Attachment #51206 for bug #78111




        XpmCrBufFrP.c  XpmCrPFrBuf.c  XpmRdFToDat.c  XpmWrFFrP.c    Xpmrgb.c \
        XpmCrDatFrI.c  XpmCrPFrDat.c  XpmRdFToI.c    Xpmcreate.c    Xpmscan.c \
        XpmCrDatFrP.c  XpmCrPFrI.c    XpmRdFToP.c    Xpmdata.c \
        XpmCrIFrBuf.c  XpmImage.c     XpmWrFFrBuf.c  Xpmhashtab.c \
        Xpms_popen.c

#if UseLocalRegex
REGEX_SRCS = regexp.c

        XpmCrBufFrP.o  XpmCrPFrBuf.o  XpmRdFToDat.o  XpmWrFFrP.o    Xpmrgb.o \
        XpmCrDatFrI.o  XpmCrPFrDat.o  XpmRdFToI.o    Xpmcreate.o    Xpmscan.o \
        XpmCrDatFrP.o  XpmCrPFrI.o    XpmRdFToP.o    Xpmdata.o \
        XpmCrIFrBuf.o  XpmImage.o     XpmWrFFrBuf.o  Xpmhashtab.o \
        Xpms_popen.o

#if UseLocalRegex
REGEX_OBJS = regexp.o

Lines 241-247 Link Here

(-)lib/Xm/Makefile.am (-1 / +2 lines)
241	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \	241	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \
242	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \	242	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \
243	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \	243	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \
244	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c	244	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \
		245	Xpms_popen.c
245		246
246	NEW_WID_SRCS = IconH.c Container.c IconG.c \	247	NEW_WID_SRCS = IconH.c Container.c IconG.c \
247	Notebook.c ComboBox.c GrabShell.c SpinB.c \	248	Notebook.c ComboBox.c GrabShell.c SpinB.c \




/*
 * Copyright (C) 2004 The X.Org fundation
 * 
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is fur-
 * nished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT.  IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
 * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 * 
 * Except as contained in this notice, the name of the X.Org fundation
 * shall not be used in advertising or otherwise to promote the sale,
 * use or other dealings in this Software without prior written
 * authorization from the X.Org fundation.
 */

/*
** This is a secure but NOT 100% compatible replacement for popen()
** Note:        - don't use pclose() use fclose() for closing the returned
**                filedesc.!!!
**
** Known Bugs:  - unable to use i/o-redirection like > or <
** Author:      - Thomas Biege <thomas@suse.de>
** Credits:     - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
**                calling strtok()
*/

#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include "XpmI.h"

#define __SEC_POPEN_TOKEN " "

FILE *Xpms_popen(char *cmd, const char *type)
{
  pid_t pid;
  int pfd[2];
  int rpipe = 0, wpipe = 0, i;
  char **argv;
  char *ptr;
  char *cmdcpy;


  if(cmd == NULL || cmd == "")
    return(NULL);

  if(type[0] != 'r' && type[0] != 'w')
    return(NULL);

  if ((cmdcpy = strdup(cmd)) == NULL)
    return(NULL);

  argv = NULL;
  if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
  {
    free(cmdcpy);
    return(NULL);
  }

  for(i = 0;; i++)
  {
    if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
    {
      free(cmdcpy);
      return(NULL);
    }

    if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
    {
      free(cmdcpy);
      return(NULL);
    }

    strcpy(argv[i], ptr);

    if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
    {
      if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
      {
        free(cmdcpy);
        return(NULL);
      }
      argv[i+1] = NULL;
      break;
    }
  }


  if(type[0] == 'r')
    rpipe = 1;
  else
    wpipe = 1;

  if (pipe(pfd) < 0)
  {
    free(cmdcpy);
    return(NULL);
  }

	if((pid = fork()) < 0)
  {
    close(pfd[0]);
    close(pfd[1]);
    free(cmdcpy);
    return(NULL);
  }

	if(pid == 0)    /* child */
  {
    if((pid = fork()) < 0)
    {
      close(pfd[0]);
      close(pfd[1]);
      free(cmdcpy);
      return(NULL);
    }
    if(pid > 0)
    {
      exit(0);  /* child nr. 1 exits */
    }

    /* child nr. 2 */
    if(rpipe)
    {
      close(pfd[0]);  /* close reading end, we don't need it */
      dup2(STDOUT_FILENO, STDERR_FILENO);
      if (pfd[1] != STDOUT_FILENO)
        dup2(pfd[1], STDOUT_FILENO);  /* redirect stdout to writing end of pipe */
    }
    else
    {
      close(pfd[1]);  /* close writing end, we don't need it */
      if (pfd[0] != STDIN_FILENO)
        dup2(pfd[0], STDIN_FILENO);    /* redirect stdin to reading end of pipe */
	  }

    if(strchr(argv[0], '/') == NULL)
      execvp(argv[0], argv);  /* search in $PATH */
    else
      execv(argv[0], argv);

    close(pfd[0]);
    close(pfd[1]);
    free(cmdcpy);
    return(NULL);  /* exec failed.. ooops! */
  }
  else          /* parent */
  {
    waitpid(pid, NULL, 0); /* wait for child nr. 1 */

    if(rpipe)
    {
      close(pfd[1]);
      free(cmdcpy);
      return(fdopen(pfd[0], "r"));
    }
    else
    {
      close(pfd[0]);
      free(cmdcpy);
      return(fdopen(pfd[1], "w"));
    }

  }
}





LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
                                 XpmColor ***oldct));

LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));

/*
 * Create a colortable compatible with the old style colortable

    XpmColor ***oldct;
{
    XpmColor **colorTable, **color;
    unsigned int a;

    if (ncolors >= UINT_MAX / sizeof(XpmColor *)) 
        return XpmNoMemory;

    colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));

static void
FreeOldColorTable(colorTable, ncolors)
    XpmColor **colorTable;
    unsigned int ncolors;
{
    unsigned int a, b;
    XpmColor **color;
    char **sptr;


    XpmExtension *ext;
    char **sptr;

    if (extensions  && nextensions > 0) {
	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
	    if (ext->name)
		XpmFree(ext->name);




#endif


/* October 2004, source code review by Thomas Biege <thomas@suse.de> */


#include "XpmI.h"

LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size,
			 unsigned int *used_size, XpmColor *colors,
			 unsigned int ncolors, unsigned int cpp));

LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
			  unsigned int *used_size,
			  unsigned int width, unsigned int height,
			  unsigned int cpp, unsigned int *pixels,
			  XpmColor *colors));

LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
			      unsigned int *used_size,
			      XpmExtension *ext, unsigned int num));

LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
LFUNC(CommentsSize, int, (XpmInfo *info));

int


#undef RETURN
#define RETURN(status) \
do \
{ \
    if (ptr) \
	XpmFree(ptr); \
    return(status); \
} while(0)

int
XpmCreateBufferFromXpmImage(buffer_return, image, info)

    unsigned int cmts, extensions, ext_size = 0;
    unsigned int l, cmt_size = 0;
    char *ptr = NULL, *p;
    unsigned int ptr_size, used_size, tmp;

    *buffer_return = NULL;


#ifdef VOID_SPRINTF
    used_size = strlen(buf);
#endif
    ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
    if(ptr_size <= used_size ||
       ptr_size <= ext_size  ||
       ptr_size <= cmt_size)
    {
        return XpmNoMemory;
    }
    ptr = (char *) XpmMalloc(ptr_size);
    if (!ptr)
	return XpmNoMemory;

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->hints_cmt) + 5;
#endif

#ifndef VOID_SPRINTF
	l +=
#endif
	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
#ifdef VOID_SPRINTF
	l = strlen(buf);
#endif

    l = strlen(buf);
#endif
    ptr_size += l;
    if(ptr_size <= l)
        RETURN(XpmNoMemory);
    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)
	RETURN(XpmNoMemory);

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->colors_cmt) + 5;
#endif

     * 4 = 1 (for '"') + 3 (for '",\n')
     * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
     */
     if(image->width  > UINT_MAX / image->cpp ||
       (tmp = image->width * image->cpp + 4) <= 4 ||
        image->height > UINT_MAX / tmp ||
       (tmp = image->height * tmp + 1) <= 1 ||
       (ptr_size += tmp) <= tmp)
	RETURN(XpmNoMemory);

    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->pixels_cmt) + 5;
#endif
    }
    WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
		image->cpp, image->data, image->colorTable);

    /* print extensions */
    if (extensions)
	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
			info->extensions, info->nextensions);

    /* close the array */

    return (XpmSuccess);
}


static int
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
    char **dataptr;

    unsigned int ncolors;
    unsigned int cpp;
{
    char buf[BUFSIZ] = {0};
    unsigned int a, key, l;
    char *s, *s2;
    char **defaults;


	defaults = (char **) colors;
	s = buf + 1;
        if(cpp > (sizeof(buf) - (s-buf)))
                return(XpmNoMemory);
        strncpy(s, *defaults++, cpp);
        s += cpp;

        for (key = 1; key <= NKEYS; key++, defaults++) {
            if ((s2 = *defaults)) {
#ifndef VOID_SPRINTF
                s +=
#endif
                /* assume C99 compliance */
                snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
#ifdef VOID_SPRINTF
                s += strlen(s);
#endif
                /* now let's check if s points out-of-bounds */
                if((s-buf) > sizeof(buf))
                        return(XpmNoMemory);
            }
        }
        if(sizeof(buf) - (s-buf) < 4)
                return(XpmNoMemory);
        strcpy(s, "\",\n");
        l = s + 3 - buf;
        if( *data_size                   >= UINT_MAX-l ||
            *data_size + l               <= *used_size ||
           (*data_size + l - *used_size) <= sizeof(buf))
                return(XpmNoMemory);
	s = (char *) XpmRealloc(*dataptr, *data_size + l);
	if (!s)
	    return (XpmNoMemory);

}

static void
WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    unsigned int width;
    unsigned int height;

    char *s = dataptr;
    unsigned int x, y, h;

    if(height <= 1)
    	return;

    h = height - 1;
    for (y = 0; y < h; y++) {
	*s++ = '"';
	for (x = 0; x < width; x++, pixels++) {
	    if(cpp >= (data_size - (s-dataptr)))
		return;
	    strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
	    s += cpp;
	}
	if((data_size - (s-dataptr)) < 4)
		return;
	strcpy(s, "\",\n");
	s += 3;
    }
    /* duplicate some code to avoid a test in the loop */
    *s++ = '"';
    for (x = 0; x < width; x++, pixels++) {
	if(cpp >= (data_size - (s-dataptr)))
	    return;
	strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
	s += cpp;
    }
    *s++ = '"';
    *used_size += s - dataptr;
}

static unsigned int
ExtensionsSize(ext, num)
    XpmExtension *ext;
    unsigned int num;

    char **line;

    size = 0;
    if(num == 0)
    	return(0); /* ok? */
    for (x = 0; x < num; x++, ext++) {
	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
	size += strlen(ext->name) + 11;
	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
	for (y = 0, line = ext->lines; y < a; y++, line++)
	    /* 4 = 3 (for ',\n"') + 1 (for '"') */
	    size += strlen(*line) + 4;
    }
    /* 13 is for ',\n"XPMENDEXT"' */
    if(size > UINT_MAX - 13) /* unlikely */
    	return(0);
    return size + 13;
}

static void
WriteExtensions(dataptr, data_size, used_size, ext, num)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    XpmExtension *ext;
    unsigned int num;


    for (x = 0; x < num; x++, ext++) {
#ifndef VOID_SPRINTF
	s +=
#endif
	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
#ifdef VOID_SPRINTF
	s += strlen(ext->name) + 11;
#endif
	a = ext->nlines;
	for (y = 0, line = ext->lines; y < a; y++, line++) {
#ifndef VOID_SPRINTF
	    s +=
#endif
	    snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
#ifdef VOID_SPRINTF
	    s += strlen(*line) + 4;
#endif
	}
    }
    strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
    *used_size += s - dataptr + 13;
}


    int size = 0;

    /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
    /* wrap possible but *very* unlikely */
    if (info->hints_cmt)
	size += 5 + strlen(info->hints_cmt);


