Author: fabbione
Date: 2004-10-30 00:48:51 -0500 (Sat, 30 Oct 2004)
New Revision: 1994
Added:
branches/ubuntu/debian/patches/000_stolen_from_x.org.diff
Removed:
branches/ubuntu/debian/patches/000_stolen_from_freedesktop.org.diff
Modified:
branches/ubuntu/debian/changelog
Log:
Import 4.3.0.dfsg.1-6ubuntu18 release.
Modified: branches/ubuntu/debian/changelog
===================================================================
--- branches/ubuntu/debian/changelog 2004-10-30 05:47:08 UTC (rev 1993)
+++ branches/ubuntu/debian/changelog 2004-10-30 05:48:51 UTC (rev 1994)
@@ -1,3 +1,13 @@
+xfree86 (4.3.0.dfsg.1-6ubuntu18) warty; urgency=low
+
+ * debian/patches/000_stolen_from_freedesktop.org:
+ + Moved to 000_stolen_from_x.org.
+ * debian/patches/000_stolen_from_x.org:
+ + Security fix for libXpm, taken from X11R6.8. CVE numbers CAN-2004-0687
+ and CAN-2004-0688.
+
+ -- Daniel Stone <[EMAIL PROTECTED]> Wed, 15 Sep 2004 10:55:28 +1000
+
xfree86 (4.3.0.dfsg.1-6ubuntu17) warty; urgency=low
* Fix framebuffer detection again. (Closes #1176)
Deleted: branches/ubuntu/debian/patches/000_stolen_from_freedesktop.org.diff
===================================================================
--- branches/ubuntu/debian/patches/000_stolen_from_freedesktop.org.diff
2004-10-30 05:47:08 UTC (rev 1993)
+++ branches/ubuntu/debian/patches/000_stolen_from_freedesktop.org.diff
2004-10-30 05:48:51 UTC (rev 1994)
@@ -1,98 +0,0 @@
-$Id: 000_stolen_from_freedesktop.org.diff 1734 2004-08-12 22:38:58Z branden $
-
-xc/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c @ 1.3
- * programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c:
- (chipsClockSelect), (chipsClockFind), (chipsModeInitHiQV),
- (chipsModeInitWingine), (chipsModeInit655xx):
- Fixed Segfault on video mode switching when pScrn->currentMode did
- not contain a valid mode.
-2004-05-24 Egbert Eich <[EMAIL PROTECTED]>
-
---- xc/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c~ 2004-08-12
17:30:47.000000000 -0500
-+++ xc/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c 2004-08-12
17:30:51.000000000 -0500
-@@ -158,7 +158,8 @@
- static void chipsUnlock(ScrnInfoPtr pScrn);
- static void chipsClockSave(ScrnInfoPtr pScrn, CHIPSClockPtr Clock);
- static void chipsClockLoad(ScrnInfoPtr pScrn, CHIPSClockPtr Clock);
--static Bool chipsClockFind(ScrnInfoPtr pScrn, int no, CHIPSClockPtr
Clock);
-+static Bool chipsClockFind(ScrnInfoPtr pScrn, DisplayModePtr mode,
-+ int no, CHIPSClockPtr Clock);
- static void chipsCalcClock(ScrnInfoPtr pScrn, int Clock,
- unsigned char *vclk);
- static int chipsGetHWClock(ScrnInfoPtr pScrn);
-@@ -4689,7 +4690,7 @@
- break;
-
- default:
-- if (!chipsClockFind(pScrn, no, &TmpClock))
-+ if (!chipsClockFind(pScrn, NULL, no, &TmpClock))
- return (FALSE);
