pool/netpbm
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5e5269246d
netpbm/netpbm-security-code.patch
Petr Gajdos 3531121433 - version update to 10.98.2 
palmtopnm: Fix failure with bogus claim of invalid input on
    architectures that do not use two's complement negative numbers.
    Always broken.  (Ability to convert PackBits input was new in
    Netpbm 10.27 (March 2005).
    pnmgamma -srgbtobt709, -bt709tosrgb: fix bug; incorrect output.
    Always broken (These options were new in Netpbm 10.32 (February
    2006)).  Thanks Alexander Shpilkin <ashpilkin@gmail.com>.
    pamdice: Fix incorrect output file name with PAM input.  Always
    broken (pamdice was new in Netpbm 9.25 (March 2002).
    pamtopdbimg: Add -fixedtime.
    ppmfade: Use temporary files securely.
    pnmtosir: Set some possibly meaningless bits in output to zero
    so output is repeatable.
    pamx: Fix bug: top-justifies image in all cases where it should
    bottom-justify.  Always broken.  (pamx was new in Netpbm 10.34
    (June 2006).
    pnmtorle: Fix bug: -h works only on first image.
    pamsistoaglyph: Fix invalid memory reference and incorrect
    output on depth 1 input.  Always broken.  (pamsistoaglyph was
    new in Netpbm 10.47 (June 2009).  Thanks Scott Pakin.
    pambayer: Fix bogus colors at edges.  Always Broken (pambayer
    was new in Release 10.30 (October 2005)).
    libnetpbm, various programs: fix bug: bogus warning that a color
    specified on command line cannot be represented exactly with the
    maxval being used.  Introduced in Netpbm 10.83 (June 2018).
    pnmtopsnr: Fix typo in error message.  Always broken (pnmpsnr
    was new in Netpbm 9.6 (July 2000).
    ppmtoilbm: Remove -floyd (aka -fs) option, which hasn't worked
    in a long time if ever and is inappropriate function for this

OBS-URL: https://build.opensuse.org/package/show/graphics/netpbm?expand=0&rev=131
2022-05-30 14:58:55 +00:00

1535 lines
56 KiB
Diff
Raw Blame History

Index: netpbm-10.98.2/analyzer/pgmtexture.c
===================================================================
--- netpbm-10.98.2.orig/analyzer/pgmtexture.c
+++ netpbm-10.98.2/analyzer/pgmtexture.c
@@ -63,7 +63,7 @@ vector(unsigned int const nl,
unsigned int i;
assert(nh >= nl);
-
+ overflow_add(nh - nl, 1);
MALLOCARRAY(v, (unsigned) (nh - nl + 1));
if (v == NULL)
@@ -97,6 +97,7 @@ matrix (unsigned int const nrl,
assert(nrh >= nrl);
/* allocate pointers to rows */
+ overflow_add(nrh - nrl, 1);
MALLOCARRAY(m, (unsigned) (nrh - nrl + 1));
if (m == NULL)
pm_error("Unable to allocate memory for a matrix.");
@@ -104,7 +105,7 @@ matrix (unsigned int const nrl,
m -= ncl;
assert (nch >= ncl);
-
+ overflow_add(nch - ncl, 1);
/* allocate rows and set pointers to them */
for (i = nrl; i <= nrh; ++i) {
MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1));
Index: netpbm-10.98.2/converter/other/gemtopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/gemtopnm.c
+++ netpbm-10.98.2/converter/other/gemtopnm.c
@@ -105,7 +105,7 @@ main(argc, argv)
type = PPM_TYPE;
pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 );
-
+ overflow_add(cols, padright);
{
/* allocate input row data structure */
int plane;
Index: netpbm-10.98.2/converter/other/jpegtopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/jpegtopnm.c
+++ netpbm-10.98.2/converter/other/jpegtopnm.c
@@ -862,6 +862,8 @@ convertImage(FILE *
/* Calculate output image dimensions so we can allocate space */
jpeg_calc_output_dimensions(cinfoP);
+ overflow2(cinfoP->output_width, cinfoP->output_components);
+
/* Start decompressor */
jpeg_start_decompress(cinfoP);
Index: netpbm-10.98.2/converter/other/pbmtopgm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/pbmtopgm.c
+++ netpbm-10.98.2/converter/other/pbmtopgm.c
@@ -60,6 +60,7 @@ main(int argc, char *argv[]) {
outrow = pgm_allocrow(cols) ;
+ overflow2(width, height);
maxval = MIN(PGM_OVERALLMAXVAL, width*height);
pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
Index: netpbm-10.98.2/converter/other/pnmtoddif.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/pnmtoddif.c
+++ netpbm-10.98.2/converter/other/pnmtoddif.c
@@ -629,6 +629,7 @@ main(int argc, char *argv[]) {
switch (PNM_FORMAT_TYPE(format)) {
case PBM_TYPE:
ip.bits_per_pixel = 1;
+ overflow_add(cols, 7);
ip.bytes_per_line = (cols + 7) / 8;
ip.spectral = 2;
ip.components = 1;
@@ -644,6 +645,7 @@ main(int argc, char *argv[]) {
ip.polarity = 2;
break;
case PPM_TYPE:
+ overflow2(cols, 3);
ip.bytes_per_line = 3 * cols;
ip.bits_per_pixel = 24;
ip.spectral = 5;
Index: netpbm-10.98.2/converter/other/pnmtojpeg.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/pnmtojpeg.c
+++ netpbm-10.98.2/converter/other/pnmtojpeg.c
@@ -606,7 +606,11 @@ read_scan_script(j_compress_ptr const ci
want JPOOL_PERMANENT.
