Attachment #42416 for bug #68544

Lines 32-44 Link Here

(-)lib/Attrib.c (-5 / +7 lines)
32	* Developed by Arnaud Le Hors *	32	* Developed by Arnaud Le Hors *
33	\*****************************************************************************/	33	\*****************************************************************************/
34		34
		35	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		36
35	#include "XpmI.h"	37	#include "XpmI.h"
36		38
37	/* 3.2 backward compatibility code */	39	/* 3.2 backward compatibility code */
38	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,	40	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
39	XpmColor ***oldct));	41	XpmColor ***oldct));
40		42
41	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));	43	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
42		44
43	/*	45	/*
44	* Create a colortable compatible with the old style colortable	46	* Create a colortable compatible with the old style colortable
Lines 50-56 Link Here
50	XpmColor ***oldct;	52	XpmColor ***oldct;
51	{	53	{
52	XpmColor colorTable, color;	54	XpmColor colorTable, color;
53	int a;	55	unsigned int a;
54		56
55	if (ncolors >= UINT_MAX / sizeof(XpmColor *))	57	if (ncolors >= UINT_MAX / sizeof(XpmColor *))
56	return XpmNoMemory;	58	return XpmNoMemory;
Lines 69-77 Link Here
69	static void	71	static void
70	FreeOldColorTable(colorTable, ncolors)	72	FreeOldColorTable(colorTable, ncolors)
71	XpmColor **colorTable;	73	XpmColor **colorTable;
72	int ncolors;	74	unsigned int ncolors;
73	{	75	{
74	int a, b;	76	unsigned int a, b;
75	XpmColor **color;	77	XpmColor **color;
76	char **sptr;	78	char **sptr;
77		79
Lines 116-122 Link Here
116	void	118	void
117	XpmFreeExtensions(extensions, nextensions)	119	XpmFreeExtensions(extensions, nextensions)
118	XpmExtension *extensions;	120	XpmExtension *extensions;
119	int nextensions;	121	unsigned int nextensions;
120	{	122	{
121	unsigned int i, j, nlines;	123	unsigned int i, j, nlines;
122	XpmExtension *ext;	124	XpmExtension *ext;




*                                                                             *
*  Developed by Arnaud Le Hors                                                *
\*****************************************************************************/

/* October 2004, source code review by Thomas Biege <thomas@suse.de> */

/* $XFree86: xc/extras/Xpm/lib/CrBufFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */

#include "XpmI.h"

			 unsigned int *used_size, XpmColor *colors,
			 unsigned int ncolors, unsigned int cpp));

LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
			  unsigned int *used_size,
			  unsigned int width, unsigned int height,
			  unsigned int cpp, unsigned int *pixels,
			  XpmColor *colors));

LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
			      unsigned int *used_size,
			      XpmExtension *ext, unsigned int num));

LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
LFUNC(CommentsSize, int, (XpmInfo *info));

int


#undef RETURN
#define RETURN(status) \
do \
{ \
      ErrorStatus = status; \
      goto error; \
}while(0)

int
XpmCreateBufferFromXpmImage(buffer_return, image, info)

    unsigned int cmts, extensions, ext_size = 0;
    unsigned int l, cmt_size = 0;
    char *ptr = NULL, *p;
    unsigned int ptr_size, ptr_size_old, used_size;

    *buffer_return = NULL;


#ifdef VOID_SPRINTF
    used_size = strlen(buf);
#endif
    ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
    if(ptr_size <= used_size ||
       ptr_size <= ext_size  ||
       ptr_size <= cmt_size)
    {
        return XpmNoMemory;
    }
    ptr = (char *) XpmMalloc(ptr_size);
    if (!ptr)
	return XpmNoMemory;

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->hints_cmt) + 5;
#endif

#ifndef VOID_SPRINTF
	l +=
#endif
	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
#ifdef VOID_SPRINTF
	l = strlen(buf);
#endif

    l = strlen(buf);
#endif
    ptr_size += l;
    if(ptr_size <= l)
        RETURN(XpmNoMemory);
    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)
	RETURN(XpmNoMemory);

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->colors_cmt) + 5;
#endif

     * 4 = 1 (for '"') + 3 (for '",\n')
     * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
     */
    /* is the first and the last test necessary? */
    if(image->width > (UINT_MAX / (image->cpp)) - 4)
	RETURN(XpmNoMemory);
    if(image->height > (UINT_MAX / (image->width * image->cpp + 4)) - 1)
	RETURN(XpmNoMemory);
    ptr_size_old = ptr_size;
    ptr_size += image->height * (image->width * image->cpp + 4) + 1;
    if (ptr_size <= ptr_size_old)
	RETURN(XpmNoMemory);
    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)
	RETURN(XpmNoMemory);

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->pixels_cmt) + 5;
#endif
    }
    WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
		image->cpp, image->data, image->colorTable);

    /* print extensions */
    if (extensions)
	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
			info->extensions, info->nextensions);

    /* close the array */

    return (ErrorStatus);
}


static int
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
    char **dataptr;

    unsigned int ncolors;
    unsigned int cpp;
{
    char buf[BUFSIZ] = {0};
    unsigned int a, key, l;
    char *s, *s2;
    char **defaults;


	defaults = (char **) colors;
	s = buf + 1;
	if(cpp > (sizeof(buf) - (s-buf)))
		return(XpmNoMemory);
	strncpy(s, *defaults++, cpp);
	s += cpp;


#ifndef VOID_SPRINTF
		s +=
#endif
		/* assume C99 compliance */
		snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
#ifdef VOID_SPRINTF
		s += strlen(s);
#endif
		/* now let's check if s points out-of-boundsa*/
		if((s-buf) > sizeof(buf))
			return(XpmNoMemory);
	    }
	}
	if(sizeof(buf) - (s-buf) < 4)
		return(XpmNoMemory);
	strcpy(s, "\",\n");
	l = s + 3 - buf;
	if( *data_size                   >= UINT_MAX-l ||
	    *data_size + l               <= *used_size ||
	   (*data_size + l - *used_size) <= sizeof(buf))
		return(XpmNoMemory);
	s = (char *) XpmRealloc(*dataptr, *data_size + l);
	if (!s)
	    return (XpmNoMemory);

}

static void
WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    unsigned int width;
    unsigned int height;

    char *s = dataptr;
    unsigned int x, y, h;

    if(height <= 1)
    	return;

    h = height - 1;
    for (y = 0; y < h; y++) {
	*s++ = '"';
	for (x = 0; x < width; x++, pixels++) {
	    if(cpp >= (data_size - (s-dataptr)))
		return;
	    strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
	    s += cpp;
	}
	if((data_size - (s-dataptr)) < 4)
		return;
	strcpy(s, "\",\n");
	s += 3;
    }
    /* duplicate some code to avoid a test in the loop */
    *s++ = '"';
    for (x = 0; x < width; x++, pixels++) {
	if(cpp >= (data_size - (s-dataptr)))
	    return;
	strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
	s += cpp;
    }
    *s++ = '"';
    *used_size += s - dataptr;
}

static unsigned int
ExtensionsSize(ext, num)
    XpmExtension *ext;
    unsigned int num;

    char **line;

    size = 0;
    if(num == 0)
    	return(0); /* ok? */
    for (x = 0; x < num; x++, ext++) {
	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
	size += strlen(ext->name) + 11;
	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
	for (y = 0, line = ext->lines; y < a; y++, line++)
	    /* 4 = 3 (for ',\n"') + 1 (for '"') */
	    size += strlen(*line) + 4;
    }
    /* 13 is for ',\n"XPMENDEXT"' */
    if(size > UINT_MAX - 13) /* unlikely */
    	return(0);
    return size + 13;
}

static void
WriteExtensions(dataptr, data_size, used_size, ext, num)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    XpmExtension *ext;
    unsigned int num;

#ifndef VOID_SPRINTF
	s +=
#endif
	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
#ifdef VOID_SPRINTF
	s += strlen(ext->name) + 11;
#endif

#ifndef VOID_SPRINTF
	    s +=
#endif
	    snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
#ifdef VOID_SPRINTF
	    s += strlen(*line) + 4;
#endif
	}
    }
    strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
    *used_size += s - dataptr + 13;
}


    int size = 0;

    /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
    /* wrap possible but *very* unlikely */
    if (info->hints_cmt)
	size += 5 + strlen(info->hints_cmt);


