kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/graphics/xpm/patches/patch-ag
jlam f705b2b3cc Apply fixes derived from the HEAD branch of X.Org (6.8.99) to address 
problems noted in CAN-2004-0914:

    Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as
    used in XFree86 and other packages, include (1) multiple integer
    overflows, (2) out-of-bounds memory accesses, (3) directory
    traversal, (4) shell metacharacter, (5) endless loops, and (6)
    memory leaks, which could allow remote attackers to obtain
    sensitive information, cause a denial of service (application
    crash), or execute arbitary code via a certain XPM image file.

Bump PKGREVISION to 4.  Since this is a security-related fix, also
bump the BUILDLINK_RECOMMENDED version for this package.
2005-06-14 18:10:37 +00:00

387 lines
10 KiB
Text
Raw Blame History

$NetBSD: patch-ag,v 1.2 2005/06/14 18:10:37 jlam Exp $
--- lib/create.c.orig 1998-03-19 14:51:00.000000000 -0500
+++ lib/create.c
@@ -43,6 +43,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
#include <ctype.h>
@@ -517,7 +519,7 @@ CreateColors(display, attributes, colors
/* variables stored in the XpmAttributes structure */
Visual *visual;
Colormap colormap;
- XpmColorSymbol *colorsymbols;
+ XpmColorSymbol *colorsymbols = NULL;
unsigned int numsymbols;
XpmAllocColorFunc allocColor;
void *closure;
@@ -525,7 +527,7 @@ CreateColors(display, attributes, colors
char *colorname;
unsigned int color, key;
Bool pixel_defined;
- XpmColorSymbol *symbol;
+ XpmColorSymbol *symbol = NULL;
char **defaults;
int ErrorStatus = XpmSuccess;
char *s;
@@ -583,7 +585,7 @@ CreateColors(display, attributes, colors
*/
} else {
#endif
- int i;
+ unsigned int i;
#ifndef AMIGA
ncols = visual->map_entries;
@@ -743,12 +745,14 @@ FreeColors(display, colormap, pixels, n,
/* function call in case of error */
+
#undef RETURN
#define RETURN(status) \
+do \
{ \
ErrorStatus = status; \
goto error; \
-}
+} while(0)
int
XpmCreateImageFromXpmImage(display, image,
@@ -765,7 +769,6 @@ XpmCreateImageFromXpmImage(display, imag
unsigned int depth;
int bitmap_format;
XpmFreeColorsFunc freeColors;
- void *closure;
/* variables to return */
XImage *ximage = NULL;
@@ -812,13 +815,12 @@ XpmCreateImageFromXpmImage(display, imag
freeColors = attributes->free_colors;
else
freeColors = FreeColors;
- if (attributes && (attributes->valuemask & XpmColorClosure))
- closure = attributes->color_closure;
- else
- closure = NULL;
ErrorStatus = XpmSuccess;
+ if (image->ncolors >= UINT_MAX / sizeof(Pixel))
+ return (XpmNoMemory);
+
/* malloc pixels index tables */
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
if (!image_pixels)
@@ -991,7 +993,13 @@ CreateXImage(display, visual, depth, for
return (XpmNoMemory);
#if !defined(FOR_MSW) && !defined(AMIGA)
+ if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+ XDestroyImage(*image_return);
+ return XpmNoMemory;
+ }
/* now that bytes_per_line must have been set properly alloc data */
+ if((*image_return)->bytes_per_line == 0 || height == 0)
+ return XpmNoMemory;
(*image_return)->data =
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1020,7 +1028,7 @@ CreateXImage(display, visual, depth, for
LFUNC(_putbits, void, (register char *src, int dstoffset,
register int numbits, register char *dst));
-LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));
+LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
static unsigned char Const _reverse_byte[0x100] = {
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
@@ -1060,12 +1068,12 @@ static unsigned char Const _reverse_byte
static int
_XReverse_Bytes(bpt, nb)
register unsigned char *bpt;
- register int nb;
+ register unsigned int nb;
{
do {
*bpt = _reverse_byte[*bpt];
bpt++;
- } while (--nb > 0);
+ } while (--nb > 0); /* is nb user-controled? */
return 0;
}
@@ -1204,18 +1212,18 @@ PutImagePixels(image, width, height, pix
register char *src;
register char *dst;
register unsigned int *iptr;
- register int x, y, i;
+ register unsigned int x, y;
register char *data;
Pixel pixel, px;
- int nbytes, depth, ibu, ibpp;
+ int nbytes, depth, ibu, ibpp, i;
data = image->data;
iptr = pixelindex;
depth = image->depth;
if (depth == 1) {
ibu = image->bitmap_unit;
- for (y = 0; y < height; y++)
- for (x = 0; x < width; x++, iptr++) {
+ for (y = 0; y < height; y++) /* how can we trust height */
+ for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
pixel = pixels[*iptr];
for (i = 0, px = pixel; i < sizeof(unsigned long);
i++, px >>= 8)
@@ -1290,12 +1298,12 @@ PutImagePixels32(image, width, height, p
{
unsigned char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
Pixel pixel;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
unsigned char *addr;
data = (unsigned char *) image->data;
