FreeBSD Bugzilla – Attachment 47211 Details for
Bug 72382
graphics/xv - Fix vulnerability
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 37.98 KB, created by
dirk.meyer
on 2004-10-06 14:50:09 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
dirk.meyer
Created:
2004-10-06 14:50:09 UTC
Size:
37.98 KB
patch
obsolete
>Index: files/patch-ae >=================================================================== >RCS file: /home/pcvs/ports/graphics/xv/files/patch-ae,v >retrieving revision 1.1 >diff -u -r1.1 patch-ae >--- files/patch-ae 16 Oct 1996 15:42:04 -0000 1.1 >+++ files/patch-ae 5 Oct 2004 17:41:29 -0000 >@@ -1,11 +1,28 @@ >---- xvimage.c~ Fri Jan 13 18:11:36 1995 >-+++ xvimage.c Tue Oct 15 16:41:47 1996 >-@@ -46,6 +46,274 @@ >+--- xvimage.c >++++ xvimage.c Wed Jan 12 15:10:24 2000 >+@@ -29,40 +29,302 @@ >+ static void flipSel PARM((int)); >+ static void do_zoom PARM((int, int)); >+ static void compute_zoom_rect PARM((int, int, int*, int*, int*, int*)); >+ static void do_unzoom PARM((void)); >+ static void do_pan PARM((int, int)); >+ static void do_pan_calc PARM((int, int, int *, int *)); >+ static void crop1 PARM((int, int, int, int, int)); >+ static int doAutoCrop24 PARM((void)); >+ static void floydDitherize1 PARM((XImage *, byte *, int, int, int, >+ byte *, byte *,byte *)); >+ static int highbit PARM((unsigned long)); >+ >+ static int doPadSolid PARM((char *, int, int, int, int)); >+ static int doPadBggen PARM((char *, int, int, int, int)); >+ static int doPadLoad PARM((char *, int, int, int, int)); >+ >+ static int doPadPaste PARM((byte *, int, int, int, int)); > static int ReadImageFile1 PARM((char *, PICINFO *)); > > >-+/* The following array represents the pixel values for each shade of >-+ * the primary color components. >++/* The following array represents the pixel values for each shade >++ * of the primary color components. > + * If 'p' is a pointer to a source image rgb-byte-triplet, we can > + * construct the output pixel value simply by 'oring' together > + * the corresponding components: >@@ -20,7 +37,7 @@ > + * This is both efficient and generic, since the only assumption > + * is that the primary color components have separate bits. > + * The order and distribution of bits does not matter, and we >-+ * don't need additional vaiables and shifting/masking code. >++ * don't need additional variables and shifting/masking code. > + * The array size is 3 KBytes total and thus very reasonable. > + */ > + >@@ -42,21 +59,14 @@ > + * The method is to draw points in a pixmap with the specified shades > + * of primary colors and then get the corresponding XImage pixel > + * representation. >-+ * Thus we can get away with any Bit-order/Byte-Order dependencies. >++ * Thus we can get away with any Bit-order/Byte-order dependencies. > + * >-+ * The routine uses some global X variables: theDisp, theScreen, >-+ * and dispDEEP. Adapt these to your application as necessary. >++ * The routine uses some global X variables: >++ * theDisp, theScreen, dispDEEP, and theCmap. >++ * Adapt these to your application as necessary. > + * I've not passed them in as parameters, since for other platforms > + * than X these may be different (see vfixpix.c), and so the > + * screen_init() interface is unique. >-+ * >-+ * BUG: I've read in the "Xlib Programming Manual" from O'Reilly & >-+ * Associates, that the DefaultColormap in TrueColor might not >-+ * provide the full shade representation in XAllocColor. >-+ * In this case one had to provide a 'best' colormap instead. >-+ * However, my tests with Xaccel on a Linux-Box with a Mach64 >-+ * card were fully successful, so I leave that potential problem >-+ * to you at the moment and would appreciate any suggestions... > + */ > + > +static void screen_init() >@@ -73,43 +83,45 @@ > + > + check_map = XCreatePixmap(theDisp, RootWindow(theDisp,theScreen), > + 1, 1, dispDEEP); >-+ check_gc = XCreateGC(theDisp, RootWindow(theDisp,theScreen), 0, NULL); >++ check_gc = XCreateGC(theDisp, check_map, 0, NULL); > + for (ci = 0; ci < 3; ci++) { > + for (i = 0; i < 256; i++) { >-+ check_col.flags = DoRed | DoGreen | DoBlue; > + check_col.red = 0; > + check_col.green = 0; > + check_col.blue = 0; > + /* Do proper upscaling from unsigned 8 bit (image data values) > + to unsigned 16 bit (X color representation). */ > + ((unsigned short *)&check_col.red)[ci] = (unsigned short)((i << 8) | i); >-+ if (!XAllocColor(theDisp, DefaultColormap(theDisp,theScreen), &check_col)) >-+ FatalError("XAllocColor in screen_init() failed"); /* shouldn't happen */ >++ if (theVisual->class == TrueColor) >++ XAllocColor(theDisp, theCmap, &check_col); >++ else >++ xvAllocColor(theDisp, theCmap, &check_col); > + screen_set[ci][i] = > + (((unsigned