Lines 33-45 Link Here

(-)lib/CrDatFrI.c (-17 / +73 lines)
33	\*****************************************************************************/	33	\*****************************************************************************/
34	/* $XFree86: xc/extras/Xpm/lib/CrDatFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */	34	/* $XFree86: xc/extras/Xpm/lib/CrDatFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,	40	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,
39	XpmColor *colors, unsigned int ncolors,	41	XpmColor *colors, unsigned int ncolors,
40	unsigned int cpp));	42	unsigned int cpp));
41		43
42	LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,	44	LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
		45	unsigned int width,
43	unsigned int height, unsigned int cpp,	46	unsigned int height, unsigned int cpp,
44	unsigned int pixels, XpmColor colors));	47	unsigned int pixels, XpmColor colors));
45		48
Lines 47-53 Link Here
47	unsigned int *ext_size,	50	unsigned int *ext_size,
48	unsigned int *ext_nlines));	51	unsigned int *ext_nlines));
49		52
50	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,	53	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
		54	unsigned int offset,
51	XpmExtension *ext, unsigned int num,	55	XpmExtension *ext, unsigned int num,
52	unsigned int ext_nlines));	56	unsigned int ext_nlines));
53		57
Lines 88-97 Link Here
88		92
89	#undef RETURN	93	#undef RETURN
90	#define RETURN(status) \	94	#define RETURN(status) \
		95	do \
91	{ \	96	{ \
92	ErrorStatus = status; \	97	ErrorStatus = status; \
93	goto exit; \	98	goto exit; \
94	}	99	} while(0)
95		100
96	int	101	int
97	XpmCreateDataFromXpmImage(data_return, image, info)	102	XpmCreateDataFromXpmImage(data_return, image, info)
Lines 122-132 Link Here
122	* alloc a temporary array of char pointer for the header section which	127	* alloc a temporary array of char pointer for the header section which
123	* is the hints line + the color table lines	128	* is the hints line + the color table lines
124	*/	129	*/
125	header_nlines = 1 + image->ncolors;	130	header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */
		131
		132	/* 2nd check superfluous if we do not need header_nlines any further */
		133	if(header_nlines <= image->ncolors \|\|
		134	header_nlines >= UINT_MAX / sizeof(char *))
		135	return(XpmNoMemory);
		136
126	header_size = sizeof(char ) header_nlines;	137	header_size = sizeof(char ) header_nlines;
127	if (header_size >= UINT_MAX / sizeof(char *))	138	if (header_size >= UINT_MAX / sizeof(char *))
128	return (XpmNoMemory);	139	return (XpmNoMemory);
129	header = (char *) XpmCalloc(header_size, sizeof(char ));	140	header = (char *) XpmCalloc(header_size, sizeof(char )); /* can we trust image->ncolors */
130	if (!header)	141	if (!header)
131	return (XpmNoMemory);	142	return (XpmNoMemory);
132		143
Lines 170-177 Link Here
170		181
171	/* now we know the size needed, alloc the data and copy the header lines */	182	/* now we know the size needed, alloc the data and copy the header lines */
172	offset = image->width * image->cpp + 1;	183	offset = image->width * image->cpp + 1;
173	data_size = header_size + (image->height + ext_nlines) * sizeof(char *)	184	if(offset <= image->width \|\| offset <= image->cpp)
174	+ image->height * offset + ext_size;	185	RETURN(XpmNoMemory);
		186
		187	if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
		188	RETURN(XpmNoMemory);
		189	data_size = (image->height + ext_nlines) * sizeof(char *);
		190
		191	if( (image->height + data_size) >= (UINT_MAX - data_size) / offset)
		192	RETURN(XpmNoMemory);
		193	data_size += image->height * offset;
		194
		195	if( (header_size + ext_size) >= (UINT_MAX - data_size) )
		196	RETURN(XpmNoMemory);
		197	data_size += header_size + ext_size;
175		198
176	data = (char **) XpmMalloc(data_size);	199	data = (char **) XpmMalloc(data_size);
177	if (!data)	200	if (!data)
Lines 179-186 Link Here
179		202
180	data_nlines = header_nlines + image->height + ext_nlines;	203	data_nlines = header_nlines + image->height + ext_nlines;
181	data = (char ) (data + data_nlines);	204	data = (char ) (data + data_nlines);
		205
		206	/* can header have less elements then n suggests? */
182	n = image->ncolors;	207	n = image->ncolors;
183	for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {	208	for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
184	strcpy(sptr, sptr2);	209	strcpy(sptr, sptr2);
185	(sptr + 1) = sptr + strlen(*sptr2) + 1;	210	(sptr + 1) = sptr + strlen(*sptr2) + 1;
186	}	211	}
Lines 189-200 Link Here
189	data[header_nlines] = (char *) data + header_size	214	data[header_nlines] = (char *) data + header_size
190	+ (image->height + ext_nlines) * sizeof(char *);	215	+ (image->height + ext_nlines) * sizeof(char *);
191		216
192	CreatePixels(data + header_nlines, image->width, image->height,	217	CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
193	image->cpp, image->data, image->colorTable);	218	image->cpp, image->data, image->colorTable);
194		219
195	/* print extensions */	220	/* print extensions */
196	if (extensions)	221	if (extensions)
197	CreateExtensions(data + header_nlines + image->height - 1, offset,	222	CreateExtensions(data + header_nlines + image->height - 1,
		223	data_size - header_nlines - image->height + 1, offset,
198	info->extensions, info->nextensions,	224	info->extensions, info->nextensions,
199	ext_nlines);	225	ext_nlines);
200		226
Lines 225-247 Link Here
225	char s, s2;	251	char s, s2;
226	char **defaults;	252	char **defaults;
227		253
		254	/* can ncolors be trusted here? */
228	for (a = 0; a < ncolors; a++, colors++, dataptr++) {	255	for (a = 0; a < ncolors; a++, colors++, dataptr++) {
229		256
230	defaults = (char **) colors;	257	defaults = (char **) colors;
		258	if(sizeof(buf) <= cpp)
		259	return(XpmNoMemory);
231	strncpy(buf, *defaults++, cpp);	260	strncpy(buf, *defaults++, cpp);
232	s = buf + cpp;	261	s = buf + cpp;
233		262
		263	if(sizeof(buf) <= (s-buf))
		264	return XpmNoMemory;
		265
234	for (key = 1; key <= NKEYS; key++, defaults++) {	266	for (key = 1; key <= NKEYS; key++, defaults++) {
235	if ((s2 = *defaults)) {	267	if ((s2 = *defaults)) {
236	#ifndef VOID_SPRINTF	268	#ifndef VOID_SPRINTF
237	s +=	269	s +=
238	#endif	270	#endif
239	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	271	/* assume C99 compliance */
		272	snprintf(s, s-buf, "\t%s %s", xpmColorKeys[key - 1], s2);
240	#ifdef VOID_SPRINTF	273	#ifdef VOID_SPRINTF
241	s += strlen(s);	274	s += strlen(s);
242	#endif	275	#endif
		276	/* does s point out-of-bounds? */
		277	if(sizeof(buf) < (s-buf))
		278	return XpmNoMemory;
243	}	279	}
244	}	280	}
		281	/* what about using strdup()? */
245	l = s - buf + 1;	282	l = s - buf + 1;
246	s = (char *) XpmMalloc(l);	283	s = (char *) XpmMalloc(l);
247	if (!s)	284	if (!s)
Lines 253-260 Link Here
253	}	290	}
254		291
255	static void	292	static void
256	CreatePixels(dataptr, width, height, cpp, pixels, colors)	293	CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
257	char **dataptr;	294	char **dataptr;
		295	unsigned int data_size;
258	unsigned int width;	296	unsigned int width;
259	unsigned int height;	297	unsigned int height;
260	unsigned int cpp;	298	unsigned int cpp;
Lines 264-284 Link Here
264	char *s;	302	char *s;
265	unsigned int x, y, h, offset;	303	unsigned int x, y, h, offset;
266		304
		305	if(height <= 1)
		306	return;
		307
267	h = height - 1;	308	h = height - 1;
		309
268	offset = width * cpp + 1;	310	offset = width * cpp + 1;
		311
		312	if(offset <= width \|\| offset <= cpp)
		313	return;
		314
		315	/* why trust h? */
269	for (y = 0; y < h; y++, dataptr++) {	316	for (y = 0; y < h; y++, dataptr++) {
270	s = *dataptr;	317	s = *dataptr;
		318	/* why trust width? */
271	for (x = 0; x < width; x++, pixels++) {	319	for (x = 0; x < width; x++, pixels++) {
272	strncpy(s, colors[*pixels].string, cpp);	320	if(cpp > (data_size - (s - *dataptr)))
		321	return;
		322	strncpy(s, colors[pixels].string, cpp); / why trust pixel? */
273	s += cpp;	323	s += cpp;
274	}	324	}
275	*s = '\0';	325	*s = '\0';
		326	if(offset > data_size)
		327	return;
276	(dataptr + 1) = dataptr + offset;	328	(dataptr + 1) = dataptr + offset;
277	}	329	}
278	/* duplicate some code to avoid a test in the loop */	330	/* duplicate some code to avoid a test in the loop */
279	s = *dataptr;	331	s = *dataptr;
		332	/* why trust width? */
280	for (x = 0; x < width; x++, pixels++) {	333	for (x = 0; x < width; x++, pixels++) {
281	strncpy(s, colors[*pixels].string, cpp);	334	if(cpp > data_size - (s - *dataptr))
		335	return;
		336	strncpy(s, colors[pixels].string, cpp); / why should we trust pixel? /
282	s += cpp;	337	s += cpp;
283	}	338	}
284	*s = '\0';	339	*s = '\0';
Lines 311-318 Link Here
311	}	366	}
312		367
313	static void	368	static void
314	CreateExtensions(dataptr, offset, ext, num, ext_nlines)	369	CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
315	char **dataptr;	370	char **dataptr;
		371	unsigned int data_size;
316	unsigned int offset;	372	unsigned int offset;
317	XpmExtension *ext;	373	XpmExtension *ext;
318	unsigned int num;	374	unsigned int num;
Lines 325-336 Link Here
325	dataptr++;	381	dataptr++;
326	a = 0;	382	a = 0;
327	for (x = 0; x < num; x++, ext++) {	383	for (x = 0; x < num; x++, ext++) {
328	sprintf(*dataptr, "XPMEXT %s", ext->name);	384	snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
329	a++;	385	a++;
330	if (a < ext_nlines)	386	if (a < ext_nlines)
331	(dataptr + 1) = dataptr + strlen(ext->name) + 8;	387	(dataptr + 1) = dataptr + strlen(ext->name) + 8;
332	dataptr++;	388	dataptr++;
333	b = ext->nlines;	389	b = ext->nlines; /* can we trust these values? */
334	for (y = 0, line = ext->lines; y < b; y++, line++) {	390	for (y = 0, line = ext->lines; y < b; y++, line++) {
335	strcpy(dataptr, line);	391	strcpy(dataptr, line);
336	a++;	392	a++;

