File smalltalk-2.1.10-xpm-secfix-thomas.patch of Package smalltalk
--- packages/blox/tk/BloxTK.c
+++ packages/blox/tk/BloxTK.c
@@ -84,6 +84,7 @@
#if defined(SCO) || defined(__USLC__)
#include <stdint.h> /* For SIZE_MAX */
#endif
+#include <sys/types.h>
#include <limits.h>
#ifndef SIZE_MAX
# ifdef ULONG_MAX
@@ -94,14 +95,14 @@
#endif
#ifdef HAS_STRLCAT
-# define STRLCAT(dst, src, dstsize) { \
+# define STRLCAT(dst, src, dstsize) do { \
if (strlcat(dst, src, dstsize) >= (dstsize)) \
- return (TCL_ERROR); } /* File invalid */
+ return (TCL_ERROR); } while(0) /* File invalid */
#else
-# define STRLCAT(dst, src, dstsize) { \
+# define STRLCAT(dst, src, dstsize) do { \
if ((strlen(dst) + strlen(src)) < (dstsize)) \
strcat(dst, src); \
- else return (TCL_ERROR); } /* File invalid */
+ else return (TCL_ERROR); } while(0) /* File invalid */
#endif
/* Smalltalk call-ins */
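Review bot: Both STRLCAT variants still bury a `return (TCL_ERROR)` inside the macro, so a caller that holds an allocation when the concatenation fails leaves its function without releasing it. The `do { ... } while(0)` wrapper only fixes how the macro parses as a statement. The call sites are outside this hunk, so each one needs checking for memory owned at that point. At minimum I would document the hidden exit above the macro: `/* NOTE: returns TCL_ERROR from the calling function on truncation; callers must not hold unfreed memory */`. In the fallback branch `dst` and `src` are expanded twice and unparenthesized, so arguments with side effects would be evaluated more than once.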
@@ -449,7 +450,7 @@
n--;
mdata->cptr--;
- return (n);
+ return (n); /* this returns bytes read + 1 */
}
/*
@@ -485,7 +486,7 @@
int
xpmParseHeader (XpmData * mdata)
{
- char buf[BUFSIZ + 1];
+ char buf[BUFSIZ + 1] = {0};
int l, n = 0;
mdata->Bos = '\0';
@@ -757,7 +758,7 @@
xpmFreeColorTable (colorTable, ncolors);
return (TCL_ERROR); /* File invalid */
}
- len = strlen (curbuf) + 1;
+ len = strlen (curbuf) + 1; /* integer overflow just theoretically possible */
s = defaults[curkey] = (char *) malloc (len);
if (!s)
{
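Review bot: The added comment on `len = strlen (curbuf) + 1;` records an overflow concern without removing it. The `+ 1` cannot realistically wrap in `size_t`, so the remaining risk is narrowing if `len` is declared as `int` or `unsigned int`; its declaration is outside the hunk. If that is the case, declaring it as `size_t len;` keeps the `malloc (len)` size and the later `memcpy(s, curbuf, len)` consistent, and the comment can then be dropped.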
@@ -817,7 +818,7 @@
memcpy(s, curbuf, len);
color->c_color = s;
*curbuf = '\0'; /* reset curbuf */
- if (a < ncolors - 1)
+ if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
xpmNextString (data); /* get to the next string */
}
}
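Review bot: The new comment on `if (a < ncolors - 1)` asks whether `ncolors` can be trusted but leaves the question open, which gives a later maintainer nothing to act on. If `ncolors` is unsigned here (it is `unsigned int` in the pixel-parsing signature further down), `ncolors - 1` wraps when the value is 0. Writing `if (a + 1 < ncolors)` avoids relying on the enclosing loop bound, which is outside the hunk. Once the validation point has been confirmed, the question should become a statement such as `/* ncolors comes from the file header; xpmNextString must stop at end of data */`.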
@@ -867,10 +868,10 @@
unsigned int ncolors, unsigned int cpp, XpmColor * colorTable,
unsigned int **pixels)
{
- unsigned int *iptr, *iptr2;
+ unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
unsigned int a, x, y;
- if ((height > 0 && width >= SIZE_MAX / height) ||
+ if ((height > 0 && width >= UINT_MAX / height) ||
width * height >= UINT_MAX / sizeof(unsigned int))
return (TCL_ERROR); /* No memory */
iptr2 = (unsigned int *) malloc (sizeof (unsigned int) * width * height);
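Review bot: A zero `width` or `height` passes the rewritten overflow check and reaches `malloc` with a size of 0, whose result is implementation-defined (either NULL or a pointer that must not be dereferenced). How the NULL check and the parsing loops after this line treat that case is outside the hunk. Rejecting it up front gives the same behaviour on every libc: `if (width == 0 || height == 0) return (TCL_ERROR);`. The `= NULL` initialiser on `iptr2` is harmless, but in the lines shown the variable is assigned by `malloc` before any read.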
@@ -886,8 +887,10 @@
{
unsigned int colrgb[256];
- if (ncolors > 256)
+ if (ncolors > 256) {
+ free(iptr2); /* found by Egbert Eich */
return (TCL_ERROR); /* File invalid */
+ }
memset (colrgb, 0, 256 * sizeof (int));
for (a = 0; a < 256; a++)
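Review bot: Releasing `iptr2` by hand at individual exits, here and in the `default:` case of the last hunk, leaves every other `return (TCL_ERROR)` between the `malloc` and `*pixels = iptr2;` to be audited separately. Those paths, including the ones that use FREE_CRGB, are outside the visible hunks. A single exit label would make the ownership rule checkable in one place, for example `fail: free(iptr2); return (TCL_ERROR);` with the error paths changed to `goto fail;`. Separately, `memset (colrgb, 0, 256 * sizeof (int));` would be less fragile as `memset (colrgb, 0, sizeof colrgb);`.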
@@ -918,8 +921,12 @@
{
/* free all allocated pointers at all exits */
-#define FREE_CRGB {int f; for (f = 0; f < 256; f++) \
-if (crgb[f]) free(crgb[f]);}
+#define FREE_CRGB \
+do \
+{ \
+ int f; for (f = 0; f < 256; f++) \
+ if (crgb[f]) free(crgb[f]); \
+} while(0)
/* array of pointers malloced by need */
unsigned int *crgb[256];
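Review bot: FREE_CRGB reads all 256 slots of `crgb`, but the array is declared without an initialiser, so any exit taken before it is cleared would pass indeterminate pointers to `free`. The clearing code, if there is any, is outside this hunk. Declaring `unsigned int *crgb[256] = {0};` would make the macro safe from the first line of the block, in the same way this patch initialises `buf` in xpmParseHeader. The `if (crgb[f])` guard can also go, since `free(NULL)` is a no-op.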
@@ -969,6 +976,7 @@
break;
default: /* Long color names */
+ free(iptr2); /* found by Egbert Eich */
return (TCL_ERROR); /* Not supported */
}
*pixels = iptr2;