short *)&check_col.red)[ci] >> 8) & 0xff; > + XSetForeground(theDisp, check_gc, check_col.pixel); > + XDrawPoint(theDisp, check_map, check_gc, 0, 0); > + check_image = XGetImage(theDisp, check_map, 0, 0, 1, 1, > + AllPlanes, ZPixmap); >-+ if (!check_image) FatalError("XGetImage in screen_init() failed"); >-+ switch (check_image->bits_per_pixel) { >-+ case 8: >-+ screen_rgb[ci][i] = *(CARD8 *)check_image->data; >-+ break; >-+ case 16: >-+ screen_rgb[ci][i] = *(CARD16 *)check_image->data; >-+ break; >-+ case 24: >-+ screen_rgb[ci][i] = >-+ ((unsigned long)*(CARD8 *)check_image->data << 16) | >-+ ((unsigned long)*(CARD8 *)(check_image->data + 1) << 8) | >-+ (unsigned long)*(CARD8 *)(check_image->data + 2); >-+ break; >-+ case 32: >-+ screen_rgb[ci][i] = *(CARD32 *)check_image->data; >-+ break; >++ if (check_image) { >++ switch (check_image->bits_per_pixel) { >++ case 8: >++ screen_rgb[ci][i] = *(CARD8 *)check_image->data; >++ break; >++ case 16: >++ screen_rgb[ci][i] = *(CARD16 *)check_image->data; >++ break; >++ case 24: >++ screen_rgb[ci][i] = >++ ((unsigned long)*(CARD8 *)check_image->data << 16) | >++ ((unsigned long)*(CARD8 *)(check_image->data + 1) << 8) | >++ (unsigned long)*(CARD8 *)(check_image->data + 2); >++ break; >++ case 32: >++ screen_rgb[ci][i] = *(CARD32 *)check_image->data; >++ break; >++ } >++ XDestroyImage(check_image); > + } >-+ XDestroyImage(check_image); > + } > + } > + XFreeGC(theDisp, check_gc); >@@ -156,7 +168,6 @@ > + * current column. (If we are lucky, those variables are in registers, but > + * even if not, they're probably cheaper to access than array elements are.) > + * >-+ * The fserrors[] array is indexed [component#][position]. > + * We provide (#columns + 2) entries per component; the extra entry at each > + * end saves us from special-casing the first and last pixels. > + */ >@@ -275,7 +286,41 @@ > > #define DO_CROP 0 > #define DO_ZOOM 1 >-@@ -1883,33 +2151,17 @@ >+ >+ >+ /***********************************/ >+ void Resize(w,h) >+ int w,h; >+ { >+ RANGE(w,1,maxWIDE); RANGE(h,1,maxHIGH); >+ >+ if (HaveSelection()) DrawSelection(0); /* turn off old rect */ >+ >+ if (psUp) PSResize(); /* if PSDialog is open, mention size change */ >+ >+ /* if same size, and Ximage created, do nothing */ >+ if (w==eWIDE && h==eHIGH && theImage!=NULL) return; >+ >+ if (DEBUG) fprintf(stderr,"Resize(%d,%d) eSIZE=%d,%d cSIZE=%d,%d\n", >+ w,h,eWIDE,eHIGH,cWIDE,cHIGH); >+@@ -1866,156 +2128,145 @@ >+ if (!xim) FatalError("couldn't create xim!"); >+ >+ imagedata = (byte *) malloc((size_t) (xim->bytes_per_line * high)); >+ if (!imagedata) FatalError("couldn't malloc imagedata"); >+ >+ xim->data = (char *) imagedata; >+ floydDitherize1(xim, pic24,PIC24, (int) wide, (int) high, NULL,NULL,NULL); >+ >+ return xim; >+ } >+ >+ >+ >+ >+ if (theVisual->class == TrueColor || theVisual->class == DirectColor) { >+ >+ /************************************************************************/ > /* Non-ColorMapped Visuals: TrueColor, DirectColor */ > /************************************************************************/ > >@@ -311,7 +356,13 @@ > > imagedata = (byte *) malloc((size_t) (high * bperline)); > if (!imagedata) FatalError("couldn't malloc imagedata"); >-@@ -1923,82 +2175,87 @@ >+ >+ xim->data = (char *) imagedata; >+ >+ if (bperpix != 8 && bperpix != 16 && bperpix != 24 && bperpix != 32) { >+ char buf[128]; >+ sprintf(buf,"Sorry, no code written to handle %d-bit %s", >+ bperpix, "TrueColor/DirectColor displays!"); > FatalError(buf); > } > >@@ -363,19 +414,6 @@ > - *ip++ = (xcol>>8) & 0xff; > - *ip++ = (xcol>>16) & 0xff; > - *ip++ = (xcol>>24) & 0xff; >-- } >-- } >-- >-- else if (bperpix == 24) { >-- if (border == MSBFirst) { >-- *ip++ = (xcol>>16) & 0xff; >-- *ip++ = (xcol>>8) & 0xff; >-- *ip++ = xcol & 0xff; >-- } >-- else { /* LSBFirst */ >-- *ip++ = xcol & 0xff; >-- *ip++ = (xcol>>8) & 0xff; >-- *ip++ = (xcol>>16) & 0xff; > +#ifdef DO_FIXPIX_SMOOTH > +#if 0 > + /* If we wouldn't have to save the original pic24 image data, >@@ -396,7 +434,6 @@ > + * dithering/rendering in a loop using a temporary line buffer. > + */ > + if (bperpix < 24) { >-+ int alldone = 0; > + FSBUF *fs = fs2_init(wide); > + if (fs) { > + byte *row_buf = malloc((size_t)wide * 3); >@@ -422,12 +459,25 @@ > + } > + } > } >-+ alldone = 1; >+- } > + free(row_buf); >++ free(fs); >+ >+- else if (bperpix == 24) { >+- if (border == MSBFirst) { >+- *ip++ = (xcol>>16) & 0xff; >+- *ip++ = (xcol>>8) & 0xff; >+- *ip++ = xcol & 0xff; >+- } >+- else { /* LSBFirst */ >+- *ip++ = xcol & 0xff; >+- *ip++ = (xcol>>8) & 0xff; >+- *ip++ = (xcol>>16) & 0xff; >+- } >++ return xim; > } > + free(fs); > + } >-+ if (alldone) return xim; > + } > +#endif > +#endif >@@ -470,3 +520,20 @@ > } > } > } >+ } >+ >+ else { >+ >+ /************************************************************************/ >+ /* CMapped Visuals: PseudoColor, GrayScale, StaticGray, StaticColor... */ >+ /************************************************************************/ >+ >+ byte *pic8; >+ int bwdith; >+ >+ /* in all cases, make an 8-bit version of the image, either using >+ 'black' and 'white', or the stdcmap */ >+ >+ bwdith = 0; >+ >+ if (ncols == 0 && dispDEEP != 1) { /* do 'black' and 'white' dither */ >Index: files/patch-suse-2003-01-27 >=================================================================== >RCS file: files/patch-suse-2003-01-27 >diff -N files/patch-suse-2003-01-27 >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ files/patch-suse-2003-01-27 5 Oct 2004 17:41:30 -0000 >@@ -0,0 +1,675 @@ >+--- xv.c >++++ xv.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -146,9 +146,7 @@ >+ rmodeset, gamset, cgamset, perfect, owncmap, rwcolor, stdcmap; >+ int nodecor; >+ double gamval, rgamval, ggamval, bgamval; >+- >+- >+- >++winRepositionningInfoST winRepositionningInfo = { 0, 0}; >+ >+ /*******************************************/ >+ int main(argc, argv) >+@@ -2125,6 +2145,7 @@ >+ /* if the file is STDIN, write it out to a temp file */ >+ >+ if (strcmp(filename,STDINSTR)==0) { >++ int tmpfd; >+ FILE *fp; >+ >+ #ifndef VMS >+@@ -2135,11 +2156,15 @@ >+ mktemp(filename); >+ >+ clearerr(stdin); >+- fp = fopen(filename,"w"); >++ tmpfd = open(filename,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR); >++ if (tmpfd < 0) FatalError("openPic(): can't create temporary file"); >++ fp = fdopen(tmpfd,"w"); >+ if (!fp) FatalError("openPic(): can't write temporary file"); >+ >+ while ( (i=getchar()) != EOF) putc(i,fp); >++ fflush(fp); >+ fclose(fp); >++ close(tmpfd); >+ >+ /* and remove it from list, since we can never reload from stdin */ >+ if (strcmp(namelist[0], STDINSTR)==0) deleteFromList(0); >+@@ -2672,7 +2697,11 @@ >+ to generate the correct exposes (particularly with 'BitGravity' turned >+ on */ >+ >+- if (mainW && !useroot) GenExpose(mainW, 0, 0, (u_int) eWIDE, (u_int) eHIGH); >++ /*Brian T. Schellenberger: fix for X 4.2 refresh problem*/ >++ if (mainW && !useroot) { >++ XSync(theDisp, False); >++ GenExpose(mainW, 0, 0, (u_int) eWIDE, (u_int) eHIGH); >++ } >+ >+ return 1; >+ >+@@ -2812,7 +2846,8 @@ >+ >+ #ifdef GS_PATH >+ else if (strncmp((char *) magicno, "%!", (size_t) 2)==0 || >+- strncmp((char *) magicno, "\004%!", (size_t) 3)==0) rv = RFT_PS; >++ strncmp((char *) magicno, "\004%!", (size_t) 3)==0 || >++ strncmp((char *) magicno, "%PDF", (size_t) 4)==0) rv = RFT_PS; >+ #endif >+ >+ #ifdef HAVE_MAG >+@@ -2959,6 +2998,7 @@ >+ returns '0' on failure */ >+ >+ char namez[128], *fname, buf[512]; >++ int tmpfd; >+ >+ fname = name; >+ namez[0] = '\0'; >+@@ -3047,15 +3090,18 @@ >+ char *src, *dst; >+ { >+ char tmpname[128], buffer[8192]; /* XXX */ >+- int n, eof; >++ int n, eof, tmpfd; >+ FILE *sfp, *dfp; >+ >+ sprintf(dst, "%s/xvmXXXXXX", tmpdir); >+ mktemp(dst); >++ tmpfd = open(dst,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR); >++ if (tmpfd < 0) FatalError("RemoveMacbinary(): can't create temporary file"); >++ >+ SetISTR(ISTR_INFO, "Removing MacBinary..."); >+ >+ sfp = xv_fopen(src, "r"); >+- dfp = xv_fopen(dst, "w"); >++ dfp = fdopen(tmpfd, "w"); >+ if (!sfp || !dfp) { >+ SetISTR(ISTR_INFO, "Unable to remove a InfoFile header form '%s'.", src); >+ Warning(); >+@@ -3067,7 +3113,9 @@ >+ if (eof = feof(sfp)) >+ fwrite(buffer, 1, n, dfp); >+ fclose(sfp); >++ fflush(dfp); >+ fclose(dfp); >++ close(tmpfd); >+ if (!eof) { >+ SetISTR(ISTR_INFO, "Unable to remove a InfoFile header form '%s'.", src); >+ Warning(); >+@@ -3199,7 +3247,7 @@ >+ */ >+ >+ char fullcmd[512], tmpname[64], str[512]; >+- int i; >++ int i, tmpfd; >+ >+ if (!cmd || (strlen(cmd) < (size_t) 2)) return 1; >+ >+@@ -3210,6 +3258,9 @@ >+ ErrPopUp(str, "\nHow unlikely!"); >+ return 1; >+ } >++ tmpfd = open(tmpname,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR); >++ if (tmpfd < 0) FatalError("openPic(): can't create temporary file"); >++ close(tmpfd); >+ >+ /* build command */ >+ strcpy(fullcmd, cmd+1); /* skip the leading '!' character in cmd */ >+--- xv.h >++++ xv.h 2003-01-27 00:03:36.000000000 +0100 >+@@ -310,7 +294,9 @@ >+ # endif >+ #endif >+ >+- >++#ifndef S_IRWUSR >++# define S_IRWUSR (S_IRUSR|S_IWRITE) >++#endif >+ >+ #ifndef MAXPATHLEN >+ # define MAXPATHLEN 256 >+@@ -813,6 +811,13 @@ >+ #define WHERE >+ #endif >+ >++/* Needed for repositionning with negative geometries */ >++typedef struct { >++ int negativeX; >++ int negativeY; >++} winRepositionningInfoST; >++extern winRepositionningInfoST winRepositionningInfo; >++ >+ typedef unsigned char byte; >+ >+ typedef struct scrl { >+--- xvdir.c >++++ xvdir.