Lines 38-50 Link Here

(-)lib/Xm/XpmCrDatFrI.c (-18 / +73 lines)
38	#endif	38	#endif
39		39
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42		44
43	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,	45	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,
44	XpmColor *colors, unsigned int ncolors,	46	XpmColor *colors, unsigned int ncolors,
45	unsigned int cpp));	47	unsigned int cpp));
46		48
47	LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,	49	LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
		50	unsigned int width,
48	unsigned int height, unsigned int cpp,	51	unsigned int height, unsigned int cpp,
49	unsigned int pixels, XpmColor colors));	52	unsigned int pixels, XpmColor colors));
50		53
Lines 52-58 Link Here
52	unsigned int *ext_size,	55	unsigned int *ext_size,
53	unsigned int *ext_nlines));	56	unsigned int *ext_nlines));
54		57
55	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,	58	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
		59	unsigned int offset,
56	XpmExtension *ext, unsigned int num,	60	XpmExtension *ext, unsigned int num,
57	unsigned int ext_nlines));	61	unsigned int ext_nlines));
58		62
Lines 93-98 Link Here
93		97
94	#undef RETURN	98	#undef RETURN
95	#define RETURN(status) \	99	#define RETURN(status) \
		100	do \
96	{ \	101	{ \
97	if (header) { \	102	if (header) { \
98	for (l = 0; l < header_nlines; l++) \	103	for (l = 0; l < header_nlines; l++) \
Lines 101-107 Link Here
101	XpmFree(header); \	106	XpmFree(header); \
102	} \	107	} \
103	return(status); \	108	return(status); \
104	}	109	} while(0)
105		110
106	int	111	int
107	XpmCreateDataFromXpmImage(data_return, image, info)	112	XpmCreateDataFromXpmImage(data_return, image, info)
Lines 133-142 Link Here
133	* is the hints line + the color table lines	138	* is the hints line + the color table lines
134	*/	139	*/
135	header_nlines = 1 + image->ncolors;	140	header_nlines = 1 + image->ncolors;
		141
		142	if(header_nlines <= image->ncolors \|\|
		143	header_nlines >= UINT_MAX / sizeof(char *))
		144	return(XpmNoMemory);
		145
136	header_size = sizeof(char ) header_nlines;	146	header_size = sizeof(char ) header_nlines;
137	if (header_size >= SIZE_MAX / sizeof(char *))	147	if (header_size >= UINT_MAX / sizeof(char *))
138	return (XpmNoMemory);	148	return (XpmNoMemory);
139	header = (char *) XpmCalloc(header_size, sizeof(char ));	149	header = (char *) XpmCalloc(header_size, sizeof(char ));
140	if (!header)	150	if (!header)
141	return (XpmNoMemory);	151	return (XpmNoMemory);
142		152
Lines 180-187 Link Here
180		190
181	/* now we know the size needed, alloc the data and copy the header lines */	191	/* now we know the size needed, alloc the data and copy the header lines */
182	offset = image->width * image->cpp + 1;	192	offset = image->width * image->cpp + 1;
183	data_size = header_size + (image->height + ext_nlines) * sizeof(char *)	193
184	+ image->height * offset + ext_size;	194	if(offset <= image->width \|\| offset <= image->cpp)
		195	RETURN(XpmNoMemory);
		196
		197	if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
		198	RETURN(XpmNoMemory);
		199	data_size = (image->height + ext_nlines) * sizeof(char *);
		200
		201	if (image->height > UINT_MAX / offset \|\|
		202	image->height * offset > UINT_MAX - data_size)
		203	RETURN(XpmNoMemory);
		204	data_size += image->height * offset;
		205
		206	if( (header_size + ext_size) >= (UINT_MAX - data_size) )
		207	RETURN(XpmNoMemory);
		208	data_size += header_size + ext_size;
185		209
186	data = (char **) XpmMalloc(data_size);	210	data = (char **) XpmMalloc(data_size);
187	if (!data)	211	if (!data)
Lines 189-196 Link Here
189		213
190	data_nlines = header_nlines + image->height + ext_nlines;	214	data_nlines = header_nlines + image->height + ext_nlines;
191	data = (char ) (data + data_nlines);	215	data = (char ) (data + data_nlines);
		216
		217	/* can header have less elements then n suggests? */
192	n = image->ncolors;	218	n = image->ncolors;
193	for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {	219	for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
194	strcpy(sptr, sptr2);	220	strcpy(sptr, sptr2);
195	(sptr + 1) = sptr + strlen(*sptr2) + 1;	221	(sptr + 1) = sptr + strlen(*sptr2) + 1;
196	}	222	}
Lines 199-210 Link Here
199	data[header_nlines] = (char *) data + header_size	225	data[header_nlines] = (char *) data + header_size
200	+ (image->height + ext_nlines) * sizeof(char *);	226	+ (image->height + ext_nlines) * sizeof(char *);
201		227
202	CreatePixels(data + header_nlines, image->width, image->height,	228	CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
203	image->cpp, image->data, image->colorTable);	229	image->cpp, image->data, image->colorTable);
204		230
205	/* print extensions */	231	/* print extensions */
206	if (extensions)	232	if (extensions)
207	CreateExtensions(data + header_nlines + image->height - 1, offset,	233	CreateExtensions(data + header_nlines + image->height - 1,
		234	data_size - header_nlines - image->height + 1, offset,
208	info->extensions, info->nextensions,	235	info->extensions, info->nextensions,
209	ext_nlines);	236	ext_nlines);
210		237
Lines 229-246 Link Here
229	for (a = 0; a < ncolors; a++, colors++, dataptr++) {	256	for (a = 0; a < ncolors; a++, colors++, dataptr++) {
230		257
231	defaults = (char **) colors;	258	defaults = (char **) colors;
		259	if(sizeof(buf) <= cpp)
		260	return(XpmNoMemory);
232	strncpy(buf, *defaults++, cpp);	261	strncpy(buf, *defaults++, cpp);
233	s = buf + cpp;	262	s = buf + cpp;
234		263
		264	if(sizeof(buf) <= (s-buf))
		265	return XpmNoMemory;
		266
235	for (key = 1; key <= NKEYS; key++, defaults++) {	267	for (key = 1; key <= NKEYS; key++, defaults++) {
236	if ((s2 = *defaults)) {	268	if ((s2 = *defaults)) {
237	#ifndef VOID_SPRINTF	269	#ifndef VOID_SPRINTF
238	s +=	270	s +=
239	#endif	271	#endif
240	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	272	/* assume C99 compliance */
		273	snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
241	#ifdef VOID_SPRINTF	274	#ifdef VOID_SPRINTF
242	s += strlen(s);	275	s += strlen(s);
243	#endif	276	#endif
		277	/* does s point out-of-bounds? */
		278	if(sizeof(buf) < (s-buf))
		279	return XpmNoMemory;
244	}	280	}
245	}	281	}
246	l = s - buf + 1;	282	l = s - buf + 1;
Lines 254-261 Link Here
254	}	290	}
255		291
256	static void	292	static void
257	CreatePixels(dataptr, width, height, cpp, pixels, colors)	293	CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
258	char **dataptr;	294	char **dataptr;
		295	unsigned int data_size;
259	unsigned int width;	296	unsigned int width;
260	unsigned int height;	297	unsigned int height;
261	unsigned int cpp;	298	unsigned int cpp;
Lines 265-285 Link Here
265	char *s;	302	char *s;
266	unsigned int x, y, h, offset;	303	unsigned int x, y, h, offset;
267		304
		305	if(height <= 1)
		306	return;
		307
268	h = height - 1;	308	h = height - 1;
		309
269	offset = width * cpp + 1;	310	offset = width * cpp + 1;
		311
		312	if(offset <= width \|\| offset <= cpp)
		313	return;
		314
		315	/* why trust h? */
270	for (y = 0; y < h; y++, dataptr++) {	316	for (y = 0; y < h; y++, dataptr++) {
271	s = *dataptr;	317	s = *dataptr;
		318	/* why trust width? */
272	for (x = 0; x < width; x++, pixels++) {	319	for (x = 0; x < width; x++, pixels++) {
273	strncpy(s, colors[*pixels].string, cpp);	320	if(cpp > (data_size - (s - *dataptr)))
		321	return;
		322	strncpy(s, colors[pixels].string, cpp); / why trust pixel? */
274	s += cpp;	323	s += cpp;
275	}	324	}
276	*s = '\0';	325	*s = '\0';
		326	if(offset > data_size)
		327	return;
277	(dataptr + 1) = dataptr + offset;	328	(dataptr + 1) = dataptr + offset;
278	}	329	}
279	/* duplicate some code to avoid a test in the loop */	330	/* duplicate some code to avoid a test in the loop */
280	s = *dataptr;	331	s = *dataptr;
		332	/* why trust width? */
281	for (x = 0; x < width; x++, pixels++) {	333	for (x = 0; x < width; x++, pixels++) {
282	strncpy(s, colors[*pixels].string, cpp);	334	if(cpp > data_size - (s - *dataptr))
		335	return;
		336	strncpy(s, colors[pixels].string, cpp); / why should we trust pixel? /
283	s += cpp;	337	s += cpp;
284	}	338	}
285	*s = '\0';	339	*s = '\0';
Lines 312-319 Link Here
312	}	366	}
313		367
314	static void	368	static void
315	CreateExtensions(dataptr, offset, ext, num, ext_nlines)	369	CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
316	char **dataptr;	370	char **dataptr;
		371	unsigned int data_size;
317	unsigned int offset;	372	unsigned int offset;
318	XpmExtension *ext;	373	XpmExtension *ext;
319	unsigned int num;	374	unsigned int num;
Lines 326-337 Link Here
326	dataptr++;	381	dataptr++;
327	a = 0;	382	a = 0;
328	for (x = 0; x < num; x++, ext++) {	383	for (x = 0; x < num; x++, ext++) {
329	sprintf(*dataptr, "XPMEXT %s", ext->name);	384	snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
330	a++;	385	a++;
331	if (a < ext_nlines)	386	if (a < ext_nlines)
332	(dataptr + 1) = dataptr + strlen(ext->name) + 8;	387	(dataptr + 1) = dataptr + strlen(ext->name) + 8;
333	dataptr++;	388	dataptr++;
334	b = ext->nlines;	389	b = ext->nlines; /* can we trust these values? */
335	for (y = 0, line = ext->lines; y < b; y++, line++) {	390	for (y = 0, line = ext->lines; y < b; y++, line++) {
336	strcpy(dataptr, line);	391	strcpy(dataptr, line);
337	a++;	392	a++;

