-
644d7c59
by Peter Hutterer at 2017-01-26T11:59:25+10:00
autogen.sh: use exec instead of waiting for configure to finish
Syncs the invocation of configure with the one from the server.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
-
ed8f9c2e
by Emil Velikov at 2017-01-26T11:59:25+10:00
autogen.sh: use quoted string variables
Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
fall-outs, when they contain space.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
e42ca7b4
by Mihail Konev at 2017-01-26T13:52:49+10:00
autogen: add default patch prefix
Signed-off-by: Mihail Konev <k.mvc@ya.ru>
-
bc1b4962
by Dave Bodenstab at 2018-09-22T12:47:34-07:00
Windows build fixes
https://bugs.freedesktop.org/show_bug.cgi?id=46475
https://bugs.freedesktop.org/attachment.cgi?id=57479
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
73a1e769
by Alan Coopersmith at 2018-10-06T11:52:24-07:00
After fdopen(), use fclose() instead of close() in error path
Found by Oracle's Parfait 2.2 static analyzer:
Error: File Leak
File Leak [file-ptr-leak]:
Leaked File fp
at line 94 of lib/libXpm/src/RdFToBuf.c in function 'XpmReadFileToBuffer
'.
fp initialized at line 86 with fdopen
fp leaks when len < 0 at line 92.
Introduced-by: commit 8b3024e6871ce50b34bf2dff924774bd654703bc
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-
c9f8faf1
by Alan Coopersmith at 2018-11-19T22:30:30-08:00
Update README for gitlab migration
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
0be2c671
by Alan Coopersmith at 2018-12-07T19:47:06-08:00
Update configure.ac bug URL for gitlab migration
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
7af7c5e2
by Fabrice Fontaine at 2019-05-03T07:59:09+02:00
Allow usage when fork() is not available
When fork() is not available, we need to define NO_ZPIPE so that
libXpm doesn't try to fork/exec to use a pipe to uncompress compressed
.xpm files. There is obviously a loss of functionality, but loading
uncompressed .xpm files should continue to work.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Retrieved from:
https://git.buildroot.net/buildroot/tree/package/x11r7/xlib_libXpm/0001-fork-check.patch]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-
e1d8f704
by Peter Hutterer at 2019-12-06T15:01:33+10:00
parse: avoid memleak on error with STRLCAT/STRLCPY
The original macro might exit the function without freeing `colorTable`.
Move the macros into a slightly less awful helper function and use goto
to clean up in case of error.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
5817fd4a
by Benjamin Tissoires at 2019-12-06T15:01:33+10:00
parse: simplify error paths in xpmParseColors()
We introduced a new label to handle the errors, we should use it
for the rest of the function.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-
b0fc4854
by Peter Hutterer at 2019-12-13T14:25:06+10:00
libXpm 3.5.13
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
e48e649e
by Walter Harms at 2019-12-24T17:20:09+01:00
add man pages based on doc/xpm.PS
More or less hand crafted man pages based on xpm.PS.
