File xv-3.10a-overflow.dif of Package xv

!
! Copy always not more as the length of the buffers for the
! filenames and the basename of them.
!
! Avoid to count over the allocated array under a pointer
! in xvbmp.c as the new glibc will call abort() on a free()
! on that pointer.
! Use unsigned integers for comparison to detected wrong
! picture dimensions otherwise the new gcc will fool us
! with a false negative check.
!
---
 src/xv.c     |   33 ++++++++++++++++-----------------
 src/xv.h     |   16 +++++++++++++++-
 src/xvbmp.c  |    9 ++++++---
 src/xvpbm.c  |   38 ++++++++++++++++++++++++++++++++------
 src/xvpcx.c  |    3 ++-
 src/xvtext.c |    4 ++--
 6 files changed, 73 insertions(+), 30 deletions(-)

--- src/xv.c
+++ src/xv.c	2023-05-30 09:09:45.343497970 +0000
@@ -64,7 +64,7 @@ static const char *maingeom = NULL;
 static const char *icongeom = NULL;
 static Atom   __SWM_VROOT = None;
 
-static char   basefname[NAME_MAX+1];   /* just the current fname, no path */
+static char   basefname[MAXNAMELEN+1];   /* just the current fname, no path */
 
 #ifdef TV_L10N
 #  ifndef TV_FONTSET
@@ -2104,7 +2104,7 @@ static int openPic(filenum)
   int   oldCXOFF, oldCYOFF, oldCWIDE, oldCHIGH, wascropped;
   char *tmp;
   char *fullname,       /* full name of the original file */
-        filename[512];  /* full name of file to load (could be /tmp/xxx)*/
+        filename[MAXPATHLEN+1];  /* full name of file to load (could be /tmp/xxx)*/
 #ifdef MACBINARY
   char origname[512];	/* file name of original file (NO processing) */
   origname[0] = '\0';
@@ -2147,7 +2147,7 @@ static int openPic(filenum)
       return 0;
     }
 
-    sprintf(filename, "%s%d", pageBaseName, curPage+1);
+    snprintf(filename, sizeof(filename)-1, "%s%d", pageBaseName, curPage+1);
     fullname = filename;
     goto HAVE_FILENAME;
   }
@@ -2192,9 +2192,9 @@ static int openPic(filenum)
     if (!i) goto FAILED;   /* shouldn't happen */
 
     fullname = fullfname;
-    strcpy(filename, fullfname);
-    if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
-    strcpy(basefname, BaseName(fullfname));
+    strncpy(filename, fullfname, sizeof(filename)-1);
+    if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED;
+    strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1);
 
 
     if (killpage) {      /* kill old page files, if any */
@@ -2237,7 +2237,7 @@ static int openPic(filenum)
     fullname = GetDirFullName();
 
     if (ISPIPE(fullname[0])) {    /* read from a pipe. */
-      strcpy(filename, fullname);
+      strncpy(filename, fullname, sizeof(filename)-1);
       if (readpipe(fullname, filename)) goto FAILED;
       frompipe = 1;
     }
@@ -2259,10 +2259,9 @@ static int openPic(filenum)
   else fullname = namelist[filenum];
 #endif
 
-  strcpy(fullfname, fullname);
-  if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
-  strcpy(basefname, BaseName(fullname));
-
+  strncpy(fullfname, fullname, sizeof(fullfname)-1);
+  if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED;
+  strncpy(basefname, BaseName(fullname), sizeof(basefname)-1);
 
   /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */
   if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0)
@@ -2358,7 +2357,7 @@ static int openPic(filenum)
       }
     }
 
-    strcpy(filename, fullname);
+    strncpy(filename, fullname, sizeof(filename)-1);
 
 
     /* if the file is STDIN, write it out to a temp file */
@@ -2370,7 +2369,7 @@ static int openPic(filenum)
 #endif
 
 #ifndef VMS
-      sprintf(filename,"%s/xvXXXXXX",tmpdir);
+      snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir);
 #else /* it is VMS */
       sprintf(filename, "[]xvXXXXXX");
 #endif
@@ -2428,7 +2427,7 @@ static int openPic(filenum)
       /* if we made a /tmp file (from stdin, etc.) won't need it any more */
       if (strcmp(fullname,filename)!=0) unlink(filename);
 
-      strcpy(filename, tmpname);
+      strncpy(filename, tmpname, sizeof(filename)-1);
     }
     else filetype = RFT_ERROR;
 
@@ -2482,14 +2481,14 @@ static int openPic(filenum)
 
       filetype = ReadFileType(tmpname);
       if (strcmp(fullname,filename)!=0) unlink(filename);
-      strcpy(filename, tmpname);
+      strncpy(filename, tmpname, sizeof(filename)-1);
   }
 ms_auto_no:
 #endif /* HAVE_MGCSFX_AUTO */
 
   if (filetype == RFT_ERROR) {
-    char  foostr[512];
-    sprintf(foostr,"Can't open file '%s'\n\n  %s.",filename, ERRSTR(errno));
+    char  foostr[256+MAXPATHLEN+1];
+    snprintf(foostr, sizeof(foostr)-1, "Can't open file '%s'\n\n  %s.",filename, ERRSTR(errno));
 
     if (!polling) ErrPopUp(foostr, "\nBummer!");
 