Lines 44-49 Link Here

(-)lib/Xm/Xpmcreate.c (-29 / +67 lines)
44	#endif	44	#endif
45		45
46		46
		47	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		48
47	#include "XpmI.h"	49	#include "XpmI.h"
48	#include <ctype.h>	50	#include <ctype.h>
49		51
Lines 565-571 Link Here
565	*/	567	*/
566	} else {	568	} else {
567	#endif	569	#endif
568	int i;	570	unsigned int i;
569		571
570	ncols = visual->map_entries;	572	ncols = visual->map_entries;
571	cols = (XColor *) XpmCalloc(ncols, sizeof(XColor));	573	cols = (XColor *) XpmCalloc(ncols, sizeof(XColor));
Lines 723-728 Link Here
723	/* function call in case of error, frees only locally allocated variables */	725	/* function call in case of error, frees only locally allocated variables */
724	#undef RETURN	726	#undef RETURN
725	#define RETURN(status) \	727	#define RETURN(status) \
		728	do \
726	{ \	729	{ \
727	if (ximage) XDestroyImage(ximage); \	730	if (ximage) XDestroyImage(ximage); \
728	if (shapeimage) XDestroyImage(shapeimage); \	731	if (shapeimage) XDestroyImage(shapeimage); \
Lines 733-739 Link Here
733	if (alloc_pixels) XpmFree(alloc_pixels); \	736	if (alloc_pixels) XpmFree(alloc_pixels); \
734	if (used_pixels) XpmFree(used_pixels); \	737	if (used_pixels) XpmFree(used_pixels); \
735	return (status); \	738	return (status); \
736	}	739	} while(0)
737		740
738	int	741	int
739	XpmCreateImageFromXpmImage(display, image,	742	XpmCreateImageFromXpmImage(display, image,
Lines 804-810 Link Here
804		807
805	ErrorStatus = XpmSuccess;	808	ErrorStatus = XpmSuccess;
806		809
807	if (image->ncolors >= SIZE_MAX / sizeof(Pixel))	810	if (image->ncolors >= UINT_MAX / sizeof(Pixel))
808	return (XpmNoMemory);	811	return (XpmNoMemory);
809		812
810	/* malloc pixels index tables */	813	/* malloc pixels index tables */
Lines 950-958 Link Here
950	return (XpmNoMemory);	953	return (XpmNoMemory);
951		954
952	#ifndef FOR_MSW	955	#ifndef FOR_MSW
953	if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)	956	if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
954	return XpmNoMemory;	957	XDestroyImage(*image_return);
		958	return XpmNoMemory;
		959	}
955	/* now that bytes_per_line must have been set properly alloc data */	960	/* now that bytes_per_line must have been set properly alloc data */
		961	if((*image_return)->bytes_per_line == 0 \|\| height == 0)
		962	return XpmNoMemory;
956	(*image_return)->data =	963	(*image_return)->data =
957	(char ) XpmMalloc((image_return)->bytes_per_line * height);	964	(char ) XpmMalloc((image_return)->bytes_per_line * height);
958		965
Lines 980-986 Link Here
980	LFUNC(_putbits, void, (register char *src, int dstoffset,	987	LFUNC(_putbits, void, (register char *src, int dstoffset,
981	register int numbits, register char *dst));	988	register int numbits, register char *dst));
982		989
983	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));	990	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
984		991
985	static unsigned char Const _reverse_byte[0x100] = {	992	static unsigned char Const _reverse_byte[0x100] = {
986	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,	993	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
Lines 1020-1031 Link Here
1020	static int	1027	static int
1021	_XReverse_Bytes(bpt, nb)	1028	_XReverse_Bytes(bpt, nb)
1022	register unsigned char *bpt;	1029	register unsigned char *bpt;
1023	register int nb;	1030	register unsigned int nb;
1024	{	1031	{
1025	do {	1032	do {
1026	bpt = _reverse_byte[bpt];	1033	bpt = _reverse_byte[bpt];
1027	bpt++;	1034	bpt++;
1028	} while (--nb > 0);	1035	} while (--nb > 0); /* is nb user-controled? */
1029	return 0;	1036	return 0;
1030	}	1037	}
1031		1038
Lines 1164-1170 Link Here
1164	register char *src;	1171	register char *src;
1165	register char *dst;	1172	register char *dst;
1166	register unsigned int *iptr;	1173	register unsigned int *iptr;
1167	register int x, y, i;	1174	register unsigned int x, y, i;
1168	register char *data;	1175	register char *data;
1169	Pixel pixel, px;	1176	Pixel pixel, px;
1170	int nbytes, depth, ibu, ibpp;	1177	int nbytes, depth, ibu, ibpp;
Lines 1174-1181 Link Here
1174	depth = image->depth;	1181	depth = image->depth;
1175	if (depth == 1) {	1182	if (depth == 1) {
1176	ibu = image->bitmap_unit;	1183	ibu = image->bitmap_unit;
1177	for (y = 0; y < height; y++)	1184	for (y = 0; y < height; y++) /* how can we trust height */
1178	for (x = 0; x < width; x++, iptr++) {	1185	for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
1179	pixel = pixels[*iptr];	1186	pixel = pixels[*iptr];
1180	for (i = 0, px = pixel; i < sizeof(unsigned long);	1187	for (i = 0, px = pixel; i < sizeof(unsigned long);
1181	i++, px >>= 8)	1188	i++, px >>= 8)
Lines 1250-1261 Link Here
1250	{	1257	{
1251	unsigned char *data;	1258	unsigned char *data;
1252	unsigned int *iptr;	1259	unsigned int *iptr;
1253	int y;	1260	unsigned int y;
1254	Pixel pixel;	1261	Pixel pixel;
1255		1262
1256	#ifdef WITHOUT_SPEEDUPS	1263	#ifdef WITHOUT_SPEEDUPS
1257		1264
1258	int x;	1265	unsigned int x;
1259	unsigned char *addr;	1266	unsigned char *addr;
1260		1267
1261	data = (unsigned char *) image->data;	1268	data = (unsigned char *) image->data;
Lines 1292-1298 Link Here
1292		1299
1293	#else /* WITHOUT_SPEEDUPS */	1300	#else /* WITHOUT_SPEEDUPS */
1294		1301
1295	int bpl = image->bytes_per_line;	1302	unsigned int bpl = image->bytes_per_line;
1296	unsigned char data_ptr, max_data;	1303	unsigned char data_ptr, max_data;
1297		1304
1298	data = (unsigned char *) image->data;	1305	data = (unsigned char *) image->data;
Lines 1360-1370 Link Here
1360	{	1367	{
1361	unsigned char *data;	1368	unsigned char *data;
1362	unsigned int *iptr;	1369	unsigned int *iptr;
1363	int y;	1370	unsigned int y;
1364		1371
1365	#ifdef WITHOUT_SPEEDUPS	1372	#ifdef WITHOUT_SPEEDUPS
1366		1373
1367	int x;	1374	unsigned int x;
1368	unsigned char *addr;	1375	unsigned char *addr;
1369		1376
1370	data = (unsigned char *) image->data;	1377	data = (unsigned char *) image->data;
Lines 1388-1394 Link Here
1388		1395
1389	Pixel pixel;	1396	Pixel pixel;
1390		1397
1391	int bpl = image->bytes_per_line;	1398	unsigned int bpl = image->bytes_per_line;
1392	unsigned char data_ptr, max_data;	1399	unsigned char data_ptr, max_data;
1393		1400
1394	data = (unsigned char *) image->data;	1401	data = (unsigned char *) image->data;
Lines 1441-1451 Link Here
1441	{	1448	{
1442	char *data;	1449	char *data;
1443	unsigned int *iptr;	1450	unsigned int *iptr;
1444	int y;	1451	unsigned int y;
1445		1452
1446	#ifdef WITHOUT_SPEEDUPS	1453	#ifdef WITHOUT_SPEEDUPS
1447		1454
1448	int x;	1455	unsigned int x;
1449		1456
1450	data = image->data;	1457	data = image->data;
1451	iptr = pixelindex;	1458	iptr = pixelindex;
Lines 1455-1461 Link Here
1455		1462
1456	#else /* WITHOUT_SPEEDUPS */	1463	#else /* WITHOUT_SPEEDUPS */
1457		1464
1458	int bpl = image->bytes_per_line;	1465	unsigned int bpl = image->bytes_per_line;
1459	char data_ptr, max_data;	1466	char data_ptr, max_data;
1460		1467
1461	data = image->data;	1468	data = image->data;
Lines 1490-1501 Link Here
1490	PutImagePixels(image, width, height, pixelindex, pixels);	1497	PutImagePixels(image, width, height, pixelindex, pixels);
1491	else {	1498	else {
1492	unsigned int *iptr;	1499	unsigned int *iptr;
1493	int y;	1500	unsigned int y;
1494	char *data;	1501	char *data;
1495		1502
1496	#ifdef WITHOUT_SPEEDUPS	1503	#ifdef WITHOUT_SPEEDUPS
1497		1504
1498	int x;	1505	unsigned int x;
1499		1506
1500	data = image->data;	1507	data = image->data;
1501	iptr = pixelindex;	1508	iptr = pixelindex;
Lines 1673-1678 Link Here
1673	Pixel px;	1680	Pixel px;
1674	int nbytes;	1681	int nbytes;
1675		1682
		1683	if(x < 0 \|\| y < 0)
		1684	return 0;
		1685
1676	for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)	1686	for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
1677	((unsigned char *)&pixel)[i] = px;	1687	((unsigned char *)&pixel)[i] = px;
1678	src = &ximage->data[XYINDEX(x, y, ximage)];	1688	src = &ximage->data[XYINDEX(x, y, ximage)];
Lines 1704-1710 Link Here
1704	register int i;	1714	register int i;
1705	register char *data;	1715	register char *data;
1706	Pixel px;	1716	Pixel px;
1707	int nbytes, ibpp;	1717	unsigned int nbytes, ibpp;
		1718
		1719	if(x < 0 \|\| y < 0)
		1720	return 0;
1708		1721
1709	ibpp = ximage->bits_per_pixel;	1722	ibpp = ximage->bits_per_pixel;
1710	if (ximage->depth == 4)	1723	if (ximage->depth == 4)
Lines 1737-1742 Link Here
1737	{	1750	{
1738	unsigned char *addr;	1751	unsigned char *addr;
1739		1752
		1753	if(x < 0 \|\| y < 0)
		1754	return 0;
		1755
1740	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1756	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1741	((unsigned long )addr) = pixel;	1757	((unsigned long )addr) = pixel;
1742	return 1;	1758	return 1;
Lines 1751-1756 Link Here
1751	{	1767	{
1752	unsigned char *addr;	1768	unsigned char *addr;
1753		1769
		1770	if(x < 0 \|\| y < 0)
		1771	return 0;
		1772
1754	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1773	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1755	addr[0] = pixel >> 24;	1774	addr[0] = pixel >> 24;
1756	addr[1] = pixel >> 16;	1775	addr[1] = pixel >> 16;
Lines 1768-1773 Link Here
1768	{	1787	{
1769	unsigned char *addr;	1788	unsigned char *addr;
1770		1789
		1790	if(x < 0 \|\| y < 0)
		1791	return 0;
		1792
1771	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1793	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1772	addr[3] = pixel >> 24;	1794	addr[3] = pixel >> 24;
1773	addr[2] = pixel >> 16;	1795	addr[2] = pixel >> 16;
Lines 1785-1790 Link Here
1785	{	1807	{
1786	unsigned char *addr;	1808	unsigned char *addr;
1787		1809
		1810	if(x < 0 \|\| y < 0)
		1811	return 0;
		1812
1788	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];	1813	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1789	addr[0] = pixel >> 8;	1814	addr[0] = pixel >> 8;
1790	addr[1] = pixel;	1815	addr[1] = pixel;
Lines 1800-1805 Link Here
1800	{	1825	{
1801	unsigned char *addr;	1826	unsigned char *addr;
1802		1827
		1828	if(x < 0 \|\| y < 0)
		1829	return 0;
		1830
1803	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];	1831	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1804	addr[1] = pixel >> 8;	1832	addr[1] = pixel >> 8;
1805	addr[0] = pixel;	1833	addr[0] = pixel;
Lines 1813-1818 Link Here
1813	int y;	1841	int y;
1814	unsigned long pixel;	1842	unsigned long pixel;
1815	{	1843	{
		1844	if(x < 0 \|\| y < 0)
		1845	return 0;
		1846
1816	ximage->data[ZINDEX8(x, y, ximage)] = pixel;	1847	ximage->data[ZINDEX8(x, y, ximage)] = pixel;
1817	return 1;	1848	return 1;
1818	}	1849	}
Lines 1824-1829 Link Here
1824	int y;	1855	int y;
1825	unsigned long pixel;	1856	unsigned long pixel;
1826	{	1857	{
		1858	if(x < 0 \|\| y < 0)
		1859	return 0;
		1860
1827	if (pixel & 1)	1861	if (pixel & 1)
1828	ximage->data[ZINDEX1(x, y, ximage)] \|= 0x80 >> (x & 7);	1862	ximage->data[ZINDEX1(x, y, ximage)] \|= 0x80 >> (x & 7);
1829	else	1863	else
Lines 1838-1843 Link Here
1838	int y;	1872	int y;
1839	unsigned long pixel;	1873	unsigned long pixel;
1840	{	1874	{
		1875	if(x < 0 \|\| y < 0)
		1876	return 0;
		1877
1841	if (pixel & 1)	1878	if (pixel & 1)
1842	ximage->data[ZINDEX1(x, y, ximage)] \|= 1 << (x & 7);	1879	ximage->data[ZINDEX1(x, y, ximage)] \|= 1 << (x & 7);
1843	else	1880	else
Lines 1850-1855 Link Here
1850	/* function call in case of error, frees only locally allocated variables */	1887	/* function call in case of error, frees only locally allocated variables */
1851	#undef RETURN	1888	#undef RETURN
1852	#define RETURN(status) \	1889	#define RETURN(status) \
		1890	do \
1853	{ \	1891	{ \
1854	if (USE_HASHTABLE) xpmHashTableFree(&hashtable); \	1892	if (USE_HASHTABLE) xpmHashTableFree(&hashtable); \
1855	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \	1893	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \
Lines 1865-1871 Link Here
1865	if (alloc_pixels) XpmFree(alloc_pixels); \	1903	if (alloc_pixels) XpmFree(alloc_pixels); \
1866	if (used_pixels) XpmFree(used_pixels); \	1904	if (used_pixels) XpmFree(used_pixels); \
1867	return(status); \	1905	return(status); \
1868	}	1906	} while(0)
1869		1907
1870	/*	1908	/*
1871	* This function parses an Xpm file or data and directly create an XImage	1909	* This function parses an Xpm file or data and directly create an XImage
Lines 1997-2003 Link Here
1997	xpmGetCmt(data, &colors_cmt);	2035	xpmGetCmt(data, &colors_cmt);
1998		2036
1999	/* malloc pixels index tables */	2037	/* malloc pixels index tables */
2000	if (ncolors >= SIZE_MAX / sizeof(Pixel))	2038	if (ncolors >= UINT_MAX / sizeof(Pixel))
2001	return XpmNoMemory;	2039	return XpmNoMemory;
2002		2040
2003	image_pixels = (Pixel ) XpmMalloc(sizeof(Pixel) ncolors);	2041	image_pixels = (Pixel ) XpmMalloc(sizeof(Pixel) ncolors);
Lines 2109-2115 Link Here
2109	* free the hastable	2147	* free the hastable
2110	*/	2148	*/
2111	if (ErrorStatus != XpmSuccess)	2149	if (ErrorStatus != XpmSuccess)
2112	RETURN(ErrorStatus)	2150	RETURN(ErrorStatus);
2113	else if (USE_HASHTABLE)	2151	else if (USE_HASHTABLE)
2114	xpmHashTableFree(&hashtable);	2152	xpmHashTableFree(&hashtable);
2115		2153
Lines 2258-2268 Link Here
2258		2296
2259	/* array of pointers malloced by need */	2297	/* array of pointers malloced by need */
2260	unsigned short *cidx[256];	2298	unsigned short *cidx[256];
2261	int char1;	2299	unsigned int char1;
2262		2300
2263	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	2301	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
2264	for (a = 0; a < ncolors; a++) {	2302	for (a = 0; a < ncolors; a++) {
2265	char1 = colorTable[a].string[0];	2303	char1 = (unsigned char) colorTable[a].string[0];
2266	if (cidx[char1] == NULL) { /* get new memory */	2304	if (cidx[char1] == NULL) { /* get new memory */
2267	cidx[char1] = (unsigned short *)	2305	cidx[char1] = (unsigned short *)
2268	XpmCalloc(256, sizeof(unsigned short));	2306	XpmCalloc(256, sizeof(unsigned short));
Lines 2280-2286 Link Here
2280	int cc1 = xpmGetC(data);	2318	int cc1 = xpmGetC(data);
2281	if (cc1 > 0 && cc1 < 256) {	2319	if (cc1 > 0 && cc1 < 256) {
2282	int cc2 = xpmGetC(data);	2320	int cc2 = xpmGetC(data);
2283	if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0) {	2321	if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0) {
2284	#ifndef FOR_MSW	2322	#ifndef FOR_MSW
2285	XPutPixel(image, x, y,	2323	XPutPixel(image, x, y,
2286	image_pixels[cidx[cc1][cc2] - 1]);	2324	image_pixels[cidx[cc1][cc2] - 1]);

