Attachment #48861 for bug #78111

Lines 169-175 Link Here

(-)motif.0194/lib/Xm/Imakefile (-2 / +2 lines)
169	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \	169	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \
170	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \	170	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \
171	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \	171	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \
172	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c	172	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c s_popen.c
173		173
174	#if UseLocalRegex	174	#if UseLocalRegex
175	REGEX_SRCS = regexp.c	175	REGEX_SRCS = regexp.c
Lines 232-238 Link Here
232	XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \	232	XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \
233	XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \	233	XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \
234	XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \	234	XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \
235	XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o	235	XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o s_popen.o
236		236
237	#if UseLocalRegex	237	#if UseLocalRegex
238	REGEX_OBJS = regexp.o	238	REGEX_OBJS = regexp.o

Lines 33-45 Link Here

(-)motif.0194/lib/Xm/XpmAttrib.c (-6 / +8 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	/* 3.2 backward compatibility code */	40	/* 3.2 backward compatibility code */
39	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,	41	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
40	XpmColor ***oldct));	42	XpmColor ***oldct));
41		43
42	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));	44	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
43		45
44	/*	46	/*
45	* Create a colortable compatible with the old style colortable	47	* Create a colortable compatible with the old style colortable
Lines 51-59 Link Here
51	XpmColor ***oldct;	53	XpmColor ***oldct;
52	{	54	{
53	XpmColor colorTable, color;	55	XpmColor colorTable, color;
54	int a;	56	unsigned int a;
55		57
56	if (ncolors >= SIZE_MAX / sizeof(XpmColor *))	58	if (ncolors >= UINT_MAX / sizeof(XpmColor *))
57	return XpmNoMemory;	59	return XpmNoMemory;
58		60
59	colorTable = (XpmColor *) XpmMalloc(ncolors sizeof(XpmColor *));	61	colorTable = (XpmColor *) XpmMalloc(ncolors sizeof(XpmColor *));
Lines 70-78 Link Here
70	static void	72	static void
71	FreeOldColorTable(colorTable, ncolors)	73	FreeOldColorTable(colorTable, ncolors)
72	XpmColor **colorTable;	74	XpmColor **colorTable;
73	int ncolors;	75	unsigned int ncolors;
74	{	76	{
75	int a, b;	77	unsigned int a, b;
76	XpmColor **color;	78	XpmColor **color;
77	char **sptr;	79	char **sptr;
78		80
Lines 123-129 Link Here
123	XpmExtension *ext;	125	XpmExtension *ext;
124	char **sptr;	126	char **sptr;
125		127
126	if (extensions) {	128	if (extensions && nextensions > 0) {
127	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {	129	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
128	if (ext->name)	130	if (ext->name)
129	XpmFree(ext->name);	131	XpmFree(ext->name);




			 unsigned int *used_size, XpmColor *colors,
			 unsigned int ncolors, unsigned int cpp));

LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
			  unsigned int *used_size,
			  unsigned int width, unsigned int height,
			  unsigned int cpp, unsigned int *pixels,
			  XpmColor *colors));

LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
			      unsigned int *used_size,
			      XpmExtension *ext, unsigned int num));

LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
LFUNC(CommentsSize, int, (XpmInfo *info));

int


#undef RETURN
#define RETURN(status) \
do { \
    if (ptr) \
	XpmFree(ptr); \
    return(status); \
} while(0)

int
XpmCreateBufferFromXpmImage(buffer_return, image, info)

    unsigned int cmts, extensions, ext_size = 0;
    unsigned int l, cmt_size = 0;
    char *ptr = NULL, *p;
    unsigned int ptr_size, used_size, tmp;

    *buffer_return = NULL;


#ifdef VOID_SPRINTF
    used_size = strlen(buf);
#endif
    ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
    if(ptr_size <= used_size ||
       ptr_size <= ext_size  ||
       ptr_size <= cmt_size)
    {
        return XpmNoMemory;
    }
    ptr = (char *) XpmMalloc(ptr_size);
    if (!ptr)
	return XpmNoMemory;

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->hints_cmt) + 5;
#endif

#ifndef VOID_SPRINTF
	l +=
#endif
	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
#ifdef VOID_SPRINTF
	l = strlen(buf);
#endif

    l = strlen(buf);
#endif
    ptr_size += l;
    if(ptr_size <= l)
        RETURN(XpmNoMemory);
    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)
	RETURN(XpmNoMemory);

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->colors_cmt) + 5;
#endif

     * 4 = 1 (for '"') + 3 (for '",\n')
     * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
     */
     if(image->width  > UINT_MAX / image->cpp ||
       (tmp = image->width * image->cpp + 4) <= 4 ||
        image->height > UINT_MAX / tmp ||
       (tmp = image->height * tmp + 1) <= 1 ||
       (ptr_size += tmp) <= tmp)
	RETURN(XpmNoMemory);

    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->pixels_cmt) + 5;
#endif
    }
    WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
		image->cpp, image->data, image->colorTable);

    /* print extensions */
    if (extensions)
	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
			info->extensions, info->nextensions);

    /* close the array */

    return (XpmSuccess);
}


static int
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
    char **dataptr;

    unsigned int ncolors;
    unsigned int cpp;
{
    char buf[BUFSIZ] = {0};
    unsigned int a, key, l;
    char *s, *s2;
    char **defaults;


	defaults = (char **) colors;
	s = buf + 1;
	if(cpp > (sizeof(buf) - (s-buf)))
		return(XpmNoMemory);
	strncpy(s, *defaults++, cpp);
	s += cpp;


#ifndef VOID_SPRINTF
		s +=
#endif
		/* assume C99 compliance */
		snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
#ifdef VOID_SPRINTF
		s += strlen(s);
#endif
		/* now let's check if s points out-of-bounds */
		if((s-buf) > sizeof(buf))
			return(XpmNoMemory);
	    }
	}
	if(sizeof(buf) - (s-buf) < 4)
		return(XpmNoMemory);
	strcpy(s, "\",\n");
	l = s + 3 - buf;
	if( *data_size                   >= UINT_MAX-l ||
	    *data_size + l               <= *used_size ||
	   (*data_size + l - *used_size) <= sizeof(buf))
		return(XpmNoMemory);
	s = (char *) XpmRealloc(*dataptr, *data_size + l);
	if (!s)
	    return (XpmNoMemory);

}

static void
WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    unsigned int width;
    unsigned int height;

    char *s = dataptr;
    unsigned int x, y, h;

    if(height <= 1)
    	return;

    h = height - 1;
    for (y = 0; y < h; y++) {
	*s++ = '"';
	for (x = 0; x < width; x++, pixels++) {
	    if(cpp >= (data_size - (s-dataptr)))
		return;
	    strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
	    s += cpp;
	}
	if((data_size - (s-dataptr)) < 4)
		return;
	strcpy(s, "\",\n");
	s += 3;
    }
    /* duplicate some code to avoid a test in the loop */
    *s++ = '"';
    for (x = 0; x < width; x++, pixels++) {
	if(cpp >= (data_size - (s-dataptr)))
	    return;
	strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
	s += cpp;
    }
    *s++ = '"';
    *used_size += s - dataptr;
}

static unsigned int
ExtensionsSize(ext, num)
    XpmExtension *ext;
    unsigned int num;

    char **line;

    size = 0;
    if(num == 0)
    	return(0); /* ok? */
    for (x = 0; x < num; x++, ext++) {
	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
	size += strlen(ext->name) + 11;
	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
	for (y = 0, line = ext->lines; y < a; y++, line++)
	    /* 4 = 3 (for ',\n"') + 1 (for '"') */
	    size += strlen(*line) + 4;
    }
    /* 13 is for ',\n"XPMENDEXT"' */
    if(size > UINT_MAX - 13) /* unlikely */
    	return(0);
    return size + 13;
}

static void
WriteExtensions(dataptr, data_size, used_size, ext, num)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    XpmExtension *ext;
    unsigned int num;

#ifndef VOID_SPRINTF
	s += 11 +
#endif
	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
#ifdef VOID_SPRINTF
	s += strlen(ext->name) + 11;
#endif

#ifndef VOID_SPRINTF
	    s += 4 +
#endif
	    snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
#ifdef VOID_SPRINTF
	    s += strlen(*line) + 4;
#endif
	}
    }
    strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
    *used_size += s - dataptr + 13;
}


    int size = 0;

    /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
    /* wrap possible but *very* unlikely */
    if (info->hints_cmt)
	size += 5 + strlen(info->hints_cmt);


