Attachment #51415 for bug #78111




        XpmCrBufFrP.c  XpmCrPFrBuf.c  XpmRdFToDat.c  XpmWrFFrP.c    Xpmrgb.c \
        XpmCrDatFrI.c  XpmCrPFrDat.c  XpmRdFToI.c    Xpmcreate.c    Xpmscan.c \
        XpmCrDatFrP.c  XpmCrPFrI.c    XpmRdFToP.c    Xpmdata.c \
        XpmCrIFrBuf.c  XpmImage.c     XpmWrFFrBuf.c  Xpmhashtab.c \
        Xpms_popen.c

#if UseLocalRegex
REGEX_SRCS = regexp.c

        XpmCrBufFrP.o  XpmCrPFrBuf.o  XpmRdFToDat.o  XpmWrFFrP.o    Xpmrgb.o \
        XpmCrDatFrI.o  XpmCrPFrDat.o  XpmRdFToI.o    Xpmcreate.o    Xpmscan.o \
        XpmCrDatFrP.o  XpmCrPFrI.o    XpmRdFToP.o    Xpmdata.o \
        XpmCrIFrBuf.o  XpmImage.o     XpmWrFFrBuf.o  Xpmhashtab.o \
        Xpms_popen.o

#if UseLocalRegex
REGEX_OBJS = regexp.o




/*
 * Copyright (C) 2004 The X.Org fundation
 * 
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is fur-
 * nished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT.  IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
 * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 * 
 * Except as contained in this notice, the name of the X.Org fundation
 * shall not be used in advertising or otherwise to promote the sale,
 * use or other dealings in this Software without prior written
 * authorization from the X.Org fundation.
 */

/*
** This is a secure but NOT 100% compatible replacement for popen()
** Note:        - don't use pclose() use fclose() for closing the returned
**                filedesc.!!!
**
** Known Bugs:  - unable to use i/o-redirection like > or <
** Author:      - Thomas Biege <thomas@suse.de>
** Credits:     - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
**                calling strtok()
*/

#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include "XpmI.h"

#define __SEC_POPEN_TOKEN " "

FILE *Xpms_popen(char *cmd, const char *type)
{
  pid_t pid;
  int pfd[2];
  int rpipe = 0, wpipe = 0, i;
  char **argv;
  char *ptr;
  char *cmdcpy;


  if(cmd == NULL || cmd == "")
    return(NULL);

  if(type[0] != 'r' && type[0] != 'w')
    return(NULL);

  if ((cmdcpy = strdup(cmd)) == NULL)
    return(NULL);

  argv = NULL;
  if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
  {
    free(cmdcpy);
    return(NULL);
  }

  for(i = 0;; i++)
  {
    if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
    {
      free(cmdcpy);
      return(NULL);
    }

    if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
    {
      free(cmdcpy);
      return(NULL);
    }

    strcpy(argv[i], ptr);

    if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
    {
      if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
      {
        free(cmdcpy);
        return(NULL);
      }
      argv[i+1] = NULL;
      break;
    }
  }


  if(type[0] == 'r')
    rpipe = 1;
  else
    wpipe = 1;

  if (pipe(pfd) < 0)
  {
    free(cmdcpy);
    return(NULL);
  }

	if((pid = fork()) < 0)
  {
    close(pfd[0]);
    close(pfd[1]);
    free(cmdcpy);
    return(NULL);
  }

	if(pid == 0)    /* child */
  {
    if((pid = fork()) < 0)
    {
      close(pfd[0]);
      close(pfd[1]);
      free(cmdcpy);
      return(NULL);
    }
    if(pid > 0)
    {
      exit(0);  /* child nr. 1 exits */
    }

    /* child nr. 2 */
    if(rpipe)
    {
      close(pfd[0]);  /* close reading end, we don't need it */
      dup2(STDOUT_FILENO, STDERR_FILENO);
      if (pfd[1] != STDOUT_FILENO)
        dup2(pfd[1], STDOUT_FILENO);  /* redirect stdout to writing end of pipe */
    }
    else
    {
      close(pfd[1]);  /* close writing end, we don't need it */
      if (pfd[0] != STDIN_FILENO)
        dup2(pfd[0], STDIN_FILENO);    /* redirect stdin to reading end of pipe */
	  }

    if(strchr(argv[0], '/') == NULL)
      execvp(argv[0], argv);  /* search in $PATH */
    else
      execv(argv[0], argv);

    close(pfd[0]);
    close(pfd[1]);
    free(cmdcpy);
    return(NULL);  /* exec failed.. ooops! */
  }
  else          /* parent */
  {
    waitpid(pid, NULL, 0); /* wait for child nr. 1 */

    if(rpipe)
    {
      close(pfd[1]);
      free(cmdcpy);
      return(fdopen(pfd[0], "r"));
    }
    else
    {
      close(pfd[0]);
      free(cmdcpy);
      return(fdopen(pfd[1], "w"));
    }

  }
}


Lines 33-45 Link Here

(-)motif/lib/Xm/XpmAttrib.c (-6 / +8 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	/* 3.2 backward compatibility code */	40	/* 3.2 backward compatibility code */
39	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,	41	LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
40	XpmColor ***oldct));	42	XpmColor ***oldct));
41		43
42	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));	44	LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
43		45
44	/*	46	/*
45	* Create a colortable compatible with the old style colortable	47	* Create a colortable compatible with the old style colortable
Lines 51-59 Link Here
51	XpmColor ***oldct;	53	XpmColor ***oldct;
52	{	54	{
53	XpmColor colorTable, color;	55	XpmColor colorTable, color;
54	int a;	56	unsigned int a;
55		57
56	if (ncolors >= SIZE_MAX / sizeof(XpmColor *))	58	if (ncolors >= UINT_MAX / sizeof(XpmColor *))
57	return XpmNoMemory;	59	return XpmNoMemory;
58		60
59	colorTable = (XpmColor *) XpmMalloc(ncolors sizeof(XpmColor *));	61	colorTable = (XpmColor *) XpmMalloc(ncolors sizeof(XpmColor *));
Lines 70-78 Link Here
70	static void	72	static void
71	FreeOldColorTable(colorTable, ncolors)	73	FreeOldColorTable(colorTable, ncolors)
72	XpmColor **colorTable;	74	XpmColor **colorTable;
73	int ncolors;	75	unsigned int ncolors;
74	{	76	{
75	int a, b;	77	unsigned int a, b;
76	XpmColor **color;	78	XpmColor **color;
77	char **sptr;	79	char **sptr;
78		80
Lines 123-129 Link Here
123	XpmExtension *ext;	125	XpmExtension *ext;
124	char **sptr;	126	char **sptr;
125		127
126	if (extensions) {	128	if (extensions && nextensions > 0) {
127	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {	129	for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
128	if (ext->name)	130	if (ext->name)
129	XpmFree(ext->name);	131	XpmFree(ext->name);




*  Developed by Arnaud Le Hors                                                *
\*****************************************************************************/

/* October 2004, source code review by Thomas Biege <thomas@suse.de> */


#include "XpmI.h"

LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size,
			 unsigned int *used_size, XpmColor *colors,
			 unsigned int ncolors, unsigned int cpp));

LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
			  unsigned int *used_size,
			  unsigned int width, unsigned int height,
			  unsigned int cpp, unsigned int *pixels,
			  XpmColor *colors));

LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
			      unsigned int *used_size,
			      XpmExtension *ext, unsigned int num));

LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
LFUNC(CommentsSize, int, (XpmInfo *info));

int


#undef RETURN
#define RETURN(status) \
do \
{ \
    if (ptr) \
	XpmFree(ptr); \
    return(status); \
} while(0)

int
XpmCreateBufferFromXpmImage(buffer_return, image, info)

    unsigned int cmts, extensions, ext_size = 0;
    unsigned int l, cmt_size = 0;
    char *ptr = NULL, *p;
    unsigned int ptr_size, used_size, tmp;

    *buffer_return = NULL;


#ifdef VOID_SPRINTF
    used_size = strlen(buf);
#endif
    ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
    if(ptr_size <= used_size ||
       ptr_size <= ext_size  ||
       ptr_size <= cmt_size)
    {
        return XpmNoMemory;
    }
    ptr = (char *) XpmMalloc(ptr_size);
    if (!ptr)
	return XpmNoMemory;

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->hints_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->hints_cmt) + 5;
#endif

#ifndef VOID_SPRINTF
	l +=
#endif
	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
#ifdef VOID_SPRINTF
	l = strlen(buf);
#endif

    l = strlen(buf);
#endif
    ptr_size += l;
    if(ptr_size <= l)
        RETURN(XpmNoMemory);
    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)
	RETURN(XpmNoMemory);

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->colors_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->colors_cmt) + 5;
#endif

     * 4 = 1 (for '"') + 3 (for '",\n')
     * 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
     */
     if(image->width  > UINT_MAX / image->cpp ||
       (tmp = image->width * image->cpp + 4) <= 4 ||
        image->height > UINT_MAX / tmp ||
       (tmp = image->height * tmp + 1) <= 1 ||
       (ptr_size += tmp) <= tmp)
	RETURN(XpmNoMemory);

    p = (char *) XpmRealloc(ptr, ptr_size);
    if (!p)

#ifndef VOID_SPRINTF
	used_size +=
#endif
	snprintf(ptr + used_size, ptr_size-used_size, "/*%s*/\n", info->pixels_cmt);
#ifdef VOID_SPRINTF
	used_size += strlen(info->pixels_cmt) + 5;
#endif
    }
    WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
		image->cpp, image->data, image->colorTable);

    /* print extensions */
    if (extensions)
	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
			info->extensions, info->nextensions);

    /* close the array */

    return (XpmSuccess);
}


static int
WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
    char **dataptr;

    unsigned int ncolors;
    unsigned int cpp;
{
    char buf[BUFSIZ] = {0};
    unsigned int a, key, l;
    char *s, *s2;
    char **defaults;


	defaults = (char **) colors;
	s = buf + 1;
	if(cpp > (sizeof(buf) - (s-buf)))
		return(XpmNoMemory);
	strncpy(s, *defaults++, cpp);
	s += cpp;

	for (key = 1; key <= NKEYS; key++, defaults++) {
	    if ((s2 = *defaults)) {
#ifndef VOID_SPRINTF
		s +=
#endif
		/* assume C99 compliance */
		snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
#ifdef VOID_SPRINTF
		s += strlen(s);
#endif
		/* now let's check if s points out-of-bounds */
		if((s-buf) > sizeof(buf))
			return(XpmNoMemory);
	    }
	}
	if(sizeof(buf) - (s-buf) < 4)
		return(XpmNoMemory);
	strcpy(s, "\",\n");
	l = s + 3 - buf;
	if( *data_size                   >= UINT_MAX-l ||
	    *data_size + l               <= *used_size ||
	   (*data_size + l - *used_size) <= sizeof(buf))
		return(XpmNoMemory);
	s = (char *) XpmRealloc(*dataptr, *data_size + l);
	if (!s)
	    return (XpmNoMemory);

}

static void
WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    unsigned int width;
    unsigned int height;

    char *s = dataptr;
    unsigned int x, y, h;

    if(height <= 1)
    	return;

    h = height - 1;
    for (y = 0; y < h; y++) {
	*s++ = '"';
	for (x = 0; x < width; x++, pixels++) {
	    if(cpp >= (data_size - (s-dataptr)))
		return;
	    strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? :-\ */
	    s += cpp;
	}
	if((data_size - (s-dataptr)) < 4)
		return;
	strcpy(s, "\",\n");
	s += 3;
    }
    /* duplicate some code to avoid a test in the loop */
    *s++ = '"';
    for (x = 0; x < width; x++, pixels++) {
	if(cpp >= (data_size - (s-dataptr)))
	    return;
	strncpy(s, colors[*pixels].string, cpp); /* how can we trust *pixels? */
	s += cpp;
    }
    *s++ = '"';
    *used_size += s - dataptr;
}

static unsigned int
ExtensionsSize(ext, num)
    XpmExtension *ext;
    unsigned int num;

    char **line;

    size = 0;
    if(num == 0)
    	return(0); /* ok? */
    for (x = 0; x < num; x++, ext++) {
	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
	size += strlen(ext->name) + 11;
	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
	for (y = 0, line = ext->lines; y < a; y++, line++)
	    /* 4 = 3 (for ',\n"') + 1 (for '"') */
	    size += strlen(*line) + 4;
    }
    /* 13 is for ',\n"XPMENDEXT"' */
    if(size > UINT_MAX - 13) /* unlikely */
    	return(0);
    return size + 13;
}

static void
WriteExtensions(dataptr, data_size, used_size, ext, num)
    char *dataptr;
    unsigned int data_size;
    unsigned int *used_size;
    XpmExtension *ext;
    unsigned int num;


    for (x = 0; x < num; x++, ext++) {
#ifndef VOID_SPRINTF
	s +=
#endif
	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
#ifdef VOID_SPRINTF
	s += strlen(ext->name) + 11;
#endif
	a = ext->nlines;
	for (y = 0, line = ext->lines; y < a; y++, line++) {
#ifndef VOID_SPRINTF
	    s +=
#endif
	    snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
#ifdef VOID_SPRINTF
	    s += strlen(*line) + 4;
#endif
	}
    }
    strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
    *used_size += s - dataptr + 13;
}


    int size = 0;

    /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
    /* wrap possible but *very* unlikely */
    if (info->hints_cmt)
	size += 5 + strlen(info->hints_cmt);