Lines 33-38 Link Here

(-)lib/Xm/Xpmdata.c (-4 / +7 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	/* Official version number */	38	/* Official version number */
37	static char *RCS_Version = "$XpmVersion: 3.4i $";	39	static char *RCS_Version = "$XpmVersion: 3.4i $";
38		40
Lines 279-285 Link Here
279	}	281	}
280	ungetc(c, file);	282	ungetc(c, file);
281	}	283	}
282	return (n);	284	return (n); /* this returns bytes read + 1 */
283	}	285	}
284		286
285	/*	287	/*
Lines 376-383 Link Here
376	{	378	{
377	if (!mdata->type)	379	if (!mdata->type)
378	*cmt = NULL;	380	*cmt = NULL;
379	else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) {	381	else if (mdata->CommentLength != 0 && mdata->CommentLength < UINT_MAX - 1) {
380	cmt = (char ) XpmMalloc(mdata->CommentLength + 1);	382	if( (cmt = (char ) XpmMalloc(mdata->CommentLength + 1)) == NULL)
		383	return XpmNoMemory;
381	strncpy(*cmt, mdata->Comment, mdata->CommentLength);	384	strncpy(*cmt, mdata->Comment, mdata->CommentLength);
382	(*cmt)[mdata->CommentLength] = '\0';	385	(*cmt)[mdata->CommentLength] = '\0';
383	mdata->CommentLength = 0;	386	mdata->CommentLength = 0;
Lines 405-411 Link Here
405	xpmParseHeader(mdata)	408	xpmParseHeader(mdata)
406	xpmData *mdata;	409	xpmData *mdata;
407	{	410	{
408	char buf[BUFSIZ];	411	char buf[BUFSIZ+1] = {0};
409	int l, n = 0;	412	int l, n = 0;
410		413
411	if (mdata->type) {	414	if (mdata->type) {




    unsigned int size = table->size;
    xpmHashAtom *t, *p;
    int i;
    unsigned int oldSize = size;

    t = atomTable;
    HASH_TABLE_GROWS
	table->size = size;
    table->limit = size / 3;
    if (size >= UINT_MAX / sizeof(*atomTable)) 
        return (XpmNoMemory);
    atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
    if (!atomTable)

    table->size = INITIAL_HASH_SIZE;
    table->limit = table->size / 3;
    table->used = 0;
   if (table->size >= UINT_MAX / sizeof(*atomTable))
       return (XpmNoMemory);
    atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
    if (!atomTable)

Lines 108-115 Link Here

(-)lib/Xm/XpmI.h (+2 lines)
108	* lets try to solve include files	109	* lets try to solve include files
109	*/	110	*/
110		111
		112	#include <sys/types.h>
111	#include <stdio.h>	113	#include <stdio.h>
112	#include <stdlib.h>	114	#include <stdlib.h>
		115	#include <limits.h>
113	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */	116	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */
114	#ifdef sequent	117	#ifdef sequent
115	extern FILE *popen();	118	extern FILE *popen();

Lines 52-58 Link Here

(-)lib/Xm/Xpmmisc.c (-1 / +1 lines)
52	char *s1;	52	char *s1;
53	{	53	{
54	char *s2;	54	char *s2;
55	int l = strlen(s1) + 1;	55	size_t l = strlen(s1) + 1;
56		56
57	if (s2 = (char *) XpmMalloc(l))	57	if (s2 = (char *) XpmMalloc(l))
58	strcpy(s2, s1);	58	strcpy(s2, s1);




#include <string.h>
 
#ifdef HAS_STRLCAT
# define STRLCAT(dst, src, dstsize) do { \
       if (strlcat(dst, src, dstsize) >= (dstsize)) \
           return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
       if (strlcpy(dst, src, dstsize) >= (dstsize)) \
           return (XpmFileInvalid); } while(0)
#else
# define STRLCAT(dst, src, dstsize) do { \
       if ((strlen(dst) + strlen(src)) < (dstsize)) \
           strcat(dst, src); \
       else return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
       if (strlen(src) < (dstsize)) \
           strcpy(dst, src); \
       else return (XpmFileInvalid); } while(0)
#endif

LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,

/* function call in case of error, frees only locally allocated variables */
#undef RETURN
#define RETURN(status) \
do \
{ \
    if (colorTable) xpmFreeColorTable(colorTable, ncolors); \
    if (pixelindex) XpmFree(pixelindex); \

    if (colors_cmt) XpmFree(colors_cmt); \
    if (pixels_cmt) XpmFree(pixels_cmt); \
    return(status); \
} while(0)

/*
 * This function parses an Xpm file or data and store the found informations

    char **defaults;
    int ErrorStatus;

    if (ncolors >= UINT_MAX / sizeof(XpmColor))
        return (XpmNoMemory);
    colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
    if (!colorTable)

	    /*
	     * read pixel value
	     */
	    if (cpp >= UINT_MAX - 1) {
	        xpmFreeColorTable(colorTable, ncolors);
		return (XpmNoMemory);
	    }

		xpmFreeColorTable(colorTable, ncolors);
		return (XpmFileInvalid);
	    }
	    len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
	    s = defaults[curkey] = (char *) XpmMalloc(len);
	    if (!s) {
		xpmFreeColorTable(colorTable, ncolors);

	    /*
	     * read pixel value
	     */
	    if (cpp >= UINT_MAX - 1) {
	        xpmFreeColorTable(colorTable, ncolors);
		return (XpmNoMemory);
	    }

	    memcpy(s, curbuf, len);
	    color->c_color = s;
	    *curbuf = '\0';		/* reset curbuf */
	    if (a < ncolors - 1)	/* can we trust ncolors -> leave data's bounds */
		xpmNextString(data);	/* get to the next string */
	}
    }

    xpmHashTable *hashtable;
    unsigned int **pixels;
{
    unsigned int *iptr, *iptr2 = NULL;
    unsigned int a, x, y;

    if ((height > 0 && width >= UINT_MAX / height) ||
	width * height >= UINT_MAX / sizeof(unsigned int)) 
        return XpmNoMemory;
#ifndef FOR_MSW
    iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);

	{
	    unsigned short colidx[256];

	    if (ncolors > 256) {
	        return (XpmFileInvalid);
		XpmFree(iptr2); /* found by Egbert Eich */
            }

	    bzero((char *)colidx, 256 * sizeof(short));
	    for (a = 0; a < ncolors; a++)

	{

/* free all allocated pointers at all exits */
#define FREE_CIDX \
do \
{ \
	int f; for (f = 0; f < 256; f++) \
	if (cidx[f]) XpmFree(cidx[f]); \
} while(0)

	    /* array of pointers malloced by need */
	    unsigned short *cidx[256];
	    unsigned int char1;

	    bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
	    for (a = 0; a < ncolors; a++) {
		char1 = (unsigned char) colorTable[a].string[0];
		if (cidx[char1] == NULL) { /* get new memory */
		    cidx[char1] = (unsigned short *)
			XpmCalloc(256, sizeof(unsigned short));

		    int cc1 = xpmGetC(data);
		    if (cc1 > 0 && cc1 < 256) {
			int cc2 = xpmGetC(data);
			if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0)
			    *iptr = cidx[cc1][cc2] - 1;
			else {
			    FREE_CIDX;

	    char *s;
	    char buf[BUFSIZ];

	    if (cpp >= sizeof(buf)) {
	        return (XpmFileInvalid);
		XpmFree(iptr2); /* found by Egbert Eich */
            }

	    buf[cpp] = '\0';
	    if (USE_HASHTABLE) {

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			slot = xpmHashSlot(hashtable, buf);
			if (!*slot) {	/* no color matches */
			    XpmFree(iptr2);

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			for (a = 0; a < ncolors; a++)
			    if (!strcmp(colorTable[a].string, buf))
				break;

    while (!notstart && notend) {
	/* there starts an extension */
	ext = (XpmExtension *)
	    XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
	if (!ext) {
	    XpmFree(string);
	    XpmFreeExtensions(exts, num);

	while ((notstart = strncmp("XPMEXT", string, 6))
	       && (notend = strncmp("XPMENDEXT", string, 9))) {
	    sp = (char **)
		XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
	    if (!sp) {
		XpmFree(string);
		ext->nlines = nlines;

Lines 43-48 Link Here

(-)lib/Xm/XpmRdFToBuf.c (-2 / +5 lines)
43	#endif	43	#endif
44		44
45		45
		46	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		47
46	#include "XpmI.h"	48	#include "XpmI.h"
47	#include <sys/stat.h>	49	#include <sys/stat.h>
48	#if !defined(FOR_MSW) && !defined(WIN32)	50	#if !defined(FOR_MSW) && !defined(WIN32)
Lines 64-70 Link Here
64	char *filename;	66	char *filename;
65	char **buffer_return;	67	char **buffer_return;
66	{	68	{
67	int fd, fcheck, len;	69	int fd, fcheck;
		70	off_t len;
68	char *ptr;	71	char *ptr;
69	struct stat stats;	72	struct stat stats;
70	FILE *fp;	73	FILE *fp;
Lines 88-94 Link Here
88	close(fd);	91	close(fd);
89	return XpmOpenFailed;	92	return XpmOpenFailed;
90	}	93	}
91	len = (int) stats.st_size;	94	len = stats.st_size;
92	ptr = (char *) XpmMalloc(len + 1);	95	ptr = (char *) XpmMalloc(len + 1);
93	if (!ptr) {	96	if (!ptr) {
94	fclose(fp);	97	fclose(fp);

Lines 38-43 Link Here

(-)lib/Xm/XpmRdFToI.c (-12 / +24 lines)
38	#endif	38	#endif
39		39
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42	#include <sys/stat.h>	44	#include <sys/stat.h>
43	#include <sys/param.h>	45	#include <sys/param.h>
Lines 127-132 Link Here
127	/*	129	/*
128	* open the given file to be read as an xpmData which is returned.	130	* open the given file to be read as an xpmData which is returned.
129	*/	131	*/
		132	#ifndef NO_ZPIPE
		133	FILE Xpms_popen(char cmd, const char *type);
		134	#else
		135	# define Xpms_popen popen
		136	#endif
		137
130	static int	138	static int
131	OpenReadFile(filename, mdata)	139	OpenReadFile(filename, mdata)
132	char *filename;	140	char *filename;
Lines 144-160 Link Here
144	mdata->type = XPMFILE;	152	mdata->type = XPMFILE;
145	} else {	153	} else {
146	#ifndef NO_ZPIPE	154	#ifndef NO_ZPIPE
147	int len = strlen(filename);	155	size_t len = strlen(filename);
		156
		157	if(len == 0 \|\|
		158	filename[len-1] == '/')
		159	return(XpmOpenFailed);
148	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {	160	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
149	mdata->type = XPMPIPE;	161	mdata->type = XPMPIPE;
150	sprintf(buf, "uncompress -c \"%s\"", filename);	162	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
151	if (!(mdata->stream.file = popen(buf, "r")))	163	if (!(mdata->stream.file = Xpms_popen(buf, "r")))
152	return (XpmOpenFailed);	164	return (XpmOpenFailed);
153		165
154	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {	166	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
155	mdata->type = XPMPIPE;	167	mdata->type = XPMPIPE;
156	sprintf(buf, "gunzip -qc \"%s\"", filename);	168	snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
157	if (!(mdata->stream.file = popen(buf, "r")))	169	if (!(mdata->stream.file = Xpms_popen(buf, "r")))
158	return (XpmOpenFailed);	170	return (XpmOpenFailed);
159		171
160	} else {	172	} else {
Lines 162-180 Link Here
162	if (!(compressfile = (char *) XpmMalloc(len + 4)))	174	if (!(compressfile = (char *) XpmMalloc(len + 4)))
163	return (XpmNoMemory);	175	return (XpmNoMemory);
164		176
165	sprintf(compressfile, "%s.Z", filename);	177	snprintf(compressfile, len+4, "%s.Z", filename);
166	if (!stat(compressfile, &status)) {	178	if (!stat(compressfile, &status)) {
167	sprintf(buf, "uncompress -c \"%s\"", compressfile);	179	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
168	if (!(mdata->stream.file = popen(buf, "r"))) {	180	if (!(mdata->stream.file = Xpms_popen(buf, "r"))) {
169	XpmFree(compressfile);	181	XpmFree(compressfile);
170	return (XpmOpenFailed);	182	return (XpmOpenFailed);
171	}	183	}
172	mdata->type = XPMPIPE;	184	mdata->type = XPMPIPE;
173	} else {	185	} else {
174	sprintf(compressfile, "%s.gz", filename);	186	snprintf(compressfile, len+4, "%s.gz", filename);
175	if (!stat(compressfile, &status)) {	187	if (!stat(compressfile, &status)) {
176	sprintf(buf, "gunzip -c \"%s\"", compressfile);	188	snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
177	if (!(mdata->stream.file = popen(buf, "r"))) {	189	if (!(mdata->stream.file = Xpms_popen(buf, "r"))) {
178	XpmFree(compressfile);	190	XpmFree(compressfile);
179	return (XpmOpenFailed);	191	return (XpmOpenFailed);
180	}	192	}
Lines 216-222 Link Here
216	break;	228	break;
217	#ifndef NO_ZPIPE	229	#ifndef NO_ZPIPE
218	case XPMPIPE:	230	case XPMPIPE:
219	pclose(mdata->stream.file);	231	fclose(mdata->stream.file);
220	break;	232	break;
221	#endif	233	#endif
222	}	234	}




