Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 56036 Details for
Bug 88742
media-gfx/xv: new jumbo patches include security fixes
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
quick patch for some issues
xv-various-sec.diff (text/plain), 12.69 KB, created by
Tavis Ormandy (RETIRED)
on 2005-04-11 15:37:30 UTC
(
hide
)
Description:
quick patch for some issues
Filename:
MIME Type:
Creator:
Tavis Ormandy (RETIRED)
Created:
2005-04-11 15:37:30 UTC
Size:
12.69 KB
patch
obsolete
>diff -ruN xv-3.10a.orig/xvbrowse.c xv-3.10a/xvbrowse.c >--- xv-3.10a.orig/xvbrowse.c 2005-04-11 17:55:47.000000000 +0100 >+++ xv-3.10a/xvbrowse.c 2005-04-11 22:37:27.000000000 +0100 >@@ -4950,7 +4950,18 @@ > > if (dstdir) { > #ifndef VMS /* we don't delete directories in VMS */ >- sprintf(buf, "rm -rf %s", dst); >+ char *x, *y, *name; >+ >+ x = name = (char *) malloc((5 * strlen(dst))+3);*x++ = 0x27; >+ for (y = dst; *y; ++y) { >+ if (0x27 == *y) { >+ strcpy(x, "'\"'\"'"); >+ x += strlen(x); >+ } else *x++ = *y; >+ } >+ strcpy (x, "'"); >+ sprintf(buf, "rm -rf %s", name); >+ free (name); > if (system(buf)) { /* okay, so it's cheating... */ > SetISTR(ISTR_WARNING, "Unable to remove directory %s", dst); > return 1; >diff -ruN xv-3.10a.orig/xv.c xv-3.10a/xv.c >--- xv-3.10a.orig/xv.c 2005-04-11 17:55:47.000000000 +0100 >+++ xv-3.10a/xv.c 2005-04-11 22:51:11.000000000 +0100 >@@ -2828,7 +2828,7 @@ > /* returns '1' on success, with name of uncompressed file in uncompname > returns '0' on failure */ > >- char namez[128], *fname, buf[512]; >+ char namez[128], *fname, buf[512], *tname; > > fname = name; > namez[0] = '\0'; >@@ -2871,11 +2871,27 @@ > #endif > > #ifndef VMS >- if (filetype == RFT_COMPRESS) >- sprintf(buf,"%s -c %s >%s", UNCOMPRESS, fname, uncompname); >+ if (filetype == RFT_COMPRESS || filetype == RFT_BZIP2) { >+ char *x, *y; >+ >+ x = tname = (char *) malloc((5 * strlen(fname))+3);*x++ = 0x27; >+ for (y = fname; *y; ++y) { >+ if (0x27 == *y) { >+ strcpy(x, "'\"'\"'"); >+ x += strlen(x); >+ } else *x++ = *y; >+ } >+ strcpy (x, "'"); >+ } >+ if (filetype == RFT_COMPRESS) { >+ sprintf(buf,"%s -c %s >%s", UNCOMPRESS, tname, uncompname); >+ free (tname); >+ } > # ifdef BUNZIP2 >- else if (filetype == RFT_BZIP2) >- sprintf(buf,"%s -c %s >%s", BUNZIP2, fname, uncompname); >+ else if (filetype == RFT_BZIP2) { >+ sprintf(buf,"%s -c %s >%s", BUNZIP2, tname, uncompname); >+ free (tname); >+ } > # endif > #else /* it IS VMS */ > # ifdef GUNZIP >Files xv-3.10a.orig/xv.core and xv-3.10a/xv.core differ >Files xv-3.10a.orig/.xvgam.c.swp and xv-3.10a/.xvgam.c.swp differ >diff -ruN xv-3.10a.orig/xvpds.c xv-3.10a/xvpds.c >--- xv-3.10a.orig/xvpds.c 2005-04-11 17:55:45.000000000 +0100 >+++ xv-3.10a/xvpds.c 2005-04-11 20:53:31.000000000 +0100 >@@ -191,7 +191,7 @@ > > count=0; > bp=buff; >- while (1) { >+ while (count<MAX_SIZE) { > c=fgetc(f); > switch (c) { > >@@ -210,6 +210,7 @@ > default: count++; *bp++ = c; > } > } >+ return (count); > } > > >@@ -397,7 +398,7 @@ > > if (strcmp(scanbuff,"END") == 0) { > break; >- } else if (sscanf(scanbuff," RECORD_TYPE = %s",rtbuff) == 1) { >+ } else if (sscanf(scanbuff," RECORD_TYPE = %62s",rtbuff) == 1) { > if (strncmp(rtbuff,"VARIABLE_LENGTH", (size_t) 