Lines 33-45 Link Here

(-)motif/lib/Xm/XpmCrDatFrI.c (-18 / +76 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,	40	LFUNC(CreateColors, int, (char *dataptr, unsigned int data_size,
39	XpmColor *colors, unsigned int ncolors,	41	XpmColor *colors, unsigned int ncolors,
40	unsigned int cpp));	42	unsigned int cpp));
41		43
42	LFUNC(CreatePixels, void, (char **dataptr, unsigned int width,	44	LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
		45	unsigned int width,
43	unsigned int height, unsigned int cpp,	46	unsigned int height, unsigned int cpp,
44	unsigned int pixels, XpmColor colors));	47	unsigned int pixels, XpmColor colors));
45		48
Lines 47-53 Link Here
47	unsigned int *ext_size,	50	unsigned int *ext_size,
48	unsigned int *ext_nlines));	51	unsigned int *ext_nlines));
49		52
50	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int offset,	53	LFUNC(CreateExtensions, void, (char **dataptr, unsigned int data_size,
		54	unsigned int offset,
51	XpmExtension *ext, unsigned int num,	55	XpmExtension *ext, unsigned int num,
52	unsigned int ext_nlines));	56	unsigned int ext_nlines));
53		57
Lines 88-93 Link Here
88		92
89	#undef RETURN	93	#undef RETURN
90	#define RETURN(status) \	94	#define RETURN(status) \
		95	do \
91	{ \	96	{ \
92	if (header) { \	97	if (header) { \
93	for (l = 0; l < header_nlines; l++) \	98	for (l = 0; l < header_nlines; l++) \
Lines 96-102 Link Here
96	XpmFree(header); \	101	XpmFree(header); \
97	} \	102	} \
98	return(status); \	103	return(status); \
99	}	104	} while(0)
100		105
101	int	106	int
102	XpmCreateDataFromXpmImage(data_return, image, info)	107	XpmCreateDataFromXpmImage(data_return, image, info)
Lines 127-136 Link Here
127	* alloc a temporary array of char pointer for the header section which	132	* alloc a temporary array of char pointer for the header section which
128	* is the hints line + the color table lines	133	* is the hints line + the color table lines
129	*/	134	*/
130	header_nlines = 1 + image->ncolors;	135	header_nlines = 1 + image->ncolors; /* this may wrap and/or become 0 */
		136
		137	/* 2nd check superfluous if we do not need header_nlines any further */
		138	if(header_nlines <= image->ncolors \|\|
		139	header_nlines >= UINT_MAX / sizeof(char *))
		140	return(XpmNoMemory);
		141
131	header_size = sizeof(char ) header_nlines;	142	header_size = sizeof(char ) header_nlines;
132	if (header_size >= SIZE_MAX / sizeof(char *))	143	if (header_size >= UINT_MAX / sizeof(char *))
133	return (XpmNoMemory);	144	return (XpmNoMemory);
134	header = (char *) XpmCalloc(header_size, sizeof(char ));	145	header = (char *) XpmCalloc(header_size, sizeof(char ));
135	if (!header)	146	if (!header)
136	return (XpmNoMemory);	147	return (XpmNoMemory);
Lines 175-182 Link Here
175		186
176	/* now we know the size needed, alloc the data and copy the header lines */	187	/* now we know the size needed, alloc the data and copy the header lines */
177	offset = image->width * image->cpp + 1;	188	offset = image->width * image->cpp + 1;
178	data_size = header_size + (image->height + ext_nlines) * sizeof(char *)	189
179	+ image->height * offset + ext_size;	190	if(offset <= image->width \|\| offset <= image->cpp)
		191	RETURN(XpmNoMemory);
		192
		193	if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
		194	RETURN(XpmNoMemory);
		195	data_size = (image->height + ext_nlines) * sizeof(char *);
		196
		197	if (image->height > UINT_MAX / offset \|\|
		198	image->height * offset > UINT_MAX - data_size)
		199	RETURN(XpmNoMemory);
		200	data_size += image->height * offset;
		201
		202	if( (header_size + ext_size) >= (UINT_MAX - data_size) )
		203	RETURN(XpmNoMemory);
		204	data_size += header_size + ext_size;
180		205
181	data = (char **) XpmMalloc(data_size);	206	data = (char **) XpmMalloc(data_size);
182	if (!data)	207	if (!data)
Lines 184-191 Link Here
184		209
185	data_nlines = header_nlines + image->height + ext_nlines;	210	data_nlines = header_nlines + image->height + ext_nlines;
186	data = (char ) (data + data_nlines);	211	data = (char ) (data + data_nlines);
		212
		213	/* can header have less elements then n suggests? */
187	n = image->ncolors;	214	n = image->ncolors;
188	for (l = 0, sptr = data, sptr2 = header; l <= n; l++, sptr++, sptr2++) {	215	for (l = 0, sptr = data, sptr2 = header; l <= n && sptr && sptr2; l++, sptr++, sptr2++) {
189	strcpy(sptr, sptr2);	216	strcpy(sptr, sptr2);
190	(sptr + 1) = sptr + strlen(*sptr2) + 1;	217	(sptr + 1) = sptr + strlen(*sptr2) + 1;
191	}	218	}
Lines 194-205 Link Here
194	data[header_nlines] = (char *) data + header_size	221	data[header_nlines] = (char *) data + header_size
195	+ (image->height + ext_nlines) * sizeof(char *);	222	+ (image->height + ext_nlines) * sizeof(char *);
196		223
197	CreatePixels(data + header_nlines, image->width, image->height,	224	CreatePixels(data + header_nlines, data_size-header_nlines, image->width, image->height,
198	image->cpp, image->data, image->colorTable);	225	image->cpp, image->data, image->colorTable);
199		226
200	/* print extensions */	227	/* print extensions */
201	if (extensions)	228	if (extensions)
202	CreateExtensions(data + header_nlines + image->height - 1, offset,	229	CreateExtensions(data + header_nlines + image->height - 1,
		230	data_size - header_nlines - image->height + 1, offset,
203	info->extensions, info->nextensions,	231	info->extensions, info->nextensions,
204	ext_nlines);	232	ext_nlines);
205		233
Lines 221-243 Link Here
221	char s, s2;	249	char s, s2;
222	char **defaults;	250	char **defaults;
223		251
		252	/* can ncolors be trusted here? */
224	for (a = 0; a < ncolors; a++, colors++, dataptr++) {	253	for (a = 0; a < ncolors; a++, colors++, dataptr++) {
225		254
226	defaults = (char **) colors;	255	defaults = (char **) colors;
		256	if(sizeof(buf) <= cpp)
		257	return(XpmNoMemory);
227	strncpy(buf, *defaults++, cpp);	258	strncpy(buf, *defaults++, cpp);
228	s = buf + cpp;	259	s = buf + cpp;
229		260
		261	if(sizeof(buf) <= (s-buf))
		262	return XpmNoMemory;
		263
230	for (key = 1; key <= NKEYS; key++, defaults++) {	264	for (key = 1; key <= NKEYS; key++, defaults++) {
231	if (s2 = *defaults) {	265	if (s2 = *defaults) {
232	#ifndef VOID_SPRINTF	266	#ifndef VOID_SPRINTF
233	s +=	267	s +=
234	#endif	268	#endif
235	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	269	/* assume C99 compliance */
		270	snprintf(s, sizeof(buf)-(s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
236	#ifdef VOID_SPRINTF	271	#ifdef VOID_SPRINTF
237	s += strlen(s);	272	s += strlen(s);
238	#endif	273	#endif
		274	/* does s point out-of-bounds? */
		275	if(sizeof(buf) < (s-buf))
		276	return XpmNoMemory;
239	}	277	}
240	}	278	}
		279	/* what about using strdup()? */
241	l = s - buf + 1;	280	l = s - buf + 1;
242	s = (char *) XpmMalloc(l);	281	s = (char *) XpmMalloc(l);
243	if (!s)	282	if (!s)
Lines 249-256 Link Here
249	}	288	}
250		289
251	static void	290	static void
252	CreatePixels(dataptr, width, height, cpp, pixels, colors)	291	CreatePixels(dataptr, data_size, width, height, cpp, pixels, colors)
253	char **dataptr;	292	char **dataptr;
		293	unsigned int data_size;
254	unsigned int width;	294	unsigned int width;
255	unsigned int height;	295	unsigned int height;
256	unsigned int cpp;	296	unsigned int cpp;
Lines 260-280 Link Here
260	char *s;	300	char *s;
261	unsigned int x, y, h, offset;	301	unsigned int x, y, h, offset;
262		302
		303	if(height <= 1)
		304	return;
		305
263	h = height - 1;	306	h = height - 1;
		307
264	offset = width * cpp + 1;	308	offset = width * cpp + 1;
		309
		310	if(offset <= width \|\| offset <= cpp)
		311	return;
		312
		313	/* why trust h? */
265	for (y = 0; y < h; y++, dataptr++) {	314	for (y = 0; y < h; y++, dataptr++) {
266	s = *dataptr;	315	s = *dataptr;
		316	/* why trust width? */
267	for (x = 0; x < width; x++, pixels++) {	317	for (x = 0; x < width; x++, pixels++) {
268	strncpy(s, colors[*pixels].string, cpp);	318	if(cpp > (data_size - (s - *dataptr)))
		319	return;
		320	strncpy(s, colors[pixels].string, cpp); / why trust pixel? */
269	s += cpp;	321	s += cpp;
270	}	322	}
271	*s = '\0';	323	*s = '\0';
		324	if(offset > data_size)
		325	return;
272	(dataptr + 1) = dataptr + offset;	326	(dataptr + 1) = dataptr + offset;
273	}	327	}
274	/* duplicate some code to avoid a test in the loop */	328	/* duplicate some code to avoid a test in the loop */
275	s = *dataptr;	329	s = *dataptr;
		330	/* why trust width? */
276	for (x = 0; x < width; x++, pixels++) {	331	for (x = 0; x < width; x++, pixels++) {
277	strncpy(s, colors[*pixels].string, cpp);	332	if(cpp > data_size - (s - *dataptr))
		333	return;
		334	strncpy(s, colors[pixels].string, cpp); / why should we trust pixel? /
278	s += cpp;	335	s += cpp;
279	}	336	}
280	*s = '\0';	337	*s = '\0';
Lines 307-314 Link Here
307	}	364	}
308		365
309	static void	366	static void
310	CreateExtensions(dataptr, offset, ext, num, ext_nlines)	367	CreateExtensions(dataptr, data_size, offset, ext, num, ext_nlines)
311	char **dataptr;	368	char **dataptr;
		369	unsigned int data_size;
312	unsigned int offset;	370	unsigned int offset;
313	XpmExtension *ext;	371	XpmExtension *ext;
314	unsigned int num;	372	unsigned int num;
Lines 321-332 Link Here
321	dataptr++;	379	dataptr++;
322	a = 0;	380	a = 0;
323	for (x = 0; x < num; x++, ext++) {	381	for (x = 0; x < num; x++, ext++) {
324	sprintf(*dataptr, "XPMEXT %s", ext->name);	382	snprintf(*dataptr, data_size, "XPMEXT %s", ext->name);
325	a++;	383	a++;
326	if (a < ext_nlines)	384	if (a < ext_nlines)
327	(dataptr + 1) = dataptr + strlen(ext->name) + 8;	385	(dataptr + 1) = dataptr + strlen(ext->name) + 8;
328	dataptr++;	386	dataptr++;
329	b = ext->nlines;	387	b = ext->nlines; /* can we trust these values? */
330	for (y = 0, line = ext->lines; y < b; y++, line++) {	388	for (y = 0, line = ext->lines; y < b; y++, line++) {
331	strcpy(dataptr, line);	389	strcpy(dataptr, line);
332	a++;	390	a++;