Lines 33-45 Link Here

(-)motif.0194/lib/Xm/XpmCrDatFrI.c (-19 / +76 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,	40	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,
39	XpmColor *colors, unsigned int ncolors,	41	XpmColor *colors, unsigned int ncolors,
40	unsigned int cpp));	42	unsigned int cpp));
41		43
42	LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,	44	LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
		45	unsigned int width,
43	unsigned int height, unsigned int cpp,	46	unsigned int height, unsigned int cpp,
44	unsigned int pixels, XpmColor colors));	47	unsigned int pixels, XpmColor colors));
45		48
Lines 47-53 Link Here
47	unsigned int *ext_size,	50	unsigned int *ext_size,
48	unsigned int *ext_nlines));	51	unsigned int *ext_nlines));
49		52
50	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,	53	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
		54	unsigned int offset,
51	XpmExtension *ext, unsigned int num,	55	XpmExtension *ext, unsigned int num,
52	unsigned int ext_nlines));	56	unsigned int ext_nlines));
53		57
Lines 88-94 Link Here
88		92
89	#undef RETURN	93	#undef RETURN
90	#define RETURN(status) \	94	#define RETURN(status) \
91	{ \	95	do { \
92	if (header) { \	96	if (header) { \
93	for (l = 0; l < header_nlines; l++) \	97	for (l = 0; l < header_nlines; l++) \
94	if (header[l]) \	98	if (header[l]) \
Lines 96-102 Link Here
96	XpmFree(header); \	100	XpmFree(header); \
97	} \	101	} \
98	return(status); \	102	return(status); \
99	}	103	} while(0)
100		104
101	int	105	int
102	XpmCreateDataFromXpmImage(data_return, image, info)	106	XpmCreateDataFromXpmImage(data_return, image, info)
Lines 127-137 Link Here
127	* alloc a temporary array of char pointer for the header section which	131	* alloc a temporary array of char pointer for the header section which
128	* is the hints line + the color table lines	132	* is the hints line + the color table lines
129	*/	133	*/
130	header_nlines = 1 + image->ncolors;	134	header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */
		135
		136	/* 2nd check superfluous if we do not need header_nlines any further */
		137	if(header_nlines <= image->ncolors \|\|
		138	header_nlines >= UINT_MAX / sizeof(char *))
		139	return(XpmNoMemory);
		140
131	header_size = sizeof(char ) header_nlines;	141	header_size = sizeof(char ) header_nlines;
132	if (header_size >= SIZE_MAX / sizeof(char *))	142	if (header_size >= UINT_MAX / sizeof(char *))
133	return (XpmNoMemory);	143	return (XpmNoMemory);
134	header = (char *) XpmCalloc(header_size, sizeof(char ));	144	header = (char *) XpmCalloc(header_size, sizeof(char )); /* can we trust image->ncolors */
135	if (!header)	145	if (!header)
136	return (XpmNoMemory);	146	return (XpmNoMemory);
137		147
Lines 175-182 Link Here
175		185
176	/* now we know the size needed, alloc the data and copy the header lines */	186	/* now we know the size needed, alloc the data and copy the header lines */
177	offset = image->width * image->cpp + 1;	187	offset = image->width * image->cpp + 1;
178	data_size = header_size + (image->height + ext_nlines) * sizeof(char *)	188
179	+ image->height * offset + ext_size;	189	if(offset <= image->width \|\| offset <= image->cpp)
		190	RETURN(XpmNoMemory);
		191
		192	if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
		193	RETURN(XpmNoMemory);
		194	data_size = (image->height + ext_nlines) * sizeof(char *);
		195
		196	if (image->height > UINT_MAX / offset \|\|
		197	image->height * offset > UINT_MAX - data_size)
		198	RETURN(XpmNoMemory);
		199	data_size += image->height * offset;
		200
		201	if( (header_size + ext_size) >= (UINT_MAX - data_size) )
		202	RETURN(XpmNoMemory);
		203	data_size += header_size + ext_size;
180		204
181	data = (char **) XpmMalloc(data_size);	205	data = (char **) XpmMalloc(data_size);
182	if (!data)	206	if (!data)
Lines 184-191 Link Here
184		208
185	data_nlines = header_nlines + image->height + ext_nlines;	209	data_nlines = header_nlines + image->height + ext_nlines;
186	data = (char ) (data + data_nlines);	210	data = (char ) (data + data_nlines);
		211
		212	/* can header have less elements then n suggests? */
187	n = image->ncolors;	213	n = image->ncolors;
188	for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {	214	for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
189	strcpy(sptr, sptr2);	215	strcpy(sptr, sptr2);
190	(sptr + 1) = sptr + strlen(*sptr2) + 1;	216	(sptr + 1) = sptr + strlen(*sptr2) + 1;
191	}	217	}
Lines 194-205 Link Here
194	data[header_nlines] = (char *) data + header_size	220	data[header_nlines] = (char *) data + header_size
195	+ (image->height + ext_nlines) * sizeof(char *);	221	+ (image->height + ext_nlines) * sizeof(char *);
196		222
197	CreatePixels(data + header_nlines, image->width, image->height,	223	CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
198	image->cpp, image->data, image->colorTable);	224	image->cpp, image->data, image->colorTable);
199		225
200	/* print extensions */	226	/* print extensions */
201	if (extensions)	227	if (extensions)
202	CreateExtensions(data + header_nlines + image->height - 1, offset,	228	CreateExtensions(data + header_nlines + image->height - 1,
		229	data_size - header_nlines - image->height + 1, offset,
203	info->extensions, info->nextensions,	230	info->extensions, info->nextensions,
204	ext_nlines);	231	ext_nlines);
205		232
Lines 221-243 Link Here
221	char s, s2;	248	char s, s2;
222	char **defaults;	249	char **defaults;
223		250
		251	/* can ncolors be trusted here? */
224	for (a = 0; a < ncolors; a++, colors++, dataptr++) {	252	for (a = 0; a < ncolors; a++, colors++, dataptr++) {
225		253
226	defaults = (char **) colors;	254	defaults = (char **) colors;
		255	if (sizeof(buf) <= cpp)
		256	return(XpmNoMemory);
227	strncpy(buf, *defaults++, cpp);	257	strncpy(buf, *defaults++, cpp);
228	s = buf + cpp;	258	s = buf + cpp;
229		259
		260	if(sizeof(buf) <= (s-buf))
		261	return XpmNoMemory;
		262
230	for (key = 1; key <= NKEYS; key++, defaults++) {	263	for (key = 1; key <= NKEYS; key++, defaults++) {
231	if (s2 = *defaults) {	264	if (s2 = *defaults) {
232	#ifndef VOID_SPRINTF	265	#ifndef VOID_SPRINTF
233	s +=	266	s +=
234	#endif	267	#endif
235	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	268	+ /* assume C99 compliance */
		269	+ snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
236	#ifdef VOID_SPRINTF	270	#ifdef VOID_SPRINTF
237	s += strlen(s);	271	s += strlen(s);
238	#endif	272	#endif
		273	/* does s point out-of-bounds? */
		274	+ if(sizeof(buf) < (s-buf))
		275	+ return XpmNoMemory;
239	}	276	}
240	}	277	}
		278	/* what about using strdup()? */
241	l = s - buf + 1;	279	l = s - buf + 1;
242	s = (char *) XpmMalloc(l);	280	s = (char *) XpmMalloc(l);
243	if (!s)	281	if (!s)
Lines 249-256 Link Here
249	}	287	}
250		288
251	static void	289	static void
252	CreatePixels(dataptr, width, height, cpp, pixels, colors)	290	CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
253	char **dataptr;	291	char **dataptr;
		292	unsigned int data_size;
254	unsigned int width;	293	unsigned int width;
255	unsigned int height;	294	unsigned int height;
256	unsigned int cpp;	295	unsigned int cpp;
Lines 260-280 Link Here
260	char *s;	299	char *s;
261	unsigned int x, y, h, offset;	300	unsigned int x, y, h, offset;
262		301
		302	if(height <= 1)
		303	return;
		304
263	h = height - 1;	305	h = height - 1;
		306
264	offset = width * cpp + 1;	307	offset = width * cpp + 1;
		308
		309	if(offset <= width \|\| offset <= cpp)
		310	return;
		311
		312	/* why trust h? */
265	for (y = 0; y < h; y++, dataptr++) {	313	for (y = 0; y < h; y++, dataptr++) {
266	s = *dataptr;	314	s = *dataptr;
		315	/* why trust width? */
267	for (x = 0; x < width; x++, pixels++) {	316	for (x = 0; x < width; x++, pixels++) {
268	strncpy(s, colors[*pixels].string, cpp);	317	if(cpp > (data_size - (s - *dataptr)))
		318	return;
		319	strncpy(s, colors[pixels].string, cpp); / why trust pixel? */
269	s += cpp;	320	s += cpp;
270	}	321	}
271	*s = '\0';	322	*s = '\0';
		323	if(offset > data_size)
		324	return;
272	(dataptr + 1) = dataptr + offset;	325	(dataptr + 1) = dataptr + offset;
273	}	326	}
274	/* duplicate some code to avoid a test in the loop */	327	/* duplicate some code to avoid a test in the loop */
275	s = *dataptr;	328	s = *dataptr;
		329	/* why trust width? */
276	for (x = 0; x < width; x++, pixels++) {	330	for (x = 0; x < width; x++, pixels++) {
277	strncpy(s, colors[*pixels].string, cpp);	331	if(cpp > data_size - (s - *dataptr))
		332	return;
		333	strncpy(s, colors[pixels].string, cpp); / why should we trust pixel? /
278	s += cpp;	334	s += cpp;
279	}	335	}
280	*s = '\0';	336	*s = '\0';
Lines 307-314 Link Here
307	}	363	}
308		364
309	static void	365	static void
310	CreateExtensions(dataptr, offset, ext, num, ext_nlines)	366	CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
311	char **dataptr;	367	char **dataptr;
		368	unsigned int data_size;
312	unsigned int offset;	369	unsigned int offset;
313	XpmExtension *ext;	370	XpmExtension *ext;
314	unsigned int num;	371	unsigned int num;
Lines 321-332 Link Here
321	dataptr++;	378	dataptr++;
322	a = 0;	379	a = 0;
323	for (x = 0; x < num; x++, ext++) {	380	for (x = 0; x < num; x++, ext++) {
324	sprintf(*dataptr, "XPMEXT %s", ext->name);	381	snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
325	a++;	382	a++;
326	if (a < ext_nlines)	383	if (a < ext_nlines)
327	(dataptr + 1) = dataptr + strlen(ext->name) + 8;	384	(dataptr + 1) = dataptr + strlen(ext->name) + 8;
328	dataptr++;	385	dataptr++;
329	b = ext->nlines;	386	b = ext->nlines; /* can we trust these values? */
330	for (y = 0, line = ext->lines; y < b; y++, line++) {	387	for (y = 0, line = ext->lines; y < b; y++, line++) {
331	strcpy(dataptr, line);	388	strcpy(dataptr, line);
332	a++;	389	a++;