@@ -1332,7 +1340,7 @@ PutImagePixels32(image, width, height, p
#else /* WITHOUT_SPEEDUPS */
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
unsigned char *data_ptr, *max_data;
data = (unsigned char *) image->data;
@@ -1400,11 +1408,11 @@ PutImagePixels16(image, width, height, p
{
unsigned char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
unsigned char *addr;
data = (unsigned char *) image->data;
@@ -1428,7 +1436,7 @@ PutImagePixels16(image, width, height, p
Pixel pixel;
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
unsigned char *data_ptr, *max_data;
data = (unsigned char *) image->data;
@@ -1481,11 +1489,11 @@ PutImagePixels8(image, width, height, pi
{
char *data;
unsigned int *iptr;
- int y;
+ unsigned int y;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
data = image->data;
iptr = pixelindex;
@@ -1495,7 +1503,7 @@ PutImagePixels8(image, width, height, pi
#else /* WITHOUT_SPEEDUPS */
- int bpl = image->bytes_per_line;
+ unsigned int bpl = image->bytes_per_line;
char *data_ptr, *max_data;
data = image->data;
@@ -1530,12 +1538,12 @@ PutImagePixels1(image, width, height, pi
PutImagePixels(image, width, height, pixelindex, pixels);
else {
unsigned int *iptr;
- int y;
+ unsigned int y;
char *data;
#ifdef WITHOUT_SPEEDUPS
- int x;
+ unsigned int x;
data = image->data;
iptr = pixelindex;
@@ -1755,10 +1763,12 @@ PutPixel1(ximage, x, y, pixel)
register char *src;
register char *dst;
register int i;
- register char *data;
Pixel px;
int nbytes;
+ if(x < 0 || y < 0)
+ return 0;
+
for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
((unsigned char *)&pixel)[i] = px;
src = &ximage->data[XYINDEX(x, y, ximage)];
@@ -1788,9 +1798,11 @@ PutPixel(ximage, x, y, pixel)
register char *src;
register char *dst;
register int i;
- register char *data;
Pixel px;
- int nbytes, ibpp;
+ unsigned int nbytes, ibpp;
+
+ if(x < 0 || y < 0)
+ return 0;
ibpp = ximage->bits_per_pixel;
if (ximage->depth == 4)
@@ -1823,6 +1835,9 @@ PutPixel32(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
*((unsigned long *)addr) = pixel;
return 1;
@@ -1837,6 +1852,9 @@ PutPixel32MSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
addr[0] = pixel >> 24;
addr[1] = pixel >> 16;
@@ -1854,6 +1872,9 @@ PutPixel32LSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
addr[3] = pixel >> 24;
addr[2] = pixel >> 16;
@@ -1871,6 +1892,9 @@ PutPixel16MSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
addr[0] = pixel >> 8;
addr[1] = pixel;
@@ -1886,6 +1910,9 @@ PutPixel16LSB(ximage, x, y, pixel)
{
unsigned char *addr;
+ if(x < 0 || y < 0)
+ return 0;
+
addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
addr[1] = pixel >> 8;
addr[0] = pixel;
@@ -1899,6 +1926,9 @@ PutPixel8(ximage, x, y, pixel)
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
ximage->data[ZINDEX8(x, y, ximage)] = pixel;
return 1;
}
@@ -1910,6 +1940,9 @@ PutPixel1MSB(ximage, x, y, pixel)
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
if (pixel & 1)
ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7);
else
@@ -1924,6 +1957,9 @@ PutPixel1LSB(ximage, x, y, pixel)
int y;
unsigned long pixel;
{
+ if(x < 0 || y < 0)
+ return 0;
+
if (pixel & 1)
ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7);
else
@@ -1953,7 +1989,6 @@ xpmParseDataAndCreate(display, data, ima
unsigned int depth;
int bitmap_format;
XpmFreeColorsFunc freeColors;
- void *closure;
/* variables to return */
XImage *ximage = NULL;
@@ -2011,10 +2046,6 @@ xpmParseDataAndCreate(display, data, ima
freeColors = attributes->free_colors;
else
freeColors = FreeColors;
- if (attributes && (attributes->valuemask & XpmColorClosure))
- closure = attributes->color_closure;
- else
- closure = NULL;
cmts = info && (info->valuemask & XpmReturnComments);
@@ -2063,6 +2094,9 @@ xpmParseDataAndCreate(display, data, ima
xpmGetCmt(data, &colors_cmt);
/* malloc pixels index tables */
+ if (ncolors >= UINT_MAX / sizeof(Pixel))
+ RETURN(XpmNoMemory);
+
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
if (!image_pixels)
RETURN(XpmNoMemory);
@@ -2173,7 +2207,7 @@ xpmParseDataAndCreate(display, data, ima
* free the hastable
*/
if (ErrorStatus != XpmSuccess)
- RETURN(ErrorStatus)
+ RETURN(ErrorStatus);
else if (USE_HASHTABLE)
xpmHashTableFree(&hashtable);
@@ -2364,11 +2398,11 @@ if (cidx[f]) XpmFree(cidx[f]);}
/* array of pointers malloced by need */
unsigned short *cidx[256];
- int char1;
+ unsigned int char1;
bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
for (a = 0; a < ncolors; a++) {
- char1 = colorTable[a].string[0];
+ char1 = (unsigned char) colorTable[a].string[0];
if (cidx[char1] == NULL) { /* get new memory */
cidx[char1] = (unsigned short *)
XpmCalloc(256, sizeof(unsigned short));
Reference in a new issue View git blame Copy permalink