#endif


/* October 2004, source code review by Thomas Biege <thomas@suse.de> */

#include "XpmI.h"

#define MAXPRINTABLE 92			/* number of printable ascii chars
					 * minus \ and " for string compat
					 * and ? to avoid ANSI trigraphs. */
					/* " */
static char *printable =
" .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\
ASDFGHJKLPIUYTREWQ!~^/()_`'][{}|";

/* function call in case of error, frees only locally allocated variables */
#undef RETURN
#define RETURN(status) \
do \
{ \
    if (pmap.pixelindex) XpmFree(pmap.pixelindex); \
    if (pmap.pixels) XpmFree(pmap.pixels); \
    if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \
    return(status); \
} while(0)

/*
 * This function scans the given image and stores the found informations in

    else
	cpp = 0;

    if ((height > 0 && width >= UINT_MAX / height) ||
	width * height >= UINT_MAX / sizeof(unsigned int))
        RETURN(XpmNoMemory);
    pmap.pixelindex =
	(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
    if (!pmap.pixelindex)
	RETURN(XpmNoMemory);

    if (pmap.size >= UINT_MAX / sizeof(Pixel)) 
        RETURN(XpmNoMemory);

    pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);

     * color
     */

    if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
        RETURN(XpmNoMemory);
    colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
    if (!colorTable)


    /* first get a character string */
    a = 0;
    if (cpp >= UINT_MAX - 1)
        return (XpmNoMemory);
    if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
	return (XpmNoMemory);

    }

    /* first get character strings and rgb values */
    if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1)
        return (XpmNoMemory);
    xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
    if (!xcolors)

    char *dst;
    unsigned int *iptr;
    char *data;
    unsigned int x, y, i;
    int bits, depth, ibu, ibpp, offset;
    unsigned long lbt;
    Pixel pixel, px;

    unsigned char *addr;
    unsigned char *data;
    unsigned int *iptr;
    unsigned int x, y;
    unsigned long lbt;
    Pixel pixel;
    int depth;

    unsigned char *addr;
    unsigned char *data;
    unsigned int *iptr;
    unsigned int x, y;
    unsigned long lbt;
    Pixel pixel;
    int depth;

{
    unsigned int *iptr;
    unsigned char *data;
    unsigned int x, y;
    unsigned long lbt;
    Pixel pixel;
    int depth;

    int (*storeFunc) ();
{
    unsigned int *iptr;
    unsigned int x, y;
    char *data;
    Pixel pixel;
    int xoff, yoff, offset, bpl;

Lines 38-43 Link Here

(-)lib/Xm/XpmWrFFrBuf.c (-1 / +3 lines)
38	#endif	38	#endif
39		39
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42		44
43	int	45	int
Lines 55-61 Link Here
55	fcheck = fwrite(buffer, len, 1, fp);	57	fcheck = fwrite(buffer, len, 1, fp);
56	fclose(fp);	58	fclose(fp);
57	if (fcheck != 1)	59	if (fcheck != 1)
58	return XpmOpenFailed;	60	return XpmOpenFailed; /* maybe use a better return value */
59		61
60	return XpmSuccess;	62	return XpmSuccess;
61	}	63	}

Lines 38-43 Link Here

(-)lib/Xm/XpmWrFFrI.c (-9 / +26 lines)
38	#endif	38	#endif
39		39
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42	#if !defined(NO_ZPIPE) && defined(WIN32)	44	#if !defined(NO_ZPIPE) && defined(WIN32)
43	# define popen _popen	45	# define popen _popen
Lines 98-104 Link Here
98	XpmInfo *info;	100	XpmInfo *info;
99	{	101	{
100	xpmData mdata;	102	xpmData mdata;
101	char name, dot, *s, new_name[BUFSIZ];	103	char name, dot, *s, new_name[BUFSIZ] = {0};
102	int ErrorStatus;	104	int ErrorStatus;
103		105
104	/* open file to write */	106	/* open file to write */
Lines 117-122 Link Here
117	#endif	119	#endif
118	/* let's try to make a valid C syntax name */	120	/* let's try to make a valid C syntax name */
119	if ((dot = index(name, '.'))) {	121	if ((dot = index(name, '.'))) {
		122	strncpy(new_name, name, sizeof(new_name));
		123	new_name[sizeof(new_name)-1] = 0;
120	strcpy(new_name, name);	124	strcpy(new_name, name);
121	/* change '.' to '_' */	125	/* change '.' to '_' */
122	name = s = new_name;	126	name = s = new_name;
Lines 127-133 Link Here
127	}	131	}
128	if ((dot = index(name, '-'))) {	132	if ((dot = index(name, '-'))) {
129	if (name != new_name) {	133	if (name != new_name) {
130	strcpy(new_name, name);	134	strncpy(new_name, name, sizeof(new_name));
		135	new_name[sizeof(new_name)-1] = 0;
131	name = new_name;	136	name = new_name;
132	}	137	}
133	/* change '-' to '_' */	138	/* change '-' to '_' */
Lines 244-250 Link Here
244	unsigned int x, y, h;	249	unsigned int x, y, h;
245		250
246	h = height - 1;	251	h = height - 1;
247	if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)	252	if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
248	return (XpmNoMemory);	253	return (XpmNoMemory);
249	p = buf = (char ) XpmMalloc(width cpp + 3);	254	p = buf = (char ) XpmMalloc(width cpp + 3);
250	if (!buf)	255	if (!buf)
Lines 296-301 Link Here
296	/*	301	/*
297	* open the given file to be written as an xpmData which is returned	302	* open the given file to be written as an xpmData which is returned
298	*/	303	*/
		304	#ifndef NO_ZPIPE
		305	FILE Xpms_popen(char cmd, const char *type);
		306	#else
		307	# define Xpms_popen popen
		308	#endif
299	static int	309	static int
300	OpenWriteFile(filename, mdata)	310	OpenWriteFile(filename, mdata)
301	char *filename;	311	char *filename;
Lines 311-326 Link Here
311	mdata->type = XPMFILE;	321	mdata->type = XPMFILE;
312	} else {	322	} else {
313	#ifndef NO_ZPIPE	323	#ifndef NO_ZPIPE
314	int len = strlen(filename);	324	size_t len = strlen(filename);
		325
		326	if(len == 0 \|\|
		327	filename[0] == '/' \|\|
		328	strstr(filename, "../") != NULL \|\|
		329	filename[len-1] == '/')
		330	return(XpmOpenFailed);
		331
315	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {	332	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
316	sprintf(buf, "compress > \"%s\"", filename);	333	snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
317	if (!(mdata->stream.file = popen(buf, "w")))	334	if (!(mdata->stream.file = Xpms_popen(buf, "w")))
318	return (XpmOpenFailed);	335	return (XpmOpenFailed);
319		336
320	mdata->type = XPMPIPE;	337	mdata->type = XPMPIPE;
321	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {	338	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
322	sprintf(buf, "gzip -q > \"%s\"", filename);	339	snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
323	if (!(mdata->stream.file = popen(buf, "w")))	340	if (!(mdata->stream.file = Xpms_popen(buf, "w")))
324	return (XpmOpenFailed);	341	return (XpmOpenFailed);
325		342
326	mdata->type = XPMPIPE;	343	mdata->type = XPMPIPE;
Lines 351-357 Link Here
351	break;	368	break;
352	#ifndef NO_ZPIPE	369	#ifndef NO_ZPIPE
353	case XPMPIPE:	370	case XPMPIPE:
354	pclose(mdata->stream.file);	371	fclose(mdata->stream.file);
355	break;	372	break;
356	#endif	373	#endif
357	}	374	}

Return to bug 78111

Lines 211-217 Link Here

(-)lib/Xm/Imakefile (-2 / +4 lines)
211	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \	211	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \
212	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \	212	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \
213	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \	213	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \
214	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c	214	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \
		215	Xpms_popen.c
215		216
216	#if UseLocalRegex	217	#if UseLocalRegex
217	REGEX_SRCS = regexp.c	218	REGEX_SRCS = regexp.c
Lines 274-280 Link Here
274	XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \	275	XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \
275	XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \	276	XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \
276	XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \	277	XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \
277	XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o	278	XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o \
		279	Xpms_popen.o
278		280
279	#if UseLocalRegex	281	#if UseLocalRegex
280	REGEX_OBJS = regexp.o	282	REGEX_OBJS = regexp.o

Added Link Here

(-) (+182 lines)
1	/*
2	* Copyright (C) 2004 The X.Org fundation
3	*
4	* Permission is hereby granted, free of charge, to any person
5	* obtaining a copy of this software and associated documentation
6	* files (the "Software"), to deal in the Software without
7	* restriction, including without limitation the rights to use, copy,
8	* modify, merge, publish, distribute, sublicense, and/or sell copies
9	* of the Software, and to permit persons to whom the Software is fur-
10	* nished to do so, subject to the following conditions:
11	*
12	* The above copyright notice and this permission notice shall be
13	* included in all copies or substantial portions of the Software.
14	*
15	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18	* NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
19	* ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
20	* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
21	* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
22	*
23	* Except as contained in this notice, the name of the X.Org fundation
24	* shall not be used in advertising or otherwise to promote the sale,
25	* use or other dealings in this Software without prior written
26	* authorization from the X.Org fundation.
27	*/
28
29	/*
30	** This is a secure but NOT 100% compatible replacement for popen()
31	** Note: - don't use pclose() use fclose() for closing the returned
32	** filedesc.!!!
33	**
34	** Known Bugs: - unable to use i/o-redirection like > or <
35	** Author: - Thomas Biege <thomas@suse.de>
36	** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
37	** calling strtok()
38	*/
39
40	#include <sys/types.h>
41	#include <sys/wait.h>
42	#include <stdio.h>
43	#include <stdlib.h>
44	#include <unistd.h>
45	#include <string.h>
46	#include "XpmI.h"
47
48	#define __SEC_POPEN_TOKEN " "
49
50	FILE Xpms_popen(char cmd, const char *type)
51	{
52	pid_t pid;
53	int pfd[2];
54	int rpipe = 0, wpipe = 0, i;
55	char **argv;
56	char *ptr;
57	char *cmdcpy;
58
59
60	if(cmd == NULL \|\| cmd == "")
61	return(NULL);
62
63	if(type[0] != 'r' && type[0] != 'w')
64	return(NULL);
65
66	if ((cmdcpy = strdup(cmd)) == NULL)
67	return(NULL);
68
69	argv = NULL;
70	if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
71	{
72	free(cmdcpy);
73	return(NULL);
74	}
75
76	for(i = 0;; i++)
77	{
78	if( ( argv = (char *) realloc(argv, (i+1) sizeof(char *)) ) == NULL)
79	{
80	free(cmdcpy);
81	return(NULL);
82	}
83
84	if( ((argv+i) = (char ) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
85	{
86	free(cmdcpy);
87	return(NULL);
88	}
89
90	strcpy(argv[i], ptr);
91
92	if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
93	{
94	if( ( argv = (char *) realloc(argv, (i+2) sizeof(char *))) == NULL)
95	{
96	free(cmdcpy);
97	return(NULL);
98	}
99	argv[i+1] = NULL;
100	break;
101	}
102	}
103
104
105	if(type[0] == 'r')
106	rpipe = 1;
107	else
108	wpipe = 1;
109
110	if (pipe(pfd) < 0)
111	{
112	free(cmdcpy);
113	return(NULL);
114	}
115
116	if((pid = fork()) < 0)
117	{
118	close(pfd[0]);
119	close(pfd[1]);
120	free(cmdcpy);
121	return(NULL);
122	}
123
124	if(pid == 0) /* child */
125	{
126	if((pid = fork()) < 0)
127	{
128	close(pfd[0]);
129	close(pfd[1]);
130	free(cmdcpy);
131	return(NULL);
132	}
133	if(pid > 0)
134	{
135	exit(0); /* child nr. 1 exits */
136	}
137
138	/* child nr. 2 */
139	if(rpipe)
140	{
141	close(pfd[0]); /* close reading end, we don't need it */
142	dup2(STDOUT_FILENO, STDERR_FILENO);
143	if (pfd[1] != STDOUT_FILENO)
144	dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
145	}
146	else
147	{
148	close(pfd[1]); /* close writing end, we don't need it */
149	if (pfd[0] != STDIN_FILENO)
150	dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
151	}
152
153	if(strchr(argv[0], '/') == NULL)
154	execvp(argv[0], argv); /* search in $PATH */
155	else
156	execv(argv[0], argv);
157
158	close(pfd[0]);
159	close(pfd[1]);
160	free(cmdcpy);
161	return(NULL); /* exec failed.. ooops! */
162	}
163	else /* parent */
164	{
165	waitpid(pid, NULL, 0); /* wait for child nr. 1 */
166
167	if(rpipe)
168	{
169	close(pfd[1]);
170	free(cmdcpy);
171	return(fdopen(pfd[0], "r"));
172	}
173	else
174	{
175	close(pfd[0]);
176	free(cmdcpy);
177	return(fdopen(pfd[1], "w"));
178	}
179
180	}
181	}
182