*/
const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info);
- jpeg_scan_info * const scan_info =
+ const jpeg_scan_info * scan_info;
+
+ overflow2(nscans, sizeof(jpeg_scan_info));
+
+ scan_info =
(jpeg_scan_info *)
(*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
scan_info_size);
@@ -938,6 +942,8 @@ compute_rescaling_array(JSAMPLE ** const
const long half_maxval = maxval / 2;
long val;
+ overflow_add(maxval, 1);
+ overflow2(maxval+1, sizeof(JSAMPLE));
*rescale_p = (JSAMPLE *)
(cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE,
(size_t) (((long) maxval + 1L) *
@@ -1016,6 +1022,7 @@ convert_scanlines(struct jpeg_compress_s
*/
/* Allocate the libpnm output and compressor input buffers */
+ overflow2(cinfo_p->image_width, cinfo_p->input_components);
buffer = (*cinfo_p->mem->alloc_sarray)
((j_common_ptr) cinfo_p, JPOOL_IMAGE,
(unsigned int) cinfo_p->image_width * cinfo_p->input_components,
Index: netpbm-10.98.2/converter/other/pnmtops.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/pnmtops.c
+++ netpbm-10.98.2/converter/other/pnmtops.c
@@ -294,17 +294,21 @@ parseCommandLine(int argc, const char **
validateCompDimension(width, 72, "-width value");
validateCompDimension(height, 72, "-height value");
+ overflow2(width, 72);
cmdlineP->width = width * 72;
+ overflow2(height, 72);
cmdlineP->height = height * 72;
if (imagewidthSpec) {
validateCompDimension(imagewidth, 72, "-imagewidth value");
+ overflow2(imagewidth, 72);
cmdlineP->imagewidth = imagewidth * 72;
}
else
cmdlineP->imagewidth = 0;
if (imageheightSpec) {
- validateCompDimension(imagewidth, 72, "-imageheight value");
+ validateCompDimension(imageheight, 72, "-imageheight value");
+ overflow2(imageheight, 72);
cmdlineP->imageheight = imageheight * 72;
}
else
Index: netpbm-10.98.2/converter/other/pnmtorle.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/pnmtorle.c
+++ netpbm-10.98.2/converter/other/pnmtorle.c
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* pnmtorle - A program which will convert pbmplus (ppm or pgm) images
Index: netpbm-10.98.2/converter/other/pnmtosgi.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/pnmtosgi.c
+++ netpbm-10.98.2/converter/other/pnmtosgi.c
@@ -185,6 +185,7 @@ buildChannels(FILE * const ifP,
ScanElem * temp;
if (storage != STORAGE_VERBATIM) {
+ overflow2(channels, rows);
MALLOCARRAY_NOFAIL(table, channels * rows);
} else
table = NULL;
Index: netpbm-10.98.2/converter/other/rletopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/rletopnm.c
+++ netpbm-10.98.2/converter/other/rletopnm.c
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rletopnm - A conversion program to convert from Utah's "rle" image format
Index: netpbm-10.98.2/converter/other/sgitopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/sgitopnm.c
+++ netpbm-10.98.2/converter/other/sgitopnm.c
@@ -377,10 +377,14 @@ readChannels(FILE * const ifP,
MALLOCARRAY_NOFAIL(image, head->ysize);
} else {
maxchannel = 3;
+ overflow2(head->ysize, maxchannel);
MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
}
- if (table)
+ if (table) {
+ overflow2(head->xsize, 2);
+ overflow_add(head->xsize*2, 2);
MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
+ }
for (channel = 0; channel < maxchannel; ++channel) {
unsigned int row;
Index: netpbm-10.98.2/converter/other/sirtopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/sirtopnm.c
+++ netpbm-10.98.2/converter/other/sirtopnm.c
@@ -69,6 +69,7 @@ char* argv[];
}
break;
case PPM_TYPE:
+ overflow3(cols, rows, 3);
picsize = cols * rows * 3;
planesize = cols * rows;
if ( !( sirarray = (unsigned char*) malloc( picsize ) ) )
Index: netpbm-10.98.2/converter/other/tifftopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/tifftopnm.c
+++ netpbm-10.98.2/converter/other/tifftopnm.c
@@ -1372,7 +1372,9 @@ convertRasterByRows(pnmOut * const
if (scanbuf == NULL)
pm_error("can't allocate memory for scanline buffer");
- MALLOCARRAY(samplebuf, cols * spp);
+ /* samplebuf is unsigned int * !!! */
+ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp);
+
if (samplebuf == NULL)
pm_error("can't allocate memory for row buffer");
Index: netpbm-10.98.2/converter/other/xwdtopnm.c
===================================================================
--- netpbm-10.98.2.orig/converter/other/xwdtopnm.c
+++ netpbm-10.98.2/converter/other/xwdtopnm.c
@@ -210,6 +210,10 @@ processX10Header(X10WDFileHeader * cons
*colorsP = pnm_allocrow(2);
PNM_ASSIGN1((*colorsP)[0], 0);
PNM_ASSIGN1((*colorsP)[1], *maxvalP);
+ overflow_add(h10P->pixmap_width, 15);
+ if(h10P->pixmap_width < 0)
+ pm_error("assert: negative width");
+ overflow2((((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width), 8);
*padrightP =
(((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8;
*bits_per_itemP = 16;
@@ -638,6 +642,7 @@ processX11Header(X11WDFileHeader * cons
*colsP = h11FixedP->pixmap_width;
*rowsP = h11FixedP->pixmap_height;
+ overflow2(h11FixedP->bytes_per_line, 8);
*padrightP =
h11FixedP->bytes_per_line * 8 -
h11FixedP->pixmap_width * h11FixedP->bits_per_pixel;
Index: netpbm-10.98.2/converter/pbm/mdatopbm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/mdatopbm.c
+++ netpbm-10.98.2/converter/pbm/mdatopbm.c
@@ -245,10 +245,13 @@ main(int argc, char **argv) {
pm_readlittleshort(infile, &yy); nInCols = yy;
}
+ overflow2(nOutCols, 8);
nOutCols = 8 * nInCols;
nOutRows = nInRows;
- if (bScale)
+ if (bScale) {
+ overflow2(nOutRows, 2);
nOutRows *= 2;
+ }
data = pbm_allocarray(nOutCols, nOutRows);
Index: netpbm-10.98.2/converter/pbm/mgrtopbm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/mgrtopbm.c
+++ netpbm-10.98.2/converter/pbm/mgrtopbm.c
@@ -105,6 +105,8 @@ readMgrHeader(FILE * const ifP,
interpHdrWidth (head, colsP);
interpHdrHeight(head, rowsP);
+ overflow_add(*colsP, pad);
+
*padrightP = ((*colsP + pad - 1) / pad) * pad - *colsP;
}