Lines 39-44 Link Here

(-)motif/lib/Xm/Xpmcreate.c (-32 / +70 lines)
39	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	39	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
40	*/	40	*/
41		41
		42	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		43
42	#include "XpmI.h"	44	#include "XpmI.h"
43	#include <ctype.h>	45	#include <ctype.h>
44		46
Lines 560-566 Link Here
560	*/	562	*/
561	} else {	563	} else {
562	#endif	564	#endif
563	int i;	565	unsigned int i;
564		566
565	ncols = visual->map_entries;	567	ncols = visual->map_entries;
566	cols = (XColor *) XpmCalloc(ncols, sizeof(XColor));	568	cols = (XColor *) XpmCalloc(ncols, sizeof(XColor));
Lines 718-723 Link Here
718	/* function call in case of error, frees only locally allocated variables */	720	/* function call in case of error, frees only locally allocated variables */
719	#undef RETURN	721	#undef RETURN
720	#define RETURN(status) \	722	#define RETURN(status) \
		723	do \
721	{ \	724	{ \
722	if (ximage) XDestroyImage(ximage); \	725	if (ximage) XDestroyImage(ximage); \
723	if (shapeimage) XDestroyImage(shapeimage); \	726	if (shapeimage) XDestroyImage(shapeimage); \
Lines 728-734 Link Here
728	if (alloc_pixels) XpmFree(alloc_pixels); \	731	if (alloc_pixels) XpmFree(alloc_pixels); \
729	if (used_pixels) XpmFree(used_pixels); \	732	if (used_pixels) XpmFree(used_pixels); \
730	return (status); \	733	return (status); \
731	}	734	} while(0)
732		735
733	int	736	int
734	XpmCreateImageFromXpmImage(display, image,	737	XpmCreateImageFromXpmImage(display, image,
Lines 799-805 Link Here
799		802
800	ErrorStatus = XpmSuccess;	803	ErrorStatus = XpmSuccess;
801		804
802	if (image->ncolors >= SIZE_MAX / sizeof(Pixel))	805	if (image->ncolors >= UINT_MAX / sizeof(Pixel))
803	return (XpmNoMemory);	806	return (XpmNoMemory);
804		807
805	/* malloc pixels index tables */	808	/* malloc pixels index tables */
Lines 945-953 Link Here
945	return (XpmNoMemory);	948	return (XpmNoMemory);
946		949
947	#ifndef FOR_MSW	950	#ifndef FOR_MSW
948	if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)	951	if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
949	return XpmNoMemory;	952	XDestroyImage(*image_return);
		953	return XpmNoMemory;
		954	}
950	/* now that bytes_per_line must have been set properly alloc data */	955	/* now that bytes_per_line must have been set properly alloc data */
		956	if((*image_return)->bytes_per_line == 0 \|\| height == 0)
		957	return XpmNoMemory;
951	(*image_return)->data =	958	(*image_return)->data =
952	(char ) XpmMalloc((image_return)->bytes_per_line * height);	959	(char ) XpmMalloc((image_return)->bytes_per_line * height);
953		960
Lines 975-981 Link Here
975	LFUNC(_putbits, void, (register char *src, int dstoffset,	982	LFUNC(_putbits, void, (register char *src, int dstoffset,
976	register int numbits, register char *dst));	983	register int numbits, register char *dst));
977		984
978	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));	985	LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
979		986
980	static unsigned char Const _reverse_byte[0x100] = {	987	static unsigned char Const _reverse_byte[0x100] = {
981	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,	988	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
Lines 1015-1026 Link Here
1015	static int	1022	static int
1016	_XReverse_Bytes(bpt, nb)	1023	_XReverse_Bytes(bpt, nb)
1017	register unsigned char *bpt;	1024	register unsigned char *bpt;
1018	register int nb;	1025	register unsigned int nb;
1019	{	1026	{
1020	do {	1027	do {
1021	bpt = _reverse_byte[bpt];	1028	bpt = _reverse_byte[bpt];
1022	bpt++;	1029	bpt++;
1023	} while (--nb > 0);	1030	} while (--nb > 0); /* is nb user-controled? */
1024	return 0;	1031	return 0;
1025	}	1032	}
1026		1033
Lines 1159-1165 Link Here
1159	register char *src;	1166	register char *src;
1160	register char *dst;	1167	register char *dst;
1161	register unsigned int *iptr;	1168	register unsigned int *iptr;
1162	register int x, y, i;	1169	register unsigned int x, y, i;
1163	register char *data;	1170	register char *data;
1164	Pixel pixel, px;	1171	Pixel pixel, px;
1165	int nbytes, depth, ibu, ibpp;	1172	int nbytes, depth, ibu, ibpp;
Lines 1169-1176 Link Here
1169	depth = image->depth;	1176	depth = image->depth;
1170	if (depth == 1) {	1177	if (depth == 1) {
1171	ibu = image->bitmap_unit;	1178	ibu = image->bitmap_unit;
1172	for (y = 0; y < height; y++)	1179	for (y = 0; y < height; y++) /* how can we trust height */
1173	for (x = 0; x < width; x++, iptr++) {	1180	for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
1174	pixel = pixels[*iptr];	1181	pixel = pixels[*iptr];
1175	for (i = 0, px = pixel; i < sizeof(unsigned long);	1182	for (i = 0, px = pixel; i < sizeof(unsigned long);
1176	i++, px >>= 8)	1183	i++, px >>= 8)
Lines 1245-1256 Link Here
1245	{	1252	{
1246	unsigned char *data;	1253	unsigned char *data;
1247	unsigned int *iptr;	1254	unsigned int *iptr;
1248	int y;	1255	unsigned int y;
1249	Pixel pixel;	1256	Pixel pixel;
1250		1257
1251	#ifdef WITHOUT_SPEEDUPS	1258	#ifdef WITHOUT_SPEEDUPS
1252		1259
1253	int x;	1260	unsigned int x;
1254	unsigned char *addr;	1261	unsigned char *addr;
1255		1262
1256	data = (unsigned char *) image->data;	1263	data = (unsigned char *) image->data;
Lines 1287-1293 Link Here
1287		1294
1288	#else /* WITHOUT_SPEEDUPS */	1295	#else /* WITHOUT_SPEEDUPS */
1289		1296
1290	int bpl = image->bytes_per_line;	1297	unsigned int bpl = image->bytes_per_line;
1291	unsigned char data_ptr, max_data;	1298	unsigned char data_ptr, max_data;
1292		1299
1293	data = (unsigned char *) image->data;	1300	data = (unsigned char *) image->data;
Lines 1355-1365 Link Here
1355	{	1362	{
1356	unsigned char *data;	1363	unsigned char *data;
1357	unsigned int *iptr;	1364	unsigned int *iptr;
1358	int y;	1365	unsigned int y;
1359		1366
1360	#ifdef WITHOUT_SPEEDUPS	1367	#ifdef WITHOUT_SPEEDUPS
1361		1368
1362	int x;	1369	unsigned int x;
1363	unsigned char *addr;	1370	unsigned char *addr;
1364		1371
1365	data = (unsigned char *) image->data;	1372	data = (unsigned char *) image->data;
Lines 1383-1389 Link Here
1383		1390
1384	Pixel pixel;	1391	Pixel pixel;
1385		1392
1386	int bpl = image->bytes_per_line;	1393	unsigned int bpl = image->bytes_per_line;
1387	unsigned char data_ptr, max_data;	1394	unsigned char data_ptr, max_data;
1388		1395
1389	data = (unsigned char *) image->data;	1396	data = (unsigned char *) image->data;
Lines 1436-1446 Link Here
1436	{	1443	{
1437	char *data;	1444	char *data;
1438	unsigned int *iptr;	1445	unsigned int *iptr;
1439	int y;	1446	unsigned int y;
1440		1447
1441	#ifdef WITHOUT_SPEEDUPS	1448	#ifdef WITHOUT_SPEEDUPS
1442		1449
1443	int x;	1450	unsigned int x;
1444		1451
1445	data = image->data;	1452	data = image->data;
1446	iptr = pixelindex;	1453	iptr = pixelindex;
Lines 1450-1456 Link Here
1450		1457
1451	#else /* WITHOUT_SPEEDUPS */	1458	#else /* WITHOUT_SPEEDUPS */
1452		1459
1453	int bpl = image->bytes_per_line;	1460	unsigned int bpl = image->bytes_per_line;
1454	char data_ptr, max_data;	1461	char data_ptr, max_data;
1455		1462
1456	data = image->data;	1463	data = image->data;
Lines 1485-1496 Link Here
1485	PutImagePixels(image, width, height, pixelindex, pixels);	1492	PutImagePixels(image, width, height, pixelindex, pixels);
1486	else {	1493	else {
1487	unsigned int *iptr;	1494	unsigned int *iptr;
1488	int y;	1495	unsigned int y;
1489	char *data;	1496	char *data;
1490		1497
1491	#ifdef WITHOUT_SPEEDUPS	1498	#ifdef WITHOUT_SPEEDUPS
1492		1499
1493	int x;	1500	unsigned int x;
1494		1501
1495	data = image->data;	1502	data = image->data;
1496	iptr = pixelindex;	1503	iptr = pixelindex;
Lines 1668-1673 Link Here
1668	Pixel px;	1675	Pixel px;
1669	int nbytes;	1676	int nbytes;
1670		1677
		1678	if(x < 0 \|\| y < 0)
		1679	return 0;
		1680
1671	for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)	1681	for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
1672	((unsigned char *)&pixel)[i] = px;	1682	((unsigned char *)&pixel)[i] = px;
1673	src = &ximage->data[XYINDEX(x, y, ximage)];	1683	src = &ximage->data[XYINDEX(x, y, ximage)];
Lines 1699-1705 Link Here
1699	register int i;	1709	register int i;
1700	register char *data;	1710	register char *data;
1701	Pixel px;	1711	Pixel px;
1702	int nbytes, ibpp;	1712	unsigned int nbytes, ibpp;
		1713
		1714	if(x < 0 \|\| y < 0)
		1715	return 0;
1703		1716
1704	ibpp = ximage->bits_per_pixel;	1717	ibpp = ximage->bits_per_pixel;
1705	if (ximage->depth == 4)	1718	if (ximage->depth == 4)
Lines 1732-1737 Link Here
1732	{	1745	{
1733	unsigned char *addr;	1746	unsigned char *addr;
1734		1747
		1748	if(x < 0 \|\| y < 0)
		1749	return 0;
		1750
1735	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1751	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1736	((unsigned long )addr) = pixel;	1752	((unsigned long )addr) = pixel;
1737	return 1;	1753	return 1;
Lines 1746-1751 Link Here
1746	{	1762	{
1747	unsigned char *addr;	1763	unsigned char *addr;
1748		1764
		1765	if(x < 0 \|\| y < 0)
		1766	return 0;
		1767
1749	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1768	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1750	addr[0] = pixel >> 24;	1769	addr[0] = pixel >> 24;
1751	addr[1] = pixel >> 16;	1770	addr[1] = pixel >> 16;
Lines 1763-1768 Link Here
1763	{	1782	{
1764	unsigned char *addr;	1783	unsigned char *addr;
1765		1784
		1785	if(x < 0 \|\| y < 0)
		1786	return 0;
		1787
1766	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];	1788	addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
1767	addr[3] = pixel >> 24;	1789	addr[3] = pixel >> 24;
1768	addr[2] = pixel >> 16;	1790	addr[2] = pixel >> 16;
Lines 1780-1785 Link Here
1780	{	1802	{
1781	unsigned char *addr;	1803	unsigned char *addr;
1782		1804
		1805	if(x < 0 \|\| y < 0)
		1806	return 0;
		1807
1783	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];	1808	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1784	addr[0] = pixel >> 8;	1809	addr[0] = pixel >> 8;
1785	addr[1] = pixel;	1810	addr[1] = pixel;
Lines 1795-1800 Link Here
1795	{	1820	{
1796	unsigned char *addr;	1821	unsigned char *addr;
1797		1822
		1823	if(x < 0 \|\| y < 0)
		1824	return 0;
		1825
1798	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];	1826	addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
1799	addr[1] = pixel >> 8;	1827	addr[1] = pixel >> 8;
1800	addr[0] = pixel;	1828	addr[0] = pixel;
Lines 1808-1813 Link Here
1808	int y;	1836	int y;
1809	unsigned long pixel;	1837	unsigned long pixel;
1810	{	1838	{
		1839	if(x < 0 \|\| y < 0)
		1840	return 0;
		1841
1811	ximage->data[ZINDEX8(x, y, ximage)] = pixel;	1842	ximage->data[ZINDEX8(x, y, ximage)] = pixel;
1812	return 1;	1843	return 1;
1813	}	1844	}
Lines 1819-1824 Link Here
1819	int y;	1850	int y;
1820	unsigned long pixel;	1851	unsigned long pixel;
1821	{	1852	{
		1853	if(x < 0 \|\| y < 0)
		1854	return 0;
		1855
1822	if (pixel & 1)	1856	if (pixel & 1)
1823	ximage->data[ZINDEX1(x, y, ximage)] \|= 0x80 >> (x & 7);	1857	ximage->data[ZINDEX1(x, y, ximage)] \|= 0x80 >> (x & 7);
1824	else	1858	else
Lines 1833-1838 Link Here
1833	int y;	1867	int y;
1834	unsigned long pixel;	1868	unsigned long pixel;
1835	{	1869	{
		1870	if(x < 0 \|\| y < 0)
		1871	return 0;
		1872
1836	if (pixel & 1)	1873	if (pixel & 1)
1837	ximage->data[ZINDEX1(x, y, ximage)] \|= 1 << (x & 7);	1874	ximage->data[ZINDEX1(x, y, ximage)] \|= 1 << (x & 7);
1838	else	1875	else
Lines 1845-1850 Link Here
1845	/* function call in case of error, frees only locally allocated variables */	1882	/* function call in case of error, frees only locally allocated variables */
1846	#undef RETURN	1883	#undef RETURN
1847	#define RETURN(status) \	1884	#define RETURN(status) \
		1885	do \
1848	{ \	1886	{ \
1849	if (USE_HASHTABLE) xpmHashTableFree(&hashtable); \	1887	if (USE_HASHTABLE) xpmHashTableFree(&hashtable); \
1850	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \	1888	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \
Lines 1860-1866 Link Here
1860	if (alloc_pixels) XpmFree(alloc_pixels); \	1898	if (alloc_pixels) XpmFree(alloc_pixels); \
1861	if (used_pixels) XpmFree(used_pixels); \	1899	if (used_pixels) XpmFree(used_pixels); \
1862	return(status); \	1900	return(status); \
1863	}	1901	} while(0)
1864		1902
1865	/*	1903	/*
1866	* This function parses an Xpm file or data and directly create an XImage	1904	* This function parses an Xpm file or data and directly create an XImage
Lines 1992-1999 Link Here
1992	xpmGetCmt(data, &colors_cmt);	2030	xpmGetCmt(data, &colors_cmt);
1993		2031
1994	/* malloc pixels index tables */	2032	/* malloc pixels index tables */
1995	if (ncolors >= SIZE_MAX / sizeof(Pixel))	2033	if (ncolors >= UINT_MAX / sizeof(Pixel))
1996	return XpmNoMemory;	2034	RETURN(XpmNoMemory);
1997		2035
1998	image_pixels = (Pixel ) XpmMalloc(sizeof(Pixel) ncolors);	2036	image_pixels = (Pixel ) XpmMalloc(sizeof(Pixel) ncolors);
1999	if (!image_pixels)	2037	if (!image_pixels)
Lines 2104-2110 Link Here
2104	* free the hastable	2142	* free the hastable
2105	*/	2143	*/
2106	if (ErrorStatus != XpmSuccess)	2144	if (ErrorStatus != XpmSuccess)
2107	RETURN(ErrorStatus)	2145	RETURN(ErrorStatus);
2108	else if (USE_HASHTABLE)	2146	else if (USE_HASHTABLE)
2109	xpmHashTableFree(&hashtable);	2147	xpmHashTableFree(&hashtable);
2110		2148
Lines 2117-2123 Link Here
2117	/*	2155	/*
2118	* parse extensions	2156	* parse extensions
2119	*/	2157	*/
2120	if (info && (info->valuemask & XpmReturnExtensions))	2158	if (info && (info->valuemask & XpmReturnExtensions)) {
2121	if (extensions) {	2159	if (extensions) {
2122	ErrorStatus = xpmParseExtensions(data, &info->extensions,	2160	ErrorStatus = xpmParseExtensions(data, &info->extensions,
2123	&info->nextensions);	2161	&info->nextensions);
Lines 2127-2133 Link Here
2127	info->extensions = NULL;	2165	info->extensions = NULL;
2128	info->nextensions = 0;	2166	info->nextensions = 0;
2129	}	2167	}
2130		2168	}
2131	/*	2169	/*
2132	* store found informations in the XpmImage structure	2170	* store found informations in the XpmImage structure
2133	*/	2171	*/
Lines 2251-2261 Link Here
2251		2289
2252	/* array of pointers malloced by need */	2290	/* array of pointers malloced by need */
2253	unsigned short *cidx[256];	2291	unsigned short *cidx[256];
2254	int char1;	2292	unsigned int char1;
2255		2293
2256	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	2294	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
2257	for (a = 0; a < ncolors; a++) {	2295	for (a = 0; a < ncolors; a++) {
2258	char1 = colorTable[a].string[0];	2296	char1 = (unsigned char) colorTable[a].string[0];
2259	if (cidx[char1] == NULL) { /* get new memory */	2297	if (cidx[char1] == NULL) { /* get new memory */
2260	cidx[char1] = (unsigned short *)	2298	cidx[char1] = (unsigned short *)
2261	XpmCalloc(256, sizeof(unsigned short));	2299	XpmCalloc(256, sizeof(unsigned short));
Lines 2273-2279 Link Here
2273	int cc1 = xpmGetC(data);	2311	int cc1 = xpmGetC(data);
2274	if (cc1 > 0 && cc1 < 256) {	2312	if (cc1 > 0 && cc1 < 256) {
2275	int cc2 = xpmGetC(data);	2313	int cc2 = xpmGetC(data);
2276	if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0) {	2314	if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0) {
2277	#ifndef FOR_MSW	2315	#ifndef FOR_MSW
2278	XPutPixel(image, x, y,	2316	XPutPixel(image, x, y,
2279	image_pixels[cidx[cc1][cc2] - 1]);	2317	image_pixels[cidx[cc1][cc2] - 1]);