Lines 45-50 Link Here

(-)lib/create.c (-53 / +59 lines)
45	* Lorens Younes (d93-hyo@nada.kth.se) 4/96	45	* Lorens Younes (d93-hyo@nada.kth.se) 4/96
46	*/	46	*/
47		47
		48	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		49
48	#include "XpmI.h"	50	#include "XpmI.h"
49	#include <ctype.h>	51	#include <ctype.h>
50		52
Lines 125-140 Link Here
125	unsigned int height, unsigned int *pixelindex,	127	unsigned int height, unsigned int *pixelindex,
126	Pixel *pixels));	128	Pixel *pixels));
127		129
128	LFUNC(PutPixel1, int, (XImage *ximage, int x, int y, unsigned long pixel));	130	LFUNC(PutPixel1, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
129	LFUNC(PutPixel, int, (XImage *ximage, int x, int y, unsigned long pixel));	131	LFUNC(PutPixel, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
130	LFUNC(PutPixel32, int, (XImage *ximage, int x, int y, unsigned long pixel));	132	LFUNC(PutPixel32, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
131	LFUNC(PutPixel32MSB, int, (XImage *ximage, int x, int y, unsigned long pixel));	133	LFUNC(PutPixel32MSB, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
132	LFUNC(PutPixel32LSB, int, (XImage *ximage, int x, int y, unsigned long pixel));	134	LFUNC(PutPixel32LSB, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
133	LFUNC(PutPixel16MSB, int, (XImage *ximage, int x, int y, unsigned long pixel));	135	LFUNC(PutPixel16MSB, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
134	LFUNC(PutPixel16LSB, int, (XImage *ximage, int x, int y, unsigned long pixel));	136	LFUNC(PutPixel16LSB, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
135	LFUNC(PutPixel8, int, (XImage *ximage, int x, int y, unsigned long pixel));	137	LFUNC(PutPixel8, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
136	LFUNC(PutPixel1MSB, int, (XImage *ximage, int x, int y, unsigned long pixel));	138	LFUNC(PutPixel1MSB, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
137	LFUNC(PutPixel1LSB, int, (XImage *ximage, int x, int y, unsigned long pixel));	139	LFUNC(PutPixel1LSB, int, (XImage *ximage, unsigned x, unsigned y, unsigned long pixel));
138		140
139	# else /* AMIGA */	141	# else /* AMIGA */
140	LFUNC(APutImagePixels, void, (XImage *ximage, unsigned int width,	142	LFUNC(APutImagePixels, void, (XImage *ximage, unsigned int width,
Lines 584-590 Link Here
584	*/	586	*/
585	} else {	587	} else {
586	#endif	588	#endif
587	int i;	589	unsigned int i;
588		590
589	#ifndef AMIGA	591	#ifndef AMIGA
590	ncols = visual->map_entries;	592	ncols = visual->map_entries;
Lines 744-755 Link Here
744		746
745		747
746	/* function call in case of error */	748	/* function call in case of error */
		749
747	#undef RETURN	750	#undef RETURN
748	#define RETURN(status) \	751	#define RETURN(status) \
		752	do \
749	{ \	753	{ \
750	ErrorStatus = status; \	754	ErrorStatus = status; \
751	goto error; \	755	goto error; \
752	}	756	} while(0)
753		757
754	int	758	int
755	XpmCreateImageFromXpmImage(display, image,	759	XpmCreateImageFromXpmImage(display, image,
Lines 995-1005 Link Here
995	return (XpmNoMemory);	999	return (XpmNoMemory);
996		1000
997	#if !defined(FOR_MSW) && !defined(AMIGA)	1001	#if !defined(FOR_MSW) && !defined(AMIGA)
998	if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) {	1002	if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
999	XDestroyImage(*image_return);	1003	XDestroyImage(*image_return);
1000	return XpmNoMemory;	1004	return XpmNoMemory;
1001	}	1005	}
1002	/* now that bytes_per_line must have been set properly alloc data */	1006	/* now that bytes_per_line must have been set properly alloc data */
		1007	if((*image_return)->bytes_per_line == 0 \|\| height == 0)
		1008	return XpmNoMemory;
1003	(*image_return)->data =	1009	(*image_return)->data =
1004	(char ) XpmMalloc((image_return)->bytes_per_line * height);	1010	(char ) XpmMalloc((image_return)->bytes_per_line * height);
1005		1011
Lines 1028-1034 Link Here
1028	LFUNC(_putbits, void, (register char *src, int dstoffset,	1034	LFUNC(_putbits, void, (register char *src, int dstoffset,
1029	register int numbits, register char *dst));	1035	register int numbits, register char *dst));
1030		1036
1031	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));	1037	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
1032		1038
1033	static unsigned char Const _reverse_byte[0x100] = {	1039	static unsigned char Const _reverse_byte[0x100] = {
1034	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,	1040	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
Lines 1068-1079 Link Here
1068	static int	1074	static int
1069	_XReverse_Bytes(bpt, nb)	1075	_XReverse_Bytes(bpt, nb)
1070	register unsigned char *bpt;	1076	register unsigned char *bpt;
1071	register int nb;	1077	register unsigned int nb;
1072	{	1078	{
1073	do {	1079	do {
1074	bpt = _reverse_byte[bpt];	1080	bpt = _reverse_byte[bpt];
1075	bpt++;	1081	bpt++;
1076	} while (--nb > 0);	1082	} while (--nb > 0); /* is nb user-controled? */
1077	return 0;	1083	return 0;
1078	}	1084	}
1079		1085
Lines 1212-1218 Link Here
1212	register char *src;	1218	register char *src;
1213	register char *dst;	1219	register char *dst;
1214	register unsigned int *iptr;	1220	register unsigned int *iptr;
1215	register int x, y, i;	1221	register unsigned int x, y, i;
1216	register char *data;	1222	register char *data;
1217	Pixel pixel, px;	1223	Pixel pixel, px;
1218	int nbytes, depth, ibu, ibpp;	1224	int nbytes, depth, ibu, ibpp;
Lines 1222-1229 Link Here
1222	depth = image->depth;	1228	depth = image->depth;
1223	if (depth == 1) {	1229	if (depth == 1) {
1224	ibu = image->bitmap_unit;	1230	ibu = image->bitmap_unit;
1225	for (y = 0; y < height; y++)	1231	for (y = 0; y < height; y++) /* how can we trust height */
1226	for (x = 0; x < width; x++, iptr++) {	1232	for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
1227	pixel = pixels[*iptr];	1233	pixel = pixels[*iptr];
1228	for (i = 0, px = pixel; i < sizeof(unsigned long);	1234	for (i = 0, px = pixel; i < sizeof(unsigned long);
1229	i++, px >>= 8)	1235	i++, px >>= 8)
Lines 1298-1309 Link Here
1298	{	1304	{
1299	unsigned char *data;	1305	unsigned char *data;
1300	unsigned int *iptr;	1306	unsigned int *iptr;
1301	int y;	1307	unsigned int y;
1302	Pixel pixel;	1308	Pixel pixel;
1303		1309
1304	#ifdef WITHOUT_SPEEDUPS	1310	#ifdef WITHOUT_SPEEDUPS
1305		1311
1306	int x;	1312	unsigned int x;
1307	unsigned char *addr;	1313	unsigned char *addr;
1308		1314
1309	data = (unsigned char *) image->data;	1315	data = (unsigned char *) image->data;
Lines 1340-1346 Link Here
1340		1346
1341	#else /* WITHOUT_SPEEDUPS */	1347	#else /* WITHOUT_SPEEDUPS */
1342		1348
1343	int bpl = image->bytes_per_line;	1349	unsigned int bpl = image->bytes_per_line;
1344	unsigned char data_ptr, max_data;	1350	unsigned char data_ptr, max_data;
1345		1351
1346	data = (unsigned char *) image->data;	1352	data = (unsigned char *) image->data;
Lines 1408-1418 Link Here
1408	{	1414	{
1409	unsigned char *data;	1415	unsigned char *data;
1410	unsigned int *iptr;	1416	unsigned int *iptr;
1411	int y;	1417	unsigned int y;
1412		1418
1413	#ifdef WITHOUT_SPEEDUPS	1419	#ifdef WITHOUT_SPEEDUPS
1414		1420
1415	int x;	1421	unsigned int x;
1416	unsigned char *addr;	1422	unsigned char *addr;
1417		1423
1418	data = (unsigned char *) image->data;	1424	data = (unsigned char *) image->data;
Lines 1436-1442 Link Here
1436		1442
1437	Pixel pixel;	1443	Pixel pixel;
1438		1444
1439	int bpl = image->bytes_per_line;	1445	unsigned int bpl = image->bytes_per_line;
1440	unsigned char data_ptr, max_data;	1446	unsigned char data_ptr, max_data;
1441		1447
1442	data = (unsigned char *) image->data;	1448	data = (unsigned char *) image->data;
Lines 1489-1499 Link Here
1489	{	1495	{
1490	char *data;	1496	char *data;
1491	unsigned int *iptr;	1497	unsigned int *iptr;
1492	int y;	1498	unsigned int y;
1493		1499
1494	#ifdef WITHOUT_SPEEDUPS	1500	#ifdef WITHOUT_SPEEDUPS
1495		1501
1496	int x;	1502	unsigned int x;
1497		1503
1498	data = image->data;	1504	data = image->data;
1499	iptr = pixelindex;	1505	iptr = pixelindex;
Lines 1503-1509 Link Here
1503		1509
1504	#else /* WITHOUT_SPEEDUPS */	1510	#else /* WITHOUT_SPEEDUPS */
1505		1511
1506	int bpl = image->bytes_per_line;	1512	unsigned int bpl = image->bytes_per_line;
1507	char data_ptr, max_data;	1513	char data_ptr, max_data;
1508		1514
1509	data = image->data;	1515	data = image->data;
Lines 1538-1549 Link Here
1538	PutImagePixels(image, width, height, pixelindex, pixels);	1544	PutImagePixels(image, width, height, pixelindex, pixels);
1539	else {	1545	else {
1540	unsigned int *iptr;	1546	unsigned int *iptr;
1541	int y;	1547	unsigned int y;
1542	char *data;	1548	char *data;
1543		1549
1544	#ifdef WITHOUT_SPEEDUPS	1550	#ifdef WITHOUT_SPEEDUPS
1545		1551
1546	int x;	1552	unsigned int x;
1547		1553
1548	data = image->data;	1554	data = image->data;
1549	iptr = pixelindex;	1555	iptr = pixelindex;
Lines 1756-1763 Link Here
1756	static int	1762	static int
1757	PutPixel1(ximage, x, y, pixel)	1763	PutPixel1(ximage, x, y, pixel)
1758	register XImage *ximage;	1764	register XImage *ximage;
1759	int x;	1765	unsigned int x;
1760	int y;	1766	unsigned int y;
1761	unsigned long pixel;	1767	unsigned long pixel;
1762	{	1768	{
1763	register char *src;	1769	register char *src;
Lines 1788-1802 Link Here
1788	static int	1794	static int
1789	PutPixel(ximage, x, y, pixel)	1795	PutPixel(ximage, x, y, pixel)
1790	register XImage *ximage;	1796	register XImage *ximage;
1791	int x;	1797	unsigned int x;
1792	int y;	1798	unsigned int y;
1793	unsigned long pixel;	1799	unsigned long pixel;
1794	{	1800	{
1795	register char *src;	1801	register char *src;
1796	register char *dst;	1802	register char *dst;
1797	register int i;	1803	register int i;
1798	Pixel px;	1804	Pixel px;
1799	int nbytes, ibpp;	1805	unsigned int nbytes, ibpp;
1800		1806
1801	ibpp = ximage->bits_per_pixel;	1807	ibpp = ximage->bits_per_pixel;
1802	if (ximage->depth == 4)	1808	if (ximage->depth == 4)
Lines 1823-1830 Link Here
1823	static int	1829	static int
1824	PutPixel32(ximage, x, y, pixel)	1830	PutPixel32(ximage, x, y, pixel)
1825	register XImage *ximage;	1831	register XImage *ximage;
1826	int x;	1832	unsigned int x;
1827	int y;	1833	unsigned int y;
1828	unsigned long pixel;	1834	unsigned long pixel;
1829	{	1835	{
1830	unsigned char *addr;	1836	unsigned char *addr;
Lines 1837-1844 Link Here
1837	static int	1843	static int
1838	PutPixel32MSB(ximage, x, y, pixel)	1844	PutPixel32MSB(ximage, x, y, pixel)
1839	register XImage *ximage;	1845	register XImage *ximage;
1840	int x;	1846	unsigned int x;
1841	int y;	1847	unsigned int y;
1842	unsigned long pixel;	1848	unsigned long pixel;
1843	{	1849	{
1844	unsigned char *addr;	1850	unsigned char *addr;
Lines 1854-1861 Link Here
1854	static int	1860	static int
1855	PutPixel32LSB(ximage, x, y, pixel)	1861	PutPixel32LSB(ximage, x, y, pixel)
1856	register XImage *ximage;	1862	register XImage *ximage;
1857	int x;	1863	unsigned int x;
1858	int y;	1864	unsigned int y;
1859	unsigned long pixel;	1865	unsigned long pixel;
1860	{	1866	{
1861	unsigned char *addr;	1867	unsigned char *addr;
Lines 1871-1878 Link Here
1871	static int	1877	static int
1872	PutPixel16MSB(ximage, x, y, pixel)	1878	PutPixel16MSB(ximage, x, y, pixel)
1873	register XImage *ximage;	1879	register XImage *ximage;
1874	int x;	1880	unsigned int x;
1875	int y;	1881	unsigned int y;
1876	unsigned long pixel;	1882	unsigned long pixel;
1877	{	1883	{
1878	unsigned char *addr;	1884	unsigned char *addr;
Lines 1886-1893 Link Here
1886	static int	1892	static int
1887	PutPixel16LSB(ximage, x, y, pixel)	1893	PutPixel16LSB(ximage, x, y, pixel)
1888	register XImage *ximage;	1894	register XImage *ximage;
1889	int x;	1895	unsigned int x;
1890	int y;	1896	unsigned int y;
1891	unsigned long pixel;	1897	unsigned long pixel;
1892	{	1898	{
1893	unsigned char *addr;	1899	unsigned char *addr;
Lines 1901-1908 Link Here
1901	static int	1907	static int
1902	PutPixel8(ximage, x, y, pixel)	1908	PutPixel8(ximage, x, y, pixel)
1903	register XImage *ximage;	1909	register XImage *ximage;
1904	int x;	1910	unsigned int x;
1905	int y;	1911	unsigned int y;
1906	unsigned long pixel;	1912	unsigned long pixel;
1907	{	1913	{
1908	ximage->data[ZINDEX8(x, y, ximage)] = pixel;	1914	ximage->data[ZINDEX8(x, y, ximage)] = pixel;
Lines 1912-1919 Link Here
1912	static int	1918	static int
1913	PutPixel1MSB(ximage, x, y, pixel)	1919	PutPixel1MSB(ximage, x, y, pixel)
1914	register XImage *ximage;	1920	register XImage *ximage;
1915	int x;	1921	unsigned int x;
1916	int y;	1922	unsigned int y;
1917	unsigned long pixel;	1923	unsigned long pixel;
1918	{	1924	{
1919	if (pixel & 1)	1925	if (pixel & 1)
Lines 1926-1933 Link Here
1926	static int	1932	static int
1927	PutPixel1LSB(ximage, x, y, pixel)	1933	PutPixel1LSB(ximage, x, y, pixel)
1928	register XImage *ximage;	1934	register XImage *ximage;
1929	int x;	1935	unsigned int x;
1930	int y;	1936	unsigned int y;
1931	unsigned long pixel;	1937	unsigned long pixel;
1932	{	1938	{
1933	if (pixel & 1)	1939	if (pixel & 1)
Lines 2182-2188 Link Here
2182	* free the hastable	2188	* free the hastable
2183	*/	2189	*/
2184	if (ErrorStatus != XpmSuccess)	2190	if (ErrorStatus != XpmSuccess)
2185	RETURN(ErrorStatus)	2191	RETURN(ErrorStatus);
2186	else if (USE_HASHTABLE)	2192	else if (USE_HASHTABLE)
2187	xpmHashTableFree(&hashtable);	2193	xpmHashTableFree(&hashtable);
2188		2194
Lines 2378-2384 Link Here
2378		2384
2379	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	2385	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
2380	for (a = 0; a < ncolors; a++) {	2386	for (a = 0; a < ncolors; a++) {
2381	char1 = colorTable[a].string[0];	2387	char1 = (unsigned char) colorTable[a].string[0];
2382	if (cidx[char1] == NULL) { /* get new memory */	2388	if (cidx[char1] == NULL) { /* get new memory */
2383	cidx[char1] = (unsigned short *)	2389	cidx[char1] = (unsigned short *)
2384	XpmCalloc(256, sizeof(unsigned short));	2390	XpmCalloc(256, sizeof(unsigned short));