Index: netpbm-10.98.2/converter/pbm/pbmtogem.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtogem.c
+++ netpbm-10.98.2/converter/pbm/pbmtogem.c
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
bitsperitem = 0;
bitshift = 7;
outcol = 0;
+ overflow_add(cols, 7);
outmax = (cols + 7) / 8;
outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
Index: netpbm-10.98.2/converter/pbm/pbmtogo.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtogo.c
+++ netpbm-10.98.2/converter/pbm/pbmtogo.c
@@ -158,6 +158,7 @@ main(int argc,
bitrow = pbm_allocrow(cols);
/* Round cols up to the nearest multiple of 8. */
+ overflow_add(cols, 7);
rucols = ( cols + 7 ) / 8;
bytesperrow = rucols; /* GraphOn uses bytes */
rucols = rucols * 8;
Index: netpbm-10.98.2/converter/pbm/pbmtolj.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtolj.c
+++ netpbm-10.98.2/converter/pbm/pbmtolj.c
@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
static void
allocateBuffers(unsigned int const cols) {
+ overflow_add(cols, 8);
rowBufferSize = (cols + 7) / 8;
+ overflow_add(rowBufferSize, 128);
+ overflow_add(rowBufferSize, rowBufferSize+128);
+ overflow_add(rowBufferSize+10, rowBufferSize/8);
packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
Index: netpbm-10.98.2/converter/pbm/pbmtomda.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtomda.c
+++ netpbm-10.98.2/converter/pbm/pbmtomda.c
@@ -179,6 +179,7 @@ int main(int argc, char **argv)
nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
+ overflow_add(nOutRowsUnrounded, 3);
nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
/* MDA wants rows a multiple of 4 */
nOutCols = nInCols / 8;
Index: netpbm-10.98.2/converter/pbm/pbmtoppa/pbm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtoppa/pbm.c
+++ netpbm-10.98.2/converter/pbm/pbmtoppa/pbm.c
@@ -154,6 +154,7 @@ pbm_readline(pbm_stat * const pbmSt
break;
case P4: {
int tmp, tmp2;
+ overflow_add(pbmStatP->width, 7);
tmp = (pbmStatP->width+7)/8;
tmp2 = fread(data,1,tmp,pbmStatP->fptr);
if (tmp2 == tmp) {
@@ -186,6 +187,7 @@ pbm_unreadline(pbm_stat * const pbmStatP
if (!pbmStatP->unread) {
pbmStatP->unread = 1;
+ overflow_add(pbmStatP->width, 7);
pbmStatP->revdata = malloc ((pbmStatP->width+7)/8);
memcpy(pbmStatP->revdata, data, (pbmStatP->width+7)/8);
--pbmStatP->current_line;
Index: netpbm-10.98.2/converter/pbm/pbmtoppa/pbmtoppa.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtoppa/pbmtoppa.c
+++ netpbm-10.98.2/converter/pbm/pbmtoppa/pbmtoppa.c
@@ -453,6 +453,7 @@ main(int argc, char *argv[]) {
pm_error("main(): unrecognized parameter '%s'", argv[argn]);
}
+ overflow_add(Width, 7);
Pwidth=(Width+7)/8;
printer.fptr=out;
Index: netpbm-10.98.2/converter/pbm/pbmtoxbm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmtoxbm.c
+++ netpbm-10.98.2/converter/pbm/pbmtoxbm.c
@@ -353,6 +353,8 @@ convertRaster(FILE * const ifP,
unsigned char * bitrow;
unsigned int row;
+ overflow_add(cols, padright);
+
putinit(xbmVersion);
bitrow = pbm_allocrow_packed(cols + padright);
Index: netpbm-10.98.2/converter/pbm/pbmto4425.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pbmto4425.c
+++ netpbm-10.98.2/converter/pbm/pbmto4425.c
@@ -2,6 +2,7 @@
#include "nstring.h"
#include "pbm.h"
+#include <string.h>
static char bit_table[2][3] = {
{1, 4, 0x10},
@@ -160,7 +161,7 @@ main(int argc, char * argv[]) {
xres = vmap_width * 2;
yres = vmap_height * 3;
- vmap = malloc(vmap_width * vmap_height * sizeof(char));
+ vmap = malloc3(vmap_width, vmap_height, sizeof(char));
if(vmap == NULL)
{
pm_error( "Cannot allocate memory" );
Index: netpbm-10.98.2/converter/pbm/pktopbm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/pktopbm.c
+++ netpbm-10.98.2/converter/pbm/pktopbm.c
@@ -280,6 +280,7 @@ main(int argc, char *argv[]) {
if (flagbyte == 7) { /* long form preamble */
integer packetlength = get32() ; /* character packet length */
car = get32() ; /* character number */
+ overflow_add(packetlength, pktopbm_pkloc);
endofpacket = packetlength + pktopbm_pkloc;
/* calculate end of packet */
if ((car >= MAXPKCHAR) || !filename[car]) {
Index: netpbm-10.98.2/converter/pbm/thinkjettopbm.l
===================================================================
--- netpbm-10.98.2.orig/converter/pbm/thinkjettopbm.l
+++ netpbm-10.98.2/converter/pbm/thinkjettopbm.l
@@ -114,7 +114,9 @@ DIG [0-9]
<RASTERMODE>\033\*b{DIG}+W {
int l;
if (rowCount >= rowCapacity) {
+ overflow_add(rowCapacity, 100);
rowCapacity += 100;
+ overflow2(rowCapacity, sizeof *rows);
rows = realloc (rows, rowCapacity * sizeof *rows);
if (rows == NULL)
pm_error ("Out of memory.");
@@ -226,6 +228,8 @@ yywrap (void)
/*
* Quite simple since ThinkJet bit arrangement matches PBM
*/
+
+ overflow2(maxRowLength, 8);
pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
packed_bitrow = malloc(maxRowLength);
Index: netpbm-10.98.2/converter/pgm/lispmtopgm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pgm/lispmtopgm.c
+++ netpbm-10.98.2/converter/pgm/lispmtopgm.c
@@ -58,6 +58,7 @@ main( argc, argv )
pm_error( "depth (%d bits) is too large", depth);
pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
+ overflow_add(cols, 7);
grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
for ( row = 0; row < rows; ++row )
@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad
if ( *depthP == 0 )
*depthP = 1; /* very old file */
-
+
+ overflow_add((int)colsP, 31);
+
*padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
if ( *colsP != (cols_32 - *padrightP) ) {
Index: netpbm-10.98.2/converter/pgm/psidtopgm.c
===================================================================
--- netpbm-10.98.2.orig/converter/pgm/psidtopgm.c
+++ netpbm-10.98.2/converter/pgm/psidtopgm.c
@@ -78,6 +78,7 @@ main(int argc,
pm_error("bits/sample (%d) is too large.", bitspersample);
pgm_writepgminit(stdout, cols, rows, maxval, 0);
+ overflow_add(cols, 7);
grayrow = pgm_allocrow((cols + 7) / 8 * 8);
for (row = 0; row < rows; ++row) {