Lines 44-50 Link Here

(-)lib/Xm/XpmAttrib.c (-6 / +6 lines)
44	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,	44	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
45	XpmColor ***oldct));	45	XpmColor ***oldct));
46		46
47	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));	47	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
48		48
49	/*	49	/*
50	* Create a colortable compatible with the old style colortable	50	* Create a colortable compatible with the old style colortable
Lines 56-64 Link Here
56	XpmColor ***oldct;	56	XpmColor ***oldct;
57	{	57	{
58	XpmColor colorTable, color;	58	XpmColor colorTable, color;
59	int a;	59	unsigned int a;
60		60
61	if (ncolors >= SIZE_MAX / sizeof(XpmColor *))	61	if (ncolors >= UINT_MAX / sizeof(XpmColor *))
62	return XpmNoMemory;	62	return XpmNoMemory;
63		63
64	colorTable = (XpmColor *) XpmMalloc(ncolors sizeof(XpmColor *));	64	colorTable = (XpmColor *) XpmMalloc(ncolors sizeof(XpmColor *));
Lines 75-83 Link Here
75	static void	75	static void
76	FreeOldColorTable(colorTable, ncolors)	76	FreeOldColorTable(colorTable, ncolors)
77	XpmColor **colorTable;	77	XpmColor **colorTable;
78	int ncolors;	78	unsigned int ncolors;
79	{	79	{
80	int a, b;	80	unsigned int a, b;
81	XpmColor **color;	81	XpmColor **color;
82	char **sptr;	82	char **sptr;
83		83
Lines 128-134 Link Here
128	XpmExtension *ext;	128	XpmExtension *ext;
129	char **sptr;	129	char **sptr;
130		130
131	if (extensions) {	131	if (extensions && nextensions > 0) {
132	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {	132	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
133	if (ext->name)	133	if (ext->name)
134	XpmFree(ext->name);	134	XpmFree(ext->name);

Lines 41-61 Link Here

(-)lib/Xm/XpmCrBufFrI.c (-41 / +89 lines)
41	#endif	41	#endif
42		42
43		43
		44	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		45
		46
44	#include "XpmI.h"	47	#include "XpmI.h"
45		48
46	LFUNC(WriteColors, int, (char *dataptr, unsigned int data_size,	49	LFUNC(WriteColors, int, (char *dataptr, unsigned int data_size,
47	unsigned int used_size, XpmColor colors,	50	unsigned int used_size, XpmColor colors,
48	unsigned int ncolors, unsigned int cpp));	51	unsigned int ncolors, unsigned int cpp));
49		52
50	LFUNC(WritePixels, void, (char dataptr, unsigned int used_size,	53	LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
		54	unsigned int *used_size,
51	unsigned int width, unsigned int height,	55	unsigned int width, unsigned int height,
52	unsigned int cpp, unsigned int *pixels,	56	unsigned int cpp, unsigned int *pixels,
53	XpmColor *colors));	57	XpmColor *colors));
54		58
55	LFUNC(WriteExtensions, void, (char dataptr, unsigned int used_size,	59	LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
		60	unsigned int *used_size,
56	XpmExtension *ext, unsigned int num));	61	XpmExtension *ext, unsigned int num));
57		62
58	LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));	63	LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
59	LFUNC(CommentsSize, int, (XpmInfo *info));	64	LFUNC(CommentsSize, int, (XpmInfo *info));
60		65
61	int	66	int
Lines 98-108 Link Here
98		103
99	#undef RETURN	104	#undef RETURN
100	#define RETURN(status) \	105	#define RETURN(status) \
		106	do \
101	{ \	107	{ \
102	if (ptr) \	108	if (ptr) \
103	XpmFree(ptr); \	109	XpmFree(ptr); \
104	return(status); \	110	return(status); \
105	}	111	} while(0)
106		112
107	int	113	int
108	XpmCreateBufferFromXpmImage(buffer_return, image, info)	114	XpmCreateBufferFromXpmImage(buffer_return, image, info)
Lines 116-122 Link Here
116	unsigned int cmts, extensions, ext_size = 0;	122	unsigned int cmts, extensions, ext_size = 0;
117	unsigned int l, cmt_size = 0;	123	unsigned int l, cmt_size = 0;
118	char ptr = NULL, p;	124	char ptr = NULL, p;
119	unsigned int ptr_size, used_size;	125	unsigned int ptr_size, used_size, tmp;
120		126
121	*buffer_return = NULL;	127	*buffer_return = NULL;
122		128
Lines 138-144 Link Here
138	#ifdef VOID_SPRINTF	144	#ifdef VOID_SPRINTF
139	used_size = strlen(buf);	145	used_size = strlen(buf);
140	#endif	146	#endif
141	ptr_size = used_size + ext_size + cmt_size + 1;	147	ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
		148	if(ptr_size <= used_size \|\|
		149	ptr_size <= ext_size \|\|
		150	ptr_size <= cmt_size)
		151	{
		152	return XpmNoMemory;
		153	}
142	ptr = (char *) XpmMalloc(ptr_size);	154	ptr = (char *) XpmMalloc(ptr_size);
143	if (!ptr)	155	if (!ptr)
144	return XpmNoMemory;	156	return XpmNoMemory;
Lines 149-155 Link Here
149	#ifndef VOID_SPRINTF	161	#ifndef VOID_SPRINTF
150	used_size +=	162	used_size +=
151	#endif	163	#endif
152	sprintf(ptr + used_size, "/%s/\n", info->hints_cmt);	164	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->hints_cmt);
153	#ifdef VOID_SPRINTF	165	#ifdef VOID_SPRINTF
154	used_size += strlen(info->hints_cmt) + 5;	166	used_size += strlen(info->hints_cmt) + 5;
155	#endif	167	#endif
Lines 167-173 Link Here
167	#ifndef VOID_SPRINTF	179	#ifndef VOID_SPRINTF
168	l +=	180	l +=
169	#endif	181	#endif
170	sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);	182	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
171	#ifdef VOID_SPRINTF	183	#ifdef VOID_SPRINTF
172	l = strlen(buf);	184	l = strlen(buf);
173	#endif	185	#endif
Lines 189-194 Link Here
189	l = strlen(buf);	201	l = strlen(buf);
190	#endif	202	#endif
191	ptr_size += l;	203	ptr_size += l;
		204	if(ptr_size <= l)
		205	RETURN(XpmNoMemory);
192	p = (char *) XpmRealloc(ptr, ptr_size);	206	p = (char *) XpmRealloc(ptr, ptr_size);
193	if (!p)	207	if (!p)
194	RETURN(XpmNoMemory);	208	RETURN(XpmNoMemory);
Lines 201-207 Link Here
201	#ifndef VOID_SPRINTF	215	#ifndef VOID_SPRINTF
202	used_size +=	216	used_size +=
203	#endif	217	#endif
204	sprintf(ptr + used_size, "/%s/\n", info->colors_cmt);	218	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->colors_cmt);
205	#ifdef VOID_SPRINTF	219	#ifdef VOID_SPRINTF
206	used_size += strlen(info->colors_cmt) + 5;	220	used_size += strlen(info->colors_cmt) + 5;
207	#endif	221	#endif
Lines 217-223 Link Here
217	* 4 = 1 (for '"') + 3 (for '",\n')	231	* 4 = 1 (for '"') + 3 (for '",\n')
218	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')	232	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
219	*/	233	*/
220	ptr_size += image->height * (image->width * image->cpp + 4) + 1;	234	if(image->width > UINT_MAX / image->cpp \|\|
		235	(tmp = image->width * image->cpp + 4) <= 4 \|\|
		236	image->height > UINT_MAX / tmp \|\|
		237	(tmp = image->height * tmp + 1) <= 1 \|\|
		238	(ptr_size += tmp) <= tmp)
		239	RETURN(XpmNoMemory);
221		240
222	p = (char *) XpmRealloc(ptr, ptr_size);	241	p = (char *) XpmRealloc(ptr, ptr_size);
223	if (!p)	242	if (!p)
Lines 229-245 Link Here
229	#ifndef VOID_SPRINTF	248	#ifndef VOID_SPRINTF
230	used_size +=	249	used_size +=
231	#endif	250	#endif
232	sprintf(ptr + used_size, "/%s/\n", info->pixels_cmt);	251	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->pixels_cmt);
233	#ifdef VOID_SPRINTF	252	#ifdef VOID_SPRINTF
234	used_size += strlen(info->pixels_cmt) + 5;	253	used_size += strlen(info->pixels_cmt) + 5;
235	#endif	254	#endif
236	}	255	}
237	WritePixels(ptr + used_size, &used_size, image->width, image->height,	256	WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
238	image->cpp, image->data, image->colorTable);	257	image->cpp, image->data, image->colorTable);
239		258
240	/* print extensions */	259	/* print extensions */
241	if (extensions)	260	if (extensions)
242	WriteExtensions(ptr + used_size, &used_size,	261	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
243	info->extensions, info->nextensions);	262	info->extensions, info->nextensions);
244		263
245	/* close the array */	264	/* close the array */
Lines 250-255 Link Here
250	return (XpmSuccess);	269	return (XpmSuccess);
251	}	270	}
252		271
		272
253	static int	273	static int
254	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)	274	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
255	char **dataptr;	275	char **dataptr;
Lines 259-265 Link Here
259	unsigned int ncolors;	279	unsigned int ncolors;
260	unsigned int cpp;	280	unsigned int cpp;
261	{	281	{
262	char buf[BUFSIZ];	282	char buf[BUFSIZ] = {0};
263	unsigned int a, key, l;	283	unsigned int a, key, l;
264	char s, s2;	284	char s, s2;
265	char **defaults;	285	char **defaults;
Lines 269-290 Link Here
269		289
270	defaults = (char **) colors;	290	defaults = (char **) colors;
271	s = buf + 1;	291	s = buf + 1;
272	strncpy(s, *defaults++, cpp);	292	if(cpp > (sizeof(buf) - (s-buf)))
273	s += cpp;	293	return(XpmNoMemory);
274		294	strncpy(s, *defaults++, cpp);
275	for (key = 1; key <= NKEYS; key++, defaults++) {	295	s += cpp;
276	if ((s2 = *defaults)) {	296
277	#ifndef VOID_SPRINTF	297	for (key = 1; key <= NKEYS; key++, defaults++) {
278	s +=	298	if ((s2 = *defaults)) {
279	#endif	299	#ifndef VOID_SPRINTF
280	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	300	s +=
281	#ifdef VOID_SPRINTF	301	#endif
282	s += strlen(s);	302	/* assume C99 compliance */
283	#endif	303	snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
284	}	304	#ifdef VOID_SPRINTF
285	}	305	s += strlen(s);
286	strcpy(s, "\",\n");	306	#endif
287	l = s + 3 - buf;	307	/* now let's check if s points out-of-bounds */
		308	if((s-buf) > sizeof(buf))
		309	return(XpmNoMemory);
		310	}
		311	}
		312	if(sizeof(buf) - (s-buf) < 4)
		313	return(XpmNoMemory);
		314	strcpy(s, "\",\n");
		315	l = s + 3 - buf;
		316	if( *data_size >= UINT_MAX-l \|\|
		317	data_size + l <= used_size \|\|
		318	(data_size + l - used_size) <= sizeof(buf))
		319	return(XpmNoMemory);
288	s = (char ) XpmRealloc(dataptr, *data_size + l);	320	s = (char ) XpmRealloc(dataptr, *data_size + l);
289	if (!s)	321	if (!s)
290	return (XpmNoMemory);	322	return (XpmNoMemory);
Lines 297-304 Link Here
297	}	329	}
298		330
299	static void	331	static void
300	WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)	332	WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
301	char *dataptr;	333	char *dataptr;
		334	unsigned int data_size;
302	unsigned int *used_size;	335	unsigned int *used_size;
303	unsigned int width;	336	unsigned int width;
304	unsigned int height;	337	unsigned int height;
Lines 309-335 Link Here
309	char *s = dataptr;	342	char *s = dataptr;
310	unsigned int x, y, h;	343	unsigned int x, y, h;
311		344
		345	if(height <= 1)
		346	return;
		347
312	h = height - 1;	348	h = height - 1;
313	for (y = 0; y < h; y++) {	349	for (y = 0; y < h; y++) {
314	*s++ = '"';	350	*s++ = '"';
315	for (x = 0; x < width; x++, pixels++) {	351	for (x = 0; x < width; x++, pixels++) {
316	strncpy(s, colors[*pixels].string, cpp);	352	if(cpp >= (data_size - (s-dataptr)))
		353	return;
		354	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? :-\ /
317	s += cpp;	355	s += cpp;
318	}	356	}
		357	if((data_size - (s-dataptr)) < 4)
		358	return;
319	strcpy(s, "\",\n");	359	strcpy(s, "\",\n");
320	s += 3;	360	s += 3;
321	}	361	}
322	/* duplicate some code to avoid a test in the loop */	362	/* duplicate some code to avoid a test in the loop */
323	*s++ = '"';	363	*s++ = '"';
324	for (x = 0; x < width; x++, pixels++) {	364	for (x = 0; x < width; x++, pixels++) {
325	strncpy(s, colors[*pixels].string, cpp);	365	if(cpp >= (data_size - (s-dataptr)))
		366	return;
		367	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? /
326	s += cpp;	368	s += cpp;
327	}	369	}
328	*s++ = '"';	370	*s++ = '"';
329	*used_size += s - dataptr;	371	*used_size += s - dataptr;
330	}	372	}
331		373
332	static int	374	static unsigned int
333	ExtensionsSize(ext, num)	375	ExtensionsSize(ext, num)
334	XpmExtension *ext;	376	XpmExtension *ext;
335	unsigned int num;	377	unsigned int num;
Lines 338-358 Link Here
338	char **line;	380	char **line;
339		381
340	size = 0;	382	size = 0;
		383	if(num == 0)
		384	return(0); /* ok? */
341	for (x = 0; x < num; x++, ext++) {	385	for (x = 0; x < num; x++, ext++) {
342	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */	386	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
343	size += strlen(ext->name) + 11;	387	size += strlen(ext->name) + 11;
344	a = ext->nlines;	388	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
345	for (y = 0, line = ext->lines; y < a; y++, line++)	389	for (y = 0, line = ext->lines; y < a; y++, line++)
346	/* 4 = 3 (for ',\n"') + 1 (for '"') */	390	/* 4 = 3 (for ',\n"') + 1 (for '"') */
347	size += strlen(*line) + 4;	391	size += strlen(*line) + 4;
348	}	392	}
349	/* 13 is for ',\n"XPMENDEXT"' */	393	/* 13 is for ',\n"XPMENDEXT"' */
		394	if(size > UINT_MAX - 13) /* unlikely */
		395	return(0);
350	return size + 13;	396	return size + 13;
351	}	397	}
352		398
353	static void	399	static void
354	WriteExtensions(dataptr, used_size, ext, num)	400	WriteExtensions(dataptr, data_size, used_size, ext, num)
355	char *dataptr;	401	char *dataptr;
		402	unsigned int data_size;
356	unsigned int *used_size;	403	unsigned int *used_size;
357	XpmExtension *ext;	404	XpmExtension *ext;
358	unsigned int num;	405	unsigned int num;
Lines 363-386 Link Here
363		410
364	for (x = 0; x < num; x++, ext++) {	411	for (x = 0; x < num; x++, ext++) {
365	#ifndef VOID_SPRINTF	412	#ifndef VOID_SPRINTF
366	s += 11 +	413	s +=
367	#endif	414	#endif
368	sprintf(s, ",\n\"XPMEXT %s\"", ext->name);	415	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
369	#ifdef VOID_SPRINTF	416	#ifdef VOID_SPRINTF
370	s += strlen(ext->name) + 11;	417	s += strlen(ext->name) + 11;
371	#endif	418	#endif
372	a = ext->nlines;	419	a = ext->nlines;
373	for (y = 0, line = ext->lines; y < a; y++, line++) {	420	for (y = 0, line = ext->lines; y < a; y++, line++) {
374	#ifndef VOID_SPRINTF	421	#ifndef VOID_SPRINTF
375	s += 4 +	422	s +=
376	#endif	423	#endif
377	sprintf(s, ",\n\"%s\"", *line);	424	snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
378	#ifdef VOID_SPRINTF	425	#ifdef VOID_SPRINTF
379	s += strlen(*line) + 4;	426	s += strlen(*line) + 4;
380	#endif	427	#endif
381	}	428	}
382	}	429	}
383	strcpy(s, ",\n\"XPMENDEXT\"");	430	strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
384	*used_size += s - dataptr + 13;	431	*used_size += s - dataptr + 13;
385	}	432	}
386		433
Lines 391-396 Link Here
391	int size = 0;	438	int size = 0;
392		439
393	/* 5 = 2 (for "/_") + 3 (for "_/\n") */	440	/* 5 = 2 (for "/_") + 3 (for "_/\n") */
		441	/* wrap possible but very unlikely */
394	if (info->hints_cmt)	442	if (info->hints_cmt)
395	size += 5 + strlen(info->hints_cmt);	443	size += 5 + strlen(info->hints_cmt);
396		444