- chipsClockLoad(pScrn, &TmpClock);
- }
-@@ -4770,7 +4771,8 @@
- }
-
- static Bool
--chipsClockFind(ScrnInfoPtr pScrn, int no, CHIPSClockPtr Clock)
-+chipsClockFind(ScrnInfoPtr pScrn, DisplayModePtr mode,
-+ int no, CHIPSClockPtr Clock )
- {
- vgaHWPtr hwp = VGAHWPTR(pScrn);
- CHIPSPtr cPtr = CHIPSPTR(pScrn);
-@@ -4790,9 +4792,9 @@
- case HiQV_STYLE:
- Clock->msr = cPtr->CRTclkInx << 2;
- Clock->fr03 = cPtr->FPclkInx << 2;
-- Clock->Clock = pScrn->currentMode->Clock;
-+ Clock->Clock = mode ? mode->Clock : 0;
- if (xf86ReturnOptValBool(cPtr->Options, OPTION_USE_MODELINE, FALSE)) {
-- Clock->FPClock = pScrn->currentMode->Clock;
-+ Clock->FPClock = mode ? mode->Clock : 0;
- } else
- Clock->FPClock = cPtr->FPclock;
- break;
-@@ -4831,7 +4833,7 @@
- if ((cPtr->PanelType & ChipsLCD) && cPtr->FPclock)
- Clock->Clock = cPtr->FPclock;
- else
-- Clock->Clock = pScrn->currentMode->SynthClock;
-+ Clock->Clock = mode ? mode->SynthClock : 0;
- }
- break;
- case OLD_STYLE:
-@@ -4856,7 +4858,7 @@
- } else {
- Clock->msr = 3 << 2;
- Clock->xr33 = 0;
-- Clock->Clock = pScrn->currentMode->SynthClock;
-+ Clock->Clock = mode ? mode->SynthClock : 0;
- }
- break;
- }
-@@ -5369,7 +5371,7 @@
- pScrn->vtSema = TRUE;
-
- /* init clock */
-- if (!chipsClockFind(pScrn, mode->ClockIndex, &ChipsNew->Clock)) {
-+ if (!chipsClockFind(pScrn, mode, mode->ClockIndex, &ChipsNew->Clock)) {
- ErrorF("bomb 2\n");
- return (FALSE);
- }
-@@ -5972,7 +5974,7 @@
- pScrn->vtSema = TRUE;
-
- /* init clock */
-- if (!chipsClockFind(pScrn, mode->ClockIndex, &ChipsNew->Clock)) {
-+ if (!chipsClockFind(pScrn, mode, mode->ClockIndex, &ChipsNew->Clock)) {
- ErrorF("bomb 4\n");
- return (FALSE);
- }
-@@ -6214,7 +6216,7 @@
- pScrn->vtSema = TRUE;
-
- /* init clock */
-- if (!chipsClockFind(pScrn, mode->ClockIndex, &ChipsNew->Clock)) {
-+ if (!chipsClockFind(pScrn, mode, mode->ClockIndex, &ChipsNew->Clock)) {
- ErrorF("bomb 6\n");
- return (FALSE);
- }
Added: branches/ubuntu/debian/patches/000_stolen_from_x.org.diff
===================================================================
--- branches/ubuntu/debian/patches/000_stolen_from_x.org.diff 2004-10-30
05:47:08 UTC (rev 1993)
+++ branches/ubuntu/debian/patches/000_stolen_from_x.org.diff 2004-10-30
05:48:51 UTC (rev 1994)
@@ -0,0 +1,560 @@
+$Id$
+
+xc/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c @ 1.3
+ * programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c:
+ (chipsClockSelect), (chipsClockFind), (chipsModeInitHiQV),
+ (chipsModeInitWingine), (chipsModeInit655xx):
+ Fixed Segfault on video mode switching when pScrn->currentMode did
+ not contain a valid mode.
+
+Also merge libXpm security fix from X11R6.8.1, fixing multiple integer
+overflows (CAN-2004-0687) and stack overflows (CAN-2004-0688).
