$NetBSD: patch-ag,v 1.2 2005/06/14 18:10:37 jlam Exp $

--- lib/create.c.orig	1998-03-19 14:51:00.000000000 -0500
+++ lib/create.c
@@ -43,6 +43,8 @@
  * Lorens Younes (d93-hyo@nada.kth.se) 4/96
  */
 
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
 #include "XpmI.h"
 #include <ctype.h>
 
@@ -517,7 +519,7 @@ CreateColors(display, attributes, colors
     /* variables stored in the XpmAttributes structure */
     Visual *visual;
     Colormap colormap;
-    XpmColorSymbol *colorsymbols;
+    XpmColorSymbol *colorsymbols = NULL;
     unsigned int numsymbols;
     XpmAllocColorFunc allocColor;
     void *closure;
@@ -525,7 +527,7 @@ CreateColors(display, attributes, colors
     char *colorname;
     unsigned int color, key;
     Bool pixel_defined;
-    XpmColorSymbol *symbol;
+    XpmColorSymbol *symbol = NULL;
     char **defaults;
     int ErrorStatus = XpmSuccess;
     char *s;
@@ -583,7 +585,7 @@ CreateColors(display, attributes, colors
 	     */
 	} else {
 #endif
-	    int i;
+	    unsigned int i;
 
 #ifndef AMIGA
 	    ncols = visual->map_entries;
@@ -743,12 +745,14 @@ FreeColors(display, colormap, pixels, n,
 
 
 /* function call in case of error */
+
 #undef RETURN
 #define RETURN(status) \
+do \
 { \
       ErrorStatus = status; \
       goto error; \
-}
+} while(0)
 
 int
 XpmCreateImageFromXpmImage(display, image,
@@ -765,7 +769,6 @@ XpmCreateImageFromXpmImage(display, imag
     unsigned int depth;
     int bitmap_format;
     XpmFreeColorsFunc freeColors;
-    void *closure;
 
     /* variables to return */
     XImage *ximage = NULL;
@@ -812,13 +815,12 @@ XpmCreateImageFromXpmImage(display, imag
 	freeColors = attributes->free_colors;
     else
 	freeColors = FreeColors;
-    if (attributes && (attributes->valuemask & XpmColorClosure))
-	closure = attributes->color_closure;
-    else
-	closure = NULL;
 
     ErrorStatus = XpmSuccess;
 
+    if (image->ncolors >= UINT_MAX / sizeof(Pixel)) 
+	return (XpmNoMemory);
+
     /* malloc pixels index tables */
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
     if (!image_pixels)
@@ -991,7 +993,13 @@ CreateXImage(display, visual, depth, for
 	return (XpmNoMemory);
 
 #if !defined(FOR_MSW) && !defined(AMIGA)
+    if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+	XDestroyImage(*image_return);
+	return XpmNoMemory;
+    }
     /* now that bytes_per_line must have been set properly alloc data */
+    if((*image_return)->bytes_per_line == 0 ||  height == 0)
+	return XpmNoMemory;
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
 
@@ -1020,7 +1028,7 @@ CreateXImage(display, visual, depth, for
 LFUNC(_putbits, void, (register char *src, int dstoffset,
 		       register int numbits, register char *dst));
 
-LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register int nb));
+LFUNC(_XReverse_Bytes, int, (register unsigned char *bpt, register unsigned int nb));
 
 static unsigned char Const _reverse_byte[0x100] = {
     0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
@@ -1060,12 +1068,12 @@ static unsigned char Const _reverse_byte
 static int
 _XReverse_Bytes(bpt, nb)
     register unsigned char *bpt;
-    register int nb;
+    register unsigned int nb;
 {
     do {
 	*bpt = _reverse_byte[*bpt];
 	bpt++;
-    } while (--nb > 0);
+    } while (--nb > 0); /* is nb user-controled? */
     return 0;
 }
 