Lines 144-156 Link Here

(-)lib/Xm/Xpmhashtab.c (-3 / +3 lines)
144	unsigned int size = table->size;	144	unsigned int size = table->size;
145	xpmHashAtom t, p;	145	xpmHashAtom t, p;
146	int i;	146	int i;
147	int oldSize = size;	147	unsigned int oldSize = size;
148		148
149	t = atomTable;	149	t = atomTable;
150	HASH_TABLE_GROWS	150	HASH_TABLE_GROWS
151	table->size = size;	151	table->size = size;
152	table->limit = size / 3;	152	table->limit = size / 3;
153	if (size >= SIZE_MAX / sizeof(*atomTable))	153	if (size >= UINT_MAX / sizeof(*atomTable))
154	return (XpmNoMemory);	154	return (XpmNoMemory);
155	atomTable = (xpmHashAtom ) XpmMalloc(size sizeof(*atomTable));	155	atomTable = (xpmHashAtom ) XpmMalloc(size sizeof(*atomTable));
156	if (!atomTable)	156	if (!atomTable)
Lines 212-218 Link Here
212	table->size = INITIAL_HASH_SIZE;	212	table->size = INITIAL_HASH_SIZE;
213	table->limit = table->size / 3;	213	table->limit = table->size / 3;
214	table->used = 0;	214	table->used = 0;
215	if (table->size >= SIZE_MAX / sizeof(*atomTable))	215	if (table->size >= UINT_MAX / sizeof(*atomTable))
216	return (XpmNoMemory);	216	return (XpmNoMemory);
217	atomTable = (xpmHashAtom ) XpmMalloc(table->size sizeof(*atomTable));	217	atomTable = (xpmHashAtom ) XpmMalloc(table->size sizeof(*atomTable));
218	if (!atomTable)	218	if (!atomTable)