+
+diff -urN xc.orig/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c
xc/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c
+--- xc.orig/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c
2004-09-15 10:58:47.014750536 +1000
++++ xc/programs/Xserver/hw/xfree86/drivers/chips/ct_driver.c 2004-09-15
10:59:38.263959472 +1000
+@@ -158,7 +158,8 @@
+ static void chipsUnlock(ScrnInfoPtr pScrn);
+ static void chipsClockSave(ScrnInfoPtr pScrn, CHIPSClockPtr Clock);
+ static void chipsClockLoad(ScrnInfoPtr pScrn, CHIPSClockPtr Clock);
+-static Bool chipsClockFind(ScrnInfoPtr pScrn, int no, CHIPSClockPtr
Clock);
++static Bool chipsClockFind(ScrnInfoPtr pScrn, DisplayModePtr mode,
++ int no, CHIPSClockPtr Clock);
+ static void chipsCalcClock(ScrnInfoPtr pScrn, int Clock,
+ unsigned char *vclk);
+ static int chipsGetHWClock(ScrnInfoPtr pScrn);
+@@ -4689,7 +4690,7 @@
+ break;
+
+ default:
+- if (!chipsClockFind(pScrn, no, &TmpClock))
++ if (!chipsClockFind(pScrn, NULL, no, &TmpClock))
+ return (FALSE);
+ chipsClockLoad(pScrn, &TmpClock);
+ }
+@@ -4770,7 +4771,8 @@
+ }
+
+ static Bool
+-chipsClockFind(ScrnInfoPtr pScrn, int no, CHIPSClockPtr Clock)
++chipsClockFind(ScrnInfoPtr pScrn, DisplayModePtr mode,
++ int no, CHIPSClockPtr Clock )
+ {
+ vgaHWPtr hwp = VGAHWPTR(pScrn);
+ CHIPSPtr cPtr = CHIPSPTR(pScrn);
+@@ -4790,9 +4792,9 @@
+ case HiQV_STYLE:
+ Clock->msr = cPtr->CRTclkInx << 2;
+ Clock->fr03 = cPtr->FPclkInx << 2;
+- Clock->Clock = pScrn->currentMode->Clock;
++ Clock->Clock = mode ? mode->Clock : 0;
+ if (xf86ReturnOptValBool(cPtr->Options, OPTION_USE_MODELINE, FALSE)) {
+- Clock->FPClock = pScrn->currentMode->Clock;
++ Clock->FPClock = mode ? mode->Clock : 0;
+ } else
+ Clock->FPClock = cPtr->FPclock;
+ break;
+@@ -4831,7 +4833,7 @@
+ if ((cPtr->PanelType & ChipsLCD) && cPtr->FPclock)
+ Clock->Clock = cPtr->FPclock;
+ else
+- Clock->Clock = pScrn->currentMode->SynthClock;
++ Clock->Clock = mode ? mode->SynthClock : 0;
+ }
+ break;
+ case OLD_STYLE:
+@@ -4856,7 +4858,7 @@
+ } else {
+ Clock->msr = 3 << 2;
+ Clock->xr33 = 0;
+- Clock->Clock = pScrn->currentMode->SynthClock;
++ Clock->Clock = mode ? mode->SynthClock : 0;
+ }
+ break;
+ }
+@@ -5369,7 +5371,7 @@
+ pScrn->vtSema = TRUE;
+
+ /* init clock */
+- if (!chipsClockFind(pScrn, mode->ClockIndex, &ChipsNew->Clock)) {
++ if (!chipsClockFind(pScrn, mode, mode->ClockIndex, &ChipsNew->Clock)) {
+ ErrorF("bomb 2\n");
+ return (FALSE);
+ }
+@@ -5972,7 +5974,7 @@
+ pScrn->vtSema = TRUE;
+
+ /* init clock */
+- if (!chipsClockFind(pScrn, mode->ClockIndex, &ChipsNew->Clock)) {
++ if (!chipsClockFind(pScrn, mode, mode->ClockIndex, &ChipsNew->Clock)) {
+ ErrorF("bomb 4\n");
+ return (FALSE);
+ }
+@@ -6214,7 +6216,7 @@
+ pScrn->vtSema = TRUE;
+
+ /* init clock */
+- if (!chipsClockFind(pScrn, mode->ClockIndex, &ChipsNew->Clock)) {
++ if (!chipsClockFind(pScrn, mode, mode->ClockIndex, &ChipsNew->Clock)) {
+ ErrorF("bomb 6\n");
+ return (FALSE);
+ }
+diff -urN xc.orig/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
+--- xc.orig/extras/Xpm/lib/Attrib.c 1999-01-12 00:23:09.000000000 +1100
++++ xc/extras/Xpm/lib/Attrib.c 2004-09-15 11:00:13.481605576 +1000
+@@ -35,7 +35,7 @@
+ #include "XpmI.h"
+
+ /* 3.2 backward compatibility code */
+-LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors,
++LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
+ XpmColor ***oldct));
+
+ LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
+@@ -46,12 +46,15 @@
+ static int
+ CreateOldColorTable(ct, ncolors, oldct)
+ XpmColor *ct;
+- int ncolors;
++ unsigned int ncolors;
+ XpmColor ***oldct;
+ {
+ XpmColor **colorTable, **color;
+ int a;
+
++ if (ncolors >= SIZE_MAX / sizeof(XpmColor *))
++ return XpmNoMemory;
++
+ colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
+ if (!colorTable) {
+ *oldct = NULL;
+diff -urN xc.orig/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/CrDatFrI.c
+--- xc.orig/extras/Xpm/lib/CrDatFrI.c 2001-10-28 14:32:09.000000000 +1100
++++ xc/extras/Xpm/lib/CrDatFrI.c 2004-09-15 11:00:13.482605424 +1000
+@@ -124,6 +124,8 @@
+ */
+ header_nlines = 1 + image->ncolors;
+ header_size = sizeof(char *) * header_nlines;
++ if (header_size >= SIZE_MAX / sizeof(char *))
++ return (XpmNoMemory);
+ header = (char **) XpmCalloc(header_size, sizeof(char *));
+ if (!header)
+ return (XpmNoMemory);
+diff -urN xc.orig/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
+--- xc.orig/extras/Xpm/lib/WrFFrI.c 2001-10-28 14:32:09.000000000 +1100
++++ xc/extras/Xpm/lib/WrFFrI.c 2004-09-15 11:00:13.499602840 +1000
+@@ -248,6 +248,8 @@
+ unsigned int x, y, h;
+
+ h = height - 1;
++ if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp)
++ return XpmNoMemory;
+ p = buf = (char *) XpmMalloc(width * cpp + 3);
+ if (!buf)
+ return (XpmNoMemory);
+diff -urN xc.orig/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/XpmI.h
+--- xc.orig/extras/Xpm/lib/XpmI.h 2002-01-08 06:40:23.000000000 +1100
++++ xc/extras/Xpm/lib/XpmI.h 2004-09-15 11:00:13.506601776 +1000
+@@ -85,6 +85,18 @@
+ boundCheckingCalloc((long)(nelem),(long) (elsize))
+ #endif
+
++#if defined(SCO) || defined(__USLC__)
++#include <stdint.h> /* For SIZE_MAX */
++#endif
++#include <limits.h>
++#ifndef SIZE_MAX
++# ifdef ULONG_MAX
++# define SIZE_MAX ULONG_MAX
++# else
++# define SIZE_MAX UINT_MAX
++# endif
++#endif
++
+ #define XPMMAXCMTLEN BUFSIZ
+ typedef struct {
+ unsigned int type;
+@@ -186,9 +198,9 @@
+ } *xpmHashAtom;
+
+ typedef struct {
+- int size;
+- int limit;
+- int used;
++ unsigned int size;
++ unsigned int limit;
++ unsigned int used;
+ xpmHashAtom *atomTable;
+ } xpmHashTable;
+
+diff -urN xc.orig/extras/Xpm/lib/create.c xc/extras/Xpm/lib/create.c
+--- xc.orig/extras/Xpm/lib/create.c 2002-01-08 06:40:49.000000000 +1100
++++ xc/extras/Xpm/lib/create.c 2004-09-15 11:00:13.522599344 +1000
+@@ -1,3 +1,4 @@
++/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
+ /*
+ * Copyright (C) 1989-95 GROUPE BULL
+ *
+@@ -819,6 +820,9 @@
+
+ ErrorStatus = XpmSuccess;
+
++ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
++ return (XpmNoMemory);
++
+ /* malloc pixels index tables */
+ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
+ if (!image_pixels)
+@@ -991,6 +995,8 @@
+ return (XpmNoMemory);
+
+ #if !defined(FOR_MSW) && !defined(AMIGA)
++ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
++ return XpmNoMemory;
+ /* now that bytes_per_line must have been set properly alloc data */
+ (*image_return)->data =
+ (char *) XpmMalloc((*image_return)->bytes_per_line * height);
+@@ -2061,6 +2067,9 @@
+ xpmGetCmt(data, &colors_cmt);