Lines 39-44 Link Here

(-)motif.0194/lib/Xm/Xpmcreate.c (-38 / +67 lines)
39	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	39	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
40	*/	40	*/
41		41
		42	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		43
42	#include "XpmI.h"	44	#include "XpmI.h"
43	#include <ctype.h>	45	#include <ctype.h>
44		46
Lines 560-566 Link Here
560	*/	562	*/
561	} else {	563	} else {
562	#endif	564	#endif
563	int i;	565	unsigned int i;
564		566
565	ncols = visual->map_entries;	567	ncols = visual->map_entries;
566	cols = (XColor *) XpmCalloc(ncols, sizeof(XColor));	568	cols = (XColor *) XpmCalloc(ncols, sizeof(XColor));
Lines 718-734 Link Here
718	/* function call in case of error, frees only locally allocated variables */	720	/* function call in case of error, frees only locally allocated variables */
719	#undef RETURN	721	#undef RETURN
720	#define RETURN(status) \	722	#define RETURN(status) \
721	{ \	723	do { \
722	if (ximage) XDestroyImage(ximage); \	724	ErrorStatus = status; \
723	if (shapeimage) XDestroyImage(shapeimage); \	725	goto error; \
724	if (image_pixels) XpmFree(image_pixels); \	726	} while(0)
725	if (mask_pixels) XpmFree(mask_pixels); \
726	if (nalloc_pixels) \
727	(*freeColors)(display, colormap, alloc_pixels, nalloc_pixels, NULL); \
728	if (alloc_pixels) XpmFree(alloc_pixels); \
729	if (used_pixels) XpmFree(used_pixels); \
730	return (status); \
731	}
732		727
733	int	728	int
734	XpmCreateImageFromXpmImage(display, image,	729	XpmCreateImageFromXpmImage(display, image,
Lines 799-805 Link Here
799		794
800	ErrorStatus = XpmSuccess;	795	ErrorStatus = XpmSuccess;
801		796
802	if (image->ncolors >= SIZE_MAX / sizeof(Pixel))	797	if (image->ncolors >= UINT_MAX / sizeof(Pixel))
803	return (XpmNoMemory);	798	return (XpmNoMemory);
804		799
805	/* malloc pixels index tables */	800	/* malloc pixels index tables */
Lines 945-954 Link Here
945	return (XpmNoMemory);	940	return (XpmNoMemory);
946		941
947	#ifndef FOR_MSW	942	#ifndef FOR_MSW
948	if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)	943	if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
		944	XDestroyImage(*image_return);
949	return XpmNoMemory;	945	return XpmNoMemory;
		946	}
950	/* now that bytes_per_line must have been set properly alloc data */	947	/* now that bytes_per_line must have been set properly alloc data */
951	(*image_return)->data =	948	if((*image_return)->bytes_per_line == 0 \|\| height == 0)
		949	return XpmNoMemory;
		950	(*image_return)->data =
952	(char ) XpmMalloc((image_return)->bytes_per_line * height);	951	(char ) XpmMalloc((image_return)->bytes_per_line * height);
953		952
954	if (!(*image_return)->data) {	953	if (!(*image_return)->data) {
Lines 975-981 Link Here
975	LFUNC(_putbits, void, (register char *src, int dstoffset,	974	LFUNC(_putbits, void, (register char *src, int dstoffset,
976	register int numbits, register char *dst));	975	register int numbits, register char *dst));
977		976
978	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));	977	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
979		978
980	static unsigned char Const _reverse_byte[0x100] = {	979	static unsigned char Const _reverse_byte[0x100] = {
981	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,	980	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
Lines 1015-1026 Link Here
1015	static int	1014	static int
1016	_XReverse_Bytes(bpt, nb)	1015	_XReverse_Bytes(bpt, nb)
1017	register unsigned char *bpt;	1016	register unsigned char *bpt;
1018	register int nb;	1017	register unsigned int nb;
1019	{	1018	{
1020	do {	1019	do {
1021	bpt = _reverse_byte[bpt];	1020	bpt = _reverse_byte[bpt];
1022	bpt++;	1021	bpt++;
1023	} while (--nb > 0);	1022	} while (--nb > 0); /* is nb user-controled? */
1024	return 0;	1023	return 0;
1025	}	1024	}
1026		1025
Lines 1159-1165 Link Here
1159	register char *src;	1158	register char *src;
1160	register char *dst;	1159	register char *dst;
1161	register unsigned int *iptr;	1160	register unsigned int *iptr;
1162	register int x, y, i;	1161	register unsigned int x, y, i;
1163	register char *data;	1162	register char *data;
1164	Pixel pixel, px;	1163	Pixel pixel, px;
1165	int nbytes, depth, ibu, ibpp;	1164	int nbytes, depth, ibu, ibpp;
Lines 1169-1176 Link Here
1169	depth = image->depth;	1168	depth = image->depth;
1170	if (depth == 1) {	1169	if (depth == 1) {
1171	ibu = image->bitmap_unit;	1170	ibu = image->bitmap_unit;
1172	for (y = 0; y < height; y++)	1171	for (y = 0; y < height; y++) /* how can we trust height */
1173	for (x = 0; x < width; x++, iptr++) {	1172	for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
1174	pixel = pixels[*iptr];	1173	pixel = pixels[*iptr];
1175	for (i = 0, px = pixel; i < sizeof(unsigned long);	1174	for (i = 0, px = pixel; i < sizeof(unsigned long);
1176	i++, px >>= 8)	1175	i++, px >>= 8)
Lines 1245-1256 Link Here
1245	{	1244	{
1246	unsigned char *data;	1245	unsigned char *data;
1247	unsigned int *iptr;	1246	unsigned int *iptr;
1248	int y;	1247	unsigned int y;
1249	Pixel pixel;	1248	Pixel pixel;
1250		1249
1251	#ifdef WITHOUT_SPEEDUPS	1250	#ifdef WITHOUT_SPEEDUPS
1252		1251
1253	int x;	1252	unsigned int x;
1254	unsigned char *addr;	1253	unsigned char *addr;
1255		1254
1256	data = (unsigned char *) image->data;	1255	data = (unsigned char *) image->data;
Lines 1287-1293 Link Here
1287		1286
1288	#else /* WITHOUT_SPEEDUPS */	1287	#else /* WITHOUT_SPEEDUPS */
1289		1288
1290	int bpl = image->bytes_per_line;	1289	unsigned int bpl = image->bytes_per_line;
1291	unsigned char data_ptr, max_data;	1290	unsigned char data_ptr, max_data;
1292		1291
1293	data = (unsigned char *) image->data;	1292	data = (unsigned char *) image->data;
Lines 1355-1365 Link Here
1355	{	1354	{
1356	unsigned char *data;	1355	unsigned char *data;
1357	unsigned int *iptr;	1356	unsigned int *iptr;
1358	int y;	1357	unsigned int y;
1359		1358
1360	#ifdef WITHOUT_SPEEDUPS	1359	#ifdef WITHOUT_SPEEDUPS
1361		1360
1362	int x;	1361	unsigned int x;
1363	unsigned char *addr;	1362	unsigned char *addr;
1364		1363
1365	data = (unsigned char *) image->data;	1364	data = (unsigned char *) image->data;
Lines 1383-1389 Link Here
1383		1382
1384	Pixel pixel;	1383	Pixel pixel;
1385		1384
1386	int bpl = image->bytes_per_line;	1385	unsigned int bpl = image->bytes_per_line;
1387	unsigned char data_ptr, max_data;	1386	unsigned char data_ptr, max_data;
1388		1387
1389	data = (unsigned char *) image->data;	1388	data = (unsigned char *) image->data;
Lines 1436-1446 Link Here
1436	{	1435	{
1437	char *data;	1436	char *data;
1438	unsigned int *iptr;	1437	unsigned int *iptr;
1439	int y;	1438	unsigned int y;
1440		1439
1441	#ifdef WITHOUT_SPEEDUPS	1440	#ifdef WITHOUT_SPEEDUPS
1442		1441
1443	int x;	1442	unsigned int x;
1444		1443
1445	data = image->data;	1444	data = image->data;
1446	iptr = pixelindex;	1445	iptr = pixelindex;
Lines 1450-1456 Link Here
1450		1449
1451	#else /* WITHOUT_SPEEDUPS */	1450	#else /* WITHOUT_SPEEDUPS */
1452		1451
1453	int bpl = image->bytes_per_line;	1452	unsigned int bpl = image->bytes_per_line;
1454	char data_ptr, max_data;	1453	char data_ptr, max_data;
1455		1454
1456	data = image->data;	1455	data = image->data;
Lines 1485-1496 Link Here
1485	PutImagePixels(image, width, height, pixelindex, pixels);	1484	PutImagePixels(image, width, height, pixelindex, pixels);
1486	else {	1485	else {
1487	unsigned int *iptr;	1486	unsigned int *iptr;
1488	int y;	1487	unsigned int y;
1489	char *data;	1488	char *data;
1490		1489
1491	#ifdef WITHOUT_SPEEDUPS	1490	#ifdef WITHOUT_SPEEDUPS
1492		1491
1493	int x;	1492	unsigned int x;
1494		1493
1495	data = image->data;	1494	data = image->data;
1496	iptr = pixelindex;	1495	iptr = pixelindex;
Lines 1668-1673 Link Here
1668	Pixel px;	1667	Pixel px;
1669	int nbytes;	1668	int nbytes;
1670		1669
		1670	if(x < 0 \|\| y < 0)
		1671	return 0;
		1672
1671	for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)	1673	for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
1672	((unsigned char *)&pixel)[i] = px;	1674	((unsigned char *)&pixel)[i] = px;
1673	src = &ximage->data[XYINDEX(x, y, ximage)];	1675	src = &ximage->data[XYINDEX(x, y, ximage)];
Lines 1699-1705 Link Here
1699	register int i;	1701	register int i;
1700	register char *data;	1702	register char *data;
1701	Pixel px;	1703	Pixel px;
1702	int nbytes, ibpp;	1704	unsigned int nbytes, ibpp;
		1705
		1706	if(x < 0 \|\| y < 0)
		1707	return 0;
1703		1708
1704	ibpp = ximage->bits_per_pixel;	1709	ibpp = ximage->bits_per_pixel;
1705	if (ximage->depth == 4)	1710	if (ximage->depth == 4)
Lines 1732-1737 Link Here
1732	{	1737	{
1733	unsigned char *addr;	1738	unsigned char *addr;
1734		1739
		1740	if(x < 0 \|\| y < 0)
		1741	return 0;
		1742
1735	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1743	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1736	((unsigned long )addr) = pixel;	1744	((unsigned long )addr) = pixel;
1737	return 1;	1745	return 1;
Lines 1746-1751 Link Here
1746	{	1754	{
1747	unsigned char *addr;	1755	unsigned char *addr;
1748		1756
		1757	if(x < 0 \|\| y < 0)
		1758	return 0;
		1759
1749	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1760	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1750	addr[0] = pixel >> 24;	1761	addr[0] = pixel >> 24;
1751	addr[1] = pixel >> 16;	1762	addr[1] = pixel >> 16;
Lines 1763-1768 Link Here
1763	{	1774	{
1764	unsigned char *addr;	1775	unsigned char *addr;
1765		1776
		1777	if(x < 0 \|\| y < 0)
		1778	return 0;
		1779
1766	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1780	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1767	addr[3] = pixel >> 24;	1781	addr[3] = pixel >> 24;
1768	addr[2] = pixel >> 16;	1782	addr[2] = pixel >> 16;
Lines 1780-1785 Link Here
1780	{	1794	{
1781	unsigned char *addr;	1795	unsigned char *addr;
1782		1796
		1797	if(x < 0 \|\| y < 0)
		1798	return 0;
		1799
1783	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];	1800	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1784	addr[0] = pixel >> 8;	1801	addr[0] = pixel >> 8;
1785	addr[1] = pixel;	1802	addr[1] = pixel;
Lines 1795-1800 Link Here
1795	{	1812	{
1796	unsigned char *addr;	1813	unsigned char *addr;
1797		1814
		1815	if(x < 0 \|\| y < 0)
		1816	return 0;
		1817
1798	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];	1818	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1799	addr[1] = pixel >> 8;	1819	addr[1] = pixel >> 8;
1800	addr[0] = pixel;	1820	addr[0] = pixel;
Lines 1808-1813 Link Here
1808	int y;	1828	int y;
1809	unsigned long pixel;	1829	unsigned long pixel;
1810	{	1830	{
		1831	if(x < 0 \|\| y < 0)
		1832	return 0;
		1833
1811	ximage->data[ZINDEX8(x, y, ximage)] = pixel;	1834	ximage->data[ZINDEX8(x, y, ximage)] = pixel;
1812	return 1;	1835	return 1;
1813	}	1836	}
Lines 1819-1824 Link Here
1819	int y;	1842	int y;
1820	unsigned long pixel;	1843	unsigned long pixel;
1821	{	1844	{
		1845	if(x < 0 \|\| y < 0)
		1846	return 0;
		1847
1822	if (pixel & 1)	1848	if (pixel & 1)
1823	ximage->data[ZINDEX1(x, y, ximage)] \|= 0x80 >> (x & 7);	1849	ximage->data[ZINDEX1(x, y, ximage)] \|= 0x80 >> (x & 7);
1824	else	1850	else
Lines 1833-1838 Link Here
1833	int y;	1859	int y;
1834	unsigned long pixel;	1860	unsigned long pixel;
1835	{	1861	{
		1862	if(x < 0 \|\| y < 0)
		1863	return 0;
		1864
1836	if (pixel & 1)	1865	if (pixel & 1)
1837	ximage->data[ZINDEX1(x, y, ximage)] \|= 1 << (x & 7);	1866	ximage->data[ZINDEX1(x, y, ximage)] \|= 1 << (x & 7);
1838	else	1867	else
Lines 1992-1999 Link Here
1992	xpmGetCmt(data, &colors_cmt);	2021	xpmGetCmt(data, &colors_cmt);
1993		2022
1994	/* malloc pixels index tables */	2023	/* malloc pixels index tables */
1995	if (ncolors >= SIZE_MAX / sizeof(Pixel))	2024	if (ncolors >= UINT_MAX / sizeof(Pixel))
1996	return XpmNoMemory;	2025	RETURN(XpmNoMemory);
1997		2026
1998	image_pixels = (Pixel ) XpmMalloc(sizeof(Pixel) ncolors);	2027	image_pixels = (Pixel ) XpmMalloc(sizeof(Pixel) ncolors);
1999	if (!image_pixels)	2028	if (!image_pixels)
Lines 2104-2110 Link Here
2104	* free the hastable	2133	* free the hastable
2105	*/	2134	*/
2106	if (ErrorStatus != XpmSuccess)	2135	if (ErrorStatus != XpmSuccess)
2107	RETURN(ErrorStatus)	2136	RETURN(ErrorStatus);
2108	else if (USE_HASHTABLE)	2137	else if (USE_HASHTABLE)
2109	xpmHashTableFree(&hashtable);	2138	xpmHashTableFree(&hashtable);
2110		2139
Lines 2251-2264 Link Here
2251		2280
2252	/* array of pointers malloced by need */	2281	/* array of pointers malloced by need */
2253	unsigned short *cidx[256];	2282	unsigned short *cidx[256];
2254	int char1;	2283	unsigned int char1;
2255		2284
2256	if (ncolors > 256)	2285	if (ncolors > 256)
2257	return (XpmFileInvalid);	2286	return (XpmFileInvalid);
2258		2287
2259	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	2288	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
2260	for (a = 0; a < ncolors; a++) {	2289	for (a = 0; a < ncolors; a++) {
2261	char1 = colorTable[a].string[0];	2290	char1 = (unsigned char) colorTable[a].string[0];
2262	if (cidx[char1] == NULL) { /* get new memory */	2291	if (cidx[char1] == NULL) { /* get new memory */
2263	cidx[char1] = (unsigned short *)	2292	cidx[char1] = (unsigned short *)
2264	XpmCalloc(256, sizeof(unsigned short));	2293	XpmCalloc(256, sizeof(unsigned short));