Lines 33-38 Link Here

(-)motif/lib/Xm/Xpmdata.c (-5 / +8 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	/* Official version number */	38	/* Official version number */
37	static char *RCS_Version = "$XpmVersion: 3.4i $";	39	static char *RCS_Version = "$XpmVersion: 3.4i $";
38		40
Lines 274-280 Link Here
274	}	276	}
275	ungetc(c, file);	277	ungetc(c, file);
276	}	278	}
277	return (n);	279	return (n); /* this returns bytes read + 1 */
278	}	280	}
279		281
280	/*	282	/*
Lines 371-379 Link Here
371	{	373	{
372	if (!mdata->type)	374	if (!mdata->type)
373	*cmt = NULL;	375	*cmt = NULL;
374	else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) {	376	else if (mdata->CommentLength != 0 && mdata->CommentLength < UINT_MAX - 1) {
375	cmt = (char ) XpmMalloc(mdata->CommentLength + 1);	377	if( (cmt = (char ) XpmMalloc(mdata->CommentLength + 1)) == NULL)
376	strncpy(*cmt, mdata->Comment, mdata->CommentLength);	378	return XpmNoMemory;
		379	strncpy(*cmt, mdata->Comment, mdata->CommentLength);
377	(*cmt)[mdata->CommentLength] = '\0';	380	(*cmt)[mdata->CommentLength] = '\0';
378	mdata->CommentLength = 0;	381	mdata->CommentLength = 0;
379	} else	382	} else
Lines 400-406 Link Here
400	xpmParseHeader(mdata)	403	xpmParseHeader(mdata)
401	xpmData *mdata;	404	xpmData *mdata;
402	{	405	{
403	char buf[BUFSIZ];	406	char buf[BUFSIZ+1] = {0};
404	int l, n = 0;	407	int l, n = 0;
405		408
406	if (mdata->type) {	409	if (mdata->type) {




    unsigned int size = table->size;
    xpmHashAtom *t, *p;
    int i;
    unsigned int oldSize = size;

    t = atomTable;
    HASH_TABLE_GROWS
	table->size = size;
    table->limit = size / 3;
    if (size >= UINT_MAX / sizeof(*atomTable)) 
        return (XpmNoMemory);
    atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
    if (!atomTable)

    table->size = INITIAL_HASH_SIZE;
    table->limit = table->size / 3;
    table->used = 0;
   if (table->size >= UINT_MAX / sizeof(*atomTable))
       return (XpmNoMemory);
    atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
    if (!atomTable)




#define xpmatoui _Xmxpmatoui
#define xpmDataTypes _XmxpmDataTypes
#define xpmColorKeys _XmxpmColorKeys
#define Xpms_popen _Xms_popen

/* The following is the original XpmI.h header file,
   except that it includes XpmP.h instead of xpm.h */

 * lets try to solve include files
 */

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
/* stdio.h doesn't declare popen on a Sequent DYNIX OS */
#ifdef sequent
extern FILE *popen();

Lines 47-53 Link Here

(-)motif/lib/Xm/Xpmmisc.c (-1 / +1 lines)
47	char *s1;	47	char *s1;
48	{	48	{
49	char *s2;	49	char *s2;
50	int l = strlen(s1) + 1;	50	size_t l = strlen(s1) + 1;
51		51
52	if (s2 = (char *) XpmMalloc(l))	52	if (s2 = (char *) XpmMalloc(l))
53	strcpy(s2, s1);	53	strcpy(s2, s1);




 * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
 */

/* October 2004, source code review by Thomas Biege <thomas@suse.de> */

#include "XpmI.h"
#include <ctype.h>
#include <string.h>
 
#ifdef HAS_STRLCAT
# define STRLCAT(dst, src, dstsize) do { \
       if (strlcat(dst, src, dstsize) >= (dstsize)) \
           return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
       if (strlcpy(dst, src, dstsize) >= (dstsize)) \
           return (XpmFileInvalid); } while(0)
#else
# define STRLCAT(dst, src, dstsize) do { \
       if ((strlen(dst) + strlen(src)) < (dstsize)) \
           strcat(dst, src); \
       else return (XpmFileInvalid); } while(0)
# define STRLCPY(dst, src, dstsize) do { \
       if (strlen(src) < (dstsize)) \
           strcpy(dst, src); \
       else return (XpmFileInvalid); } while(0)
#endif

LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,

/* function call in case of error, frees only locally allocated variables */
#undef RETURN
#define RETURN(status) \
do \
{ \
    if (colorTable) xpmFreeColorTable(colorTable, ncolors); \
    if (pixelindex) XpmFree(pixelindex); \

    if (colors_cmt) XpmFree(colors_cmt); \
    if (pixels_cmt) XpmFree(pixels_cmt); \
    return(status); \
} while(0)

/*
 * This function parses an Xpm file or data and store the found informations

    /*
     * parse extensions
     */
    if (info && (info->valuemask & XpmReturnExtensions)) {
	if (extensions) {
	    ErrorStatus = xpmParseExtensions(data, &info->extensions,
					     &info->nextensions);

	    info->extensions = NULL;
	    info->nextensions = 0;
	}
    }

    /*
     * store found informations in the XpmImage structure

    char **defaults;
    int ErrorStatus;

    if (ncolors >= UINT_MAX / sizeof(XpmColor))
        return (XpmNoMemory);
    colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
    if (!colorTable)

	    /*
	     * read pixel value
	     */
	    if (cpp >= UINT_MAX - 1) {
	        xpmFreeColorTable(colorTable, ncolors);
		return (XpmNoMemory);
	    }

		xpmFreeColorTable(colorTable, ncolors);
		return (XpmFileInvalid);
	    }
	    len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
	    s = defaults[curkey] = (char *) XpmMalloc(len);
	    if (!s) {
		xpmFreeColorTable(colorTable, ncolors);

	    /*
	     * read pixel value
	     */
	    if (cpp >= UINT_MAX - 1) {
	        xpmFreeColorTable(colorTable, ncolors);
		return (XpmNoMemory);
	    }

	    memcpy(s, curbuf, len);
	    color->c_color = s;
	    *curbuf = '\0';		/* reset curbuf */
	    if (a < ncolors - 1)	/* can we trust ncolors -> leave data's bounds */
		xpmNextString(data);	/* get to the next string */
	}
    }

    xpmHashTable *hashtable;
    unsigned int **pixels;
{
    unsigned int *iptr, *iptr2 = NULL;
    unsigned int a, x, y;

    if ((height > 0 && width >= UINT_MAX / height) ||
	width * height >= UINT_MAX / sizeof(unsigned int)) 
        return XpmNoMemory;
#ifndef FOR_MSW
    iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);

	{
	    unsigned short colidx[256];

	    if (ncolors > 256) {
	        return (XpmFileInvalid);
		XpmFree(iptr2); /* found by Egbert Eich */
            }

	    bzero((char *)colidx, 256 * sizeof(short));
	    for (a = 0; a < ncolors; a++)

	{

/* free all allocated pointers at all exits */
#define FREE_CIDX \
do \
{ \
	int f; for (f = 0; f < 256; f++) \
	if (cidx[f]) XpmFree(cidx[f]); \
} while(0)

	    /* array of pointers malloced by need */
	    unsigned short *cidx[256];
	    unsigned int char1;

	    bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
	    for (a = 0; a < ncolors; a++) {
		char1 = (unsigned char) colorTable[a].string[0];
		if (cidx[char1] == NULL) { /* get new memory */
		    cidx[char1] = (unsigned short *)
			XpmCalloc(256, sizeof(unsigned short));

		    int cc1 = xpmGetC(data);
		    if (cc1 > 0 && cc1 < 256) {
			int cc2 = xpmGetC(data);
			if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0)
			    *iptr = cidx[cc1][cc2] - 1;
			else {
			    FREE_CIDX;

	    char *s;
	    char buf[BUFSIZ];

	    if (cpp >= sizeof(buf)) {
	        return (XpmFileInvalid);
		XpmFree(iptr2); /* found by Egbert Eich */
            }

	    buf[cpp] = '\0';
	    if (USE_HASHTABLE) {

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			slot = xpmHashSlot(hashtable, buf);
			if (!*slot) {	/* no color matches */
			    XpmFree(iptr2);

		    xpmNextString(data);
		    for (x = 0; x < width; x++, iptr++) {
			for (a = 0, s = buf; a < cpp; a++, s++)
			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
			for (a = 0; a < ncolors; a++)
			    if (!strcmp(colorTable[a].string, buf))
				break;

    while (!notstart && notend) {
	/* there starts an extension */
	ext = (XpmExtension *)
	    XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
	if (!ext) {
	    XpmFree(string);
	    XpmFreeExtensions(exts, num);

	while ((notstart = strncmp("XPMEXT", string, 6))
	       && (notend = strncmp("XPMENDEXT", string, 9))) {
	    sp = (char **)
		XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *)); /* can we iterate enough for a wrapping? */
	    if (!sp) {
		XpmFree(string);
		ext->nlines = nlines;

Lines 38-43 Link Here

(-)motif/lib/Xm/XpmRdFToBuf.c (-2 / +5 lines)
38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
39	*/	39	*/
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42	#include <sys/stat.h>	44	#include <sys/stat.h>
43	#if !defined(FOR_MSW) && !defined(WIN32)	45	#if !defined(FOR_MSW) && !defined(WIN32)
Lines 59-65 Link Here
59	char *filename;	61	char *filename;
60	char **buffer_return;	62	char **buffer_return;
61	{	63	{
62	int fd, fcheck, len;	64	int fd, fcheck;
		65	off_t len;
63	char *ptr;	66	char *ptr;
64	struct stat stats;	67	struct stat stats;
65	FILE *fp;	68	FILE *fp;
Lines 83-89 Link Here
83	close(fd);	86	close(fd);
84	return XpmOpenFailed;	87	return XpmOpenFailed;
85	}	88	}
86	len = (int) stats.st_size;	89	len = stats.st_size;
87	ptr = (char *) XpmMalloc(len + 1);	90	ptr = (char *) XpmMalloc(len + 1);
88	if (!ptr) {	91	if (!ptr) {
89	fclose(fp);	92	fclose(fp);

Lines 33-38 Link Here

(-)motif/lib/Xm/XpmRdFToI.c (-12 / +24 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37	#include <sys/stat.h>	39	#include <sys/stat.h>
38	#include <sys/param.h>	40	#include <sys/param.h>
Lines 122-127 Link Here
122	/*	124	/*
123	* open the given file to be read as an xpmData which is returned.	125	* open the given file to be read as an xpmData which is returned.
124	*/	126	*/
		127	#ifndef NO_ZPIPE
		128	FILE Xpms_popen(char cmd, const char *type);
		129	#else
		130	# define Xpms_popen popen
		131	#endif
		132
125	static int	133	static int
126	OpenReadFile(filename, mdata)	134	OpenReadFile(filename, mdata)
127	char *filename;	135	char *filename;
Lines 139-155 Link Here
139	mdata->type = XPMFILE;	147	mdata->type = XPMFILE;
140	} else {	148	} else {
141	#ifndef NO_ZPIPE	149	#ifndef NO_ZPIPE
142	int len = strlen(filename);	150	size_t len = strlen(filename);
		151
		152	if(len == 0 \|\|
		153	filename[len-1] == '/')
		154	return(XpmOpenFailed);
143	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {	155	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
144	mdata->type = XPMPIPE;	156	mdata->type = XPMPIPE;
145	sprintf(buf, "uncompress -c \"%s\"", filename);	157	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
146	if (!(mdata->stream.file = popen(buf, "r")))	158	if (!(mdata->stream.file = Xpms_popen(buf, "r")))
147	return (XpmOpenFailed);	159	return (XpmOpenFailed);
148		160
149	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {	161	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
150	mdata->type = XPMPIPE;	162	mdata->type = XPMPIPE;
151	sprintf(buf, "gunzip -qc \"%s\"", filename);	163	snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
152	if (!(mdata->stream.file = popen(buf, "r")))	164	if (!(mdata->stream.file = Xpms_popen(buf, "r")))
153	return (XpmOpenFailed);	165	return (XpmOpenFailed);
154		166
155	} else {	167	} else {
Lines 157-175 Link Here
157	if (!(compressfile = (char *) XpmMalloc(len + 4)))	169	if (!(compressfile = (char *) XpmMalloc(len + 4)))
158	return (XpmNoMemory);	170	return (XpmNoMemory);
159		171
160	sprintf(compressfile, "%s.Z", filename);	172	snprintf(compressfile, len+4, "%s.Z", filename);
161	if (!stat(compressfile, &status)) {	173	if (!stat(compressfile, &status)) {
162	sprintf(buf, "uncompress -c \"%s\"", compressfile);	174	snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
163	if (!(mdata->stream.file = popen(buf, "r"))) {	175	if (!(mdata->stream.file = Xpms_popen(buf, "r"))) {
164	XpmFree(compressfile);	176	XpmFree(compressfile);
165	return (XpmOpenFailed);	177	return (XpmOpenFailed);
166	}	178	}
167	mdata->type = XPMPIPE;	179	mdata->type = XPMPIPE;
168	} else {	180	} else {
169	sprintf(compressfile, "%s.gz", filename);	181	snprintf(compressfile, len+4, "%s.gz", filename);
170	if (!stat(compressfile, &status)) {	182	if (!stat(compressfile, &status)) {
171	sprintf(buf, "gunzip -c \"%s\"", compressfile);	183	snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
172	if (!(mdata->stream.file = popen(buf, "r"))) {	184	if (!(mdata->stream.file = Xpms_popen(buf, "r"))) {
173	XpmFree(compressfile);	185	XpmFree(compressfile);
174	return (XpmOpenFailed);	186	return (XpmOpenFailed);
175	}	187	}
Lines 211-217 Link Here
211	break;	223	break;
212	#ifndef NO_ZPIPE	224	#ifndef NO_ZPIPE
213	case XPMPIPE:	225	case XPMPIPE:
214	pclose(mdata->stream.file);	226	fclose(mdata->stream.file);
215	break;	227	break;
216	#endif	228	#endif
217	}	229	}




 * HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
 */

/* October 2004, source code review by Thomas Biege <thomas@suse.de> */

#include "XpmI.h"

#define MAXPRINTABLE 92			/* number of printable ascii chars
					 * minus \ and " for string compat
					 * and ? to avoid ANSI trigraphs. */
					/* " */
static char *printable =
" .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\
ASDFGHJKLPIUYTREWQ!~^/()_`'][{}|";

/* function call in case of error, frees only locally allocated variables */
#undef RETURN
#define RETURN(status) \
do \
{ \
    if (pmap.pixelindex) XpmFree(pmap.pixelindex); \
    if (pmap.pixels) XpmFree(pmap.pixels); \
    if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \
    return(status); \
} while(0)

/*
 * This function scans the given image and stores the found informations in

    /* variables to return */
    PixelsMap pmap;
    XpmColor *colorTable = NULL;
    int ErrorStatus = 0;

    /* calculation variables */
    unsigned int width = 0;

    else
	cpp = 0;

    if ((height > 0 && width >= UINT_MAX / height) ||
	width * height >= UINT_MAX / sizeof(unsigned int))
        RETURN(XpmNoMemory);
    pmap.pixelindex =
	(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
    if (!pmap.pixelindex)
	RETURN(XpmNoMemory);

    if (pmap.size >= UINT_MAX / sizeof(Pixel)) 
        RETURN(XpmNoMemory);

    pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);

     * color
     */

    if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
        RETURN(XpmNoMemory);
    colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
    if (!colorTable)


    /* first get a character string */
    a = 0;
    if (cpp >= UINT_MAX - 1)
        return (XpmNoMemory);
    if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
	return (XpmNoMemory);

    }

    /* first get character strings and rgb values */
    if (ncolors >= UINT_MAX / sizeof(XColor) || cpp >= UINT_MAX - 1)
        return (XpmNoMemory);
    xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
    if (!xcolors)

    char *dst;
    unsigned int *iptr;
    char *data;
    unsigned int x, y, i;
    int bits, depth, ibu, ibpp, offset;
    unsigned long lbt;
    Pixel pixel, px;

    unsigned char *addr;
    unsigned char *data;
    unsigned int *iptr;
    unsigned int x, y;
    unsigned long lbt;
    Pixel pixel;
    int depth;

    unsigned char *addr;
    unsigned char *data;
    unsigned int *iptr;
    unsigned int x, y;
    unsigned long lbt;
    Pixel pixel;
    int depth;

{
    unsigned int *iptr;
    unsigned char *data;
    unsigned int x, y;
    unsigned long lbt;
    Pixel pixel;
    int depth;

    int (*storeFunc) ();
{
    unsigned int *iptr;
    unsigned int x, y;
    char *data;
    Pixel pixel;
    int xoff, yoff, offset, bpl;

Lines 33-38 Link Here

(-)motif/lib/Xm/XpmWrFFrBuf.c (-1 / +3 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37		39
38	int	40	int
Lines 50-56 Link Here
50	fcheck = fwrite(buffer, len, 1, fp);	52	fcheck = fwrite(buffer, len, 1, fp);
51	fclose(fp);	53	fclose(fp);
52	if (fcheck != 1)	54	if (fcheck != 1)
53	return XpmOpenFailed;	55	return XpmOpenFailed; /* maybe use a better return value */
54		56
55	return XpmSuccess;	57	return XpmSuccess;
56	}	58	}

Lines 33-38 Link Here

(-)motif/lib/Xm/XpmWrFFrI.c (-10 / +26 lines)
33	* Developed by Arnaud Le Hors *	33	* Developed by Arnaud Le Hors *
34	\*****************************************************************************/	34	\*****************************************************************************/
35		35
		36	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		37
36	#include "XpmI.h"	38	#include "XpmI.h"
37	#if !defined(NO_ZPIPE) && defined(WIN32)	39	#if !defined(NO_ZPIPE) && defined(WIN32)
38	# define popen _popen	40	# define popen _popen
Lines 93-99 Link Here
93	XpmInfo *info;	95	XpmInfo *info;
94	{	96	{
95	xpmData mdata;	97	xpmData mdata;
96	char name, dot, *s, new_name[BUFSIZ];	98	char name, dot, *s, new_name[BUFSIZ] = {0};
97	int ErrorStatus;	99	int ErrorStatus;
98		100
99	/* open file to write */	101	/* open file to write */
Lines 112-118 Link Here
112	#endif	114	#endif
113	/* let's try to make a valid C syntax name */	115	/* let's try to make a valid C syntax name */
114	if (dot = index(name, '.')) {	116	if (dot = index(name, '.')) {
115	strcpy(new_name, name);	117	strncpy(new_name, name, sizeof(new_name));
		118	new_name[sizeof(new_name)-1] = 0;
116	/* change '.' to '_' */	119	/* change '.' to '_' */
117	name = s = new_name;	120	name = s = new_name;
118	while (dot = index(s, '.')) {	121	while (dot = index(s, '.')) {
Lines 122-128 Link Here
122	}	125	}
123	if (dot = index(name, '-')) {	126	if (dot = index(name, '-')) {
124	if (name != new_name) {	127	if (name != new_name) {
125	strcpy(new_name, name);	128	strncpy(new_name, name, sizeof(new_name));
		129	new_name[sizeof(new_name)-1] = 0;
126	name = new_name;	130	name = new_name;
127	}	131	}
128	/* change '-' to '_' */	132	/* change '-' to '_' */
Lines 239-245 Link Here
239	unsigned int x, y, h;	243	unsigned int x, y, h;
240		244
241	h = height - 1;	245	h = height - 1;
242	if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)	246	if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
243	return (XpmNoMemory);	247	return (XpmNoMemory);
244	p = buf = (char ) XpmMalloc(width cpp + 3);	248	p = buf = (char ) XpmMalloc(width cpp + 3);
245	if (!buf)	249	if (!buf)
Lines 291-296 Link Here
291	/*	295	/*
292	* open the given file to be written as an xpmData which is returned	296	* open the given file to be written as an xpmData which is returned
293	*/	297	*/
		298	#ifndef NO_ZPIPE
		299	FILE Xpms_popen(char cmd, const char *type);
		300	#else
		301	# define Xpms_popen popen
		302	#endif
294	static int	303	static int
295	OpenWriteFile(filename, mdata)	304	OpenWriteFile(filename, mdata)
296	char *filename;	305	char *filename;
Lines 306-321 Link Here
306	mdata->type = XPMFILE;	315	mdata->type = XPMFILE;
307	} else {	316	} else {
308	#ifndef NO_ZPIPE	317	#ifndef NO_ZPIPE
309	int len = strlen(filename);	318	size_t len = strlen(filename);
		319
		320	if(len == 0 \|\|
		321	filename[0] == '/' \|\|
		322	strstr(filename, "../") != NULL \|\|
		323	filename[len-1] == '/')
		324	return(XpmOpenFailed);
		325
310	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {	326	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
311	sprintf(buf, "compress > \"%s\"", filename);	327	snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
312	if (!(mdata->stream.file = popen(buf, "w")))	328	if (!(mdata->stream.file = Xpms_popen(buf, "w")))
313	return (XpmOpenFailed);	329	return (XpmOpenFailed);
314		330
315	mdata->type = XPMPIPE;	331	mdata->type = XPMPIPE;
316	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {	332	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
317	sprintf(buf, "gzip -q > \"%s\"", filename);	333	snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
318	if (!(mdata->stream.file = popen(buf, "w")))	334	if (!(mdata->stream.file = Xpms_popen(buf, "w")))
319	return (XpmOpenFailed);	335	return (XpmOpenFailed);
320		336
321	mdata->type = XPMPIPE;	337	mdata->type = XPMPIPE;
Lines 346-352 Link Here
346	break;	362	break;
347	#ifndef NO_ZPIPE	363	#ifndef NO_ZPIPE
348	case XPMPIPE:	364	case XPMPIPE:
349	pclose(mdata->stream.file);	365	fclose(mdata->stream.file);
350	break;	366	break;
351	#endif	367	#endif
352	}	368	}

Return to bug 78111

Lines 169-175 Link Here

(-)motif/lib/Xm/Imakefile (-2 / +4 lines)
169	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \	169	XpmCrBufFrP.c XpmCrPFrBuf.c XpmRdFToDat.c XpmWrFFrP.c Xpmrgb.c \
170	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \	170	XpmCrDatFrI.c XpmCrPFrDat.c XpmRdFToI.c Xpmcreate.c Xpmscan.c \
171	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \	171	XpmCrDatFrP.c XpmCrPFrI.c XpmRdFToP.c Xpmdata.c \
172	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c	172	XpmCrIFrBuf.c XpmImage.c XpmWrFFrBuf.c Xpmhashtab.c \
		173	Xpms_popen.c
173		174
174	#if UseLocalRegex	175	#if UseLocalRegex
175	REGEX_SRCS = regexp.c	176	REGEX_SRCS = regexp.c
Lines 232-238 Link Here
232	XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \	233	XpmCrBufFrP.o XpmCrPFrBuf.o XpmRdFToDat.o XpmWrFFrP.o Xpmrgb.o \
233	XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \	234	XpmCrDatFrI.o XpmCrPFrDat.o XpmRdFToI.o Xpmcreate.o Xpmscan.o \
234	XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \	235	XpmCrDatFrP.o XpmCrPFrI.o XpmRdFToP.o Xpmdata.o \
235	XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o	236	XpmCrIFrBuf.o XpmImage.o XpmWrFFrBuf.o Xpmhashtab.o \
		237	Xpms_popen.o
236		238
237	#if UseLocalRegex	239	#if UseLocalRegex
238	REGEX_OBJS = regexp.o	240	REGEX_OBJS = regexp.o

Line 0 Link Here

(-)motif/lib/Xm/Xpms_popen.c (+182 lines)
		1	/*
		2	* Copyright (C) 2004 The X.Org fundation
		3	*
		4	* Permission is hereby granted, free of charge, to any person
		5	* obtaining a copy of this software and associated documentation
		6	* files (the "Software"), to deal in the Software without
		7	* restriction, including without limitation the rights to use, copy,
		8	* modify, merge, publish, distribute, sublicense, and/or sell copies
		9	* of the Software, and to permit persons to whom the Software is fur-
		10	* nished to do so, subject to the following conditions:
		11	*
		12	* The above copyright notice and this permission notice shall be
		13	* included in all copies or substantial portions of the Software.
		14	*
		15	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
		16	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
		17	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
		18	* NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
		19	* ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
		20	* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
		21	* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
		22	*
		23	* Except as contained in this notice, the name of the X.Org fundation
		24	* shall not be used in advertising or otherwise to promote the sale,
		25	* use or other dealings in this Software without prior written
		26	* authorization from the X.Org fundation.
		27	*/
		28
		29	/*
		30	** This is a secure but NOT 100% compatible replacement for popen()
		31	** Note: - don't use pclose() use fclose() for closing the returned
		32	** filedesc.!!!
		33	**
		34	** Known Bugs: - unable to use i/o-redirection like > or <
		35	** Author: - Thomas Biege <thomas@suse.de>
		36	** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
		37	** calling strtok()
		38	*/
		39
		40	#include <sys/types.h>
		41	#include <sys/wait.h>
		42	#include <stdio.h>
		43	#include <stdlib.h>
		44	#include <unistd.h>
		45	#include <string.h>
		46	#include "XpmI.h"
		47
		48	#define __SEC_POPEN_TOKEN " "
		49
		50	FILE Xpms_popen(char cmd, const char *type)
		51	{
		52	pid_t pid;
		53	int pfd[2];
		54	int rpipe = 0, wpipe = 0, i;
		55	char **argv;
		56	char *ptr;
		57	char *cmdcpy;
		58
		59
		60	if(cmd == NULL \|\| cmd == "")
		61	return(NULL);
		62
		63	if(type[0] != 'r' && type[0] != 'w')
		64	return(NULL);
65
66	if ((cmdcpy = strdup(cmd)) == NULL)
67	return(NULL);
68
69	argv = NULL;
70	if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
71	{
72	free(cmdcpy);
73	return(NULL);
74	}
75
76	for(i = 0;; i++)
77	{
78	if( ( argv = (char *) realloc(argv, (i+1) sizeof(char *)) ) == NULL)
79	{
80	free(cmdcpy);
81	return(NULL);
82	}
83
84	if( ((argv+i) = (char ) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
85	{
86	free(cmdcpy);
87	return(NULL);
88	}
89
90	strcpy(argv[i], ptr);
91
92	if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
93	{
94	if( ( argv = (char *) realloc(argv, (i+2) sizeof(char *))) == NULL)
95	{
96	free(cmdcpy);
97	return(NULL);
98	}
99	argv[i+1] = NULL;
100	break;
101	}
102	}
103
104
105	if(type[0] == 'r')
106	rpipe = 1;
107	else
108	wpipe = 1;
109
110	if (pipe(pfd) < 0)
111	{
112	free(cmdcpy);
113	return(NULL);
114	}
115
116	if((pid = fork()) < 0)
117	{
118	close(pfd[0]);
119	close(pfd[1]);
120	free(cmdcpy);
121	return(NULL);
122	}
123
124	if(pid == 0) /* child */
125	{
126	if((pid = fork()) < 0)
127	{
128	close(pfd[0]);
129	close(pfd[1]);
130	free(cmdcpy);
131	return(NULL);
132	}
133	if(pid > 0)
134	{
135	exit(0); /* child nr. 1 exits */
136	}
137
138	/* child nr. 2 */
139	if(rpipe)
140	{
141	close(pfd[0]); /* close reading end, we don't need it */
142	dup2(STDOUT_FILENO, STDERR_FILENO);
143	if (pfd[1] != STDOUT_FILENO)
144	dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
145	}
146	else
147	{
148	close(pfd[1]); /* close writing end, we don't need it */
149	if (pfd[0] != STDIN_FILENO)
150	dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
151	}
152
153	if(strchr(argv[0], '/') == NULL)
154	execvp(argv[0], argv); /* search in $PATH */
155	else
156	execv(argv[0], argv);
157
158	close(pfd[0]);
159	close(pfd[1]);
160	free(cmdcpy);
161	return(NULL); /* exec failed.. ooops! */
162	}
163	else /* parent */
164	{
165	waitpid(pid, NULL, 0); /* wait for child nr. 1 */
166
167	if(rpipe)
168	{
169	close(pfd[1]);
170	free(cmdcpy);
171	return(fdopen(pfd[0], "r"));
172	}
173	else
174	{
175	close(pfd[0]);
176	free(cmdcpy);
177	return(fdopen(pfd[1], "w"));
178	}
179
180	}
181	}
182