@@ -1204,18 +1212,18 @@ PutImagePixels(image, width, height, pix
     register char *src;
     register char *dst;
     register unsigned int *iptr;
-    register int x, y, i;
+    register unsigned int x, y;
     register char *data;
     Pixel pixel, px;
-    int nbytes, depth, ibu, ibpp;
+    int nbytes, depth, ibu, ibpp, i;
 
     data = image->data;
     iptr = pixelindex;
     depth = image->depth;
     if (depth == 1) {
 	ibu = image->bitmap_unit;
-	for (y = 0; y < height; y++)
-	    for (x = 0; x < width; x++, iptr++) {
+	for (y = 0; y < height; y++) /* how can we trust height */
+	    for (x = 0; x < width; x++, iptr++) { /* how can we trust width */
 		pixel = pixels[*iptr];
 		for (i = 0, px = pixel; i < sizeof(unsigned long);
 		     i++, px >>= 8)
@@ -1290,12 +1298,12 @@ PutImagePixels32(image, width, height, p
 {
     unsigned char *data;
     unsigned int *iptr;
-    int y;
+    unsigned int y;
     Pixel pixel;
 
 #ifdef WITHOUT_SPEEDUPS
 
-    int x;
+    unsigned int x;
     unsigned char *addr;
 
     data = (unsigned char *) image->data;
@@ -1332,7 +1340,7 @@ PutImagePixels32(image, width, height, p
 
 #else  /* WITHOUT_SPEEDUPS */
 
-    int bpl = image->bytes_per_line;
+    unsigned int bpl = image->bytes_per_line;
     unsigned char *data_ptr, *max_data;
 
     data = (unsigned char *) image->data;
@@ -1400,11 +1408,11 @@ PutImagePixels16(image, width, height, p
 {
     unsigned char *data;
     unsigned int *iptr;
-    int y;
+    unsigned int y;
 
 #ifdef WITHOUT_SPEEDUPS
 
-    int x;
+    unsigned int x;
     unsigned char *addr;
 
     data = (unsigned char *) image->data;
@@ -1428,7 +1436,7 @@ PutImagePixels16(image, width, height, p
 
     Pixel pixel;
 
-    int bpl = image->bytes_per_line;
+    unsigned int bpl = image->bytes_per_line;
     unsigned char *data_ptr, *max_data;
 
     data = (unsigned char *) image->data;
@@ -1481,11 +1489,11 @@ PutImagePixels8(image, width, height, pi
 {
     char *data;
     unsigned int *iptr;
-    int y;
+    unsigned int y;
 
 #ifdef WITHOUT_SPEEDUPS
 
-    int x;
+    unsigned int x;
 
     data = image->data;
     iptr = pixelindex;
@@ -1495,7 +1503,7 @@ PutImagePixels8(image, width, height, pi
 
 #else  /* WITHOUT_SPEEDUPS */
 
-    int bpl = image->bytes_per_line;
+    unsigned int bpl = image->bytes_per_line;
     char *data_ptr, *max_data;
 
     data = image->data;
@@ -1530,12 +1538,12 @@ PutImagePixels1(image, width, height, pi
 	PutImagePixels(image, width, height, pixelindex, pixels);
     else {
 	unsigned int *iptr;
-	int y;
+	unsigned int y;
 	char *data;
 
 #ifdef WITHOUT_SPEEDUPS
 
-	int x;
+	unsigned int x;
 
 	data = image->data;
 	iptr = pixelindex;
@@ -1755,10 +1763,12 @@ PutPixel1(ximage, x, y, pixel)
     register char *src;
     register char *dst;
     register int i;
-    register char *data;
     Pixel px;
     int nbytes;
 
+    if(x < 0 || y < 0)
+    	return 0;
+
     for (i=0, px=pixel; i<sizeof(unsigned long); i++, px>>=8)
 	((unsigned char *)&pixel)[i] = px;
     src = &ximage->data[XYINDEX(x, y, ximage)];
@@ -1788,9 +1798,11 @@ PutPixel(ximage, x, y, pixel)
     register char *src;
     register char *dst;
     register int i;
-    register char *data;
     Pixel px;
-    int nbytes, ibpp;
+    unsigned int nbytes, ibpp;
+
+    if(x < 0 || y < 0)
+    	return 0;
 
     ibpp = ximage->bits_per_pixel;
     if (ximage->depth == 4)
@@ -1823,6 +1835,9 @@ PutPixel32(ximage, x, y, pixel)
 {
     unsigned char *addr;
 
+    if(x < 0 || y < 0)
+    	return 0;
+
     addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
     *((unsigned long *)addr) = pixel;
     return 1;
@@ -1837,6 +1852,9 @@ PutPixel32MSB(ximage, x, y, pixel)
 {
     unsigned char *addr;
 
