This repository was archived by the owner on Jun 16, 2018. It is now read-only.
Lots of potential overflows #12
Open
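There are many places in the code with potential buffer overflows. Here are some to start with (from xv-20090131-grr-C++-comments.where). The listing appears to be every line that carries a `//` comment, so it also contains unrelated entries such as commented-out debug output; the ones relevant to this issue are those marked "GRR POSSIBLE OVERFLOW / FIXME", where an allocation size is computed by multiplying image dimensions with no overflow check visible on the line. If such a product wraps, the buffer is allocated smaller than the code that later fills it expects.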
xv.c: strcpy(fullname, namelist[filenum]); // 1 of 2 places fullname != const
xv.c: *tmp = '\0'; // 2 of 2 places fullname != const
xvevent.c: //fprintf(stderr, "RAC: orig window pos %d,%d\n", xwa.x, xwa.y);
xvevent.c: //fprintf(stderr, "RAC: image size now %d,%d\n", xwa.width, xwa.height);
xvevent.c: //fprintf(stderr, "RAC: moving window to %d,%d\n", xwa.x, xwa.y);
xvgif.c: xv_mktemp(pinfo->pagebname, "xvpgXXXXXX"); // a.k.a. close(mkstemp())
xvhips.c://extern char *calloc();
xvhips.c: pic = pinfo->pic = (byte *) malloc(h.rows * h.cols); // GRR POSSIBLE OVERFLOW / FIXME
xvmag.c: *pic0 = mag_malloc((size_t) mi->width * mi->height, "mag_expand_body#2"); // GRR POSSIBLE OVERFLOW / FIXME
xvmag.c: pixel0 = mag_malloc((size_t) 2 * mi->p_width * 17, "mag_expand_body#3"); // GRR POSSIBLE OVERFLOW / FIXME
xvmag.c: mag.a_size = (mag.p_width * mag.p_height + 15) / 16; /* x/2/8 */ // GRR POSSIBLE OVERFLOW / FIXME
xvmag.c: pixel0 = mag_malloc((size_t) 2 * mi->p_width * mi->p_height, // GRR POSSIBLE OVERFLOW / FIXME
xvmag.c: flag0 = mag_malloc((size_t) mi->p_width * mi->p_height, // GRR POSSIBLE OVERFLOW / FIXME
xvmag.c: mi->a = mag_malloc((size_t) mi->a_size, "mag_compress_data#4"); // GRR POSSIBLE OVERFLOW / FIXME
xvmaki.c: mi->vs = maki_malloc((size_t) bpl * mi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvmaki.c: *pic = maki_malloc((size_t) mi->width * mi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvmaki.c: mi->forma = maki_malloc((size_t) mi->width / 2 * mi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvmaki.c: mi->formb = maki_malloc((size_t) mi->width / 2 * mi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvmaki.c: mi->vs = maki_malloc((size_t) bpl * mi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvmaki.c: mi->fa = maki_malloc((size_t) bpl * mi->height, "maki_make_flags#1"); // GRR POSSIBLE OVERFLOW / FIXME
xvpi.c: *pic = pi_malloc((size_t) max_cnt, "pi_expand"); // GRR POSSIBLE OVERFLOW / FIXME
xvpic.c: pi->data = pic_malloc(sizeof(data32) * pi->width * pi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvpic.c: *xp = pic_malloc((size_t) pi->width * pi->height * 2, // GRR POSSIBLE OVERFLOW / FIXME
xvpic.c: *xp = pic_malloc((size_t) pi->width * pi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvpic.c: *xp = pic_malloc((size_t) pi->width * pi->height * 3, // GRR POSSIBLE OVERFLOW / FIXME
xvpic.c: pi->data = pic_malloc(sizeof(data32) * pi->width * pi->height, // GRR POSSIBLE OVERFLOW / FIXME
xvpic2.c: *xp = pic2_new((size_t) pi->x_max * pi->y_max * 3, "pic2_make_xvpic"); // GRR POSSIBLE OVERFLOW / FIXME
xvpic2.c: p = pi->buf = (byte *) pic2_new((wid + 8) * sizeof(pixel) * 3 // GRR POSSIBLE OVERFLOW / FIXME
xvpng.c:// GRR FIXME: add .Xdefaults option to omit writing gamma (size, cumulative errors when editing)--alternatively, modify save box to include "omit" checkbox
xvpng.c: //fprintf(stderr, "Disabling MMX read support for combining rows.\n");
xvpng.c: //fprintf(stderr, "Disabling MMX read support for expanding interlacing.\n");
xvpng.c: //fprintf(stderr, "Disabling MMX read support for decoding row-filters.\n");
xvtiff.c:#endif // USE_LIBJPEG_FOR_TIFF_YCbCr_RGB_CONVERSION