Comment 6 for bug 13557

Hi!

> Ubuntu backported a fix for this hole to lesstif1. From their changelog:
>
> * SECURITY UPDATE: More Xpm vulnerabilities.
> * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
> freedesktop.org to avoid integer overflows.
> * lib/Xm/LTXpm.c: Backported patch to old lesstif1.
> * References:
> CAN-2005-0605
> https://bugs.freedesktop.org/show_bug.cgi?id=3D1920
> https://bugzilla.ubuntulinux.org/show_bug.cgi?id=3D7210

The change for lesstif1 was rather trivial since the variables
are declared correctly already. So the patch for the old lesstif1
reduces to

--- lesstif1-1-0.93.94.orig/lib/Xm/LTXpm.c
+++ lesstif1-1-0.93.94/lib/Xm/LTXpm.c
@@ -6305,6 +6305,9 @@
     ibpp = image->bits_per_pixel;
     offset = image->xoffset;

+ if (image->bitmap_unit < 0)
+ return (_LtXpmNoMemory);
+
     if ((image->bits_per_pixel | image->depth) == 1) {
        ibu = image->bitmap_unit;
        for (y = 0; y < height; y++)

Regards,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org