ports/72382: graphics/xv - Fix vulnerability

dirk.meyer at dinoex.sub.org dirk.meyer at dinoex.sub.org
Wed Oct 6 13:50:10 UTC 2004


>Number:         72382
>Category:       ports
>Synopsis:       graphics/xv - Fix vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 06 13:50:09 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dirk Meyer
>Release:        FreeBSD 5.3-BETA6
>Organization:
privat
>Environment:

	FreeBSD ports

>Description:

	grpahics/xv marked as forbidden.
	Security patch is now availibe by SuSe.

>How-To-Repeat:

	try to build.

>Fix:

	apply this patch:

- import securitry patches
- update FixPix4xv.patch
Obtained from: SuSe

Index: files/patch-ae
===================================================================
RCS file: /home/pcvs/ports/graphics/xv/files/patch-ae,v
retrieving revision 1.1
diff -u -r1.1 patch-ae
--- files/patch-ae	16 Oct 1996 15:42:04 -0000	1.1
+++ files/patch-ae	5 Oct 2004 17:41:29 -0000
@@ -1,11 +1,28 @@
---- xvimage.c~	Fri Jan 13 18:11:36 1995
-+++ xvimage.c	Tue Oct 15 16:41:47 1996
-@@ -46,6 +46,274 @@
+--- xvimage.c
++++ xvimage.c	Wed Jan 12 15:10:24 2000
+@@ -29,40 +29,302 @@
+ static void flipSel           PARM((int));
+ static void do_zoom           PARM((int, int));
+ static void compute_zoom_rect PARM((int, int, int*, int*, int*, int*));
+ static void do_unzoom         PARM((void));
+ static void do_pan            PARM((int, int));
+ static void do_pan_calc       PARM((int, int, int *, int *));
+ static void crop1             PARM((int, int, int, int, int));
+ static int  doAutoCrop24      PARM((void));
+ static void floydDitherize1   PARM((XImage *, byte *, int, int, int, 
+ 				    byte *, byte *,byte *));
+ static int  highbit           PARM((unsigned long));
+ 
+ static int  doPadSolid        PARM((char *, int, int, int, int));
+ static int  doPadBggen        PARM((char *, int, int, int, int));
+ static int  doPadLoad         PARM((char *, int, int, int, int));
+ 
+ static int  doPadPaste        PARM((byte *, int, int, int, int));
  static int  ReadImageFile1    PARM((char *, PICINFO *));
  
  
-+/* The following array represents the pixel values for each shade of
-+ * the primary color components.
++/* The following array represents the pixel values for each shade
++ * of the primary color components.
 + * If 'p' is a pointer to a source image rgb-byte-triplet, we can
 + * construct the output pixel value simply by 'oring' together
 + * the corresponding components:
@@ -20,7 +37,7 @@
 + * This is both efficient and generic, since the only assumption
 + * is that the primary color components have separate bits.
 + * The order and distribution of bits does not matter, and we
-+ * don't need additional vaiables and shifting/masking code.
++ * don't need additional variables and shifting/masking code.
 + * The array size is 3 KBytes total and thus very reasonable.
 + */
 +
@@ -42,21 +59,14 @@
 + * The method is to draw points in a pixmap with the specified shades
 + * of primary colors and then get the corresponding XImage pixel
 + * representation.
-+ * Thus we can get away with any Bit-order/Byte-Order dependencies.
++ * Thus we can get away with any Bit-order/Byte-order dependencies.
 + *
-+ * The routine uses some global X variables: theDisp, theScreen,
-+ * and dispDEEP. Adapt these to your application as necessary.
++ * The routine uses some global X variables:
++ * theDisp, theScreen, dispDEEP, and theCmap.
++ * Adapt these to your application as necessary.
 + * I've not passed them in as parameters, since for other platforms
 + * than X these may be different (see vfixpix.c), and so the
 + * screen_init() interface is unique.
-+ *
-+ * BUG: I've read in the "Xlib Programming Manual" from O'Reilly &
-+ * Associates, that the DefaultColormap in TrueColor might not
-+ * provide the full shade representation in XAllocColor.
-+ * In this case one had to provide a 'best' colormap instead.
-+ * However, my tests with Xaccel on a Linux-Box with a Mach64
-+ * card were fully successful, so I leave that potential problem
-+ * to you at the moment and would appreciate any suggestions...
 + */
 +
 +static void screen_init()
@@ -73,43 +83,45 @@
 +
 +  check_map = XCreatePixmap(theDisp, RootWindow(theDisp,theScreen),
 +			    1, 1, dispDEEP);
-+  check_gc = XCreateGC(theDisp, RootWindow(theDisp,theScreen), 0, NULL);
++  check_gc = XCreateGC(theDisp, check_map, 0, NULL);
 +  for (ci = 0; ci < 3; ci++) {
 +    for (i = 0; i < 256; i++) {
-+      check_col.flags = DoRed | DoGreen | DoBlue;
 +      check_col.red = 0;
 +      check_col.green = 0;
 +      check_col.blue = 0;
 +      /* Do proper upscaling from unsigned 8 bit (image data values)
 +	 to unsigned 16 bit (X color representation). */
 +      ((unsigned short *)&check_col.red)[ci] = (unsigned short)((i << 8) | i);
-+      if (!XAllocColor(theDisp, DefaultColormap(theDisp,theScreen), &check_col))
-+	FatalError("XAllocColor in screen_init() failed"); /* shouldn't happen */
++      if (theVisual->class == TrueColor)
++	XAllocColor(theDisp, theCmap, &check_col);
++      else
++	xvAllocColor(theDisp, theCmap, &check_col);
 +      screen_set[ci][i] =
 +	(((unsigned short *)&check_col.red)[ci] >> 8) & 0xff;
 +      XSetForeground(theDisp, check_gc, check_col.pixel);
 +      XDrawPoint(theDisp, check_map, check_gc, 0, 0);
 +      check_image = XGetImage(theDisp, check_map, 0, 0, 1, 1,
 +			      AllPlanes, ZPixmap);
-+      if (!check_image) FatalError("XGetImage in screen_init() failed");
-+      switch (check_image->bits_per_pixel) {
-+      case 8:
-+	screen_rgb[ci][i] = *(CARD8 *)check_image->data;
-+	break;
-+      case 16:
-+	screen_rgb[ci][i] = *(CARD16 *)check_image->data;
-+	break;
-+      case 24:
-+	screen_rgb[ci][i] =
-+	  ((unsigned long)*(CARD8 *)check_image->data << 16) |
-+	  ((unsigned long)*(CARD8 *)(check_image->data + 1) << 8) |
-+	  (unsigned long)*(CARD8 *)(check_image->data + 2);
-+	break;
-+      case 32:
-+	screen_rgb[ci][i] = *(CARD32 *)check_image->data;
-+	break;
++      if (check_image) {
++	switch (check_image->bits_per_pixel) {
++	case 8:
++	  screen_rgb[ci][i] = *(CARD8 *)check_image->data;
++	  break;
++	case 16:
++	  screen_rgb[ci][i] = *(CARD16 *)check_image->data;
++	  break;
++	case 24:
++	  screen_rgb[ci][i] =
++	    ((unsigned long)*(CARD8 *)check_image->data << 16) |
++	    ((unsigned long)*(CARD8 *)(check_image->data + 1) << 8) |
++	    (unsigned long)*(CARD8 *)(check_image->data + 2);
++	  break;
++	case 32:
++	  screen_rgb[ci][i] = *(CARD32 *)check_image->data;
++	  break;
++	}
++	XDestroyImage(check_image);
 +      }
-+      XDestroyImage(check_image);
 +    }
 +  }
 +  XFreeGC(theDisp, check_gc);
@@ -156,7 +168,6 @@
 + * current column.  (If we are lucky, those variables are in registers, but
 + * even if not, they're probably cheaper to access than array elements are.)
 + *
-+ * The fserrors[] array is indexed [component#][position].
 + * We provide (#columns + 2) entries per component; the extra entry at each
 + * end saves us from special-casing the first and last pixels.
 + */
@@ -275,7 +286,41 @@
  