--- src/xv.h
+++ src/xv.h	2023-05-30 08:48:51.110190986 +0000
@@ -117,6 +117,9 @@
 #  ifndef _LINUX_LIMITS_H
 #    include <linux/limits.h>
 #  endif
+#  ifndef _LIBC_LIMITS_H_
+#    include <limits.h>
+#  endif
 #  ifndef USLEEP
 #    define USLEEP
 #  endif
@@ -370,9 +373,20 @@
 #endif
 
 #ifndef MAXPATHLEN
-#  define MAXPATHLEN 256
+#  ifdef PATH_MAX
+#    define MAXPATHLEN PATH_MAX
+#  else
+#    define MAXPATHLEN 512
+#  endif
 #endif
 
+#ifndef MAXNAMELEN
+#  ifdef NAME_MAX
+#    define MAXNAMELEN NAME_MAX
+#  else
+#    define MAXNAMELEN 128
+#  endif
+#endif
 
 #ifdef SVR4
 #  define random lrand48
--- src/xvpbm.c
+++ src/xvpbm.c	2023-05-30 09:09:45.347497898 +0000
@@ -5,6 +5,7 @@
  * WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment)
  */
 
+#include <stdint.h>
 #include "copyright.h"
 
 #include "xv.h"
@@ -234,12 +235,17 @@ static int loadpbm(fp, pinfo, raw)
   byte *pic8;
   byte *pix;
   int   i,j,bit,w,h,npixels;
+  uint64_t pixchk;
 
   w = pinfo->w;
   h = pinfo->h;
 
   npixels = w * h;
-  if (w <= 0 || h <= 0 || npixels/w != h)
+
+  pixchk = (uint64_t)w;
+  pixchk *= (uint64_t)h;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
     return pbmError(bname, "image dimensions too large");
 
   pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -305,13 +311,17 @@ static int loadpgm(fp, pinfo, raw, maxv)
 {
   byte *pix, *pic8;
   int   i,j,bitshift,w,h,npixels, holdmaxv;
-
+  uint64_t pixchk;
 
   w = pinfo->w;
   h = pinfo->h;
 
   npixels = w * h;
-  if (w <= 0 || h <= 0 || npixels/w != h)
+
+  pixchk = (uint64_t)w;
+  pixchk *= (uint64_t)h;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
     return pbmError(bname, "image dimensions too large");
 
   pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -389,13 +399,20 @@ static int loadppm(fp, pinfo, raw, maxv)
 {
   byte *pix, *pic24, scale[256];
   int   i,j,bitshift, w, h, npixels, bufsize, holdmaxv;
+  uint64_t  bufchk, pixchk;
 
   w = pinfo->w;
   h = pinfo->h;
 
   npixels = w * h;
   bufsize = 3*npixels;
-  if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels)
+
+  pixchk = (uint64_t)w;
+  bufchk = (uint64_t)npixels;
+  pixchk *= (uint64_t)h;
+  bufchk *= 3ULL;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk)
     return pbmError(bname, "image dimensions too large");
 
   /* allocate 24-bit image */
@@ -481,6 +498,7 @@ static int loadpam(fp, pinfo, raw, maxv)
 {
   byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a;
   int   i, j, bitshift, w, h, npixels, bufsize, linebufsize, holdmaxv;
+  uint64_t  bufchk, pixchk, lnbchk;
 
   w = pinfo->w;
   h = pinfo->h;
@@ -488,8 +506,16 @@ static int loadpam(fp, pinfo, raw, maxv)
   npixels = w * h;
   bufsize = 3*npixels;
   linebufsize = 4*w;
-  if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels ||
-      linebufsize/4 != w)
+
+  pixchk = (uint64_t)w;
+  bufchk = (uint64_t)npixels;
+  lnbchk = (uint64_t)w;
+  pixchk *= (uint64_t)h;
+  bufchk *= 3ULL;
+  lnbchk *= 4ULL;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk ||
+      (uint64_t)linebufsize != lnbchk)
     return pbmError(bname, "image dimensions too large");
 
   /* allocate 24-bit image */
--- src/xvpcx.c
+++ src/xvpcx.c	2023-05-30 13:31:20.392741202 +0000
@@ -255,7 +255,8 @@ static int pcxLoadImage24(fname, fp, pin
      byte *hdr;
 {
   byte *pix, *pic24, scale[256];
-  int   c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes, count;
+  int   c, i, j, w, h, maxv, cnt, planes, bperlin;
+  long  nbytes, count;
 
   w = pinfo->w;  h = pinfo->h;
 
--- src/xvtext.c
+++ src/xvtext.c	2023-05-30 09:09:45.347497898 +0000
@@ -545,9 +545,9 @@ void ChangeCommentText()
   tv->freeonclose = 0;
 
   if (strlen(fullfname))
-    sprintf(tv->title, "File: '%s'", BaseName(fullfname));
+    snprintf(tv->title, TITLELEN-1, "File: '%s'", BaseName(fullfname));
   else
-    sprintf(tv->title, "<no file loaded>");
+    snprintf(tv->title, TITLELEN-1, "<no file loaded>");
 
   computeText(tv);      /* compute # lines and linestarts array */
 
openSUSE Build Service is sponsored by