File xv-3.10a-overflow.dif of Package xv
!
! Copy always not more as the length of the buffers for the
! filenames and the basename of them.
!
! Avoid to count over the allocated array under a pointer
! in xvbmp.c as the new glibc will call abort() on a free()
! on that pointer.
! Use unsigned integers for comparison to detected wrong
! picture dimensions otherwise the new gcc will fool us
! with a false negative check.
!
---
src/xv.c | 33 ++++++++++++++++-----------------
src/xv.h | 16 +++++++++++++++-
src/xvbmp.c | 9 ++++++---
src/xvpbm.c | 38 ++++++++++++++++++++++++++++++++------
src/xvpcx.c | 3 ++-
src/xvtext.c | 4 ++--
6 files changed, 73 insertions(+), 30 deletions(-)
--- src/xv.c
+++ src/xv.c 2023-05-30 09:09:45.343497970 +0000
@@ -64,7 +64,7 @@ static const char *maingeom = NULL;
static const char *icongeom = NULL;
static Atom __SWM_VROOT = None;
-static char basefname[NAME_MAX+1]; /* just the current fname, no path */
+static char basefname[MAXNAMELEN+1]; /* just the current fname, no path */
#ifdef TV_L10N
# ifndef TV_FONTSET
@@ -2104,7 +2104,7 @@ static int openPic(filenum)
int oldCXOFF, oldCYOFF, oldCWIDE, oldCHIGH, wascropped;
char *tmp;
char *fullname, /* full name of the original file */
- filename[512]; /* full name of file to load (could be /tmp/xxx)*/
+ filename[MAXPATHLEN+1]; /* full name of file to load (could be /tmp/xxx)*/
#ifdef MACBINARY
char origname[512]; /* file name of original file (NO processing) */
origname[0] = '\0';
@@ -2147,7 +2147,7 @@ static int openPic(filenum)
return 0;
}
- sprintf(filename, "%s%d", pageBaseName, curPage+1);
+ snprintf(filename, sizeof(filename)-1, "%s%d", pageBaseName, curPage+1);
fullname = filename;
goto HAVE_FILENAME;
}
@@ -2192,9 +2192,9 @@ static int openPic(filenum)
if (!i) goto FAILED; /* shouldn't happen */
fullname = fullfname;
- strcpy(filename, fullfname);
- if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
- strcpy(basefname, BaseName(fullfname));
+ strncpy(filename, fullfname, sizeof(filename)-1);
+ if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED;
+ strncpy(basefname, BaseName(fullfname), sizeof(basefname)-1);
if (killpage) { /* kill old page files, if any */
@@ -2237,7 +2237,7 @@ static int openPic(filenum)
fullname = GetDirFullName();
if (ISPIPE(fullname[0])) { /* read from a pipe. */
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
if (readpipe(fullname, filename)) goto FAILED;
frompipe = 1;
}
@@ -2259,10 +2259,9 @@ static int openPic(filenum)
else fullname = namelist[filenum];
#endif
- strcpy(fullfname, fullname);
- if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
- strcpy(basefname, BaseName(fullname));
-
+ strncpy(fullfname, fullname, sizeof(fullfname)-1);
+ if (strlen(BaseName(fullfname)) > MAXNAMELEN) goto FAILED;
+ strncpy(basefname, BaseName(fullname), sizeof(basefname)-1);
/* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */
if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0)
@@ -2358,7 +2357,7 @@ static int openPic(filenum)
}
}
- strcpy(filename, fullname);
+ strncpy(filename, fullname, sizeof(filename)-1);
/* if the file is STDIN, write it out to a temp file */
@@ -2370,7 +2369,7 @@ static int openPic(filenum)
#endif
#ifndef VMS
- sprintf(filename,"%s/xvXXXXXX",tmpdir);
+ snprintf(filename, sizeof(filename)-1, "%s/xvXXXXXX", tmpdir);
#else /* it is VMS */
sprintf(filename, "[]xvXXXXXX");
#endif
@@ -2428,7 +2427,7 @@ static int openPic(filenum)
/* if we made a /tmp file (from stdin, etc.) won't need it any more */
if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
}
else filetype = RFT_ERROR;
@@ -2482,14 +2481,14 @@ static int openPic(filenum)
filetype = ReadFileType(tmpname);
if (strcmp(fullname,filename)!=0) unlink(filename);
- strcpy(filename, tmpname);
+ strncpy(filename, tmpname, sizeof(filename)-1);