Prototypes are still in K&R, see also is a dud
Signed-off-by: Walter Harms <wharms@bfs.de>
-
83e5427f
by Walter Harms at 2019-12-25T20:40:04+01:00
update man pages
move from k&r to ansi prototypes
improve nroff coding
Signed-off-by: Walter Harms <wharms@bfs.de>
-
fa16fbda
by Alan Coopersmith at 2022-07-17T16:23:04-07:00
Build xz tarballs instead of bzip2
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
96124542
by Alan Coopersmith at 2022-07-17T16:25:38-07:00
Fix spelling/wording issues
Found by using:
codespell --builtin clear,rare,usage,informal,code,names
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
3433f433
by Alan Coopersmith at 2022-07-17T16:27:01-07:00
man: strip trailing whitespace
git diff -w shows no changes from this commit
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
7a138a52
by Alan Coopersmith at 2022-07-17T16:29:35-07:00
gitlab CI: add a basic build test
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
bfaebfdc
by Alan Coopersmith at 2022-08-26T18:40:58-07:00
man pages: Make file names consistent with their displayed names
Lets users view the pages using the name displayed on the pages
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
fb8590c9
by Alan Coopersmith at 2022-08-26T18:41:18-07:00
man pages: Fix shadow man pages
Shadow man pages have a .so line that needs to list the file to be
shown, not the name of the shadow page.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
2b7357e8
by Alan Coopersmith at 2022-08-27T10:12:39-07:00
man pages: Make function synopses more consistent with other pages
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
2d5fa4c2
by Alan Coopersmith at 2022-08-27T10:12:44-07:00
man pages: Add missing word 'function' where needed
A number of instances of 'The Xpm... function' were missing the word
"function", so read awkwardly.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
deb81a9a
by Alan Coopersmith at 2022-08-27T10:12:44-07:00
man pages: Fix typos
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
f0857c0d
by Alan Coopersmith at 2022-08-27T10:12:49-07:00
man pages: Correct Copyright/License notices
Since the text was copied from doc/xpm.PS.gz, the copyright and license
notices need to be copied from there as well.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
08bc174f
by Alan Coopersmith at 2022-11-19T12:23:53-08:00
libXpm 3.5.14
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
392cb8fb
by Alan Coopersmith at 2023-01-01T13:12:39-08:00
man pages: Fix typos and other minor editing
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
5d55a0be
by Alan Coopersmith at 2023-01-01T13:12:39-08:00
man pages: Replace "See Also" entries with more useful ones
"See Also" entries in man pages should list other man pages to
look at, not the alternate names for the current man page.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
aef0c8dd
by Alan Coopersmith at 2023-01-01T14:19:17-08:00
man pages: Apply standard man page style/formatting
Function & macro names in bold, argument names in italics.
In the man page body, bold function names followed by plain ()
for functions defined in this page, plain (3) for functions defined
in other man pages.
New paragraphs start with .PP, not just a blank line.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
4841039e
by Alan Coopersmith at 2023-01-07T09:42:50-08:00
configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE
Documents the two compression options in the README, makes their
configure options reflect the interdependency of their implementation,
and makes the configure script report their configuration.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
501494c6
by Alan Coopersmith at 2023-01-08T14:50:03-08:00
test: Add unit tests using glib framework
Includes rudimentary tests for XpmReadFileToXpmImage, XpmReadFileToData,
XpmReadFileToBuffer, XpmCreateXpmImageFromData, XpmCreateXpmImageFromBuffer,
XpmWriteFileFromXpmImage, XpmWriteFileFromData, XpmWriteFileFromBuffer,
XpmAttributesSize, XpmGetErrorString, XpmLibraryVersion
Includes test cases for CVE-2004-0687
Tests .Z and .gz files if --enable-open-zfile is active
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
0ff2c6af
by Alan Coopersmith at 2023-01-10T08:55:37-08:00
cxpm: getc/ungetc wrappers should not adjust position when c == EOF
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
f7a167a4
by Alan Coopersmith at 2023-01-12T15:47:43-08:00
test: add test case for CVE-2022-46285 (unclosed comments)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
a3a7c6dc
by Alan Coopersmith at 2023-01-12T15:47:43-08:00
Fix CVE-2022-46285: Infinite loop on unclosed comments
When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.
Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
f7fbbb92
by Alan Coopersmith at 2023-01-12T15:47:43-08:00
test: add test cases for CVE-2022-44617 (zero-width w/enormous height)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
f80fa6ae
by Alan Coopersmith at 2023-01-12T15:47:43-08:00
Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
When reading XPM images from a file with libXpm 3.5.14 or older, if a
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a
denial of service to the calling program when given a small crafted XPM
file to parse.
Closes: #2
Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
515294bb
by Alan Coopersmith at 2023-01-12T15:47:43-08:00
Fix CVE-2022-4883: compression commands depend on $PATH
By default, on all platforms except MinGW, libXpm will detect if a
filename ends in .Z or .gz, and will when reading such a file fork off
an uncompress or gunzip command to read from via a pipe, and when
writing such a file will fork off a compress or gzip command to write
to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those
privileges.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
c5ab17bc
by Matthieu Herrb at 2023-01-12T15:47:43-08:00
Prevent a double free in the error code path
xpmParseDataAndCreate() calls XDestroyImage() in the error path.
Reproducible with sxpm "zero-width.xpm", that file is in the test/
directory.