	}
	ungetc(c, file);
    }
    return (n); /* this returns bytes read + 1 */
}

/*

{
    if (!mdata->type)
	*cmt = NULL;
         else if (dmata->CommentLength != 0 && mdata->CommentLength < UINT_MAX - 1) {
       		if( (*cmt = (char *) XpmMalloc(mdata->CommentLength + 1)) == NULL)
	 		return XpmNoMemory;
	strncpy(*cmt, mdata->Comment, mdata->CommentLength);
	(*cmt)[mdata->CommentLength] = '\0';
	mdata->CommentLength = 0;

xpmParseHeader(mdata)
    xpmData *mdata;
{
    char buf[BUFSIZ+1] = {0};
    int l, n = 0;

    if (mdata->type) {




    unsigned int size = table->size;
    xpmHashAtom *t, *p;
    int i;
    unsigned int oldSize = size;

    t = atomTable;
    HASH_TABLE_GROWS
	table->size = size;
    table->limit = size / 3;
    if (size >= UINT_MAX / sizeof(*atomTable)) 
	return (XpmNoMemory);
    atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
    if (!atomTable)

    table->size = INITIAL_HASH_SIZE;
    table->limit = table->size / 3;
    table->used = 0;
    if (table->size >= UINT_MAX / sizeof(*atomTable))
	return (XpmNoMemory);
    atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
    if (!atomTable)

Lines 108-115 Link Here

(-)motif.0194/lib/Xm/XpmI.h (+2 lines)
108	* lets try to solve include files	108	* lets try to solve include files
109	*/	109	*/
110		110
		111	#include <sys/types.h>
111	#include <stdio.h>	112	#include <stdio.h>
112	#include <stdlib.h>	113	#include <stdlib.h>
		114	#include <limits.h>
113	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */	115	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */
114	#ifdef sequent	116	#ifdef sequent
115	extern FILE *popen();	117	extern FILE *popen();

Lines 47-53 Link Here

(-)motif.0194/lib/Xm/Xpmmisc.c (-1 / +1 lines)
47	char *s1;	47	char *s1;
48	{	48	{
49	char *s2;	49	char *s2;
50	int l = strlen(s1) + 1;	50	size_t l = strlen(s1) + 1;
51		51
52	if (s2 = (char *) XpmMalloc(l))	52	if (s2 = (char *) XpmMalloc(l))
53	strcpy(s2, s1);	53	strcpy(s2, s1);




#include <ctype.h>

#ifdef HAS_STRLCAT
# define STRLCAT(dst, src, dstsize) do { \
  	if (strlcat(dst, src, dstsize) >= (dstsize)) \
	    return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
  	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
	    return (XpmFileInvalid); } while(0)
#else
# define STRLCAT(dst, src, dstsize) do { \
	if ((strlen(dst) + strlen(src)) < (dstsize)) \
 	    strcat(dst, src); \
	else return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
	if (strlen(src) < (dstsize)) \
 	    strcpy(dst, src); \
	else return (XpmFileInvalid); } while(0)
#endif

LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,

/* function call in case of error, frees only locally allocated variables */
#undef RETURN
#define RETURN(status) \
do { \
	goto error;
} while(0)
    if (hints_cmt)  XpmFree(hints_cmt); \
    if (colors_cmt) XpmFree(colors_cmt); \
    if (pixels_cmt) XpmFree(pixels_cmt); \
    return(status); \
}

/*
 * This function parses an Xpm file or data and store the found informations

    char **defaults;
    int ErrorStatus;

    if (ncolors >= UINT_MAX / sizeof(XpmColor))
	return (XpmNoMemory);
    colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
    if (!colorTable)

	    /*
	     * read pixel value
	     */
	    if (cpp >= UINT_MAX - 1) {
		xpmFreeColorTable(colorTable, ncolors);
		return (XpmNoMemory);
	    }

			return (XpmFileInvalid);
		    }
		    if (!lastwaskey)
			STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
		    buf[l] = '\0';
		    STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
		    lastwaskey = 0;
		}
	    }

		xpmFreeColorTable(colorTable, ncolors);
		return (XpmFileInvalid);
	    }
	    len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
	    s = defaults[curkey] = (char *) XpmMalloc(len);
	    if (!s) {
		xpmFreeColorTable(colorTable, ncolors);

	    /*
	     * read pixel value
	     */
	    if (cpp >= UINT_MAX - 1) {
		xpmFreeColorTable(colorTable, ncolors);
		return (XpmNoMemory);
	    }

	    memcpy(s, curbuf, len);
	    color->c_color = s;
	    *curbuf = '\0';		/* reset curbuf */
	    if (a < ncolors - 1)	/* can we trust ncolors -> leave data's bounds */
		xpmNextString(data);	/* get to the next string */
	}
    }

    xpmHashTable *hashtable;
    unsigned int **pixels;
{
    unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
    unsigned int a, x, y;

    if ((height > 0 && width >= UINT_MAX / height) ||
	width * height >= UINT_MAX / sizeof(unsigned int)) 
	return XpmNoMemory;
#ifndef FOR_MSW
    iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);

	{
	    unsigned short colidx[256];

	    if (ncolors > 256) {
		XpmFree(iptr2); /* found by Egbert Eich */
		return (XpmFileInvalid);
	    }

	    bzero((char *)colidx, 256 * sizeof(short));
	    for (a = 0; a < ncolors; a++)

	{

/* free all allocated pointers at all exits */
#define FREE_CIDX \
do \
{ \
	int f; for (f = 0; f < 256; f++) \
	if (cidx[f]) XpmFree(cidx[f]); \
} while(0)

	    /* array of pointers malloced by need */
	    unsigned short *cidx[256];
	    unsigned int char1;

	    bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
	    for (a = 0; a < ncolors; a++) {
		char1 = (unsigned char) colorTable[a].string[0];
		if (cidx[char1] == NULL) { /* get new memory */
		    cidx[char1] = (unsigned short *)
			XpmCalloc(256, sizeof(unsigned short));

	    char *s;
	    char buf[BUFSIZ];

	    if (cpp >= sizeof(buf)) {
		XpmFree(iptr2); /* found by Egbert Eich */
		return (XpmFileInvalid);
	    }

	    buf[cpp] = '\0';
	    if (USE_HASHTABLE) {

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			slot = xpmHashSlot(hashtable, buf);
			if (!*slot) {	/* no color matches */
			    XpmFree(iptr2);

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			for (a = 0; a < ncolors; a++)
			    if (!strcmp(colorTable[a].string, buf))
				break;

    while (!notstart && notend) {
	/* there starts an extension */
	ext = (XpmExtension *)
	    XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
	if (!ext) {
	    XpmFree(string);
	    XpmFreeExtensions(exts, num);

	while ((notstart = strncmp("XPMEXT", string, 6))
	       && (notend = strncmp("XPMENDEXT", string, 9))) {
	    sp = (char **)
		XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
	    if (!sp) {
		XpmFree(string);
		ext->nlines = nlines;

Lines 38-43 Link Here

(-)motif.0194/lib/Xm/XpmRdFToBuf.c (-2 / +5 lines)
38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
39	*/	39	*/
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42	#include <sys/stat.h>	44	#include <sys/stat.h>
43	#if !defined(FOR_MSW) && !defined(WIN32)	45	#if !defined(FOR_MSW) && !defined(WIN32)
Lines 59-65 Link Here
59	char *filename;	61	char *filename;
60	char **buffer_return;	62	char **buffer_return;
61	{	63	{
62	int fd, fcheck, len;	64	int fd, fcheck;
		65	off_t len;
63	char *ptr;	66	char *ptr;
64	struct stat stats;	67	struct stat stats;
65	FILE *fp;	68	FILE *fp;
Lines 83-89 Link Here
83	close(fd);	86	close(fd);
84	return XpmOpenFailed;	87	return XpmOpenFailed;
85	}	88	}
86	len = (int) stats.st_size;	89	len = stats.st_size;
87	ptr = (char *) XpmMalloc(len + 1);	90	ptr = (char *) XpmMalloc(len + 1);
88	if (!ptr) {	91	if (!ptr) {
89	fclose(fp);	92	fclose(fp);

