CAN-2005-3178, CAN-2005-0639 ? Index: xli-1.17.0+20061110/zoom.c =================================================================== --- xli-1.17.0+20061110.orig/zoom.c +++ xli-1.17.0+20061110/zoom.c @@ -52,28 +52,29 @@ Image *zoom(Image *oimage, unsigned int if (verbose) printf(" Zooming image Y axis by %d%%...", yzoom); if (changetitle) - sprintf(buf, "%s (Y zoom %d%%)", oimage->title, yzoom); + snprintf(buf, BUFSIZ, "%s (Y zoom %d%%)", oimage->title, yzoom); } else if (!yzoom) { if (verbose) printf(" Zooming image X axis by %d%%...", xzoom); if (changetitle) - sprintf(buf, "%s (X zoom %d%%)", oimage->title, xzoom); + snprintf(buf, BUFSIZ, "%s (X zoom %d%%)", oimage->title, xzoom); } else if (xzoom == yzoom) { if (verbose) printf(" Zooming image by %d%%...", xzoom); if (changetitle) - sprintf(buf, "%s (%d%% zoom)", oimage->title, xzoom); + snprintf(buf, BUFSIZ, "%s (%d%% zoom)", oimage->title, xzoom); } else { if (verbose) printf(" Zooming image X axis by %d%% and Y axis by %d%%...", xzoom, yzoom); if (changetitle) - sprintf(buf, "%s (X zoom %d%% Y zoom %d%%)", oimage->title, + snprintf(buf, BUFSIZ, "%s (X zoom %d%% Y zoom %d%%)", oimage->title, xzoom, yzoom); } + buf[BUFSIZ-1] = '\0'; if (!changetitle) strcpy(buf,oimage->title); Index: xli-1.17.0+20061110/reduce.c =================================================================== --- xli-1.17.0+20061110.orig/reduce.c +++ xli-1.17.0+20061110/reduce.c @@ -178,7 +178,8 @@ Image *reduce(Image *image, unsigned col /* get destination image */ depth = colorsToDepth(OutColors); new_image = newRGBImage(image->width, image->height, depth); - sprintf(buf, "%s (%d colors)", image->title, OutColors); + snprintf(buf, BUFSIZ, "%s (%d colors)", image->title, OutColors); + buf[BUFSIZ-1] = '\0'; new_image->title = dupString(buf); new_image->gamma = image->gamma; Index: xli-1.17.0+20061110/pbm.c =================================================================== --- xli-1.17.0+20061110.orig/pbm.c +++ xli-1.17.0+20061110/pbm.c 
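Review bot: In the zoom.c hunk the `!changetitle` path still ends in `strcpy(buf,oimage->title);`, an unbounded copy of the same title the four snprintf() calls were just bounded against, so a long title can still overrun buf whenever the title is not being rewritten; `snprintf(buf, BUFSIZ, "%s", oimage->title);` would close that path too. Both this hunk and the reduce.c hunk pass `BUFSIZ` as the size, which is only correct if buf is declared as `char buf[BUFSIZ]`; the declarations are outside the hunks, and `sizeof buf` would keep the bound tied to the array if it is one. The added `buf[BUFSIZ-1] = '\0';` is only needed for a pre-C99 snprintf(), and neither file checks the return value, so a truncated title passes silently. zoom() and reduce() both continue outside the hunks.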
@@ -108,8 +108,7 @@ static int pbmReadRawInt(ZFILE * zf, int return src; } -static int isPBM(ZFILE * zf, char *name, - unsigned int *width, unsigned int *height, unsigned int *maxval, +static int isPBM(ZFILE * zf, char *name, int *width, int *height, int *maxval, unsigned int verbose) { byte buf[4]; @@ -161,10 +160,10 @@ static int isPBM(ZFILE * zf, char *name, if (memToVal(buf, 2) == memToVal((byte *) "P2", 2)) { if (((*width = pbmReadInt(zf)) < 0) - || ((*height = pbmReadInt(zf)) < 0)) + || ((*height = pbmReadInt(zf)) < 0) + || ((*maxval = pbmReadInt(zf)) < 0)) return (NOTPBM); - *maxval = pbmReadInt(zf); if (verbose) { printf("%s is a %dx%d PGM image with %d levels\n", name, *width, *height, (*maxval + 1)); @@ -174,10 +173,10 @@ static int isPBM(ZFILE * zf, char *name, if (memToVal(buf, 2) == memToVal((byte *) "P5", 2)) { if (((*width = pbmReadInt(zf)) < 0) - || ((*height = pbmReadInt(zf)) < 0)) + || ((*height = pbmReadInt(zf)) < 0) + || ((*maxval = pbmReadInt(zf)) < 0)) return (NOTPBM); - *maxval = pbmReadInt(zf); if (verbose) printf("%s is a %dx%d Raw PGM image with %d levels\n", name, *width, *height, (*maxval + 1)); @@ -185,11 +184,11 @@ static int isPBM(ZFILE * zf, char *name, } if (memToVal(buf, 2) == memToVal((byte *) "P3", 2)) { - if (((*width = pbmReadInt(zf)) < 0) || - ((*height = pbmReadInt(zf)) < 0)) + if (((*width = pbmReadInt(zf)) < 0) + || ((*height = pbmReadInt(zf)) < 0) + || ((*maxval = pbmReadInt(zf)) < 0)) return (NOTPBM); - *maxval = pbmReadInt(zf); if (verbose) { printf("%s is a %dx%d PPM image with %d levels\n", name, *width, *height, (*maxval + 1)); 
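Review bot: The added `((*maxval = pbmReadInt(zf)) < 0)` test in the P2 branch rejects only negative values, so a header declaring maxval 0, or a very large width, height or maxval (if pbmReadInt can return one), is still accepted; the P5, P3 and P6 hunks have the same gap. With the parameters now `int`, the verbose `(*maxval + 1)` is signed arithmetic and overflows for maxval == INT_MAX. The PGM/PPM formats define maxval as 1..65535, so the test could read `|| ((*maxval = pbmReadInt(zf)) <= 0) || (*maxval > 65535)`, with a matching `<= 0` and a project-chosen upper limit on width and height before they reach any size computation. isPBM's body continues outside the hunk, so whether a later range check exists cannot be seen from here.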
@@ -198,11 +197,11 @@ static int isPBM(ZFILE * zf, char *name, } if (memToVal(buf, 2) == memToVal((byte *) "P6", 2)) { - if (((*width = pbmReadInt(zf)) < 0) || - ((*height = pbmReadInt(zf)) < 0)) + if (((*width = pbmReadInt(zf)) < 0) + || ((*height = pbmReadInt(zf)) < 0) + || ((*maxval = pbmReadInt(zf)) < 0)) return (NOTPBM); - *maxval = pbmReadInt(zf); if (verbose) { printf("%s is a %dx%d Raw PPM image with %d levels\n", name, *width, *height, (*maxval + 1)); @@ -215,7 +214,7 @@ static int isPBM(ZFILE * zf, char *name, int pbmIdent(char *fullname, char *name) { ZFILE *zf; - unsigned int width, height, maxval, ret; + int width, height, maxval, ret; if (!(zf = zopen(fullname))) return (0); @@ -234,7 +233,8 @@ Image *pbmLoad(char *fullname, ImageOpti Image *image = 0; int pbm_type; unsigned int x, y; - unsigned int width, height, maxval, fmaxval, depth, fdepth; + int width, height, maxval, fmaxval; + unsigned int depth, fdepth; unsigned int linelen; byte srcmask, destmask; byte *destptr = 0, *destline;
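Review bot: In pbmLoad, `width`, `height`, `maxval` and `fmaxval` become `int` while `x`, `y`, `linelen`, `depth` and `fdepth` stay `unsigned int`, so any comparison or arithmetic that mixes them later in the function (outside this hunk) converts the signed operand to unsigned. That is harmless only while isPBM guarantees non-negative values, so I would document the dependency at the declaration, e.g. `/* isPBM() rejects negative width/height/maxval; values are >= 0 here */`, and build with `-Wsign-compare` to surface the mixed uses. `fmaxval` is not set in any hunk shown, so its range after the type change should be confirmed as well. The function body continues outside the hunk.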