Lines 49-69 Link Here

(-)lib/Xm/Xpmparse.c (-28 / +37 lines)
49	#include <string.h>	49	#include <string.h>
50		50
51	#ifdef HAS_STRLCAT	51	#ifdef HAS_STRLCAT
52	# define STRLCAT(dst, src, dstsize) { \	52	# define STRLCAT(dst, src, dstsize) do { \
53	if (strlcat(dst, src, dstsize) >= (dstsize)) \	53	if (strlcat(dst, src, dstsize) >= (dstsize)) \
54	return (XpmFileInvalid); }	54	return (XpmFileInvalid); } while(0)
55	# define STRLCPY(dst, src, dstsize) { \	55	# define STRLCPY(dst, src, dstsize) do { \
56	if (strlcpy(dst, src, dstsize) >= (dstsize)) \	56	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
57	return (XpmFileInvalid); }	57	return (XpmFileInvalid); } while(0)
58	#else	58	#else
59	# define STRLCAT(dst, src, dstsize) { \	59	# define STRLCAT(dst, src, dstsize) do { \
60	if ((strlen(dst) + strlen(src)) < (dstsize)) \	60	if ((strlen(dst) + strlen(src)) < (dstsize)) \
61	strcat(dst, src); \	61	strcat(dst, src); \
62	else return (XpmFileInvalid); }	62	else return (XpmFileInvalid); } while(0)
63	# define STRLCPY(dst, src, dstsize) { \	63	# define STRLCPY(dst, src, dstsize) do { \
64	if (strlen(src) < (dstsize)) \	64	if (strlen(src) < (dstsize)) \
65	strcpy(dst, src); \	65	strcpy(dst, src); \
66	else return (XpmFileInvalid); }	66	else return (XpmFileInvalid); } while(0)
67	#endif	67	#endif
68		68
69	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,	69	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
Lines 83-88 Link Here
83	/* function call in case of error, frees only locally allocated variables */	83	/* function call in case of error, frees only locally allocated variables */
84	#undef RETURN	84	#undef RETURN
85	#define RETURN(status) \	85	#define RETURN(status) \
		86	do \
86	{ \	87	{ \
87	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \	88	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \
88	if (pixelindex) XpmFree(pixelindex); \	89	if (pixelindex) XpmFree(pixelindex); \
Lines 90-96 Link Here
90	if (colors_cmt) XpmFree(colors_cmt); \	91	if (colors_cmt) XpmFree(colors_cmt); \
91	if (pixels_cmt) XpmFree(pixels_cmt); \	92	if (pixels_cmt) XpmFree(pixels_cmt); \
92	return(status); \	93	return(status); \
93	}	94	} while(0)
94		95
95	/*	96	/*
96	* This function parses an Xpm file or data and store the found informations	97	* This function parses an Xpm file or data and store the found informations
Lines 354-360 Link Here
354	char **defaults;	355	char **defaults;
355	int ErrorStatus;	356	int ErrorStatus;
356		357
357	if (ncolors >= SIZE_MAX / sizeof(XpmColor))	358	if (ncolors >= UINT_MAX / sizeof(XpmColor))
358	return (XpmNoMemory);	359	return (XpmNoMemory);
359	colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));	360	colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
360	if (!colorTable)	361	if (!colorTable)
Lines 367-373 Link Here
367	/*	368	/*
368	* read pixel value	369	* read pixel value
369	*/	370	*/
370	if (cpp >= SIZE_MAX - 1) {	371	if (cpp >= UINT_MAX - 1) {
371	xpmFreeColorTable(colorTable, ncolors);	372	xpmFreeColorTable(colorTable, ncolors);
372	return (XpmNoMemory);	373	return (XpmNoMemory);
373	}	374	}
Lines 436-442 Link Here
436	xpmFreeColorTable(colorTable, ncolors);	437	xpmFreeColorTable(colorTable, ncolors);
437	return (XpmFileInvalid);	438	return (XpmFileInvalid);
438	}	439	}
439	len = strlen(curbuf) + 1;	440	len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
440	s = defaults[curkey] = (char *) XpmMalloc(len);	441	s = defaults[curkey] = (char *) XpmMalloc(len);
441	if (!s) {	442	if (!s) {
442	xpmFreeColorTable(colorTable, ncolors);	443	xpmFreeColorTable(colorTable, ncolors);
Lines 455-461 Link Here
455	/*	456	/*
456	* read pixel value	457	* read pixel value
457	*/	458	*/
458	if (cpp >= SIZE_MAX - 1) {	459	if (cpp >= UINT_MAX - 1) {
459	xpmFreeColorTable(colorTable, ncolors);	460	xpmFreeColorTable(colorTable, ncolors);
460	return (XpmNoMemory);	461	return (XpmNoMemory);
461	}	462	}
Lines 500-506 Link Here
500	memcpy(s, curbuf, len);	501	memcpy(s, curbuf, len);
501	color->c_color = s;	502	color->c_color = s;
502	curbuf = '\0'; / reset curbuf */	503	curbuf = '\0'; / reset curbuf */
503	if (a < ncolors - 1)	504	if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
504	xpmNextString(data); /* get to the next string */	505	xpmNextString(data); /* get to the next string */
505	}	506	}
506	}	507	}
Lines 519-529 Link Here
519	xpmHashTable *hashtable;	520	xpmHashTable *hashtable;
520	unsigned int **pixels;	521	unsigned int **pixels;
521	{	522	{
522	unsigned int iptr, iptr2;	523	unsigned int iptr, iptr2 = NULL;
523	unsigned int a, x, y;	524	unsigned int a, x, y;
524		525
525	if ((height > 0 && width >= SIZE_MAX / height) \|\|	526	if ((height > 0 && width >= UINT_MAX / height) \|\|
526	width * height >= SIZE_MAX / sizeof(unsigned int))	527	width * height >= UINT_MAX / sizeof(unsigned int))
527	return XpmNoMemory;	528	return XpmNoMemory;
528	#ifndef FOR_MSW	529	#ifndef FOR_MSW
529	iptr2 = (unsigned int ) XpmMalloc(sizeof(unsigned int) width * height);	530	iptr2 = (unsigned int ) XpmMalloc(sizeof(unsigned int) width * height);
Lines 548-555 Link Here
548	{	549	{
549	unsigned short colidx[256];	550	unsigned short colidx[256];
550		551
551	if (ncolors > 256)	552	if (ncolors > 256) {
552	return (XpmFileInvalid);	553	return (XpmFileInvalid);
		554	XpmFree(iptr2); /* found by Egbert Eich */
		555	}
553		556
554	bzero((char )colidx, 256 sizeof(short));	557	bzero((char )colidx, 256 sizeof(short));
555	for (a = 0; a < ncolors; a++)	558	for (a = 0; a < ncolors; a++)
Lines 576-591 Link Here
576	{	579	{
577		580
578	/* free all allocated pointers at all exits */	581	/* free all allocated pointers at all exits */
579	#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \	582	#define FREE_CIDX \
580	if (cidx[f]) XpmFree(cidx[f]);}	583	do \
		584	{ \
		585	int f; for (f = 0; f < 256; f++) \
		586	if (cidx[f]) XpmFree(cidx[f]); \
		587	} while(0)
581		588
582	/* array of pointers malloced by need */	589	/* array of pointers malloced by need */
583	unsigned short *cidx[256];	590	unsigned short *cidx[256];
584	int char1;	591	unsigned int char1;
585		592
586	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	593	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
587	for (a = 0; a < ncolors; a++) {	594	for (a = 0; a < ncolors; a++) {
588	char1 = colorTable[a].string[0];	595	char1 = (unsigned char) colorTable[a].string[0];
589	if (cidx[char1] == NULL) { /* get new memory */	596	if (cidx[char1] == NULL) { /* get new memory */
590	cidx[char1] = (unsigned short *)	597	cidx[char1] = (unsigned short *)
591	XpmCalloc(256, sizeof(unsigned short));	598	XpmCalloc(256, sizeof(unsigned short));
Lines 604-610 Link Here
604	int cc1 = xpmGetC(data);	611	int cc1 = xpmGetC(data);
605	if (cc1 > 0 && cc1 < 256) {	612	if (cc1 > 0 && cc1 < 256) {
606	int cc2 = xpmGetC(data);	613	int cc2 = xpmGetC(data);
607	if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0)	614	if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0)
608	*iptr = cidx[cc1][cc2] - 1;	615	*iptr = cidx[cc1][cc2] - 1;
609	else {	616	else {
610	FREE_CIDX;	617	FREE_CIDX;
Lines 628-635 Link Here
628	char *s;	635	char *s;
629	char buf[BUFSIZ];	636	char buf[BUFSIZ];
630		637
631	if (cpp >= sizeof(buf))	638	if (cpp >= sizeof(buf)) {
632	return (XpmFileInvalid);	639	return (XpmFileInvalid);
		640	XpmFree(iptr2); /* found by Egbert Eich */
		641	}
633		642
634	buf[cpp] = '\0';	643	buf[cpp] = '\0';
635	if (USE_HASHTABLE) {	644	if (USE_HASHTABLE) {
Lines 639-645 Link Here
639	xpmNextString(data);	648	xpmNextString(data);
640	for (x = 0; x < width; x++, iptr++) {	649	for (x = 0; x < width; x++, iptr++) {
641	for (a = 0, s = buf; a < cpp; a++, s++)	650	for (a = 0, s = buf; a < cpp; a++, s++)
642	*s = xpmGetC(data);	651	s = xpmGetC(data); / int assigned to char, not a problem here */
643	slot = xpmHashSlot(hashtable, buf);	652	slot = xpmHashSlot(hashtable, buf);
644	if (!slot) { / no color matches */	653	if (!slot) { / no color matches */
645	XpmFree(iptr2);	654	XpmFree(iptr2);
Lines 653-659 Link Here
653	xpmNextString(data);	662	xpmNextString(data);
654	for (x = 0; x < width; x++, iptr++) {	663	for (x = 0; x < width; x++, iptr++) {
655	for (a = 0, s = buf; a < cpp; a++, s++)	664	for (a = 0, s = buf; a < cpp; a++, s++)
656	*s = xpmGetC(data);	665	s = xpmGetC(data); / int assigned to char, not a problem here */
657	for (a = 0; a < ncolors; a++)	666	for (a = 0; a < ncolors; a++)
658	if (!strcmp(colorTable[a].string, buf))	667	if (!strcmp(colorTable[a].string, buf))
659	break;	668	break;
Lines 708-714 Link Here
708	while (!notstart && notend) {	717	while (!notstart && notend) {
709	/* there starts an extension */	718	/* there starts an extension */
710	ext = (XpmExtension *)	719	ext = (XpmExtension *)
711	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));	720	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
712	if (!ext) {	721	if (!ext) {
713	XpmFree(string);	722	XpmFree(string);
714	XpmFreeExtensions(exts, num);	723	XpmFreeExtensions(exts, num);
Lines 745-751 Link Here
745	while ((notstart = strncmp("XPMEXT", string, 6))	754	while ((notstart = strncmp("XPMEXT", string, 6))
746	&& (notend = strncmp("XPMENDEXT", string, 9))) {	755	&& (notend = strncmp("XPMENDEXT", string, 9))) {
747	sp = (char **)	756	sp = (char **)
748	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));	757	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char )); / can we iterate enough for a wrapping? */
749	if (!sp) {	758	if (!sp) {
750	XpmFree(string);	759	XpmFree(string);
751	ext->nlines = nlines;	760	ext->nlines = nlines;

Lines 43-54 Link Here

(-)lib/Xm/Xpmscan.c (-13 / +16 lines)
43	#endif	43	#endif
44		44
45		45
		46	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		47
46	#include "XpmI.h"	48	#include "XpmI.h"
47		49
48	#define MAXPRINTABLE 92 /* number of printable ascii chars	50	#define MAXPRINTABLE 92 /* number of printable ascii chars
49	* minus \ and " for string compat	51	* minus \ and " for string compat
50	* and ? to avoid ANSI trigraphs. */	52	* and ? to avoid ANSI trigraphs. */
51		53	/* " */
52	static char *printable =	54	static char *printable =
53	" .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\	55	" .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\
54	ASDFGHJKLPIUYTREWQ!~^/()_`'][{}\|";	56	ASDFGHJKLPIUYTREWQ!~^/()_`'][{}\|";
Lines 163-174 Link Here
163	/* function call in case of error, frees only locally allocated variables */	165	/* function call in case of error, frees only locally allocated variables */
164	#undef RETURN	166	#undef RETURN
165	#define RETURN(status) \	167	#define RETURN(status) \
		168	do \
166	{ \	169	{ \
167	if (pmap.pixelindex) XpmFree(pmap.pixelindex); \	170	if (pmap.pixelindex) XpmFree(pmap.pixelindex); \
168	if (pmap.pixels) XpmFree(pmap.pixels); \	171	if (pmap.pixels) XpmFree(pmap.pixels); \
169	if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \	172	if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \
170	return(status); \	173	return(status); \
171	}	174	} while(0)
172		175
173	/*	176	/*
174	* This function scans the given image and stores the found informations in	177	* This function scans the given image and stores the found informations in
Lines 226-240 Link Here
226	else	229	else
227	cpp = 0;	230	cpp = 0;
228		231
229	if ((height > 0 && width >= SIZE_MAX / height) \|\|	232	if ((height > 0 && width >= UINT_MAX / height) \|\|
230	width * height >= SIZE_MAX / sizeof(unsigned int))	233	width * height >= UINT_MAX / sizeof(unsigned int))
231	RETURN(XpmNoMemory);	234	RETURN(XpmNoMemory);
232	pmap.pixelindex =	235	pmap.pixelindex =
233	(unsigned int ) XpmCalloc(width height, sizeof(unsigned int));	236	(unsigned int ) XpmCalloc(width height, sizeof(unsigned int));
234	if (!pmap.pixelindex)	237	if (!pmap.pixelindex)
235	RETURN(XpmNoMemory);	238	RETURN(XpmNoMemory);
236		239
237	if (pmap.size >= SIZE_MAX / sizeof(Pixel))	240	if (pmap.size >= UINT_MAX / sizeof(Pixel))
238	RETURN(XpmNoMemory);	241	RETURN(XpmNoMemory);
239		242
240	pmap.pixels = (Pixel ) XpmMalloc(sizeof(Pixel) pmap.size);	243	pmap.pixels = (Pixel ) XpmMalloc(sizeof(Pixel) pmap.size);
Lines 292-298 Link Here
292	* color	295	* color
293	*/	296	*/
294		297
295	if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))	298	if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
296	RETURN(XpmNoMemory);	299	RETURN(XpmNoMemory);
297	colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));	300	colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
298	if (!colorTable)	301	if (!colorTable)
Lines 341-347 Link Here
341		344
342	/* first get a character string */	345	/* first get a character string */
343	a = 0;	346	a = 0;
344	if (cpp >= SIZE_MAX - 1)	347	if (cpp >= UINT_MAX - 1)
345	return (XpmNoMemory);	348	return (XpmNoMemory);
346	if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))	349	if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
347	return (XpmNoMemory);	350	return (XpmNoMemory);
Lines 434-440 Link Here
434	}	437	}
435		438
436	/* first get character strings and rgb values */	439	/* first get character strings and rgb values */
437	if (ncolors >= SIZE_MAX / sizeof(XColor) \|\| cpp >= SIZE_MAX - 1)	440	if (ncolors >= UINT_MAX / sizeof(XColor) \|\| cpp >= UINT_MAX - 1)
438	return (XpmNoMemory);	441	return (XpmNoMemory);
439	xcolors = (XColor ) XpmMalloc(sizeof(XColor) ncolors);	442	xcolors = (XColor ) XpmMalloc(sizeof(XColor) ncolors);
440	if (!xcolors)	443	if (!xcolors)
Lines 591-597 Link Here
591	char *dst;	594	char *dst;
592	unsigned int *iptr;	595	unsigned int *iptr;
593	char *data;	596	char *data;
594	int x, y, i;	597	unsigned int x, y, i;
595	int bits, depth, ibu, ibpp, offset;	598	int bits, depth, ibu, ibpp, offset;
596	unsigned long lbt;	599	unsigned long lbt;
597	Pixel pixel, px;	600	Pixel pixel, px;
Lines 693-699 Link Here
693	unsigned char *addr;	696	unsigned char *addr;
694	unsigned char *data;	697	unsigned char *data;
695	unsigned int *iptr;	698	unsigned int *iptr;
696	int x, y;	699	unsigned int x, y;
697	unsigned long lbt;	700	unsigned long lbt;
698	Pixel pixel;	701	Pixel pixel;
699	int depth;	702	int depth;
Lines 758-764 Link Here
758	unsigned char *addr;	761	unsigned char *addr;
759	unsigned char *data;	762	unsigned char *data;
760	unsigned int *iptr;	763	unsigned int *iptr;
761	int x, y;	764	unsigned int x, y;
762	unsigned long lbt;	765	unsigned long lbt;
763	Pixel pixel;	766	Pixel pixel;
764	int depth;	767	int depth;
Lines 803-809 Link Here
803	{	806	{
804	unsigned int *iptr;	807	unsigned int *iptr;
805	unsigned char *data;	808	unsigned char *data;
806	int x, y;	809	unsigned int x, y;
807	unsigned long lbt;	810	unsigned long lbt;
808	Pixel pixel;	811	Pixel pixel;
809	int depth;	812	int depth;
Lines 836-842 Link Here
836	int (*storeFunc) ();	839	int (*storeFunc) ();
837	{	840	{
838	unsigned int *iptr;	841	unsigned int *iptr;
839	int x, y;	842	unsigned int x, y;
840	char *data;	843	char *data;
841	Pixel pixel;	844	Pixel pixel;
842	int xoff, yoff, offset, bpl;	845	int xoff, yoff, offset, bpl;