Tue Jan 15 15:22:06 EST 2002

(KainX)

Fixed a whole slew of potential buffer overflows, hopefully including
the one recently posted to BUGTRAQ.


SVN revision: 5838

ChangeLog

@@ -2941,3 +2941,12 @@ Fri Aug 10 13:33:13 PDT 2001
 None of the libraries are now absolute requirements.  Everything that
 requires external support which Imlib2 itself doesn't specifically
 need can now be optionally built.
+
+_______________________________________________
+
+Tue Jan 15 15:22:06 EST 2002
+(KainX)
+
+Fixed a whole slew of potential buffer overflows, hopefully including
+the one recently posted to BUGTRAQ.
+

configure.in

@@ -2,7 +2,7 @@ dnl Process this file with autoconf to create configure.
 
 AC_INIT(src/Imlib2.h)
 AC_CANONICAL_SYSTEM
-AM_INIT_AUTOMAKE(imlib2, 1.0.4)
+AM_INIT_AUTOMAKE(imlib2, 1.0.5)
 
 AM_CONFIG_HEADER(config.h)
 

imlib2.spec

@@ -1,6 +1,6 @@
 Summary: Powerful image loading and rendering library
 Name: imlib2
-Version: 1.0.4
+Version: 1.0.5
 Release: 1
 Copyright: BSD
 Group: System Environment/Libraries

loaders/loader_gzbz2.c

@@ -56,32 +56,41 @@ char load (ImlibImage *im, ImlibProgressFunction progress,
 	   char progress_granularity, char immediate_load)
 {
    char                 file[4096], key[4096], *ptr;
-   char 		str_gz[4096];
+   char 		*str_gz;
    ImlibLoader	        *sub_loader;   
    
    if (im->data)
       return 0;
    if (!im->file)
       return 0;
-   strcpy(file, im->real_file);
+   strncpy(file, im->real_file, sizeof(file));
+   file[sizeof(file) - 1] = 0;
    if (!exists(file))    
       return 0;
    ptr = strrchr(file,'.');
    if (!ptr) return 0;
    *ptr = 0;
    if (getenv("TMPDIR"))
-      strcpy(key,getenv("TMPDIR"));
+     {
+       strncpy(key,getenv("TMPDIR"), sizeof(key));
+       key[sizeof(key) - 1] = 0;
+     }
    else  
-       { _getcwd2(&key[0],4096);   
+       { _getcwd2(key, sizeof(key));   
 #ifdef __EMX__       
          if (key[strlen(key)-1] == '/')  key[strlen(key)-1] = 0;
 #endif         
        }  
-   if ( (strlen(ptr+1)>=2) && (!strcmp(ptr+1,"gz")) )    
-      sprintf(str_gz,"gzip -d %s -c > %s/%s", im->real_file, key, pure_filename(file));
-   else 
-   if ( (strlen(ptr+1)>=3) && (!strcmp(ptr+1,"bz2")) )      
-      sprintf(str_gz,"bzip2 -d %s -c > %s/%s", im->real_file, key, pure_filename(file));
+   if ( (strlen(ptr+1)>=2) && (!strcmp(ptr+1,"gz")) )
+     {
+       str_gz = (char *) malloc(20 + strlen(im->real_file) + strlen(key) + strlen(file));
+       sprintf(str_gz,"gzip -d %s -c > %s/%s", im->real_file, key, pure_filename(file));
+     }
+   else if ( (strlen(ptr+1)>=3) && (!strcmp(ptr+1,"bz2")) )      
+     {
+       str_gz = (char *) malloc(20 + strlen(im->real_file) + strlen(key) + strlen(file));
+       sprintf(str_gz,"bzip2 -d %s -c > %s/%s", im->real_file, key, pure_filename(file));
+     }
    else   
       return 0; /* Eeek why we are here? */
 
@@ -89,6 +98,7 @@ char load (ImlibImage *im, ImlibProgressFunction progress,
    free(im->real_file);
    sprintf(str_gz,"%s/%s", key, pure_filename(file));
    im->real_file = strdup(str_gz);
+   free(str_gz);
    im->format = strdup(++ptr);
    sub_loader = __imlib_FindBestLoaderForFile(im->real_file);
    if (sub_loader)

src/dynamic_filters.c

@@ -146,12 +146,13 @@ pImlibExternalFilter __imlib_get_dynamic_filter( char *name )
 /* loader dir */
 char **__imlib_ListFilters(int *num_ret)
 {
-   char **list = NULL, **l, s[4096], *home;
+   char **list = NULL, **l, *s, *home;
    int num, i, pi = 0;
    
