59 lines
1.9 KiB
Plaintext
59 lines
1.9 KiB
Plaintext
$OpenBSD: patch-lib_Xm_Xpmcreate_c,v 1.1 2004/09/01 22:57:36 pvalchev Exp $
|
|
--- lib/Xm/Xpmcreate.c.orig Fri Apr 28 09:05:21 2000
|
|
+++ lib/Xm/Xpmcreate.c Wed Sep 1 01:39:33 2004
|
|
@@ -1,4 +1,5 @@
|
|
/* $XConsortium: Xpmcreate.c /main/8 1996/09/20 08:15:02 pascale $ */
|
|
+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
|
|
/*
|
|
* Copyright (C) 1989-95 GROUPE BULL
|
|
*
|
|
@@ -799,6 +800,9 @@ XpmCreateImageFromXpmImage(display, imag
|
|
|
|
ErrorStatus = XpmSuccess;
|
|
|
|
+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
|
|
+ return (XpmNoMemory);
|
|
+
|
|
/* malloc pixels index tables */
|
|
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
|
|
if (!image_pixels)
|
|
@@ -942,6 +946,8 @@ CreateXImage(display, visual, depth, for
|
|
return (XpmNoMemory);
|
|
|
|
#ifndef FOR_MSW
|
|
+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
|
|
+ return XpmNoMemory;
|
|
/* now that bytes_per_line must have been set properly alloc data */
|
|
(*image_return)->data =
|
|
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
|
|
@@ -1987,6 +1993,9 @@ xpmParseDataAndCreate(display, data, ima
|
|
xpmGetCmt(data, &colors_cmt);
|
|
|
|
/* malloc pixels index tables */
|
|
+ if (ncolors >= SIZE_MAX / sizeof(Pixel))
|
|
+ return XpmNoMemory;
|
|
+
|
|
image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
|
|
if (!image_pixels)
|
|
RETURN(XpmNoMemory);
|
|
@@ -2200,6 +2209,9 @@ ParseAndPutPixels(dc, data, width, heigh
|
|
{
|
|
unsigned short colidx[256];
|
|
|
|
+ if (ncolors > 256)
|
|
+ return (XpmFileInvalid);
|
|
+
|
|
bzero((char *)colidx, 256 * sizeof(short));
|
|
for (a = 0; a < ncolors; a++)
|
|
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
|
|
@@ -2297,6 +2309,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
|
|
{
|
|
char *s;
|
|
char buf[BUFSIZ];
|
|
+
|
|
+ if (cpp >= sizeof(buf))
|
|
+ return (XpmFileInvalid);
|
|
|
|
buf[cpp] = '\0';
|
|
if (USE_HASHTABLE) {
|