Lines 33-38 Link Here

(-)lib/data.c (-4 / +7 lines)
33	\*****************************************************************************/	33	\*****************************************************************************/
34	/* $XFree86: xc/extras/Xpm/lib/data.c,v 1.4 2002/01/07 19:40:49 dawes Exp $ */	34	/* $XFree86: xc/extras/Xpm/lib/data.c,v 1.4 2002/01/07 19:40:49 dawes Exp $ */
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#ifndef CXPMPROG	38	#ifndef CXPMPROG
37	#if 0	39	#if 0
38	/* Official version number */	40	/* Official version number */
Lines 262-268 Link Here
262	}	264	}
263	Ungetc(data, c, file);	265	Ungetc(data, c, file);
264	}	266	}
265	return (n);	267	return (n); /* this returns bytes read + 1 */
266	}	268	}
267		269
268	/*	270	/*
Lines 375-382 Link Here
375	{	377	{
376	if (!data->type)	378	if (!data->type)
377	*cmt = NULL;	379	*cmt = NULL;
378	else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) {	380	else if (data->CommentLength != 0 && data->CommentLength < UINT_MAX - 1) {
379	cmt = (char ) XpmMalloc(data->CommentLength + 1);	381	if( (cmt = (char ) XpmMalloc(data->CommentLength + 1)) == NULL)
		382	return XpmNoMemory;
380	strncpy(*cmt, data->Comment, data->CommentLength);	383	strncpy(*cmt, data->Comment, data->CommentLength);
381	(*cmt)[data->CommentLength] = '\0';	384	(*cmt)[data->CommentLength] = '\0';
382	data->CommentLength = 0;	385	data->CommentLength = 0;
Lines 400-406 Link Here
400	xpmParseHeader(data)	403	xpmParseHeader(data)
401	xpmData *data;	404	xpmData *data;
402	{	405	{
403	char buf[BUFSIZ];	406	char buf[BUFSIZ+1] = {0};
404	int l, n = 0;	407	int l, n = 0;
405		408
406	if (data->type) {	409	if (data->type) {




	 CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
	 CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
	 CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
	 Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
	 s_popen.c

  OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
	 CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
	 CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \
	 CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
	 Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
	 s_popen.o

       INCLUDES = -I.
       LINTLIBS = $(LINTXTOLL) $(LINTXLIB) 

Lines 44-50 Link Here

(-)lib/misc.c (-1 / +1 lines)
44	char *s1;	44	char *s1;
45	{	45	{
46	char *s2;	46	char *s2;
47	int l = strlen(s1) + 1;	47	size_t l = strlen(s1) + 1;
48		48
49	if (s2 = (char *) XpmMalloc(l))	49	if (s2 = (char *) XpmMalloc(l))
50	strcpy(s2, s1);	50	strcpy(s2, s1);




 * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
 */

/* October 2004, source code review by Thomas Biege <thomas@suse.de> */

#include "XpmI.h"
#include <ctype.h>
#include <string.h>

#ifdef HAS_STRLCAT
# define STRLCAT(dst, src, dstsize) do { \
  	if (strlcat(dst, src, dstsize) >= (dstsize)) \
	    return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
  	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
	    return (XpmFileInvalid); } while(0)
#else
# define STRLCAT(dst, src, dstsize) do { \
	if ((strlen(dst) + strlen(src)) < (dstsize)) \
 	    strcat(dst, src); \
	else return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
	if (strlen(src) < (dstsize)) \
 	    strcpy(dst, src); \
	else return (XpmFileInvalid); } while(0)
#endif

LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,

			return (XpmFileInvalid);
		    }
		    if (!lastwaskey)
			STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
		    buf[l] = '\0';
		    STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
		    lastwaskey = 0;
		}
	    }

		xpmFreeColorTable(colorTable, ncolors);
		return (XpmFileInvalid);
	    }
	    len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
	    s = defaults[curkey] = (char *) XpmMalloc(len);
	    if (!s) {
		xpmFreeColorTable(colorTable, ncolors);

	    memcpy(s, curbuf, len);
	    color->c_color = s;
	    *curbuf = '\0';		/* reset curbuf */
	    if (a < ncolors - 1)	/* can we trust ncolors -> leave data's bounds */
		xpmNextString(data);	/* get to the next string */
	}
    }

    xpmHashTable *hashtable;
    unsigned int **pixels;
{
    unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
    unsigned int a, x, y;

    if ((height > 0 && width >= UINT_MAX / height) ||
	width * height >= UINT_MAX / sizeof(unsigned int)) 
	return XpmNoMemory;
#ifndef FOR_MSW

	{
	    unsigned short colidx[256];

	    if (ncolors > 256) {
		XpmFree(iptr2); /* found by Egbert Eich */
		return (XpmFileInvalid);
	    }

	    bzero((char *)colidx, 256 * sizeof(short));
	    for (a = 0; a < ncolors; a++)

	{

/* free all allocated pointers at all exits */
#define FREE_CIDX \
do \
{ \
	int f; for (f = 0; f < 256; f++) \
	if (cidx[f]) XpmFree(cidx[f]); \
} while(0)

	    /* array of pointers malloced by need */
	    unsigned short *cidx[256];


	    bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
	    for (a = 0; a < ncolors; a++) {
		char1 = (unsigned char) colorTable[a].string[0];
		if (cidx[char1] == NULL) { /* get new memory */
		    cidx[char1] = (unsigned short *)
			XpmCalloc(256, sizeof(unsigned short));

	    char *s;
	    char buf[BUFSIZ];

	    if (cpp >= sizeof(buf)) {
		XpmFree(iptr2); /* found by Egbert Eich */
		return (XpmFileInvalid);
	    }

	    buf[cpp] = '\0';
	    if (USE_HASHTABLE) {

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			slot = xpmHashSlot(hashtable, buf);
			if (!*slot) {	/* no color matches */
			    XpmFree(iptr2);

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			for (a = 0; a < ncolors; a++)
			    if (!strcmp(colorTable[a].string, buf))
				break;

    while (!notstart && notend) {
	/* there starts an extension */
	ext = (XpmExtension *)
	    XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
	if (!ext) {
	    XpmFree(string);
	    XpmFreeExtensions(exts, num);

	while ((notstart = strncmp("XPMEXT", string, 6))
	       && (notend = strncmp("XPMENDEXT", string, 9))) {
	    sp = (char **)
		XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
	    if (!sp) {
		XpmFree(string);
		ext->nlines = nlines;

/* function call in case of error */
#undef RETURN
#define RETURN(status) \
do { \
      goto error; \
} while(0)

/*
 * This function parses an Xpm file or data and store the found informations

Lines 37-42 Link Here

(-)lib/RdFToBuf.c (-2 / +5 lines)
37	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	37	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
38	*/	38	*/
39		39
		40	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		41
40	#include "XpmI.h"	42	#include "XpmI.h"
41	#include <sys/stat.h>	43	#include <sys/stat.h>
42	#if !defined(FOR_MSW) && !defined(WIN32)	44	#if !defined(FOR_MSW) && !defined(WIN32)
Lines 58-64 Link Here
58	char *filename;	60	char *filename;
59	char **buffer_return;	61	char **buffer_return;
60	{	62	{
61	int fd, fcheck, len;	63	int fd, fcheck;
		64	off_t len;
62	char *ptr;	65	char *ptr;
63	struct stat stats;	66	struct stat stats;
64	FILE *fp;	67	FILE *fp;
Lines 82-88 Link Here
82	close(fd);	85	close(fd);
83	return XpmOpenFailed;	86	return XpmOpenFailed;
84	}	87	}
85	len = (int) stats.st_size;	88	len = stats.st_size;
86	ptr = (char *) XpmMalloc(len + 1);	89	ptr = (char *) XpmMalloc(len + 1);
87	if (!ptr) {	90	if (!ptr) {
88	fclose(fp);	91	fclose(fp);

Lines 33-38 Link Here

(-)lib/RdFToI.c (-12 / +26 lines)
33	\*****************************************************************************/	33	\*****************************************************************************/
34	/* $XFree86: xc/extras/Xpm/lib/RdFToI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */	34	/* $XFree86: xc/extras/Xpm/lib/RdFToI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37	#include <sys/stat.h>	39	#include <sys/stat.h>
38	#if !defined(NO_ZPIPE) && defined(WIN32)	40	#if !defined(NO_ZPIPE) && defined(WIN32)
Lines 123-128 Link Here
123	/*	125	/*
124	* open the given file to be read as an xpmData which is returned.	126	* open the given file to be read as an xpmData which is returned.
125	*/	127	*/
		128	#ifndef NO_ZPIPE
		129	FILE s_popen(char cmd, const char *type);
		130	#else
		131	#define s_popen popen
		132	#endif
		133
126	static int	134	static int
127	OpenReadFile(filename, mdata)	135	OpenReadFile(filename, mdata)
128	char *filename;	136	char *filename;
Lines 141-157 Link Here
141	mdata->type = XPMFILE;	149	mdata->type = XPMFILE;
142	} else {	150	} else {
143	#ifndef NO_ZPIPE	151	#ifndef NO_ZPIPE
144	int len = strlen(filename);	152	size_t len = strlen(filename);
		153
		154	if(len == 0 \|\|
		155	filename[0] == '/' \|\|
		156	strstr(filename, "../") != NULL \|\|
		157	filename[len-1] == '/')
		158	return(XpmOpenFailed);
145	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {	159	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
146	mdata->type = XPMPIPE;	160	mdata->type = XPMPIPE;
147	sprintf(buf, "uncompress -c \"%s\"", filename);	161	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
148	if (!(mdata->stream.file = popen(buf, "r")))	162	if (!(mdata->stream.file = s_popen(buf, "r")))
149	return (XpmOpenFailed);	163	return (XpmOpenFailed);
150		164
151	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {	165	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
152	mdata->type = XPMPIPE;	166	mdata->type = XPMPIPE;
153	sprintf(buf, "gunzip -qc \"%s\"", filename);	167	snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
154	if (!(mdata->stream.file = popen(buf, "r")))	168	if (!(mdata->stream.file = s_popen(buf, "r")))
155	return (XpmOpenFailed);	169	return (XpmOpenFailed);
156		170
157	} else {	171	} else {
Lines 159-177 Link Here
159	if (!(compressfile = (char *) XpmMalloc(len + 4)))	173	if (!(compressfile = (char *) XpmMalloc(len + 4)))
160	return (XpmNoMemory);	174	return (XpmNoMemory);
161		175
162	sprintf(compressfile, "%s.Z", filename);	176	snprintf(compressfile, len+4, "%s.Z", filename);
163	if (!stat(compressfile, &status)) {	177	if (!stat(compressfile, &status)) {
164	sprintf(buf, "uncompress -c \"%s\"", compressfile);	178	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
165	if (!(mdata->stream.file = popen(buf, "r"))) {	179	if (!(mdata->stream.file = s_popen(buf, "r"))) {
166	XpmFree(compressfile);	180	XpmFree(compressfile);
167	return (XpmOpenFailed);	181	return (XpmOpenFailed);
168	}	182	}
169	mdata->type = XPMPIPE;	183	mdata->type = XPMPIPE;
170	} else {	184	} else {
171	sprintf(compressfile, "%s.gz", filename);	185	snprintf(compressfile, len+4, "%s.gz", filename);
172	if (!stat(compressfile, &status)) {	186	if (!stat(compressfile, &status)) {
173	sprintf(buf, "gunzip -c \"%s\"", compressfile);	187	snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
174	if (!(mdata->stream.file = popen(buf, "r"))) {	188	if (!(mdata->stream.file = s_popen(buf, "r"))) {
175	XpmFree(compressfile);	189	XpmFree(compressfile);
176	return (XpmOpenFailed);	190	return (XpmOpenFailed);
177	}	191	}
Lines 217-223 Link Here
217	break;	231	break;
218	#ifndef NO_ZPIPE	232	#ifndef NO_ZPIPE
219	case XPMPIPE:	233	case XPMPIPE:
220	pclose(mdata->stream.file);	234	fclose(mdata->stream.file);
221	break;	235	break;
222	#endif	236	#endif
223	}	237	}