The same approach is needed in the bytes_per_line == 0 condition though
here it just plugs a memory leak.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
8178eb08
by Peter Hutterer at 2023-01-16T10:30:39-08:00
Use gzip -d instead of gunzip
GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
/usr/bin/gunzip with the correct built-in path, the actual gzip call
will use whichever gzip it finds first, making our patch pointless.
Fix this by explicitly calling gzip -d instead.
https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
[Part of the fix for CVE-2022-4883]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
ddd8339e
by Alan Coopersmith at 2023-01-17T08:19:26-08:00
libXpm 3.5.15
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
d9cbea1c
by Alan Coopersmith at 2023-01-17T18:45:46-08:00
test: skip compressed file tests when --disable-open-zfile is used
Reported-by: T.J. Townsend
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
9bc32a1a
by Alan Coopersmith at 2023-01-19T12:06:38-08:00
gitlab CI: build with each of --enable-open-zfile & --disable-open-zfile
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
71d7149c
by Alan Coopersmith at 2023-01-23T15:37:52-08:00
configure: correct error message to suggest --disable-open-zfile
When one of the compression helper programs is not found, the message
suggesting how to compile without it should say --disable-open-zfile,
not --disable-stat-zfile.
Fixes: 515294b ("Fix CVE-2022-4883: compression commands depend on $PATH")
Closes: #4
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
77e3b389
by Peter Hutterer at 2023-01-23T23:46:34+00:00
Fix a memleak in ParsePixels error code path
In this particular error path we have already allocated cidx[0..256]
with 256 instances of fresh and juicy memory. Freeing that is annoying,
but luckily there's a helpful FREE_CIDX macro that does exactly that.
Fixes f80fa6a:
Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
Found by covscan
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
c52082c6
by Alan Coopersmith at 2023-02-05T12:14:43-08:00
open-zfile: Make compress & uncompress commands optional
If compress is not found, we disable writing to .Z files,
but leave the rest of the compression code active.
If uncompress is not found, we use gzip to read .Z files.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
45d8f4f2
by Alan Coopersmith at 2023-02-12T09:20:44-08:00
Require LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL
AC_PROG_LIBTOOL was replaced by LT_INIT in libtool 2 in 2008,
so it's time to rely on it.
configure.ac:14: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:14: You should run autoupdate.
m4/libtool.m4:100: AC_PROG_LIBTOOL is expanded from...
configure.ac:14: the top level
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
25616112
by Alan Coopersmith at 2023-02-12T09:25:10-08:00
XpmCreateDataFromXpmImage: Fix misleading indentation
CrDatFrI.c: In function ‘XpmCreateDataFromXpmImage’:
CrDatFrI.c:245:13: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
245 | if (header[l])
| ^~
In file included from CrDatFrI.c:40:
XpmI.h:80:22: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
80 | #define XpmFree(ptr) free(ptr)
| ^~~~
CrDatFrI.c:247:17: note: in expansion of macro ‘XpmFree’
247 | XpmFree(header);
| ^~~~~~~
CrDatFrI.c: In function ‘CreateColors’:
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
8e0e6351
by Alan Coopersmith at 2023-02-12T10:51:46-08:00
parse.c: Wrap FREE_CIDX definition in do { ... } while(0)
Makes it match the definition in create.c and eliminates
clang warnings:
create.c:2409:13: warning: empty _expression_ statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
create.c:2440:17: warning: empty _expression_ statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
create.c:2444:13: warning: empty _expression_ statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
create.c:2449:15: warning: empty _expression_ statement has no effect;
remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
FREE_CIDX;
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
92030dd4
by Alan Coopersmith at 2023-02-12T13:22:57-08:00
parse.c: remove unused function xstrlcpy()
parse.c:74:1: warning: unused function 'xstrlcpy' [-Wunused-function]
xstrlcpy(char *dst, const char *src, size_t dstsize)
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
e01d691a
by Alan Coopersmith at 2023-03-27T18:03:13-07:00