Lines 33-38 Link Here

(-)motif.0194/lib/Xm/XpmRdFToI.c (-12 / +24 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37	#include <sys/stat.h>	39	#include <sys/stat.h>
38	#include <sys/param.h>	40	#include <sys/param.h>
Lines 122-127 Link Here
122	/*	124	/*
123	* open the given file to be read as an xpmData which is returned.	125	* open the given file to be read as an xpmData which is returned.
124	*/	126	*/
		127	#ifndef NO_ZPIPE
		128	FILE s_popen(char cmd, const char *type);
		129	#else
		130	# define s_popen popen
		131	#endif
		132
125	static int	133	static int
126	OpenReadFile(filename, mdata)	134	OpenReadFile(filename, mdata)
127	char *filename;	135	char *filename;
Lines 139-155 Link Here
139	mdata->type = XPMFILE;	147	mdata->type = XPMFILE;
140	} else {	148	} else {
141	#ifndef NO_ZPIPE	149	#ifndef NO_ZPIPE
142	int len = strlen(filename);	150	size_t len = strlen(filename);
		151
		152	if(len == 0 \|\|
		153	filename[len-1] == '/')
		154	return(XpmOpenFailed);
143	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {	155	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
144	mdata->type = XPMPIPE;	156	mdata->type = XPMPIPE;
145	sprintf(buf, "uncompress -c \"%s\"", filename);	157	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
146	if (!(mdata->stream.file = popen(buf, "r")))	158	if (!(mdata->stream.file = s_popen(buf, "r")))
147	return (XpmOpenFailed);	159	return (XpmOpenFailed);
148		160
149	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {	161	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
150	mdata->type = XPMPIPE;	162	mdata->type = XPMPIPE;
151	sprintf(buf, "gunzip -qc \"%s\"", filename);	163	snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
152	if (!(mdata->stream.file = popen(buf, "r")))	164	if (!(mdata->stream.file = s_popen(buf, "r")))
153	return (XpmOpenFailed);	165	return (XpmOpenFailed);
154		166
155	} else {	167	} else {
Lines 157-175 Link Here
157	if (!(compressfile = (char *) XpmMalloc(len + 4)))	169	if (!(compressfile = (char *) XpmMalloc(len + 4)))
158	return (XpmNoMemory);	170	return (XpmNoMemory);
159		171
160	sprintf(compressfile, "%s.Z", filename);	172	snprintf(compressfile, len+4, "%s.Z", filename);
161	if (!stat(compressfile, &status)) {	173	if (!stat(compressfile, &status)) {
162	sprintf(buf, "uncompress -c \"%s\"", compressfile);	174	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
163	if (!(mdata->stream.file = popen(buf, "r"))) {	175	if (!(mdata->stream.file = s_popen(buf, "r"))) {
164	XpmFree(compressfile);	176	XpmFree(compressfile);
165	return (XpmOpenFailed);	177	return (XpmOpenFailed);
166	}	178	}
167	mdata->type = XPMPIPE;	179	mdata->type = XPMPIPE;
168	} else {	180	} else {
169	sprintf(compressfile, "%s.gz", filename);	181	snprintf(compressfile, len+4, "%s.gz", filename);
170	if (!stat(compressfile, &status)) {	182	if (!stat(compressfile, &status)) {
171	sprintf(buf, "gunzip -c \"%s\"", compressfile);	183	snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
172	if (!(mdata->stream.file = popen(buf, "r"))) {	184	if (!(mdata->stream.file = s_popen(buf, "r"))) {
173	XpmFree(compressfile);	185	XpmFree(compressfile);
174	return (XpmOpenFailed);	186	return (XpmOpenFailed);
175	}	187	}
Lines 211-217 Link Here
211	break;	223	break;
212	#ifndef NO_ZPIPE	224	#ifndef NO_ZPIPE
213	case XPMPIPE:	225	case XPMPIPE:
214	pclose(mdata->stream.file);	226	fclose(mdata->stream.file);
215	break;	227	break;
216	#endif	228	#endif
217	}	229	}

Lines 38-43 Link Here

(-)motif.0194/lib/Xm/Xpmscan.c (-17 / +17 lines)
38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
39	*/	39	*/
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42		44
43	#define MAXPRINTABLE 92 /* number of printable ascii chars	45	#define MAXPRINTABLE 92 /* number of printable ascii chars
Lines 158-169 Link Here
158	/* function call in case of error, frees only locally allocated variables */	160	/* function call in case of error, frees only locally allocated variables */
159	#undef RETURN	161	#undef RETURN
160	#define RETURN(status) \	162	#define RETURN(status) \
161	{ \	163	do { \
162	if (pmap.pixelindex) XpmFree(pmap.pixelindex); \	164	ErrorStatus = status; \
163	if (pmap.pixels) XpmFree(pmap.pixels); \	165	goto error; \
164	if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \	166	} while(0)
165	return(status); \
166	}
167		167
168	/*	168	/*
169	* This function scans the given image and stores the found informations in	169	* This function scans the given image and stores the found informations in
Lines 221-235 Link Here
221	else	221	else
222	cpp = 0;	222	cpp = 0;
223		223
224	if ((height > 0 && width >= SIZE_MAX / height) \|\|	224	if ((height > 0 && width >= UINT_MAX / height) \|\|
225	width * height >= SIZE_MAX / sizeof(unsigned int))	225	width * height >= UINT_MAX / sizeof(unsigned int))
226	RETURN(XpmNoMemory);	226	RETURN(XpmNoMemory);
227	pmap.pixelindex =	227	pmap.pixelindex =
228	(unsigned int ) XpmCalloc(width height, sizeof(unsigned int));	228	(unsigned int ) XpmCalloc(width height, sizeof(unsigned int));
229	if (!pmap.pixelindex)	229	if (!pmap.pixelindex)
230	RETURN(XpmNoMemory);	230	RETURN(XpmNoMemory);
231		231
232	if (pmap.size >= SIZE_MAX / sizeof(Pixel))	232	if (pmap.size >= UINT_MAX / sizeof(Pixel))
233	RETURN(XpmNoMemory);	233	RETURN(XpmNoMemory);
234		234
235	pmap.pixels = (Pixel ) XpmMalloc(sizeof(Pixel) pmap.size);	235	pmap.pixels = (Pixel ) XpmMalloc(sizeof(Pixel) pmap.size);
Lines 286-292 Link Here
286	* get rgb values and a string of char, and possibly a name for each	286	* get rgb values and a string of char, and possibly a name for each
287	* color	287	* color
288	*/	288	*/
289	if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))	289	if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
290	RETURN(XpmNoMemory);	290	RETURN(XpmNoMemory);
291	colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));	291	colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
292	if (!colorTable)	292	if (!colorTable)
Lines 335-341 Link Here
335		335
336	/* first get a character string */	336	/* first get a character string */
337	a = 0;	337	a = 0;
338	if (cpp >= SIZE_MAX - 1)	338	if (cpp >= UINT_MAX - 1)
339	return (XpmNoMemory);	339	return (XpmNoMemory);
340	if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))	340	if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
341	return (XpmNoMemory);	341	return (XpmNoMemory);
Lines 428-434 Link Here
428	}	428	}
429		429
430	/* first get character strings and rgb values */	430	/* first get character strings and rgb values */
431	if (ncolors >= SIZE_MAX / sizeof(XColor) \|\| cpp >= SIZE_MAX - 1)	431	if (ncolors >= UINT_MAX / sizeof(XColor) \|\| cpp >= UINT_MAX - 1)
432	return (XpmNoMemory);	432	return (XpmNoMemory);
433	xcolors = (XColor ) XpmMalloc(sizeof(XColor) ncolors);	433	xcolors = (XColor ) XpmMalloc(sizeof(XColor) ncolors);
434	if (!xcolors)	434	if (!xcolors)
Lines 585-591 Link Here
585	char *dst;	585	char *dst;
586	unsigned int *iptr;	586	unsigned int *iptr;
587	char *data;	587	char *data;
588	int x, y, i;	588	unsigned int x, y, i;
589	int bits, depth, ibu, ibpp, offset;	589	int bits, depth, ibu, ibpp, offset;
590	unsigned long lbt;	590	unsigned long lbt;
591	Pixel pixel, px;	591	Pixel pixel, px;
Lines 687-693 Link Here
687	unsigned char *addr;	687	unsigned char *addr;
688	unsigned char *data;	688	unsigned char *data;
689	unsigned int *iptr;	689	unsigned int *iptr;
690	int x, y;	690	unsigned int x, y;
691	unsigned long lbt;	691	unsigned long lbt;
692	Pixel pixel;	692	Pixel pixel;
693	int depth;	693	int depth;
Lines 752-758 Link Here
752	unsigned char *addr;	752	unsigned char *addr;
753	unsigned char *data;	753	unsigned char *data;
754	unsigned int *iptr;	754	unsigned int *iptr;
755	int x, y;	755	unsigned int x, y;
756	unsigned long lbt;	756	unsigned long lbt;
757	Pixel pixel;	757	Pixel pixel;
758	int depth;	758	int depth;
Lines 797-803 Link Here
797	{	797	{
798	unsigned int *iptr;	798	unsigned int *iptr;
799	unsigned char *data;	799	unsigned char *data;
800	int x, y;	800	unsigned int x, y;
801	unsigned long lbt;	801	unsigned long lbt;
802	Pixel pixel;	802	Pixel pixel;
803	int depth;	803	int depth;
Lines 830-836 Link Here
830	int (*storeFunc) ();	830	int (*storeFunc) ();
831	{	831	{
832	unsigned int *iptr;	832	unsigned int *iptr;
833	int x, y;	833	unsigned int x, y;
834	char *data;	834	char *data;
835	Pixel pixel;	835	Pixel pixel;
836	int xoff, yoff, offset, bpl;	836	int xoff, yoff, offset, bpl;

Lines 33-38 Link Here

(-)motif.0194/lib/Xm/XpmWrFFrBuf.c (-1 / +3 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	int	40	int
Lines 50-56 Link Here
50	fcheck = fwrite(buffer, len, 1, fp);	52	fcheck = fwrite(buffer, len, 1, fp);
51	fclose(fp);	53	fclose(fp);
52	if (fcheck != 1)	54	if (fcheck != 1)
53	return XpmOpenFailed;	55	return XpmOpenFailed; /* maybe use a better return value */
54		56
55	return XpmSuccess;	57	return XpmSuccess;
56	}	58	}

