Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Factory:NonFree
xv
xv-3.10a-overflow.dif
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xv-3.10a-overflow.dif of Package xv
! ! Copy always not more as the length of the buffers for the ! filenames and the basename of them. ! ! Avoid to count over the allocated array under a pointer ! in xvbmp.c as the new glibc will call abort() on a free() ! on that pointer. ! Use unsigned integers for comparison to detected wrong ! picture dimensions otherwise the new gcc will fool us ! with a false negative check. ! --- src/xv.c | 33 ++++++++++++++++----------------- src/xv.h | 16 +++++++++++++++- src/xvbmp.c | 9 ++++++--- src/xvpbm.c | 38 ++++++++++++++++++++++++++++++++------ src/xvpcx.c | 3 ++- src/xvtext.c | 4 ++-- 6 files changed, 73 insertions(+), 30 deletions(-) --- src/xv.c +++ src/xv.c 2023-05-30 09:09:45.343497970 +0000 @@ -64,7 +64,7 @@ static const char *maingeom = NULL; static const char *icongeom = NULL; static Atom __SWM_VROOT = None; -static char basefname[NAME_MAX+1]; /* just the current fname, no path */ +static char basefname[MAXNAMELEN+1]; /* just the current fname, no path */ #ifdef TV_L10N # ifndef TV_FONTSET @@ -2104,7 +2104,7 @@ static int openPic(filenum) int oldCXOFF, oldCYOFF, oldCWIDE, oldCHIGH, wascropped; char *tmp; char *fullname, /* full name of the original file */ - filename[512]; /* full name of file to load (could be /tmp/xxx)*/ + filename[MAXPATHLEN+1]; /* full name of file to load (could be /tmp/xxx)*/ #ifdef MACBINARY char origname[512]; /* file name of original file (NO processing) */ origname[0] = '\0'; @@ -2147,7 +2147,7 @@ static int openPic(filenum) return 0; } - sprintf(filename, "%s%d", pageBaseName, curPage+1); + snprintf(filename, sizeof(filename)-1, "%s%d", pageBaseName, curPage+1); fullname = filename; goto HAVE_FILENAME; } @@ -2192,9 +2192,9 @@ static int openPic(filenum) if (!i) goto FAILED; /* shouldn't happen */ fullname = fullfname; - strcpy(filename, fullfname); - if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED; - strcpy(basefname, BaseName(fullfname)); + strncpy(filename, fullfname, sizeof(filename)-1); + if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED; + strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1); if (killpage) { /* kill old page files, if any */ @@ -2237,7 +2237,7 @@ static int openPic(filenum) fullname = GetDirFullName(); if (ISPIPE(fullname[0])) { /* read from a pipe. */ - strcpy(filename, fullname); + strncpy(filename, fullname, sizeof(filename)-1); if (readpipe(fullname, filename)) goto FAILED; frompipe = 1; } @@ -2259,10 +2259,9 @@ static int openPic(filenum) else fullname = namelist[filenum]; #endif - strcpy(fullfname, fullname); - if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED; - strcpy(basefname, BaseName(fullname)); - + strncpy(fullfname, fullname, sizeof(fullfname)-1); + if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED; + strncpy(basefname, BaseName(fullname), sizeof(basefname)-1); /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */ if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0) @@ -2358,7 +2357,7 @@ static int openPic(filenum) } } - strcpy(filename, fullname); + strncpy(filename, fullname, sizeof(filename)-1); /* if the file is STDIN, write it out to a temp file */ @@ -2370,7 +2369,7 @@ static int openPic(filenum) #endif #ifndef VMS - sprintf(filename,"%s/xvXXXXXX",tmpdir); + snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir); #else /* it is VMS */ sprintf(filename, "[]xvXXXXXX"); #endif @@ -2428,7 +2427,7 @@ static int openPic(filenum) /* if we made a /tmp file (from stdin, etc.) won't need it any more */ if (strcmp(fullname,filename)!=0) unlink(filename); - strcpy(filename, tmpname); + strncpy(filename, tmpname, sizeof(filename)-1); } else filetype = RFT_ERROR; @@ -2482,14 +2481,14 @@ static int openPic(filenum) filetype = ReadFileType(tmpname); if (strcmp(fullname,filename)!