    *num_ret = 0;
    /* get the user's home dir */
    home = __imlib_FileHomeDir(getuid());
+   s = (char *) malloc(strlen(home) + 1 + sizeof(USER_LOADERS_PATH) + 7 + 1);
    sprintf(s, "%s/" USER_LOADERS_PATH "/filter", home);
    /* list the dir contents of their loader dir */
    l = __imlib_FileDir(s, &num);
@@ -163,6 +164,7 @@ char **__imlib_ListFilters(int *num_ret)
       list = malloc(sizeof(char *) * *num_ret);
       for (i = 0; i < num; i++)
       {
+         s = (char *) realloc(s, strlen(home) + 1 + sizeof(USER_LOADERS_PATH) + 8 + strlen(l[i]) + 1);
 	 sprintf(s, "%s/" USER_LOADERS_PATH "/filter/%s", home, l[i]);
 	 list[i] = strdup(s);
       }
@@ -170,6 +172,7 @@ char **__imlib_ListFilters(int *num_ret)
       __imlib_FileFreeDirList(l, num);
    }
    /* same for system loader path */
+   s = (char *) realloc(s, sizeof(SYS_LOADERS_PATH) + 7 + 1);
    sprintf(s, SYS_LOADERS_PATH "/filter");
 #ifndef __EMX__   
    l = __imlib_FileDir(s, &num);
@@ -182,6 +185,7 @@ char **__imlib_ListFilters(int *num_ret)
       list = realloc(list, sizeof(char *) * *num_ret);
       for (i = 0; i < num; i++)
       {
+         s = (char *) realloc(s, sizeof(SYS_LOADERS_PATH) + 8 + strlen(l[i]) + 1);
 	 sprintf(s, SYS_LOADERS_PATH "/filter/%s", l[i]);
 #ifndef __EMX__	 
 	 list[pi + i] = strdup(s);
@@ -192,7 +196,8 @@ char **__imlib_ListFilters(int *num_ret)
       __imlib_FileFreeDirList(l, num);
    }
    free(home);
-   
+   free(s);
+
    /* List currently contains *everything in there* we need to weed out
     * the .so, .la, .a versions of the same loader or whatever else.
     * lt_dlopen can take an extension-less name and do the Right Thing

src/image.c

@@ -629,12 +629,13 @@ __imlib_ProduceLoader(char *file)
 char **
 __imlib_ListLoaders(int *num_ret)
 {
-   char **list = NULL, **l, s[4096], *home;
+   char **list = NULL, **l, *s, *home;
    int num, i, pi = 0;
 
    *num_ret = 0;
    /* get the user's home dir */
    home = __imlib_FileHomeDir(getuid());
+   s = (char *) malloc(strlen(home) + 1 + sizeof(USER_LOADERS_PATH) + 6 + 1);
    sprintf(s, "%s/" USER_LOADERS_PATH "/image", home);
    /* list the dir contents of their loader dir */
    l = __imlib_FileDir(s, &num);
@@ -647,7 +648,8 @@ __imlib_ListLoaders(int *num_ret)
 
       for (i = 0; i < num; i++)
       {
-	   sprintf(s, "%s/" USER_LOADERS_PATH "/image/%s", home, l[i]);
+         s = (char *) realloc(s, strlen(home) + 1 + sizeof(USER_LOADERS_PATH) + 7 + strlen(l[i]) + 1);
+	 sprintf(s, "%s/" USER_LOADERS_PATH "/image/%s", home, l[i]);
 #ifndef __EMX__
 	 list[pi + i] = strdup(s);
 #else
@@ -658,6 +660,7 @@ __imlib_ListLoaders(int *num_ret)
       __imlib_FileFreeDirList(l, num);
    }
    /* same for system loader path */
+   s = (char *) realloc(s, sizeof(SYS_LOADERS_PATH) + 6 + 1);
    sprintf(s, SYS_LOADERS_PATH "/image");
 #ifndef __EMX__   
    l = __imlib_FileDir(s, &num);
@@ -671,6 +674,7 @@ __imlib_ListLoaders(int *num_ret)
 
       for (i = 0; i < num; i++)
       {
+         s = (char *) realloc(s, sizeof(SYS_LOADERS_PATH) + 7 + strlen(l[i]) + 1);
          sprintf(s, SYS_LOADERS_PATH "/image/%s", l[i]);
 #ifndef __EMX__
 	 list[pi + i] = strdup(s);
@@ -681,6 +685,7 @@ __imlib_ListLoaders(int *num_ret)
       __imlib_FileFreeDirList(l, num);
    }
    free(home);
+   free(s);
 
    /* List currently contains *everything in there* we need to weed out
     * the .so, .la, .a versions of the same loader or whatever else.
@@ -778,7 +783,7 @@ __imlib_RescanLoaders(void)
    static time_t last_modified_home_time = 0;
    static time_t last_modified_system_time = 0;
    time_t current_time;
-   char s[4096], *home;
+   char *s, *home;
    char do_reload = 0;
 
    /* dont stat the dir and rescan if we checked in the last 5 seconds */
@@ -808,6 +813,7 @@ __imlib_RescanLoaders(void)
    }
    /* ok - was the users own loaders dir contents modified ? */
    home = __imlib_FileHomeDir(getuid());
+   s = (char *) malloc(strlen(home) + 1 + sizeof(USER_LOADERS_PATH) + 7 + 1);
    sprintf(s, "%s/" USER_LOADERS_PATH "/image/", home);
    free(home);
    if (__imlib_FileIsDir(s))
@@ -820,6 +826,7 @@ __imlib_RescanLoaders(void)
          last_modified_home_time = current_time;
       }
    }
+   free(s);
    /* if we dont ned to reload the loaders - get out now */
    if (!do_reload)
       return;