+
+ /* malloc pixels index tables */
++ if (ncolors >= SIZE_MAX / sizeof(Pixel))
++ return XpmNoMemory;
++
+ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
+ if (!image_pixels)
+ RETURN(XpmNoMemory);
+@@ -2315,7 +2324,8 @@
+ }
+ obm = SelectObject(*dc, image->bitmap);
+ #endif
+-
++ if (ncolors > 256)
++ return (XpmFileInvalid);
+
+ bzero((char *)colidx, 256 * sizeof(short));
+ for (a = 0; a < ncolors; a++)
+@@ -2421,6 +2431,9 @@
+ char *s;
+ char buf[BUFSIZ];
+
++ if (cpp >= sizeof(buf))
++ return (XpmFileInvalid);
++
+ buf[cpp] = '\0';
+ if (USE_HASHTABLE) {
+ xpmHashAtom *slot;
+diff -urN xc.orig/extras/Xpm/lib/data.c xc/extras/Xpm/lib/data.c
+--- xc.orig/extras/Xpm/lib/data.c 2002-01-08 06:40:49.000000000 +1100
++++ xc/extras/Xpm/lib/data.c 2004-09-15 11:00:13.532597824 +1000
+@@ -375,7 +375,7 @@
+ {
+ if (!data->type)
+ *cmt = NULL;
+- else if (data->CommentLength) {
++ else if (data->CommentLength != 0 && data->CommentLength < SIZE_MAX - 1) {
+ *cmt = (char *) XpmMalloc(data->CommentLength + 1);
+ strncpy(*cmt, data->Comment, data->CommentLength);
+ (*cmt)[data->CommentLength] = '\0';
+diff -urN xc.orig/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/hashtab.c
+--- xc.orig/extras/Xpm/lib/hashtab.c 1999-01-12 00:23:11.000000000 +1100
++++ xc/extras/Xpm/lib/hashtab.c 2004-09-15 11:00:13.533597672 +1000
+@@ -135,7 +135,7 @@
+ xpmHashTable *table;
+ {
+ xpmHashAtom *atomTable = table->atomTable;
+- int size = table->size;
++ unsigned int size = table->size;
+ xpmHashAtom *t, *p;
+ int i;
+ int oldSize = size;
+@@ -144,6 +144,8 @@
+ HASH_TABLE_GROWS
+ table->size = size;
+ table->limit = size / 3;
++ if (size >= SIZE_MAX / sizeof(*atomTable))
++ return (XpmNoMemory);
+ atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
+ if (!atomTable)
+ return (XpmNoMemory);
+@@ -204,6 +206,8 @@
+ table->size = INITIAL_HASH_SIZE;
+ table->limit = table->size / 3;
+ table->used = 0;
++ if (table->size >= SIZE_MAX / sizeof(*atomTable))
++ return (XpmNoMemory);
+ atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
+ if (!atomTable)
+ return (XpmNoMemory);
+diff -urN xc.orig/extras/Xpm/lib/parse.c xc/extras/Xpm/lib/parse.c
+--- xc.orig/extras/Xpm/lib/parse.c 2001-10-28 14:32:10.000000000 +1100
++++ xc/extras/Xpm/lib/parse.c 2004-09-15 11:00:13.541596456 +1000
+@@ -1,3 +1,4 @@
++/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
+ /*
+ * Copyright (C) 1989-95 GROUPE BULL
+ *
+@@ -44,6 +45,24 @@
+ #include <ctype.h>
+ #include <string.h>
+
++#ifdef HAS_STRLCAT
++# define STRLCAT(dst, src, dstsize) { \
++ if (strlcat(dst, src, dstsize) >= (dstsize)) \
++ return (XpmFileInvalid); }
++# define STRLCPY(dst, src, dstsize) { \
++ if (strlcpy(dst, src, dstsize) >= (dstsize)) \
++ return (XpmFileInvalid); }
++#else
++# define STRLCAT(dst, src, dstsize) { \
++ if ((strlen(dst) + strlen(src)) < (dstsize)) \
++ strcat(dst, src); \
++ else return (XpmFileInvalid); }
++# define STRLCPY(dst, src, dstsize) { \
++ if (strlen(src) < (dstsize)) \
++ strcpy(dst, src); \
++ else return (XpmFileInvalid); }
++#endif
++
+ LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
+ unsigned int height, unsigned int ncolors,
+ unsigned int cpp, XpmColor *colorTable,
+@@ -66,7 +85,7 @@
+ unsigned int *extensions;
+ {
+ unsigned int l;