test: Use PACKAGE_BUGREPORT instead of hard-coded URL's
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
fd620b4f
by Alan Coopersmith at 2023-03-27T18:16:22-07:00
test: Add simple test cases for functions in src/rgb.c
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
8b9c4e4c
by Alan Coopersmith at 2023-03-27T18:21:12-07:00
xpmReadRgbNames: constify filename argument
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
f131de92
by Matt Turner at 2023-04-17T15:22:35-04:00
libXpm 3.5.16
Signed-off-by: Matt Turner <mattst88@gmail.com>
-
4524c578
by Alan Coopersmith at 2023-04-22T17:15:24+00:00
Set close-on-exec when opening files
Relies on platforms with O_CLOEXEC support following POSIX requirement
to not copy the close-on-exec flag to the new fd in dup2(), but to leave
it unset instead, since that's how fd's are passed to child processes
to handled compressed files.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
2695ccda
by Alan Coopersmith at 2023-05-20T13:47:55-07:00
test: use g_pattern_spec_match_string if available
g_pattern_spec_match_string was introduced in glib 2.70 to replace
g_pattern_match_string which is deprecated in glib 2.70 and later.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
7f60f342
by Alan Coopersmith at 2023-09-05T17:45:43-07:00
Explicitly mark non-static symbols as export or hidden
Hides private API from external linkage
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
2fa554b0
by Alan Coopersmith at 2023-09-22T14:06:32-07:00
Fix CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
When the test case for CVE-2022-46285 was run with the Address Sanitizer
enabled, it found an out-of-bounds read in ParseComment() when reading
from a memory buffer instead of a file, as it continued to look for the
closing comment marker past the end of the buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
a21e7bcf
by Alan Coopersmith at 2023-09-22T14:11:16-07:00
test: Add test case for CVE-2023-43789 (corrupt colormap info)
Generated by clang's -fsanitize/libfuzzer
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
7e21cb63
by Alan Coopersmith at 2023-09-22T14:11:24-07:00
Fix CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
Found with clang's libfuzzer
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
edb97396
by Alan Coopersmith at 2023-09-22T14:12:28-07:00
test: Add test case for CVE-2023-43786 (stack exhaustion in PutImage)
Provided by Yair Mizrahi of the JFrog Vulnerability Research team
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
84fb1457
by Alan Coopersmith at 2023-10-03T08:29:01-07:00
Avoid CVE-2023-43786: stack exhaustion in XPutImage()
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X11 pixmap with
dimensions larger than the unsigned 16-bit integers used in the
X11 protocol for the dimensions.
Reported by Yair Mizrahi of the JFrog Vulnerability Research team
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
00348988
by Alan Coopersmith at 2023-10-03T08:29:01-07:00
test: Add test case for CVE-2023-43787 (integer overflow in XCreateImage)
Provided by Yair Mizrahi of the JFrog Vulnerability Research team
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
91f887b4
by Yair Mizrahi at 2023-10-03T08:29:01-07:00
Avoid CVE-2023-43787 (integer overflow in XCreateImage)
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X Image for
which the width * depth would overflow the signed int used to
store the bytes_per_line value.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
a154f12b
by Alan Coopersmith at 2023-10-03T08:43:57-07:00
libXpm 3.5.17
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
ca752eb7
by Timo Aaltonen at 2023-10-04T14:28:41+03:00
Import NMU
-
0ce144ff
by Timo Aaltonen at 2023-10-04T14:28:52+03:00
control: Migrate to x11proto-dev.
-
0d2d089a
by root at 2023-10-04T14:28:52+03:00
Remove constraints unnecessary since buster
* Build-Depends: Drop versioned constraint on libx11-dev, libxext-dev, libxt-dev and xutils-dev.
Changes-By: deb-scrub-obsolete
-
ffc56dbb
by Timo Aaltonen at 2023-10-04T14:29:09+03:00
Merge branch 'upstream-unstable' into debian-unstable
-
4792cb0e
by Timo Aaltonen at 2023-10-04T14:29:48+03:00
version bump
-
57508fe3
by Timo Aaltonen at 2023-10-04T14:40:13+03:00
Update signing-key.
-
a5067bb9
by Timo Aaltonen at 2023-10-04T14:43:11+03:00
patches: All patches upstream, drop them.
-
d087dde6
by Timo Aaltonen at 2023-10-04T14:49:27+03:00
Remove a file changed from the tarball