File xv-3.10a-overflow.dif of Package xv
!
! Copy always not more as the length of the buffers for the
! filenames and the basename of them.
!
! Avoid to count over the allocated array under a pointer
! in xvbmp.c as the new glibc will call abort() on a free()
! on that pointer.
! Use unsigned integers for comparison to detected wrong
! picture dimensions otherwise the new gcc will fool us
! with a false negative check.
!
---
 src/xv.c | 25 ++++++++++++-------------
 src/xv.h | 17 ++++++++++++++++-
 src/xvpbm.c | 38 ++++++++++++++++++++++++++++++++------
 src/xvpcx.c | 3 ++-
 4 files changed, 62 insertions(+), 21 deletions(-)
--- src/xv.c
+++ src/xv.c 2024-10-15 07:57:00.657132702 +0000
@@ -51,7 +51,7 @@ static const char *icongeom = NULL;
 static Atom __SWM_VROOT = None;
 static int dpiMultSet = 0;
-static char basefname[NAME_MAX+1]; /* just the current fname, no path */
+static char basefname[MAXNAMELEN+1]; /* just the current fname, no path */
 #ifdef TV_L10N
 # ifndef TV_FONTSET
@@ -2341,7 +2341,7 @@ static int openPic(int filenum)
 return 0;
 }
- sprintf(filename, "%s%d", pageBaseName, curPage+1);
+ snprintf(filename, sizeof(filename)-1, "%s%d", pageBaseName, curPage+1);
 fullname = filename;
 goto HAVE_FILENAME;
 }
@@ -2386,9 +2386,9 @@ static int openPic(int filenum)
 if (!i) goto FAILED; /* shouldn't happen */
 fullname = fullfname;
- strcpy(filename, fullfname);
- if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
- strcpy(basefname, BaseName(fullfname));
+ strncpy(filename, fullfname, sizeof(filename)-1);
+ if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED;
+ strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1);
 if (killpage) { /* kill old page files, if any */
@@ -2431,7 +2431,7 @@ static int openPic(int filenum)
 fullname = GetDirFullName();
 if (ISPIPE(fullname[0])) { /* read from a pipe. */
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
 if (readpipe(fullname, filename)) goto FAILED;
 frompipe = 1;
 }
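Review bot: `snprintf(filename, sizeof(filename)-1, ...)` in the @@ -2341 hunk passes one byte less than the buffer holds and drops the return value, so an over-long page name is cut short without any error. snprintf already leaves room for the terminator; pass `sizeof(filename)` and treat a result `>= sizeof(filename)` as a failure, e.g. `if ((size_t)snprintf(filename, sizeof(filename), "%s%d", pageBaseName, curPage+1) >= sizeof(filename)) goto FAILED;`. The same call shape appears in the @@ -2568 hunk, where a truncated `"%s/xvXXXXXX"` template would lose its trailing X characters before whatever consumes it outside the hunk. openPic starts and ends outside both hunks, and `filename` is declared outside them, so `sizeof(filename)` is assumed to refer to an array.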
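Review bot: The `strncpy(filename, fullfname, sizeof(filename)-1)` call in the @@ -2386 hunk bounds the write but truncates silently and writes no terminator when the source fills the buffer. `basefname` is static, so its last byte stays zero, but `filename` and `fullfname` are declared outside the hunks and are only terminated if they were zeroed beforehand. A truncated path is also a different path: the context line `if (strcmp(fullname,filename)!=0) unlink(filename);` in the @@ -2626 hunk would then treat the shortened name as a temp file. I would reject over-long names before copying, as the hunk already does for the basename, e.g. `if (strlen(fullfname) >= sizeof(filename)) goto FAILED;`. The same applies to the copies in the @@ -2431, @@ -2453, @@ -2556 and @@ -2626 hunks; openPic's body extends outside all of them.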
@@ -2453,10 +2453,9 @@ static int openPic(int filenum)
 else fullname = namelist[filenum];
 #endif
- strcpy(fullfname, fullname);
- if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
- strcpy(basefname, BaseName(fullname));
-
+ strncpy(fullfname, fullname, sizeof(fullfname)-1);
+ if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED;
+ strncpy(basefname, BaseName(fullname), sizeof(basefname)-1);
 /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */
 if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0)
@@ -2556,7 +2555,7 @@ static int openPic(int filenum)
 }
 }
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
 /* if the file is STDIN, write it out to a temp file */
@@ -2568,7 +2567,7 @@ static int openPic(int filenum)
 #endif
 #ifndef VMS
- sprintf(filename,"%s/xvXXXXXX",tmpdir);
+ snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir);
 #else /* it is VMS */
 sprintf(filename, "[]xvXXXXXX");
 #endif
@@ -2626,7 +2625,7 @@ static int openPic(int filenum)
 /* if we made a /tmp file (from stdin, etc.) won't need it any more */
 if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
 } else filetype = RFT_ERROR;
--- src/xv.h
+++ src/xv.h 2024-08-13 13:49:08.173562534 +0000
@@ -118,6 +118,9 @@
 # ifndef _LINUX_LIMITS_H
 # include <linux/limits.h>
 # endif
+# ifndef _LIBC_LIMITS_H_
+# include <limits.h>
+# endif
 # ifndef USLEEP
 # define USLEEP
 # endif
@@ -371,7 +374,19 @@
 #endif
 #ifndef MAXPATHLEN
-# define MAXPATHLEN 256
+# ifdef PATH_MAX
+# define MAXPATHLEN PATH_MAX
+# else
+# define MAXPATHLEN 512
+# endif
+#endif
+
+#ifndef MAXNAMELEN
+# ifdef NAME_MAX
+# define MAXNAMELEN NAME_MAX
+# else
+# define MAXNAMELEN 128
+# endif
 #endif
 #define XV_MAXQUOTEDPATHLEN (3 * MAXPATHLEN + 10)
--- src/xvpbm.c
+++ src/xvpbm.c 2024-08-13 13:51:11.747365804 +0000
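Review bot: The added `# ifndef _LIBC_LIMITS_H_` guard in the @@ -118 hunk of xv.h tests an include guard that is private to one C library, so it documents nothing portable and can change between libc versions. `<limits.h>` is safe to include repeatedly; a plain `# include <limits.h>` without the surrounding `# ifndef`/`# endif` does the same job. The include also sits inside a conditional block that opens outside the hunk, so the `PATH_MAX` and `NAME_MAX` tests added in the @@ -371 hunk may fall through to the 512 and 128 fallbacks on platforms that skip that block; a one-line comment there, such as `/* fallbacks when <limits.h> gives no PATH_MAX/NAME_MAX */`, would make that visible.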
@@ -5,6 +5,7 @@
 * WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment)
 */
+#include <stdint.h>
 #include "copyright.h"
 #include "xv.h"
@@ -229,12 +230,17 @@ static int loadpbm(FILE *fp, PICINFO *pi
 byte *pic8;
 byte *pix;
 int i,j,bit,w,h,npixels;
+ uint64_t pixchk;
 w = pinfo->w;
 h = pinfo->h;
 npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
 return pbmError(bname, "image dimensions too large");
 pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -297,13 +303,17 @@ static int loadpgm(FILE *fp, PICINFO *pi
 {
 byte *pix, *pic8;
 int i,j,bitshift,w,h,npixels, holdmaxv;
-
+ uint64_t pixchk;
 w = pinfo->w;
 h = pinfo->h;
 npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
 return pbmError(bname, "image dimensions too large");
 pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -378,13 +388,20 @@ static int loadppm(FILE *fp, PICINFO *pi
 {
 byte *pix, *pic24, scale[256];
 int i,j,bitshift, w, h, npixels, bufsize, holdmaxv;
+ uint64_t bufchk, pixchk;
 w = pinfo->w;
 h = pinfo->h;
 npixels = w * h;
 bufsize = 3*npixels;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk)
 return pbmError(bname, "image dimensions too large");
 /* allocate 24-bit image */
@@ -467,6 +484,7 @@ static int loadpam(FILE *fp, PICINFO *pi
 {
 byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a;
 int i, j, w, h, npixels, bufsize, linebufsize, holdmaxv;
+ uint64_t bufchk, pixchk, lnbchk;
 /* int bitshift; */
 w = pinfo->w;
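Review bot: `npixels = w * h;` in loadpbm is still evaluated in `int` before the new comparison, so the signed overflow the check is meant to detect has already occurred, and a compiler that assumes it cannot occur may reduce `(uint64_t)npixels != pixchk` to false once `w > 0 && h > 0` is known. Compute the product in 64 bits first and narrow only after the bound is checked: `pixchk = (uint64_t)w * (uint64_t)h;`, then `if (w <= 0 || h <= 0 || pixchk > INT_MAX) return pbmError(bname, "image dimensions too large");`, then `npixels = (int)pixchk;`. The same ordering problem is in the loadpgm hunk, in loadppm where `bufsize = 3*npixels` and `bufchk` are both derived from the already-computed `npixels` (bound `pixchk` by `INT_MAX/3` instead), and in the loadpam hunk @@ -475 for `linebufsize = 4*w`. `INT_MAX` comes from `<limits.h>`; all four function bodies continue outside their hunks.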
@@ -475,8 +493,16 @@ static int loadpam(FILE *fp, PICINFO *pi
 npixels = w * h;
 bufsize = 3*npixels;
 linebufsize = 4*w;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels ||
- linebufsize/4 != w)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ lnbchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+ lnbchk *= 4ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk ||
+ (uint64_t)linebufsize != lnbchk)
 return pbmError(bname, "image dimensions too large");
 /* allocate 24-bit image */
--- src/xvpcx.c
+++ src/xvpcx.c 2024-08-13 13:52:07.662371779 +0000
@@ -245,7 +245,8 @@ static int pcxLoadImage8(const char *fna
 static int pcxLoadImage24(const char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
 {
 byte *pix, *pic24, scale[256];
- int c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes, count;
+ int c, i, j, w, h, maxv, cnt, planes, bperlin;
+ long nbytes, count;
 w = pinfo->w;
 h = pinfo->h;
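Review bot: Declaring `nbytes` and `count` as `long` in pcxLoadImage24 only helps if the expression that fills `nbytes` is itself evaluated in `long`; that assignment is outside the hunk, and if it multiplies the `int` values `bperlin`, `h` and `planes`, the overflow happens before the result is widened. `long` is also 32 bits on ILP32 and LLP64 targets, so the extra range is not guaranteed everywhere. I would declare both as `size_t` (or `uint64_t`), cast the first operand of the product, and compare the result with the allocation limit before the buffer is allocated. A comment on the declaration, such as `/* wider than int: bperlin*planes*h can exceed INT_MAX */`, would record why the types differ from the other locals.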