File xv-3.10a-overflow.dif of Package xv.import4872
!
! Copy always not more as the length of the buffers for the
! filenames and the basename of them.
!
! Avoid to count over the allocated array under a pointer
! in xvbmp.c as the new glibc will call abort() on a free()
! on that pointer.
! Use unsigned integers for comparison to detected wrong
! picture dimensions otherwise the new gcc will fool us
! with a false negative check.
!
--- xv.c
+++ xv.c 2011-07-07 08:58:48.831925986 +0000
@@ -64,7 +64,7 @@ static const char *maingeom = NULL;
 static const char *icongeom = NULL;
 static Atom __SWM_VROOT = None;
-static char basefname[128]; /* just the current fname, no path */
+static char basefname[MAXNAMELEN+1]; /* just the current fname, no path */
 #ifdef TV_L10N
 # ifndef TV_FONTSET
@@ -2094,7 +2094,7 @@ static int openPic(filenum)
 int oldCXOFF, oldCYOFF, oldCWIDE, oldCHIGH, wascropped;
 char *tmp;
 char *fullname, /* full name of the original file */
- filename[512]; /* full name of file to load (could be /tmp/xxx)*/
+ filename[MAXPATHLEN+1]; /* full name of file to load (could be /tmp/xxx)*/
 #ifdef MACBINARY
 char origname[512]; /* file name of original file (NO processing) */
 origname[0] = '\0';
@@ -2137,7 +2137,7 @@ static int openPic(filenum)
 return 0;
 }
- sprintf(filename, "%s%d", pageBaseName, curPage+1);
+ snprintf(filename, sizeof(filename)-1, "%s%d", pageBaseName, curPage+1);
 fullname = filename;
 goto HAVE_FILENAME;
 }
@@ -2180,8 +2180,8 @@ static int openPic(filenum)
 i = LoadPad(&pinfo, fullfname);
 fullname = fullfname;
- strcpy(filename, fullfname);
- strcpy(basefname, BaseName(fullfname));
+ strncpy(filename, fullfname, sizeof(filename)-1);
+ strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1);
 if (!i) goto FAILED; /* shouldn't happen */
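Review bot: In the `@@ -2180,8 +2180,8 @@` hunk of xv.c, `strncpy(filename, fullfname, sizeof(filename)-1)` bounds the copy but does not terminate it: `filename` is an automatic array, so when the source is at least as long as the limit the final byte is never written and later string calls on `filename` read past the copied data. Add `filename[sizeof(filename)-1] = '\0';` after the copy, or use `snprintf(filename, sizeof(filename), "%s", fullfname);` and treat a return value of `sizeof(filename)` or more as a failed load rather than opening a truncated path. The same unterminated `strncpy(filename, ...)` appears in the hunks at -2225, -2345, -2415 and -2469. `basefname` is static and its last byte is never written by these copies, so it stays terminated. openPic's body starts and ends outside these hunks.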
@@ -2225,7 +2225,7 @@ static int openPic(filenum)
 fullname = GetDirFullName();
 if (ISPIPE(fullname[0])) { /* read from a pipe. */
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
 if (readpipe(fullname, filename)) goto FAILED;
 frompipe = 1;
 }
@@ -2247,9 +2247,8 @@ static int openPic(filenum)
 else fullname = namelist[filenum];
 #endif
- strcpy(fullfname, fullname);
- strcpy(basefname, BaseName(fullname));
-
+ strncpy(filename, fullfname, sizeof(filename)-1);
+ strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1);
 /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */
 if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0)
@@ -2345,7 +2344,7 @@ static int openPic(filenum)
 }
 }
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
 /* if the file is STDIN, write it out to a temp file */
@@ -2357,7 +2356,7 @@ static int openPic(filenum)
 #endif
 #ifndef VMS
- sprintf(filename,"%s/xvXXXXXX",tmpdir);
+ snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir);
 #else /* it is VMS */
 sprintf(filename, "[]xvXXXXXX");
 #endif
@@ -2415,7 +2414,7 @@ static int openPic(filenum)
 /* if we made a /tmp file (from stdin, etc.) won't need it any more */
 if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
 } else filetype = RFT_ERROR;
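Review bot: The `@@ -2247,9 +2247,8 @@` hunk changes which buffers are written, not only how they are bounded: the removed lines copied `fullname` into `fullfname` and took the basename of `fullname`, while the added lines copy `fullfname` into `filename` and take the basename of `fullfname`. Unless `fullfname` is set elsewhere on this path, it now keeps whatever an earlier load left in it, so `basefname` would describe the wrong file; the added lines look copied from the -2180 hunk. To keep the old behaviour with a bound, the lines would be `strncpy(fullfname, fullname, sizeof(fullfname)-1);` and `strncpy(basefname, BaseName(fullname), sizeof(basefname)-1);`, assuming `fullfname` is an array, since its declaration is outside the hunk.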
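Review bot: In the `@@ -2357,7 +2356,7 @@` hunk the return value of `snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir)` is not checked, so an over-long `tmpdir` silently cuts off the `XXXXXX` suffix that the temp-file creation outside this hunk presumably depends on. Keep the return value in an `int n` and fail the load on truncation, for example `if (n < 0 || (size_t)n >= sizeof(filename)) goto FAILED;`, where `FAILED` is the label the neighbouring hunks already jump to. `snprintf` counts the terminator within its size argument, so the `-1` is unnecessary. The same missing check applies to the page-name `snprintf` in the -2137 hunk.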
@@ -2469,14 +2468,14 @@ static int openPic(filenum)
 filetype = ReadFileType(tmpname);
 if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
 }
 ms_auto_no:
 #endif /* HAVE_MGCSFX_AUTO */
 if (filetype == RFT_ERROR) {
- char foostr[512];
- sprintf(foostr,"Can't open file '%s'\n\n %s.",filename, ERRSTR(errno));
+ char foostr[256+MAXPATHLEN+1];
+ snprintf(foostr, sizeof(foostr)-1, "Can't open file '%s'\n\n %s.",filename, ERRSTR(errno));
 if (!polling) ErrPopUp(foostr, "\nBummer!");
--- xv.h
+++ xv.h 2011-07-07 09:00:42.988883250 +0000
@@ -87,6 +87,9 @@
 # ifndef _LINUX_LIMITS_H
 # include <linux/limits.h>
 # endif
+# ifndef _LIBC_LIMITS_H_
+# include <limits.h>
+# endif
 # ifndef USLEEP
 # define USLEEP
 # endif
@@ -327,9 +330,20 @@
 #endif
 #ifndef MAXPATHLEN
-# define MAXPATHLEN 256
+# ifdef PATH_MAX
+# define MAXPATHLEN PATH_MAX
+# else
+# define MAXPATHLEN 512
+# endif
 #endif
+#ifndef MAXNAMELEN
+# ifdef NAME_MAX
+# define MAXNAMELEN NAME_MAX
+# else
+# define MAXNAMELEN 128
+# endif
+#endif
 #ifdef SVR4
 # define random lrand48
--- xvbmp.c
+++ xvbmp.c 2008-05-27 12:37:34.384175224 +0200
@@ -191,6 +191,9 @@ int LoadBMP(fname, pinfo)
 bPad -= 12;
 }
+ if (biClrUsed > (1 << biBitCount))
+ biClrUsed = (1 << biBitCount);
+ /* load up colormap, if any */
 if (biBitCount == 1 || biBitCount == 4 || biBitCount == 8) {
 int i, cmaplen;
@@ -237,7 +240,7 @@ int LoadBMP(fname, pinfo)
 if (biWidth == 0 || biHeight == 0 || npixels/biWidth != biHeight || count/3 != npixels) return (bmpError(bname, "image dimensions too large"));
- pic24 = (byte *) calloc((size_t) count, (size_t) 1);
+ pic24 = (byte *) calloc((size_t) (count + 1), (size_t) 1);
 if (!pic24) return (bmpError(bname, "couldn't malloc 'pic24'"));
 } else {
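Review bot: In the `@@ -191,6 +191,9 @@` hunk of xvbmp.c the clamp `1 << biBitCount` is evaluated before the test for bit counts 1, 4 and 8 that follows it, so if larger bit counts reach this point, a shift by 31 or more on a 32-bit `int` is undefined and the clamp cannot be relied on. Moving the two added lines inside the colormap `if` block, where `biBitCount` is at most 8, keeps the shift in range. If `biClrUsed` has a signed type (its declaration is outside the hunk), a negative value from the file header also passes the `>` test unclamped, so a `biClrUsed < 0` rejection belongs next to it.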
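Review bot: `calloc((size_t) (count + 1), (size_t) 1)` in the `@@ -237,7 +240,7 @@` hunk adds one byte of slack instead of bounding the writer, so a decoder that runs more than one byte past `count` would still corrupt the heap. The loops that fill `pic24` and `pic8` are outside these hunks, and the bound they use should be checked against the allocation size there. The addition is also done in the variable's own type before the cast; `(size_t) count + 1` avoids a signed wrap if these are `int`, and the same applies to `npixels + 1` in the -245 hunk. A comment such as `/* +1: slack byte, see REASON */` would record why the extra byte exists.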
@@ -245,7 +248,7 @@ int LoadBMP(fname, pinfo)
 if (biWidth == 0 || biHeight == 0 || npixels/biWidth != biHeight) return (bmpError(bname, "image dimensions too large"));
- pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
+ pic8 = (byte *) calloc((size_t) (npixels + 1), (size_t) 1);
 if (!pic8) return(bmpError(bname, "couldn't malloc 'pic8'"));
 }
@@ -466,7 +469,7 @@ static int loadBMP8(fp, pic8, w, h, comp
 rv = 0;
- pend = pic8 + w * h;
+ pend = pic8 + l;
 if (comp == BI_RGB) { /* read uncompressed data */
 padw = ((w + 3)/4) * 4; /* 'w' padded to a multiple of 4pix (32 bits) */
--- xvpbm.c
+++ xvpbm.c 2008-05-26 17:47:31.890952085 +0200
@@ -5,6 +5,7 @@
 * WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment)
 */
+#include <stdint.h>
 #include "copyright.h"
 #include "xv.h"
@@ -234,12 +235,17 @@ static int loadpbm(fp, pinfo, raw)
 byte *pic8;
 byte *pix;
 int i,j,bit,w,h,npixels;
+ uint64_t pixchk;
 w = pinfo->w;
 h = pinfo->h;
 npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
 return pbmError(bname, "image dimensions too large");
 pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -305,13 +311,17 @@ static int loadpgm(fp, pinfo, raw, maxv)
 {
 byte *pix, *pic8;
 int i,j,bitshift,w,h,npixels, holdmaxv;
-
+ uint64_t pixchk;
 w = pinfo->w;
 h = pinfo->h;
 npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
 return pbmError(bname, "image dimensions too large");
 pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
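Review bot: `pend = pic8 + l;` in the `@@ -466,7 +469,7 @@` hunk uses `l`, which no visible line declares and this patch does not add, so the hunk depends on a definition elsewhere; the function header is cut off in the hunk line and its body continues outside it. Since `pend` is the bound that stops the decoder writing past `pic8`, a comment stating what `l` holds would let a reader confirm it matches the size passed to `calloc` in LoadBMP, for example `/* l: bytes allocated for pic8 by the caller */` if that is what it is.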
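Review bot: In the `@@ -234,12 +235,17 @@` hunk of xvpbm.c, `npixels = w * h;` is still an `int` multiplication that runs before the new test, so on overflow the behaviour is already undefined and a compiler may assume `(uint64_t)npixels == pixchk` always holds, which is the false negative the description sets out to remove. Do the range test on the 64-bit product and only then narrow: `pixchk = (uint64_t)w * (uint64_t)h;`, `if (w <= 0 || h <= 0 || pixchk > INT_MAX) return pbmError(bname, "image dimensions too large");`, `npixels = (int)pixchk;`. The same ordering applies to loadpgm, loadppm (`bufsize = 3*npixels`) and loadpam (`linebufsize = 4*w`) in the following hunks. loadpbm's body continues outside the hunk.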
@@ -389,13 +399,20 @@ static int loadppm(fp, pinfo, raw, maxv)
 {
 byte *pix, *pic24, scale[256];
 int i,j,bitshift, w, h, npixels, bufsize, holdmaxv;
+ uint64_t bufchk, pixchk;
 w = pinfo->w;
 h = pinfo->h;
 npixels = w * h;
 bufsize = 3*npixels;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk)
 return pbmError(bname, "image dimensions too large");
 /* allocate 24-bit image */
@@ -481,6 +498,7 @@ static int loadpam(fp, pinfo, raw, maxv)
 {
 byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a;
 int i, j, bitshift, w, h, npixels, bufsize, linebufsize, holdmaxv;
+ uint64_t bufchk, pixchk, lnbchk;
 w = pinfo->w;
 h = pinfo->h;
@@ -488,8 +506,16 @@ static int loadpam(fp, pinfo, raw, maxv)
 npixels = w * h;
 bufsize = 3*npixels;
 linebufsize = 4*w;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels ||
- linebufsize/4 != w)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ lnbchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+ lnbchk *= 4ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk ||
+ (uint64_t)linebufsize != lnbchk)
 return pbmError(bname, "image dimensions too large");
 /* allocate 24-bit image */