=0) unlink(filename); - strcpy(filename, tmpname); + strncpy(filename, tmpname, sizeof(filename)-1); } ms_auto_no: #endif /* HAVE_MGCSFX_AUTO */ if (filetype == RFT_ERROR) { - char foostr[512]; - sprintf(foostr,"Can't open file '%s'\n\n %s.",filename, ERRSTR(errno)); + char foostr[256+MAXPATHLEN+1]; + snprintf(foostr, sizeof(foostr)-1, "Can't open file '%s'\n\n %s.",filename, ERRSTR(errno)); if (!polling) ErrPopUp(foostr, "\nBummer!"); --- src/xv.h +++ src/xv.h 2023-05-30 08:48:51.110190986 +0000 @@ -117,6 +117,9 @@ # ifndef _LINUX_LIMITS_H # include <linux/limits.h> # endif +# ifndef _LIBC_LIMITS_H_ +# include <limits.h> +# endif # ifndef USLEEP # define USLEEP # endif @@ -370,9 +373,20 @@ #endif #ifndef MAXPATHLEN -# define MAXPATHLEN 256 +# ifdef PATH_MAX +# define MAXPATHLEN PATH_MAX +# else +# define MAXPATHLEN 512 +# endif #endif +#ifndef MAXNAMELEN +# ifdef NAME_MAX +# define MAXNAMELEN NAME_MAX +# else +# define MAXNAMELEN 128 +# endif +#endif #ifdef SVR4 # define random lrand48 --- src/xvpbm.c +++ src/xvpbm.c 2023-05-30 09:09:45.347497898 +0000 @@ -5,6 +5,7 @@ * WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment) */ +#include <stdint.h> #include "copyright.h" #include "xv.h" @@ -234,12 +235,17 @@ static int loadpbm(fp, pinfo, raw) byte *pic8; byte *pix; int i,j,bit,w,h,npixels; + uint64_t pixchk; w = pinfo->w; h = pinfo->h; npixels = w * h; - if (w <= 0 || h <= 0 || npixels/w != h) + + pixchk = (uint64_t)w; + pixchk *= (uint64_t)h; + + if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk) return pbmError(bname, "image dimensions too large"); pic8 = (byte *) calloc((size_t) npixels, (size_t) 1); @@ -305,13 +311,17 @@ static int loadpgm(fp, pinfo, raw, maxv) { byte *pix, *pic8; int i,j,bitshift,w,h,npixels, holdmaxv; - + uint64_t pixchk; w = pinfo->w; h = pinfo->h; npixels = w * h; - if (w <= 0 || h <= 0 || npixels/w != h) + + pixchk = (uint64_t)w; + pixchk *= (uint64_t)h; + + if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk) return pbmError(bname, "image dimensions too large"); pic8 = (byte *) calloc((size_t) npixels, (size_t) 1); @@ -389,13 +399,20 @@ static int loadppm(fp, pinfo, raw, maxv) { byte *pix, *pic24, scale[256]; int i,j,bitshift, w, h, npixels, bufsize, holdmaxv; + uint64_t bufchk, pixchk; w = pinfo->w; h = pinfo->h; npixels = w * h; bufsize = 3*npixels; - if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels) + + pixchk = (uint64_t)w; + bufchk = (uint64_t)npixels; + pixchk *= (uint64_t)h; + bufchk *= 3ULL; + + if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk) return pbmError(bname, "image dimensions too large"); /* allocate 24-bit image */ @@ -481,6 +498,7 @@ static int loadpam(fp, pinfo, raw, maxv) { byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a; int i, j, bitshift, w, h, npixels, bufsize, linebufsize, holdmaxv; + uint64_t bufchk, pixchk, lnbchk; w = pinfo->w; h = pinfo->h; @@ -488,8 +506,16 @@ static int loadpam(fp, pinfo, raw, maxv) npixels = w * h; bufsize = 3*npixels; linebufsize = 4*w; - if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels || - linebufsize/4 != w) + + pixchk = (uint64_t)w; + bufchk = (uint64_t)npixels; + lnbchk = (uint64_t)w; + pixchk *= (uint64_t)h; + bufchk *= 3ULL; + lnbchk *= 4ULL; + + if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk || + (uint64_t)linebufsize != lnbchk) return pbmError(bname, "image dimensions too large"); /* allocate 24-bit image */ --- src/xvpcx.c +++ src/xvpcx.c 2023-05-30 13:31:20.392741202 +0000 @@ -255,7 +255,8 @@ static int pcxLoadImage24(fname, fp, pin byte *hdr; { byte *pix, *pic24, scale[256]; - int c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes, count; + int c, i, j, w, h, maxv, cnt, planes, bperlin; + long nbytes, count; w = pinfo->w; h = pinfo->h; --- src/xvtext.c +++ src/xvtext.c 2023-05-30 09:09:45.347497898 +0000 @@ -545,9 +545,9 @@ void ChangeCommentText() tv->freeonclose = 0; if (strlen(fullfname)) - sprintf(tv->title, "File: '%s'", BaseName(fullfname)); + snprintf(tv->title, TITLELEN-1, "File: '%s'", BaseName(fullfname)); else - sprintf(tv->title, "<no file loaded>"); + snprintf(tv->title, TITLELEN-1, "<no file loaded>"); computeText(tv); /* compute # lines and linestarts array */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor