm/lib/scan.c 31 Aug 2004 23:28:59 -0000 -@@ -107,7 +107,8 @@ - LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp, - XpmAttributes *attributes)); - --LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors, -+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, -+ unsigned int ncolors, - Pixel *pixels, unsigned int mask, - unsigned int cpp, XpmAttributes *attributes)); - -@@ -232,11 +233,17 @@ - else - cpp = 0; - -+ if ((height > 0 && width >= SIZE_MAX / height) || -+ width * height >= SIZE_MAX / sizeof(unsigned int)) -+ RETURN(XpmNoMemory); - pmap.pixelindex = - (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int)); - if (!pmap.pixelindex) - RETURN(XpmNoMemory); - -+ if (pmap.size >= SIZE_MAX / sizeof(Pixel)) -+ RETURN(XpmNoMemory); -+ - pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size); - if (!pmap.pixels) - RETURN(XpmNoMemory); -@@ -301,7 +308,8 @@ - * get rgb values and a string of char, and possibly a name for each - * color - */ -- -+ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor)) -+ RETURN(XpmNoMemory); - colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor)); - if (!colorTable) - RETURN(XpmNoMemory); -@@ -360,6 +368,8 @@ - - /* first get a character string */ - a = 0; -+ if (cpp >= SIZE_MAX - 1) -+ return (XpmNoMemory); - if (!(s = color->string = (char *) XpmMalloc(cpp + 1))) - return (XpmNoMemory); - *s++ = printable[c = a % MAXPRINTABLE]; -@@ -407,7 +417,7 @@ - ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes) - Display *display; - XpmColor *colors; -- int ncolors; -+ unsigned int ncolors; - Pixel *pixels; - unsigned int mask; - unsigned int cpp; -@@ -451,6 +461,8 @@ - } - - /* first get character strings and rgb values */ -+ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1) -+ return (XpmNoMemory); - xcolors = (XColor *) 
XpmMalloc(sizeof(XColor) * ncolors); - if (!xcolors) - return (XpmNoMemory); -Index: xc/lib/Xpm/Imakefile -=================================================================== -RCS file: /cvs/OpenBSD/XF4/xc/lib/Xpm/Imakefile,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 Imakefile ---- lib/Xpm/Imakefile 15 Feb 2001 07:56:01 -0000 1.1.1.1 -+++ lib/Xpm/Imakefile 31 Aug 2004 23:28:59 -0000 -@@ -42,11 +42,16 @@ - SPRINTFDEF = -DVOID_SPRINTF - #endif - -+#if HasStrlcat -+STRLCATDEF = -DHAS_STRLCAT -+#endif -+ - #if defined(Win32Architecture) - ZPIPEDEF = -DNO_ZPIPE - #endif - --DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(ZPIPEDEF) $(ZFILEDEF) -+DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(STRLCATDEF) \ -+ $(ZPIPEDEF) $(ZFILEDEF) - - HEADERS = xpm.h - -- cgit v1.2.3