59 lines
1.7 KiB
Text
59 lines
1.7 KiB
Text
$NetBSD: patch-be,v 1.1 2004/12/18 00:39:31 tron Exp $
|
|
|
|
--- lib/Xm/Xpmcreate.c.orig 2000-04-28 16:05:21.000000000 +0100
|
|
+++ lib/Xm/Xpmcreate.c 2004-12-17 23:28:32.000000000 +0000
|
|
@@ -1,4 +1,5 @@
|
|
/* $XConsortium: Xpmcreate.c /main/8 1996/09/20 08:15:02 pascale $ */
|
|
+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
|
|
/*
|
|
* Copyright (C) 1989-95 GROUPE BULL
|
|
*
|
|
@@ -799,6 +800,9 @@
|
|
|
|
ErrorStatus = XpmSuccess;
|
|
|
|
+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
|
|
+ return (XpmNoMemory);
|
|
+
|
|
/* malloc pixels index tables */
|
|
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
|
|
if (!image_pixels)
|
|
@@ -942,6 +946,8 @@
|
|
return (XpmNoMemory);
|
|
|
|
#ifndef FOR_MSW
|
|
+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
|
|
+ return XpmNoMemory;
|
|
/* now that bytes_per_line must have been set properly alloc data */
|
|
(*image_return)->data =
|
|
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
|
|
@@ -1987,6 +1993,9 @@
|
|
xpmGetCmt(data, &colors_cmt);
|
|
|
|
/* malloc pixels index tables */
|
|
+ if (ncolors >= SIZE_MAX / sizeof(Pixel))
|
|
+ return XpmNoMemory;
|
|
+
|
|
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
|
|
if (!image_pixels)
|
|
RETURN(XpmNoMemory);
|
|
@@ -2200,6 +2209,9 @@
|
|
{
|
|
unsigned short colidx[256];
|
|
|
|
+ if (ncolors > 256)
|
|
+ return (XpmFileInvalid);
|
|
+
|
|
bzero((char *)colidx, 256 * sizeof(short));
|
|
for (a = 0; a < ncolors; a++)
|
|
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
|
|
@@ -2298,6 +2310,9 @@
|
|
char *s;
|
|
char buf[BUFSIZ];
|
|
|
|
+ if (cpp >= sizeof(buf))
|
|
+ return (XpmFileInvalid);
|
|
+
|
|
buf[cpp] = '\0';
|
|
if (USE_HASHTABLE) {
|
|
xpmHashAtom *slot;
|