b874ab977f
"Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to execute arbitrary code via certain image files." (1.9.15 is also affected) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026 Patch from Pavel Kankovsky.
97 lines
2.4 KiB
Text
97 lines
2.4 KiB
Text
$NetBSD: patch-am,v 1.1 2004/12/10 09:30:42 salo Exp $
|
|
|
|
--- gdk_imlib/io-xpm.c.orig 2002-03-04 18:06:29.000000000 +0100
|
|
+++ gdk_imlib/io-xpm.c 2004-12-10 10:00:56.000000000 +0100
|
|
@@ -40,8 +40,12 @@
|
|
context = 0;
|
|
i = j = 0;
|
|
cmap = NULL;
|
|
+ memset(lookup, 0, sizeof(lookup));
|
|
|
|
line = malloc(lsz);
|
|
+ if (!line)
|
|
+ return NULL;
|
|
+
|
|
while (!done)
|
|
{
|
|
pc = c;
|
|
@@ -70,25 +74,25 @@
|
|
{
|
|
/* Header */
|
|
sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
|
|
- if (ncolors > 32766)
|
|
+ if (ncolors <= 0 || ncolors > 32766)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
|
|
free(line);
|
|
return NULL;
|
|
}
|
|
- if (cpp > 5)
|
|
+ if (cpp <= 0 || cpp > 5)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
|
|
free(line);
|
|
return NULL;
|
|
}
|
|
- if (*w > 32767)
|
|
+ if (*w <= 0 || *w > 32767)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
|
|
free(line);
|
|
return NULL;
|
|
}
|
|
- if (*h > 32767)
|
|
+ if (*h <= 0 || *h > 32767)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
|
|
free(line);
|
|
@@ -120,11 +124,13 @@
|
|
{
|
|
int slen;
|
|
int hascolor, iscolor;
|
|
+ int space;
|
|
|
|
hascolor = 0;
|
|
iscolor = 0;
|
|
tok[0] = 0;
|
|
col[0] = 0;
|
|
+ space = sizeof(col) - 1;
|
|
s[0] = 0;
|
|
len = strlen(line);
|
|
strncpy(cmap[j].str, line, cpp);
|
|
@@ -147,10 +153,10 @@
|
|
{
|
|
if (k >= len)
|
|
{
|
|
- if (col[0])
|
|
- strcat(col, " ");
|
|
- if (strlen(col) + strlen(s) < sizeof(col))
|
|
- strcat(col, s);
|
|
+ if (col[0] && space > 0)
|
|
+ strncat(col, " ", space), space -= 1;
|
|
+ if (slen <= space)
|
|
+ strcat(col, s), space -= slen;
|
|
}
|
|
if (col[0])
|
|
{
|
|
@@ -180,14 +186,17 @@
|
|
}
|
|
}
|
|
}
|
|
+ if (slen < sizeof(tok))
|
|
strcpy(tok, s);
|
|
col[0] = 0;
|
|
+ space = sizeof(col) - 1;
|
|
}
|
|
else
|
|
{
|
|
- if (col[0])
|
|
- strcat(col, " ");
|
|
- strcat(col, s);
|
|
+ if (col[0] && space > 0)
|
|
+ strcat(col, " "), space -= 1;
|
|
+ if (slen <= space)
|
|
+ strcat(col, s), space -= slen;
|
|
}
|
|
}
|
|
}
|