Lines 43-48 Link Here

(-)lib/scan.c (-13 / +15 lines)
43	* Lorens Younes (d93-hyo@nada.kth.se) 4/96	43	* Lorens Younes (d93-hyo@nada.kth.se) 4/96
44	*/	44	*/
45		45
		46	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		47
46	#include "XpmI.h"	48	#include "XpmI.h"
47		49
48	#define MAXPRINTABLE 92 /* number of printable ascii chars	50	#define MAXPRINTABLE 92 /* number of printable ascii chars
Lines 172-181 Link Here
172	/* function call in case of error */	174	/* function call in case of error */
173	#undef RETURN	175	#undef RETURN
174	#define RETURN(status) \	176	#define RETURN(status) \
175	{ \	177	do { \
176	ErrorStatus = status; \	178	ErrorStatus = status; \
177	goto error; \	179	goto error; \
178	}	180	} while(0)
179		181
180	/*	182	/*
181	* This function scans the given image and stores the found informations in	183	* This function scans the given image and stores the found informations in
Lines 233-239 Link Here
233	else	235	else
234	cpp = 0;	236	cpp = 0;
235		237
236	if ((height > 0 && width >= SIZE_MAX / height) \|\|	238	if ((height > 0 && width >= UINT_MAX / height) \|\|
237	width * height >= UINT_MAX / sizeof(unsigned int))	239	width * height >= UINT_MAX / sizeof(unsigned int))
238	RETURN(XpmNoMemory);	240	RETURN(XpmNoMemory);
239	pmap.pixelindex =	241	pmap.pixelindex =
Lines 619-625 Link Here
619	char *dst;	621	char *dst;
620	unsigned int *iptr;	622	unsigned int *iptr;
621	char *data;	623	char *data;
622	int x, y, i;	624	unsigned int x, y, i;
623	int bits, depth, ibu, ibpp, offset;	625	int bits, depth, ibu, ibpp, offset;
624	unsigned long lbt;	626	unsigned long lbt;
625	Pixel pixel, px;	627	Pixel pixel, px;
Lines 721-727 Link Here
721	unsigned char *addr;	723	unsigned char *addr;
722	unsigned char *data;	724	unsigned char *data;
723	unsigned int *iptr;	725	unsigned int *iptr;
724	int x, y;	726	unsigned int x, y;
725	unsigned long lbt;	727	unsigned long lbt;
726	Pixel pixel;	728	Pixel pixel;
727	int depth;	729	int depth;
Lines 786-792 Link Here
786	unsigned char *addr;	788	unsigned char *addr;
787	unsigned char *data;	789	unsigned char *data;
788	unsigned int *iptr;	790	unsigned int *iptr;
789	int x, y;	791	unsigned int x, y;
790	unsigned long lbt;	792	unsigned long lbt;
791	Pixel pixel;	793	Pixel pixel;
792	int depth;	794	int depth;
Lines 831-837 Link Here
831	{	833	{
832	unsigned int *iptr;	834	unsigned int *iptr;
833	unsigned char *data;	835	unsigned char *data;
834	int x, y;	836	unsigned int x, y;
835	unsigned long lbt;	837	unsigned long lbt;
836	Pixel pixel;	838	Pixel pixel;
837	int depth;	839	int depth;
Lines 864-870 Link Here
864	storeFuncPtr storeFunc;	866	storeFuncPtr storeFunc;
865	{	867	{
866	unsigned int *iptr;	868	unsigned int *iptr;
867	int x, y;	869	unsigned int x, y;
868	char *data;	870	char *data;
869	Pixel pixel;	871	Pixel pixel;
870	int xoff, yoff, offset, bpl;	872	int xoff, yoff, offset, bpl;
Lines 900-910 Link Here
900	# else /* AMIGA */	902	# else /* AMIGA */
901		903
902	#define CLEAN_UP(status) \	904	#define CLEAN_UP(status) \
903	{\	905	do {\
904	if (pixels) XpmFree (pixels);\	906	if (pixels) XpmFree (pixels);\
905	if (tmp_img) FreeXImage (tmp_img);\	907	if (tmp_img) FreeXImage (tmp_img);\
906	return (status);\	908	return (status);\
907	}	909	} while(0)
908		910
909	static int	911	static int
910	AGetImagePixels (	912	AGetImagePixels (
Lines 925-931 Link Here
925		927
926	tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);	928	tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);
927	if (tmp_img == NULL)	929	if (tmp_img == NULL)
928	CLEAN_UP (XpmNoMemory)	930	CLEAN_UP (XpmNoMemory);
929		931
930	iptr = pmap->pixelindex;	932	iptr = pmap->pixelindex;
931	for (y = 0; y < height; ++y)	933	for (y = 0; y < height; ++y)
Lines 934-944 Link Here
934	for (x = 0; x < width; ++x, ++iptr)	936	for (x = 0; x < width; ++x, ++iptr)
935	{	937	{
936	if ((*storeFunc) (pixels[x], pmap, iptr))	938	if ((*storeFunc) (pixels[x], pmap, iptr))
937	CLEAN_UP (XpmNoMemory)	939	CLEAN_UP (XpmNoMemory);
938	}	940	}
939	}	941	}
940		942
941	CLEAN_UP (XpmSuccess)	943	CLEAN_UP (XpmSuccess);
942	}	944	}
943		945
944	#undef CLEAN_UP	946	#undef CLEAN_UP




/*
** This is a secure but NOT 100% compatible replacement for popen()
** Note:        - don't use pclose() use fclose() for closing the returned
**                filedesc.!!!
**
** Known Bugs:  - unable to use i/o-redirection like > or <
** Author:      - Thomas Biege <thomas@suse.de>
** Credits:     - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
**                calling strtok()
*/

#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define __SEC_POPEN_TOKEN " "

FILE *s_popen(char *cmd, const char *type)
{
  pid_t pid;
  int pfd[2];
  int rpipe = 0, wpipe = 0, i;
  char **argv;
  char *ptr;
  char *cmdcpy;


  if(cmd == NULL || cmd == "")
    return(NULL);

  if(type[0] != 'r' && type[0] != 'w')
    return(NULL);

  if ((cmdcpy = strdup(cmd)) == NULL)
    return(NULL);

  argv = NULL;
  if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
  {
    free(cmdcpy);
    return(NULL);
  }

  for(i = 0;; i++)
  {
    if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
    {
      free(cmdcpy);
      return(NULL);
    }

    if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
    {
      free(cmdcpy);
      return(NULL);
    }

    strcpy(argv[i], ptr);

    if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
    {
      if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
      {
        free(cmdcpy);
        return(NULL);
      }
      argv[i+1] = NULL;
      break;
    }
  }


  if(type[0] == 'r')
    rpipe = 1;
  else
    wpipe = 1;

  if (pipe(pfd) < 0)
  {
    free(cmdcpy);
    return(NULL);
  }

	if((pid = fork()) < 0)
  {
    close(pfd[0]);
    close(pfd[1]);
    free(cmdcpy);
    return(NULL);
  }

	if(pid == 0)    /* child */
  {
    if((pid = fork()) < 0)
    {
      close(pfd[0]);
      close(pfd[1]);
      free(cmdcpy);
      return(NULL);
    }
    if(pid > 0)
    {
      exit(0);  /* child nr. 1 exits */
    }

    /* child nr. 2 */
    if(rpipe)
    {
      close(pfd[0]);  /* close reading end, we don't need it */
      dup2(STDOUT_FILENO, STDERR_FILENO);
      if (pfd[1] != STDOUT_FILENO)
        dup2(pfd[1], STDOUT_FILENO);  /* redirect stdout to writing end of pipe */
    }
    else
    {
      close(pfd[1]);  /* close writing end, we don't need it */
      if (pfd[0] != STDIN_FILENO)
        dup2(pfd[0], STDIN_FILENO);    /* redirect stdin to reading end of pipe */
	  }

    if(strchr(argv[0], '/') == NULL)
      execvp(argv[0], argv);  /* search in $PATH */
    else
      execv(argv[0], argv);

    close(pfd[0]);
    close(pfd[1]);
    free(cmdcpy);
    return(NULL);  /* exec failed.. ooops! */
  }
  else          /* parent */
  {
    waitpid(pid, NULL, 0); /* wait for child nr. 1 */

    if(rpipe)
    {
      close(pfd[1]);
      free(cmdcpy);
      return(fdopen(pfd[0], "r"));
    }
    else
    {
      close(pfd[0]);
      free(cmdcpy);
      return(fdopen(pfd[1], "w"));
    }

  }
}


Lines 32-37 Link Here

(-)lib/WrFFrBuf.c (-1 / +3 lines)
32	* Developed by Arnaud Le Hors *	32	* Developed by Arnaud Le Hors *
33	\*****************************************************************************/	33	\*****************************************************************************/
34		34
		35	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		36
35	#include "XpmI.h"	37	#include "XpmI.h"
36		38
37	int	39	int
Lines 49-55 Link Here
49	fcheck = fwrite(buffer, len, 1, fp);	51	fcheck = fwrite(buffer, len, 1, fp);
50	fclose(fp);	52	fclose(fp);
51	if (fcheck != 1)	53	if (fcheck != 1)
52	return XpmOpenFailed;	54	return XpmOpenFailed; /* maybe use a better return value */
53		55
54	return XpmSuccess;	56	return XpmSuccess;
55	}	57	}