  #define DO_CROP 0
  #define DO_ZOOM 1
-@@ -1883,33 +2151,17 @@
+ 
+ 
+ /***********************************/
+ void Resize(w,h)
+ int w,h;
+ {
+   RANGE(w,1,maxWIDE);  RANGE(h,1,maxHIGH);
+ 
+   if (HaveSelection()) DrawSelection(0);  /* turn off old rect */
+ 
+   if (psUp) PSResize();   /* if PSDialog is open, mention size change  */
+ 
+   /* if same size, and Ximage created, do nothing */
+   if (w==eWIDE && h==eHIGH && theImage!=NULL) return;
+ 
+   if (DEBUG) fprintf(stderr,"Resize(%d,%d)  eSIZE=%d,%d  cSIZE=%d,%d\n",
+ 		     w,h,eWIDE,eHIGH,cWIDE,cHIGH);
+@@ -1866,156 +2128,145 @@
+     if (!xim) FatalError("couldn't create xim!");
+ 
+     imagedata = (byte *) malloc((size_t) (xim->bytes_per_line * high));
+     if (!imagedata) FatalError("couldn't malloc imagedata");
+ 
+     xim->data = (char *) imagedata;
+     floydDitherize1(xim, pic24,PIC24, (int) wide, (int) high, NULL,NULL,NULL);
+ 
+     return xim;
+   }
+ 
+ 
+ 
+ 
+   if (theVisual->class == TrueColor || theVisual->class == DirectColor) {
+ 
+     /************************************************************************/
      /* Non-ColorMapped Visuals:  TrueColor, DirectColor                     */
      /************************************************************************/
  
@@ -311,7 +356,13 @@
  
      imagedata = (byte *) malloc((size_t) (high * bperline));
      if (!imagedata) FatalError("couldn't malloc imagedata");
-@@ -1923,82 +2175,87 @@
+ 
+     xim->data = (char *) imagedata;
+ 
+     if (bperpix != 8 && bperpix != 16 && bperpix != 24 && bperpix != 32) {
+       char buf[128];
+       sprintf(buf,"Sorry, no code written to handle %d-bit %s",
+ 	      bperpix, "TrueColor/DirectColor displays!");
        FatalError(buf);
      }
  
