Version in base suite: 3.5.17-1 Base version: libxpm_3.5.17-1 Target version: libxpm_3.5.17-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxpm/libxpm_3.5.17-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxpm/libxpm_3.5.17-1+deb13u1.dsc libxpm-3.5.17/debian/changelog | 6 ++++++ src/data.c | 3 +++ src/parse.c | 19 ++++++++++++++----- 3 files changed, 23 insertions(+), 5 deletions(-)
diff -u libxpm-3.5.17/debian/changelog libxpm-3.5.17/debian/changelog
--- libxpm-3.5.17/debian/changelog
+++ libxpm-3.5.17/debian/changelog
@@ -1,3 +1,9 @@
+libxpm (1:3.5.17-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2026-4367 (Closes: #1134690)
+
+ -- Moritz Mühlenhoff Mon, 08 Jun 2026 22:27:18 +0200
+
 libxpm (1:3.5.17-1) unstable; urgency=high
 [ Timo Aaltonen ]
only in patch2: unchanged:
--- libxpm-3.5.17.orig/src/data.c
+++ libxpm-3.5.17/src/data.c
@@ -210,6 +210,9 @@
 while ((c = *data->cptr++) && c != data->Bos && c != '\0')
 if (data->Bcmt && c == data->Bcmt[0])
 ParseComment(data);
+
+ if (c == '\0')
+ return XpmFileInvalid;
 } else if (data->Bcmt) { /* XPM2 natural */
 while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
 ParseComment(data);
only in patch2: unchanged:
--- libxpm-3.5.17.orig/src/parse.c
+++ libxpm-3.5.17/src/parse.c
@@ -221,7 +221,9 @@
 if (!data->format) { /* XPM 2 or 3 */
 for (a = 0, color = colorTable; a < ncolors; a++, color++) {
- xpmNextString(data); /* skip the line */
+ ErrorStatus = xpmNextString(data); /* skip the line */
+ if (ErrorStatus != XpmSuccess)
+ goto error;
 /*
 * read pixel value
@@ -319,7 +321,9 @@
 /* get to the beginning of the first string */
 data->Bos = '"';
 data->Eos = '\0';
- xpmNextString(data);
+ ErrorStatus = xpmNextString(data);
+ if (ErrorStatus != XpmSuccess)
+ goto error;
 data->Eos = '"';
 for (a = 0, color = colorTable; a < ncolors; a++, color++) {
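Review bot: The new `return XpmFileInvalid` in the data.c hunk fires only after the loop's `*data->cptr++` has already consumed the terminating NUL, so `data->cptr` points one past the end of the buffer and the error return is the only thing that keeps the next read inside it; any caller that still discards xpmNextString's result keeps the over-read, and this diff only adds checks at the four parse.c call sites it touches. The check belongs where it is, but that contract deserves a comment at the return, e.g. `/* end of buffer before the next Bos: cptr is past the NUL, callers must treat this as fatal */`. The XPM2 branch below it (`else if (data->Bcmt)`) exits its loop on end of data without an equivalent check; whether it needs one depends on what follows it, which is outside the hunk. xpmNextString's body starts and ends outside the hunk.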
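Review bot: The `goto error` added inside the per-colour loop of the first parse.c hunk jumps out with `colorTable` partially filled: entries below `a` may own strings allocated by earlier iterations while entries from `a` onward hold whatever the allocation left, and the `error:` cleanup that has to cope with both is outside the hunk. That is fine if the table was zero-allocated and the cleanup walks all `ncolors` entries tolerating NULL, which this diff does not show, so it is worth confirming rather than assuming. A comment at the jump would save the next reader the same check, something like `/* bail out: error: releases the entries filled so far */`, worded to match what the label actually does. The enclosing function starts and ends outside the hunk.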
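Review bot: In the second parse.c hunk the new error path leaves `data->Eos` at `'\0'`, because the hunk sets it to `'\0'` before the call and restores `'"'` only after the success check; anything that inspects `data` after the failed parse (the `error:` label and what follows are outside the hunk) then sees the parser in its temporary state rather than the one the success path guarantees. Restoring it before the check costs nothing and keeps the state consistent on both paths: `ErrorStatus = xpmNextString(data);` / `data->Eos = '"';` / `if (ErrorStatus != XpmSuccess) goto error;`. The enclosing function starts and ends outside the hunk.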
@@ -359,7 +363,9 @@
 /*
 * read color values
 */
- xpmNextString(data); /* get to the next string */
+ ErrorStatus = xpmNextString(data); /* get to the next string */
+ if (ErrorStatus != XpmSuccess)
+ goto error;
 *curbuf = '\0'; /* init curbuf */
 while ((l = xpmNextWord(data, buf, BUFSIZ))) {
 if (*curbuf != '\0') {
@@ -383,8 +389,11 @@
 memcpy(s, curbuf, len);
 color->c_color = s;
 *curbuf = '\0'; /* reset curbuf */
- if (a < ncolors - 1) /* can we trust ncolors -> leave data's bounds */
- xpmNextString(data); /* get to the next string */
+ if (a < ncolors - 1) { /* can we trust ncolors -> leave data's bounds */
+ ErrorStatus = xpmNextString(data); /* get to the next string */
+ if (ErrorStatus != XpmSuccess)
+ goto error;
+ }
 }
 }
 *colorTablePtr = colorTable;
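Review bot: The comment `/* can we trust ncolors -> leave data's bounds */` kept on the new `if (a < ncolors - 1) {` line is now stale: the doubt it records is exactly what the added check settles, since xpmNextString reports end of buffer instead of running past it, and a reader will otherwise take it for an open question. Suggest replacing it with `/* ncolors comes from the header: if the buffer ends before the last colour line, xpmNextString reports it and we bail out */`. The `a < ncolors - 1` guard itself still matters, presumably so the position is left on the last colour line for whatever the caller reads next, but that consumer is outside the hunk. The enclosing function starts outside the hunk.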