pkgsrc/graphics/gdk-pixbuf/patches/patch-am
salo 11ee09f4bd Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186:
"io-xpm.c in the gdk-pixbuf XPM image rendering library allows attackers
to cause a denial of service (infinite loop) via a crafted XPM image
with a large number of colors."

"Integer overflow in io-xpm.c in gdk-pixbuf allows attackers to cause a
denial of service (crash) or execute arbitrary code via an XPM file with
large height, width, and colour values, a different vulnerability than
CVE-2005-3186."

"Integer overflow in the gdk-pixbuf XPM image rendering library allows
attackers to execute arbitrary code via an XPM file with a number of
colors that causes insufficient memory to be allocated, which leads to
a heap-based buffer overflow."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
2005-11-26 09:40:49 +00:00


$NetBSD: patch-am,v 1.1 2005/11/26 09:40:49 salo Exp $
Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186.
--- gdk-pixbuf/io-xpm.c.orig 2001-03-01 21:16:28.000000000 +0100
+++ gdk-pixbuf/io-xpm.c 2005-11-26 10:22:24.000000000 +0100
@@ -243,8 +243,8 @@ xpm_extract_color (const gchar *buffer)
break;
else {
if (numnames > 0) {
- space -= 1;
- strcat (color, " ");
+ strncat (color, " ", space);
+ space -= MIN (space, 1);
}
strncat (color, temp, space);
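Review bot: The new `strncat (color, " ", space)` is only safe if `space` counts the characters that may still be appended excluding the terminator, i.e. it must start at `sizeof color - 1`, not `sizeof color`; that initialization is outside this hunk, so it should be confirmed, because with a full buffer strncat writes the NUL one byte past the bound it is given. Moving the decrement after the append is the right ordering: the old `space -= 1` before `strcat` could drive a signed `space` negative, and the following `strncat (color, temp, space)` would then receive a huge `size_t` bound. `space` also has to be reduced by whatever that trailing `strncat (color, temp, space)` appends, which I take to be handled in the lines below the hunk. xpm_extract_color's body continues outside the hunk.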
@@ -281,7 +281,8 @@ file_buffer (enum buf_op op, gpointer ha
/* Fall through to the xpm_read_string. */
case op_body:
- xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
+ if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
+ return NULL;
return h->buffer;
default:
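Review bot: `if(!xpm_read_string (...))` drops the space after `if` that the rest of the file uses while keeping the space before the call parenthesis, so the added line reads inconsistently; `if (!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))` matches the surrounding style. Returning NULL from the `op_body` case is only safe because every consumer of `(*get_buf) (op_body, handle)` must test the result before calling `strlen` on it; that check lives in `pixbuf_create_from_xpm` outside this hunk and should be confirmed rather than assumed. file_buffer's switch continues outside the hunk.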
@@ -317,13 +318,6 @@ mem_buffer (enum buf_op op, gpointer han
return NULL;
}
-/* Destroy notification function for the pixbuf */
-static void
-free_buffer (guchar *pixels, gpointer data)
-{
- free (pixels);
-}
-
static gboolean
xpm_color_parse (const char *spec, XColor *color)
{
@@ -342,7 +336,8 @@ pixbuf_create_from_xpm (const gchar * (*
gchar pixel_str[32];
GHashTable *color_hash;
_XPMColor *colors, *color, *fallbackcolor;
- guchar *pixels, *pixtmp;
+ guchar *pixtmp;
+ GdkPixbuf* pixbuf;
fallbackcolor = NULL;
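Review bot: `GdkPixbuf* pixbuf;` binds the `*` to the type where the neighbouring declaration `guchar *pixtmp;` and the rest of the list bind it to the variable; `GdkPixbuf *pixbuf;` keeps the declarations consistent. The same spacing point applies to the later `gdk_pixbuf_new(` call, which omits the space before the parenthesis that every other call in these hunks has. The declaration list continues outside the hunk.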
@@ -352,17 +347,31 @@ pixbuf_create_from_xpm (const gchar * (*
return NULL;
}
sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
- if (cpp >= 32) {
+ if (cpp <= 0 || cpp >= 32) {
g_warning ("XPM has more than 31 chars per pixel.");
return NULL;
}
+ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) ||
+ n_col >= G_MAXINT / sizeof (_XPMColor)) {
+ g_warning ("XPM file has invalid number of colors.");
+ return NULL;
+ }
/* The hash is used for fast lookups of color from chars */
color_hash = g_hash_table_new (g_str_hash, g_str_equal);
name_buf = g_new (gchar, n_col * (cpp + 1));
- colors = g_new (_XPMColor, n_col);
-
+ if (!name_buf) {
+ g_warning ("Cannot allocate memory for loading XPM image.");
+ g_hash_table_destroy (color_hash);
+ return NULL;
+ }
+ colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col);
+ if (!colors) {
+ g_warning ("Cannot allocate memory for loading XPM image.");
+ g_hash_table_destroy (color_hash);
+ return NULL;
+ }
for (cnt = 0; cnt < n_col; cnt++) {
gchar *color_name;
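Review bot: The `if (!name_buf)` and `if (!colors)` branches can never be taken as written, because `g_new` and `g_malloc` abort the process on allocation failure instead of returning NULL; with the `n_col` bounds above them an oversized request is already refused, so the branches are dead unless the allocations are switched to `g_try_malloc` (GLib 2.0 and later), e.g. `colors = g_try_malloc (sizeof (_XPMColor) * n_col);` with the matching change for `name_buf`. The `(_XPMColor *)` cast on the result is unnecessary in C. The `sscanf` on the context line above is still unchecked; if it parses fewer than four fields the four variables keep whatever they held before, so `if (sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp) != 4)` followed by a warning and `return NULL` is a cheap guard. The widened `cpp <= 0 || cpp >= 32` test still logs "XPM has more than 31 chars per pixel." for a zero or negative value, which will mislead whoever reads the warning. pixbuf_create_from_xpm continues outside this hunk.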
@@ -397,12 +406,8 @@ pixbuf_create_from_xpm (const gchar * (*
fallbackcolor = color;
}
- if (is_trans)
- pixels = malloc (w * h * 4);
- else
- pixels = malloc (w * h * 3);
-
- if (!pixels) {
+ pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h);
+ if (!pixbuf) {
g_hash_table_destroy (color_hash);
g_free (colors);
g_free (name_buf);
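Review bot: Replacing `malloc (w * h * 4)` with `gdk_pixbuf_new (..., w, h)` only removes the CVE-2005-2976 overflow if `gdk_pixbuf_new` itself refuses a `width * channels` or `height * rowstride` product that wraps; that function is not part of this patch, so either confirm it is hardened in a sibling patch or reject oversized dimensions here before the call, e.g. `if (w <= 0 || h <= 0 || w > G_MAXINT / 4 || h > G_MAXINT / (w * 4)) return NULL;` preceded by the same hash-table and buffer cleanup the `!pixbuf` branch performs. The same unchecked `w` also feeds `wbytes = w * cpp` in the following hunk. The enclosing function continues on both sides of this hunk.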
@@ -410,7 +415,7 @@ pixbuf_create_from_xpm (const gchar * (*
}
wbytes = w * cpp;
- pixtmp = pixels;
+ pixtmp = pixbuf->pixels;
for (ycnt = 0; ycnt < h; ycnt++) {
buffer = (*get_buf) (op_body, handle);
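Review bot: `pixtmp = pixbuf->pixels;` is set once before the row loop, yet the buffer obtained from `gdk_pixbuf_new` is laid out with the library's rowstride, which may be padded beyond the tight `w * 3` / `w * 4` that the removed `gdk_pixbuf_new_from_data` call used to declare; if the loop body advances `pixtmp` only by the bytes it writes (the body is outside this hunk), RGB rows whose width is not a multiple of four land at the wrong offsets and the padding bytes are left uninitialized. Re-seating the cursor per row, `pixtmp = pixbuf->pixels + ycnt * pixbuf->rowstride;` as the first statement inside the `for`, fixes that and also stops a skipped row (the short-line `continue` path) from shifting every later row upward. Prefer `gdk_pixbuf_get_pixels`/`gdk_pixbuf_get_rowstride` over reading the struct fields directly if this version of the library exports them.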
@@ -443,9 +448,7 @@ pixbuf_create_from_xpm (const gchar * (*
g_free (colors);
g_free (name_buf);
- return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
- w, h, is_trans ? (w * 4) : (w * 3),
- free_buffer, NULL);
+ return pixbuf;
}
/* Shared library entry point for file loading */