From 155efa7c00aee28f7065fafcbe4a1b2bdd8f413a Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 27 Nov 2016 18:47:46 +0100
Subject: [PATCH] Fix out out boundary read on unknown colors libXpm is vulnerable to an out of boundary read if an XPM file contains a color with a symbolic name but without any default color value. A caller must set XpmColorSymbols and a color with a NULL name in the supplied XpmAttributes to XpmReadFileToImage (or other functions of this type) in order to trigger this issue.
---
 src/create.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/create.c b/src/create.c
index d013da9..a750846 100644
--- a/src/create.c
+++ b/src/create.c
@@ -647,7 +647,8 @@ CreateColors(
 while (def_index <= 5 && defaults[def_index] == NULL)
 ++def_index;
 }
- if (def_index >= 2 && defaults[def_index] != NULL &&
+ if (def_index >= 2 && def_index <= 5 &&
+ defaults[def_index] != NULL &&
 !xpmstrcasecmp(symbol->value, defaults[def_index]))
 break;
 }
-- 
2.10.2
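Review bot: The upper bound `5` is now a bare literal in both the `while (def_index <= 5 && ...)` scan and the added `def_index <= 5` test, so the two must be kept in step by hand with the size of `defaults`, whose declaration is not visible in this hunk. The added test is needed because the scan exits with `def_index == 6` when no entry is set, and a short comment above the `if` would record that, e.g. `/* scan above stops at 6 when no default is set; never index defaults[] with it */`. If the file already has a constant for the number of color keys, using it in both places would be safer than repeating `5`. CreateColors starts and ends outside the hunk, so how `def_index` is initialised before the scan cannot be checked here.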