rpms/xv/devel xv-3.10a-xvcut.patch, NONE, 1.1 xv-3.10a-namemax.patch, 1.2, 1.3 xv.spec, 1.12, 1.13

L. Gabriel Somlo somlo at rpmfusion.org
Thu Mar 28 20:03:50 CET 2013


Author: somlo

Update of /cvs/nonfree/rpms/xv/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv11636

Modified Files:
	xv-3.10a-namemax.patch xv.spec 
Added Files:
	xv-3.10a-xvcut.patch 
Log Message:
* Thu Mar 28 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-18
- patch for cut/paste bug in 24+ bit mode (by Mark Brader <msb at vex.net>)
- further buffer overflow fix for overly long command line argument


xv-3.10a-xvcut.patch:
 xvcut.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE xv-3.10a-xvcut.patch ---
When a selection containing no more than 256 distinct colors is copied
from a 24-bit image, xv uses 8-bit color on the clipboard, presumably
in order to optimize clipboard size if the selection is large.
This patch fixes a bug that was causing the colormap it constructs
to be stored one place off the correct position in the data structure.

Signed-off-by: Mark Brader <msb at vex.net>
Acked-by: Gabriel Somlo <somlo at cmu.edu>

diff -NarU5 a/xvcut.c b/xvcut.c
--- a/xvcut.c	2013-03-28 12:36:30.515468841 -0400
+++ b/xvcut.c	2013-03-28 12:37:34.639145150 -0400
@@ -676,13 +676,13 @@
 	for (k=0; k<nc; k++,cm+=3) {
 	  if (pr==cm[0] && pg==cm[1] && pb==cm[2]) break;
 	}
 	if (k==nc) {
 	  nc++;
-	  cimg[CIMG_CMAP + nc*3    ] = pr;
-	  cimg[CIMG_CMAP + nc*3 + 1] = pg;
-	  cimg[CIMG_CMAP + nc*3 + 2] = pb;
+	  cimg[CIMG_CMAP + k*3    ] = pr;
+	  cimg[CIMG_CMAP + k*3 + 1] = pg;
+	  cimg[CIMG_CMAP + k*3 + 2] = pb;
 	}
 
 	*dp++ = (byte) k;
       }
     }
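Review bot: The `nc++` still sits before the three colormap stores, so the fixed code depends on `k` holding the pre-increment value of `nc`, which is the ordering that made the original off-by-one easy to write. Either move `nc++;` below the stores or put a comment such as `/* k == old nc: first free colormap slot */` above them. No bound on `nc` is visible in this hunk and `*dp++ = (byte) k;` truncates `k` to 8 bits, so the code presumably relies on an earlier check that the selection has at most 256 distinct colours. Stating that invariant in a comment here would make it possible to confirm that the write into `cimg` stays inside the colormap area. The enclosing loops start and end outside the hunk.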

xv-3.10a-namemax.patch:
 xv.c     |    9 ++++++---
 xvtext.c |    2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

Index: xv-3.10a-namemax.patch
===================================================================
RCS file: /cvs/nonfree/rpms/xv/devel/xv-3.10a-namemax.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- xv-3.10a-namemax.patch	14 Mar 2013 14:33:52 -0000	1.2
+++ xv-3.10a-namemax.patch	28 Mar 2013 19:03:49 -0000	1.3
@@ -1,6 +1,12 @@
-diff -NarU5 xv-3.10a.orig/xv.c xv-3.10a/xv.c
---- xv-3.10a.orig/xv.c	2013-03-14 09:37:32.095682131 -0400
-+++ xv-3.10a/xv.c	2013-03-14 09:55:10.629312017 -0400
+Under several circumstances, overly large filenames (or overly long command
+line arguments) cause buffer overflows due to the lack of bounds checking in
+the original xv source code. This patch is a first pass attempt at fixing that.
+
+Signed-off-by: Gabriel Somlo <somlo at cmu.edu>
+
+diff -NarU5 a/xv.c b/xv.c
+--- a/xv.c	2013-03-28 12:59:56.364082302 -0400
++++ b/xv.c	2013-03-28 13:22:10.312576922 -0400
 @@ -62,11 +62,11 @@
  static double vexpand = 1.0;    /* '-expand' argument */
  static const char *maingeom = NULL;
@@ -14,7 +20,38 @@
  #  ifndef TV_FONTSET
  #    define TV_FONTSET "-*-fixed-medium-r-normal--%d-*"
  #  endif
-@@ -3998,11 +3998,11 @@
+@@ -2167,15 +2167,17 @@
+   else if (filenum == PADDED) {
+     /* need fullfname (used for window/icon name),
+        basefname(compute from fullfname) */
+ 
+     i = LoadPad(&pinfo, fullfname);
++    if (!i) goto FAILED;   /* shouldn't happen */
++
+     fullname = fullfname;
+     strcpy(filename, fullfname);
++    if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
+     strcpy(basefname, BaseName(fullfname));
+ 
+-    if (!i) goto FAILED;   /* shouldn't happen */
+ 
+     if (killpage) {      /* kill old page files, if any */
+       KillPageFiles(pageBaseName, numPages);
+       pageBaseName[0] = '\0';
+       numPages = 1;
+@@ -2236,10 +2238,11 @@
+ #else
+   else fullname = namelist[filenum];
+ #endif
+ 
+   strcpy(fullfname, fullname);
++  if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
+   strcpy(basefname, BaseName(fullname));
+ 
+ 
+   /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */
+   if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0)
+@@ -3998,11 +4001,11 @@
  
  /***********************************/
  static void setWinIconNames(name)
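Review bot: In the second added xv.c hunk the new `NAME_MAX` test runs after `strcpy(fullfname, fullname);`, so an overly long command-line argument is still copied into `fullfname` without a bound before anything is rejected; the same applies to `strcpy(filename, fullfname);` in the PADDED branch. A length test against the destination size placed before each copy would close that, for example `if (strlen(fullname) >= sizeof(fullfname)) goto FAILED;`, assuming `fullfname` is an array in scope (its declaration is outside the hunk). The `> NAME_MAX` comparison is sufficient only if `basefname` holds at least `NAME_MAX + 1` bytes, which the visible lines do not show. The second hunk also measures `BaseName(fullfname)` but copies `BaseName(fullname)`; using one expression for both would make the guard easier to audit. Both enclosing functions continue outside the hunks.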
@@ -27,9 +64,9 @@
      strcpy(winname, winTitle);
      strcpy(iconname, winTitle);
    }
-diff -NarU5 xv-3.10a.orig/xvtext.c xv-3.10a/xvtext.c
---- xv-3.10a.orig/xvtext.c	2013-03-14 09:37:32.129684079 -0400
-+++ xv-3.10a/xvtext.c	2013-03-14 09:38:44.288818545 -0400
+diff -NarU5 a/xvtext.c b/xvtext.c
+--- a/xvtext.c	2013-03-28 12:59:56.400084367 -0400
++++ b/xvtext.c	2013-03-28 13:02:26.056666623 -0400
 @@ -51,11 +51,11 @@
  #  define TV_MSCODE   7
  


Index: xv.spec
===================================================================
RCS file: /cvs/nonfree/rpms/xv/devel/xv.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- xv.spec	14 Mar 2013 14:33:52 -0000	1.12
+++ xv.spec	28 Mar 2013 19:03:49 -0000	1.13
@@ -3,7 +3,7 @@
 
 Name: xv
 Version: %{vprog}.jumbopatch.%{vjumbo}
-Release: 17%{?dist}
+Release: 18%{?dist}
 Summary: Interactive image display program for X
 Summary(de.UTF-8): X-basierender Bild-Viewer für praktische sämtliche Grafiken
 Summary(es.UTF-8): Visualizador de imágenes para X para cuasi todos los formatos de imágenes
@@ -30,6 +30,7 @@
 Patch4: xv-wait.patch
 Patch5: xv-3.10a-libpng15.patch
 Patch6: xv-3.10a-namemax.patch
+Patch7: xv-3.10a-xvcut.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: libtiff-devel libpng-devel jasper-devel desktop-file-utils
 %if "%{?rhel}" != "4"
@@ -146,6 +147,9 @@
 # NAME_MAX buffer overflow fix
 %patch6 -p1
 
+# cut/paste fix for 24bit+ images
+%patch7 -p1
+
 # Include permission to distribute
 %{__install} -m 0644 -p %{SOURCE2} .
 
@@ -281,6 +285,10 @@
 %doc %{_docdir}/%{name}-%{vprog}/manuals/
 
 %changelog
+* Thu Mar 28 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-18
+- patch for cut/paste bug in 24+ bit mode (by Mark Brader <msb at vex.net>)
+- further buffer overflow fix for overly long command line argument
+
 * Thu Mar 14 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-17
 - additional fix for long filename buffer overflow
 

