$OpenBSD: patch-Imlib_load_c,v 1.5 2004/09/15 19:41:44 robert Exp $
--- Imlib/load.c.orig	Fri Mar 22 15:43:04 2002
+++ Imlib/load.c	Wed Sep 15 11:28:55 2004
@@ -254,7 +254,8 @@
   png_read_image(png_ptr, lines);
   png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
   ptr = data;
-  if (color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+  if (color_type == PNG_COLOR_TYPE_GRAY
+      || color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
     {
       for (y = 0; y < *h; y++)
 	{
@@ -279,6 +280,7 @@
 	    }
 	}
     }
+#if 0
   else if (color_type == PNG_COLOR_TYPE_GRAY)
     {
       for (y = 0; y < *h; y++)
@@ -294,6 +296,7 @@
 	    }
 	}
     }
+#endif
   else
     {
       for (y = 0; y < *h; y++)
@@ -631,12 +634,12 @@
   fread(dbuf, 4, 2, file);
   *w = (int)dbuf[0];
   *h = (int)dbuf[1];
-  if (*w > 32767)
+  if ((*w < 0) || (*w > 32767))
     {
       fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
       return NULL;
     }
-  if (*h > 32767)
+  if ((*h < 0) || (*h > 32767))
     {
       fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
       return NULL;
@@ -645,9 +648,9 @@
   planes = (int)word;
   fread(&word, 2, 1, file);
   bpp = (int)word;
-  if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
+  if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
     {
-      fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
+      fprintf(stderr, "IMLIB ERROR: unknown bitdepth %d in file\n", bpp);
       return NULL;
     }
   fread(dbuf, 4, 4, file);
@@ -661,6 +664,9 @@
   ncolors = (int)dbuf[0];
   if (ncolors == 0)
     ncolors = 1 << bpp;
+  if ((ncolors < 0) || (ncolors > (1 << bpp)))
+    ncolors = 1 << bpp;
+
   /* some more sanity checks */
   if (((comp == BI_RLE4) && (bpp != 4)) || ((comp == BI_RLE8) && (bpp != 8)) || ((comp == BI_BITFIELDS) && (bpp != 16 && bpp != 32)))
     {
@@ -786,9 +792,13 @@
 		  for (bit = 0; bit < 8; bit++)
 		    {
 		      index = ((byte & (0x80 >> bit)) ? 1 : 0);
+		      /* possibly corrupted file? */
+		      if (index < ncolors && poffset < *w * *h * 3)
+			{
 		      ptr[poffset] = cmap[index].r;
 		      ptr[poffset + 1] = cmap[index].g;
 		      ptr[poffset + 2] = cmap[index].b;
+			}
 		      column++;
 		    }
 		}
@@ -810,9 +820,13 @@
 			  index = ((byte & (0xF0 >> nibble * 4)) >> (!nibble * 4));
 			  if (index >= 16)
 			    index = 15;
+			  /* possibly corrupted file? */
+			  if (index < ncolors && poffset < *w * *h * 3)
+			    {
 			  ptr[poffset] = cmap[index].r;
 			  ptr[poffset + 1] = cmap[index].g;
 			  ptr[poffset + 2] = cmap[index].b;
+			    }
 			  column++;
 			}
 		    }
@@ -851,9 +865,13 @@
 				{
 				  linepos++;
 				  byte = getc(file);
+				  /* possibly corrupted file? */
+				  if (byte < ncolors && poffset < *w * *h * 3)
+				    {
 				  ptr[poffset] = cmap[byte].r;
 				  ptr[poffset + 1] = cmap[byte].g;
 				  ptr[poffset + 2] = cmap[byte].b;
+				    }
 				  column++;
 				}
 			      if (absolute & 0x01)
@@ -864,9 +882,13 @@
 			{
 			  for (i = 0; i < first; i++)
 			    {
+			      /* possibly corrupted file? */
+			      if (byte < ncolors && poffset < *w * *h * 3)
+				{
 			      ptr[poffset] = cmap[byte].r;
 			      ptr[poffset + 1] = cmap[byte].g;
 			      ptr[poffset + 2] = cmap[byte].b;
+				}
 			      column++;
 			      linepos++;
 			    }
@@ -874,9 +896,13 @@
 		    }
 		  else
 		    {
+		      /* possibly corrupted file? */
+		      if (byte < ncolors && poffset < *w * *h * 3)
+			{
 		      ptr[poffset] = cmap[byte].r;
 		      ptr[poffset + 1] = cmap[byte].g;
 		      ptr[poffset + 2] = cmap[byte].b;
+			}
 		      column++;
 		    }
 		}
@@ -884,9 +910,12 @@
 	  else if (bpp == 24)
 	    {
 	      linepos += fread(bbuf, 1, 3, file);
+	      if (poffset< *w * *h * 3)
+		{
 	      ptr[poffset] = (unsigned char)bbuf[2];
 	      ptr[poffset + 1] = (unsigned char)bbuf[1];
 	      ptr[poffset + 2] = (unsigned char)bbuf[0];
+		}
 	      column++;
 	    }
 	  else if (bpp == 16)
@@ -894,12 +923,16 @@
 	      unsigned char       temp;
 
 	      linepos += fread(&word, 2, 1, file);
+	      /* possibly corrupted file? */
+	      if (poffset < *w * *h * 3)
+		{
 	      temp = (word & rmask) >> rshift;
 	      ptr[poffset] = temp;
 	      temp = (word & gmask) >> gshift;
 	      ptr[poffset + 1] = temp;
 	      temp = (word & bmask) >> gshift;
 	      ptr[poffset + 2] = temp;
+		}
 	      column++;
 	    }
 	  else
@@ -907,12 +940,16 @@
 	      unsigned char       temp;
 
 	      linepos += fread(&dword, 4, 1, file);
+	      /* possibly corrupted file? */
+	      if (poffset < *w * *h * 3)
+		{
 	      temp = (dword & rmask) >> rshift;
 	      ptr[poffset] = temp;
 	      temp = (dword & gmask) >> gshift;
 	      ptr[poffset + 1] = temp;
 	      temp = (dword & bmask) >> bshift;
 	      ptr[poffset + 2] = temp;
+		}
 	      column++;
 	    }
 	}
@@ -1061,7 +1098,7 @@
 			  if (line[k] != ' ')
 			    {
 			      s[0] = 0;
-			      sscanf(&line[k], "%256s", s);
+			      sscanf(&line[k], "%255s", s);
 			      slen = strlen(s);
 			      k += slen;
 			      if (!strcmp(s, "c"))
@@ -1861,7 +1898,7 @@
 	  free(im);
 	  return NULL;
 	}
-      sscanf(s, "%256s %i", s1, &num);
+      sscanf(s, "%255s %i", s1, &num);
       if (num <= 0)
 	{
 	  fclose(p);
@@ -1870,10 +1907,10 @@
 	}
       while (fgets(s, 4096, p))
 	{
-	  sscanf(s, "%256s", s1);
+	  sscanf(s, "%255s", s1);
 	  if (!strcmp("IMAGE", s1))
 	    {
-	      sscanf(s, "%256s %i %256s %i %i %i %i %i %i %i %i %i", s1, &size,
+	      sscanf(s, "%255s %i %255s %i %i %i %i %i %i %i %i %i", s1, &size,
 		     s2, &w, &h, &r, &g, &b, &bl, &br, &bt, &bb);
 	      if (!iden[0])
 		break;