@@ -363,19 +414,6 @@
 -	    *ip++ = (xcol>>8)  & 0xff;
 -	    *ip++ = (xcol>>16) & 0xff;
 -	    *ip++ = (xcol>>24) & 0xff;
--	  }
--	}
--
--	else if (bperpix == 24) {
--	  if (border == MSBFirst) {
--	    *ip++ = (xcol>>16) & 0xff;
--	    *ip++ = (xcol>>8)  & 0xff;
--	    *ip++ =  xcol      & 0xff;
--	  }
--	  else {  /* LSBFirst */
--	    *ip++ =  xcol      & 0xff;
--	    *ip++ = (xcol>>8)  & 0xff;
--	    *ip++ = (xcol>>16) & 0xff;
 +#ifdef DO_FIXPIX_SMOOTH
 +#if 0
 +    /* If we wouldn't have to save the original pic24 image data,
@@ -396,7 +434,6 @@
 +     * dithering/rendering in a loop using a temporary line buffer.
 +     */
 +    if (bperpix < 24) {
-+      int alldone = 0;
 +      FSBUF *fs = fs2_init(wide);
 +      if (fs) {
 +	byte *row_buf = malloc((size_t)wide * 3);
@@ -422,12 +459,25 @@
 +	      }
 +	    }
  	  }
-+	  alldone = 1;
+-	}
 +	  free(row_buf);
++	  free(fs);
+ 
+-	else if (bperpix == 24) {
+-	  if (border == MSBFirst) {
+-	    *ip++ = (xcol>>16) & 0xff;
+-	    *ip++ = (xcol>>8)  & 0xff;
+-	    *ip++ =  xcol      & 0xff;
+-	  }
+-	  else {  /* LSBFirst */
+-	    *ip++ =  xcol      & 0xff;
+-	    *ip++ = (xcol>>8)  & 0xff;
+-	    *ip++ = (xcol>>16) & 0xff;
+-	  }
++	  return xim;
  	}
 +	free(fs);
 +      }
-+      if (alldone) return xim;
 +    }
 +#endif
 +#endif
@@ -470,3 +520,20 @@
  	}
        }
      }
+   }
+ 
+   else {
+ 
+     /************************************************************************/
+     /* CMapped Visuals:  PseudoColor, GrayScale, StaticGray, StaticColor... */
+     /************************************************************************/
+ 
+     byte *pic8;
+     int   bwdith;
+ 
+     /* in all cases, make an 8-bit version of the image, either using
+        'black' and 'white', or the stdcmap */
+ 
+     bwdith = 0;
+ 
+     if (ncols == 0 && dispDEEP != 1) {   /* do 'black' and 'white' dither */
Index: files/patch-suse-2003-01-27
===================================================================
RCS file: files/patch-suse-2003-01-27
diff -N files/patch-suse-2003-01-27
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-suse-2003-01-27	5 Oct 2004 17:41:30 -0000
@@ -0,0 +1,675 @@
+--- xv.c
++++ xv.c	2003-01-27 00:03:36.000000000 +0100
+@@ -146,9 +146,7 @@
+      rmodeset, gamset, cgamset, perfect, owncmap, rwcolor, stdcmap;
+ int  nodecor;
+ double gamval, rgamval, ggamval, bgamval;
+-
+-
+-
++winRepositionningInfoST winRepositionningInfo = { 0, 0};
+ 
+ /*******************************************/
+ int main(argc, argv)
+@@ -2125,6 +2145,7 @@
+     /* if the file is STDIN, write it out to a temp file */
+ 
+     if (strcmp(filename,STDINSTR)==0) {
++      int tmpfd;
+       FILE *fp;
+ 
+ #ifndef VMS      
+@@ -2135,11 +2156,15 @@
+       mktemp(filename);
+ 
+       clearerr(stdin);
+-      fp = fopen(filename,"w");
++      tmpfd = open(filename,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR);
++      if (tmpfd < 0) FatalError("openPic(): can't create temporary file");
++      fp = fdopen(tmpfd,"w");
+       if (!fp) FatalError("openPic(): can't write temporary file");
+     
+       while ( (i=getchar()) != EOF) putc(i,fp);
++      fflush(fp);
+       fclose(fp);
++      close(tmpfd);
+ 
+       /* and remove it from list, since we can never reload from stdin */
+       if (strcmp(namelist[0], STDINSTR)==0) deleteFromList(0);
+@@ -2672,7 +2697,11 @@
+      to generate the correct exposes (particularly with 'BitGravity' turned
+      on */
+ 
+-  if (mainW && !useroot) GenExpose(mainW, 0, 0, (u_int) eWIDE, (u_int) eHIGH);
++  /*Brian T. Schellenberger: fix for X 4.2 refresh problem*/
++  if (mainW && !useroot) {
++    XSync(theDisp, False);
++    GenExpose(mainW, 0, 0, (u_int) eWIDE, (u_int) eHIGH);
++  }
+ 
+   return 1;
+ 
+@@ -2812,7 +2846,8 @@
+ 
+ #ifdef GS_PATH
+   else if (strncmp((char *) magicno, "%!",     (size_t) 2)==0 ||
+-	   strncmp((char *) magicno, "\004%!", (size_t) 3)==0)   rv = RFT_PS;
++	   strncmp((char *) magicno, "\004%!", (size_t) 3)==0 ||
++	   strncmp((char *) magicno, "%PDF",   (size_t) 4)==0)   rv = RFT_PS;
+ #endif
+ 
+ #ifdef HAVE_MAG
+@@ -2959,6 +2998,7 @@
+      returns '0' on failure */
+ 
+   char namez[128], *fname, buf[512];
++  int tmpfd;
+ 
+   fname = name;
+   namez[0] = '\0';
+@@ -3047,15 +3090,18 @@
+      char *src, *dst;
+ {
+   char tmpname[128], buffer[8192]; /* XXX */
+-  int n, eof;
++  int n, eof, tmpfd;
+   FILE *sfp, *dfp;
+ 
+   sprintf(dst, "%s/xvmXXXXXX", tmpdir);
+   mktemp(dst);
++  tmpfd = open(dst,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR);
++  if (tmpfd < 0) FatalError("RemoveMacbinary(): can't create temporary file");
++
+   SetISTR(ISTR_INFO, "Removing MacBinary...");
+ 
+   sfp = xv_fopen(src, "r"); 
+-  dfp = xv_fopen(dst, "w"); 
++  dfp = fdopen(tmpfd, "w"); 
+   if (!sfp || !dfp) {
+     SetISTR(ISTR_INFO, "Unable to remove a InfoFile header form '%s'.", src);
+     Warning();
+@@ -3067,7 +3113,9 @@
+   if (eof = feof(sfp))
+     fwrite(buffer, 1, n, dfp);
+   fclose(sfp);
++  fflush(dfp);
+   fclose(dfp);
++  close(tmpfd);
+   if (!eof) {
+     SetISTR(ISTR_INFO, "Unable to remove a InfoFile header form '%s'.", src);
+     Warning();
+@@ -3199,7 +3247,7 @@
+    */
+ 
+   char fullcmd[512], tmpname[64], str[512];
+-  int i;
++  int i, tmpfd;
+ 
+   if (!cmd || (strlen(cmd) < (size_t) 2)) return 1;
+ 
+@@ -3210,6 +3258,9 @@
+     ErrPopUp(str, "\nHow unlikely!");
+     return 1;
+   }
++  tmpfd = open(tmpname,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR);
++  if (tmpfd < 0) FatalError("openPic(): can't create temporary file");
++  close(tmpfd);
+ 
+   /* build command */
+   strcpy(fullcmd, cmd+1);  /* skip the leading '!' character in cmd */
+--- xv.h
++++ xv.h	2003-01-27 00:03:36.000000000 +0100
+@@ -310,7 +294,9 @@
+ #  endif
+ #endif
+ 
+-
++#ifndef		S_IRWUSR
++#  define	S_IRWUSR	(S_IRUSR|S_IWRITE)
++#endif
+ 
+ #ifndef MAXPATHLEN
+ #  define MAXPATHLEN 256
+@@ -813,6 +811,13 @@
+ #define WHERE
+ #endif
+ 
++/* Needed for repositionning with negative geometries */
++typedef struct {
++  int negativeX;
++  int negativeY;
++} winRepositionningInfoST;
++extern winRepositionningInfoST winRepositionningInfo;
++
+ typedef unsigned char byte;
+ 
+ typedef struct scrl { 
+--- xvdir.c
++++ xvdir.c	2003-01-27 00:03:36.000000000 +0100
+@@ -80,7 +83,7 @@
+ 			       "PIC",
+ #endif /* HAVE_PIC */
+ #ifdef HAVE_MAKI
+-			       "MAKI",
++			       "MAKI (640x400 only)",
+ #endif /* HAVE_MAKI */
+ #ifdef HAVE_PI
+ 			       "PI",
+--- xvevent.c
++++ xvevent.c	2003-01-27 00:03:36.000000000 +0100
+@@ -64,6 +64,8 @@
+ 
+ static void   annotatePic      PARM((void));
+ 
++static int    debkludge_offx;
++static int    debkludge_offy;
+ 
+ /****************/
+ int EventLoop()
+@@ -676,6 +694,29 @@
+ 	p_offy = xwa.y;
+       }
+ 
++      /* Gather info to keep right border inside */
++      {
++	Window current;
++	Window root_r;
++	Window parent_r;
++	Window *children_r;
++	int nchildren_r;
++	XWindowAttributes xwa;
++
++	parent_r=mainW;
++	current=mainW;
++	do {
++	  current=parent_r;
++	  XQueryTree(theDisp, current, &root_r, &parent_r,
++		     &children_r, &nchildren_r);
++	  if (children_r!=NULL) {
++	    XFree(children_r);
++	  }
++	} while(parent_r!=root_r);
++	XGetWindowAttributes(theDisp, current, &xwa);
++	debkludge_offx=eWIDE-xwa.width+p_offx;
++	debkludge_offy=eHIGH-xwa.height+p_offy;
++      }
+       
+       /* move window around a bit... */
+       {
+@@ -2078,6 +2127,26 @@
+   if (xwa->width  < dispWIDE && xwc.x < p_offx) xwc.x = p_offx;
+   if (xwa->height < dispHIGH && xwc.y < p_offy) xwc.y = p_offy;
+ 
++  /* Try to keep bottom right decorations inside */
++  if (xwc.x+eWIDE-debkludge_offx>dispWIDE) {
++    xwc.x=dispWIDE-eWIDE+debkludge_offx;
++    if (xwc.x<0) xwc.x=0;
++  }
++  if (xwc.y+eHIGH-debkludge_offy>dispHIGH) {
++    xwc.y=dispHIGH-eHIGH+debkludge_offy;
++    if (xwc.y<0) xwc.y=0;
++  }
++
++  /* In case of negative offset for first image */
++  if (winRepositionningInfo.negativeX) {
++    xwc.x+=winRepositionningInfo.negativeX;
++    winRepositionningInfo.negativeX=0;
++  }
++  if (winRepositionningInfo.negativeY) {
++    xwc.y+=winRepositionningInfo.negativeY;
++    winRepositionningInfo.negativeY=0;
++  }
++
+   xwc.width  = xwa->width;
+   xwc.height = xwa->height;
+ 
+--- xvfits.c
++++ xvfits.c	2003-01-27 00:03:36.000000000 +0100
+@@ -14,7 +14,7 @@
+  * provided "as is" without express or implied warranty.
+  */
+ 
+-
++#define  NEEDSDIR /* for S_IRUSR|S_IWUSR */
+ #include "xv.h"
+ 
+ #define NCARDS    (36)
+@@ -223,7 +223,7 @@
+    * If there was a problem writing files, then a error message will be set.
+    */
+   
+-  int   i, np=nx * ny, ioerror, nwrt;
++  int   i, np=nx * ny, ioerror, nwrt, tmpfd;
+   FILE *fp;
+   char *error;
+   byte *work;
+@@ -246,7 +246,12 @@
+ 
+   for (i=0; i < nz && !error; i++) {
+     sprintf(filename, "%s%d", basename, i+1);
+-    fp = xv_fopen(filename, "w");
++    tmpfd = open(filename,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR);
++    if (tmpfd < 0) {
++      error = "Unable to open temporary file";
++      break;
++    }
++    fp = fdopen(tmpfd, "w");
+     if (!fp) {
+       error = "Unable to open temporary file";
+       break;
+@@ -254,13 +259,17 @@
+     
+     if (wrheader(fp, nx, ny, comment)) {
+       error = "I/O error writing temporary file";
++      fflush(fp);
+       fclose(fp);
++      close(tmpfd);
+       unlink(filename);
+       break;
+     }
+ 
+     nwrt = fwrite(image+i*np, sizeof(byte), (size_t) np, fp);
++    fflush(fp);
+     fclose(fp);
++    close(tmpfd);
+ 
+     if (nwrt == 0) {  /* failed to write any data */
+       error = "I/O error writing temporary file";
+--- xvimage.c
++++ xvimage.c	2003-01-27 00:03:36.000000000 +0100
+@@ -21,6 +21,7 @@
+  *            int  LoadPad(pinfo, fname);
+  */
+ 
++#define  NEEDSDIR             /* for S_IRUSR|S_IWUSR */
+ #include "copyright.h"
+ 
+ #include "xv.h"
+@@ -2927,7 +2930,7 @@
+      char *str;
+      int   wide, high, opaque,omode;
+ {
+-  int i;
++  int i, tmpfd;
+   byte *bgpic24;
+   char syscmd[512], fname[128], errstr[512];
+   PICINFO pinfo;
+@@ -2949,6 +2952,13 @@
+   strcpy(fname, "Sys$Disk:[]xvuXXXXXX");
+ #endif
+   mktemp(fname);
++  tmpfd = open(fname, O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR);
