diff options
| author | Egbert Eich <eich@suse.de> | 2004-09-21 17:57:35 +0000 |
|---|---|---|
| committer | Egbert Eich <eich@suse.de> | 2004-09-21 17:57:35 +0000 |
| commit | a983dafac59dcb425666a5a5556da4734e50c6c5 (patch) | |
| tree | 6fbd73d497da68397e83ee8d27790965f80ca26a /src/create.c | |
| parent | 2773a7214e282f6f673483f5233b880505947c3f (diff) | |
| download | xorg-lib-libXpm-a983dafac59dcb425666a5a5556da4734e50c6c5.tar.gz | |
Merged over libXpm security fix provided by Chris Evans, Matthieu Herrb and
Alan Coopersmith from release 6.8.1.
Fail during initialization with error if font/fontset is not set for
widget. This prevents a sig11 later when the non-existent font/fontset
structs are referenced.
Check if xf86Info.kbdProc pointer is really set before calling it on abort
as this pointer won't be set if the new modular keyboard driver is used
(Matthias Hopf).
Added new libs to the bindist control files.
Removed inclusion of unnecessary kernel header on Linux. This may fail in
an -ansi environment.
Diffstat (limited to 'src/create.c')
| -rw-r--r-- | src/create.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/create.c b/src/create.c index 790e23e..8710c18 100644 --- a/src/create.c +++ b/src/create.c @@ -1,3 +1,4 @@ +/* $XdotOrg: xc/extras/Xpm/lib/create.c,v 1.2.4.1 2004/09/15 15:47:39 daniel Exp $ */ /* * Copyright (C) 1989-95 GROUPE BULL * @@ -816,6 +817,9 @@ XpmCreateImageFromXpmImage(display, image, ErrorStatus = XpmSuccess; + if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) + return (XpmNoMemory); + /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) @@ -988,6 +992,8 @@ CreateXImage(display, visual, depth, format, width, height, image_return) return (XpmNoMemory); #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height) + return XpmNoMemory; /* now that bytes_per_line must have been set properly alloc data */ (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); @@ -2055,6 +2061,9 @@ xpmParseDataAndCreate(display, data, image_return, shapeimage_return, xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ + if (ncolors >= SIZE_MAX / sizeof(Pixel)) + return XpmNoMemory; + image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); @@ -2309,7 +2318,8 @@ ParseAndPutPixels( } obm = SelectObject(*dc, image->bitmap); #endif - + if (ncolors > 256) + return (XpmFileInvalid); bzero((char *)colidx, 256 * sizeof(short)); for (a = 0; a < ncolors; a++) @@ -2415,6 +2425,9 @@ if (cidx[f]) XpmFree(cidx[f]);} char *s; char buf[BUFSIZ]; + if (cpp >= sizeof(buf)) + return (XpmFileInvalid); + buf[cpp] = '\0'; if (USE_HASHTABLE) { xpmHashAtom *slot; |