Lines 36-56 Link Here

(-)motif/lib/Xm/XpmCrBufFrI.c (-27 / +75 lines)
36	* Developed by Arnaud Le Hors *	36	* Developed by Arnaud Le Hors *
37	\*****************************************************************************/	37	\*****************************************************************************/
38		38
		39	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		40
		41
39	#include "XpmI.h"	42	#include "XpmI.h"
40		43
41	LFUNC(WriteColors, int, (char *dataptr, unsigned int data_size,	44	LFUNC(WriteColors, int, (char *dataptr, unsigned int data_size,
42	unsigned int used_size, XpmColor colors,	45	unsigned int used_size, XpmColor colors,
43	unsigned int ncolors, unsigned int cpp));	46	unsigned int ncolors, unsigned int cpp));
44		47
45	LFUNC(WritePixels, void, (char dataptr, unsigned int used_size,	48	LFUNC(WritePixels, void, (char *dataptr, unsigned int data_size,
		49	unsigned int *used_size,
46	unsigned int width, unsigned int height,	50	unsigned int width, unsigned int height,
47	unsigned int cpp, unsigned int *pixels,	51	unsigned int cpp, unsigned int *pixels,
48	XpmColor *colors));	52	XpmColor *colors));
49		53
50	LFUNC(WriteExtensions, void, (char dataptr, unsigned int used_size,	54	LFUNC(WriteExtensions, void, (char *dataptr, unsigned int data_size,
		55	unsigned int *used_size,
51	XpmExtension *ext, unsigned int num));	56	XpmExtension *ext, unsigned int num));
52		57
53	LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));	58	LFUNC(ExtensionsSize, unsigned int, (XpmExtension *ext, unsigned int num));
54	LFUNC(CommentsSize, int, (XpmInfo *info));	59	LFUNC(CommentsSize, int, (XpmInfo *info));
55		60
56	int	61	int
Lines 93-103 Link Here
93		98
94	#undef RETURN	99	#undef RETURN
95	#define RETURN(status) \	100	#define RETURN(status) \
		101	do \
96	{ \	102	{ \
97	if (ptr) \	103	if (ptr) \
98	XpmFree(ptr); \	104	XpmFree(ptr); \
99	return(status); \	105	return(status); \
100	}	106	} while(0)
101		107
102	int	108	int
103	XpmCreateBufferFromXpmImage(buffer_return, image, info)	109	XpmCreateBufferFromXpmImage(buffer_return, image, info)
Lines 111-117 Link Here
111	unsigned int cmts, extensions, ext_size = 0;	117	unsigned int cmts, extensions, ext_size = 0;
112	unsigned int l, cmt_size = 0;	118	unsigned int l, cmt_size = 0;
113	char ptr = NULL, p;	119	char ptr = NULL, p;
114	unsigned int ptr_size, used_size;	120	unsigned int ptr_size, used_size, tmp;
115		121
116	*buffer_return = NULL;	122	*buffer_return = NULL;
117		123
Lines 133-139 Link Here
133	#ifdef VOID_SPRINTF	139	#ifdef VOID_SPRINTF
134	used_size = strlen(buf);	140	used_size = strlen(buf);
135	#endif	141	#endif
136	ptr_size = used_size + ext_size + cmt_size + 1;	142	ptr_size = used_size + ext_size + cmt_size + 1; /* ptr_size can't be 0 */
		143	if(ptr_size <= used_size \|\|
		144	ptr_size <= ext_size \|\|
		145	ptr_size <= cmt_size)
		146	{
		147	return XpmNoMemory;
		148	}
137	ptr = (char *) XpmMalloc(ptr_size);	149	ptr = (char *) XpmMalloc(ptr_size);
138	if (!ptr)	150	if (!ptr)
139	return XpmNoMemory;	151	return XpmNoMemory;
Lines 144-150 Link Here
144	#ifndef VOID_SPRINTF	156	#ifndef VOID_SPRINTF
145	used_size +=	157	used_size +=
146	#endif	158	#endif
147	sprintf(ptr + used_size, "/%s/\n", info->hints_cmt);	159	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->hints_cmt);
148	#ifdef VOID_SPRINTF	160	#ifdef VOID_SPRINTF
149	used_size += strlen(info->hints_cmt) + 5;	161	used_size += strlen(info->hints_cmt) + 5;
150	#endif	162	#endif
Lines 162-168 Link Here
162	#ifndef VOID_SPRINTF	174	#ifndef VOID_SPRINTF
163	l +=	175	l +=
164	#endif	176	#endif
165	sprintf(buf + l, " %d %d", info->x_hotspot, info->y_hotspot);	177	snprintf(buf + l, sizeof(buf)-l, " %d %d", info->x_hotspot, info->y_hotspot);
166	#ifdef VOID_SPRINTF	178	#ifdef VOID_SPRINTF
167	l = strlen(buf);	179	l = strlen(buf);
168	#endif	180	#endif
Lines 184-189 Link Here
184	l = strlen(buf);	196	l = strlen(buf);
185	#endif	197	#endif
186	ptr_size += l;	198	ptr_size += l;
		199	if(ptr_size <= l)
		200	RETURN(XpmNoMemory);
187	p = (char *) XpmRealloc(ptr, ptr_size);	201	p = (char *) XpmRealloc(ptr, ptr_size);
188	if (!p)	202	if (!p)
189	RETURN(XpmNoMemory);	203	RETURN(XpmNoMemory);
Lines 196-202 Link Here
196	#ifndef VOID_SPRINTF	210	#ifndef VOID_SPRINTF
197	used_size +=	211	used_size +=
198	#endif	212	#endif
199	sprintf(ptr + used_size, "/%s/\n", info->colors_cmt);	213	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->colors_cmt);
200	#ifdef VOID_SPRINTF	214	#ifdef VOID_SPRINTF
201	used_size += strlen(info->colors_cmt) + 5;	215	used_size += strlen(info->colors_cmt) + 5;
202	#endif	216	#endif
Lines 212-218 Link Here
212	* 4 = 1 (for '"') + 3 (for '",\n')	226	* 4 = 1 (for '"') + 3 (for '",\n')
213	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')	227	* 1 = - 2 (because the last line does not end with ',\n') + 3 (for '};\n')
214	*/	228	*/
215	ptr_size += image->height * (image->width * image->cpp + 4) + 1;	229	if(image->width > UINT_MAX / image->cpp \|\|
		230	(tmp = image->width * image->cpp + 4) <= 4 \|\|
		231	image->height > UINT_MAX / tmp \|\|
		232	(tmp = image->height * tmp + 1) <= 1 \|\|
		233	(ptr_size += tmp) <= tmp)
		234	RETURN(XpmNoMemory);
216		235
217	p = (char *) XpmRealloc(ptr, ptr_size);	236	p = (char *) XpmRealloc(ptr, ptr_size);
218	if (!p)	237	if (!p)
Lines 224-240 Link Here
224	#ifndef VOID_SPRINTF	243	#ifndef VOID_SPRINTF
225	used_size +=	244	used_size +=
226	#endif	245	#endif
227	sprintf(ptr + used_size, "/%s/\n", info->pixels_cmt);	246	snprintf(ptr + used_size, ptr_size-used_size, "/%s/\n", info->pixels_cmt);
228	#ifdef VOID_SPRINTF	247	#ifdef VOID_SPRINTF
229	used_size += strlen(info->pixels_cmt) + 5;	248	used_size += strlen(info->pixels_cmt) + 5;
230	#endif	249	#endif
231	}	250	}
232	WritePixels(ptr + used_size, &used_size, image->width, image->height,	251	WritePixels(ptr + used_size, ptr_size - used_size, &used_size, image->width, image->height,
233	image->cpp, image->data, image->colorTable);	252	image->cpp, image->data, image->colorTable);
234		253
235	/* print extensions */	254	/* print extensions */
236	if (extensions)	255	if (extensions)
237	WriteExtensions(ptr + used_size, &used_size,	256	WriteExtensions(ptr + used_size, ptr_size-used_size, &used_size,
238	info->extensions, info->nextensions);	257	info->extensions, info->nextensions);
239		258
240	/* close the array */	259	/* close the array */
Lines 245-250 Link Here
245	return (XpmSuccess);	264	return (XpmSuccess);
246	}	265	}
247		266
		267
248	static int	268	static int
249	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)	269	WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
250	char **dataptr;	270	char **dataptr;
Lines 254-260 Link Here
254	unsigned int ncolors;	274	unsigned int ncolors;
255	unsigned int cpp;	275	unsigned int cpp;
256	{	276	{
257	char buf[BUFSIZ];	277	char buf[BUFSIZ] = {0};
258	unsigned int a, key, l;	278	unsigned int a, key, l;
259	char s, s2;	279	char s, s2;
260	char **defaults;	280	char **defaults;
Lines 264-285 Link Here
264		284
265	defaults = (char **) colors;	285	defaults = (char **) colors;
266	s = buf + 1;	286	s = buf + 1;
		287	if(cpp > (sizeof(buf) - (s-buf)))
		288	return(XpmNoMemory);
267	strncpy(s, *defaults++, cpp);	289	strncpy(s, *defaults++, cpp);
268	s += cpp;	290	s += cpp;
269		291
270	for (key = 1; key <= NKEYS; key++, defaults++) {	292	for (key = 1; key <= NKEYS; key++, defaults++) {
271	if (s2 = *defaults) {	293	if ((s2 = *defaults)) {
272	#ifndef VOID_SPRINTF	294	#ifndef VOID_SPRINTF
273	s +=	295	s +=
274	#endif	296	#endif
275	sprintf(s, "\t%s %s", xpmColorKeys[key - 1], s2);	297	/* assume C99 compliance */
		298	snprintf(s, sizeof(buf) - (s-buf), "\t%s %s", xpmColorKeys[key - 1], s2);
276	#ifdef VOID_SPRINTF	299	#ifdef VOID_SPRINTF
277	s += strlen(s);	300	s += strlen(s);
278	#endif	301	#endif
		302	/* now let's check if s points out-of-bounds */
		303	if((s-buf) > sizeof(buf))
		304	return(XpmNoMemory);
279	}	305	}
280	}	306	}
		307	if(sizeof(buf) - (s-buf) < 4)
		308	return(XpmNoMemory);
281	strcpy(s, "\",\n");	309	strcpy(s, "\",\n");
282	l = s + 3 - buf;	310	l = s + 3 - buf;
		311	if( *data_size >= UINT_MAX-l \|\|
		312	data_size + l <= used_size \|\|
		313	(data_size + l - used_size) <= sizeof(buf))
		314	return(XpmNoMemory);
283	s = (char ) XpmRealloc(dataptr, *data_size + l);	315	s = (char ) XpmRealloc(dataptr, *data_size + l);
284	if (!s)	316	if (!s)
285	return (XpmNoMemory);	317	return (XpmNoMemory);
Lines 292-299 Link Here
292	}	324	}
293		325
294	static void	326	static void
295	WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)	327	WritePixels(dataptr, data_size, used_size, width, height, cpp, pixels, colors)
296	char *dataptr;	328	char *dataptr;
		329	unsigned int data_size;
297	unsigned int *used_size;	330	unsigned int *used_size;
298	unsigned int width;	331	unsigned int width;
299	unsigned int height;	332	unsigned int height;
Lines 304-330 Link Here
304	char *s = dataptr;	337	char *s = dataptr;
305	unsigned int x, y, h;	338	unsigned int x, y, h;
306		339
		340	if(height <= 1)
		341	return;
		342
307	h = height - 1;	343	h = height - 1;
308	for (y = 0; y < h; y++) {	344	for (y = 0; y < h; y++) {
309	*s++ = '"';	345	*s++ = '"';
310	for (x = 0; x < width; x++, pixels++) {	346	for (x = 0; x < width; x++, pixels++) {
311	strncpy(s, colors[*pixels].string, cpp);	347	if(cpp >= (data_size - (s-dataptr)))
		348	return;
		349	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? :-\ /
312	s += cpp;	350	s += cpp;
313	}	351	}
		352	if((data_size - (s-dataptr)) < 4)
		353	return;
314	strcpy(s, "\",\n");	354	strcpy(s, "\",\n");
315	s += 3;	355	s += 3;
316	}	356	}
317	/* duplicate some code to avoid a test in the loop */	357	/* duplicate some code to avoid a test in the loop */
318	*s++ = '"';	358	*s++ = '"';
319	for (x = 0; x < width; x++, pixels++) {	359	for (x = 0; x < width; x++, pixels++) {
320	strncpy(s, colors[*pixels].string, cpp);	360	if(cpp >= (data_size - (s-dataptr)))
		361	return;
		362	strncpy(s, colors[pixels].string, cpp); / how can we trust pixels? /
321	s += cpp;	363	s += cpp;
322	}	364	}
323	*s++ = '"';	365	*s++ = '"';
324	*used_size += s - dataptr;	366	*used_size += s - dataptr;
325	}	367	}
326		368
327	static int	369	static unsigned int
328	ExtensionsSize(ext, num)	370	ExtensionsSize(ext, num)
329	XpmExtension *ext;	371	XpmExtension *ext;
330	unsigned int num;	372	unsigned int num;
Lines 333-353 Link Here
333	char **line;	375	char **line;
334		376
335	size = 0;	377	size = 0;
		378	if(num == 0)
		379	return(0); /* ok? */
336	for (x = 0; x < num; x++, ext++) {	380	for (x = 0; x < num; x++, ext++) {
337	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */	381	/* 11 = 10 (for ',\n"XPMEXT ') + 1 (for '"') */
338	size += strlen(ext->name) + 11;	382	size += strlen(ext->name) + 11;
339	a = ext->nlines;	383	a = ext->nlines; /* how can we trust ext->nlines to be not out-of-bounds? */
340	for (y = 0, line = ext->lines; y < a; y++, line++)	384	for (y = 0, line = ext->lines; y < a; y++, line++)
341	/* 4 = 3 (for ',\n"') + 1 (for '"') */	385	/* 4 = 3 (for ',\n"') + 1 (for '"') */
342	size += strlen(*line) + 4;	386	size += strlen(*line) + 4;
343	}	387	}
344	/* 13 is for ',\n"XPMENDEXT"' */	388	/* 13 is for ',\n"XPMENDEXT"' */
		389	if(size > UINT_MAX - 13) /* unlikely */
		390	return(0);
345	return size + 13;	391	return size + 13;
346	}	392	}
347		393
348	static void	394	static void
349	WriteExtensions(dataptr, used_size, ext, num)	395	WriteExtensions(dataptr, data_size, used_size, ext, num)
350	char *dataptr;	396	char *dataptr;
		397	unsigned int data_size;
351	unsigned int *used_size;	398	unsigned int *used_size;
352	XpmExtension *ext;	399	XpmExtension *ext;
353	unsigned int num;	400	unsigned int num;
Lines 358-381 Link Here
358		405
359	for (x = 0; x < num; x++, ext++) {	406	for (x = 0; x < num; x++, ext++) {
360	#ifndef VOID_SPRINTF	407	#ifndef VOID_SPRINTF
361	s += 11 +	408	s +=
362	#endif	409	#endif
363	sprintf(s, ",\n\"XPMEXT %s\"", ext->name);	410	snprintf(s, data_size - (s-dataptr), ",\n\"XPMEXT %s\"", ext->name);
364	#ifdef VOID_SPRINTF	411	#ifdef VOID_SPRINTF
365	s += strlen(ext->name) + 11;	412	s += strlen(ext->name) + 11;
366	#endif	413	#endif
367	a = ext->nlines;	414	a = ext->nlines;
368	for (y = 0, line = ext->lines; y < a; y++, line++) {	415	for (y = 0, line = ext->lines; y < a; y++, line++) {
369	#ifndef VOID_SPRINTF	416	#ifndef VOID_SPRINTF
370	s += 4 +	417	s +=
371	#endif	418	#endif
372	sprintf(s, ",\n\"%s\"", *line);	419	snprintf(s, data_size - (s-dataptr), ",\n\"%s\"", *line);
373	#ifdef VOID_SPRINTF	420	#ifdef VOID_SPRINTF
374	s += strlen(*line) + 4;	421	s += strlen(*line) + 4;
375	#endif	422	#endif
376	}	423	}
377	}	424	}
378	strcpy(s, ",\n\"XPMENDEXT\"");	425	strncpy(s, ",\n\"XPMENDEXT\"", data_size - (s-dataptr)-1);
379	*used_size += s - dataptr + 13;	426	*used_size += s - dataptr + 13;
380	}	427	}
381		428
Lines 386-391 Link Here
386	int size = 0;	433	int size = 0;
387		434
388	/* 5 = 2 (for "/_") + 3 (for "_/\n") */	435	/* 5 = 2 (for "/_") + 3 (for "_/\n") */
		436	/* wrap possible but very unlikely */
389	if (info->hints_cmt)	437	if (info->hints_cmt)
390	size += 5 + strlen(info->hints_cmt);	438	size += 5 + strlen(info->hints_cmt);
391		439