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -80,7 +83,7 @@ >+ "PIC", >+ #endif /* HAVE_PIC */ >+ #ifdef HAVE_MAKI >+- "MAKI", >++ "MAKI (640x400 only)", >+ #endif /* HAVE_MAKI */ >+ #ifdef HAVE_PI >+ "PI", >+--- xvevent.c >++++ xvevent.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -64,6 +64,8 @@ >+ >+ static void annotatePic PARM((void)); >+ >++static int debkludge_offx; >++static int debkludge_offy; >+ >+ /****************/ >+ int EventLoop() >+@@ -676,6 +694,29 @@ >+ p_offy = xwa.y; >+ } >+ >++ /* Gather info to keep right border inside */ >++ { >++ Window current; >++ Window root_r; >++ Window parent_r; >++ Window *children_r; >++ int nchildren_r; >++ XWindowAttributes xwa; >++ >++ parent_r=mainW; >++ current=mainW; >++ do { >++ current=parent_r; >++ XQueryTree(theDisp, current, &root_r, &parent_r, >++ &children_r, &nchildren_r); >++ if (children_r!=NULL) { >++ XFree(children_r); >++ } >++ } while(parent_r!=root_r); >++ XGetWindowAttributes(theDisp, current, &xwa); >++ debkludge_offx=eWIDE-xwa.width+p_offx; >++ debkludge_offy=eHIGH-xwa.height+p_offy; >++ } >+ >+ /* move window around a bit... */ >+ { >+@@ -2078,6 +2127,26 @@ >+ if (xwa->width < dispWIDE && xwc.x < p_offx) xwc.x = p_offx; >+ if (xwa->height < dispHIGH && xwc.y < p_offy) xwc.y = p_offy; >+ >++ /* Try to keep bottom right decorations inside */ >++ if (xwc.x+eWIDE-debkludge_offx>dispWIDE) { >++ xwc.x=dispWIDE-eWIDE+debkludge_offx; >++ if (xwc.x<0) xwc.x=0; >++ } >++ if (xwc.y+eHIGH-debkludge_offy>dispHIGH) { >++ xwc.y=dispHIGH-eHIGH+debkludge_offy; >++ if (xwc.y<0) xwc.y=0; >++ } >++ >++ /* In case of negative offset for first image */ >++ if (winRepositionningInfo.negativeX) { >++ xwc.x+=winRepositionningInfo.negativeX; >++ winRepositionningInfo.negativeX=0; >++ } >++ if (winRepositionningInfo.negativeY) { >++ xwc.y+=winRepositionningInfo.negativeY; >++ winRepositionningInfo.negativeY=0; >++ } >++ >+ xwc.width = xwa->width; >+ xwc.height = xwa->height; >+ >+--- xvfits.c >++++ xvfits.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -14,7 +14,7 @@ >+ * provided "as is" without express or implied warranty. >+ */ >+ >+- >++#define NEEDSDIR /* for S_IRUSR|S_IWUSR */ >+ #include "xv.h" >+ >+ #define NCARDS (36) >+@@ -223,7 +223,7 @@ >+ * If there was a problem writing files, then a error message will be set. >+ */ >+ >+- int i, np=nx * ny, ioerror, nwrt; >++ int i, np=nx * ny, ioerror, nwrt, tmpfd; >+ FILE *fp; >+ char *error; >+ byte *work; >+@@ -246,7 +246,12 @@ >+ >+ for (i=0; i < nz && !error; i++) { >+ sprintf(filename, "%s%d", basename, i+1); >+- fp = xv_fopen(filename, "w"); >++ tmpfd = open(filename,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR); >++ if (tmpfd < 0) { >++ error = "Unable to open temporary file"; >++ break; >++ } >++ fp = fdopen(tmpfd, "w"); >+ if (!fp) { >+ error = "Unable to open temporary file"; >+ break; >+@@ -254,13 +259,17 @@ >+ >+ if (wrheader(fp, nx, ny, comment)) { >+ error = "I/O error writing temporary file"; >++ fflush(fp); >+ fclose(fp); >++ close(tmpfd); >+ unlink(filename); >+ break; >+ } >+ >+ nwrt = fwrite(image+i*np, sizeof(byte), (size_t) np, fp); >++ fflush(fp); >+ fclose(fp); >++ close(tmpfd); >+ >+ if (nwrt == 0) { /* failed to write any data */ >+ error = "I/O error writing temporary file"; >+--- xvimage.c >++++ xvimage.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -21,6 +21,7 @@ >+ * int LoadPad(pinfo, fname); >+ */ >+ >++#define NEEDSDIR /* for S_IRUSR|S_IWUSR */ >+ #include "copyright.h" >+ >+ #include "xv.h" >+@@ -2927,7 +2930,7 @@ >+ char *str; >+ int wide, high, opaque,omode; >+ { >+- int i; >++ int i, tmpfd; >+ byte *bgpic24; >+ char syscmd[512], fname[128], errstr[512]; >+ PICINFO pinfo; >+@@ -2949,6 +2952,13 @@ >+ strcpy(fname, "Sys$Disk:[]xvuXXXXXX"); >+ #endif >+ mktemp(fname); >++ tmpfd = open(fname, O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR); >++ if (tmpfd < 0) { >++ sprintf(errstr, "Error: can't create temporary file %s", fname); >++ ErrPopUp(errstr, "\nDoh!"); >++ return 0; >++ } >++ close(tmpfd); >+ >+ /* run bggen to generate the background */ >+ sprintf(syscmd, "bggen -g %dx%d %s > %s", wide, high, str, fname); >+--- xvmaki.c >++++ xvmaki.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -355,8 +355,12 @@ >+ return -1; >+ } >+ >+- if(w != 640 || h != 400) >++ if(w != 640 || h != 400) { >++ char str[512]; >++ sprintf(str,"MAKI: %s Should be 640x400", maki_msgs[MAKI_SIZE]); >++ ErrPopUp(str, "\nBummer!"); >+ maki_error(mi, MAKI_SIZE); >++ } >+ >+ maki.fp = fp; >+ maki.width = w; >+@@ -669,6 +673,7 @@ >+ static void maki_init_info(mi) >+ struct maki_info *mi; >+ { >++ xvbzero((char *)mi, sizeof(struct maki_info)); >+ mi->fp = NULL; >+ mi->fsize = 0; >+ mi->x0 = mi->y0 = mi->x1 = mi->y1 = 0; >+--- xvpds.c >++++ xvpds.