+- char buf[BUFSIZ];
++ char buf[BUFSIZ + 1];
+
+ if (!data->format) { /* XPM 2 or 3 */
+
+@@ -175,10 +194,10 @@
+ XpmColor **colorTablePtr;
+ xpmHashTable *hashtable;
+ {
+- unsigned int key = 0, l, a, b;
++ unsigned int key = 0, l, a, b, len;
+ unsigned int curkey; /* current color key */
+ unsigned int lastwaskey; /* key read */
+- char buf[BUFSIZ];
++ char buf[BUFSIZ+1];
+ char curbuf[BUFSIZ]; /* current buffer */
+ char **sptr, *s;
+ XpmColor *color;
+@@ -186,6 +205,8 @@
+ char **defaults;
+ int ErrorStatus;
+
++ if (ncolors >= SIZE_MAX / sizeof(XpmColor))
++ return (XpmNoMemory);
+ colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
+ if (!colorTable)
+ return (XpmNoMemory);
+@@ -197,6 +218,10 @@
+ /*
+ * read pixel value
+ */
++ if (cpp >= SIZE_MAX - 1) {
++ xpmFreeColorTable(colorTable, ncolors);
++ return (XpmNoMemory);
++ }
+ color->string = (char *) XpmMalloc(cpp + 1);
+ if (!color->string) {
+ xpmFreeColorTable(colorTable, ncolors);
+@@ -234,13 +259,14 @@
+ }
+ if (!lastwaskey && key < NKEYS) { /* open new key */
+ if (curkey) { /* flush string */
+- s = (char *) XpmMalloc(strlen(curbuf) + 1);
++ len = strlen(curbuf) + 1;
++ s = (char *) XpmMalloc(len);
+ if (!s) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
+ defaults[curkey] = s;
+- strcpy(s, curbuf);
++ memcpy(s, curbuf, len);
+ }
+ curkey = key + 1; /* set new key */
+ *curbuf = '\0'; /* reset curbuf */
+@@ -251,9 +277,9 @@
+ return (XpmFileInvalid);
+ }
+ if (!lastwaskey)
+- strcat(curbuf, " "); /* append space */
++ STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
+ buf[l] = '\0';
+- strcat(curbuf, buf);/* append buf */
++ STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
+ lastwaskey = 0;
+ }
+ }
+@@ -261,12 +287,13 @@
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmFileInvalid);
+ }
+- s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
++ len = strlen(curbuf) + 1;
++ s = defaults[curkey] = (char *) XpmMalloc(len);
+ if (!s) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
+- strcpy(s, curbuf);
++ memcpy(s, curbuf, len);
+ }
+ } else { /* XPM 1 */
+ /* get to the beginning of the first string */
+@@ -279,6 +306,10 @@
+ /*
+ * read pixel value
+ */
++ if (cpp >= SIZE_MAX - 1) {
++ xpmFreeColorTable(colorTable, ncolors);
++ return (XpmNoMemory);
++ }
+ color->string = (char *) XpmMalloc(cpp + 1);
+ if (!color->string) {
+ xpmFreeColorTable(colorTable, ncolors);
+@@ -307,16 +338,17 @@
+ *curbuf = '\0'; /* init curbuf */
+ while ((l = xpmNextWord(data, buf, BUFSIZ))) {
+ if (*curbuf != '\0')
+- strcat(curbuf, " ");/* append space */
++ STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
+ buf[l] = '\0';
+- strcat(curbuf, buf); /* append buf */
++ STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */
+ }
+- s = (char *) XpmMalloc(strlen(curbuf) + 1);
++ len = strlen(curbuf) + 1;
++ s = (char *) XpmMalloc(len);
+ if (!s) {
+ xpmFreeColorTable(colorTable, ncolors);
+ return (XpmNoMemory);
+ }
+- strcpy(s, curbuf);
++ memcpy(s, curbuf, len);
+ color->c_color = s;
+ *curbuf = '\0'; /* reset curbuf */
+ if (a < ncolors - 1)
+@@ -341,6 +373,9 @@
+ unsigned int *iptr, *iptr2;
+ unsigned int a, x, y;
+
++ if ((height > 0 && width >= SIZE_MAX / height) ||
++ width * height >= SIZE_MAX / sizeof(unsigned int))
++ return XpmNoMemory;