15) == 0) { > /* itype=PDSVARIABLE; */ > } else if (strncmp(rtbuff,"FIXED_LENGTH", (size_t) 12) == 0) { >@@ -416,7 +417,7 @@ > if (irecsize == 0) irecsize=recsize; > lastwasinote=FALSE; > continue; >- } else if (sscanf(scanbuff," FILE_TYPE = %s", rtbuff) != 0) { >+ } else if (sscanf(scanbuff," FILE_TYPE = %62s", rtbuff) != 0) { > lastwasinote=FALSE; > if (strncmp(rtbuff,"IMAGE", (size_t) 5) == 0) { > isimage=TRUE; >@@ -445,85 +446,85 @@ > lastwasinote=FALSE; continue; > } else if (sscanf(scanbuff," SAMPLE_BITS = %d", &samplesize) == 1) { > lastwasinote=FALSE; continue; >- } else if (sscanf(scanbuff," SAMPLE_TYPE = %s", sampletype) == 1) { >+ } else if (sscanf(scanbuff," SAMPLE_TYPE = %50s", sampletype) == 1) { > lastwasinote=FALSE; continue; >- } else if (sscanf(scanbuff," SPACECRAFT_NAME = %s %s", >+ } else if (sscanf(scanbuff," SPACECRAFT_NAME = %50s %1020s", > spacecraft,garbage) == 2 ) { >- strcat(spacecraft,xv_strstr(scanbuff, spacecraft)+strlen(spacecraft)); >+ if (strlen (spacecraft) + strlen (xv_strstr(scanbuff, spacecraft)+strlen(spacecraft)) < COMMENTSIZE-2) >+ strcat(spacecraft,xv_strstr(scanbuff, spacecraft)+strlen(spacecraft)); > lastwasinote=FALSE; continue; >- } else if (sscanf(scanbuff," SPACECRAFT_NAME = %s", spacecraft) == 1) { >+ } else if (sscanf(scanbuff," SPACECRAFT_NAME = %50s", spacecraft) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," TARGET_NAME = %s", target) == 1) { >+ } else if (sscanf(scanbuff," TARGET_NAME = %50s", target) == 1) { > lastwasinote=FALSE; continue; >- } else if (sscanf(scanbuff," TARGET_BODY = %s", target) == 1) { >+ } else if (sscanf(scanbuff," TARGET_BODY = %50s", target) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," MISSION_PHASE_NAME = %s", mphase) == 1) { >+ } else if (sscanf(scanbuff," MISSION_PHASE_NAME = %50s", mphase) == 1) { > lastwasinote=FALSE; continue; >- } else if (sscanf(scanbuff," MISSION_PHASE = %s", mphase) == 1) { >+ } else if (sscanf(scanbuff," MISSION_PHASE = %50s", mphase) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_NAME = %s", iname) == 1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_NAME = %50s", iname) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," GAIN_MODE_ID = %s", gainmode) == 1) { >+ } else if (sscanf(scanbuff," GAIN_MODE_ID = %50s", gainmode) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_GAIN_STATE = %s",gainmode)==1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_GAIN_STATE = %50s", gainmode)==1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," EDIT_MODE_ID = %s", editmode) == 1) { >+ } else if (sscanf(scanbuff," EDIT_MODE_ID = %50s", editmode) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_EDIT_MODE = %s", editmode)==1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_EDIT_MODE = %50s", editmode)==1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," SCAN_MODE_ID = %s", scanmode) == 1) { >+ } else if (sscanf(scanbuff," SCAN_MODE_ID = %50s", scanmode) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_SCAN_RATE = %s", scanmode)==1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_SCAN_RATE = %50s", scanmode)==1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," SHUTTER_MODE_ID = %s", shuttermode) == 1) { >+ } else if (sscanf(scanbuff," SHUTTER_MODE_ID = %50s", shuttermode) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_SHUTTER_MODE = %s", >- shuttermode) == 1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_SHUTTER_MODE = %50s", shuttermode) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," SCAN_MODE_ID = %s", scanmode) == 1) { >+ } else if (sscanf(scanbuff," SCAN_MODE_ID = %50s", scanmode) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_SCAN_RATE = %s", scanmode)==1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_SCAN_RATE = %50s", scanmode)==1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," SPACECRAFT_EVENT_TIME = %s", itime) == 1) { >+ } else if (sscanf(scanbuff," SPACECRAFT_EVENT_TIME = %50s", itime) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," IMAGE_TIME = %s", itime) == 1) { >+ } else if (sscanf(scanbuff," IMAGE_TIME = %50s", itime) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," FILTER_NAME = %s", filtname) == 1) { >+ } else if (sscanf(scanbuff," FILTER_NAME = %50s", filtname) == 1) { > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff," INSTRUMENT_FILTER_NAME = %s",filtname)==1) { >+ } else if (sscanf(scanbuff," INSTRUMENT_FILTER_NAME = %50s", filtname)==1) { > lastwasinote=FALSE; continue; > >- } else if ((sscanf(scanbuff," EXPOSURE_DURATION = %s", exposure) == 1) >- || (sscanf(scanbuff," INSTRUMENT_EXPOSURE_DURATION = %s", >+ } else if ((sscanf(scanbuff," EXPOSURE_DURATION = %50s", exposure) == 1) >+ || (sscanf(scanbuff," INSTRUMENT_EXPOSURE_DURATION = %50s", > exposure) == 1)) { > tmptmp = (char *) index(scanbuff,'='); > tmptmp++; > while((*tmptmp) == ' ') > tmptmp++; >- strcpy(exposure,tmptmp); >+ strncpy(exposure,tmptmp,COMMENTSIZE); > lastwasinote=FALSE; continue; > >- } else if (sscanf(scanbuff, "NOTE = %s", inote) == 1) { >+ } else if (sscanf(scanbuff, "NOTE = %1000s", inote) == 1) { > tmptmp = (char *) index(scanbuff,'='); tmptmp++; > while (((*tmptmp) == ' ') || ((*tmptmp) == '"')) tmptmp++; >- strcpy(inote,tmptmp); >+ strncpy(inote,tmptmp,sizeof(inote)-2); > strcat(inote," "); > > /* evil and somewhat risky: A "note" (really, any textual >@@ -548,7 +549,7 @@ > } else if (lastwasinote) { > tmptmp=scanbuff; > while (((*tmptmp) == ' ') || ((*tmptmp) == '"')) tmptmp++; >- strcat(inote,tmptmp); >+ strncat(inote,tmptmp,sizeof(inote)-strlen(inote)-2); > strcat(inote," "); > if (index(tmptmp,'"') != NULL) > lastwasinote=FALSE; >@@ -650,24 +651,25 @@ > strcat(infobuff,spacecraft); > } > >- if (*target) { >+ if (*target && (strlen(infobuff)+strlen(target)+2 < sizeof (infobuff))) { > strcat(infobuff,", "); > strcat(infobuff,target); > } > >- if (*filtname) { >+ if (*filtname && (strlen(infobuff)+strlen(filtname)+2 < sizeof (infobuff))) { > strcat(infobuff,", "); > strcat(infobuff,filtname); > } > >- if (*itime) { >+ if (*itime && (strlen(infobuff)+strlen(itime)+2 < sizeof (infobuff))) { > strcat(infobuff,", "); > strcat(infobuff,itime); > } > >- SetISTR(ISTR_WARNING,infobuff); >+ /* OUCH! */ >+ SetISTR(ISTR_WARNING,"%s",infobuff); > >- strcpy(pdsuncompfname,fname); >+ strncpy(pdsuncompfname,fname, sizeof(pdsuncompfname)); > ftypstr = ""; > > switch (itype) { >@@ -823,25 +825,25 @@ > char