Lines 139-151 Link Here

(-)motif/lib/Xm/Xpmhashtab.c (-3 / +3 lines)
139	unsigned int size = table->size;	139	unsigned int size = table->size;
140	xpmHashAtom t, p;	140	xpmHashAtom t, p;
141	int i;	141	int i;
142	int oldSize = size;	142	unsigned int oldSize = size;
143		143
144	t = atomTable;	144	t = atomTable;
145	HASH_TABLE_GROWS	145	HASH_TABLE_GROWS
146	table->size = size;	146	table->size = size;
147	table->limit = size / 3;	147	table->limit = size / 3;
148	if (size >= SIZE_MAX / sizeof(*atomTable))	148	if (size >= UINT_MAX / sizeof(*atomTable))
149	return (XpmNoMemory);	149	return (XpmNoMemory);
150	atomTable = (xpmHashAtom ) XpmMalloc(size sizeof(*atomTable));	150	atomTable = (xpmHashAtom ) XpmMalloc(size sizeof(*atomTable));
151	if (!atomTable)	151	if (!atomTable)
Lines 207-213 Link Here
207	table->size = INITIAL_HASH_SIZE;	207	table->size = INITIAL_HASH_SIZE;
208	table->limit = table->size / 3;	208	table->limit = table->size / 3;
209	table->used = 0;	209	table->used = 0;
210	if (table->size >= SIZE_MAX / sizeof(*atomTable))	210	if (table->size >= UINT_MAX / sizeof(*atomTable))
211	return (XpmNoMemory);	211	return (XpmNoMemory);
212	atomTable = (xpmHashAtom ) XpmMalloc(table->size sizeof(*atomTable));	212	atomTable = (xpmHashAtom ) XpmMalloc(table->size sizeof(*atomTable));
213	if (!atomTable)	213	if (!atomTable)

Lines 54-59 Link Here

(-)motif/lib/Xm/XpmI.h (+3 lines)
54	#define xpmatoui _Xmxpmatoui	54	#define xpmatoui _Xmxpmatoui
55	#define xpmDataTypes _XmxpmDataTypes	55	#define xpmDataTypes _XmxpmDataTypes
56	#define xpmColorKeys _XmxpmColorKeys	56	#define xpmColorKeys _XmxpmColorKeys
		57	#define Xpms_popen _Xms_popen
57		58
58	/* The following is the original XpmI.h header file,	59	/* The following is the original XpmI.h header file,
59	except that it includes XpmP.h instead of xpm.h */	60	except that it includes XpmP.h instead of xpm.h */
Lines 108-115 Link Here
108	* lets try to solve include files	109	* lets try to solve include files
109	*/	110	*/
110		111
		112	#include <sys/types.h>
111	#include <stdio.h>	113	#include <stdio.h>
112	#include <stdlib.h>	114	#include <stdlib.h>
		115	#include <limits.h>
113	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */	116	/* stdio.h doesn't declare popen on a Sequent DYNIX OS */
114	#ifdef sequent	117	#ifdef sequent
115	extern FILE *popen();	118	extern FILE *popen();