unsigned int col;
Index: netpbm-10.98.2/converter/ppm/ilbmtoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ilbmtoppm.c
+++ netpbm-10.98.2/converter/ppm/ilbmtoppm.c
@@ -608,6 +608,7 @@ decode_row(FILE * const ifP,
rawtype *chp;
cols = bmhdP->w;
+ overflow_add(cols, 15);
bytes = RowBytes(cols);
for( plane = 0; plane < nPlanes; plane++ ) {
int mask;
@@ -695,6 +696,23 @@ decode_mask(FILE * const ifP,
Multipalette handling
****************************************************************************/
+static void *
+xmalloc2(x, y)
+ int x;
+ int y;
+{
+ void *mem;
+
+ overflow2(x,y);
+ if( x * y == 0 )
+ return NULL;
+
+ mem = malloc2(x,y);
+ if( mem == NULL )
+ pm_error("out of memory allocating %d bytes", x * y);
+ return mem;
+}
+
static void
multi_adjust(ColorMap * const cmapP,
@@ -1363,6 +1381,10 @@ dcol_to_ppm(FILE * const ifP,
if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval )
pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval));
+ overflow_add(redmaxval, 1);
+ overflow_add(greenmaxval, 1);
+ overflow_add(bluemaxval, 1);
+
MALLOCARRAY_NOFAIL(redtable, redmaxval +1);
MALLOCARRAY_NOFAIL(greentable, greenmaxval +1);
MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1);
@@ -1802,7 +1824,9 @@ PCHG_ConvertSmall(PCHGHeader * const
ChangeCount32 = *data++;
remDataSize -= 2;
+ overflow_add(ChangeCount16, ChangeCount32);
changes = ChangeCount16 + ChangeCount32;
+ overflow_add(changes, 1);
for (i = 0; i < changes; ++i) {
if (totalchanges >= pchgP->TotalChanges) goto fail;
if (remDataSize < 2) goto fail;
@@ -2067,6 +2091,9 @@ read_pchg(FILE * const ifP,
cmap->mp_change[i] = NULL;
if( PCHG.StartLine < 0 ) {
int nch;
+ if(PCHG.MaxReg < PCHG.MinReg)
+ pm_error("assert: MinReg > MaxReg");
+ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2);
nch = PCHG.MaxReg - PCHG.MinReg +1;
MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1);
for( i = 0; i < nch; i++ )
@@ -2143,6 +2170,7 @@ process_body( FILE * const ifP,
if (typeid == ID_ILBM) {
int isdeep;
+ overflow_add(bmhdP->w, 15);
MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w));
*viewportmodesP |= fakeviewport; /* -isham/-isehb */
Index: netpbm-10.98.2/converter/ppm/imgtoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/imgtoppm.c
+++ netpbm-10.98.2/converter/ppm/imgtoppm.c
@@ -84,6 +84,7 @@ main(int argc, char ** argv) {
len = atoi((char*) buf );
if ( fread( buf, len, 1, ifp ) != 1 )
pm_error( "bad colormap buf" );
+ overflow2(cmaplen, 3);
if ( cmaplen * 3 != len )
{
pm_message(
@@ -105,6 +106,7 @@ main(int argc, char ** argv) {
pm_error( "bad pixel data header" );
buf[8] = '\0';
len = atoi((char*) buf );
+ overflow2(cols, rows);
if ( len != cols * rows )
pm_message(
"pixel data length (%d) does not match image size (%d)",
Index: netpbm-10.98.2/converter/ppm/Makefile
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/Makefile
+++ netpbm-10.98.2/converter/ppm/Makefile
@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
leaftoppm mtvtoppm neotoppm \
- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
+ pcxtoppm pc1toppm pi1toppm pjtoppm \
ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
Index: netpbm-10.98.2/converter/ppm/pcxtoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/pcxtoppm.c
+++ netpbm-10.98.2/converter/ppm/pcxtoppm.c
@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes,
/*
* clear the pixel buffer
*/
+ overflow2(bytesperline, 8);
npixels = (bytesperline * 8) / bitsperpixel;
p = pixels;
while (--npixels >= 0)
@@ -470,6 +471,7 @@ pcx_16col_to_ppm(FILE * const ifP,
}
/* BytesPerLine should be >= BitsPerPixel * cols / 8 */
+ overflow2(BytesPerLine, 8);
rawcols = BytesPerLine * 8 / BitsPerPixel;
if (headerCols > rawcols) {
pm_message("warning - BytesPerLine = %d, "
Index: netpbm-10.98.2/converter/ppm/picttoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/picttoppm.c
+++ netpbm-10.98.2/converter/ppm/picttoppm.c
@@ -1,3 +1,5 @@
+#error "Unfixable. Don't ship me"
+
/*
* picttoppm.c -- convert a MacIntosh PICT file to PPM format.
*
Index: netpbm-10.98.2/converter/ppm/pjtoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/pjtoppm.c
+++ netpbm-10.98.2/converter/ppm/pjtoppm.c
@@ -168,14 +168,20 @@ main(int argc, const char ** argv) {
case 'V': /* send plane */
case 'W': /* send last plane */
if (row >= rowsX || image == NULL) {
- if (row >= rowsX)
+ if (row >= rowsX) {
+ overflow_add(rows, 100);
rowsX += 100;
+ }
if (image == NULL) {
- MALLOCARRAY(image, uintProduct(rowsX, planes));
- MALLOCARRAY(imlen, uintProduct(rowsX, planes));
+ image = (unsigned char **)
+ malloc3(rowsX , planes , sizeof(unsigned char *));
+ imlen = (int *) malloc3(rowsX , planes, sizeof(int));
} else {
- REALLOCARRAY(image, uintProduct(rowsX, planes));
- REALLOCARRAY(imlen, uintProduct(rowsX, planes));
+ overflow2(rows,planes);
+ image = (unsigned char **)
+ realloc2(image, rowsX * planes,
+ sizeof(unsigned char *));
+ imlen = (int *) realloc2(imlen, rowsX * planes, sizeof(int));
}
}
if (image == NULL || imlen == NULL)
@@ -263,8 +269,10 @@ main(int argc, const char ** argv) {
col += 2)
for (cmd = image[plane + row * planes][col],
val = image[plane + row * planes][col+1];
- cmd >= 0 && i < newcols; cmd--, i++)
+ cmd >= 0 && i < newcols; cmd--, i++) {
buf[i] = val;
+ overflow_add(i, 1);
+ }
cols = MAX(cols, i);
free(image[plane + row * planes]);
/*
@@ -275,6 +283,7 @@ main(int argc, const char ** argv) {
image[plane + row * planes] = realloc(buf, i);
}
}
+ overflow2(cols, 8);
cols *= 8;
}
Index: netpbm-10.98.2/converter/ppm/ppmtoeyuv.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtoeyuv.c
+++ netpbm-10.98.2/converter/ppm/ppmtoeyuv.c
@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
int index;
+ overflow_add(maxval, 1);
MALLOCARRAY_NOFAIL(mult299 , maxval+1);
MALLOCARRAY_NOFAIL(mult587 , maxval+1);
MALLOCARRAY_NOFAIL(mult114 , maxval+1);