tmp[256]; > *(pinfo->comment) = '\0'; > >- sprintf(tmp, "Spacecraft: %-28sTarget: %-32s\n", spacecraft, target); >+ snprintf(tmp, sizeof (tmp), "Spacecraft: %-28sTarget: %-32s\n", spacecraft, target); > strcat(pinfo->comment, tmp); > >- sprintf(tmp, "Filter: %-32sMission phase: %-24s\n", filtname, mphase); >+ snprintf(tmp, sizeof (tmp), "Filter: %-32sMission phase: %-24s\n", filtname, mphase); > strcat(pinfo->comment, tmp); > >- sprintf(tmp, "Image time: %-28sGain mode: %-29s\n", itime, gainmode); >+ snprintf(tmp, sizeof (tmp), "Image time: %-28sGain mode: %-29s\n", itime, gainmode); > strcat(pinfo->comment, tmp); > >- sprintf(tmp, "Edit mode: %-29sScan mode: %-29s\n", editmode, scanmode); >+ snprintf(tmp, sizeof (tmp), "Edit mode: %-29sScan mode: %-29s\n", editmode, scanmode); > strcat(pinfo->comment, tmp); > >- sprintf(tmp, "Exposure: %-30sShutter mode: %-25s\n", exposure,shuttermode); >+ snprintf(tmp, sizeof (tmp), "Exposure: %-30sShutter mode: %-25s\n", exposure,shuttermode); > strcat(pinfo->comment, tmp); > >- sprintf(tmp, "Instrument: %-28sImage time: %-28s\n", iname, itime); >+ snprintf(tmp, sizeof (tmp), "Instrument: %-28sImage time: %-28s\n", iname, itime); > strcat(pinfo->comment, tmp); > >- sprintf(tmp, "Image Note: %-28s", inote); >+ snprintf(tmp, sizeof (tmp), "Image Note: %-28s", inote); > strcat(pinfo->comment, tmp); > } > >diff -ruN xv-3.10a.orig/xvps.c xv-3.10a/xvps.c >--- xv-3.10a.orig/xvps.c 2005-04-11 17:55:47.000000000 +0100 >+++ xv-3.10a/xvps.c 2005-04-11 21:51:27.000000000 +0100 >@@ -1629,14 +1629,26 @@ > > > do { >- buildCmdStr(cmdstr, gscmd, fname, quick, epsf); >+ char *x, *y, *name; > >+ x = name = (char *) malloc((5 * strlen(fname))+3);*x++ = 0x27; >+ for (y = fname; *y; ++y) { >+ if (0x27 == *y) { >+ strcpy(x, "'\"'\"'"); >+ x += strlen(x); >+ } else *x++ = *y; >+ } >+ strcpy (x, "'"); >+ >+ buildCmdStr(cmdstr, gscmd, name, quick, epsf); >+ free (name); > if (DEBUG) fprintf(stderr,"LoadPS: executing command '%s'\n", cmdstr); > SetISTR(ISTR_INFO, "Running '%s'...", GS_PATH); > sprintf(tmp, "Running %s", cmdstr); > if (doalert && epsf==0) OpenAlert(tmp); /* open alert first time only */ > > WaitCursor(); >+ > gsresult = system(cmdstr); > WaitCursor(); > #ifdef VMS >@@ -1741,10 +1753,10 @@ > > #ifndef VMS > >- if (epsf) sprintf(str, "echo '\n showpage ' | cat '%s' - | %s -", >+ if (epsf) sprintf(str, "echo '\n showpage ' | cat %s - | %s -", > fname, gscmd); > >- else if (quick) sprintf(str, "echo '%s' | cat - '%s' | %s -", >+ else if (quick) sprintf(str, "echo '%s' | cat - %s | %s -", > "/showpage { showpage quit } bind def", > fname, gscmd); > >diff -ruN xv-3.10a.orig/xvtiff.c xv-3.10a/xvtiff.c >--- xv-3.10a.orig/xvtiff.c 2005-04-11 17:55:47.000000000 +0100 >+++ xv-3.10a/xvtiff.c 2005-04-11 17:59:13.000000000 +0100 >@@ -512,7 +512,7 @@ > vsprintf(cp, fmt, ap); > strcat(cp, "."); > >- SetISTR(ISTR_WARNING,buf); >+ SetISTR(ISTR_WARNING,"%s",buf); > > error_occurred = 1; > } >@@ -536,7 +536,7 @@ > vsprintf(cp, fmt, ap); > strcat(cp, "."); > >- SetISTR(ISTR_WARNING,buf); >+ SetISTR(ISTR_WARNING,"%s",buf); > } > >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=56036">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 88742
:
56036
|
56161