Lines 38-43 Link Here

(-)lib/WrFFrI.c (-9 / +25 lines)
38	* Lorens Younes (d93-hyo@nada.kth.se) 4/96	38	* Lorens Younes (d93-hyo@nada.kth.se) 4/96
39	*/	39	*/
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42	#if !defined(NO_ZPIPE) && defined(WIN32)	44	#if !defined(NO_ZPIPE) && defined(WIN32)
43	# define popen _popen	45	# define popen _popen
Lines 98-104 Link Here
98	XpmInfo *info;	100	XpmInfo *info;
99	{	101	{
100	xpmData mdata;	102	xpmData mdata;
101	char name, dot, *s, new_name[BUFSIZ];	103	char name, dot, *s, new_name[BUFSIZ] = {0};
102	int ErrorStatus;	104	int ErrorStatus;
103		105
104	/* open file to write */	106	/* open file to write */
Lines 121-127 Link Here
121	#endif	123	#endif
122	/* let's try to make a valid C syntax name */	124	/* let's try to make a valid C syntax name */
123	if (index(name, '.')) {	125	if (index(name, '.')) {
124	strcpy(new_name, name);	126	strncpy(new_name, name, sizeof(new_name));
		127	new_name[sizeof(new_name)-1] = 0;
125	/* change '.' to '_' */	128	/* change '.' to '_' */
126	name = s = new_name;	129	name = s = new_name;
127	while ((dot = index(s, '.'))) {	130	while ((dot = index(s, '.'))) {
Lines 131-137 Link Here
131	}	134	}
132	if (index(name, '-')) {	135	if (index(name, '-')) {
133	if (name != new_name) {	136	if (name != new_name) {
134	strcpy(new_name, name);	137	strncpy(new_name, name, sizeof(new_name));
		138	new_name[sizeof(new_name)-1] = 0;
135	name = new_name;	139	name = new_name;
136	}	140	}
137	/* change '-' to '_' */	141	/* change '-' to '_' */
Lines 248-254 Link Here
248	unsigned int x, y, h;	252	unsigned int x, y, h;
249		253
250	h = height - 1;	254	h = height - 1;
251	if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)	255	if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
252	return XpmNoMemory;	256	return XpmNoMemory;
253	p = buf = (char ) XpmMalloc(width cpp + 3);	257	p = buf = (char ) XpmMalloc(width cpp + 3);
254	if (!buf)	258	if (!buf)
Lines 300-305 Link Here
300	/*	304	/*
301	* open the given file to be written as an xpmData which is returned	305	* open the given file to be written as an xpmData which is returned
302	*/	306	*/
		307	#ifndef NO_ZPIPE
		308	FILE s_popen(char cmd, const char *type);
		309	#else
		310	#define s_popen popen
		311	#endif
303	static int	312	static int
304	OpenWriteFile(filename, mdata)	313	OpenWriteFile(filename, mdata)
305	char *filename;	314	char *filename;
Lines 315-330 Link Here
315	mdata->type = XPMFILE;	324	mdata->type = XPMFILE;
316	} else {	325	} else {
317	#ifndef NO_ZPIPE	326	#ifndef NO_ZPIPE
318	int len = strlen(filename);	327	size_t len = strlen(filename);
		328
		329	if(len == 0 \|\|
		330	filename[0] == '/' \|\|
		331	strstr(filename, "../") != NULL \|\|
		332	filename[len-1] == '/')
		333	return(XpmOpenFailed);
		334
319	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {	335	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
320	sprintf(buf, "compress > \"%s\"", filename);	336	snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
321	if (!(mdata->stream.file = popen(buf, "w")))	337	if (!(mdata->stream.file = s_popen(buf, "w")))
322	return (XpmOpenFailed);	338	return (XpmOpenFailed);
323		339
324	mdata->type = XPMPIPE;	340	mdata->type = XPMPIPE;
325	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {	341	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
326	sprintf(buf, "gzip -q > \"%s\"", filename);	342	snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
327	if (!(mdata->stream.file = popen(buf, "w")))	343	if (!(mdata->stream.file = s_popen(buf, "w")))
328	return (XpmOpenFailed);	344	return (XpmOpenFailed);
329		345
330	mdata->type = XPMPIPE;	346	mdata->type = XPMPIPE;

Lines 396-402 Link Here

(-)lib/xpm.h (-1 / +1 lines)
396	FUNC(XpmAttributesSize, int, (void));	396	FUNC(XpmAttributesSize, int, (void));
397	FUNC(XpmFreeAttributes, void, (XpmAttributes *attributes));	397	FUNC(XpmFreeAttributes, void, (XpmAttributes *attributes));
398	FUNC(XpmFreeExtensions, void, (XpmExtension *extensions,	398	FUNC(XpmFreeExtensions, void, (XpmExtension *extensions,
399	int nextensions));	399	unsigned int nextensions));
400		400
401	FUNC(XpmFreeXpmImage, void, (XpmImage *image));	401	FUNC(XpmFreeXpmImage, void, (XpmImage *image));
402	FUNC(XpmFreeXpmInfo, void, (XpmInfo *info));	402	FUNC(XpmFreeXpmInfo, void, (XpmInfo *info));

Lines 49-56 Link Here

(-)lib/XpmI.h (+2 lines)
49	* lets try to solve include files	49	* lets try to solve include files
50	*/	50	*/
51		51
		52	#include <sys/types.h>
52	#include <stdio.h>	53	#include <stdio.h>
53	#include <stdlib.h>	54	#include <stdlib.h>
		55	#include <limits.h>
54	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */	56	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */
55	#ifdef sequent	57	#ifdef sequent
56	extern FILE *popen();	58	extern FILE *popen();