++  if (tmpfd < 0) {
++    sprintf(errstr, "Error: can't create temporary file %s", fname);
++    ErrPopUp(errstr, "\nDoh!");
++    return 0;
++  }
++  close(tmpfd);
+ 
+   /* run bggen to generate the background */
+   sprintf(syscmd, "bggen -g %dx%d %s > %s", wide, high, str, fname);
+--- xvmaki.c
++++ xvmaki.c	2003-01-27 00:03:36.000000000 +0100
+@@ -355,8 +355,12 @@
+ 	return -1;
+     }
+     
+-    if(w != 640 || h != 400)
++    if(w != 640 || h != 400) {
++        char  str[512];
++        sprintf(str,"MAKI: %s Should be 640x400", maki_msgs[MAKI_SIZE]);
++	ErrPopUp(str, "\nBummer!");
+ 	maki_error(mi, MAKI_SIZE);
++    }
+     
+     maki.fp = fp;
+     maki.width = w;
+@@ -669,6 +673,7 @@
+ static void maki_init_info(mi)
+     struct maki_info *mi;
+ {
++    xvbzero((char *)mi, sizeof(struct maki_info));
+     mi->fp = NULL;
+     mi->fsize = 0;
+     mi->x0 = mi->y0 = mi->x1 = mi->y1 = 0;
+--- xvpds.c
++++ xvpds.c	2003-01-27 00:03:36.000000000 +0100
+@@ -102,7 +102,7 @@
+  * This software is provided "as is" without any express or implied warranty.
+  */
+ 
+-
++#define  NEEDSDIR       /* for S_IRUSR|S_IWUSR */
+ #include "xv.h"
+ 
+ #ifdef HAVE_PDS
+@@ -250,7 +250,7 @@
+ {
+   /* returns '1' on success, '0' on failure */
+ 
+-  int tempnum;
++  int tempnum, tmpfd;
+   FILE	*zf;
+   static int isfixed,teco,i,j,itype,vaxbyte,
+              recsize,hrecsize,irecsize,isimage,labelrecs,labelsofar,
+@@ -690,6 +690,12 @@
+ #ifndef VMS
+     sprintf(pdsuncompfname,"%s/xvhuffXXXXXX", tmpdir);
+     mktemp(pdsuncompfname);
++    tmpfd = open(pdsuncompfname,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR);
++    if (tmpfd < 0) {
++	SetISTR(ISTR_WARNING,"Unable to create temporarly file.");
++	return 0;
++    }
++    close(tmpfd);
+     sprintf(scanbuff,"%s %s - 4 >%s",PDSUNCOMP,fname,pdsuncompfname);
+ #else
+     strcpy(pdsuncompfname,"sys$disk:[]xvhuffXXXXXX");
+--- xvps.c
++++ xvps.c	2003-01-27 00:03:36.000000000 +0100
+@@ -1564,7 +1564,7 @@
+   /* build command string */
+ 
+ #ifndef VMS  /* VMS needs quotes around mixed case command lines */
+-  sprintf(tmp, "%s -sDEVICE=%s -r%d -q -dNOPAUSE -sOutputFile=%s%%d ",
++  sprintf(tmp, "%s -sDEVICE=%s -r%d -q -dSAFER -dNOPAUSE -sOutputFile=%s%%d ",
+ 	  GS_PATH, gsDev, gsRes, tmpname);
+ #else
+   sprintf(tmp, 
+--- xvtiff.c
++++ xvtiff.c	2003-01-27 00:03:36.000000000 +0100
+@@ -5,6 +5,7 @@
+  * LoadTIFF(fname, numcols, quick)  -  load a TIFF file
+  */
+ 
++#define  NEEDSDIR       /* for S_IRUSR|S_IWUSR */
+ #ifndef va_start
+ # define NEEDSARGS
+ #endif
+@@ -56,7 +89,7 @@
+     return 0;
+   }
+ 
+-  fseek(fp, 0L, 2);
++  fseek(fp, 0L, SEEK_END);
+   filesize = ftell(fp);
+   fclose(fp);
+ 
+@@ -1065,7 +1308,7 @@
+      int fromskew, toskew;
+ {
+   while (h-- > 0) {
+-    UNROLL8(w,0, *cp++ = PALmap[*pp++][0]);
++    UNROLL8(w,, *cp++ = PALmap[*pp++][0]);
+     cp += toskew;
+     pp += fromskew;
+   }
+@@ -1262,7 +1504,7 @@
+     }
+   } else {
+     while (h-- > 0) {
+-      UNROLL8(w,0,
++      UNROLL8(w,,
+ 	      *cp++ = pp[0];
+ 	      *cp++ = pp[1];
+ 	      *cp++ = pp[2];
+@@ -1335,7 +1577,7 @@
+     }
+   } else {
+     while (h-- > 0) {
+-      UNROLL8(w,0,
++      UNROLL8(w,,
+ 	      *cp++ = *r++;
+ 	      *cp++ = *g++;
+ 	      *cp++ = *b++;
+--- xvtiffwr.c
++++ xvtiffwr.c	2003-01-27 00:03:36.000000000 +0100
+@@ -78,6 +78,9 @@
+       TIFFSetField(tif, TIFFTAG_GROUP3OPTIONS,
+ 	  GROUP3OPT_2DENCODING+GROUP3OPT_FILLBITS);
+ 
++  if (comp == COMPRESSION_LZW)
++      TIFFSetField(tif, TIFFTAG_PREDICTOR, 2);
++
+   TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
+   TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 1);
+   TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT);
+--- xvvd.c
++++ xvvd.c	2003-01-27 00:03:36.000000000 +0100
+@@ -793,7 +794,7 @@
+        returns '0' on failure */
+ 
+     char namez[128], *fname, buf[512], tmp[HEADERSIZE];
+-    int n;
++    int n, tmpfd;
+     FILE *pfp, *tfp;
+   
+     fname = name;
+@@ -834,10 +835,17 @@
+ 	Warning();
+ 	return 0;
+     }
+-    if ((tfp = fopen(uncompname, "w")) == NULL) {
++    if ((tmpfd = open(uncompname,O_WRONLY|O_CREAT|O_EXCL,S_IRWUSR)) < 0) {
++	SetISTR(ISTR_INFO, "Unable to create temporarly file.",
++		BaseName(uncompname));
++	Warning();
++	pclose(pfp);
++    }
++    if ((tfp = fdopen(tmpfd, "w")) == NULL) {
+ 	SetISTR(ISTR_INFO, "Unable to create temporarly file.",
+ 		BaseName(uncompname));
+ 	Warning();
++	close(tmpfd);
+ 	pclose(pfp);
+ 	return 0;
+     }
+@@ -846,11 +854,15 @@
+ 		BaseName(fname));
+ 	Warning();
+ 	pclose(pfp);
++	fflush(tfp);
+ 	fclose(tfp);
++	close(tmpfd);
+ 	return 0;
+     }
+     fwrite(tmp, 1, n, tfp);
++    fflush(tfp);
+     fclose(tfp);
++    close(tmpfd);
+     pclose(pfp);
+     
+     /* if we renamed the file to end with a .Z for the sake of 'uncompress', 
+--- xvxpm.c
++++ xvxpm.c	2003-01-27 00:03:36.000000000 +0100
+@@ -77,96 +77,104 @@
+   hentry  *clmp;		/* colormap hash-table */
+   hentry  *c_sptr;		/* cmap hash-table search pointer*/
+   XColor   col;
+-  
++
+   bname = BaseName(fname);
+   fp = fopen(fname, "r");
+   if (!fp)
+     return (XpmLoadError(bname, "couldn't open file"));