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -102,7 +102,7 @@ >+ * This software is provided "as is" without any express or implied warranty. >+ */ >+ >+- >++#define NEEDSDIR /* for S_IRUSR|S_IWUSR */ >+ #include "xv.h" >+ >+ #ifdef HAVE_PDS >+@@ -250,7 +250,7 @@ >+ { >+ /* returns '1' on success, '0' on failure */ >+ >+- int tempnum; >++ int tempnum, tmpfd; >+ FILE *zf; >+ static int isfixed,teco,i,j,itype,vaxbyte, >+ recsize,hrecsize,irecsize,isimage,labelrecs,labelsofar, >+@@ -690,6 +690,12 @@ >+ #ifndef VMS >+ sprintf(pdsuncompfname,"%s/xvhuffXXXXXX", tmpdir); >+ mktemp(pdsuncompfname); >++ tmpfd = open(pdsuncompfname,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR); >++ if (tmpfd < 0) { >++ SetISTR(ISTR_WARNING,"Unable to create temporarly file."); >++ return 0; >++ } >++ close(tmpfd); >+ sprintf(scanbuff,"%s %s - 4 >%s",PDSUNCOMP,fname,pdsuncompfname); >+ #else >+ strcpy(pdsuncompfname,"sys$disk:[]xvhuffXXXXXX"); >+--- xvps.c >++++ xvps.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -1564,7 +1564,7 @@ >+ /* build command string */ >+ >+ #ifndef VMS /* VMS needs quotes around mixed case command lines */ >+- sprintf(tmp, "%s -sDEVICE=%s -r%d -q -dNOPAUSE -sOutputFile=%s%%d ", >++ sprintf(tmp, "%s -sDEVICE=%s -r%d -q -dSAFER -dNOPAUSE -sOutputFile=%s%%d ", >+ GS_PATH, gsDev, gsRes, tmpname); >+ #else >+ sprintf(tmp, >+--- xvtiff.c >++++ xvtiff.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -5,6 +5,7 @@ >+ * LoadTIFF(fname, numcols, quick) - load a TIFF file >+ */ >+ >++#define NEEDSDIR /* for S_IRUSR|S_IWUSR */ >+ #ifndef va_start >+ # define NEEDSARGS >+ #endif >+@@ -56,7 +89,7 @@ >+ return 0; >+ } >+ >+- fseek(fp, 0L, 2); >++ fseek(fp, 0L, SEEK_END); >+ filesize = ftell(fp); >+ fclose(fp); >+ >+@@ -1065,7 +1308,7 @@ >+ int fromskew, toskew; >+ { >+ while (h-- > 0) { >+- UNROLL8(w,0, *cp++ = PALmap[*pp++][0]); >++ UNROLL8(w,, *cp++ = PALmap[*pp++][0]); >+ cp += toskew; >+ pp += fromskew; >+ } >+@@ -1262,7 +1504,7 @@ >+ } >+ } else { >+ while (h-- > 0) { >+- UNROLL8(w,0, >++ UNROLL8(w,, >+ *cp++ = pp[0]; >+ *cp++ = pp[1]; >+ *cp++ = pp[2]; >+@@ -1335,7 +1577,7 @@ >+ } >+ } else { >+ while (h-- > 0) { >+- UNROLL8(w,0, >++ UNROLL8(w,, >+ *cp++ = *r++; >+ *cp++ = *g++; >+ *cp++ = *b++; >+--- xvtiffwr.c >++++ xvtiffwr.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -78,6 +78,9 @@ >+ TIFFSetField(tif, TIFFTAG_GROUP3OPTIONS, >+ GROUP3OPT_2DENCODING+GROUP3OPT_FILLBITS); >+ >++ if (comp == COMPRESSION_LZW) >++ TIFFSetField(tif, TIFFTAG_PREDICTOR, 2); >++ >+ TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); >+ TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 1); >+ TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT); >+--- xvvd.c >++++ xvvd.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -793,7 +794,7 @@ >+ returns '0' on failure */ >+ >+ char namez[128], *fname, buf[512], tmp[HEADERSIZE]; >+- int n; >++ int n, tmpfd; >+ FILE *pfp, *tfp; >+ >+ fname = name; >+@@ -834,10 +835,17 @@ >+ Warning(); >+ return 0; >+ } >+- if ((tfp = fopen(uncompname, "w")) == NULL) { >++ if ((tmpfd = open(uncompname,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR)) < 0) { >++ SetISTR(ISTR_INFO, "Unable to create temporarly file.", >++ BaseName(uncompname)); >++ Warning(); >++ pclose(pfp); >++ } >++ if ((tfp = fdopen(tmpfd, "w")) == NULL) { >+ SetISTR(ISTR_INFO, "Unable to create temporarly file.", >+ BaseName(uncompname)); >+ Warning(); >++ close(tmpfd); >+ pclose(pfp); >+ return 0; >+ } >+@@ -846,11 +854,15 @@ >+ BaseName(fname)); >+ Warning(); >+ pclose(pfp); >++ fflush(tfp); >+ fclose(tfp); >++ close(tmpfd); >+ return 0; >+ } >+ fwrite(tmp, 1, n, tfp); >++ fflush(tfp); >+ fclose(tfp); >++ close(tmpfd); >+ pclose(pfp); >+ >+ /* if we renamed the file to end with a .Z for the sake of 'uncompress', >+--- xvxpm.c >++++ xvxpm.c 2003-01-27 00:03:36.000000000 +0100 >+@@ -77,96 +77,104 @@ >+ hentry *clmp; /* colormap hash-table */ >+ hentry *c_sptr; /* cmap hash-table search pointer*/ >+ XColor col; >+- >++ >+ bname = BaseName(fname); >+ fp = fopen(fname, "r"); >+ if (!fp) >+ return (XpmLoadError(bname, "couldn't open file")); >+- >++ >+ if (DEBUG) >+ printf("LoadXPM(): Loading xpm from %s\n", fname); >+- >++ >+ fseek(fp, 0L, 2); >+ filesize = ftell(fp); >+ fseek(fp, 0L, 0); >+- >++ >+ bufchar = -2; >+ in_quote = FALSE; >+- >++ >+ /* Read in the values line. It is the first string in the >+ * xpm, and contains four numbers. w, h, num_colors, and >+ * chars_per_pixel. */ >+- >++ >+ /* First, get to the first string */ >+ while (((c = XpmGetc(fp))!