Return to bug 68544

Lines 31-36 Link Here

(-)lib/CrBufFrI.c (-24 / +74 lines)
31	* *	31	* *
32	* Developed by Arnaud Le Hors *	32	* Developed by Arnaud Le Hors *
33	\*****************************************************************************/	33	\*****************************************************************************/
		34
		35	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		36
34	/* $XFree86: xc/extras/Xpm/lib/CrBufFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */	37	/* $XFree86: xc/extras/Xpm/lib/CrBufFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
35		38
36	#include "XpmI.h"	39	#include "XpmI.h"
Lines 39-53 Link Here
39	unsigned int used_size, XpmColor colors,	42	unsigned int used_size, XpmColor colors,
40	unsigned int ncolors, unsigned int cpp));	43	unsigned int ncolors, unsigned int cpp));
41		44
42	LFUNC(WritePixels, void, (char dataptr, unsigned int used_size,	45	LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
		46	unsigned int *used_size,
43	unsigned int width, unsigned int height,	47	unsigned int width, unsigned int height,
44	unsigned int cpp, unsigned int *pixels,	48	unsigned int cpp, unsigned int *pixels,
45	XpmColor *colors));	49	XpmColor *colors));
46		50
47	LFUNC(WriteExtensions, void, (char dataptr, unsigned int used_size,	51	LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
		52	unsigned int *used_size,
48	XpmExtension *ext, unsigned int num));	53	XpmExtension *ext, unsigned int num));
49		54
50	LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));	55	LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
51	LFUNC(CommentsSize, int, (XpmInfo *info));	56	LFUNC(CommentsSize, int, (XpmInfo *info));
52		57
53	int	58	int
Lines 90-99 Link Here
90		95
91	#undef RETURN	96	#undef RETURN
92	#define RETURN(status) \	97	#define RETURN(status) \
		98	do \
93	{ \	99	{ \
94	ErrorStatus = status; \	100	ErrorStatus = status; \
95	goto error; \	101	goto error; \
96	}	102	}while(0)
97		103
98	int	104	int
99	XpmCreateBufferFromXpmImage(buffer_return, image, info)	105	XpmCreateBufferFromXpmImage(buffer_return, image, info)
Lines 107-113 Link Here
107	unsigned int cmts, extensions, ext_size = 0;	113	unsigned int cmts, extensions, ext_size = 0;
108	unsigned int l, cmt_size = 0;	114	unsigned int l, cmt_size = 0;
109	char ptr = NULL, p;	115	char ptr = NULL, p;
110	unsigned int ptr_size, used_size;	116	unsigned int ptr_size, ptr_size_old, used_size;
111		117
112	*buffer_return = NULL;	118	*buffer_return = NULL;
113		119
Lines 129-135 Link Here
129	#ifdef VOID_SPRINTF	135	#ifdef VOID_SPRINTF
130	used_size = strlen(buf);	136	used_size = strlen(buf);
131	#endif	137	#endif
132	ptr_size = used_size + ext_size + cmt_size + 1;	138	ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
		139	if(ptr_size <= used_size \|\|
		140	ptr_size <= ext_size \|\|
		141	ptr_size <= cmt_size)
		142	{
		143	return XpmNoMemory;
		144	}
133	ptr = (char *) XpmMalloc(ptr_size);	145	ptr = (char *) XpmMalloc(ptr_size);
134	if (!ptr)	146	if (!ptr)
135	return XpmNoMemory;	147	return XpmNoMemory;
Lines 140-146 Link Here
140	#ifndef VOID_SPRINTF	152	#ifndef VOID_SPRINTF
141	used_size +=	153	used_size +=
142	#endif	154	#endif
143	sprintf(ptr + used_size, "/%s/\n", info->hints_cmt);	155	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->hints_cmt);
144	#ifdef VOID_SPRINTF	156	#ifdef VOID_SPRINTF
145	used_size += strlen(info->hints_cmt) + 5;	157	used_size += strlen(info->hints_cmt) + 5;
146	#endif	158	#endif
Lines 158-164 Link Here
158	#ifndef VOID_SPRINTF	170	#ifndef VOID_SPRINTF
159	l +=	171	l +=
160	#endif	172	#endif
161	sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);	173	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
162	#ifdef VOID_SPRINTF	174	#ifdef VOID_SPRINTF
163	l = strlen(buf);	175	l = strlen(buf);
164	#endif	176	#endif
Lines 180-185 Link Here
180	l = strlen(buf);	192	l = strlen(buf);
181	#endif	193	#endif
182	ptr_size += l;	194	ptr_size += l;
		195	if(ptr_size <= l)
		196	RETURN(XpmNoMemory);
183	p = (char *) XpmRealloc(ptr, ptr_size);	197	p = (char *) XpmRealloc(ptr, ptr_size);
184	if (!p)	198	if (!p)
185	RETURN(XpmNoMemory);	199	RETURN(XpmNoMemory);
Lines 192-198 Link Here
192	#ifndef VOID_SPRINTF	206	#ifndef VOID_SPRINTF
193	used_size +=	207	used_size +=
194	#endif	208	#endif
195	sprintf(ptr + used_size, "/%s/\n", info->colors_cmt);	209	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->colors_cmt);
196	#ifdef VOID_SPRINTF	210	#ifdef VOID_SPRINTF
197	used_size += strlen(info->colors_cmt) + 5;	211	used_size += strlen(info->colors_cmt) + 5;
198	#endif	212	#endif
Lines 208-215 Link Here
208	* 4 = 1 (for '"') + 3 (for '",\n')	222	* 4 = 1 (for '"') + 3 (for '",\n')
209	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')	223	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
210	*/	224	*/
		225	/* is the first and the last test necessary? */
		226	if(image->width > (UINT_MAX / (image->cpp)) - 4)
		227	RETURN(XpmNoMemory);
		228	if(image->height > (UINT_MAX / (image->width * image->cpp + 4)) - 1)
		229	RETURN(XpmNoMemory);
		230	ptr_size_old = ptr_size;
211	ptr_size += image->height * (image->width * image->cpp + 4) + 1;	231	ptr_size += image->height * (image->width * image->cpp + 4) + 1;
212		232	if (ptr_size <= ptr_size_old)
		233	RETURN(XpmNoMemory);
213	p = (char *) XpmRealloc(ptr, ptr_size);	234	p = (char *) XpmRealloc(ptr, ptr_size);
214	if (!p)	235	if (!p)
215	RETURN(XpmNoMemory);	236	RETURN(XpmNoMemory);
Lines 220-236 Link Here
220	#ifndef VOID_SPRINTF	241	#ifndef VOID_SPRINTF
221	used_size +=	242	used_size +=
222	#endif	243	#endif
223	sprintf(ptr + used_size, "/%s/\n", info->pixels_cmt);	244	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->pixels_cmt);
224	#ifdef VOID_SPRINTF	245	#ifdef VOID_SPRINTF
225	used_size += strlen(info->pixels_cmt) + 5;	246	used_size += strlen(info->pixels_cmt) + 5;
226	#endif	247	#endif
227	}	248	}
228	WritePixels(ptr + used_size, &used_size, image->width, image->height,	249	WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
229	image->cpp, image->data, image->colorTable);	250	image->cpp, image->data, image->colorTable);
230		251
231	/* print extensions */	252	/* print extensions */
232	if (extensions)	253	if (extensions)
233	WriteExtensions(ptr + used_size, &used_size,	254	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
234	info->extensions, info->nextensions);	255	info->extensions, info->nextensions);
235		256
236	/* close the array */	257	/* close the array */
Lines 247-252 Link Here
247	return (ErrorStatus);	268	return (ErrorStatus);
248	}	269	}
249		270
		271
250	static int	272	static int
251	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)	273	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
252	char **dataptr;	274	char **dataptr;
Lines 256-262 Link Here
256	unsigned int ncolors;	278	unsigned int ncolors;
257	unsigned int cpp;	279	unsigned int cpp;
258	{	280	{
259	char buf[BUFSIZ];	281	char buf[BUFSIZ] = {0};
260	unsigned int a, key, l;	282	unsigned int a, key, l;
261	char s, s2;	283	char s, s2;
262	char **defaults;	284	char **defaults;
Lines 266-271 Link Here
266		288
267	defaults = (char **) colors;	289	defaults = (char **) colors;
268	s = buf + 1;	290	s = buf + 1;
		291	if(cpp > (sizeof(buf) - (s-buf)))
		292	return(XpmNoMemory);
269	strncpy(s, *defaults++, cpp);	293	strncpy(s, *defaults++, cpp);
270	s += cpp;	294	s += cpp;
271		295
Lines 274-287 Link Here
274	#ifndef VOID_SPRINTF	298	#ifndef VOID_SPRINTF
275	s +=	299	s +=
276	#endif	300	#endif
277	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	301	/* assume C99 compliance */
		302	snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
278	#ifdef VOID_SPRINTF	303	#ifdef VOID_SPRINTF
279	s += strlen(s);	304	s += strlen(s);
280	#endif	305	#endif
		306	/* now let's check if s points out-of-boundsa*/
		307	if((s-buf) > sizeof(buf))
		308	return(XpmNoMemory);
281	}	309	}
282	}	310	}
		311	if(sizeof(buf) - (s-buf) < 4)
		312	return(XpmNoMemory);
283	strcpy(s, "\",\n");	313	strcpy(s, "\",\n");
284	l = s + 3 - buf;	314	l = s + 3 - buf;
		315	if( *data_size >= UINT_MAX-l \|\|
		316	data_size + l <= used_size \|\|
		317	(data_size + l - used_size) <= sizeof(buf))
		318	return(XpmNoMemory);
285	s = (char ) XpmRealloc(dataptr, *data_size + l);	319	s = (char ) XpmRealloc(dataptr, *data_size + l);
286	if (!s)	320	if (!s)
287	return (XpmNoMemory);	321	return (XpmNoMemory);
Lines 294-301 Link Here
294	}	328	}
295		329
296	static void	330	static void
297	WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)	331	WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
298	char *dataptr;	332	char *dataptr;
		333	unsigned int data_size;
299	unsigned int *used_size;	334	unsigned int *used_size;
300	unsigned int width;	335	unsigned int width;
301	unsigned int height;	336	unsigned int height;
Lines 306-332 Link Here
306	char *s = dataptr;	341	char *s = dataptr;
307	unsigned int x, y, h;	342	unsigned int x, y, h;
308		343
		344	if(height <= 1)
		345	return;
		346
309	h = height - 1;	347	h = height - 1;
310	for (y = 0; y < h; y++) {	348	for (y = 0; y < h; y++) {
311	*s++ = '"';	349	*s++ = '"';
312	for (x = 0; x < width; x++, pixels++) {	350	for (x = 0; x < width; x++, pixels++) {
313	strncpy(s, colors[*pixels].string, cpp);	351	if(cpp >= (data_size - (s-dataptr)))
		352	return;
		353	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? :-\ /
314	s += cpp;	354	s += cpp;
315	}	355	}
		356	if((data_size - (s-dataptr)) < 4)
		357	return;
316	strcpy(s, "\",\n");	358	strcpy(s, "\",\n");
317	s += 3;	359	s += 3;
318	}	360	}
319	/* duplicate some code to avoid a test in the loop */	361	/* duplicate some code to avoid a test in the loop */
320	*s++ = '"';	362	*s++ = '"';
321	for (x = 0; x < width; x++, pixels++) {	363	for (x = 0; x < width; x++, pixels++) {
322	strncpy(s, colors[*pixels].string, cpp);	364	if(cpp >= (data_size - (s-dataptr)))
		365	return;
		366	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? /
323	s += cpp;	367	s += cpp;
324	}	368	}
325	*s++ = '"';	369	*s++ = '"';
326	*used_size += s - dataptr;	370	*used_size += s - dataptr;
327	}	371	}
328		372
329	static int	373	static unsigned int
330	ExtensionsSize(ext, num)	374	ExtensionsSize(ext, num)
331	XpmExtension *ext;	375	XpmExtension *ext;
332	unsigned int num;	376	unsigned int num;
Lines 335-355 Link Here
335	char **line;	379	char **line;
336		380
337	size = 0;	381	size = 0;
		382	if(num == 0)
		383	return(0); /* ok? */
338	for (x = 0; x < num; x++, ext++) {	384	for (x = 0; x < num; x++, ext++) {
339	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */	385	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
340	size += strlen(ext->name) + 11;	386	size += strlen(ext->name) + 11;
341	a = ext->nlines;	387	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
342	for (y = 0, line = ext->lines; y < a; y++, line++)	388	for (y = 0, line = ext->lines; y < a; y++, line++)
343	/* 4 = 3 (for ',\n"') + 1 (for '"') */	389	/* 4 = 3 (for ',\n"') + 1 (for '"') */
344	size += strlen(*line) + 4;	390	size += strlen(*line) + 4;
345	}	391	}
346	/* 13 is for ',\n"XPMENDEXT"' */	392	/* 13 is for ',\n"XPMENDEXT"' */
		393	if(size > UINT_MAX - 13) /* unlikely */
		394	return(0);
347	return size + 13;	395	return size + 13;
348	}	396	}
349		397
350	static void	398	static void
351	WriteExtensions(dataptr, used_size, ext, num)	399	WriteExtensions(dataptr, data_size, used_size, ext, num)
352	char *dataptr;	400	char *dataptr;
		401	unsigned int data_size;
353	unsigned int *used_size;	402	unsigned int *used_size;
354	XpmExtension *ext;	403	XpmExtension *ext;
355	unsigned int num;	404	unsigned int num;
Lines 362-368 Link Here
362	#ifndef VOID_SPRINTF	411	#ifndef VOID_SPRINTF
363	s +=	412	s +=
364	#endif	413	#endif
365	sprintf(s, ",\n\"XPMEXT %s\"", ext->name);	414	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
366	#ifdef VOID_SPRINTF	415	#ifdef VOID_SPRINTF
367	s += strlen(ext->name) + 11;	416	s += strlen(ext->name) + 11;
368	#endif	417	#endif
Lines 371-383 Link Here
371	#ifndef VOID_SPRINTF	420	#ifndef VOID_SPRINTF
372	s +=	421	s +=
373	#endif	422	#endif
374	sprintf(s, ",\n\"%s\"", *line);	423	snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
375	#ifdef VOID_SPRINTF	424	#ifdef VOID_SPRINTF
376	s += strlen(*line) + 4;	425	s += strlen(*line) + 4;
377	#endif	426	#endif
378	}	427	}
379	}	428	}
380	strcpy(s, ",\n\"XPMENDEXT\"");	429	strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
381	*used_size += s - dataptr + 13;	430	*used_size += s - dataptr + 13;
382	}	431	}
383		432
Lines 388-393 Link Here
388	int size = 0;	437	int size = 0;
389		438
390	/* 5 = 2 (for "/_") + 3 (for "_/\n") */	439	/* 5 = 2 (for "/_") + 3 (for "_/\n") */
		440	/* wrap possible but very unlikely */
391	if (info->hints_cmt)	441	if (info->hints_cmt)
392	size += 5 + strlen(info->hints_cmt);	442	size += 5 + strlen(info->hints_cmt);
393		443

Lines 104-116 Link Here

(-)lib/Imakefile (-2 / +4 lines)
104	CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \	104	CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
105	CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \	105	CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
106	CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \	106	CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
107	Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c	107	Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
		108	s_popen.c
108		109
109	OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \	110	OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
110	CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \	111	CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
111	CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \	112	CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \
112	CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \	113	CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
113	Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o	114	Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
		115	s_popen.o
114		116
115	INCLUDES = -I.	117	INCLUDES = -I.
116	LINTLIBS = $(LINTXTOLL) $(LINTXLIB)	118	LINTLIBS = $(LINTXTOLL) $(LINTXLIB)