+    if(x < 0 || y < 0)
+    	return 0;
+
     addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
     addr[0] = pixel >> 24;
     addr[1] = pixel >> 16;
@@ -1854,6 +1872,9 @@ PutPixel32LSB(ximage, x, y, pixel)
 {
     unsigned char *addr;
 
+    if(x < 0 || y < 0)
+    	return 0;
+
     addr = &((unsigned char *)ximage->data) [ZINDEX32(x, y, ximage)];
     addr[3] = pixel >> 24;
     addr[2] = pixel >> 16;
@@ -1871,6 +1892,9 @@ PutPixel16MSB(ximage, x, y, pixel)
 {
     unsigned char *addr;
     
+    if(x < 0 || y < 0)
+    	return 0;
+
     addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
     addr[0] = pixel >> 8;
     addr[1] = pixel;
@@ -1886,6 +1910,9 @@ PutPixel16LSB(ximage, x, y, pixel)
 {
     unsigned char *addr;
     
+    if(x < 0 || y < 0)
+    	return 0;
+
     addr = &((unsigned char *)ximage->data) [ZINDEX16(x, y, ximage)];
     addr[1] = pixel >> 8;
     addr[0] = pixel;
@@ -1899,6 +1926,9 @@ PutPixel8(ximage, x, y, pixel)
     int y;
     unsigned long pixel;
 {
+    if(x < 0 || y < 0)
+    	return 0;
+
     ximage->data[ZINDEX8(x, y, ximage)] = pixel;
     return 1;
 }
@@ -1910,6 +1940,9 @@ PutPixel1MSB(ximage, x, y, pixel)
     int y;
     unsigned long pixel;
 {
+    if(x < 0 || y < 0)
+    	return 0;
+
     if (pixel & 1)
 	ximage->data[ZINDEX1(x, y, ximage)] |= 0x80 >> (x & 7);
     else
@@ -1924,6 +1957,9 @@ PutPixel1LSB(ximage, x, y, pixel)
     int y;
     unsigned long pixel;
 {
+    if(x < 0 || y < 0)
+    	return 0;
+
     if (pixel & 1)
 	ximage->data[ZINDEX1(x, y, ximage)] |= 1 << (x & 7);
     else
@@ -1953,7 +1989,6 @@ xpmParseDataAndCreate(display, data, ima
     unsigned int depth;
     int bitmap_format;
     XpmFreeColorsFunc freeColors;
-    void *closure;
 
     /* variables to return */
     XImage *ximage = NULL;
@@ -2011,10 +2046,6 @@ xpmParseDataAndCreate(display, data, ima
 	freeColors = attributes->free_colors;
     else
 	freeColors = FreeColors;
-    if (attributes && (attributes->valuemask & XpmColorClosure))
-	closure = attributes->color_closure;
-    else
-	closure = NULL;
 
     cmts = info && (info->valuemask & XpmReturnComments);
 
@@ -2063,6 +2094,9 @@ xpmParseDataAndCreate(display, data, ima
 	xpmGetCmt(data, &colors_cmt);
 
     /* malloc pixels index tables */
+    if (ncolors >= UINT_MAX / sizeof(Pixel)) 
+	RETURN(XpmNoMemory);
+
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
     if (!image_pixels)
 	RETURN(XpmNoMemory);
@@ -2173,7 +2207,7 @@ xpmParseDataAndCreate(display, data, ima
      * free the hastable
      */
     if (ErrorStatus != XpmSuccess)
-	RETURN(ErrorStatus)
+	RETURN(ErrorStatus);
     else if (USE_HASHTABLE)
 	xpmHashTableFree(&hashtable);
 
@@ -2364,11 +2398,11 @@ if (cidx[f]) XpmFree(cidx[f]);}
 
 	    /* array of pointers malloced by need */
 	    unsigned short *cidx[256];
-	    int char1;
+	    unsigned int char1;
 
 	    bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
 	    for (a = 0; a < ncolors; a++) {
-		char1 = colorTable[a].string[0];
+		char1 = (unsigned char) colorTable[a].string[0];
 		if (cidx[char1] == NULL) { /* get new memory */
 		    cidx[char1] = (unsigned short *)
 			XpmCalloc(256, sizeof(unsigned short));