=EOF) && (c != '"')) ; >+ line_pos = 0; >+- >++ >+ /* Now, read in the string */ >+ while (((c = XpmGetc(fp))!=EOF) && (line_pos < VALUES_LEN) && (c != '"')) { >+ values[line_pos++] = c; >+ } >+ if (c != '"') >+ return (XpmLoadError(bname, "error parsing values line")); >+- >++ >+ values[line_pos] = '\0'; >+ sscanf(values, "%d%d%d%d", &w, &h, &nc, &cpp); >+ if (nc <= 0 || cpp <= 0) >+ return (XpmLoadError(bname, "No colours in Xpm?")); >+- >++ >+ if (nc > 256) >+ pinfo->type = PIC24; >+ else >+ pinfo->type = PIC8; >+- >++ >+ if (DEBUG) >+ printf("LoadXPM(): reading a %dx%d image (%d colors)\n", w, h, nc); >+- >++ >+ /* We got this far... */ >+ WaitCursor(); >+- >++ >+ if (!hash_init(nc)) >+ return (XpmLoadError(bname, "Not enough memory to hash colormap")); >+- >++ >+ clmp = (hentry *) malloc(nc * sizeof(hentry)); /* Holds the colormap */ >+ if (pinfo->type == PIC8) pic = (byte *) malloc((size_t) (w*h)); >+ else pic = (byte *) malloc((size_t) (w*h*3)); >+- >++ >+ if (!clmp || !pic) >+ return (XpmLoadError(bname, "Not enough memory to load pixmap")); >+- >++ >+ c_sptr = clmp; >+ i_sptr = pic; >+- >++ >+ /* initialize the 'hex' array for zippy ASCII-hex -> int conversion */ >+- >++ >+ for (i = 0 ; i < 256 ; i++) hex[i] = 0; >+ for (i = '0'; i <= '9' ; i++) hex[i] = i - '0'; >+ for (i = 'a'; i <= 'f' ; i++) hex[i] = i - 'a' + 10; >+ for (i = 'A'; i <= 'F' ; i++) hex[i] = i - 'A' + 10; >+- >++ >+ /* Again, we've made progress. */ >+ WaitCursor(); >+- >++ >+ /* Now, we need to read the colormap. */ >+ pinfo->colType = F_BWDITHER; >+ for (i = 0 ; i < nc ; i++) { >+ while (((c = XpmGetc(fp))!=EOF) && (c != '"')) ; >+ if (c != '"') >+ return (XpmLoadError(bname, "Error reading colormap")); >+- >++ >+ for (j = 0 ; j < cpp ; j++) >+ c_sptr->token[j] = XpmGetc(fp); >+ c_sptr->token[j] = '\0'; >+- >++ >+ while (((c = XpmGetc(fp))!=EOF) && ((c == ' ') || (c == '\t'))) ; >+ if (c == EOF) /* The failure condition of getc() */ >+ return (XpmLoadError(bname, "Error parsing colormap line")); >+- >++ >+ do { >+ char key[3]; >+- char color[40]; /* Need to figure a good size for this... */ >++ char color[80]; /* Need to figure a good size for this... */ >+ short hd; /* Hex digits per R, G, or B */ >+- >++ >++/* >++ * Problem with spaces in color names >++ * >++ * X s Color Name m Other Name c Last Name >++ * >++ * ... this parser doesn't find `Any Name' >++ */ >++ >+ for (j=0; j<2 && (c != ' ') && (c != '\t') && (c != EOF); j++) { >+ key[j] = c; >+ c = XpmGetc(fp); >+@@ -177,7 +185,7 @@ >+ if (c == EOF) /* The failure condition of getc() */ >+ return (XpmLoadError(bname, "Error parsing colormap line")); >+ >+- for (j=0; j<39 && (c!=' ') && (c!='\t') && (c!='"') && c!=EOF; j++) { >++ for (j=0; j<79 && (c!=' ') && (c!='\t') && (c!='"') && c!=EOF; j++) { >+ color[j] = c; >+ c = XpmGetc(fp); >+ } >+@@ -236,13 +244,13 @@ >+ else { /* 'None' or unrecognized color spec */ >+ int rgb; >+ >+- if (strcmp(color, "None") == 0) rgb = 0xb2c0dc; /* infobg */ >++ if (strcasecmp(color, "None") == 0) rgb = 0xb2c0dc; /* infobg */ >+ else { >+ SetISTR(ISTR_INFO, "%s: unknown color spec '%s'", bname, color); >+ Timer(1000); >+ rgb = 0x808080; >+ } >+- >++ >+ if (pinfo->type == PIC8) { >+ pinfo->r[i] = (rgb>>16) & 0xff; >+ pinfo->g[i] = (rgb>> 8) & 0xff; >+@@ -309,28 +317,29 @@ >+ *i_sptr++ = mapentry->cv_rgb[2]; >+ } >+ } /* for ( j < w ) */ >+- (void)XpmGetc(fp); /* Throw away the close " */ >+- >++ while (((c = XpmGetc(fp))!=EOF) && /* Throw away the close " and */ >++ (c != '"')) ; /* erase all remaining pixels */ >++ >+ if (!(i%7)) WaitCursor(); >+ } /* for ( i < h ) */ >+- >++ >+ pinfo->pic = pic; >+ pinfo->normw = pinfo->w = w; >+ pinfo->normh = pinfo->h = h; >+ pinfo->frmType = F_XPM; >+ >+ if (DEBUG) printf("LoadXPM(): pinfo->colType is %d\n", pinfo->colType); >+- >++ >+ sprintf(pinfo->fullInfo, "Xpm v3 Pixmap (%ld bytes)", filesize); >+ sprintf(pinfo->shrtInfo, "%dx%d Xpm.", w, h); >+ pinfo->comment = (char *)NULL; >+- >++ >+ hash_destroy(); >+ free(clmp); >+- >++ >+ if (fp != stdin) >+ fclose(fp); >+- >++ >+ return(1); >+ } >+ >Index: files/patch-suse-2004-07-28 >=================================================================== >RCS file: files/patch-suse-2004-07-28 >diff -N files/patch-suse-2004-07-28 >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ files/patch-suse-2004-07-28 5 Oct 2004 17:41:30 -0000 >@@ -0,0 +1,195 @@ >+--- xvbmp.c >++++ xvbmp.c Wed Jul 28 15:16:05 2004 >+@@ -32,7 +32,7 @@ >+ static int loadBMP1 PARM((FILE *, byte *, u_int, u_int)); >+ static int loadBMP4 PARM((FILE *, byte *, u_int, u_int, u_int)); >+ static int loadBMP8 PARM((FILE *, byte *, u_int, u_int, u_int)); >+-static int loadBMP24 PARM((FILE *, byte *, u_int, u_int)); >++static int loadBMP24 PARM((FILE *, byte *, u_int, u_int, u_int)); >+ static u_int getshort PARM((FILE *)); >+ static u_int getint PARM((FILE *)); >+ static void putshort PARM((FILE *, int)); >+@@ -127,7 +127,8 @@ >+ >+ >+ /* error checking */ >+- if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && biBitCount!