Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libXpm for openSUSE:Factory checked in at 2023-10-05 20:02:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXpm (Old) and /work/SRC/openSUSE:Factory/.libXpm.new.28202 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXpm" Thu Oct 5 20:02:39 2023 rev:16 rq:1115069 version:3.5.17 Changes: -------- --- /work/SRC/openSUSE:Factory/libXpm/libXpm.changes 2023-04-20 15:14:02.821839478 +0200 +++ /work/SRC/openSUSE:Factory/.libXpm.new.28202/libXpm.changes 2023-10-05 20:02:50.474036979 +0200 @@ -1,0 +2,12 @@ +Tue Oct 3 20:43:14 UTC 2023 - Stefan Dirsch <sndir...@suse.com> + +- Update to 3.5.17 + * This release contains fixes for the libXpm issues reported in + security advisory here: + https://lists.x.org/archives/xorg-announce/2023-October/003424.html + * fixes CVE-2023-43788 libXpm: out of bounds read in + XpmCreateXpmImageFromBuffer() (boo#1215686) + * fixes CVE-2023-43789 libXpm: out of bounds read on XPM with + corrupted colormap (boo#1215687) + +------------------------------------------------------------------- Old: ---- libXpm-3.5.16.tar.xz libXpm-3.5.16.tar.xz.sig New: ---- libXpm-3.5.17.tar.xz libXpm-3.5.17.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXpm.spec ++++++ --- /var/tmp/diff_new_pack.YEALnp/_old 2023-10-05 20:02:51.718081923 +0200 +++ /var/tmp/diff_new_pack.YEALnp/_new 2023-10-05 20:02:51.722082067 +0200 @@ -18,7 +18,7 @@ %define lname libXpm4 Name: libXpm -Version: 3.5.16 +Version: 3.5.17 Release: 0 Summary: X Pixmap image file format library License: MIT ++++++ libXpm-3.5.16.tar.xz -> libXpm-3.5.17.tar.xz ++++++ ++++ 3695 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/ChangeLog new/libXpm-3.5.17/ChangeLog --- old/libXpm-3.5.16/ChangeLog 2023-04-17 22:13:06.000000000 +0200 +++ new/libXpm-3.5.17/ChangeLog 2023-10-03 18:12:21.000000000 +0200 
@@ -1,3 +1,128 @@ +commit a154f12b6e56f131bd5880fc96f11615ff940b29 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Tue Oct 3 08:43:57 2023 -0700 + + libXpm 3.5.17 + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 91f887b41bf75648df725a4ed3be036da02e911e +Author: Yair Mizrahi <ya...@jfrog.com> +Date: Thu Sep 7 16:59:07 2023 -0700 + + Avoid CVE-2023-43787 (integer overflow in XCreateImage) + + This doesn't fix the CVE - that has to happen in libX11, this + just tries to avoid triggering it from libXpm, and saves time + in not pretending we can successfully create an X Image for + which the width * depth would overflow the signed int used to + store the bytes_per_line value. + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 00348988396c88150f6ddfea3d3195cbf01d60c2 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Thu Sep 7 16:55:25 2023 -0700 + + test: Add test case for CVE-2023-43787 (integer overflow in XCreateImage) + + Provided by Yair Mizrahi of the JFrog Vulnerability Research team + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 84fb14574c039f19ad7face87eb9acc31a50701c +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Wed Sep 6 17:34:33 2023 -0700 + + Avoid CVE-2023-43786: stack exhaustion in XPutImage() + + This doesn't fix the CVE - that has to happen in libX11, this + just tries to avoid triggering it from libXpm, and saves time + in not pretending we can successfully create an X11 pixmap with + dimensions larger than the unsigned 16-bit integers used in the + X11 protocol for the dimensions. + + Reported by Yair Mizrahi of the JFrog Vulnerability Research team + + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit edb97396620f019f8d2e707ad3fbaf6bbbd5ed36 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Tue Sep 5 17:01:58 2023 -0700 + + test: Add test case for CVE-2023-43786 (stack exhaustion in PutImage) + + Provided by Yair Mizrahi of the JFrog Vulnerability Research team + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 29 18:30:34 2023 -0700 + + Fix CVE-2023-43789: Out of bounds read on XPM with corrupted colormap + + Found with clang's libfuzzer + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit a21e7bcf0ca3d8c1605b2721a545440260870438 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 29 18:29:29 2023 -0700 + + test: Add test case for CVE-2023-43789 (corrupt colormap info) + + Generated by clang's -fsanitize/libfuzzer + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 29 17:50:39 2023 -0700 + + Fix CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer + + When the test case for CVE-2022-46285 was run with the Address Sanitizer + enabled, it found an out-of-bounds read in ParseComment() when reading + from a memory buffer instead of a file, as it continued to look for the + closing comment marker past the end of the buffer. + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 7f60f3428aa21d5d643eb75bfd9417cfabf48970 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Tue Sep 5 17:35:55 2023 -0700 + + Explicitly mark non-static symbols as export or hidden + + Hides private API from external linkage + + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 2695ccda5df58af60ebb15bb17f1570437554adb +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat May 20 13:47:52 2023 -0700 + + test: use g_pattern_spec_match_string if available + + g_pattern_spec_match_string was introduced in glib 2.70 to replace + g_pattern_match_string which is deprecated in glib 2.70 and later. + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 4524c578581b427145ae136844fc655a89e94777 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Mon Mar 27 18:35:46 2023 -0700 + + Set close-on-exec when opening files + + Relies on platforms with O_CLOEXEC support following POSIX requirement + to not copy the close-on-exec flag to the new fd in dup2(), but to leave + it unset instead, since that's how fd's are passed to child processes + to handled compressed files. + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + commit f131de92d6c4e2f62934e85b012287276ecf009c Author: Matt Turner <matts...@gmail.com> Date: Mon Apr 17 15:22:35 2023 -0400 @@ -1666,6 +1791,9 @@ Removed inclusion of unnecessary kernel header on Linux. This may fail in an -ansi environment. +Notes: + Fixes CVE-2004-0687 (integer overflows) and CVE-2004-0688 (stack overflows) + commit 2773a7214e282f6f673483f5233b880505947c3f Author: Egbert Eich <e...@suse.de> Date: Fri Apr 23 18:42:32 2004 +0000 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/config.h.in new/libXpm-3.5.17/config.h.in --- old/libXpm-3.5.16/config.h.in 2023-04-17 22:13:03.000000000 +0200 +++ new/libXpm-3.5.17/config.h.in 2023-10-03 18:12:12.000000000 +0200 
@@ -9,6 +9,9 @@ /* Define to 1 if you have the <dlfcn.h> header file. */ #undef HAVE_DLFCN_H +/* Define to 1 if you have the `g_pattern_spec_match_string' function. */ +#undef HAVE_G_PATTERN_SPEC_MATCH_STRING + /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/configure.ac new/libXpm-3.5.17/configure.ac --- old/libXpm-3.5.16/configure.ac 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/configure.ac 2023-10-03 18:11:58.000000000 +0200 @@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXpm], [3.5.16], +AC_INIT([libXpm], [3.5.17], [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/issues/], [libXpm]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) @@ -103,6 +103,9 @@ AC_REQUIRE_AUX_FILE([tap-driver.sh]) XORG_ENABLE_UNIT_TESTS XORG_WITH_GLIB([2.46]) +if test "x$have_glib" = x"yes"; then + AC_CHECK_FUNCS([g_pattern_spec_match_string]) +fi XORG_MEMORY_CHECK_FLAGS AC_CONFIG_FILES([Makefile diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/include/X11/xpm.h new/libXpm-3.5.17/include/X11/xpm.h --- old/libXpm-3.5.16/include/X11/xpm.h 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/include/X11/xpm.h 2023-10-03 18:11:58.000000000 +0200 @@ -73,6 +73,7 @@ # ifdef AMIGA # include "amigax.h" # else /* not AMIGA */ +# include <X11/Xfuncproto.h> # include <X11/Xlib.h> # include <X11/Xutil.h> # endif /* not AMIGA */ 
@@ -275,7 +276,12 @@ /* macros for forward declarations of functions with prototypes */ -#define FUNC(f, t, p) extern t f p +#ifndef _X_EXPORT +# define _X_EXPORT +# define _X_HIDDEN +#endif +#define FUNC(f, t, p) extern _X_EXPORT t f p +#define HFUNC(f, t, p) extern _X_HIDDEN t f p #define LFUNC(f, t, p) static t f p diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/m4/libtool.m4 new/libXpm-3.5.17/m4/libtool.m4 --- old/libXpm-3.5.16/m4/libtool.m4 2023-04-17 22:13:01.000000000 +0200 +++ new/libXpm-3.5.17/m4/libtool.m4 2023-10-03 18:12:05.000000000 +0200 @@ -1415,10 +1415,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - powerpcle-*linux*|powerpc64le-*linux*) + powerpcle-*linux*) LD="${LD-ld} -m elf64lppc" ;; - powerpc-*linux*|powerpc64-*linux*) + powerpc-*linux*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) @@ -1719,11 +1719,6 @@ lt_cv_sys_max_cmd_len=8192; ;; - mint*) - # On MiNT this can take a long time and run out of memory. - lt_cv_sys_max_cmd_len=8192; - ;; - amigaos*) # On AmigaOS with pdksh, this test takes hours, literally. # So we just punt and use a minimum line length of 8192. 
@@ -2661,11 +2656,11 @@ version_type=darwin need_lib_prefix=no need_version=no - library_names_spec='$libname$release$versuffix$shared_ext $libname$release$major$shared_ext $libname$shared_ext' + library_names_spec='$libname$release$major$shared_ext $libname$shared_ext' soname_spec='$libname$release$major$shared_ext' shlibpath_overrides_runpath=yes shlibpath_var=DYLD_LIBRARY_PATH - shrext_cmds='`test .$module = .yes && echo .bundle || echo .dylib`' + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' m4_if([$1], [],[ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' @@ -2691,14 +2686,7 @@ *) objformat=elf ;; esac fi - # Handle Gentoo/FreeBSD as it was Linux - case $host_vendor in - gentoo) - version_type=linux ;; - *) - version_type=freebsd-$objformat ;; - esac - + version_type=freebsd-$objformat case $version_type in freebsd-elf*) library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' @@ -2710,12 +2698,6 @@ library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' need_version=yes ;; - linux) - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - need_lib_prefix=no - need_version=no - ;; esac shlibpath_var=LD_LIBRARY_PATH case $host_os in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/CrPFrBuf.c new/libXpm-3.5.17/src/CrPFrBuf.c --- old/libXpm-3.5.16/src/CrPFrBuf.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/CrPFrBuf.c 2023-10-03 18:11:58.000000000 +0200 
@@ -46,7 +46,7 @@ Pixmap *shapemask_return, XpmAttributes *attributes) { - XImage *ximage, *shapeimage; + XImage *ximage = NULL, *shapeimage = NULL; int ErrorStatus; /* initialize return values */ @@ -63,16 +63,34 @@ attributes); if (ErrorStatus < 0) /* fatal error */ - return (ErrorStatus); + goto cleanup; /* create the pixmaps and destroy images */ if (pixmap_return && ximage) { - xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); - XDestroyImage(ximage); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); + if (ErrorStatus < 0) /* fatal error */ + goto cleanup; } if (shapemask_return && shapeimage) { - xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + } + + cleanup: + if (ximage != NULL) + XDestroyImage(ximage); + if (shapeimage != NULL) XDestroyImage(shapeimage); + if (ErrorStatus < 0) { + if (pixmap_return && *pixmap_return) { + XFreePixmap(display, *pixmap_return); + *pixmap_return = 0; + } + if (shapemask_return && *shapemask_return) { + XFreePixmap(display, *shapemask_return); + *shapemask_return = 0; + } } return (ErrorStatus); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/CrPFrDat.c new/libXpm-3.5.17/src/CrPFrDat.c --- old/libXpm-3.5.16/src/CrPFrDat.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/CrPFrDat.c 2023-10-03 18:11:58.000000000 +0200 @@ -46,7 +46,7 @@ Pixmap *shapemask_return, XpmAttributes *attributes) { - XImage *ximage, *shapeimage; + XImage *ximage = NULL, *shapeimage = NULL; int ErrorStatus; /* initialize return values */ 
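Review bot: Assigning the result of xpmCreatePixmapFromImage() straight to ErrorStatus in src/CrPFrBuf.c (@@ -63,16) can discard a non-fatal status from the earlier image-creation call. The `< 0` test lets a positive, non-fatal value through (presumably XpmColorError), and a successful pixmap creation then overwrites it with XpmSuccess, so the caller never sees the warning. Keeping the pixmap status in a local avoids that: `int rc = xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);` followed by `if (rc < 0) { ErrorStatus = rc; goto cleanup; }`, and likewise for the shape mask. The same pattern appears in the src/RdFToP.c (@@ -62,16) and src/create.c (@@ -1668,16) hunks; in each case the enclosing function starts outside the hunk.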
@@ -63,19 +63,34 @@ attributes); if (ErrorStatus != XpmSuccess) - return (ErrorStatus); - - if (ErrorStatus < 0) /* fatal error */ - return (ErrorStatus); + goto cleanup; /* create the pixmaps and destroy images */ if (pixmap_return && ximage) { - xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); - XDestroyImage(ximage); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); + if (ErrorStatus < 0) /* fatal error */ + goto cleanup; } if (shapemask_return && shapeimage) { - xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + } + + cleanup: + if (ximage != NULL) + XDestroyImage(ximage); + if (shapeimage != NULL) XDestroyImage(shapeimage); + if (ErrorStatus < 0) { + if (pixmap_return && *pixmap_return) { + XFreePixmap(display, *pixmap_return); + *pixmap_return = 0; + } + if (shapemask_return && *shapemask_return) { + XFreePixmap(display, *shapemask_return); + *shapemask_return = 0; + } } return (ErrorStatus); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/CrPFrI.c new/libXpm-3.5.17/src/CrPFrI.c --- old/libXpm-3.5.16/src/CrPFrI.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/CrPFrI.c 2023-10-03 18:11:58.000000000 +0200 @@ -36,8 +36,9 @@ #include <config.h> #endif #include "XpmI.h" +#include <stdint.h> -void +int xpmCreatePixmapFromImage( Display *display, Drawable d, 
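Review bot: The guard kept in src/CrPFrDat.c (@@ -63,19) is `ErrorStatus != XpmSuccess`, while the parallel hunks in CrPFrBuf.c, RdFToP.c and create.c test `ErrorStatus < 0`. Here any non-fatal positive status jumps to cleanup and no pixmap is created. That matches the removed early return, but the difference is undocumented and easy to mistake for an oversight. Either align the test with the other files or state the intent at the check, e.g. `/* any non-success status, including non-fatal ones, skips pixmap creation */`. The function begins outside the hunk, so whether callers rely on this cannot be seen from here.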
@@ -47,6 +48,11 @@ GC gc; XGCValues values; + /* X Pixmaps are limited to unsigned 16-bit height/width */ + if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) { + return XpmNoMemory; + } + *pixmap_return = XCreatePixmap(display, d, ximage->width, ximage->height, ximage->depth); /* set fg and bg in case we have an XYBitmap */ @@ -59,4 +65,6 @@ ximage->width, ximage->height); XFreeGC(display, gc); + + return XpmSuccess; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/RdFToBuf.c new/libXpm-3.5.17/src/RdFToBuf.c --- old/libXpm-3.5.16/src/RdFToBuf.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/RdFToBuf.c 2023-10-03 18:11:58.000000000 +0200 @@ -72,7 +72,7 @@ *buffer_return = NULL; #ifndef VAX11C - fd = open(filename, O_RDONLY); + fd = open(filename, O_RDONLY | O_CLOEXEC); #else fd = open(filename, O_RDONLY, NULL); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/RdFToI.c new/libXpm-3.5.17/src/RdFToI.c --- old/libXpm-3.5.16/src/RdFToI.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/RdFToI.c 2023-10-03 18:11:58.000000000 +0200 @@ -53,7 +53,7 @@ LFUNC(OpenReadFile, int, (const char *filename, xpmData *mdata)); LFUNC(xpmDataClose, void, (xpmData *mdata)); -FUNC(xpmPipeThrough, FILE*, (int fd, +HFUNC(xpmPipeThrough, FILE*, (int fd, const char *cmd, const char *arg1, const char *mode)); 
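Review bot: The new bounds check in xpmCreatePixmapFromImage() (src/CrPFrI.c, @@ -47,6) rejects only values above UINT16_MAX. XImage's width and height are signed ints, so a negative value passes the test and is converted to a large unsigned when handed to XCreatePixmap(). Rejecting those as well closes the gap: `if (ximage->width < 0 || ximage->height < 0 || ximage->width > UINT16_MAX || ximage->height > UINT16_MAX)`. The early return also leaves `*pixmap_return` unwritten, which is safe only if every caller zeroes it beforehand, since the callers' cleanup blocks test `*pixmap_return` before calling XFreePixmap(). A one-line comment such as `/* callers must pre-initialize *pixmap_return; it is not written on failure */` would record that precondition.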
@@ -212,7 +212,7 @@ mdata->stream.file = (stdin); mdata->type = XPMFILE; } else { - int fd = open(filename, O_RDONLY); + int fd = open(filename, O_RDONLY | O_CLOEXEC); #if defined(NO_ZPIPE) if ( fd < 0 ) return XpmOpenFailed; @@ -229,11 +229,11 @@ return (XpmNoMemory); strcpy(compressfile, filename); strcpy(compressfile + len, ext = ".Z"); - fd = open(compressfile, O_RDONLY); + fd = open(compressfile, O_RDONLY | O_CLOEXEC); if ( fd < 0 ) { strcpy(compressfile + len, ext = ".gz"); - fd = open(compressfile, O_RDONLY); + fd = open(compressfile, O_RDONLY | O_CLOEXEC); if ( fd < 0 ) { XpmFree(compressfile); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/RdFToP.c new/libXpm-3.5.17/src/RdFToP.c --- old/libXpm-3.5.16/src/RdFToP.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/RdFToP.c 2023-10-03 18:11:58.000000000 +0200 @@ -46,7 +46,7 @@ Pixmap *shapemask_return, XpmAttributes *attributes) { - XImage *ximage, *shapeimage; + XImage *ximage = NULL, *shapeimage = NULL; int ErrorStatus; /* initialize return values */ 
@@ -62,16 +62,34 @@ attributes); if (ErrorStatus < 0) /* fatal error */ - return (ErrorStatus); + goto cleanup; /* create the pixmaps and destroy images */ if (pixmap_return && ximage) { - xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); - XDestroyImage(ximage); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); + if (ErrorStatus < 0) /* fatal error */ + goto cleanup; } if (shapemask_return && shapeimage) { - xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + } + + cleanup: + if (ximage != NULL) + XDestroyImage(ximage); + if (shapeimage != NULL) XDestroyImage(shapeimage); + if (ErrorStatus < 0) { + if (pixmap_return && *pixmap_return) { + XFreePixmap(display, *pixmap_return); + *pixmap_return = 0; + } + if (shapemask_return && *shapemask_return) { + XFreePixmap(display, *shapemask_return); + *shapemask_return = 0; + } } return (ErrorStatus); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/WrFFrBuf.c new/libXpm-3.5.17/src/WrFFrBuf.c --- old/libXpm-3.5.16/src/WrFFrBuf.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/WrFFrBuf.c 2023-10-03 18:11:58.000000000 +0200 
@@ -45,7 +45,7 @@ char *buffer) { size_t fcheck, len; - FILE *fp = fopen(filename, "w"); + FILE *fp = fopen(filename, "w" FOPEN_CLOEXEC); if (!fp) return XpmOpenFailed; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/WrFFrI.c new/libXpm-3.5.17/src/WrFFrI.c --- old/libXpm-3.5.16/src/WrFFrI.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/WrFFrI.c 2023-10-03 18:11:58.000000000 +0200 @@ -315,7 +315,7 @@ #ifndef NO_ZPIPE -FUNC(xpmPipeThrough, FILE*, (int fd, +HFUNC(xpmPipeThrough, FILE*, (int fd, const char* cmd, const char* arg1, const char* mode)); @@ -336,7 +336,7 @@ #ifndef NO_ZPIPE size_t len; #endif - int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0644); + int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644); if ( fd < 0 ) return(XpmOpenFailed); #ifndef NO_ZPIPE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/XpmI.h new/libXpm-3.5.17/src/XpmI.h --- old/libXpm-3.5.16/src/XpmI.h 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/XpmI.h 2023-10-03 18:11:58.000000000 +0200 @@ -103,6 +103,13 @@ # endif #endif +#ifdef O_CLOEXEC +# define FOPEN_CLOEXEC "e" +#else +# define FOPEN_CLOEXEC "" +# define O_CLOEXEC 0 +#endif + #define XPMMAXCMTLEN BUFSIZ typedef struct { unsigned int type; 
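Review bot: `FOPEN_CLOEXEC "e"` in src/XpmI.h (@@ -103,6) is keyed on O_CLOEXEC being defined, which does not by itself establish that the C library's fopen() understands an `e` mode character. Where it does not, the effect of the extra character is left to the implementation. In the other branch, `# define O_CLOEXEC 0` turns every `| O_CLOEXEC` in this change into a silent no-op, so descriptors stay inheritable across exec with no build-time signal. Recording both assumptions next to the macros would help, e.g. `/* "e" requests close-on-exec from fopen(); assumed supported wherever O_CLOEXEC exists. Without O_CLOEXEC the flag is dropped and fds remain inheritable. */`.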
@@ -144,7 +151,7 @@ const char *Eoa; /* string ending assignment */ } xpmDataType; -extern xpmDataType xpmDataTypes[]; +extern _X_HIDDEN xpmDataType xpmDataTypes[]; /* * rgb values and ascii names (from rgb text file) rgb values, @@ -158,7 +165,7 @@ /* Maximum number of rgb mnemonics allowed in rgb text file. */ #define MAX_RGBNAMES 1024 -extern const char *xpmColorKeys[]; +extern _X_HIDDEN const char *xpmColorKeys[]; #define TRANSPARENT_COLOR "None" /* this must be a string! */ 
@@ -167,31 +174,31 @@ /* XPM internal routines */ -FUNC(xpmParseData, int, (xpmData *data, XpmImage *image, XpmInfo *info)); -FUNC(xpmParseDataAndCreate, int, (Display *display, xpmData *data, +HFUNC(xpmParseData, int, (xpmData *data, XpmImage *image, XpmInfo *info)); +HFUNC(xpmParseDataAndCreate, int, (Display *display, xpmData *data, XImage **image_return, XImage **shapeimage_return, XpmImage *image, XpmInfo *info, XpmAttributes *attributes)); -FUNC(xpmFreeColorTable, void, (XpmColor *colorTable, int ncolors)); +HFUNC(xpmFreeColorTable, void, (XpmColor *colorTable, int ncolors)); -FUNC(xpmInitAttributes, void, (XpmAttributes *attributes)); +HFUNC(xpmInitAttributes, void, (XpmAttributes *attributes)); -FUNC(xpmInitXpmImage, void, (XpmImage *image)); +HFUNC(xpmInitXpmImage, void, (XpmImage *image)); -FUNC(xpmInitXpmInfo, void, (XpmInfo *info)); +HFUNC(xpmInitXpmInfo, void, (XpmInfo *info)); -FUNC(xpmSetInfoMask, void, (XpmInfo *info, XpmAttributes *attributes)); -FUNC(xpmSetInfo, void, (XpmInfo *info, XpmAttributes *attributes)); -FUNC(xpmSetAttributes, void, (XpmAttributes *attributes, XpmImage *image, +HFUNC(xpmSetInfoMask, void, (XpmInfo *info, XpmAttributes *attributes)); +HFUNC(xpmSetInfo, void, (XpmInfo *info, XpmAttributes *attributes)); +HFUNC(xpmSetAttributes, void, (XpmAttributes *attributes, XpmImage *image, XpmInfo *info)); #if !defined(FOR_MSW) && !defined(AMIGA) -FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d, +HFUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d, XImage *ximage, Pixmap *pixmap_return)); -FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap, +HFUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap, XImage **ximage_return, unsigned int *width, unsigned int *height)); 
@@ -211,10 +218,10 @@ xpmHashAtom *atomTable; } xpmHashTable; -FUNC(xpmHashTableInit, int, (xpmHashTable *table)); -FUNC(xpmHashTableFree, void, (xpmHashTable *table)); -FUNC(xpmHashSlot, xpmHashAtom *, (xpmHashTable *table, char *s)); -FUNC(xpmHashIntern, int, (xpmHashTable *table, char *tag, void *data)); +HFUNC(xpmHashTableInit, int, (xpmHashTable *table)); +HFUNC(xpmHashTableFree, void, (xpmHashTable *table)); +HFUNC(xpmHashSlot, xpmHashAtom *, (xpmHashTable *table, char *s)); +HFUNC(xpmHashIntern, int, (xpmHashTable *table, char *tag, void *data)); #if defined(_MSC_VER) && defined(_M_X64) #define HashAtomData(i) ((void *)(long long)i) 
@@ -227,45 +234,45 @@ /* I/O utility */ -FUNC(xpmNextString, int, (xpmData *mdata)); -FUNC(xpmNextUI, int, (xpmData *mdata, unsigned int *ui_return)); -FUNC(xpmGetString, int, (xpmData *mdata, char **sptr, unsigned int *l)); +HFUNC(xpmNextString, int, (xpmData *mdata)); +HFUNC(xpmNextUI, int, (xpmData *mdata, unsigned int *ui_return)); +HFUNC(xpmGetString, int, (xpmData *mdata, char **sptr, unsigned int *l)); #define xpmGetC(mdata) \ ((!mdata->type || mdata->type == XPMBUFFER) ? \ (*mdata->cptr++) : (getc(mdata->stream.file))) -FUNC(xpmNextWord, unsigned int, +HFUNC(xpmNextWord, unsigned int, (xpmData *mdata, char *buf, unsigned int buflen)); -FUNC(xpmGetCmt, int, (xpmData *mdata, char **cmt)); -FUNC(xpmParseHeader, int, (xpmData *mdata)); -FUNC(xpmParseValues, int, (xpmData *data, unsigned int *width, +HFUNC(xpmGetCmt, int, (xpmData *mdata, char **cmt)); +HFUNC(xpmParseHeader, int, (xpmData *mdata)); +HFUNC(xpmParseValues, int, (xpmData *data, unsigned int *width, unsigned int *height, unsigned int *ncolors, unsigned int *cpp, unsigned int *x_hotspot, unsigned int *y_hotspot, unsigned int *hotspot, unsigned int *extensions)); -FUNC(xpmParseColors, int, (xpmData *data, unsigned int ncolors, +HFUNC(xpmParseColors, int, (xpmData *data, unsigned int ncolors, unsigned int cpp, XpmColor **colorTablePtr, xpmHashTable *hashtable)); -FUNC(xpmParseExtensions, int, (xpmData *data, XpmExtension **extensions, +HFUNC(xpmParseExtensions, int, (xpmData *data, XpmExtension **extensions, unsigned int *nextensions)); /* RGB utility */ -FUNC(xpmReadRgbNames, int, (const char *rgb_fname, xpmRgbName *rgbn)); -FUNC(xpmGetRgbName, char *, (xpmRgbName *rgbn, int rgbn_max, +HFUNC(xpmReadRgbNames, int, (const char *rgb_fname, xpmRgbName *rgbn)); +HFUNC(xpmGetRgbName, char *, (xpmRgbName *rgbn, int rgbn_max, int red, int green, int blue)); -FUNC(xpmFreeRgbNames, void, (xpmRgbName *rgbn, int rgbn_max)); +HFUNC(xpmFreeRgbNames, void, (xpmRgbName *rgbn, int rgbn_max)); #ifdef FOR_MSW 
-FUNC(xpmGetRGBfromName,int, (char *name, int *r, int *g, int *b)); +HFUNC(xpmGetRGBfromName,int, (char *name, int *r, int *g, int *b)); #endif #ifndef AMIGA -FUNC(xpm_xynormalizeimagebits, void, (register unsigned char *bp, +HFUNC(xpm_xynormalizeimagebits, void, (register unsigned char *bp, register XImage *img)); -FUNC(xpm_znormalizeimagebits, void, (register unsigned char *bp, +HFUNC(xpm_znormalizeimagebits, void, (register unsigned char *bp, register XImage *img)); /* @@ -313,7 +320,7 @@ #endif /* not AMIGA */ #ifdef NEED_STRDUP -FUNC(xpmstrdup, char *, (char *s1)); +HFUNC(xpmstrdup, char *, (char *s1)); #else #undef xpmstrdup #define xpmstrdup strdup @@ -321,14 +328,14 @@ #endif #ifdef NEED_STRCASECMP -FUNC(xpmstrcasecmp, int, (char *s1, char *s2)); +HFUNC(xpmstrcasecmp, int, (char *s1, char *s2)); #else #undef xpmstrcasecmp #define xpmstrcasecmp strcasecmp #include <strings.h> #endif -FUNC(xpmatoui, unsigned int, +HFUNC(xpmatoui, unsigned int, (char *p, unsigned int l, unsigned int *ui_return)); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/create.c new/libXpm-3.5.17/src/create.c --- old/libXpm-3.5.16/src/create.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/create.c 2023-10-03 18:11:58.000000000 +0200 @@ -997,6 +997,11 @@ *image_return = NULL; return XpmNoMemory; } + if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { + XDestroyImage(*image_return); + *image_return = NULL; + return XpmNoMemory; + } /* now that bytes_per_line must have been set properly alloc data */ if((*image_return)->bytes_per_line == 0 || height == 0) { XDestroyImage(*image_return); 
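Review bot: The added `width`/`bits_per_pixel` guard in src/create.c (@@ -997,6) has no comment, and its purpose is not obvious from the code. It reads `bits_per_pixel` from the already-created image, so it can only stop libXpm from going on to use an image whose row size would overflow; it does not prevent the computation itself, which matches the commit message saying the real fix belongs in libX11. Suggest a comment such as `/* width * bits_per_pixel must fit the signed int bytes_per_line (avoids triggering CVE-2023-43787 in libX11) */`. It would also help to note that XpmNoMemory is being reused here for a size-limit rejection. The surrounding function starts and ends outside the hunk.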
@@ -1652,7 +1657,7 @@ Pixmap *shapemask_return, XpmAttributes *attributes) { - XImage *ximage, *shapeimage; + XImage *ximage = NULL, *shapeimage = NULL; int ErrorStatus; /* initialize return values */ @@ -1668,16 +1673,34 @@ &shapeimage : NULL), attributes); if (ErrorStatus < 0) - return (ErrorStatus); + goto cleanup; /* create the pixmaps and destroy images */ if (pixmap_return && ximage) { - xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); - XDestroyImage(ximage); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); + if (ErrorStatus < 0) /* fatal error */ + goto cleanup; } if (shapemask_return && shapeimage) { - xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + ErrorStatus = + xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); + } + + cleanup: + if (ximage != NULL) + XDestroyImage(ximage); + if (shapeimage != NULL) XDestroyImage(shapeimage); + if (ErrorStatus < 0) { + if (pixmap_return && *pixmap_return) { + XFreePixmap(display, *pixmap_return); + *pixmap_return = 0; + } + if (shapemask_return && *shapemask_return) { + XFreePixmap(display, *shapemask_return); + *shapemask_return = 0; + } } return (ErrorStatus); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/data.c new/libXpm-3.5.17/src/data.c --- old/libXpm-3.5.16/src/data.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/data.c 2023-10-03 18:11:58.000000000 +0200 @@ -108,7 +108,7 @@ n++; s2++; } while (c == *s2 && *s2 != '\0' && c); - if (*s2 == '\0') { + if (*s2 == '\0' || c == '\0') { /* this is the end of the comment */ notend = 0; data->cptr--; 
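Review bot: The comment under the changed condition in src/data.c (@@ -108,7) still reads "this is the end of the comment", but with `|| c == '\0'` the branch is now also taken when the buffer ends before the closing marker is found. Suggest `/* end of the comment, or end of the buffer in an unterminated comment */` so the out-of-bounds-read fix is visible at the check. The termination depends on the in-memory data being NUL-terminated, which cannot be confirmed from this hunk. The enclosing loop and function begin outside it.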
@@ -259,13 +259,13 @@ int c; if (!data->type || data->type == XPMBUFFER) { - while (isspace(c = *data->cptr) && c != data->Eos) + while ((c = *data->cptr) && isspace(c) && (c != data->Eos)) data->cptr++; do { c = *data->cptr++; *buf++ = c; n++; - } while (!isspace(c) && c != data->Eos && n < buflen); + } while (c && !isspace(c) && (c != data->Eos) && (n < buflen)); n--; data->cptr--; } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/src/rgb.c new/libXpm-3.5.17/src/rgb.c --- old/libXpm-3.5.16/src/rgb.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/src/rgb.c 2023-10-03 18:11:58.000000000 +0200 @@ -66,7 +66,7 @@ xpmRgbName *rgb; /* Open the rgb text file. Abort if error. */ - if ((rgbf = fopen(rgb_fname, "r")) == NULL) + if ((rgbf = fopen(rgb_fname, "r" FOPEN_CLOEXEC)) == NULL) return 0; /* Loop reading each line in the file. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/test/TestAllFiles.h new/libXpm-3.5.17/test/TestAllFiles.h --- old/libXpm-3.5.16/test/TestAllFiles.h 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/test/TestAllFiles.h 2023-10-03 18:11:58.000000000 +0200 
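Review bot: Both `isspace(c)` calls in the `@@ -259` hunk of src/data.c receive `c` as loaded from `*data->cptr`, which can be negative. If `cptr` is a plain `char *` on a platform where `char` is signed (its declaration is outside the hunk), a byte above 0x7F in the XPM data becomes a negative `int`, for which `isspace` is not defined. The added `c &&` tests stop the scan at NUL but do not cover that case. Casting at the call leaves the comparison with `data->Eos` unchanged: use `isspace((unsigned char)c)` in both loop conditions. The enclosing function starts and ends outside the hunk.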
@@ -32,6 +32,12 @@ #include "config.h" +/* g_pattern_spec_match_string is available in glib 2.70 and later, + to replace the deprecated g_pattern_match_string */ +#ifdef HAVE_G_PATTERN_SPEC_MATCH_STRING +#define g_pattern_match_string g_pattern_spec_match_string +#endif + #define DEFAULT_TIMEOUT 10 /* maximum seconds for each file */ static sigjmp_buf jump_env; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/test/XpmRead.c new/libXpm-3.5.17/test/XpmRead.c --- old/libXpm-3.5.16/test/XpmRead.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/test/XpmRead.c 2023-10-03 18:11:58.000000000 +0200 @@ -33,6 +33,10 @@ #include "TestAllFiles.h" +#ifndef O_CLOEXEC +# define O_CLOEXEC 0 +#endif + #ifndef g_assert_no_errno /* defined in glib 2.66 & later */ #define g_assert_no_errno(n) g_assert_cmpint(n, >=, 0) #endif @@ -147,7 +151,7 @@ g_assert_nonnull(buffer); /* Read file ourselves and verify the data matches */ - g_assert_no_errno(fd = open(filepath, O_RDONLY)); + g_assert_no_errno(fd = open(filepath, O_RDONLY | O_CLOEXEC)); while ((rd = read(fd, readbuf, sizeof(readbuf))) > 0) { g_assert_cmpmem(b, rd, readbuf, rd); b += rd; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/test/XpmWrite.c new/libXpm-3.5.17/test/XpmWrite.c --- old/libXpm-3.5.16/test/XpmWrite.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/test/XpmWrite.c 2023-10-03 18:11:58.000000000 +0200 
@@ -38,6 +38,10 @@ #include "TestAllFiles.h" #include "CompareXpmImage.h" +#ifndef O_CLOEXEC +# define O_CLOEXEC 0 +#endif + #ifndef g_assert_no_errno /* defined in glib 2.66 & later */ #define g_assert_no_errno(n) g_assert_cmpint(n, >=, 0) #endif @@ -295,7 +299,7 @@ ssize_t rd; /* Read file ourselves and verify the data matches */ - g_assert_no_errno(fd = open(newfilepath, O_RDONLY)); + g_assert_no_errno(fd = open(newfilepath, O_RDONLY | O_CLOEXEC)); while ((rd = read(fd, readbuf, sizeof(readbuf))) > 0) { g_assert_cmpmem(b, rd, readbuf, rd); b += rd; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXpm-3.5.16/test/rgb.c new/libXpm-3.5.17/test/rgb.c --- old/libXpm-3.5.16/test/rgb.c 2023-04-17 22:12:57.000000000 +0200 +++ new/libXpm-3.5.17/test/rgb.c 2023-10-03 18:11:58.000000000 +0200 @@ -23,7 +23,7 @@ #include "config.h" -#include "../src/XpmI.h" +#include "../src/rgb.c" #include <glib.h> /*