Lines 33-38 Link Here

(-)motif.0194/lib/Xm/XpmWrFFrI.c (-10 / +26 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37	#if !defined(NO_ZPIPE) && defined(WIN32)	39	#if !defined(NO_ZPIPE) && defined(WIN32)
38	# define popen _popen	40	# define popen _popen
Lines 93-99 Link Here
93	XpmInfo *info;	95	XpmInfo *info;
94	{	96	{
95	xpmData mdata;	97	xpmData mdata;
96	char name, dot, *s, new_name[BUFSIZ];	98	char name, dot, *s, new_name[BUFSIZ] = {0};
97	int ErrorStatus;	99	int ErrorStatus;
98		100
99	/* open file to write */	101	/* open file to write */
Lines 112-118 Link Here
112	#endif	114	#endif
113	/* let's try to make a valid C syntax name */	115	/* let's try to make a valid C syntax name */
114	if (dot = index(name, '.')) {	116	if (dot = index(name, '.')) {
115	strcpy(new_name, name);	117	strncpy(new_name, name, sizeof(new_name));
		118	+ new_name[sizeof(new_name)-1] = 0;
116	/* change '.' to '_' */	119	/* change '.' to '_' */
117	name = s = new_name;	120	name = s = new_name;
118	while (dot = index(s, '.')) {	121	while (dot = index(s, '.')) {
Lines 122-128 Link Here
122	}	125	}
123	if (dot = index(name, '-')) {	126	if (dot = index(name, '-')) {
124	if (name != new_name) {	127	if (name != new_name) {
125	strcpy(new_name, name);	128	strncpy(new_name, name, sizeof(new_name));
		129	new_name[sizeof(new_name)-1] = 0;
126	name = new_name;	130	name = new_name;
127	}	131	}
128	/* change '-' to '_' */	132	/* change '-' to '_' */
Lines 239-245 Link Here
239	unsigned int x, y, h;	243	unsigned int x, y, h;
240		244
241	h = height - 1;	245	h = height - 1;
242	if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)	246	if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
243	return XpmNoMemory;	247	return XpmNoMemory;
244	p = buf = (char ) XpmMalloc(width cpp + 3);	248	p = buf = (char ) XpmMalloc(width cpp + 3);
245	if (!buf)	249	if (!buf)
Lines 291-296 Link Here
291	/*	295	/*
292	* open the given file to be written as an xpmData which is returned	296	* open the given file to be written as an xpmData which is returned
293	*/	297	*/
		298	#ifndef NO_ZPIPE
		299	FILE s_popen(char cmd, const char *type);
		300	#else
		301	# define s_popen popen
		302	#endif
294	static int	303	static int
295	OpenWriteFile(filename, mdata)	304	OpenWriteFile(filename, mdata)
296	char *filename;	305	char *filename;
Lines 306-321 Link Here
306	mdata->type = XPMFILE;	315	mdata->type = XPMFILE;
307	} else {	316	} else {
308	#ifndef NO_ZPIPE	317	#ifndef NO_ZPIPE
309	int len = strlen(filename);	318	size_t len = strlen(filename);
		319
		320	if(len == 0 \|\|
		321	filename[0] == '/' \|\|
		322	strstr(filename, "../") != NULL \|\|
		323	filename[len-1] == '/')
		324	return(XpmOpenFailed);
		325
310	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {	326	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
311	sprintf(buf, "compress > \"%s\"", filename);	327	snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
312	if (!(mdata->stream.file = popen(buf, "w")))	328	if (!(mdata->stream.file = s_popen(buf, "w")))
313	return (XpmOpenFailed);	329	return (XpmOpenFailed);
314		330
315	mdata->type = XPMPIPE;	331	mdata->type = XPMPIPE;
316	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {	332	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
317	sprintf(buf, "gzip -q > \"%s\"", filename);	333	snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
318	if (!(mdata->stream.file = popen(buf, "w")))	334	if (!(mdata->stream.file = s_popen(buf, "w")))
319	return (XpmOpenFailed);	335	return (XpmOpenFailed);
320		336
321	mdata->type = XPMPIPE;	337	mdata->type = XPMPIPE;
Lines 346-352 Link Here
346	break;	362	break;
347	#ifndef NO_ZPIPE	363	#ifndef NO_ZPIPE
348	case XPMPIPE:	364	case XPMPIPE:
349	pclose(mdata->stream.file);	365	fclose(mdata->stream.file);
350	break;	366	break;
351	#endif	367	#endif
352	}	368	}

