Lines 42-56
|
42 |
unsigned int *used_size, XpmColor *colors, |
42 |
unsigned int *used_size, XpmColor *colors, |
43 |
unsigned int ncolors, unsigned int cpp)); |
43 |
unsigned int ncolors, unsigned int cpp)); |
44 |
|
44 |
|
45 |
LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size, |
45 |
LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size, |
|
|
46 |
unsigned int *used_size, |
46 |
unsigned int width, unsigned int height, |
47 |
unsigned int width, unsigned int height, |
47 |
unsigned int cpp, unsigned int *pixels, |
48 |
unsigned int cpp, unsigned int *pixels, |
48 |
XpmColor *colors)); |
49 |
XpmColor *colors)); |
49 |
|
50 |
|
50 |
LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size, |
51 |
LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size, |
|
|
52 |
unsigned int *used_size, |
51 |
XpmExtension *ext, unsigned int num)); |
53 |
XpmExtension *ext, unsigned int num)); |
52 |
|
54 |
|
53 |
LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num)); |
55 |
LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num)); |
54 |
LFUNC(CommentsSize, int, (XpmInfo *info)); |
56 |
LFUNC(CommentsSize, int, (XpmInfo *info)); |
55 |
|
57 |
|
56 |
int |
58 |
int |
Lines 111-117
|
111 |
unsigned int cmts, extensions, ext_size = 0; |
113 |
unsigned int cmts, extensions, ext_size = 0; |
112 |
unsigned int l, cmt_size = 0; |
114 |
unsigned int l, cmt_size = 0; |
113 |
char *ptr = NULL, *p; |
115 |
char *ptr = NULL, *p; |
114 |
unsigned int ptr_size, used_size; |
116 |
unsigned int ptr_size, used_size, tmp; |
115 |
|
117 |
|
116 |
*buffer_return = NULL; |
118 |
*buffer_return = NULL; |
117 |
|
119 |
|
Lines 133-139
|
133 |
#ifdef VOID_SPRINTF |
135 |
#ifdef VOID_SPRINTF |
134 |
used_size = strlen(buf); |
136 |
used_size = strlen(buf); |
135 |
#endif |
137 |
#endif |
136 |
ptr_size = used_size + ext_size + cmt_size + 1; |
138 |
ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */ |
|
|
139 |
if(ptr_size <= used_size || |
140 |
ptr_size <= ext_size || |
141 |
ptr_size <= cmt_size) |
142 |
{ |
143 |
return XpmNoMemory; |
144 |
} |
137 |
ptr = (char *) XpmMalloc(ptr_size); |
145 |
ptr = (char *) XpmMalloc(ptr_size); |
138 |
if (!ptr) |
146 |
if (!ptr) |
139 |
return XpmNoMemory; |
147 |
return XpmNoMemory; |
Lines 144-150
|
144 |
#ifndef VOID_SPRINTF |
152 |
#ifndef VOID_SPRINTF |
145 |
used_size += |
153 |
used_size += |
146 |
#endif |
154 |
#endif |
147 |
sprintf(ptr + used_size, "/*%s*/\n", info->hints_cmt); |
155 |
snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt); |
148 |
#ifdef VOID_SPRINTF |
156 |
#ifdef VOID_SPRINTF |
149 |
used_size += strlen(info->hints_cmt) + 5; |
157 |
used_size += strlen(info->hints_cmt) + 5; |
150 |
#endif |
158 |
#endif |
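Review bot: The result of `snprintf` at new line 155 is still added to `used_size` unchecked in the `#ifndef VOID_SPRINTF` branch, and the `VOID_SPRINTF` branch adds `strlen(info->hints_cmt) + 5` regardless of how much was actually written. On truncation `snprintf` returns the length it would have needed, so `used_size` can move past `ptr_size`, and every later `ptr_size-used_size` then wraps to a very large bound. I would keep the result in an `int n`, leave through `RETURN(XpmNoMemory)` when `n < 0 || (unsigned int)n >= ptr_size - used_size`, and only then advance `used_size`. The same pattern recurs at the `colors_cmt` and `pixels_cmt` writes and at the `snprintf` calls in WriteColors and WriteExtensions; the enclosing function starts and ends outside this hunk.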
Lines 162-168
|
162 |
#ifndef VOID_SPRINTF |
170 |
#ifndef VOID_SPRINTF |
163 |
l += |
171 |
l += |
164 |
#endif |
172 |
#endif |
165 |
sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot); |
173 |
snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot); |
166 |
#ifdef VOID_SPRINTF |
174 |
#ifdef VOID_SPRINTF |
167 |
l = strlen(buf); |
175 |
l = strlen(buf); |
168 |
#endif |
176 |
#endif |
Lines 184-189
|
184 |
l = strlen(buf); |
192 |
l = strlen(buf); |
185 |
#endif |
193 |
#endif |
186 |
ptr_size += l; |
194 |
ptr_size += l; |
|
|
195 |
if(ptr_size <= l) |
196 |
RETURN(XpmNoMemory); |
187 |
p = (char *) XpmRealloc(ptr, ptr_size); |
197 |
p = (char *) XpmRealloc(ptr, ptr_size); |
188 |
if (!p) |
198 |
if (!p) |
189 |
RETURN(XpmNoMemory); |
199 |
RETURN(XpmNoMemory); |
Lines 196-202
|
196 |
#ifndef VOID_SPRINTF |
206 |
#ifndef VOID_SPRINTF |
197 |
used_size += |
207 |
used_size += |
198 |
#endif |
208 |
#endif |
199 |
sprintf(ptr + used_size, "/*%s*/\n", info->colors_cmt); |
209 |
snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt); |
200 |
#ifdef VOID_SPRINTF |
210 |
#ifdef VOID_SPRINTF |
201 |
used_size += strlen(info->colors_cmt) + 5; |
211 |
used_size += strlen(info->colors_cmt) + 5; |
202 |
#endif |
212 |
#endif |
Lines 212-218
|
212 |
* 4 = 1 (for '"') + 3 (for '",\n') |
222 |
* 4 = 1 (for '"') + 3 (for '",\n') |
213 |
* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n') |
223 |
* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n') |
214 |
*/ |
224 |
*/ |
215 |
ptr_size += image->height * (image->width * image->cpp + 4) + 1; |
225 |
if(image->width > UINT_MAX / image->cpp || |
|
|
226 |
(tmp = image->width * image->cpp + 4) <= 4 || |
227 |
image->height > UINT_MAX / tmp || |
228 |
(tmp = image->height * tmp + 1) <= 1 || |
229 |
(ptr_size += tmp) <= tmp) |
230 |
RETURN(XpmNoMemory); |
216 |
|
231 |
|
217 |
p = (char *) XpmRealloc(ptr, ptr_size); |
232 |
p = (char *) XpmRealloc(ptr, ptr_size); |
218 |
if (!p) |
233 |
if (!p) |
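Review bot: `UINT_MAX / image->cpp` at new line 225 divides by zero when `image->cpp` is 0, and nothing visible in this hunk rules that value out. Unless `cpp` is validated earlier in the function (outside the hunk), the chain should start with that test: `if(image->cpp == 0 || image->width > UINT_MAX / image->cpp ||`. The later clauses are safe against a zero divisor because `tmp` is known to be greater than 4 by the time `UINT_MAX / tmp` is evaluated. A one-line comment stating that the assignments to `tmp` and `ptr_size` inside the condition are intentional would make the overflow logic easier to audit.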
Lines 224-240
|
224 |
#ifndef VOID_SPRINTF |
239 |
#ifndef VOID_SPRINTF |
225 |
used_size += |
240 |
used_size += |
226 |
#endif |
241 |
#endif |
227 |
sprintf(ptr + used_size, "/*%s*/\n", info->pixels_cmt); |
242 |
snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt); |
228 |
#ifdef VOID_SPRINTF |
243 |
#ifdef VOID_SPRINTF |
229 |
used_size += strlen(info->pixels_cmt) + 5; |
244 |
used_size += strlen(info->pixels_cmt) + 5; |
230 |
#endif |
245 |
#endif |
231 |
} |
246 |
} |
232 |
WritePixels(ptr + used_size, &used_size, image->width, image->height, |
247 |
WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height, |
233 |
image->cpp, image->data, image->colorTable); |
248 |
image->cpp, image->data, image->colorTable); |
234 |
|
249 |
|
235 |
/* print extensions */ |
250 |
/* print extensions */ |
236 |
if (extensions) |
251 |
if (extensions) |
237 |
WriteExtensions(ptr + used_size, &used_size, |
252 |
WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size, |
238 |
info->extensions, info->nextensions); |
253 |
info->extensions, info->nextensions); |
239 |
|
254 |
|
240 |
/* close the array */ |
255 |
/* close the array */ |
Lines 245-250
|
245 |
return (XpmSuccess); |
260 |
return (XpmSuccess); |
246 |
} |
261 |
} |
247 |
|
262 |
|
|
|
263 |
|
248 |
static int |
264 |
static int |
249 |
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp) |
265 |
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp) |
250 |
char **dataptr; |
266 |
char **dataptr; |
Lines 254-260
|
254 |
unsigned int ncolors; |
270 |
unsigned int ncolors; |
255 |
unsigned int cpp; |
271 |
unsigned int cpp; |
256 |
{ |
272 |
{ |
257 |
char buf[BUFSIZ]; |
273 |
char buf[BUFSIZ] = {0}; |
258 |
unsigned int a, key, l; |
274 |
unsigned int a, key, l; |
259 |
char *s, *s2; |
275 |
char *s, *s2; |
260 |
char **defaults; |
276 |
char **defaults; |
Lines 264-269
|
264 |
|
280 |
|
265 |
defaults = (char **) colors; |
281 |
defaults = (char **) colors; |
266 |
s = buf + 1; |
282 |
s = buf + 1; |
|
|
283 |
if(cpp > (sizeof(buf) - (s-buf))) |
284 |
return(XpmNoMemory); |
267 |
strncpy(s, *defaults++, cpp); |
285 |
strncpy(s, *defaults++, cpp); |
268 |
s += cpp; |
286 |
s += cpp; |
269 |
|
287 |
|
Lines 272-285
|
272 |
#ifndef VOID_SPRINTF |
290 |
#ifndef VOID_SPRINTF |
273 |
s += |
291 |
s += |
274 |
#endif |
292 |
#endif |
275 |
sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2); |
293 |
/* assume C99 compliance */ |
|
|
294 |
snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2); |
276 |
#ifdef VOID_SPRINTF |
295 |
#ifdef VOID_SPRINTF |
277 |
s += strlen(s); |
296 |
s += strlen(s); |
278 |
#endif |
297 |
#endif |
|
|
298 |
/* now let's check if s points out-of-bounds */ |
299 |
if((s-buf) > sizeof(buf)) |
300 |
return(XpmNoMemory); |
279 |
} |
301 |
} |
280 |
} |
302 |
} |
|
|
303 |
if(sizeof(buf) - (s-buf) < 4) |
304 |
return(XpmNoMemory); |
281 |
strcpy(s, "\",\n"); |
305 |
strcpy(s, "\",\n"); |
282 |
l = s + 3 - buf; |
306 |
l = s + 3 - buf; |
|
|
307 |
if( *data_size >= UINT_MAX-l || |
308 |
*data_size + l <= *used_size || |
309 |
(*data_size + l - *used_size) <= sizeof(buf)) |
310 |
return(XpmNoMemory); |
283 |
s = (char *) XpmRealloc(*dataptr, *data_size + l); |
311 |
s = (char *) XpmRealloc(*dataptr, *data_size + l); |
284 |
if (!s) |
312 |
if (!s) |
285 |
return (XpmNoMemory); |
313 |
return (XpmNoMemory); |
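Review bot: The bounds test at new line 299 runs only after `s` has been advanced by the `snprintf` result, which on truncation is the length that would have been needed, so `s` can already point past `buf` when it is compared; `(s-buf) > sizeof(buf)` also lets the exactly-full, truncated case through until a later check. Comparing the return value with the remaining space before adding it to `s` avoids both, e.g. `if (n < 0 || (size_t)n >= sizeof(buf) - (s-buf)) return(XpmNoMemory);`. Separately, the third clause at new line 309 rejects whenever the free space after growing by `l` is `<= sizeof(buf)`, which looks stricter than the `l` bytes being appended. The copy that follows the `XpmRealloc` is outside this hunk, so it is worth confirming that this clause does not refuse ordinary small images.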
Lines 292-299
|
292 |
} |
320 |
} |
293 |
|
321 |
|
294 |
static void |
322 |
static void |
295 |
WritePixels(dataptr, used_size, width, height, cpp, pixels, colors) |
323 |
WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors) |
296 |
char *dataptr; |
324 |
char *dataptr; |
|
|
325 |
unsigned int data_size; |
297 |
unsigned int *used_size; |
326 |
unsigned int *used_size; |
298 |
unsigned int width; |
327 |
unsigned int width; |
299 |
unsigned int height; |
328 |
unsigned int height; |
Lines 304-330
|
304 |
char *s = dataptr; |
333 |
char *s = dataptr; |
305 |
unsigned int x, y, h; |
334 |
unsigned int x, y, h; |
306 |
|
335 |
|
|
|
336 |
if(height <= 1) |
337 |
return; |
338 |
|
307 |
h = height - 1; |
339 |
h = height - 1; |
308 |
for (y = 0; y < h; y++) { |
340 |
for (y = 0; y < h; y++) { |
309 |
*s++ = '"'; |
341 |
*s++ = '"'; |
310 |
for (x = 0; x < width; x++, pixels++) { |
342 |
for (x = 0; x < width; x++, pixels++) { |
311 |
strncpy(s, colors[*pixels].string, cpp); |
343 |
if(cpp >= (data_size - (s-dataptr))) |
|
|
344 |
return; |
345 |
strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */ |
312 |
s += cpp; |
346 |
s += cpp; |
313 |
} |
347 |
} |
|
|
348 |
if((data_size - (s-dataptr)) < 4) |
349 |
return; |
314 |
strcpy(s, "\",\n"); |
350 |
strcpy(s, "\",\n"); |
315 |
s += 3; |
351 |
s += 3; |
316 |
} |
352 |
} |
317 |
/* duplicate some code to avoid a test in the loop */ |
353 |
/* duplicate some code to avoid a test in the loop */ |
318 |
*s++ = '"'; |
354 |
*s++ = '"'; |
319 |
for (x = 0; x < width; x++, pixels++) { |
355 |
for (x = 0; x < width; x++, pixels++) { |
320 |
strncpy(s, colors[*pixels].string, cpp); |
356 |
if(cpp >= (data_size - (s-dataptr))) |
|
|
357 |
return; |
358 |
strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */ |
321 |
s += cpp; |
359 |
s += cpp; |
322 |
} |
360 |
} |
323 |
*s++ = '"'; |
361 |
*s++ = '"'; |
324 |
*used_size += s - dataptr; |
362 |
*used_size += s - dataptr; |
325 |
} |
363 |
} |
326 |
|
364 |
|
327 |
static int |
365 |
static unsigned int |
328 |
ExtensionsSize(ext, num) |
366 |
ExtensionsSize(ext, num) |
329 |
XpmExtension *ext; |
367 |
XpmExtension *ext; |
330 |
unsigned int num; |
368 |
unsigned int num; |
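Review bot: The new guard `if(height <= 1) return;` in WritePixels also skips images with exactly one row: with `height == 1` the loop over `h = height - 1` rows is empty and the code after it writes that single row, so only `height == 0` (where `h` would wrap) needs the early exit, i.e. `if(height == 0) return;`. The added `return;` statements for a short buffer leave `*used_size` untouched in a `void` function, so the caller cannot tell a truncated pixel section from a complete one; returning a status would let it fail with `XpmNoMemory` instead. The opening and closing `'"'` stores are still written without a space check, and `colors[*pixels]` is still indexed without a range check, as the added comment itself points out. The function's signature lies in the previous hunk.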
Lines 333-353
|
333 |
char **line; |
371 |
char **line; |
334 |
|
372 |
|
335 |
size = 0; |
373 |
size = 0; |
|
|
374 |
if(num == 0) |
375 |
return(0); /* ok? */ |
336 |
for (x = 0; x < num; x++, ext++) { |
376 |
for (x = 0; x < num; x++, ext++) { |
337 |
/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */ |
377 |
/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */ |
338 |
size += strlen(ext->name) + 11; |
378 |
size += strlen(ext->name) + 11; |
339 |
a = ext->nlines; |
379 |
a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */ |
340 |
for (y = 0, line = ext->lines; y < a; y++, line++) |
380 |
for (y = 0, line = ext->lines; y < a; y++, line++) |
341 |
/* 4 = 3 (for ',\n"') + 1 (for '"') */ |
381 |
/* 4 = 3 (for ',\n"') + 1 (for '"') */ |
342 |
size += strlen(*line) + 4; |
382 |
size += strlen(*line) + 4; |
343 |
} |
383 |
} |
344 |
/* 13 is for ',\n"XPMENDEXT"' */ |
384 |
/* 13 is for ',\n"XPMENDEXT"' */ |
|
|
385 |
if(size > UINT_MAX - 13) /* unlikely */ |
386 |
return(0); |
345 |
return size + 13; |
387 |
return size + 13; |
346 |
} |
388 |
} |
347 |
|
389 |
|
348 |
static void |
390 |
static void |
349 |
WriteExtensions(dataptr, used_size, ext, num) |
391 |
WriteExtensions(dataptr, data_size, used_size, ext, num) |
350 |
char *dataptr; |
392 |
char *dataptr; |
|
|
393 |
unsigned int data_size; |
351 |
unsigned int *used_size; |
394 |
unsigned int *used_size; |
352 |
XpmExtension *ext; |
395 |
XpmExtension *ext; |
353 |
unsigned int num; |
396 |
unsigned int num; |
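Review bot: Only the final `size + 13` in ExtensionsSize is guarded; the additions `size += strlen(ext->name) + 11` and `size += strlen(*line) + 4` inside the loops can wrap before that test is reached. Returning 0 on overflow is also indistinguishable from the new `num == 0` result, so the caller presumably cannot turn it into an error (how the value is used is outside this hunk). Checking each length against `UINT_MAX - size` before adding it, and reporting failure through a distinct value, would close both gaps. The declaration of `size` is not in the hunk, so its type should be confirmed as `unsigned int` to match the new return type.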
Lines 360-366
|
360 |
#ifndef VOID_SPRINTF |
403 |
#ifndef VOID_SPRINTF |
361 |
s += 11 + |
404 |
s += 11 + |
362 |
#endif |
405 |
#endif |
363 |
sprintf(s, ",\n\"XPMEXT %s\"", ext->name); |
406 |
snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name); |
364 |
#ifdef VOID_SPRINTF |
407 |
#ifdef VOID_SPRINTF |
365 |
s += strlen(ext->name) + 11; |
408 |
s += strlen(ext->name) + 11; |
366 |
#endif |
409 |
#endif |
Lines 369-381
|
369 |
#ifndef VOID_SPRINTF |
412 |
#ifndef VOID_SPRINTF |
370 |
s += 4 + |
413 |
s += 4 + |
371 |
#endif |
414 |
#endif |
372 |
sprintf(s, ",\n\"%s\"", *line); |
415 |
snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line); |
373 |
#ifdef VOID_SPRINTF |
416 |
#ifdef VOID_SPRINTF |
374 |
s += strlen(*line) + 4; |
417 |
s += strlen(*line) + 4; |
375 |
#endif |
418 |
#endif |
376 |
} |
419 |
} |
377 |
} |
420 |
} |
378 |
strcpy(s, ",\n\"XPMENDEXT\""); |
421 |
strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1); |
379 |
*used_size += s - dataptr + 13; |
422 |
*used_size += s - dataptr + 13; |
380 |
} |
423 |
} |
381 |
|
424 |
|
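Review bot: The bound in `strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1)` at new line 421 is computed without checking that `s` is still inside the buffer. If no space remains the expression goes below zero and converts to a huge count, and `strncpy` zero-fills up to that count. `s` can get there because `s += 4 + snprintf(...)` in this hunk adds the would-be length unchecked. With fewer than 14 bytes left the trailer is cut and left unterminated, yet `*used_size += s - dataptr + 13` is applied unconditionally. I would compute the offset once and bail out before the copy, `size_t off = s - dataptr; if (off >= data_size || data_size - off < 14) return;`, ideally returning a status so the caller can fail rather than report success.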
Lines 386-391
|
386 |
int size = 0; |
429 |
int size = 0; |
387 |
|
430 |
|
388 |
/* 5 = 2 (for "/_*") + 3 (for "*_/\n") */ |
431 |
/* 5 = 2 (for "/_*") + 3 (for "*_/\n") */ |
|
|
432 |
/* wrap possible but *very* unlikely */ |
389 |
if (info->hints_cmt) |
433 |
if (info->hints_cmt) |
390 |
size += 5 + strlen(info->hints_cmt); |
434 |
size += 5 + strlen(info->hints_cmt); |
391 |
|
435 |
|