File xv-3.10a-overflow.dif of Package xv
!
! Copy always not more as the length of the buffers for the
! filenames and the basename of them.
!
! Avoid counting past the allocated array behind a pointer
! in xvbmp.c, as the new glibc will call abort() on a free()
! of that pointer.
! Use unsigned integers for the comparison that detects wrong
! picture dimensions; otherwise the new gcc will fool us
! with a false-negative check.
!
--- xv.c
+++ xv.c 2011-07-07 08:58:48.831925986 +0000
@@ -64,7 +64,7 @@ static const char *maingeom = NULL;
static const char *icongeom = NULL;
static Atom __SWM_VROOT = None;
-static char basefname[128]; /* just the current fname, no path */
+static char basefname[MAXNAMELEN+1]; /* just the current fname, no path */
#ifdef TV_L10N
# ifndef TV_FONTSET
@@ -2094,7 +2094,7 @@ static int openPic(filenum)
int oldCXOFF, oldCYOFF, oldCWIDE, oldCHIGH, wascropped;
char *tmp;
char *fullname, /* full name of the original file */
- filename[512]; /* full name of file to load (could be /tmp/xxx)*/
+ filename[MAXPATHLEN+1]; /* full name of file to load (could be /tmp/xxx)*/
#ifdef MACBINARY
char origname[512]; /* file name of original file (NO processing) */
origname[0] = '\0';
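Review bot: `char origname[512]` on the MACBINARY path keeps its fixed size while the sibling `filename` next to it grows to `MAXPATHLEN+1`, so if origname is later filled from `filename` or `fullname` (not visible in this hunk) that copy needs its own bound. Declaring it `char origname[MAXPATHLEN+1];` keeps the two buffers in step with the header. openPic's body continues outside the hunk.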
@@ -2137,7 +2137,7 @@ static int openPic(filenum)
return 0;
}
- sprintf(filename, "%s%d", pageBaseName, curPage+1);
+ snprintf(filename, sizeof(filename)-1, "%s%d", pageBaseName, curPage+1);
fullname = filename;
goto HAVE_FILENAME;
}
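Review bot: `snprintf(filename, sizeof(filename)-1, ...)` gives snprintf one byte less than the buffer, which is unnecessary — snprintf NUL-terminates within whatever size it is given — and the same `size-1` habit recurs in the @@ -2357 and @@ -2469 hunks of xv.c and in the xvtext.c hunk, where `sizeof tv->title` would tie the bound to the declaration if `title` is an array. More important, the return value is discarded, so a `pageBaseName` longer than the buffer produces a silently truncated path that is then opened as a different file; in the @@ -2357 hunk a truncated `%s/xvXXXXXX` is no longer a valid temp-file template either. `int n = snprintf(filename, sizeof filename, "%s%d", pageBaseName, curPage+1); if (n < 0 || (size_t)n >= sizeof filename) goto FAILED;` turns truncation into the existing failure path. openPic continues outside the hunk.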
@@ -2180,8 +2180,8 @@ static int openPic(filenum)
i = LoadPad(&pinfo, fullfname);
fullname = fullfname;
- strcpy(filename, fullfname);
- strcpy(basefname, BaseName(fullfname));
+ strncpy(filename, fullfname, sizeof(filename)-1);
+ strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1);
if (!i) goto FAILED; /* shouldn't happen */
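Review bot: `strncpy(filename, fullfname, sizeof(filename)-1)` leaves `filename` without a terminator whenever the source is `sizeof(filename)-1` characters or longer, and `filename` is an automatic array in openPic with no initializer (@@ -2094), so `filename[MAXPATHLEN]` is then indeterminate and any later read of it as a C string — the `strcmp(fullname,filename)` in the @@ -2415 hunk, for one — can run past the buffer. `basefname` is static (@@ -64) so its last byte is reliably zero, but the same hazard applies to every strncpy into `filename` in the @@ -2225, @@ -2345, @@ -2415 and @@ -2469 hunks, and to `fullfname` in @@ -2247 unless that buffer is known to be zero-initialized. Either terminate after each copy, `filename[sizeof(filename)-1] = '\0';`, or replace the copy with `snprintf(filename, sizeof filename, "%s", fullfname);`, which bounds and terminates in one step. openPic continues outside the hunk.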
@@ -2225,7 +2225,7 @@ static int openPic(filenum)
fullname = GetDirFullName();
if (ISPIPE(fullname[0])) { /* read from a pipe. */
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
if (readpipe(fullname, filename)) goto FAILED;
frompipe = 1;
}
@@ -2247,9 +2247,8 @@ static int openPic(filenum)
else fullname = namelist[filenum];
#endif
- strcpy(fullfname, fullname);
- strcpy(basefname, BaseName(fullname));
-
+ strncpy(fullfname, fullname, sizeof(fullfname)-1);
+ strncpy(basefname, BaseName(fullname), sizeof(basefname)-1);
/* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */
if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0)
@@ -2345,7 +2344,7 @@ static int openPic(filenum)
}
}
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
/* if the file is STDIN, write it out to a temp file */
@@ -2357,7 +2356,7 @@ static int openPic(filenum)
#endif
#ifndef VMS
- sprintf(filename,"%s/xvXXXXXX",tmpdir);
+ snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir);
#else /* it is VMS */
sprintf(filename, "[]xvXXXXXX");
#endif
@@ -2415,7 +2414,7 @@ static int openPic(filenum)
/* if we made a /tmp file (from stdin, etc.) won't need it any more */
if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
}
else filetype = RFT_ERROR;
@@ -2469,14 +2468,14 @@ static int openPic(filenum)
filetype = ReadFileType(tmpname);
if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
}
ms_auto_no:
#endif /* HAVE_MGCSFX_AUTO */
if (filetype == RFT_ERROR) {
- char foostr[512];
- sprintf(foostr,"Can't open file '%s'\n\n %s.",filename, ERRSTR(errno));
+ char foostr[256+MAXPATHLEN+1];
+ snprintf(foostr, sizeof(foostr)-1, "Can't open file '%s'\n\n %s.",filename, ERRSTR(errno));
if (!polling) ErrPopUp(foostr, "\nBummer!");
--- xv.h
+++ xv.h 2011-07-07 09:00:42.988883250 +0000
@@ -87,6 +87,9 @@
# ifndef _LINUX_LIMITS_H
# include <linux/limits.h>
# endif
+# ifndef _LIBC_LIMITS_H_
+# include <limits.h>
+# endif
# ifndef USLEEP
# define USLEEP
# endif
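Review bot: `#ifndef _LIBC_LIMITS_H_` around the new `#include <limits.h>` tests a glibc-private guard macro: on glibc it is redundant because <limits.h> guards itself, and on any other libc the name is never defined, so the conditional buys nothing and reads as if limits.h were optional. A plain `# include <limits.h>` is enough, and it is what the `PATH_MAX`/`NAME_MAX` tests in the later xv.h hunk depend on. Whether this block sits inside a Linux-only conditional cannot be seen from the hunk.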
@@ -327,9 +330,20 @@
#endif
#ifndef MAXPATHLEN
-# define MAXPATHLEN 256
+# ifdef PATH_MAX
+# define MAXPATHLEN PATH_MAX
+# else
+# define MAXPATHLEN 512
+# endif
#endif
+#ifndef MAXNAMELEN
+# ifdef NAME_MAX
+# define MAXNAMELEN NAME_MAX
+# else
+# define MAXNAMELEN 128
+# endif
+#endif
#ifdef SVR4
# define random lrand48
--- xvbmp.c
+++ xvbmp.c 2008-05-27 12:37:34.384175224 +0200
@@ -191,6 +191,9 @@ int LoadBMP(fname, pinfo)
bPad -= 12;
}
+ if (biClrUsed > (1 << biBitCount))
+ biClrUsed = (1 << biBitCount);
+
/* load up colormap, if any */
if (biBitCount == 1 || biBitCount == 4 || biBitCount == 8) {
int i, cmaplen;
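Review bot: `1 << biBitCount` is undefined behaviour when biBitCount is 32 (shift by the full width of int) and goes negative at 31, and this clamp runs for every bit depth, before the `biBitCount == 1 || biBitCount == 4 || biBitCount == 8` test below; whether a 32-bit-per-pixel header can reach this point depends on validation outside the hunk. Restricting the clamp to the palette depths it is meant for removes the question: `if (biBitCount <= 8 && biClrUsed > (1U << biBitCount)) biClrUsed = (1U << biBitCount);`. LoadBMP continues outside the hunk.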
@@ -237,7 +240,7 @@ int LoadBMP(fname, pinfo)
if (biWidth == 0 || biHeight == 0 || npixels/biWidth != biHeight ||
count/3 != npixels)
return (bmpError(bname, "image dimensions too large"));
- pic24 = (byte *) calloc((size_t) count, (size_t) 1);
+ pic24 = (byte *) calloc((size_t) (count + 1), (size_t) 1);
if (!pic24) return (bmpError(bname, "couldn't malloc 'pic24'"));
}
else {
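Review bot: `calloc((size_t) (count + 1), 1)` here, and `npixels + 1` in the next hunk, hand the readers one spare byte, which hides an off-by-one in whichever decoder writes at `pend` instead of stopping before it rather than fixing the bound; a decoder that overruns by more than one byte would still corrupt the heap, which is the glibc abort the description mentions. The bound belongs in the readers' `pend` checks (loadBMP8 is in the @@ -466 hunk; the other loaders are outside this patch); if the spare byte is intentional padding, a comment such as `/* +1: readers may write at pic24[count] */` should say so. `count + 1` could in principle wrap when `count` is at its type's maximum, which the `count/3 != npixels` test alone does not exclude, so the +1 is better folded into the earlier overflow check. LoadBMP continues outside the hunk.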
@@ -245,7 +248,7 @@ int LoadBMP(fname, pinfo)
if (biWidth == 0 || biHeight == 0 || npixels/biWidth != biHeight)
return (bmpError(bname, "image dimensions too large"));
- pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
+ pic8 = (byte *) calloc((size_t) (npixels + 1), (size_t) 1);
if (!pic8) return(bmpError(bname, "couldn't malloc 'pic8'"));
}
@@ -466,7 +469,7 @@ static int loadBMP8(fp, pic8, w, h, comp
rv = 0;
- pend = pic8 + w * h;
+ pend = pic8 + l;
if (comp == BI_RGB) { /* read uncompressed data */
padw = ((w + 3)/4) * 4; /* 'w' padded to a multiple of 4pix (32 bits) */
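Review bot: `pend = pic8 + l;` uses a variable `l` that nothing in this patch declares or assigns, and loadBMP8's parameter list in the hunk header shows only `(fp, pic8, w, h, comp` (possibly cut off), so either the base tree already carries `l` or this hunk does not compile on its own. If `l` is the allocated length, it has to agree with the calloc size chosen in the @@ -245 hunk (`npixels` or `npixels + 1`) or the bound and the allocation drift apart; a comment at this line, `/* l: bytes allocated for pic8 by LoadBMP */`, would pin that contract down. loadBMP8 continues outside the hunk.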
--- xvpbm.c
+++ xvpbm.c 2008-05-26 17:47:31.890952085 +0200
@@ -5,6 +5,7 @@
* WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment)
*/
+#include <stdint.h>
#include "copyright.h"
#include "xv.h"
@@ -234,12 +235,17 @@ static int loadpbm(fp, pinfo, raw)
byte *pic8;
byte *pix;
int i,j,bit,w,h,npixels;
+ uint64_t pixchk;
w = pinfo->w;
h = pinfo->h;
npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
return pbmError(bname, "image dimensions too large");
pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
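Review bot: `npixels = w * h;` still executes before the new comparison, so for oversize dimensions the signed multiply overflows — undefined behaviour — before `pixchk` is ever consulted, and that is precisely the optimisation the description warns about: with w, h > 0 and no overflow assumed, gcc may treat `(uint64_t)npixels != pixchk` as always false and discard the check. Compute the 64-bit product first, reject it when it does not fit an int, and only then assign `npixels`; `INT_MAX` comes from <limits.h>, which this patch has xv.h include on the Linux path. loadpgm (@@ -305), loadppm (@@ -389, also for `bufsize`) and loadpam (@@ -488, also for `bufsize` and `linebufsize`) need the same reordering. loadpbm continues outside the hunk.
```c
  w = pinfo->w;
  h = pinfo->h;
  if (w <= 0 || h <= 0)
    return pbmError(bname, "image dimensions too large");
  pixchk = (uint64_t)w * (uint64_t)h;          /* cannot overflow for two positive ints */
  if (pixchk > (uint64_t)INT_MAX)
    return pbmError(bname, "image dimensions too large");
  npixels = (int)pixchk;                       /* only now known to fit */
  /* … unchanged: calloc of pic8 … */
```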
@@ -305,13 +311,17 @@ static int loadpgm(fp, pinfo, raw, maxv)
{
byte *pix, *pic8;
int i,j,bitshift,w,h,npixels, holdmaxv;
-
+ uint64_t pixchk;
w = pinfo->w;
h = pinfo->h;
npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
return pbmError(bname, "image dimensions too large");
pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -389,13 +399,20 @@ static int loadppm(fp, pinfo, raw, maxv)
{
byte *pix, *pic24, scale[256];
int i,j,bitshift, w, h, npixels, bufsize, holdmaxv;
+ uint64_t bufchk, pixchk;
w = pinfo->w;
h = pinfo->h;
npixels = w * h;
bufsize = 3*npixels;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk)
return pbmError(bname, "image dimensions too large");
/* allocate 24-bit image */
@@ -481,6 +498,7 @@ static int loadpam(fp, pinfo, raw, maxv)
{
byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a;
int i, j, bitshift, w, h, npixels, bufsize, linebufsize, holdmaxv;
+ uint64_t bufchk, pixchk, lnbchk;
w = pinfo->w;
h = pinfo->h;
@@ -488,8 +506,16 @@ static int loadpam(fp, pinfo, raw, maxv)
npixels = w * h;
bufsize = 3*npixels;
linebufsize = 4*w;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels ||
- linebufsize/4 != w)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ lnbchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+ lnbchk *= 4ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk ||
+ (uint64_t)linebufsize != lnbchk)
return pbmError(bname, "image dimensions too large");
/* allocate 24-bit image */
--- xvtext.c
+++ xvtext.c 2011-11-02 12:38:01.383646158 +0000
@@ -545,9 +545,9 @@ void ChangeCommentText()
tv->freeonclose = 0;
if (strlen(fullfname))
- sprintf(tv->title, "File: '%s'", BaseName(fullfname));
+ snprintf(tv->title, TITLELEN-1, "File: '%s'", BaseName(fullfname));
else
- sprintf(tv->title, "<no file loaded>");
+ snprintf(tv->title, TITLELEN-1, "<no file loaded>");
computeText(tv); /* compute # lines and linestarts array */