Return to bug 78111

Lines 42-56 Link Here

(-)motif.0194/lib/Xm/XpmCrBufFrI.c (-25 / +69 lines)
42	unsigned int used_size, XpmColor colors,	42	unsigned int used_size, XpmColor colors,
43	unsigned int ncolors, unsigned int cpp));	43	unsigned int ncolors, unsigned int cpp));
44		44
45	LFUNC(WritePixels, void, (char dataptr, unsigned int used_size,	45	LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
		46	unsigned int *used_size,
46	unsigned int width, unsigned int height,	47	unsigned int width, unsigned int height,
47	unsigned int cpp, unsigned int *pixels,	48	unsigned int cpp, unsigned int *pixels,
48	XpmColor *colors));	49	XpmColor *colors));
49		50
50	LFUNC(WriteExtensions, void, (char dataptr, unsigned int used_size,	51	LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
		52	unsigned int *used_size,
51	XpmExtension *ext, unsigned int num));	53	XpmExtension *ext, unsigned int num));
52		54
53	LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));	55	LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
54	LFUNC(CommentsSize, int, (XpmInfo *info));	56	LFUNC(CommentsSize, int, (XpmInfo *info));
55		57
56	int	58	int
Lines 93-103 Link Here
93		95
94	#undef RETURN	96	#undef RETURN
95	#define RETURN(status) \	97	#define RETURN(status) \
96	{ \	98	do { \
97	if (ptr) \	99	if (ptr) \
98	XpmFree(ptr); \	100	XpmFree(ptr); \
99	return(status); \	101	return(status); \
100	}	102	} while(0)
101		103
102	int	104	int
103	XpmCreateBufferFromXpmImage(buffer_return, image, info)	105	XpmCreateBufferFromXpmImage(buffer_return, image, info)
Lines 111-117 Link Here
111	unsigned int cmts, extensions, ext_size = 0;	113	unsigned int cmts, extensions, ext_size = 0;
112	unsigned int l, cmt_size = 0;	114	unsigned int l, cmt_size = 0;
113	char ptr = NULL, p;	115	char ptr = NULL, p;
114	unsigned int ptr_size, used_size;	116	unsigned int ptr_size, used_size, tmp;
115		117
116	*buffer_return = NULL;	118	*buffer_return = NULL;
117		119
Lines 133-139 Link Here
133	#ifdef VOID_SPRINTF	135	#ifdef VOID_SPRINTF
134	used_size = strlen(buf);	136	used_size = strlen(buf);
135	#endif	137	#endif
136	ptr_size = used_size + ext_size + cmt_size + 1;	138	ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
		139	if(ptr_size <= used_size \|\|
		140	ptr_size <= ext_size \|\|
		141	ptr_size <= cmt_size)
		142	{
		143	return XpmNoMemory;
		144	}
137	ptr = (char *) XpmMalloc(ptr_size);	145	ptr = (char *) XpmMalloc(ptr_size);
138	if (!ptr)	146	if (!ptr)
139	return XpmNoMemory;	147	return XpmNoMemory;
Lines 144-150 Link Here
144	#ifndef VOID_SPRINTF	152	#ifndef VOID_SPRINTF
145	used_size +=	153	used_size +=
146	#endif	154	#endif
147	sprintf(ptr + used_size, "/%s/\n", info->hints_cmt);	155	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->hints_cmt);
148	#ifdef VOID_SPRINTF	156	#ifdef VOID_SPRINTF
149	used_size += strlen(info->hints_cmt) + 5;	157	used_size += strlen(info->hints_cmt) + 5;
150	#endif	158	#endif
Lines 162-168 Link Here
162	#ifndef VOID_SPRINTF	170	#ifndef VOID_SPRINTF
163	l +=	171	l +=
164	#endif	172	#endif
165	sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);	173	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
166	#ifdef VOID_SPRINTF	174	#ifdef VOID_SPRINTF
167	l = strlen(buf);	175	l = strlen(buf);
168	#endif	176	#endif
Lines 184-189 Link Here
184	l = strlen(buf);	192	l = strlen(buf);
185	#endif	193	#endif
186	ptr_size += l;	194	ptr_size += l;
		195	if(ptr_size <= l)
		196	RETURN(XpmNoMemory);
187	p = (char *) XpmRealloc(ptr, ptr_size);	197	p = (char *) XpmRealloc(ptr, ptr_size);
188	if (!p)	198	if (!p)
189	RETURN(XpmNoMemory);	199	RETURN(XpmNoMemory);
Lines 196-202 Link Here
196	#ifndef VOID_SPRINTF	206	#ifndef VOID_SPRINTF
197	used_size +=	207	used_size +=
198	#endif	208	#endif
199	sprintf(ptr + used_size, "/%s/\n", info->colors_cmt);	209	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->colors_cmt);
200	#ifdef VOID_SPRINTF	210	#ifdef VOID_SPRINTF
201	used_size += strlen(info->colors_cmt) + 5;	211	used_size += strlen(info->colors_cmt) + 5;
202	#endif	212	#endif
Lines 212-218 Link Here
212	* 4 = 1 (for '"') + 3 (for '",\n')	222	* 4 = 1 (for '"') + 3 (for '",\n')
213	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')	223	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
214	*/	224	*/
215	ptr_size += image->height * (image->width * image->cpp + 4) + 1;	225	if(image->width > UINT_MAX / image->cpp \|\|
		226	(tmp = image->width * image->cpp + 4) <= 4 \|\|
		227	image->height > UINT_MAX / tmp \|\|
		228	(tmp = image->height * tmp + 1) <= 1 \|\|
		229	(ptr_size += tmp) <= tmp)
		230	RETURN(XpmNoMemory);
216		231
217	p = (char *) XpmRealloc(ptr, ptr_size);	232	p = (char *) XpmRealloc(ptr, ptr_size);
218	if (!p)	233	if (!p)
Lines 224-240 Link Here
224	#ifndef VOID_SPRINTF	239	#ifndef VOID_SPRINTF
225	used_size +=	240	used_size +=
226	#endif	241	#endif
227	sprintf(ptr + used_size, "/%s/\n", info->pixels_cmt);	242	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->pixels_cmt);
228	#ifdef VOID_SPRINTF	243	#ifdef VOID_SPRINTF
229	used_size += strlen(info->pixels_cmt) + 5;	244	used_size += strlen(info->pixels_cmt) + 5;
230	#endif	245	#endif
231	}	246	}
232	WritePixels(ptr + used_size, &used_size, image->width, image->height,	247	WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
233	image->cpp, image->data, image->colorTable);	248	image->cpp, image->data, image->colorTable);
234		249
235	/* print extensions */	250	/* print extensions */
236	if (extensions)	251	if (extensions)
237	WriteExtensions(ptr + used_size, &used_size,	252	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
238	info->extensions, info->nextensions);	253	info->extensions, info->nextensions);
239		254
240	/* close the array */	255	/* close the array */
Lines 245-250 Link Here
245	return (XpmSuccess);	260	return (XpmSuccess);
246	}	261	}
247		262
		263
248	static int	264	static int
249	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)	265	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
250	char **dataptr;	266	char **dataptr;
Lines 254-260 Link Here
254	unsigned int ncolors;	270	unsigned int ncolors;
255	unsigned int cpp;	271	unsigned int cpp;
256	{	272	{
257	char buf[BUFSIZ];	273	char buf[BUFSIZ] = {0};
258	unsigned int a, key, l;	274	unsigned int a, key, l;
259	char s, s2;	275	char s, s2;
260	char **defaults;	276	char **defaults;
Lines 264-269 Link Here
264		280
265	defaults = (char **) colors;	281	defaults = (char **) colors;
266	s = buf + 1;	282	s = buf + 1;
		283	if(cpp > (sizeof(buf) - (s-buf)))
		284	return(XpmNoMemory);
267	strncpy(s, *defaults++, cpp);	285	strncpy(s, *defaults++, cpp);
268	s += cpp;	286	s += cpp;
269		287
Lines 272-285 Link Here
272	#ifndef VOID_SPRINTF	290	#ifndef VOID_SPRINTF
273	s +=	291	s +=
274	#endif	292	#endif
275	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	293	/* assume C99 compliance */
		294	snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
276	#ifdef VOID_SPRINTF	295	#ifdef VOID_SPRINTF
277	s += strlen(s);	296	s += strlen(s);
278	#endif	297	#endif
		298	/* now let's check if s points out-of-bounds */
		299	if((s-buf) > sizeof(buf))
		300	return(XpmNoMemory);
279	}	301	}
280	}	302	}
		303	if(sizeof(buf) - (s-buf) < 4)
		304	return(XpmNoMemory);
281	strcpy(s, "\",\n");	305	strcpy(s, "\",\n");
282	l = s + 3 - buf;	306	l = s + 3 - buf;
		307	if( *data_size >= UINT_MAX-l \|\|
		308	data_size + l <= used_size \|\|
		309	(data_size + l - used_size) <= sizeof(buf))
		310	return(XpmNoMemory);
283	s = (char ) XpmRealloc(dataptr, *data_size + l);	311	s = (char ) XpmRealloc(dataptr, *data_size + l);
284	if (!s)	312	if (!s)
285	return (XpmNoMemory);	313	return (XpmNoMemory);
Lines 292-299 Link Here
292	}	320	}
293		321
294	static void	322	static void
295	WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)	323	WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
296	char *dataptr;	324	char *dataptr;
		325	unsigned int data_size;
297	unsigned int *used_size;	326	unsigned int *used_size;
298	unsigned int width;	327	unsigned int width;
299	unsigned int height;	328	unsigned int height;
Lines 304-330 Link Here
304	char *s = dataptr;	333	char *s = dataptr;
305	unsigned int x, y, h;	334	unsigned int x, y, h;
306		335
		336	if(height <= 1)
		337	return;
		338
307	h = height - 1;	339	h = height - 1;
308	for (y = 0; y < h; y++) {	340	for (y = 0; y < h; y++) {
309	*s++ = '"';	341	*s++ = '"';
310	for (x = 0; x < width; x++, pixels++) {	342	for (x = 0; x < width; x++, pixels++) {
311	strncpy(s, colors[*pixels].string, cpp);	343	if(cpp >= (data_size - (s-dataptr)))
		344	return;
		345	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? :-\ /
312	s += cpp;	346	s += cpp;
313	}	347	}
		348	if((data_size - (s-dataptr)) < 4)
		349	return;
314	strcpy(s, "\",\n");	350	strcpy(s, "\",\n");
315	s += 3;	351	s += 3;
316	}	352	}
317	/* duplicate some code to avoid a test in the loop */	353	/* duplicate some code to avoid a test in the loop */
318	*s++ = '"';	354	*s++ = '"';
319	for (x = 0; x < width; x++, pixels++) {	355	for (x = 0; x < width; x++, pixels++) {
320	strncpy(s, colors[*pixels].string, cpp);	356	if(cpp >= (data_size - (s-dataptr)))
		357	return;
		358	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? /
321	s += cpp;	359	s += cpp;
322	}	360	}
323	*s++ = '"';	361	*s++ = '"';
324	*used_size += s - dataptr;	362	*used_size += s - dataptr;
325	}	363	}
326		364
327	static int	365	static unsigned int
328	ExtensionsSize(ext, num)	366	ExtensionsSize(ext, num)
329	XpmExtension *ext;	367	XpmExtension *ext;
330	unsigned int num;	368	unsigned int num;
Lines 333-353 Link Here
333	char **line;	371	char **line;
334		372
335	size = 0;	373	size = 0;
		374	if(num == 0)
		375	return(0); /* ok? */
336	for (x = 0; x < num; x++, ext++) {	376	for (x = 0; x < num; x++, ext++) {
337	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */	377	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
338	size += strlen(ext->name) + 11;	378	size += strlen(ext->name) + 11;
339	a = ext->nlines;	379	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
340	for (y = 0, line = ext->lines; y < a; y++, line++)	380	for (y = 0, line = ext->lines; y < a; y++, line++)
341	/* 4 = 3 (for ',\n"') + 1 (for '"') */	381	/* 4 = 3 (for ',\n"') + 1 (for '"') */
342	size += strlen(*line) + 4;	382	size += strlen(*line) + 4;
343	}	383	}
344	/* 13 is for ',\n"XPMENDEXT"' */	384	/* 13 is for ',\n"XPMENDEXT"' */
		385	if(size > UINT_MAX - 13) /* unlikely */
		386	return(0);
345	return size + 13;	387	return size + 13;
346	}	388	}
347		389
348	static void	390	static void
349	WriteExtensions(dataptr, used_size, ext, num)	391	WriteExtensions(dataptr, data_size, used_size, ext, num)
350	char *dataptr;	392	char *dataptr;
		393	unsigned int data_size;
351	unsigned int *used_size;	394	unsigned int *used_size;
352	XpmExtension *ext;	395	XpmExtension *ext;
353	unsigned int num;	396	unsigned int num;
Lines 360-366 Link Here
360	#ifndef VOID_SPRINTF	403	#ifndef VOID_SPRINTF
361	s += 11 +	404	s += 11 +
362	#endif	405	#endif
363	sprintf(s, ",\n\"XPMEXT %s\"", ext->name);	406	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
364	#ifdef VOID_SPRINTF	407	#ifdef VOID_SPRINTF
365	s += strlen(ext->name) + 11;	408	s += strlen(ext->name) + 11;
366	#endif	409	#endif
Lines 369-381 Link Here
369	#ifndef VOID_SPRINTF	412	#ifndef VOID_SPRINTF
370	s += 4 +	413	s += 4 +
371	#endif	414	#endif
372	sprintf(s, ",\n\"%s\"", *line);	415	snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
373	#ifdef VOID_SPRINTF	416	#ifdef VOID_SPRINTF
374	s += strlen(*line) + 4;	417	s += strlen(*line) + 4;
375	#endif	418	#endif
376	}	419	}
377	}	420	}
378	strcpy(s, ",\n\"XPMENDEXT\"");	421	strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
379	*used_size += s - dataptr + 13;	422	*used_size += s - dataptr + 13;
380	}	423	}
381		424
Lines 386-391 Link Here
386	int size = 0;	429	int size = 0;
387		430
388	/* 5 = 2 (for "/_") + 3 (for "_/\n") */	431	/* 5 = 2 (for "/_") + 3 (for "_/\n") */
		432	/* wrap possible but very unlikely */
389	if (info->hints_cmt)	433	if (info->hints_cmt)
390	size += 5 + strlen(info->hints_cmt);	434	size += 5 + strlen(info->hints_cmt);
391		435

Lines 274-280 Link Here

(-)motif.0194/lib/Xm/Xpmdata.c (-4 / +5 lines)
274	}	274	}
275	ungetc(c, file);	275	ungetc(c, file);
276	}	276	}
277	return (n);	277	return (n); /* this returns bytes read + 1 */
278	}	278	}
279		279
280	/*	280	/*
Lines 371-378 Link Here
371	{	371	{
372	if (!mdata->type)	372	if (!mdata->type)
373	*cmt = NULL;	373	*cmt = NULL;
374	else if (mdata->CommentLength) {	374	else if (dmata->CommentLength != 0 && mdata->CommentLength < UINT_MAX - 1) {
375	cmt = (char ) XpmMalloc(mdata->CommentLength + 1);	375	if( (cmt = (char ) XpmMalloc(mdata->CommentLength + 1)) == NULL)
		376	return XpmNoMemory;
376	strncpy(*cmt, mdata->Comment, mdata->CommentLength);	377	strncpy(*cmt, mdata->Comment, mdata->CommentLength);
377	(*cmt)[mdata->CommentLength] = '\0';	378	(*cmt)[mdata->CommentLength] = '\0';
378	mdata->CommentLength = 0;	379	mdata->CommentLength = 0;
Lines 400-406 Link Here
400	xpmParseHeader(mdata)	401	xpmParseHeader(mdata)
401	xpmData *mdata;	402	xpmData *mdata;
402	{	403	{
403	char buf[BUFSIZ];	404	char buf[BUFSIZ+1] = {0};
404	int l, n = 0;	405	int l, n = 0;
405		406
406	if (mdata->type) {	407	if (mdata->type) {

Lines 139-151 Link Here

(-)motif.0194/lib/Xm/Xpmhashtab.c (-3 / +3 lines)
139	unsigned int size = table->size;	139	unsigned int size = table->size;
140	xpmHashAtom t, p;	140	xpmHashAtom t, p;
141	int i;	141	int i;
142	int oldSize = size;	142	unsigned int oldSize = size;
143		143
144	t = atomTable;	144	t = atomTable;
145	HASH_TABLE_GROWS	145	HASH_TABLE_GROWS
146	table->size = size;	146	table->size = size;
147	table->limit = size / 3;	147	table->limit = size / 3;
148	if (size >= SIZE_MAX / sizeof(*atomTable))	148	if (size >= UINT_MAX / sizeof(*atomTable))
149	return (XpmNoMemory);	149	return (XpmNoMemory);
150	atomTable = (xpmHashAtom ) XpmMalloc(size sizeof(*atomTable));	150	atomTable = (xpmHashAtom ) XpmMalloc(size sizeof(*atomTable));
151	if (!atomTable)	151	if (!atomTable)
Lines 207-213 Link Here
207	table->size = INITIAL_HASH_SIZE;	207	table->size = INITIAL_HASH_SIZE;
208	table->limit = table->size / 3;	208	table->limit = table->size / 3;
209	table->used = 0;	209	table->used = 0;
210	if (table->size >= SIZE_MAX / sizeof(*atomTable))	210	if (table->size >= UINT_MAX / sizeof(*atomTable))
211	return (XpmNoMemory);	211	return (XpmNoMemory);
212	atomTable = (xpmHashAtom ) XpmMalloc(table->size sizeof(*atomTable));	212	atomTable = (xpmHashAtom ) XpmMalloc(table->size sizeof(*atomTable));
213	if (!atomTable)	213	if (!atomTable)