+-  
++
+   if (DEBUG)
+     printf("LoadXPM(): Loading xpm from %s\n", fname);
+-  
++
+   fseek(fp, 0L, 2);
+   filesize = ftell(fp);
+   fseek(fp, 0L, 0);
+-  
++
+   bufchar = -2;
+   in_quote = FALSE;
+-  
++
+   /* Read in the values line.  It is the first string in the
+    * xpm, and contains four numbers.  w, h, num_colors, and
+    * chars_per_pixel. */
+-  
++
+   /* First, get to the first string */
+   while (((c = XpmGetc(fp))!=EOF) && (c != '"')) ;
+   line_pos = 0;
+-  
++
+   /* Now, read in the string */
+   while (((c = XpmGetc(fp))!=EOF) && (line_pos < VALUES_LEN) && (c != '"')) {
+     values[line_pos++] = c;
+   }
+   if (c != '"')
+     return (XpmLoadError(bname, "error parsing values line"));
+-  
++
+   values[line_pos] = '\0';
+   sscanf(values, "%d%d%d%d", &w, &h, &nc, &cpp);
+   if (nc <= 0 || cpp <= 0)
+     return (XpmLoadError(bname, "No colours in Xpm?"));
+-  
++
+   if (nc > 256)
+     pinfo->type = PIC24;
+   else
+     pinfo->type = PIC8;
+-  
++
+   if (DEBUG)
+     printf("LoadXPM(): reading a %dx%d image (%d colors)\n", w, h, nc);
+-  
++
+   /* We got this far... */
+   WaitCursor();
+-  
++
+   if (!hash_init(nc))
+     return (XpmLoadError(bname, "Not enough memory to hash colormap"));
+-  
++
+   clmp = (hentry *) malloc(nc * sizeof(hentry)); /* Holds the colormap */
+   if (pinfo->type == PIC8) pic = (byte *) malloc((size_t) (w*h));
+                       else pic = (byte *) malloc((size_t) (w*h*3));
+-  
++
+   if (!clmp || !pic)
+     return (XpmLoadError(bname, "Not enough memory to load pixmap"));
+-  
++
+   c_sptr = clmp;
+   i_sptr = pic;
+-  
++
+   /* initialize the 'hex' array for zippy ASCII-hex -> int conversion */
+-  
++
+   for (i = 0 ; i < 256 ; i++)   hex[i] = 0;
+   for (i = '0'; i <= '9' ; i++) hex[i] = i - '0';
+   for (i = 'a'; i <= 'f' ; i++) hex[i] = i - 'a' + 10;
+   for (i = 'A'; i <= 'F' ; i++) hex[i] = i - 'A' + 10;
+-  
++
+   /* Again, we've made progress. */
+   WaitCursor();
+-  
++
+   /* Now, we need to read the colormap. */
+   pinfo->colType = F_BWDITHER;
+   for (i = 0 ; i < nc ; i++) {
+     while (((c = XpmGetc(fp))!=EOF) && (c != '"')) ;
+     if (c != '"')
+       return (XpmLoadError(bname, "Error reading colormap"));
+-    
++
+     for (j = 0 ; j < cpp ; j++)
+       c_sptr->token[j] = XpmGetc(fp);
+     c_sptr->token[j] = '\0';
+-    
++
+     while (((c = XpmGetc(fp))!=EOF) && ((c == ' ') || (c == '\t'))) ;
+     if (c == EOF)		/* The failure condition of getc() */
+       return (XpmLoadError(bname, "Error parsing colormap line"));
+-    
++
+     do {
+       char  key[3];
+-      char  color[40];	/* Need to figure a good size for this... */
++      char  color[80];	/* Need to figure a good size for this... */
+       short hd;		/* Hex digits per R, G, or B */
+-      
++
++/*
++ *  Problem with spaces in color names
++ *
++ *    X s Color Name m Other Name c Last Name
++ *
++ *  ... this parser doesn't find `Any Name'
++ */
++
+       for (j=0; j<2 && (c != ' ') && (c != '\t') && (c != EOF); j++) {
+ 	key[j] = c;
+ 	c = XpmGetc(fp);
+@@ -177,7 +185,7 @@
+       if (c == EOF)	/* The failure condition of getc() */
+ 	return (XpmLoadError(bname, "Error parsing colormap line"));
+ 
+-      for (j=0; j<39 && (c!=' ') && (c!='\t') && (c!='"') && c!=EOF; j++) {
++      for (j=0; j<79 && (c!=' ') && (c!='\t') && (c!='"') && c!=EOF; j++) {
+ 	color[j] = c;
+ 	c = XpmGetc(fp);
+       }
+@@ -236,13 +244,13 @@
+       else {      /* 'None' or unrecognized color spec */
+ 	int rgb;
+ 
+-	if (strcmp(color, "None") == 0) rgb = 0xb2c0dc;  /* infobg */
++	if (strcasecmp(color, "None") == 0) rgb = 0xb2c0dc;  /* infobg */
+ 	else {
+ 	  SetISTR(ISTR_INFO, "%s:  unknown color spec '%s'", bname, color);
+ 	  Timer(1000);
+ 	  rgb = 0x808080;
+ 	}
+-	
++
+ 	if (pinfo->type == PIC8) {
+ 	  pinfo->r[i] = (rgb>>16) & 0xff;
+ 	  pinfo->g[i] = (rgb>> 8) & 0xff;
+@@ -309,28 +317,29 @@
+ 	*i_sptr++ = mapentry->cv_rgb[2];
+       }
+     }  /* for ( j < w ) */
+-    (void)XpmGetc(fp);		/* Throw away the close " */
+-  
++    while (((c = XpmGetc(fp))!=EOF) &&	/* Throw away the close " and */
++	   (c != '"')) ;		/* erase all remaining pixels */
++
+     if (!(i%7)) WaitCursor();
+   }  /* for ( i < h ) */
+-  
++
+   pinfo->pic = pic;
+   pinfo->normw = pinfo->w = w;
+   pinfo->normh = pinfo->h = h;
+   pinfo->frmType = F_XPM;
+ 
+   if (DEBUG) printf("LoadXPM(): pinfo->colType is %d\n", pinfo->colType);
+-  
++
+   sprintf(pinfo->fullInfo, "Xpm v3 Pixmap (%ld bytes)", filesize);
+   sprintf(pinfo->shrtInfo, "%dx%d Xpm.", w, h);
+   pinfo->comment = (char *)NULL;
+-  
++
+   hash_destroy();
+   free(clmp);
+-  
++
+   if (fp != stdin)
+     fclose(fp);
+-  
++
+   return(1);
+ }
+ 
Index: files/patch-suse-2004-07-28
===================================================================
RCS file: files/patch-suse-2004-07-28
diff -N files/patch-suse-2004-07-28
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-suse-2004-07-28	5 Oct 2004 17:41:30 -0000
@@ -0,0 +1,195 @@
+--- xvbmp.c
++++ xvbmp.c	Wed Jul 28 15:16:05 2004
+@@ -32,7 +32,7 @@
+ static int   loadBMP1   PARM((FILE *, byte *, u_int, u_int));