+ #ifndef FOR_MSW
+ iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
+ #else
+@@ -364,6 +399,9 @@
+ {
+ unsigned short colidx[256];
+
++ if (ncolors > 256)
++ return (XpmFileInvalid);
++
+ bzero((char *)colidx, 256 * sizeof(short));
+ for (a = 0; a < ncolors; a++)
+ colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
+@@ -442,6 +480,9 @@
+ char *s;
+ char buf[BUFSIZ];
+
++ if (cpp >= sizeof(buf))
++ return (XpmFileInvalid);
++
+ buf[cpp] = '\0';
+ if (USE_HASHTABLE) {
+ xpmHashAtom *slot;
+diff -urN xc.orig/extras/Xpm/lib/scan.c xc/extras/Xpm/lib/scan.c
+--- xc.orig/extras/Xpm/lib/scan.c 2002-01-08 06:40:49.000000000 +1100
++++ xc/extras/Xpm/lib/scan.c 2004-09-15 11:00:13.563593112 +1000
+@@ -107,7 +107,8 @@
+ LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
+ XpmAttributes *attributes));
+
+-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
++LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors,
++ unsigned int ncolors,
+ Pixel *pixels, unsigned int mask,
+ unsigned int cpp, XpmAttributes *attributes));
+
+@@ -232,11 +233,17 @@
+ else
+ cpp = 0;
+
++ if ((height > 0 && width >= SIZE_MAX / height) ||
++ width * height >= SIZE_MAX / sizeof(unsigned int))
++ RETURN(XpmNoMemory);
+ pmap.pixelindex =
+ (unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
+ if (!pmap.pixelindex)
+ RETURN(XpmNoMemory);
+
++ if (pmap.size >= SIZE_MAX / sizeof(Pixel))
++ RETURN(XpmNoMemory);
++
+ pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
+ if (!pmap.pixels)
+ RETURN(XpmNoMemory);
+@@ -301,7 +308,8 @@
+ * get rgb values and a string of char, and possibly a name for each
+ * color
+ */
+-
++ if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
++ RETURN(XpmNoMemory);
+ colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
+ if (!colorTable)
+ RETURN(XpmNoMemory);
+@@ -360,6 +368,8 @@
+
+ /* first get a character string */
+ a = 0;
++ if (cpp >= SIZE_MAX - 1)
++ return (XpmNoMemory);
+ if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
+ return (XpmNoMemory);
+ *s++ = printable[c = a % MAXPRINTABLE];
+@@ -407,7 +417,7 @@
+ ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
+ Display *display;
+ XpmColor *colors;
+- int ncolors;
++ unsigned int ncolors;
+ Pixel *pixels;
+ unsigned int mask;
+ unsigned int cpp;
+@@ -451,6 +461,8 @@
+ }
+
+ /* first get character strings and rgb values */
++ if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
++ return (XpmNoMemory);
+ xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
+ if (!xcolors)
+ return (XpmNoMemory);
+diff -urN xc.orig/lib/Xpm/Imakefile xc/lib/Xpm/Imakefile
+--- xc.orig/lib/Xpm/Imakefile 2000-09-19 23:46:06.000000000 +1100
++++ xc/lib/Xpm/Imakefile 2004-09-15 11:00:13.579590680 +1000
+@@ -42,11 +42,16 @@
+ SPRINTFDEF = -DVOID_SPRINTF
+ #endif
+
++#if HasStrlcat
++STRLCATDEF = -DHAS_STRLCAT
++#endif
++
+ #if defined(Win32Architecture)
+ ZPIPEDEF = -DNO_ZPIPE
+ #endif
+
+-DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(ZPIPEDEF) $(ZFILEDEF)
++DEFINES = $(STRDUPDEF) $(STRCASECMPDEF) $(SPRINTFDEF) $(STRLCATDEF) \
++ $(ZPIPEDEF) $(ZFILEDEF)
+
+ HEADERS = xpm.h
+
Property changes on: branches/ubuntu/debian/patches/000_stolen_from_x.org.diff
___________________________________________________________________
Name: svn:keywords
+ Id