Index: netpbm-10.98.2/converter/ppm/ppmtoilbm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtoilbm.c
+++ netpbm-10.98.2/converter/ppm/ppmtoilbm.c
@@ -188,6 +188,7 @@ makeValTable(int const oldmaxval,
unsigned int i;
int * table;
+ overflow_add(oldmaxval, 1);
MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
for (i = 0; i <= oldmaxval; ++i)
table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
@@ -1625,6 +1626,7 @@ ppmToRgb8(FILE * const ifP,
maskmethod = 0; /* no masking - RGB8 uses genlock bits */
compmethod = 4; /* RGB8 files are always compressed */
+ overflow2(cols, 4);
MALLOCARRAY_NOFAIL(compr_row, cols * 4);
if( maxval != 255 ) {
@@ -1716,6 +1718,7 @@ ppmToRgbn(FILE * const ifP,
maskmethod = 0; /* no masking - RGBN uses genlock bits */
compmethod = 4; /* RGBN files are always compressed */
+ overflow2(cols, 2);
MALLOCARRAY_NOFAIL(compr_row, cols * 2);
if( maxval != 15 ) {
@@ -2277,8 +2280,10 @@ main(int argc, char ** argv) {
MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols));
for (i = 0; i < RowBytes(cols); ++i)
coded_rowbuf[i] = 0;
- if (DO_COMPRESS)
+ if (DO_COMPRESS) {
+ overflow_add(cols,15);
pm_rlenc_allocoutbuf(&compr_rowbuf, RowBytes(cols), PM_RLE_PACKBITS);
+ }
}
switch (mode) {
Index: netpbm-10.98.2/converter/ppm/ppmtolj.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtolj.c
+++ netpbm-10.98.2/converter/ppm/ppmtolj.c
@@ -182,6 +182,7 @@ int main(int argc, char *argv[]) {
ppm_readppminit( ifp, &cols, &rows, &maxval, &format );
pixelrow = ppm_allocrow( cols );
+ overflow2(cols, 6);
obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
if (mode == C_TRANS_MODE_DELTA)
Index: netpbm-10.98.2/converter/ppm/ppmtomitsu.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtomitsu.c
+++ netpbm-10.98.2/converter/ppm/ppmtomitsu.c
@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
medias = MSize_User;
if (dpi300) {
+ overflow2(medias.maxcols, 2);
+ overflow2(medias.maxrows, 2);
medias.maxcols *= 2;
medias.maxrows *= 2;
}
Index: netpbm-10.98.2/converter/ppm/ppmtopcx.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtopcx.c
+++ netpbm-10.98.2/converter/ppm/ppmtopcx.c
@@ -410,6 +410,9 @@ writeRaster16Color(FILE * const ofP,
unsigned int row;
+ /* see bytesPerLine definition above */
+ overflow2(bitsPerPixel, cols);
+ overflow_add(bitsPerPixel * cols, 7);
MALLOCARRAY_NOFAIL(indexRow, cols);
MALLOCARRAY(planesrow, bytesPerLine);
Index: netpbm-10.98.2/converter/ppm/ppmtopict.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtopict.c
+++ netpbm-10.98.2/converter/ppm/ppmtopict.c
@@ -450,6 +450,8 @@ main(int argc, const char ** argv) {
putShort(stdout, 0); /* mode */
/* Finally, write out the data. */
+ overflow_add(cols/MAX_COUNT, 1);
+ overflow_add(cols, cols/MAX_COUNT+1);
outBuf = malloc((unsigned)(cols+cols/MAX_COUNT+1));
for (row = 0, oc = 0; row < rows; ++row) {
unsigned int rowSize;
Index: netpbm-10.98.2/converter/ppm/ppmtopj.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtopj.c
+++ netpbm-10.98.2/converter/ppm/ppmtopj.c
@@ -179,6 +179,7 @@ char *argv[];
pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
pm_close( ifp );
+ overflow2(cols,2);
obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
Index: netpbm-10.98.2/converter/ppm/ppmtopjxl.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtopjxl.c
+++ netpbm-10.98.2/converter/ppm/ppmtopjxl.c
@@ -266,6 +266,8 @@ main(int argc, const char * argv[]) {
pm_error("image too large; reduce with ppmscale");
if (maxval > PCL_MAXVAL)
pm_error("color range too large; reduce with ppmcscale");
+ if (cols < 0 || rows < 0)
+ pm_error("negative size is not possible");
/* Figure out the colormap. */
pm_message("Computing colormap...");
@@ -286,6 +288,8 @@ main(int argc, const char * argv[]) {
case 0: /* direct mode (no palette) */
bpp = bitsperpixel(maxval); /* bits per pixel */
bpg = bpp; bpb = bpp;
+ overflow2(bpp, 3);
+ overflow_add(bpp*3, 7);
bpp = (bpp*3+7)>>3; /* bytes per pixel now */
bpr = (bpp<<3)-bpg-bpb;
bpp *= cols; /* bytes per row now */
@@ -295,9 +299,13 @@ main(int argc, const char * argv[]) {
case 3: case 7: pclindex++;
default:
bpp = 8/pclindex;
+ overflow_add(cols, bpp);
+ if(bpp == 0)
+ pm_error("assert: no bpp");
bpp = (cols+bpp-1)/bpp; /* bytes per row */
}
}
+ overflow2(bpp,2);
inrow = (char *)malloc((unsigned)bpp);
outrow = (char *)malloc((unsigned)bpp*2);
runcnt = (signed char *)malloc((unsigned)bpp);
Index: netpbm-10.98.2/converter/ppm/ppmtowinicon.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtowinicon.c
+++ netpbm-10.98.2/converter/ppm/ppmtowinicon.c
@@ -12,6 +12,7 @@
#include <math.h>
#include <string.h>
+#include <stdlib.h>
#include "pm_c_util.h"
#include "winico.h"
@@ -214,6 +215,7 @@ createAndBitmap (gray ** const ba, int c
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
+ overflow2(xBytes, rows);
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
u1 * row;
@@ -342,6 +344,7 @@ create4Bitmap (pixel ** const pa, int co
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
+ overflow2(xBytes, rows);
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
@@ -402,6 +405,7 @@ create8Bitmap (pixel ** const pa, int co
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
+ overflow2(xBytes, rows);
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
@@ -709,6 +713,10 @@ addEntryToIcon(MS_Ico const MSIcon
entry->bitcount = bpp;
entry->ih = createInfoHeader(entry, xorBitmap, andBitmap);
entry->colors = palette->colors;
+ overflow2(4, entry->color_count);
+ overflow_add(xorBitmap->size, andBitmap->size);
+ overflow_add(xorBitmap->size + andBitmap->size, 40);
+ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count);
entry->size_in_bytes =
xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count);
if (verbose)
Index: netpbm-10.98.2/converter/ppm/ppmtoxpm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ppmtoxpm.c
+++ netpbm-10.98.2/converter/ppm/ppmtoxpm.c