+ static int   loadBMP4   PARM((FILE *, byte *, u_int, u_int, u_int));
+ static int   loadBMP8   PARM((FILE *, byte *, u_int, u_int, u_int));
+-static int   loadBMP24  PARM((FILE *, byte *, u_int, u_int));
++static int   loadBMP24  PARM((FILE *, byte *, u_int, u_int, u_int));
+ static u_int getshort   PARM((FILE *));
+ static u_int getint     PARM((FILE *));
+ static void  putshort   PARM((FILE *, int));
+@@ -127,7 +127,8 @@
+ 
+ 
+   /* error checking */
+-  if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && biBitCount!=24) || 
++  if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && 
++       biBitCount!=24 && biBitCount!=32) || 
+       biPlanes!=1 || biCompression>BI_RLE4) {
+ 
+     sprintf(buf,"Bogus BMP File!  (bitCount=%d, Planes=%d, Compression=%d)",
+@@ -137,7 +138,8 @@
+     goto ERROR;
+   }
+ 
+-  if (((biBitCount==1 || biBitCount==24) && biCompression != BI_RGB) ||
++  if (((biBitCount==1 || biBitCount==24 || biBitCount==32)
++       && biCompression != BI_RGB) ||
+       (biBitCount==4 && biCompression==BI_RLE8) ||
+       (biBitCount==8 && biCompression==BI_RLE4)) {
+ 
+@@ -159,7 +161,7 @@
+   }
+ 
+   /* load up colormap, if any */
+-  if (biBitCount!=24) {
++  if (biBitCount!=24 && biBitCount!=32) {
+     int i, cmaplen;
+ 
+     cmaplen = (biClrUsed) ? biClrUsed : 1 << biBitCount;
+@@ -197,7 +199,7 @@
+ 
+   /* create pic8 or pic24 */
+ 
+-  if (biBitCount==24) {
++  if (biBitCount==24 || biBitCount==32) {
+     pic24 = (byte *) calloc((size_t) biWidth * biHeight * 3, (size_t) 1);
+     if (!pic24) return (bmpError(bname, "couldn't malloc 'pic24'"));
+   }
+@@ -212,16 +214,18 @@
+   if      (biBitCount == 1) rv = loadBMP1(fp,pic8,biWidth,biHeight);
+   else if (biBitCount == 4) rv = loadBMP4(fp,pic8,biWidth,biHeight,
+ 					  biCompression);
+-  else if (biBitCount == 8) rv = loadBMP8(fp,pic8,biWidth,biHeight,
++  else if (biBitCount == 8) rv = loadBMP8(fp,pic8,biWidth,biHeight, 
+ 					  biCompression);
+-  else                      rv = loadBMP24(fp,pic24,biWidth,biHeight);
++  else                      rv = loadBMP24(fp,pic24,biWidth,biHeight,
++					   biBitCount);
++
+ 
+   if (rv) bmpError(bname, "File appears truncated.  Winging it.\n");
+ 
+   fclose(fp);
+ 
+ 
+-  if (biBitCount == 24) {
++  if (biBitCount == 24 || biBitCount == 32) {
+     pinfo->pic  = pic24;
+     pinfo->type = PIC24;
+   }
+@@ -264,12 +268,13 @@
+      u_int  w,h;
+ {
+   int   i,j,c,bitnum,padw;
+-  byte *pp;
++  byte *pp = pic8 + ((h - 1) * w);
++  size_t l = w*h;
+ 
+   c = 0;
+   padw = ((w + 31)/32) * 32;  /* 'w', padded to be a multiple of 32 */
+ 
+-  for (i=h-1; i>=0; i--) {
++  for (i=h-1; i>=0 && (pp - pic8 <= l); i--) {
+     pp = pic8 + (i * w);
+     if ((i&0x3f)==0) WaitCursor();
+     for (j=bitnum=0; j<padw; j++,bitnum++) {
+@@ -298,8 +303,8 @@
+      u_int  w,h,comp;
+ {
+   int   i,j,c,c1,x,y,nybnum,padw,rv;
+-  byte *pp;
+-  
++  byte *pp = pic8 + ((h - 1) * w);
++  size_t l = w*h;
+   
+   rv = 0;
+   c = c1 = 0;
+@@ -307,7 +312,7 @@
+   if (comp == BI_RGB) {   /* read uncompressed data */
+     padw = ((w + 7)/8) * 8; /* 'w' padded to a multiple of 8pix (32 bits) */
+     
+-    for (i=h-1; i>=0; i--) {
++    for (i=h-1; i>=0 && (pp - pic8 <= l); i--) {
+       pp = pic8 + (i * w);
+       if ((i&0x3f)==0) WaitCursor();
+       
+@@ -335,7 +340,7 @@
+       
+       if (c) {                                   /* encoded mode */
+ 	c1 = getc(fp);
+-	for (i=0; i<c; i++,x++,pp++) 
++	for (i=0; i<c && (pp - pic8 <= l); i++,x++,pp++) 
+ 	  *pp = (i&1) ? (c1 & 0x0f) : ((c1>>4)&0x0f);
+       }
+       
+@@ -355,7 +360,7 @@
+ 	}
+ 	
+ 	else {                                   /* absolute mode */
+-	  for (i=0; i<c; i++, x++, pp++) {
++	  for (i=0; i<c && (pp - pic8 <= l); i++, x++, pp++) {
+ 	    if ((i&1) == 0) c1 = getc(fp);
+ 	    *pp = (i&1) ? (c1 & 0x0f) : ((c1>>4)&0x0f);
+ 	  }
+@@ -384,14 +389,15 @@
+      u_int  w,h,comp;
+ {
+   int   i,j,c,c1,padw,x,y,rv;
+-  byte *pp;
++  byte *pp = pic8 + ((h - 1) * w);
++  size_t l = w*h;
+   
+   rv = 0;
+ 
+   if (comp == BI_RGB) {   /* read uncompressed data */
+     padw = ((w + 3)/4) * 4; /* 'w' padded to a multiple of 4pix (32 bits) */
+ 
+-    for (i=h-1; i>=0; i--) {
++    for (i=h-1; i>=0 && (pp - pic8 <= l); i--) {
+       pp = pic8 + (i * w);
+       if ((i&0x3f)==0) WaitCursor();
+ 
+@@ -412,7 +418,7 @@
+ 
+       if (c) {                                   /* encoded mode */
+ 	c1 = getc(fp);
+-	for (i=0; i<c; i++,x++,pp++) *pp = c1;
++	for (i=0; i<c && (pp - pic8 <= l); i++,x++,pp++) *pp = c1;
+       }
+ 
+       else {    /* c==0x00  :  escape codes */
+@@ -431,7 +437,7 @@
+ 	}
+ 
+ 	else {                                   /* absolute mode */
+-	  for (i=0; i<c; i++, x++, pp++) {
++	  for (i=0; i<c && (pp - pic8 <= l); i++, x++, pp++) {
+ 	    c1 = getc(fp);
+ 	    *pp = c1;
+ 	  }
+@@ -454,19 +460,21 @@
+ 
+ 
+ /*******************************************/
+-static int loadBMP24(fp, pic24, w, h)
++static int loadBMP24(fp, pic24, w, h, bits)
+      FILE *fp;
+      byte *pic24;
+-     u_int  w,h;
++     u_int  w,h, bits;
+ {
+   int   i,j,padb,rv;
+-  byte *pp;