=24) || >++ if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && >++ biBitCount!=24 && biBitCount!=32) || >+ biPlanes!=1 || biCompression>BI_RLE4) { >+ >+ sprintf(buf,"Bogus BMP File! (bitCount=%d, Planes=%d, Compression=%d)", >+@@ -137,7 +138,8 @@ >+ goto ERROR; >+ } >+ >+- if (((biBitCount==1 || biBitCount==24) && biCompression != BI_RGB) || >++ if (((biBitCount==1 || biBitCount==24 || biBitCount==32) >++ && biCompression != BI_RGB) || >+ (biBitCount==4 && biCompression==BI_RLE8) || >+ (biBitCount==8 && biCompression==BI_RLE4)) { >+ >+@@ -159,7 +161,7 @@ >+ } >+ >+ /* load up colormap, if any */ >+- if (biBitCount!=24) { >++ if (biBitCount!=24 && biBitCount!=32) { >+ int i, cmaplen; >+ >+ cmaplen = (biClrUsed) ? biClrUsed : 1 << biBitCount; >+@@ -197,7 +199,7 @@ >+ >+ /* create pic8 or pic24 */ >+ >+- if (biBitCount==24) { >++ if (biBitCount==24 || biBitCount==32) { >+ pic24 = (byte *) calloc((size_t) biWidth * biHeight * 3, (size_t) 1); >+ if (!pic24) return (bmpError(bname, "couldn't malloc 'pic24'")); >+ } >+@@ -212,16 +214,18 @@ >+ if (biBitCount == 1) rv = loadBMP1(fp,pic8,biWidth,biHeight); >+ else if (biBitCount == 4) rv = loadBMP4(fp,pic8,biWidth,biHeight, >+ biCompression); >+- else if (biBitCount == 8) rv = loadBMP8(fp,pic8,biWidth,biHeight, >++ else if (biBitCount == 8) rv = loadBMP8(fp,pic8,biWidth,biHeight, >+ biCompression); >+- else rv = loadBMP24(fp,pic24,biWidth,biHeight); >++ else rv = loadBMP24(fp,pic24,biWidth,biHeight, >++ biBitCount); >++ >+ >+ if (rv) bmpError(bname, "File appears truncated. Winging it.\n"); >+ >+ fclose(fp); >+ >+ >+- if (biBitCount == 24) { >++ if (biBitCount == 24 || biBitCount == 32) { >+ pinfo->pic = pic24; >+ pinfo->type = PIC24; >+ } >+@@ -264,12 +268,13 @@ >+ u_int w,h; >+ { >+ int i,j,c,bitnum,padw; >+- byte *pp; >++ byte *pp = pic8 + ((h - 1) * w); >++ size_t l = w*h; >+ >+ c = 0; >+ padw = ((w + 31)/32) * 32; /* 'w', padded to be a multiple of 32 */ >+ >+- for (i=h-1; i>=0; i--) { >++ for (i=h-1; i>=0 && (pp - pic8 <= l); i--) { >+ pp = pic8 + (i * w); >+ if ((i&0x3f)==0) WaitCursor(); >+ for (j=bitnum=0; j<padw; j++,bitnum++) { >+@@ -298,8 +303,8 @@ >+ u_int w,h,comp; >+ { >+ int i,j,c,c1,x,y,nybnum,padw,rv; >+- byte *pp; >+- >++ byte *pp = pic8 + ((h - 1) * w); >++ size_t l = w*h; >+ >+ rv = 0; >+ c = c1 = 0; >+@@ -307,7 +312,7 @@ >+ if (comp == BI_RGB) { /* read uncompressed data */ >+ padw = ((w + 7)/8) * 8; /* 'w' padded to a multiple of 8pix (32 bits) */ >+ >+- for (i=h-1; i>=0; i--) { >++ for (i=h-1; i>=0 && (pp - pic8 <= l); i--) { >+ pp = pic8 + (i * w); >+ if ((i&0x3f)==0) WaitCursor(); >+ >+@@ -335,7 +340,7 @@ >+ >+ if (c) { /* encoded mode */ >+ c1 = getc(fp); >+- for (i=0; i<c; i++,x++,pp++) >++ for (i=0; i<c && (pp - pic8 <= l); i++,x++,pp++) >+ *pp = (i&1) ? (c1 & 0x0f) : ((c1>>4)&0x0f); >+ } >+ >+@@ -355,7 +360,7 @@ >+ } >+ >+ else { /* absolute mode */ >+- for (i=0; i<c; i++, x++, pp++) { >++ for (i=0; i<c && (pp - pic8 <= l); i++, x++, pp++) { >+ if ((i&1) == 0) c1 = getc(fp); >+ *pp = (i&1) ? (c1 & 0x0f) : ((c1>>4)&0x0f); >+ } >+@@ -384,14 +389,15 @@ >+ u_int w,h,comp; >+ { >+ int i,j,c,c1,padw,x,y,rv; >+- byte *pp; >++ byte *pp = pic8 + ((h - 1) * w); >++ size_t l = w*h; >+ >+ rv = 0; >+ >+ if (comp == BI_RGB) { /* read uncompressed data */ >+ padw = ((w + 3)/4) * 4; /* 'w' padded to a multiple of 4pix (32 bits) */ >+ >+- for (i=h-1; i>=0; i--) { >++ for (i=h-1; i>=0 && (pp - pic8 <= l); i--) { >+ pp = pic8 + (i * w); >+ if ((i&0x3f)==0) WaitCursor(); >+ >+@@ -412,7 +418,7 @@ >+ >+ if (c) { /* encoded mode */ >+ c1 = getc(fp); >+- for (i=0; i<c; i++,x++,pp++) *pp = c1; >++ for (i=0; i<c && (pp - pic8 <= l); i++,x++,pp++) *pp = c1; >+ } >+ >+ else { /* c==0x00 : escape codes */ >+@@ -431,7 +437,7 @@ >+ } >+ >+ else { /* absolute mode */ >+- for (i=0; i<c; i++, x++, pp++) { >++ for (i=0; i<c && (pp - pic8 <= l); i++, x++, pp++) { >+ c1 = getc(fp); >+ *pp = c1; >+ } >+@@ -454,19 +460,21 @@ >+ >+ >+ /*******************************************/ >+-static int loadBMP24(fp, pic24, w, h) >++static int loadBMP24(fp, pic24, w, h, bits) >+ FILE *fp; >+ byte *pic24; >+- u_int w,h; >++ u_int w,h, bits; >+ { >+ int i,j,padb,rv; >+- byte *pp; >++ byte *pp = pic24 + ((h - 1) * w * 3); >++ size_t l = w*h*3; >+ >+ rv = 0; >+ >+ padb = (4 - ((w*3) % 4)) & 0x03; /* # of pad bytes to read at EOscanline */ >++ if (bits==32) padb = 0; >+ >+- for (i=h-1; i>=0; i--) { >++ for (i=h-1; i>=0 && (pp - pic24 <= l); i--) { >+ pp = pic24 + (i * w * 3); >+ if ((i&0x3f)==0) WaitCursor(); >+ >+@@ -474,6 +482,7 @@ >+ pp[2] = getc(fp); /* blue */ >+ pp[1] = getc(fp); /* green */ >+ pp[0] = getc(fp); /* red */ >++ if (bits==32) getc(fp); >+ pp += 3; >+ } >+ >Index: files/patch-suse-2004-08-24 >=================================================================== >RCS file: files/patch-suse-2004-08-24 >diff -N files/patch-suse-2004-08-24 >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ files/patch-suse-2004-08-24 5 Oct 2004 17:41:30 -0000 >@@ -0,0 +1,138 @@ >+--- xvbmp.c >++++ xvbmp.c Tue Aug 24 12:42:52 2004 >+@@ -129,7 +129,9 @@ >+ /* error checking */ >+ if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && >+ biBitCount!=24 && biBitCount!=32) || >+- biPlanes!=1 || biCompression>BI_RLE4) { >++ biPlanes!=1 || biCompression>BI_RLE4 || >++ biWidth<= 0 || biHeight <= 0 || >++ (biClrUsed && biClrUsed > (1 << biBitCount))) { >+ >+ sprintf(buf,"Bogus BMP File! (bitCount=%d, Planes=%d, Compression=%d)", >+ biBitCount, biPlanes, biCompression); >+@@ -159,6 +161,9 @@ >+ >+ bPad = bfOffBits - (biSize + 14); >+ } >++ >++ if (biClrUsed > (1 << biBitCount)) >++ biClrUsed = (1 << biBitCount); >+ >+ /* load up colormap, if any */ >+ if (biBitCount!=24 && biBitCount!=32) { >+--- xviris.c >++++ xviris.c Tue Aug 24 13:01:42 2004 >+@@ -267,6 +267,12 @@ >+ >+ rlebuflen = 2 * xsize + 10; >+ tablen = ysize * zsize; >++ >++ if (rlebuflen <= 0 || tablen <= 0 || (tablen * sizeof(long)) < 0) { >++ loaderr = "Bogus IRIS File!"; >++ return (byte *)NULL; >++ } >++ >+ starttab = (u_long *) malloc((size_t) tablen * sizeof(long)); >+ lengthtab = (u_long *) malloc((size_t) tablen * sizeof(long)); >+ rledat = (byte *) malloc((size_t) rlebuflen); >+--- xvpcx.c >++++ xvpcx.c Tue Aug 24 13:12:15 2004 >+@@ -222,7 +222,14 @@ >+ byte *image; >+ >+ /* note: overallocation to make life easier... */ >+- image = (byte *) malloc((size_t) (pinfo->h + 1) * pinfo->w + 16); >++ int count = (pinfo->h + 1) * pinfo->w + 16; >++ >++ if (count <= 0 || pinfo->h <= 0 || pinfo->w <= 0) { >++ pcxError(fname, "Bogus PCX file!!"); >++ return (0); >++ } >++ >++ image = (byte *) malloc((size_t) count); >+ if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()"); >+ >+ xvbzero((char *) image, (size_t) ((pinfo->h+1) * pinfo->w + 16)); >+@@ -250,17 +257,25 @@ >+ { >+ byte *pix, *pic24, scale[256]; >+ int c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes; >++ int count; >+ >+ w = pinfo->w; h = pinfo->h; >+ >+ planes = (int) hdr[PCX_PLANES]; >+ bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8); >+ >++ count = w*h*planes; >++ >++ if (count <= 0 || planes <= 0 || w <= 0 || h <= 0) { >++ pcxError(fname, "Bogus PCX file!!"); >++ return (0); >++ } >++ >+ /* allocate 24-bit image */ >+- pic24 = (byte *) malloc((size_t) w*h*planes); >++ pic24 = (byte *) malloc((size_t) count); >+ if (!pic24) FatalError("couldn't malloc 'pic24'"); >+ >+- xvbzero((char *) pic24, (size_t) w*h*planes); >++ xvbzero((char *) pic24, (size_t) count); >+ >+ maxv = 0; >+ pix = pinfo->pic = pic24; >+@@ -268,6 +283,12 @@ >+ j = 0; /* bytes per line, in this while loop */ >+ nbytes = bperlin*h*planes; >+ >++ if (nbytes < 0) { >++ pcxError(fname, "Bogus PCX file!!"); >++ free(pic24); >++ return (0); >++ } >++ >+ while (nbytes > 0 && (c = getc(fp)) != EOF) { >+ if ((c & 0xC0) == 0xC0) { /* have a rep. count */ >+ cnt = c & 0x3F; >+--- xvpm.c >++++ xvpm.c Tue Aug 24 13:16:43 2004 >+@@ -119,6 +119,9 @@ >+ >+ isize = pm_isize(&thePic); >+ >++ if (isize <= 0) >++ return pmError(bname, "Bogus PM file!!"); >++ >+ if (DEBUG) >+ fprintf(stderr,"%s: LoadPM() - loading a %dx%d %s pic, %d planes\n", >+ cmd, w, h, (thePic.pm_form==PM_I) ? "PM_I" : "PM_C", >+@@ -135,6 +138,8 @@ >+ return( pmError(bname, "file read error") ); >+ } >+ >++ if (thePic.pm_cmtsize+1 <= 0) >++ return pmError(bname, "Bogus PM file!!"); >+ >+ /* alloc and read in comment, if any */ >+ if (thePic.pm_cmtsize>0) { >+@@ -155,6 +160,9 @@ >+ int *intptr; >+ byte *pic24, *picptr; >+ >++ if (w <= 0 || h <= 0 || w*h*3 <= 0) >++ return pmError(bname, "Bogus PM file!!"); >++ >+ if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) { >+ if (thePic.pm_cmt) free(thePic.pm_cmt); >+ return( pmError(bname, "unable to malloc 24-bit picture") ); >+@@ -189,6 +197,9 @@ >+ >+ else if (thePic.pm_form == PM_C && thePic.pm_np>1) { >+ byte *pic24, *picptr, *rptr, *gptr, *bptr; >++ >++ if (w <= 0 || h <= 0 || w*h*3 <= 0) >++ return pmError(bname, "Bogus PM file!!"); >+ >+ if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) { >+ if (thePic.pm_cmt) free(thePic.pm_cmt);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=47211">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 72382
: 47211