@@ -198,6 +198,7 @@ genNumstr(unsigned int const input, int
unsigned int i;
/* Allocate memory for printed number. Abort if error. */
+ overflow_add(digits, 1);
if (!(str = (char *) malloc(digits + 1)))
pm_error("out of memory");
@@ -315,6 +316,7 @@ genCmap(colorhist_vector const chv,
unsigned int charsPerPixel;
unsigned int xpmMaxval;
+ if (includeTransparent) overflow_add(ncolors, 1);
MALLOCARRAY(cmap, cmapSize);
if (cmapP == NULL)
pm_error("Out of memory allocating %u bytes for a color map.",
Index: netpbm-10.98.2/converter/ppm/qrttoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/qrttoppm.c
+++ netpbm-10.98.2/converter/ppm/qrttoppm.c
@@ -46,7 +46,7 @@ main( argc, argv )
ppm_writeppminit( stdout, cols, rows, maxval, 0 );
pixelrow = ppm_allocrow( cols );
- buf = (unsigned char *) malloc( 3 * cols );
+ buf = (unsigned char *) malloc2( 3 , cols );
if ( buf == (unsigned char *) 0 )
pm_error( "out of memory" );
Index: netpbm-10.98.2/converter/ppm/sldtoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/sldtoppm.c
+++ netpbm-10.98.2/converter/ppm/sldtoppm.c
@@ -506,6 +506,8 @@ slider(slvecfn slvec,
/* Allocate image buffer and clear it to black. */
+ overflow_add(ixdots,1);
+ overflow_add(iydots,1);
pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1);
PPM_ASSIGN(rgbcolor, 0, 0, 0);
ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0,
Index: netpbm-10.98.2/converter/ppm/ximtoppm.c
===================================================================
--- netpbm-10.98.2.orig/converter/ppm/ximtoppm.c
+++ netpbm-10.98.2/converter/ppm/ximtoppm.c
@@ -147,6 +147,7 @@ ReadXimHeader(FILE * const in_fp,
if (header->nchannels == 3 && header->bits_channel == 8)
header->ncolors = 0;
else if (header->nchannels == 1 && header->bits_channel == 8) {
+ overflow2(header->ncolors, sizeof(Color));
header->colors = (Color *)calloc((unsigned int)header->ncolors,
sizeof(Color));
if (header->colors == NULL) {
Index: netpbm-10.98.2/editor/pamcut.c
===================================================================
--- netpbm-10.98.2.orig/editor/pamcut.c
+++ netpbm-10.98.2/editor/pamcut.c
@@ -799,6 +799,8 @@ cutOneImage(FILE * const ifP
outpam = inpam; /* Initial value -- most fields should be same */
outpam.file = ofP;
+ overflow_add(rightcol, 1);
+ overflow_add(bottomrow, 1);
outpam.width = rightcol - leftcol + 1;
outpam.height = bottomrow - toprow + 1;
Index: netpbm-10.98.2/editor/pbmreduce.c
===================================================================
--- netpbm-10.98.2.orig/editor/pbmreduce.c
+++ netpbm-10.98.2/editor/pbmreduce.c
@@ -153,6 +153,7 @@ initializeFloydSteinberg(struct FS * co
unsigned int col;
struct pm_randSt randSt;
+ overflow_add(newcols, 2);
MALLOCARRAY(fsP->thiserr, newcols + 2);
MALLOCARRAY(fsP->nexterr, newcols + 2);
Index: netpbm-10.98.2/editor/pnmgamma.c
===================================================================
--- netpbm-10.98.2.orig/editor/pnmgamma.c
+++ netpbm-10.98.2/editor/pnmgamma.c
@@ -596,6 +596,7 @@ createGammaTables(enum transferFunction
xelval ** const btableP) {
/* Allocate space for the tables. */
+ overflow_add(maxval, 1);
MALLOCARRAY(*rtableP, maxval+1);
MALLOCARRAY(*gtableP, maxval+1);
MALLOCARRAY(*btableP, maxval+1);
Index: netpbm-10.98.2/editor/pnmhisteq.c
===================================================================
--- netpbm-10.98.2.orig/editor/pnmhisteq.c
+++ netpbm-10.98.2/editor/pnmhisteq.c
@@ -107,6 +107,7 @@ computeLuminosityHistogram(xel * const *
unsigned int pixelCount;
unsigned int * lumahist;
+ overflow_add(maxval, 1);
MALLOCARRAY(lumahist, maxval + 1);
if (lumahist == NULL)
pm_error("Out of storage allocating array for %u histogram elements",
Index: netpbm-10.98.2/editor/pnmindex.csh
===================================================================
--- netpbm-10.98.2.orig/editor/pnmindex.csh
+++ netpbm-10.98.2/editor/pnmindex.csh
@@ -1,5 +1,8 @@
#!/bin/csh -f
#
+echo "Unsafe code, needs debugging, do not ship"
+exit 1
+#
# pnmindex - build a visual index of a bunch of anymaps
#
# Copyright (C) 1991 by Jef Poskanzer.
Index: netpbm-10.98.2/editor/pnmpad.c
===================================================================
--- netpbm-10.98.2.orig/editor/pnmpad.c
+++ netpbm-10.98.2/editor/pnmpad.c
@@ -654,6 +654,8 @@ main(int argc, const char ** argv) {
computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
+ overflow_add(cols, lpad);
+ overflow_add(cols + lpad, rpad);
newcols = cols + lpad + rpad;
if (cmdline.reportonly)
Index: netpbm-10.98.2/editor/pnmremap.c
===================================================================
--- netpbm-10.98.2.orig/editor/pnmremap.c
+++ netpbm-10.98.2/editor/pnmremap.c
@@ -469,7 +469,7 @@ fserr_init(struct pam * const pamP,
unsigned int plane;
unsigned int const fserrSize = pamP->width + 2;
-
+ overflow_add(pamP->width, 2);
fserrP->width = pamP->width;
MALLOCARRAY(fserrP->thiserr, pamP->depth);
@@ -508,6 +508,7 @@ floydInitRow(struct pam * const pamP,
unsigned int col;
+ overflow_add(pamP->width, 2);
for (col = 0; col < pamP->width + 2; ++col) {
unsigned int plane;
for (plane = 0; plane < pamP->depth; ++plane)
Index: netpbm-10.98.2/editor/pnmscalefixed.c
===================================================================
--- netpbm-10.98.2.orig/editor/pnmscalefixed.c
+++ netpbm-10.98.2/editor/pnmscalefixed.c
@@ -214,6 +214,8 @@ compute_output_dimensions(const struct c
const int rows, const int cols,
int * newrowsP, int * newcolsP) {
+ overflow2(rows, cols);
+
if (cmdline.pixels) {
if (rows * cols <= cmdline.pixels) {
*newrowsP = rows;
@@ -265,6 +267,8 @@ compute_output_dimensions(const struct c
if (*newcolsP < 1) *newcolsP = 1;
if (*newrowsP < 1) *newrowsP = 1;
+
+ overflow2(*newcolsP, *newrowsP);
}
@@ -446,6 +450,9 @@ main(int argc, char **argv ) {
unfilled. We can address that by stretching, whereas the other
case would require throwing away some of the input.