Lines 39-64 Link Here

(-)motif/lib/Xm/Xpmparse.c (-29 / +41 lines)
39	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	39	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
40	*/	40	*/
41		41
		42	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		43
42	#include "XpmI.h"	44	#include "XpmI.h"
43	#include <ctype.h>	45	#include <ctype.h>
44	#include <string.h>	46	#include <string.h>
45		47
46	#ifdef HAS_STRLCAT	48	#ifdef HAS_STRLCAT
47	# define STRLCAT(dst, src, dstsize) { \	49	# define STRLCAT(dst, src, dstsize) do { \
48	if (strlcat(dst, src, dstsize) >= (dstsize)) \	50	if (strlcat(dst, src, dstsize) >= (dstsize)) \
49	return (XpmFileInvalid); }	51	return (XpmFileInvalid); } while(0)
50	# define STRLCPY(dst, src, dstsize) { \	52	# define STRLCPY(dst, src, dstsize) do { \
51	if (strlcpy(dst, src, dstsize) >= (dstsize)) \	53	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
52	return (XpmFileInvalid); }	54	return (XpmFileInvalid); } while(0)
53	#else	55	#else
54	# define STRLCAT(dst, src, dstsize) { \	56	# define STRLCAT(dst, src, dstsize) do { \
55	if ((strlen(dst) + strlen(src)) < (dstsize)) \	57	if ((strlen(dst) + strlen(src)) < (dstsize)) \
56	strcat(dst, src); \	58	strcat(dst, src); \
57	else return (XpmFileInvalid); }	59	else return (XpmFileInvalid); } while(0)
58	# define STRLCPY(dst, src, dstsize) { \	60	# define STRLCPY(dst, src, dstsize) do { \
59	if (strlen(src) < (dstsize)) \	61	if (strlen(src) < (dstsize)) \
60	strcpy(dst, src); \	62	strcpy(dst, src); \
61	else return (XpmFileInvalid); }	63	else return (XpmFileInvalid); } while(0)
62	#endif	64	#endif
63		65
64	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,	66	LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
Lines 78-83 Link Here
78	/* function call in case of error, frees only locally allocated variables */	80	/* function call in case of error, frees only locally allocated variables */
79	#undef RETURN	81	#undef RETURN
80	#define RETURN(status) \	82	#define RETURN(status) \
		83	do \
81	{ \	84	{ \
82	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \	85	if (colorTable) xpmFreeColorTable(colorTable, ncolors); \
83	if (pixelindex) XpmFree(pixelindex); \	86	if (pixelindex) XpmFree(pixelindex); \
Lines 85-91 Link Here
85	if (colors_cmt) XpmFree(colors_cmt); \	88	if (colors_cmt) XpmFree(colors_cmt); \
86	if (pixels_cmt) XpmFree(pixels_cmt); \	89	if (pixels_cmt) XpmFree(pixels_cmt); \
87	return(status); \	90	return(status); \
88	}	91	} while(0)
89		92
90	/*	93	/*
91	* This function parses an Xpm file or data and store the found informations	94	* This function parses an Xpm file or data and store the found informations
Lines 183-189 Link Here
183	/*	186	/*
184	* parse extensions	187	* parse extensions
185	*/	188	*/
186	if (info && (info->valuemask & XpmReturnExtensions))	189	if (info && (info->valuemask & XpmReturnExtensions)) {
187	if (extensions) {	190	if (extensions) {
188	ErrorStatus = xpmParseExtensions(data, &info->extensions,	191	ErrorStatus = xpmParseExtensions(data, &info->extensions,
189	&info->nextensions);	192	&info->nextensions);
Lines 193-198 Link Here
193	info->extensions = NULL;	196	info->extensions = NULL;
194	info->nextensions = 0;	197	info->nextensions = 0;
195	}	198	}
		199	}
196		200
197	/*	201	/*
198	* store found informations in the XpmImage structure	202	* store found informations in the XpmImage structure
Lines 348-354 Link Here
348	char **defaults;	352	char **defaults;
349	int ErrorStatus;	353	int ErrorStatus;
350		354
351	if (ncolors >= SIZE_MAX / sizeof(XpmColor))	355	if (ncolors >= UINT_MAX / sizeof(XpmColor))
352	return (XpmNoMemory);	356	return (XpmNoMemory);
353	colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));	357	colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
354	if (!colorTable)	358	if (!colorTable)
Lines 361-367 Link Here
361	/*	365	/*
362	* read pixel value	366	* read pixel value
363	*/	367	*/
364	if (cpp >= SIZE_MAX - 1) {	368	if (cpp >= UINT_MAX - 1) {
365	xpmFreeColorTable(colorTable, ncolors);	369	xpmFreeColorTable(colorTable, ncolors);
366	return (XpmNoMemory);	370	return (XpmNoMemory);
367	}	371	}
Lines 430-436 Link Here
430	xpmFreeColorTable(colorTable, ncolors);	434	xpmFreeColorTable(colorTable, ncolors);
431	return (XpmFileInvalid);	435	return (XpmFileInvalid);
432	}	436	}
433	len = strlen(curbuf) + 1;	437	len = strlen(curbuf) + 1; /* integer overflow just theoretically possible */
434	s = defaults[curkey] = (char *) XpmMalloc(len);	438	s = defaults[curkey] = (char *) XpmMalloc(len);
435	if (!s) {	439	if (!s) {
436	xpmFreeColorTable(colorTable, ncolors);	440	xpmFreeColorTable(colorTable, ncolors);
Lines 449-455 Link Here
449	/*	453	/*
450	* read pixel value	454	* read pixel value
451	*/	455	*/
452	if (cpp >= SIZE_MAX - 1) {	456	if (cpp >= UINT_MAX - 1) {
453	xpmFreeColorTable(colorTable, ncolors);	457	xpmFreeColorTable(colorTable, ncolors);
454	return (XpmNoMemory);	458	return (XpmNoMemory);
455	}	459	}
Lines 494-500 Link Here
494	memcpy(s, curbuf, len);	498	memcpy(s, curbuf, len);
495	color->c_color = s;	499	color->c_color = s;
496	curbuf = '\0'; / reset curbuf */	500	curbuf = '\0'; / reset curbuf */
497	if (a < ncolors - 1)	501	if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
498	xpmNextString(data); /* get to the next string */	502	xpmNextString(data); /* get to the next string */
499	}	503	}
500	}	504	}
Lines 513-523 Link Here
513	xpmHashTable *hashtable;	517	xpmHashTable *hashtable;
514	unsigned int **pixels;	518	unsigned int **pixels;
515	{	519	{
516	unsigned int iptr, iptr2;	520	unsigned int iptr, iptr2 = NULL;
517	unsigned int a, x, y;	521	unsigned int a, x, y;
518		522
519	if ((height > 0 && width >= SIZE_MAX / height) \|\|	523	if ((height > 0 && width >= UINT_MAX / height) \|\|
520	width * height >= SIZE_MAX / sizeof(unsigned int))	524	width * height >= UINT_MAX / sizeof(unsigned int))
521	return XpmNoMemory;	525	return XpmNoMemory;
522	#ifndef FOR_MSW	526	#ifndef FOR_MSW
523	iptr2 = (unsigned int ) XpmMalloc(sizeof(unsigned int) width * height);	527	iptr2 = (unsigned int ) XpmMalloc(sizeof(unsigned int) width * height);
Lines 542-549 Link Here
542	{	546	{
543	unsigned short colidx[256];	547	unsigned short colidx[256];
544		548
545	if (ncolors > 256)	549	if (ncolors > 256) {
546	return (XpmFileInvalid);	550	return (XpmFileInvalid);
		551	XpmFree(iptr2); /* found by Egbert Eich */
		552	}
547		553
548	bzero((char )colidx, 256 sizeof(short));	554	bzero((char )colidx, 256 sizeof(short));
549	for (a = 0; a < ncolors; a++)	555	for (a = 0; a < ncolors; a++)
Lines 570-585 Link Here
570	{	576	{
571		577
572	/* free all allocated pointers at all exits */	578	/* free all allocated pointers at all exits */
573	#define FREE_CIDX {int f; for (f = 0; f < 256; f++) \	579	#define FREE_CIDX \
574	if (cidx[f]) XpmFree(cidx[f]);}	580	do \
		581	{ \
		582	int f; for (f = 0; f < 256; f++) \
		583	if (cidx[f]) XpmFree(cidx[f]); \
		584	} while(0)
575		585
576	/* array of pointers malloced by need */	586	/* array of pointers malloced by need */
577	unsigned short *cidx[256];	587	unsigned short *cidx[256];
578	int char1;	588	unsigned int char1;
579		589
580	bzero((char )cidx, 256 sizeof(unsigned short )); / init */	590	bzero((char )cidx, 256 sizeof(unsigned short )); / init */
581	for (a = 0; a < ncolors; a++) {	591	for (a = 0; a < ncolors; a++) {
582	char1 = colorTable[a].string[0];	592	char1 = (unsigned char) colorTable[a].string[0];
583	if (cidx[char1] == NULL) { /* get new memory */	593	if (cidx[char1] == NULL) { /* get new memory */
584	cidx[char1] = (unsigned short *)	594	cidx[char1] = (unsigned short *)
585	XpmCalloc(256, sizeof(unsigned short));	595	XpmCalloc(256, sizeof(unsigned short));
Lines 598-604 Link Here
598	int cc1 = xpmGetC(data);	608	int cc1 = xpmGetC(data);
599	if (cc1 > 0 && cc1 < 256) {	609	if (cc1 > 0 && cc1 < 256) {
600	int cc2 = xpmGetC(data);	610	int cc2 = xpmGetC(data);
601	if (cc2 > 0 && cc2 < 256 && cidx[cc1][cc2] != 0)	611	if (cc2 > 0 && cc2 < 256 && cidx[cc1] && cidx[cc1][cc2] != 0)
602	*iptr = cidx[cc1][cc2] - 1;	612	*iptr = cidx[cc1][cc2] - 1;
603	else {	613	else {
604	FREE_CIDX;	614	FREE_CIDX;
Lines 622-629 Link Here
622	char *s;	632	char *s;
623	char buf[BUFSIZ];	633	char buf[BUFSIZ];
624		634
625	if (cpp >= sizeof(buf))	635	if (cpp >= sizeof(buf)) {
626	return (XpmFileInvalid);	636	return (XpmFileInvalid);
		637	XpmFree(iptr2); /* found by Egbert Eich */
		638	}
627		639
628	buf[cpp] = '\0';	640	buf[cpp] = '\0';
629	if (USE_HASHTABLE) {	641	if (USE_HASHTABLE) {
Lines 633-639 Link Here
633	xpmNextString(data);	645	xpmNextString(data);
634	for (x = 0; x < width; x++, iptr++) {	646	for (x = 0; x < width; x++, iptr++) {
635	for (a = 0, s = buf; a < cpp; a++, s++)	647	for (a = 0, s = buf; a < cpp; a++, s++)
636	*s = xpmGetC(data);	648	s = xpmGetC(data); / int assigned to char, not a problem here */
637	slot = xpmHashSlot(hashtable, buf);	649	slot = xpmHashSlot(hashtable, buf);
638	if (!slot) { / no color matches */	650	if (!slot) { / no color matches */
639	XpmFree(iptr2);	651	XpmFree(iptr2);
Lines 647-653 Link Here
647	xpmNextString(data);	659	xpmNextString(data);
648	for (x = 0; x < width; x++, iptr++) {	660	for (x = 0; x < width; x++, iptr++) {
649	for (a = 0, s = buf; a < cpp; a++, s++)	661	for (a = 0, s = buf; a < cpp; a++, s++)
650	*s = xpmGetC(data);	662	s = xpmGetC(data); / int assigned to char, not a problem here */
651	for (a = 0; a < ncolors; a++)	663	for (a = 0; a < ncolors; a++)
652	if (!strcmp(colorTable[a].string, buf))	664	if (!strcmp(colorTable[a].string, buf))
653	break;	665	break;
Lines 702-708 Link Here
702	while (!notstart && notend) {	714	while (!notstart && notend) {
703	/* there starts an extension */	715	/* there starts an extension */
704	ext = (XpmExtension *)	716	ext = (XpmExtension *)
705	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension));	717	XpmRealloc(exts, (num + 1) * sizeof(XpmExtension)); /* can the loop be forced to iterate often enough to make "(num + 1) * sizeof(XpmExtension)" wrapping? */
706	if (!ext) {	718	if (!ext) {
707	XpmFree(string);	719	XpmFree(string);
708	XpmFreeExtensions(exts, num);	720	XpmFreeExtensions(exts, num);
Lines 739-745 Link Here
739	while ((notstart = strncmp("XPMEXT", string, 6))	751	while ((notstart = strncmp("XPMEXT", string, 6))
740	&& (notend = strncmp("XPMENDEXT", string, 9))) {	752	&& (notend = strncmp("XPMENDEXT", string, 9))) {
741	sp = (char **)	753	sp = (char **)
742	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char *));	754	XpmRealloc(ext->lines, (nlines + 1) * sizeof(char )); / can we iterate enough for a wrapping? */
743	if (!sp) {	755	if (!sp) {
744	XpmFree(string);	756	XpmFree(string);
745	ext->nlines = nlines;	757	ext->nlines = nlines;

Lines 38-49 Link Here

(-)motif/lib/Xm/Xpmscan.c (-14 / +17 lines)
38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94	38	* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
39	*/	39	*/
40		40
		41	/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
		42
41	#include "XpmI.h"	43	#include "XpmI.h"
42		44
43	#define MAXPRINTABLE 92 /* number of printable ascii chars	45	#define MAXPRINTABLE 92 /* number of printable ascii chars
44	* minus \ and " for string compat	46	* minus \ and " for string compat
45	* and ? to avoid ANSI trigraphs. */	47	* and ? to avoid ANSI trigraphs. */
46		48	/* " */
47	static char *printable =	49	static char *printable =
48	" .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\	50	" .XoO+@#$%&*=-;:>,<1234567890qwertyuipasdfghjklzxcvbnmMNBVCZ\
49	ASDFGHJKLPIUYTREWQ!~^/()_`'][{}\|";	51	ASDFGHJKLPIUYTREWQ!~^/()_`'][{}\|";
Lines 158-169 Link Here
158	/* function call in case of error, frees only locally allocated variables */	160	/* function call in case of error, frees only locally allocated variables */
159	#undef RETURN	161	#undef RETURN
160	#define RETURN(status) \	162	#define RETURN(status) \
		163	do \
161	{ \	164	{ \
162	if (pmap.pixelindex) XpmFree(pmap.pixelindex); \	165	if (pmap.pixelindex) XpmFree(pmap.pixelindex); \
163	if (pmap.pixels) XpmFree(pmap.pixels); \	166	if (pmap.pixels) XpmFree(pmap.pixels); \
164	if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \	167	if (colorTable) xpmFreeColorTable(colorTable, pmap.ncolors); \
165	return(status); \	168	return(status); \
166	}	169	} while(0)
167		170
168	/*	171	/*
169	* This function scans the given image and stores the found informations in	172	* This function scans the given image and stores the found informations in
Lines 184-190 Link Here
184	/* variables to return */	187	/* variables to return */
185	PixelsMap pmap;	188	PixelsMap pmap;
186	XpmColor *colorTable = NULL;	189	XpmColor *colorTable = NULL;
187	int ErrorStatus;	190	int ErrorStatus = 0;
188		191
189	/* calculation variables */	192	/* calculation variables */
190	unsigned int width = 0;	193	unsigned int width = 0;
Lines 221-235 Link Here
221	else	224	else
222	cpp = 0;	225	cpp = 0;
223		226
224	if ((height > 0 && width >= SIZE_MAX / height) \|\|	227	if ((height > 0 && width >= UINT_MAX / height) \|\|
225	width * height >= SIZE_MAX / sizeof(unsigned int))	228	width * height >= UINT_MAX / sizeof(unsigned int))
226	RETURN(XpmNoMemory);	229	RETURN(XpmNoMemory);
227	pmap.pixelindex =	230	pmap.pixelindex =
228	(unsigned int ) XpmCalloc(width height, sizeof(unsigned int));	231	(unsigned int ) XpmCalloc(width height, sizeof(unsigned int));
229	if (!pmap.pixelindex)	232	if (!pmap.pixelindex)
230	RETURN(XpmNoMemory);	233	RETURN(XpmNoMemory);
231		234
232	if (pmap.size >= SIZE_MAX / sizeof(Pixel))	235	if (pmap.size >= UINT_MAX / sizeof(Pixel))
233	RETURN(XpmNoMemory);	236	RETURN(XpmNoMemory);
234		237
235	pmap.pixels = (Pixel ) XpmMalloc(sizeof(Pixel) pmap.size);	238	pmap.pixels = (Pixel ) XpmMalloc(sizeof(Pixel) pmap.size);
Lines 287-293 Link Here
287	* color	290	* color
288	*/	291	*/
289		292
290	if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))	293	if (pmap.ncolors >= UINT_MAX / sizeof(XpmColor))
291	RETURN(XpmNoMemory);	294	RETURN(XpmNoMemory);
292	colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));	295	colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
293	if (!colorTable)	296	if (!colorTable)
Lines 336-342 Link Here
336		339
337	/* first get a character string */	340	/* first get a character string */
338	a = 0;	341	a = 0;
339	if (cpp >= SIZE_MAX - 1)	342	if (cpp >= UINT_MAX - 1)
340	return (XpmNoMemory);	343	return (XpmNoMemory);
341	if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))	344	if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
342	return (XpmNoMemory);	345	return (XpmNoMemory);
Lines 429-435 Link Here
429	}	432	}
430		433
431	/* first get character strings and rgb values */	434	/* first get character strings and rgb values */
432	if (ncolors >= SIZE_MAX / sizeof(XColor) \|\| cpp >= SIZE_MAX - 1)	435	if (ncolors >= UINT_MAX / sizeof(XColor) \|\| cpp >= UINT_MAX - 1)
433	return (XpmNoMemory);	436	return (XpmNoMemory);
434	xcolors = (XColor ) XpmMalloc(sizeof(XColor) ncolors);	437	xcolors = (XColor ) XpmMalloc(sizeof(XColor) ncolors);
435	if (!xcolors)	438	if (!xcolors)
Lines 586-592 Link Here
586	char *dst;	589	char *dst;
587	unsigned int *iptr;	590	unsigned int *iptr;
588	char *data;	591	char *data;
589	int x, y, i;	592	unsigned int x, y, i;
590	int bits, depth, ibu, ibpp, offset;	593	int bits, depth, ibu, ibpp, offset;
591	unsigned long lbt;	594	unsigned long lbt;
592	Pixel pixel, px;	595	Pixel pixel, px;
Lines 688-694 Link Here
688	unsigned char *addr;	691	unsigned char *addr;
689	unsigned char *data;	692	unsigned char *data;
690	unsigned int *iptr;	693	unsigned int *iptr;
691	int x, y;	694	unsigned int x, y;
692	unsigned long lbt;	695	unsigned long lbt;
693	Pixel pixel;	696	Pixel pixel;
694	int depth;	697	int depth;
Lines 753-759 Link Here
753	unsigned char *addr;	756	unsigned char *addr;
754	unsigned char *data;	757	unsigned char *data;
755	unsigned int *iptr;	758	unsigned int *iptr;
756	int x, y;	759	unsigned int x, y;
757	unsigned long lbt;	760	unsigned long lbt;
758	Pixel pixel;	761	Pixel pixel;
759	int depth;	762	int depth;
Lines 798-804 Link Here
798	{	801	{
799	unsigned int *iptr;	802	unsigned int *iptr;
800	unsigned char *data;	803	unsigned char *data;
801	int x, y;	804	unsigned int x, y;
802	unsigned long lbt;	805	unsigned long lbt;
803	Pixel pixel;	806	Pixel pixel;
804	int depth;	807	int depth;
Lines 831-837 Link Here
831	int (*storeFunc) ();	834	int (*storeFunc) ();
832	{	835	{
833	unsigned int *iptr;	836	unsigned int *iptr;
834	int x, y;	837	unsigned int x, y;
835	char *data;	838	char *data;
836	Pixel pixel;	839	Pixel pixel;
837	int xoff, yoff, offset, bpl;	840	int xoff, yoff, offset, bpl;