$NetBSD: patch-am,v 1.3 2004/09/16 19:28:56 minskim Exp $

--- extras/Xpm/lib/parse.c.orig	2001-10-27 22:32:10.000000000 -0500
+++ extras/Xpm/lib/parse.c
@@ -44,6 +44,24 @@
 #include <ctype.h>
 #include <string.h>
 
+#ifdef HAS_STRLCAT
+# define STRLCAT(dst, src, dstsize) { \
+  	if (strlcat(dst, src, dstsize) >= (dstsize)) \
+	    return (XpmFileInvalid); }
+# define STRLCPY(dst, src, dstsize) { \
+  	if (strlcpy(dst, src, dstsize) >= (dstsize)) \
+	    return (XpmFileInvalid); }
+#else
+# define STRLCAT(dst, src, dstsize) { \
+	if ((strlen(dst) + strlen(src)) < (dstsize)) \
+ 	    strcat(dst, src); \
+	else return (XpmFileInvalid); }
+# define STRLCPY(dst, src, dstsize) { \
+	if (strlen(src) < (dstsize)) \
+ 	    strcpy(dst, src); \
+	else return (XpmFileInvalid); }
+#endif
+
 LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
 			 unsigned int height, unsigned int ncolors,
 			 unsigned int cpp, XpmColor *colorTable,
@@ -66,7 +84,7 @@ xpmParseValues(data, width, height, ncol
     unsigned int *extensions;
 {
     unsigned int l;
-    char buf[BUFSIZ];
+    char buf[BUFSIZ + 1];
 
     if (!data->format) {		/* XPM 2 or 3 */
 
@@ -175,10 +193,10 @@ xpmParseColors(data, ncolors, cpp, color
     XpmColor **colorTablePtr;
     xpmHashTable *hashtable;
 {
-    unsigned int key = 0, l, a, b;
+    unsigned int key = 0, l, a, b, len;
     unsigned int curkey;		/* current color key */
     unsigned int lastwaskey;		/* key read */
-    char buf[BUFSIZ];
+    char buf[BUFSIZ+1];
     char curbuf[BUFSIZ];		/* current buffer */
     char **sptr, *s;
     XpmColor *color;
@@ -186,6 +204,8 @@ xpmParseColors(data, ncolors, cpp, color
     char **defaults;
     int ErrorStatus;
 
+    if (ncolors >= SIZE_MAX / sizeof(XpmColor))
+	return (XpmNoMemory);
     colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
     if (!colorTable)
 	return (XpmNoMemory);
@@ -197,6 +217,10 @@ xpmParseColors(data, ncolors, cpp, color
 	    /*
 	     * read pixel value
 	     */
+	    if (cpp >= SIZE_MAX - 1) {
+		xpmFreeColorTable(colorTable, ncolors);
+		return (XpmNoMemory);
+	    }
 	    color->string = (char *) XpmMalloc(cpp + 1);
 	    if (!color->string) {
 		xpmFreeColorTable(colorTable, ncolors);
@@ -234,13 +258,14 @@ xpmParseColors(data, ncolors, cpp, color
 		}
 		if (!lastwaskey && key < NKEYS) {	/* open new key */
 		    if (curkey) {	/* flush string */
-			s = (char *) XpmMalloc(strlen(curbuf) + 1);
+			len = strlen(curbuf) + 1;
+			s = (char *) XpmMalloc(len);
 			if (!s) {
 			    xpmFreeColorTable(colorTable, ncolors);
 			    return (XpmNoMemory);
 			}
 			defaults[curkey] = s;
-			strcpy(s, curbuf);
+			memcpy(s, curbuf, len);
 		    }
 		    curkey = key + 1;	/* set new key  */
 		    *curbuf = '\0';	/* reset curbuf */
@@ -251,9 +276,9 @@ xpmParseColors(data, ncolors, cpp, color
 			return (XpmFileInvalid);
 		    }
 		    if (!lastwaskey)
-			strcat(curbuf, " ");	/* append space */
+			STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
 		    buf[l] = '\0';
-		    strcat(curbuf, buf);/* append buf */
+		    STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
 		    lastwaskey = 0;
 		}
 	    }
@@ -261,12 +286,13 @@ xpmParseColors(data, ncolors, cpp, color
 		xpmFreeColorTable(colorTable, ncolors);
 		return (XpmFileInvalid);
 	    }
-	    s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
+	    len = strlen(curbuf) + 1;
+	    s = defaults[curkey] = (char *) XpmMalloc(len);
 	    if (!s) {
 		xpmFreeColorTable(colorTable, ncolors);
 		return (XpmNoMemory);
 	    }
-	    strcpy(s, curbuf);
+	    memcpy(s, curbuf, len);
 	}
     } else {				/* XPM 1 */
 	/* get to the beginning of the first string */
@@ -279,6 +305,10 @@ xpmParseColors(data, ncolors, cpp, color
 	    /*
 	     * read pixel value
 	     */
+	    if (cpp >= SIZE_MAX - 1) {
+		xpmFreeColorTable(colorTable, ncolors);
+		return (XpmNoMemory);
+	    }
 	    color->string = (char *) XpmMalloc(cpp + 1);
 	    if (!color->string) {
 		xpmFreeColorTable(colorTable, ncolors);
@@ -307,16 +337,17 @@ xpmParseColors(data, ncolors, cpp, color
 	    *curbuf = '\0';		/* init curbuf */
 	    while ((l = xpmNextWord(data, buf, BUFSIZ))) {
 		if (*curbuf != '\0')
-		    strcat(curbuf, " ");/* append space */
+		    STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
 		buf[l] = '\0';
-		strcat(curbuf, buf);	/* append buf */
+		STRLCAT(curbuf, buf, sizeof(curbuf));	/* append buf */
 	    }
-	    s = (char *) XpmMalloc(strlen(curbuf) + 1);
+	    len = strlen(curbuf) + 1;
+	    s = (char *) XpmMalloc(len);
 	    if (!s) {
 		xpmFreeColorTable(colorTable, ncolors);
 		return (XpmNoMemory);
 	    }
-	    strcpy(s, curbuf);
+	    memcpy(s, curbuf, len);
 	    color->c_color = s;
 	    *curbuf = '\0';		/* reset curbuf */
 	    if (a < ncolors - 1)
@@ -341,6 +372,9 @@ ParsePixels(data, width, height, ncolors
     unsigned int *iptr, *iptr2;
     unsigned int a, x, y;
 
+    if ((height > 0 && width >= SIZE_MAX / height) ||
+	width * height >= SIZE_MAX / sizeof(unsigned int)) 
+	return XpmNoMemory;
 #ifndef FOR_MSW
     iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
 #else
@@ -364,6 +398,9 @@ ParsePixels(data, width, height, ncolors
 	{
 	    unsigned short colidx[256];
 
+	    if (ncolors > 256)
+		return (XpmFileInvalid);
+
 	    bzero((char *)colidx, 256 * sizeof(short));
 	    for (a = 0; a < ncolors; a++)
 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -442,6 +479,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
 	    char *s;
 	    char buf[BUFSIZ];
 
+	    if (cpp >= sizeof(buf))
+		return (XpmFileInvalid);
+
 	    buf[cpp] = '\0';
 	    if (USE_HASHTABLE) {
 		xpmHashAtom *slot;