*/
+
+ overflow2(newcols, SCALE);
+ overflow2(newrows, SCALE);
sxscale = SCALE * newcols / cols;
syscale = SCALE * newrows / rows;
Index: netpbm-10.98.2/editor/pnmshear.c
===================================================================
--- netpbm-10.98.2.orig/editor/pnmshear.c
+++ netpbm-10.98.2/editor/pnmshear.c
@@ -15,6 +15,7 @@
#include <assert.h>
#include <math.h>
#include <string.h>
+#include <limits.h>
#include "pm_c_util.h"
#include "mallocvar.h"
@@ -235,6 +236,11 @@ main(int argc, const char * argv[]) {
shearfac = tan(cmdline.angle);
+ if(rows * shearfac >= INT_MAX-1)
+ pm_error("image too large");
+
+ overflow_add(rows * shearfac, cols+1);
+
newcolsD = (double) rows * fabs(shearfac) + cols + 0.999999;
if (newcolsD > INT_MAX-2)
pm_error("angle is too close to +/-90 degrees; "
Index: netpbm-10.98.2/editor/ppmdither.c
===================================================================
--- netpbm-10.98.2.orig/editor/ppmdither.c
+++ netpbm-10.98.2/editor/ppmdither.c
@@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower)
unsigned int const dithMatSize =
(dithDim * sizeof(*dithMat)) + /* pointers */
(dithDim * dithDim * sizeof(**dithMat)); /* data */
-
+
+ overflow2(dithDim, sizeof(*dithMat));
+ overflow3(dithDim, dithDim, sizeof(**dithMat));
+ overflow_add(dithDim * sizeof(*dithMat), dithDim * dithDim * sizeof(**dithMat));
+
dithMat = malloc(dithMatSize);
if (dithMat == NULL)
Index: netpbm-10.98.2/editor/specialty/pamoil.c
===================================================================
--- netpbm-10.98.2.orig/editor/specialty/pamoil.c
+++ netpbm-10.98.2/editor/specialty/pamoil.c
@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
pm_close(ifp);
+ overflow_add(inpam.maxval, 1);
MALLOCARRAY(hist, inpam.maxval + 1);
if (hist == NULL)
pm_error("Unable to allocate memory for histogram.");
Index: netpbm-10.98.2/generator/pbmtext.c
===================================================================
--- netpbm-10.98.2.orig/generator/pbmtext.c
+++ netpbm-10.98.2/generator/pbmtext.c
@@ -1144,6 +1144,7 @@ getText(PM_WCHAR const cmdli
"Cannot process",
lineCount, (unsigned int) MAXLINECHARS);
if (lineCount >= maxlines) {
+ overflow2(maxlines, 2);
maxlines *= 2;
REALLOCARRAY(textArray, maxlines);
if (textArray == NULL)
@@ -1184,6 +1185,7 @@ computeMargins(struct CmdlineInfo const
*hmarginP = fontP->maxwidth;
} else {
*vmarginP = fontP->maxheight;
+ overflow2(2, fontP->maxwidth);
*hmarginP = 2 * fontP->maxwidth;
}
}
Index: netpbm-10.98.2/generator/pgmkernel.c
===================================================================
--- netpbm-10.98.2.orig/generator/pgmkernel.c
+++ netpbm-10.98.2/generator/pgmkernel.c
@@ -214,6 +214,7 @@ main(int argc, const char * argv[]) {
/* Output matrix is symmetric vertically and horizontally. */
+ overflow_add(cmdline.rows, 1);
arows = (cmdline.rows + 1) / 2;
/* Half the number of rows. Add 1 if odd. */
halfKernel = pgm_allocarray(cmdline.cols, arows);
Index: netpbm-10.98.2/lib/libpammap.c
===================================================================
--- netpbm-10.98.2.orig/lib/libpammap.c
+++ netpbm-10.98.2/lib/libpammap.c
@@ -108,6 +108,8 @@ allocTupleIntListItem(struct pam * const
*/
struct tupleint_list_item * retval;
+ overflow2(pamP->depth, sizeof(sample));
+ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample));
unsigned int const size =
sizeof(*retval) - sizeof(retval->tupleint.tuple)
+ pamP->depth * sizeof(sample);
Index: netpbm-10.98.2/lib/libpbm1.c
===================================================================
--- netpbm-10.98.2.orig/lib/libpbm1.c
+++ netpbm-10.98.2/lib/libpbm1.c
@@ -79,6 +79,7 @@ pbm_check(FILE * const fil
} else {
pm_filepos const bytesPerRow = (cols+7)/8;
pm_filepos const needRasterSize = rows * bytesPerRow;
+ overflow2(bytesPerRow, rows);
pm_check(fileP, checkType, needRasterSize, retvalP);
}
}
Index: netpbm-10.98.2/lib/libpm.c
===================================================================
--- netpbm-10.98.2.orig/lib/libpm.c
+++ netpbm-10.98.2/lib/libpm.c
@@ -892,4 +892,53 @@ pm_parse_height(const char * const arg)
}
+/*
+ * Maths wrapping
+ */
+
+void __overflow2(int a, int b)
+{
+ if(a < 0 || b < 0)
+ pm_error("object too large");
+ if(b == 0)
+ return;
+ if(a > INT_MAX / b)
+ pm_error("object too large");
+}
+
+void overflow3(int a, int b, int c)
+{
+ overflow2(a,b);
+ overflow2(a*b, c);
+}
+
+void overflow_add(int a, int b)
+{
+ if( a > INT_MAX - b)
+ pm_error("object too large");
+}
+
+void *malloc2(int a, int b)
+{
+ overflow2(a, b);
+ if(a*b == 0)
+ pm_error("Zero byte allocation");
+ return malloc(a*b);
+}
+
+void *malloc3(int a, int b, int c)
+{
+ overflow3(a, b, c);
+ if(a*b*c == 0)
+ pm_error("Zero byte allocation");
+ return malloc(a*b*c);
+}
+
+void *realloc2(void * a, int b, int c)
+{
+ overflow2(b, c);
+ if(b*c == 0)
+ pm_error("Zero byte allocation");
+ return realloc(a, b*c);
+}
Index: netpbm-10.98.2/lib/pm.h
===================================================================
--- netpbm-10.98.2.orig/lib/pm.h
+++ netpbm-10.98.2/lib/pm.h
@@ -445,4 +445,11 @@ pm_parse_height(const char * const arg);
#endif
+void *malloc2(int, int);
+void *malloc3(int, int, int);
+#define overflow2(a,b) __overflow2(a,b)
+void __overflow2(int, int);
+void overflow3(int, int, int);
+void overflow_add(int, int);
+
#endif
Index: netpbm-10.98.2/other/pnmcolormap.c
===================================================================
--- netpbm-10.98.2.orig/other/pnmcolormap.c
+++ netpbm-10.98.2/other/pnmcolormap.c
@@ -1002,6 +1002,7 @@ colormapToSquare(struct pam * const pamP
pamP->width = intsqrt;
else
pamP->width = intsqrt + 1;
+ overflow_add(intsqrt, 1);
}
{
unsigned int const intQuotient = colormap.size / pamP->width;
Index: netpbm-10.98.2/urt/rle_addhist.c
===================================================================
--- netpbm-10.98.2.orig/urt/rle_addhist.c
+++ netpbm-10.98.2/urt/rle_addhist.c
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_addhist.c - Add to the HISTORY comment in header
@@ -70,13 +72,19 @@ rle_addhist(char * argv[],
return;
length = 0;
- for (i = 0; argv[i]; ++i)
+ for (i = 0; argv[i]; ++i) {
+ overflow_add(length, strlen(argv[i]));
+ overflow_add(length+1, strlen(argv[i]));
length += strlen(argv[i]) +1; /* length of each arg plus space. */
+ }
time(&temp);
timedate = ctime(&temp);
length += strlen(timedate); /* length of date and time in ASCII. */
+ overflow_add(strlen(padding), 4);
+ overflow_add(strlen(histoire), strlen(padding) + 4);
+ overflow_add(length, strlen(histoire) + strlen(padding) + 4);
length += strlen(padding) + 3 + strlen(histoire) + 1;
/* length of padding, "on " and length of history name plus "="*/
if (in_hdr) /* if we are interested in the old comments... */
@@ -84,9 +92,12 @@ rle_addhist(char * argv[],
else
old = NULL;
- if (old && *old)
+ if (old && *old) {
+ overflow_add(length, strlen(old));
length += strlen(old); /* add length if there. */
+ }
+ overflow_add(length, 1);
++length; /*Cater for the null. */
MALLOCARRAY(newc, length);
Index: netpbm-10.98.2/urt/rle_getrow.c
===================================================================
--- netpbm-10.98.2.orig/urt/rle_getrow.c
+++ netpbm-10.98.2/urt/rle_getrow.c
@@ -17,6 +17,8 @@
*
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
* to have all "void" functions so declared.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_getrow.c - Read an RLE file in.