Lines 43-63 Link Here

(-)motif.0194/lib/Xm/Xpmparse.c (-36 / +39 lines)
43	#include <ctype.h>	43	#include <ctype.h>
44		44
45	#ifdef HAS_STRLCAT	45	#ifdef HAS_STRLCAT
46	# define STRLCAT(dst, src, dstsize) { \	46	# define STRLCAT(dst, src, dstsize) do { \
47	if (strlcat(dst, src, dstsize) >= (dstsize)) \	47	if (strlcat(dst, src, dstsize) >= (dstsize)) \
48	return (XpmFileInvalid); }	48	return (XpmFileInvalid); } while(0)
49	# define STRLCPY(dst, src, dstsize) { \	49	# define STRLCPY(dst, src, dstsize) do { \
50	if (strlcpy(dst, src, dstsize) >= (dstsize)) \	50	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
51	return (XpmFileInvalid); }	51	return (XpmFileInvalid); } while(0)
52	#else	52	#else
53	# define STRLCAT(dst, src, dstsize) { \	53	# define STRLCAT(dst, src, dstsize) do { \
54	if ((strlen(dst) + strlen(src)) < (dstsize)) \	54	if ((strlen(dst) + strlen(src)) < (dstsize)) \
55	strcat(dst, src); \	55	strcat(dst, src); \
56	else return (XpmFileInvalid); }	56	else return (XpmFileInvalid); } while(0)
57	# define STRLCPY(dst, src, dstsize) { \	57	# define STRLCPY(dst, src, dstsize) do { \
58	if (strlen(src) < (dstsize)) \	58	if (strlen(src) < (dstsize)) \
59	strcpy(dst, src); \	59	strcpy(dst, src); \
60	else return (XpmFileInvalid); }	60	else return (XpmFileInvalid); } while(0)
61	#endif	61	#endif
62		62
63	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,	63	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
Lines 77-90 Link Here
77	/* function call in case of error, frees only locally allocated variables */	77	/* function call in case of error, frees only locally allocated variables */
78	#undef RETURN	78	#undef RETURN
79	#define RETURN(status) \	79	#define RETURN(status) \
80	{ \	80	do { \
81	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \	81	goto error;
82	if (pixelindex) XpmFree(pixelindex); \	82	} while(0)
83	if (hints_cmt) XpmFree(hints_cmt); \
84	if (colors_cmt) XpmFree(colors_cmt); \
85	if (pixels_cmt) XpmFree(pixels_cmt); \
86	return(status); \
87	}
88		83
89	/*	84	/*
90	* This function parses an Xpm file or data and store the found informations	85	* This function parses an Xpm file or data and store the found informations
Lines 347-353 Link Here
347	char **defaults;	342	char **defaults;
348	int ErrorStatus;	343	int ErrorStatus;
349		344
350	if (ncolors >= SIZE_MAX / sizeof(XpmColor))	345	if (ncolors >= UINT_MAX / sizeof(XpmColor))
351	return (XpmNoMemory);	346	return (XpmNoMemory);
352	colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));	347	colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
353	if (!colorTable)	348	if (!colorTable)
Lines 360-366 Link Here
360	/*	355	/*
361	* read pixel value	356	* read pixel value
362	*/	357	*/
363	if (cpp >= SIZE_MAX - 1) {	358	if (cpp >= UINT_MAX - 1) {
364	xpmFreeColorTable(colorTable, ncolors);	359	xpmFreeColorTable(colorTable, ncolors);
365	return (XpmNoMemory);	360	return (XpmNoMemory);
366	}	361	}
Lines 419-427 Link Here
419	return (XpmFileInvalid);	414	return (XpmFileInvalid);
420	}	415	}
421	if (!lastwaskey)	416	if (!lastwaskey)
422	STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */	417	STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
423	buf[l] = '\0';	418	buf[l] = '\0';
424	STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */	419	STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
425	lastwaskey = 0;	420	lastwaskey = 0;
426	}	421	}
427	}	422	}
Lines 429-435 Link Here
429	xpmFreeColorTable(colorTable, ncolors);	424	xpmFreeColorTable(colorTable, ncolors);
430	return (XpmFileInvalid);	425	return (XpmFileInvalid);
431	}	426	}
432	len = strlen(curbuf) + 1;	427	len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
433	s = defaults[curkey] = (char *) XpmMalloc(len);	428	s = defaults[curkey] = (char *) XpmMalloc(len);
434	if (!s) {	429	if (!s) {
435	xpmFreeColorTable(colorTable, ncolors);	430	xpmFreeColorTable(colorTable, ncolors);
Lines 448-454 Link Here
448	/*	443	/*
449	* read pixel value	444	* read pixel value
450	*/	445	*/
451	if (cpp >= SIZE_MAX - 1) {	446	if (cpp >= UINT_MAX - 1) {
452	xpmFreeColorTable(colorTable, ncolors);	447	xpmFreeColorTable(colorTable, ncolors);
453	return (XpmNoMemory);	448	return (XpmNoMemory);
454	}	449	}
Lines 493-499 Link Here
493	memcpy(s, curbuf, len);	488	memcpy(s, curbuf, len);
494	color->c_color = s;	489	color->c_color = s;
495	curbuf = '\0'; / reset curbuf */	490	curbuf = '\0'; / reset curbuf */
496	if (a < ncolors - 1)	491	if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
497	xpmNextString(data); /* get to the next string */	492	xpmNextString(data); /* get to the next string */
498	}	493	}
499	}	494	}
Lines 512-522 Link Here
512	xpmHashTable *hashtable;	507	xpmHashTable *hashtable;
513	unsigned int **pixels;	508	unsigned int **pixels;
514	{	509	{
515	unsigned int iptr, iptr2;	510	unsigned int iptr, iptr2 = NULL; /* found by Egbert Eich */
516	unsigned int a, x, y;	511	unsigned int a, x, y;
517		512
518	if ((height > 0 && width >= SIZE_MAX / height) \|\|	513	if ((height > 0 && width >= UINT_MAX / height) \|\|
519	width * height >= SIZE_MAX / sizeof(unsigned int))	514	width * height >= UINT_MAX / sizeof(unsigned int))
520	return XpmNoMemory;	515	return XpmNoMemory;
521	#ifndef FOR_MSW	516	#ifndef FOR_MSW
522	iptr2 = (unsigned int ) XpmMalloc(sizeof(unsigned int) width * height);	517	iptr2 = (unsigned int ) XpmMalloc(sizeof(unsigned int) width * height);
Lines 541-548 Link Here
541	{	536	{
542	unsigned short colidx[256];	537	unsigned short colidx[256];
543		538
544	if (ncolors > 256)	539	if (ncolors > 256) {
		540	XpmFree(iptr2); /* found by Egbert Eich */
545	return (XpmFileInvalid);	541	return (XpmFileInvalid);
		542	}
546		543
547	bzero((char )colidx, 256 sizeof(short));	544	bzero((char )colidx, 256 sizeof(short));
548	for (a = 0; a < ncolors; a++)	545	for (a = 0; a < ncolors; a++)
Lines 569-584 Link Here
569	{	566	{
570		567
571	/* free all allocated pointers at all exits */	568	/* free all allocated pointers at all exits */
572	#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \	569	#define FREE_CIDX \
573	if (cidx[f]) XpmFree(cidx[f]);}	570	do \
		571	{ \
		572	int f; for (f = 0; f < 256; f++) \
		573	if (cidx[f]) XpmFree(cidx[f]); \
		574	} while(0)
574		575
575	/* array of pointers malloced by need */	576	/* array of pointers malloced by need */
576	unsigned short *cidx[256];	577	unsigned short *cidx[256];
577	int char1;	578	unsigned int char1;
578		579
579	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	580	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
580	for (a = 0; a < ncolors; a++) {	581	for (a = 0; a < ncolors; a++) {
581	char1 = colorTable[a].string[0];	582	char1 = (unsigned char) colorTable[a].string[0];
582	if (cidx[char1] == NULL) { /* get new memory */	583	if (cidx[char1] == NULL) { /* get new memory */
583	cidx[char1] = (unsigned short *)	584	cidx[char1] = (unsigned short *)
584	XpmCalloc(256, sizeof(unsigned short));	585	XpmCalloc(256, sizeof(unsigned short));
Lines 621-628 Link Here
621	char *s;	622	char *s;
622	char buf[BUFSIZ];	623	char buf[BUFSIZ];
623		624
624	if (cpp >= sizeof(buf))	625	if (cpp >= sizeof(buf)) {
		626	XpmFree(iptr2); /* found by Egbert Eich */
625	return (XpmFileInvalid);	627	return (XpmFileInvalid);
		628	}
626		629
627	buf[cpp] = '\0';	630	buf[cpp] = '\0';
628	if (USE_HASHTABLE) {	631	if (USE_HASHTABLE) {
Lines 632-638 Link Here
632	xpmNextString(data);	635	xpmNextString(data);
633	for (x = 0; x < width; x++, iptr++) {	636	for (x = 0; x < width; x++, iptr++) {
634	for (a = 0, s = buf; a < cpp; a++, s++)	637	for (a = 0, s = buf; a < cpp; a++, s++)
635	*s = xpmGetC(data);	638	s = xpmGetC(data); / int assigned to char, not a problem here */
636	slot = xpmHashSlot(hashtable, buf);	639	slot = xpmHashSlot(hashtable, buf);
637	if (!slot) { / no color matches */	640	if (!slot) { / no color matches */
638	XpmFree(iptr2);	641	XpmFree(iptr2);
Lines 646-652 Link Here
646	xpmNextString(data);	649	xpmNextString(data);
647	for (x = 0; x < width; x++, iptr++) {	650	for (x = 0; x < width; x++, iptr++) {
648	for (a = 0, s = buf; a < cpp; a++, s++)	651	for (a = 0, s = buf; a < cpp; a++, s++)
649	*s = xpmGetC(data);	652	s = xpmGetC(data); / int assigned to char, not a problem here */
650	for (a = 0; a < ncolors; a++)	653	for (a = 0; a < ncolors; a++)
651	if (!strcmp(colorTable[a].string, buf))	654	if (!strcmp(colorTable[a].string, buf))
652	break;	655	break;
Lines 701-707 Link Here
701	while (!notstart && notend) {	704	while (!notstart && notend) {
702	/* there starts an extension */	705	/* there starts an extension */
703	ext = (XpmExtension *)	706	ext = (XpmExtension *)
704	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));	707	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
705	if (!ext) {	708	if (!ext) {
706	XpmFree(string);	709	XpmFree(string);
707	XpmFreeExtensions(exts, num);	710	XpmFreeExtensions(exts, num);
Lines 738-744 Link Here
738	while ((notstart = strncmp("XPMEXT", string, 6))	741	while ((notstart = strncmp("XPMEXT", string, 6))
739	&& (notend = strncmp("XPMENDEXT", string, 9))) {	742	&& (notend = strncmp("XPMENDEXT", string, 9))) {
740	sp = (char **)	743	sp = (char **)
741	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));	744	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char )); / can we iterate enough for a wrapping? */
742	if (!sp) {	745	if (!sp) {
743	XpmFree(string);	746	XpmFree(string);
744	ext->nlines = nlines;	747	ext->nlines = nlines;