}
ms_auto_no:
#endif /* HAVE_MGCSFX_AUTO */
if (filetype == RFT_ERROR) {
- char foostr[512];
- sprintf(foostr,"Can't open file '%s'\n\n %s.",filename, ERRSTR(errno));
+ char foostr[256+MAXPATHLEN+1];
+ snprintf(foostr, sizeof(foostr)-1, "Can't open file '%s'\n\n %s.",filename, ERRSTR(errno));
if (!polling) ErrPopUp(foostr, "\nBummer!");
--- src/xv.h
+++ src/xv.h 2023-05-30 08:48:51.110190986 +0000
@@ -117,6 +117,9 @@
# ifndef _LINUX_LIMITS_H
# include <linux/limits.h>
# endif
+# ifndef _LIBC_LIMITS_H_
+# include <limits.h>
+# endif
# ifndef USLEEP
# define USLEEP
# endif
@@ -370,9 +373,20 @@
#endif
#ifndef MAXPATHLEN
-# define MAXPATHLEN 256
+# ifdef PATH_MAX
+# define MAXPATHLEN PATH_MAX
+# else
+# define MAXPATHLEN 512
+# endif
#endif
+#ifndef MAXNAMELEN
+# ifdef NAME_MAX
+# define MAXNAMELEN NAME_MAX
+# else
+# define MAXNAMELEN 128
+# endif
+#endif
#ifdef SVR4
# define random lrand48
--- src/xvpbm.c
+++ src/xvpbm.c 2023-05-30 09:09:45.347497898 +0000
@@ -5,6 +5,7 @@
* WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment)
*/
+#include <stdint.h>
#include "copyright.h"
#include "xv.h"
@@ -234,12 +235,17 @@ static int loadpbm(fp, pinfo, raw)
byte *pic8;
byte *pix;
int i,j,bit,w,h,npixels;
+ uint64_t pixchk;
w = pinfo->w;
h = pinfo->h;
npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
return pbmError(bname, "image dimensions too large");
pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -305,13 +311,17 @@ static int loadpgm(fp, pinfo, raw, maxv)
{
byte *pix, *pic8;
int i,j,bitshift,w,h,npixels, holdmaxv;
-
+ uint64_t pixchk;
w = pinfo->w;
h = pinfo->h;
npixels = w * h;
- if (w <= 0 || h <= 0 || npixels/w != h)
+
+ pixchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
return pbmError(bname, "image dimensions too large");
pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -389,13 +399,20 @@ static int loadppm(fp, pinfo, raw, maxv)
{
byte *pix, *pic24, scale[256];
int i,j,bitshift, w, h, npixels, bufsize, holdmaxv;
+ uint64_t bufchk, pixchk;
w = pinfo->w;
h = pinfo->h;
npixels = w * h;
bufsize = 3*npixels;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk)
return pbmError(bname, "image dimensions too large");
/* allocate 24-bit image */
@@ -481,6 +498,7 @@ static int loadpam(fp, pinfo, raw, maxv)
{
byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a;
int i, j, bitshift, w, h, npixels, bufsize, linebufsize, holdmaxv;
+ uint64_t bufchk, pixchk, lnbchk;
w = pinfo->w;
h = pinfo->h;
@@ -488,8 +506,16 @@ static int loadpam(fp, pinfo, raw, maxv)
npixels = w * h;
bufsize = 3*npixels;
linebufsize = 4*w;
- if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels ||
- linebufsize/4 != w)
+
+ pixchk = (uint64_t)w;
+ bufchk = (uint64_t)npixels;
+ lnbchk = (uint64_t)w;
+ pixchk *= (uint64_t)h;
+ bufchk *= 3ULL;
+ lnbchk *= 4ULL;
+
+ if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk ||
+ (uint64_t)linebufsize != lnbchk)
return pbmError(bname, "image dimensions too large");
/* allocate 24-bit image */
--- src/xvpcx.c
+++ src/xvpcx.c 2023-05-30 13:31:20.392741202 +0000
@@ -255,7 +255,8 @@ static int pcxLoadImage24(fname, fp, pin
byte *hdr;
{
byte *pix, *pic24, scale[256];
- int c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes, count;
+ int c, i, j, w, h, maxv, cnt, planes, bperlin;
+ long nbytes, count;
w = pinfo->w; h = pinfo->h;
--- src/xvtext.c
+++ src/xvtext.c 2023-05-30 09:09:45.347497898 +0000
@@ -545,9 +545,9 @@ void ChangeCommentText()
tv->freeonclose = 0;
if (strlen(fullfname))
- sprintf(tv->title, "File: '%s'", BaseName(fullfname));
+ snprintf(tv->title, TITLELEN-1, "File: '%s'", BaseName(fullfname));
else
- sprintf(tv->title, "<no file loaded>");
+ snprintf(tv->title, TITLELEN-1, "<no file loaded>");
computeText(tv); /* compute # lines and linestarts array */