DISCONTINUED:openSUSE:11.1:Update
smalltalk
smalltalk-2.1.10-integer_and_buffer_overflow.patch
File smalltalk-2.1.10-integer_and_buffer_overflow.patch of Package smalltalk
--- packages/blox/tk/BloxTK.c +++ packages/blox/tk/BloxTK.c @@ -81,6 +81,29 @@ #include <string.h> #endif +#if defined(SCO) || defined(__USLC__) +#include <stdint.h> /* For SIZE_MAX */ +#endif +#include <limits.h> +#ifndef SIZE_MAX +# ifdef ULONG_MAX +# define SIZE_MAX ULONG_MAX +# else +# define SIZE_MAX UINT_MAX +# endif +#endif + +#ifdef HAS_STRLCAT +# define STRLCAT(dst, src, dstsize) { \ + if (strlcat(dst, src, dstsize) >= (dstsize)) \ + return (TCL_ERROR); } /* File invalid */ +#else +# define STRLCAT(dst, src, dstsize) { \ + if ((strlen(dst) + strlen(src)) < (dstsize)) \ + strcat(dst, src); \ + else return (TCL_ERROR); } /* File invalid */ +#endif + /* Smalltalk call-ins */ static Tcl_Interp *tclInit (void); static void bloxIdle (void); @@ -638,7 +661,7 @@ xpmParseColors (XpmData * data, unsigned int ncolors, unsigned int cpp, XpmColor ** colorTablePtr) { - unsigned int key, l, a, b; + unsigned int key, l, a, b, len; unsigned int curkey; /* current color key */ unsigned int lastwaskey; /* key read */ char buf[BUFSIZ + 1]; @@ -649,6 +672,8 @@ XpmColor *colorTable; char **defaults; + if (ncolors >= SIZE_MAX / sizeof(XpmColor)) + return (TCL_ERROR); /* No memory */ colorTable = (XpmColor *) malloc (ncolors * sizeof (XpmColor)); if (!colorTable) return (TCL_ERROR); /* No memory */ @@ -663,6 +688,11 @@ /* * read pixel value */ + if (cpp >= SIZE_MAX - 1) + { + xpmFreeColorTable(colorTable, ncolors); + return (TCL_ERROR); /* No memory */ + } color->string = (char *) malloc (cpp + 1); if (!color->string) { @@ -694,14 +724,15 @@ { /* open new key */ if (curkey) { /* flush string */ - s = (char *) malloc (strlen (curbuf) + 1); + len = strlen (curbuf) + 1; + s = (char *) malloc (len); if (!s) { xpmFreeColorTable (colorTable, ncolors); return (TCL_ERROR); /* No memory */ } defaults[curkey] = s; - strcpy (s, curbuf); + memcpy(s, curbuf, len); } curkey = key + 1; /* set new key */ *curbuf = '\0'; /* reset curbuf */ 
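Review bot: Both STRLCAT variants `return (TCL_ERROR)` from inside the macro, so at its call sites (the hunks at -715 and -766) an over-long colour line exits without the `xpmFreeColorTable (colorTable, ncolors)` call that the neighbouring error paths make. That leaks the colour table on exactly the malformed input this patch is meant to reject. The macro is also a bare `{ ... }` block rather than `do { ... } while (0)`, and a return hidden in a macro is easy to miss in review. I would replace it with a helper that only reports truncation and let each call site do the cleanup, as sketched below. `sizeof(curbuf)` is correct only if curbuf is an array; its declaration is outside the visible hunks.

```c
/* Append src to dst; returns nonzero if the result would not fit in dstsize. */
static int
xpmAppend (char *dst, const char *src, size_t dstsize)
{
  size_t used = strlen (dst);
  size_t need = strlen (src);

  if (used >= dstsize || need >= dstsize - used)
    return 1;
  memcpy (dst + used, src, need + 1);
  return 0;
}

/* ... unchanged: xpmParseColors up to the append ... */
if (xpmAppend (curbuf, buf, sizeof (curbuf)))
  {
    xpmFreeColorTable (colorTable, ncolors);
    return (TCL_ERROR);	/* File invalid */
  }
```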
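Review bot: The guard `if (cpp >= SIZE_MAX - 1)` in the hunk at -663 compares against the limit of size_t, but `cpp + 1` in the following `malloc (cpp + 1)` is evaluated in unsigned int. Where size_t is wider than unsigned int the guard can never fire, and cpp == UINT_MAX still wraps the request to zero bytes. Checking the type the arithmetic actually uses closes that gap: `if (cpp >= UINT_MAX)` together with `malloc ((size_t) cpp + 1)`. The same guard is repeated in the hunk at -748 and needs the same change. How color->string is filled afterwards is outside these hunks, so the impact of a short allocation is inferred from the allocation size alone.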
@@ -715,9 +746,9 @@ return (TCL_ERROR); /* File invalid */ } if (!lastwaskey) - strcat (curbuf, " "); /* append space */ + STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ buf[l] = '\0'; - strcat (curbuf, buf); /* append buf */ + STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ lastwaskey = 0; } } @@ -726,13 +757,14 @@ xpmFreeColorTable (colorTable, ncolors); return (TCL_ERROR); /* File invalid */ } - s = defaults[curkey] = (char *) malloc (strlen (curbuf) + 1); + len = strlen (curbuf) + 1; + s = defaults[curkey] = (char *) malloc (len); if (!s) { xpmFreeColorTable (colorTable, ncolors); return (TCL_ERROR); /* No memory */ } - strcpy (s, curbuf); + memcpy(s, curbuf, len); } } else @@ -748,6 +780,11 @@ /* * read pixel value */ + if (cpp >= SIZE_MAX - 1) + { + xpmFreeColorTable (colorTable, ncolors); + return (TCL_ERROR); /* No memory */ + } color->string = (char *) malloc (cpp + 1); if (!color->string) { @@ -766,17 +803,18 @@ while (l = xpmNextWord (data, buf, BUFSIZ)) { if (*curbuf != '\0') - strcat (curbuf, " "); /* append space */ + STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */ buf[l] = '\0'; - strcat (curbuf, buf); /* append buf */ + STRLCAT(curbuf, buf, sizeof(curbuf)); /* append buf */ } - s = (char *) malloc (strlen (curbuf) + 1); + len = strlen (curbuf) + 1; + s = (char *) malloc (len); if (!s) { xpmFreeColorTable (colorTable, ncolors); return (TCL_ERROR); /* No memory */ } - strcpy (s, curbuf); + memcpy(s, curbuf, len); color->c_color = s; *curbuf = '\0'; /* reset curbuf */ if (a < ncolors - 1) @@ -832,6 +870,9 @@ unsigned int *iptr, *iptr2; unsigned int a, x, y; + if ((height > 0 && width >= SIZE_MAX / height) || + width * height >= SIZE_MAX / sizeof(unsigned int)) + return (TCL_ERROR); /* No memory */ iptr2 = (unsigned int *) malloc (sizeof (unsigned int) * width * height); if (!iptr2) return (TCL_ERROR); /* No memory */ 
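Review bot: In the hunk at -832 the second clause, `width * height >= SIZE_MAX / sizeof(unsigned int)`, multiplies before any widening. If width and height are unsigned int (their declarations are outside the hunk), the product wraps in 32 bits on LP64 targets, and the first clause cannot fire there because `SIZE_MAX / height` exceeds any unsigned int. The `malloc (sizeof (unsigned int) * width * height)` below is evaluated in size_t, so large dimensions can still wrap the request while passing both tests. A single division-based test kept in size_t avoids this: `if (height > 0 && width > SIZE_MAX / sizeof (unsigned int) / height) return (TCL_ERROR);`. Zero width or height still reaches `malloc (0)`, whose result is implementation-defined, so rejecting empty images here would be worth a line as well.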
@@ -844,19 +885,22 @@ case (1): /* Optimize for single character colors */ { unsigned int colrgb[256]; + + if (ncolors > 256) + return (TCL_ERROR); /* File invalid */ memset (colrgb, 0, 256 * sizeof (int)); for (a = 0; a < 256; a++) colrgb[a] = -1; for (a = 0; a < ncolors; a++) - colrgb[(unsigned int) colorTable[a].string[0]] = colorTable[a].rgb; + colrgb[(unsigned char)colorTable[a].string[0]] = colorTable[a].rgb; for (y = 0; y < height; y++) { xpmNextString (data); for (x = 0; x < width; x++, iptr++) { - int rgb = colrgb[(unsigned int) *data->cptr++]; + int rgb = colrgb[(unsigned char) *data->cptr++]; if (rgb != -1) *iptr = rgb; @@ -884,7 +928,7 @@ memset (crgb, 0, 256 * sizeof (unsigned int *)); /* init */ for (a = 0; a < ncolors; a++) { - char1 = colorTable[a].string[0]; + char1 = (unsigned char)colorTable[a].string[0]; if (crgb[char1] == NULL) { /* get new memory */ crgb[char1] = (unsigned int *) @@ -898,7 +942,7 @@ for (a2 = 0; a2 < 256; a2++) crgb[char1][a2] = -1; } - crgb[char1][(unsigned int) colorTable[a].string[1]] = + crgb[char1][(unsigned char)colorTable[a].string[1]] = colorTable[a].rgb; }
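Review bot: The new `if (ncolors > 256) return (TCL_ERROR);` in the hunk at -844 returns without releasing iptr2, which the preceding hunk shows being allocated a few lines earlier in what appears to be the same function. The function's other error paths are not visible, so this is inferred. Either move the check ahead of the malloc or free first: `if (ncolors > 256) { free (iptr2); return (TCL_ERROR); }`. Separately, the context line `memset (colrgb, 0, 256 * sizeof (int));` is redundant because the loop right after it sets every entry to -1. It could become `sizeof colrgb` or be dropped.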
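Review bot: The cast in `char1 = (unsigned char)colorTable[a].string[0];` (hunk at -884) only helps if char1 can hold the unsigned value. Its declaration is outside the hunk, and if it is a plain `char` the assignment converts the value back to a possibly negative one before `crgb[char1]` is indexed. Declaring it as `unsigned char char1;` makes the first-level index safe. The second-level index in the hunk at -898 is cast at the point of use, so it does not depend on a variable's type. The pixel lookups for this two-character case, which read from data->cptr, are not visible here and should be checked for the same `(unsigned char)` cast that the one-character case received.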