@@ -164,6 +166,7 @@ rle_get_setup(rle_hdr * const the_hdr) {
char * cp;
VAXSHORT(comlen, infile); /* get comment length */
+ overflow_add(comlen, 1);
evenlen = (comlen + 1) & ~1; /* make it even */
if (evenlen) {
MALLOCARRAY(comment_buf, evenlen);
Index: netpbm-10.98.2/urt/rle_hdr.c
===================================================================
--- netpbm-10.98.2.orig/urt/rle_hdr.c
+++ netpbm-10.98.2/urt/rle_hdr.c
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_hdr.c - Functions to manipulate rle_hdr structures.
@@ -148,7 +150,7 @@ rle_hdr_cp(rle_hdr * const fromHdrP,
if (toHdrP->cmap) {
size_t const size =
toHdrP->ncmap * (1 << toHdrP->cmaplen) * sizeof(rle_map);
- toHdrP->cmap = malloc(size);
+ toHdrP->cmap = (rle_map *)malloc3( toHdrP->ncmap, 1<<toHdrP->cmaplen, sizeof(rle_map));
if (!toHdrP->cmap)
pm_error("Failed to allocate memory for %u color maps "
"of length %u", toHdrP->ncmap, 1 << toHdrP->cmaplen);
@@ -164,11 +166,16 @@ rle_hdr_cp(rle_hdr * const fromHdrP,
/* Count the comments. */
for (cp = toHdrP->comments, size = 0; *cp; ++cp)
+ {
+ overflow_add(size, 1);
++size;
+ }
/* Check if there are really any comments. */
if (size > 0) {
+ overflow_add(size, 1);
++size; /* Copy the NULL pointer, too. */
+ overflow2(size, sizeof(char *));
size *= sizeof(char *);
toHdrP->comments = malloc(size);
if (!toHdrP->comments)
Index: netpbm-10.98.2/urt/rle.h
===================================================================
--- netpbm-10.98.2.orig/urt/rle.h
+++ netpbm-10.98.2/urt/rle.h
@@ -14,6 +14,9 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ * Header declarations needed
*/
/*
* rle.h - Global declarations for Utah Raster Toolkit RLE programs.
@@ -152,6 +155,17 @@ rle_hdr /* End of typedef. *
*/
extern rle_hdr rle_dflt_hdr;
+/*
+ * Provided by pm library
+ */
+
+extern void overflow_add(int, int);
+#define overflow2(a,b) __overflow2(a,b)
+extern void __overflow2(int, int);
+extern void overflow3(int, int, int);
+extern void *malloc2(int, int);
+extern void *malloc3(int, int, int);
+extern void *realloc2(void *, int, int);
/* Declare RLE library routines. */
Index: netpbm-10.98.2/urt/rle_open_f.c
===================================================================
--- netpbm-10.98.2.orig/urt/rle_open_f.c
+++ netpbm-10.98.2/urt/rle_open_f.c
@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const f
FILE ** const fpP,
bool * const noSubprocessP,
const char ** const errorP) {
-
-#ifdef NO_OPEN_PIPES
*noSubprocessP = TRUE;
-#else
- const char *cp;
-
- reapChildren(catchingChildrenP, pids);
-
- /* Real file, not stdin or stdout. If name ends in ".Z",
- * pipe from/to un/compress (depending on r/w mode).
- *
- * If it starts with "|", popen that command.
- */
-
- cp = file_name + strlen(file_name) - 2;
- /* Pipe case. */
- if (file_name[0] == '|') {
- pid_t thepid; /* PID from my_popen */
-
- *noSubprocessP = FALSE;
-
- *fpP = my_popen(file_name + 1, mode, &thepid);
- if (*fpP == NULL)
- *errorP = "%s: can't invoke <<%s>> for %s: ";
- else {
- /* One more child to catch, eventually. */
- if (*catchingChildrenP < MAX_CHILDREN)
- pids[(*catchingChildrenP)++] = thepid;
- }
- } else if (cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) {
- /* Compress case. */
- pid_t thepid; /* PID from my_popen. */
- const char * command;
-
- *noSubprocessP = FALSE;
-
- if (*mode == 'w')
- pm_asprintf(&command, "compress > %s", file_name);
- else if (*mode == 'a')
- pm_asprintf(&command, "compress >> %s", file_name);
- else
- pm_asprintf(&command, "compress -d < %s", file_name);
-
- *fpP = my_popen(command, mode, &thepid);
-
- if (*fpP == NULL)
- *errorP = "%s: can't invoke 'compress' program, "
- "trying to open %s for %s";
- else {
- /* One more child to catch, eventually. */
- if (*catchingChildrenP < MAX_CHILDREN)
- pids[(*catchingChildrenP)++] = thepid;
- }
- pm_strfree(command);
- } else {
- *noSubprocessP = TRUE;
- *errorP = NULL;
- }
-#endif
}
Index: netpbm-10.98.2/urt/rle_putcom.c
===================================================================
--- netpbm-10.98.2.orig/urt/rle_putcom.c
+++ netpbm-10.98.2/urt/rle_putcom.c
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_putcom.c - Add a picture comment to the header struct.
@@ -98,12 +100,14 @@ rle_putcom(const char * const value,
const char * v;
const char ** old_comments;
int i;
- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp)
+ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) {
+ overflow_add(i, 1);
if (match(value, *cp) != NULL) {
v = *cp;
*cp = value;
return v;
}
+ }
/* Not found */
/* Can't realloc because somebody else might be pointing to this
* comments block. Of course, if this were true, then the
Index: netpbm-10.98.2/urt/Runput.c
===================================================================
--- netpbm-10.98.2.orig/urt/Runput.c
+++ netpbm-10.98.2/urt/Runput.c
@@ -17,6 +17,8 @@
*
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
* to have all "void" functions so declared.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* Runput.c - General purpose Run Length Encoding.
@@ -202,9 +204,10 @@ RunSetup(rle_hdr * the_hdr)
if ( the_hdr->background != 0 )
{
int i;
- rle_pixel *background =
- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
+ rle_pixel *background;
int *bg_color;
+ overflow_add(the_hdr->ncolors,1);
+ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
/*
* If even number of bg color bytes, put out one more to get to
* 16 bit boundary.
@@ -224,7 +227,7 @@ RunSetup(rle_hdr * the_hdr)
/* Big-endian machines are harder */
int i, nmap = (1 << the_hdr->cmaplen) *
the_hdr->ncmap;
- char *h_cmap = (char *)malloc( nmap * 2 );
+ char *h_cmap = (char *)malloc2( nmap, 2 );
if ( h_cmap == NULL )
{
fprintf( stderr,
Index: netpbm-10.98.2/lib/libpam.c
===================================================================
--- netpbm-10.98.2.orig/lib/libpam.c
+++ netpbm-10.98.2/lib/libpam.c
@@ -230,7 +230,8 @@ allocPamRow(const struct pam * const pam
unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample);
tuple * tuplerow;
- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple));
+ overflow_add(sizeof(tuple *), bytesPerTuple);
+ tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple));
if (tuplerow != NULL) {
/* Now we initialize the pointers to the individual tuples
Reference in New Issue View Git Blame Copy Permalink