Lines 41-66 Link Here

(-)lib/parse.c (-25 / +35 lines)
41	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	41	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
42	*/	42	*/
43		43
		44	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		45
44	#include "XpmI.h"	46	#include "XpmI.h"
45	#include <ctype.h>	47	#include <ctype.h>
46	#include <string.h>	48	#include <string.h>
47		49
48	#ifdef HAS_STRLCAT	50	#ifdef HAS_STRLCAT
49	# define STRLCAT(dst, src, dstsize) { \	51	# define STRLCAT(dst, src, dstsize) do { \
50	if (strlcat(dst, src, dstsize) >= (dstsize)) \	52	if (strlcat(dst, src, dstsize) >= (dstsize)) \
51	return (XpmFileInvalid); }	53	return (XpmFileInvalid); } while(0)
52	# define STRLCPY(dst, src, dstsize) { \	54	# define STRLCPY(dst, src, dstsize) do { \
53	if (strlcpy(dst, src, dstsize) >= (dstsize)) \	55	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
54	return (XpmFileInvalid); }	56	return (XpmFileInvalid); } while(0)
55	#else	57	#else
56	# define STRLCAT(dst, src, dstsize) { \	58	# define STRLCAT(dst, src, dstsize) do { \
57	if ((strlen(dst) + strlen(src)) < (dstsize)) \	59	if ((strlen(dst) + strlen(src)) < (dstsize)) \
58	strcat(dst, src); \	60	strcat(dst, src); \
59	else return (XpmFileInvalid); }	61	else return (XpmFileInvalid); } while(0)
60	# define STRLCPY(dst, src, dstsize) { \	62	# define STRLCPY(dst, src, dstsize) do { \
61	if (strlen(src) < (dstsize)) \	63	if (strlen(src) < (dstsize)) \
62	strcpy(dst, src); \	64	strcpy(dst, src); \
63	else return (XpmFileInvalid); }	65	else return (XpmFileInvalid); } while(0)
64	#endif	66	#endif
65		67
66	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,	68	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
Lines 277-285 Link Here
277	return (XpmFileInvalid);	279	return (XpmFileInvalid);
278	}	280	}
279	if (!lastwaskey)	281	if (!lastwaskey)
280	STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */	282	STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
281	buf[l] = '\0';	283	buf[l] = '\0';
282	STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */	284	STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
283	lastwaskey = 0;	285	lastwaskey = 0;
284	}	286	}
285	}	287	}
Lines 287-293 Link Here
287	xpmFreeColorTable(colorTable, ncolors);	289	xpmFreeColorTable(colorTable, ncolors);
288	return (XpmFileInvalid);	290	return (XpmFileInvalid);
289	}	291	}
290	len = strlen(curbuf) + 1;	292	len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
291	s = defaults[curkey] = (char *) XpmMalloc(len);	293	s = defaults[curkey] = (char *) XpmMalloc(len);
292	if (!s) {	294	if (!s) {
293	xpmFreeColorTable(colorTable, ncolors);	295	xpmFreeColorTable(colorTable, ncolors);
Lines 351-357 Link Here
351	memcpy(s, curbuf, len);	353	memcpy(s, curbuf, len);
352	color->c_color = s;	354	color->c_color = s;
353	curbuf = '\0'; / reset curbuf */	355	curbuf = '\0'; / reset curbuf */
354	if (a < ncolors - 1)	356	if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
355	xpmNextString(data); /* get to the next string */	357	xpmNextString(data); /* get to the next string */
356	}	358	}
357	}	359	}
Lines 370-379 Link Here
370	xpmHashTable *hashtable;	372	xpmHashTable *hashtable;
371	unsigned int **pixels;	373	unsigned int **pixels;
372	{	374	{
373	unsigned int iptr, iptr2;	375	unsigned int iptr, iptr2 = NULL; /* found by Egbert Eich */
374	unsigned int a, x, y;	376	unsigned int a, x, y;
375		377
376	if ((height > 0 && width >= SIZE_MAX / height) \|\|	378	if ((height > 0 && width >= UINT_MAX / height) \|\|
377	width * height >= UINT_MAX / sizeof(unsigned int))	379	width * height >= UINT_MAX / sizeof(unsigned int))
378	return XpmNoMemory;	380	return XpmNoMemory;
379	#ifndef FOR_MSW	381	#ifndef FOR_MSW
Lines 399-406 Link Here
399	{	401	{
400	unsigned short colidx[256];	402	unsigned short colidx[256];
401		403
402	if (ncolors > 256)	404	if (ncolors > 256) {
		405	XpmFree(iptr2); /* found by Egbert Eich */
403	return (XpmFileInvalid);	406	return (XpmFileInvalid);
		407	}
404		408
405	bzero((char )colidx, 256 sizeof(short));	409	bzero((char )colidx, 256 sizeof(short));
406	for (a = 0; a < ncolors; a++)	410	for (a = 0; a < ncolors; a++)
Lines 427-434 Link Here
427	{	431	{
428		432
429	/* free all allocated pointers at all exits */	433	/* free all allocated pointers at all exits */
430	#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \	434	#define FREE_CIDX \
431	if (cidx[f]) XpmFree(cidx[f]);}	435	do \
		436	{ \
		437	int f; for (f = 0; f < 256; f++) \
		438	if (cidx[f]) XpmFree(cidx[f]); \
		439	} while(0)
432		440
433	/* array of pointers malloced by need */	441	/* array of pointers malloced by need */
434	unsigned short *cidx[256];	442	unsigned short *cidx[256];
Lines 436-442 Link Here
436		444
437	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	445	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
438	for (a = 0; a < ncolors; a++) {	446	for (a = 0; a < ncolors; a++) {
439	char1 = colorTable[a].string[0];	447	char1 = (unsigned char) colorTable[a].string[0];
440	if (cidx[char1] == NULL) { /* get new memory */	448	if (cidx[char1] == NULL) { /* get new memory */
441	cidx[char1] = (unsigned short *)	449	cidx[char1] = (unsigned short *)
442	XpmCalloc(256, sizeof(unsigned short));	450	XpmCalloc(256, sizeof(unsigned short));
Lines 480-487 Link Here
480	char *s;	488	char *s;
481	char buf[BUFSIZ];	489	char buf[BUFSIZ];
482		490
483	if (cpp >= sizeof(buf))	491	if (cpp >= sizeof(buf)) {
		492	XpmFree(iptr2); /* found by Egbert Eich */
484	return (XpmFileInvalid);	493	return (XpmFileInvalid);
		494	}
485		495
486	buf[cpp] = '\0';	496	buf[cpp] = '\0';
487	if (USE_HASHTABLE) {	497	if (USE_HASHTABLE) {
Lines 491-497 Link Here
491	xpmNextString(data);	501	xpmNextString(data);
492	for (x = 0; x < width; x++, iptr++) {	502	for (x = 0; x < width; x++, iptr++) {
493	for (a = 0, s = buf; a < cpp; a++, s++)	503	for (a = 0, s = buf; a < cpp; a++, s++)
494	*s = xpmGetC(data);	504	s = xpmGetC(data); / int assigned to char, not a problem here */
495	slot = xpmHashSlot(hashtable, buf);	505	slot = xpmHashSlot(hashtable, buf);
496	if (!slot) { / no color matches */	506	if (!slot) { / no color matches */
497	XpmFree(iptr2);	507	XpmFree(iptr2);
Lines 505-511 Link Here
505	xpmNextString(data);	515	xpmNextString(data);
506	for (x = 0; x < width; x++, iptr++) {	516	for (x = 0; x < width; x++, iptr++) {
507	for (a = 0, s = buf; a < cpp; a++, s++)	517	for (a = 0, s = buf; a < cpp; a++, s++)
508	*s = xpmGetC(data);	518	s = xpmGetC(data); / int assigned to char, not a problem here */
509	for (a = 0; a < ncolors; a++)	519	for (a = 0; a < ncolors; a++)
510	if (!strcmp(colorTable[a].string, buf))	520	if (!strcmp(colorTable[a].string, buf))
511	break;	521	break;
Lines 560-566 Link Here
560	while (!notstart && notend) {	570	while (!notstart && notend) {
561	/* there starts an extension */	571	/* there starts an extension */
562	ext = (XpmExtension *)	572	ext = (XpmExtension *)
563	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));	573	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
564	if (!ext) {	574	if (!ext) {
565	XpmFree(string);	575	XpmFree(string);
566	XpmFreeExtensions(exts, num);	576	XpmFreeExtensions(exts, num);
Lines 597-603 Link Here
597	while ((notstart = strncmp("XPMEXT", string, 6))	607	while ((notstart = strncmp("XPMEXT", string, 6))
598	&& (notend = strncmp("XPMENDEXT", string, 9))) {	608	&& (notend = strncmp("XPMENDEXT", string, 9))) {
599	sp = (char **)	609	sp = (char **)
600	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));	610	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char )); / can we iterate enough for a wrapping? */
601	if (!sp) {	611	if (!sp) {
602	XpmFree(string);	612	XpmFree(string);
603	ext->nlines = nlines;	613	ext->nlines = nlines;
Lines 637-645 Link Here
637	/* function call in case of error */	647	/* function call in case of error */
638	#undef RETURN	648	#undef RETURN
639	#define RETURN(status) \	649	#define RETURN(status) \
640	{ \	650	do { \
641	goto error; \	651	goto error; \
642	}	652	} while(0)
643		653
644	/*	654	/*
645	* This function parses an Xpm file or data and store the found informations	655	* This function parses an Xpm file or data and store the found informations

Line 0 Link Here

(-)lib/s_popen.c (+153 lines)
		1	/*
		2	** This is a secure but NOT 100% compatible replacement for popen()
		3	** Note: - don't use pclose() use fclose() for closing the returned
		4	** filedesc.!!!
		5	**
		6	** Known Bugs: - unable to use i/o-redirection like > or <
		7	** Author: - Thomas Biege <thomas@suse.de>
		8	** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
		9	** calling strtok()
		10	*/
		11
		12	#include <sys/types.h>
		13	#include <sys/wait.h>
		14	#include <stdio.h>
		15	#include <stdlib.h>
		16	#include <unistd.h>
		17	#include <string.h>
		18
		19	#define __SEC_POPEN_TOKEN " "
		20
		21	FILE s_popen(char cmd, const char *type)
		22	{
		23	pid_t pid;
		24	int pfd[2];
		25	int rpipe = 0, wpipe = 0, i;
		26	char **argv;
		27	char *ptr;
		28	char *cmdcpy;
		29
		30
		31	if(cmd == NULL \|\| cmd == "")
		32	return(NULL);
		33
		34	if(type[0] != 'r' && type[0] != 'w')
		35	return(NULL);
		36
		37	if ((cmdcpy = strdup(cmd)) == NULL)
		38	return(NULL);
		39
		40	argv = NULL;
		41	if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
		42	{
		43	free(cmdcpy);
		44	return(NULL);
		45	}
		46
		47	for(i = 0;; i++)
		48	{
		49	if( ( argv = (char *) realloc(argv, (i+1) sizeof(char *)) ) == NULL)
		50	{
		51	free(cmdcpy);
		52	return(NULL);
		53	}
		54
		55	if( ((argv+i) = (char ) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
		56	{
		57	free(cmdcpy);
		58	return(NULL);
		59	}
		60
		61	strcpy(argv[i], ptr);
		62
		63	if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
		64	{
65	if( ( argv = (char *) realloc(argv, (i+2) sizeof(char *))) == NULL)
66	{
67	free(cmdcpy);
68	return(NULL);
69	}
70	argv[i+1] = NULL;
71	break;
72	}
73	}
74
75
76	if(type[0] == 'r')
77	rpipe = 1;
78	else
79	wpipe = 1;
80
81	if (pipe(pfd) < 0)
82	{
83	free(cmdcpy);
84	return(NULL);
85	}
86
87	if((pid = fork()) < 0)
88	{
89	close(pfd[0]);
90	close(pfd[1]);
91	free(cmdcpy);
92	return(NULL);
93	}
94
95	if(pid == 0) /* child */
96	{
97	if((pid = fork()) < 0)
98	{
99	close(pfd[0]);
100	close(pfd[1]);
101	free(cmdcpy);
102	return(NULL);
103	}
104	if(pid > 0)
105	{
106	exit(0); /* child nr. 1 exits */
107	}
108
109	/* child nr. 2 */
110	if(rpipe)
111	{
112	close(pfd[0]); /* close reading end, we don't need it */
113	dup2(STDOUT_FILENO, STDERR_FILENO);
114	if (pfd[1] != STDOUT_FILENO)
115	dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
116	}
117	else
118	{
119	close(pfd[1]); /* close writing end, we don't need it */
120	if (pfd[0] != STDIN_FILENO)
121	dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
122	}
123
124	if(strchr(argv[0], '/') == NULL)
125	execvp(argv[0], argv); /* search in $PATH */
126	else
127	execv(argv[0], argv);
128
129	close(pfd[0]);
130	close(pfd[1]);
131	free(cmdcpy);
132	return(NULL); /* exec failed.. ooops! */
133	}
134	else /* parent */
135	{
136	waitpid(pid, NULL, 0); /* wait for child nr. 1 */
137
138	if(rpipe)
139	{
140	close(pfd[1]);
141	free(cmdcpy);
142	return(fdopen(pfd[0], "r"));
143	}
144	else
145	{
146	close(pfd[0]);
147	free(cmdcpy);
148	return(fdopen(pfd[1], "w"));
149	}
150
151	}
152	}
153