++  byte *pp = pic24 + ((h - 1) * w * 3);
++  size_t l = w*h*3;
+ 
+   rv = 0;
+ 
+   padb = (4 - ((w*3) % 4)) & 0x03;  /* # of pad bytes to read at EOscanline */
++  if (bits==32) padb = 0;
+ 
+-  for (i=h-1; i>=0; i--) {
++  for (i=h-1; i>=0 && (pp - pic24 <= l); i--) {
+     pp = pic24 + (i * w * 3);
+     if ((i&0x3f)==0) WaitCursor();
+     
+@@ -474,6 +482,7 @@
+       pp[2] = getc(fp);   /* blue */
+       pp[1] = getc(fp);   /* green */
+       pp[0] = getc(fp);   /* red */
++      if (bits==32) getc(fp);
+       pp += 3;
+     }
+ 
Index: files/patch-suse-2004-08-24
===================================================================
RCS file: files/patch-suse-2004-08-24
diff -N files/patch-suse-2004-08-24
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-suse-2004-08-24	5 Oct 2004 17:41:30 -0000
@@ -0,0 +1,138 @@
+--- xvbmp.c
++++ xvbmp.c	Tue Aug 24 12:42:52 2004
+@@ -129,7 +129,9 @@
+   /* error checking */
+   if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && 
+        biBitCount!=24 && biBitCount!=32) || 
+-      biPlanes!=1 || biCompression>BI_RLE4) {
++       biPlanes!=1 || biCompression>BI_RLE4 ||
++       biWidth<= 0 || biHeight <= 0 ||
++       (biClrUsed && biClrUsed > (1 << biBitCount))) {
+ 
+     sprintf(buf,"Bogus BMP File!  (bitCount=%d, Planes=%d, Compression=%d)",
+ 	    biBitCount, biPlanes, biCompression);
+@@ -159,6 +161,9 @@
+     
+     bPad = bfOffBits - (biSize + 14);
+   }
++
++  if (biClrUsed > (1 << biBitCount))
++    biClrUsed = (1 << biBitCount);
+ 
+   /* load up colormap, if any */
+   if (biBitCount!=24 && biBitCount!=32) {
+--- xviris.c
++++ xviris.c	Tue Aug 24 13:01:42 2004
+@@ -267,6 +267,12 @@
+ 
+     rlebuflen = 2 * xsize + 10;
+     tablen    = ysize * zsize;
++
++    if (rlebuflen <= 0 || tablen <= 0 || (tablen * sizeof(long)) < 0) {
++      loaderr = "Bogus IRIS File!";
++      return (byte *)NULL;
++    }
++
+     starttab  = (u_long *) malloc((size_t) tablen * sizeof(long));
+     lengthtab = (u_long *) malloc((size_t) tablen * sizeof(long));
+     rledat    = (byte *)   malloc((size_t) rlebuflen);
+--- xvpcx.c
++++ xvpcx.c	Tue Aug 24 13:12:15 2004
+@@ -222,7 +222,14 @@
+   byte *image;
+   
+   /* note:  overallocation to make life easier... */
+-  image = (byte *) malloc((size_t) (pinfo->h + 1) * pinfo->w + 16);
++  int count = (pinfo->h + 1) * pinfo->w + 16;
++
++  if (count <= 0 || pinfo->h <= 0 || pinfo->w <= 0) {
++    pcxError(fname, "Bogus PCX file!!");
++    return (0);
++  }
++
++  image = (byte *) malloc((size_t) count);
+   if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
+   
+   xvbzero((char *) image, (size_t) ((pinfo->h+1) * pinfo->w + 16));
+@@ -250,17 +257,25 @@
+ {
+   byte *pix, *pic24, scale[256];
+   int   c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes;
++  int count;
+   
+   w = pinfo->w;  h = pinfo->h;
+   
+   planes = (int) hdr[PCX_PLANES];
+   bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
+   
++  count = w*h*planes;
++
++  if (count <= 0 || planes <= 0 || w <= 0 || h <= 0) {
++    pcxError(fname, "Bogus PCX file!!");
++    return (0);
++  }
++
+   /* allocate 24-bit image */
+-  pic24 = (byte *) malloc((size_t) w*h*planes);
++  pic24 = (byte *) malloc((size_t) count);
+   if (!pic24) FatalError("couldn't malloc 'pic24'");
+   
+-  xvbzero((char *) pic24, (size_t) w*h*planes);
++  xvbzero((char *) pic24, (size_t) count);
+   
+   maxv = 0;
+   pix = pinfo->pic = pic24;
+@@ -268,6 +283,12 @@
+   j = 0;      /* bytes per line, in this while loop */
+   nbytes = bperlin*h*planes;
+  
++  if (nbytes < 0) {
++    pcxError(fname, "Bogus PCX file!!");
++    free(pic24);
++    return (0);
++  }
++
+   while (nbytes > 0 && (c = getc(fp)) != EOF) {
+     if ((c & 0xC0) == 0xC0) {   /* have a rep. count */
+       cnt = c & 0x3F;
+--- xvpm.c
++++ xvpm.c	Tue Aug 24 13:16:43 2004
+@@ -119,6 +119,9 @@
+ 
+   isize = pm_isize(&thePic);
+ 
++  if (isize <= 0)
++    return pmError(bname, "Bogus PM file!!");
++
+   if (DEBUG) 
+     fprintf(stderr,"%s: LoadPM() - loading a %dx%d %s pic, %d planes\n",
+ 	    cmd, w, h, (thePic.pm_form==PM_I) ? "PM_I" : "PM_C", 
+@@ -135,6 +138,8 @@
+     return( pmError(bname, "file read error") );
+   }
+ 
++  if (thePic.pm_cmtsize+1 <= 0)
++    return pmError(bname, "Bogus PM file!!");
+ 
+   /* alloc and read in comment, if any */
+   if (thePic.pm_cmtsize>0) {
+@@ -155,6 +160,9 @@
+     int  *intptr;
+     byte *pic24, *picptr;
+ 
++    if (w <= 0 || h <= 0 || w*h*3 <= 0)
++      return pmError(bname, "Bogus PM file!!");
++
+     if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) {
+       if (thePic.pm_cmt) free(thePic.pm_cmt);
+       return( pmError(bname, "unable to malloc 24-bit picture") );
+@@ -189,6 +197,9 @@
+ 
+   else if (thePic.pm_form == PM_C && thePic.pm_np>1) {
+     byte *pic24, *picptr, *rptr, *gptr, *bptr;
++
++    if (w <= 0 || h <= 0 || w*h*3 <= 0)
++      return pmError(bname, "Bogus PM file!!");
+ 
+     if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) {
+       if (thePic.pm_cmt) free(thePic.pm_cmt);
>Release-Note:
>Audit-Trail:
>Unformatted:



More information about the freebsd-ports-bugs mailing list