void-packages/srcpkgs/netpbm/files/netpbm-security-code.patch

diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c
--- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code	2012-04-09 15:31:40.000000000 +0200
+++ netpbm-10.58.01/converter/other/jpegtopnm.c	2012-04-09 15:40:03.184620028 +0200
@@ -861,6 +861,8 @@ convertImage(FILE *
     /* Calculate output image dimensions so we can allocate space */
     jpeg_calc_output_dimensions(cinfoP);
 
+    overflow2(cinfoP->output_width, cinfoP->output_components);
+
     /* Start decompressor */
     jpeg_start_decompress(cinfoP);
 
diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c
--- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code	2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/pnmtoddif.c	2012-04-09 15:40:03.185620015 +0200
@@ -632,6 +632,7 @@ main(int argc, char *argv[]) {
     switch (PNM_FORMAT_TYPE(format)) {
     case PBM_TYPE:
         ip.bits_per_pixel = 1;
+        overflow_add(cols, 7);
         ip.bytes_per_line = (cols + 7) / 8;
         ip.spectral = 2;
         ip.components = 1;
@@ -647,6 +648,7 @@ main(int argc, char *argv[]) {
         ip.polarity = 2;
         break;
     case PPM_TYPE:
+        overflow2(cols, 3);
         ip.bytes_per_line = 3 * cols;
         ip.bits_per_pixel = 24;
         ip.spectral = 5;
diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c
--- netpbm-10.58.01/converter/other/pnmtorle.c.security-code	2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/pnmtorle.c	2012-04-09 15:40:03.188619976 +0200
@@ -19,6 +19,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /*
  * pnmtorle - A program which will convert pbmplus (ppm or pgm) images
diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c
--- netpbm-10.58.01/converter/other/rletopnm.c.security-code	2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/rletopnm.c	2012-04-09 15:40:03.189619963 +0200
@@ -19,6 +19,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /*
  * rletopnm - A conversion program to convert from Utah's "rle" image format
diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c
--- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code	2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtogem.c	2012-04-09 15:40:03.193619915 +0200
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
   bitsperitem = 0;
   bitshift = 7;
   outcol = 0;
+  overflow_add(cols, 7);
   outmax = (cols + 7) / 8;
   outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
   lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c
--- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code	2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtogo.c	2012-04-09 15:40:03.193619915 +0200
@@ -158,6 +158,7 @@ main(int           argc,
     bitrow = pbm_allocrow(cols);
 
     /* Round cols up to the nearest multiple of 8. */
+    overflow_add(cols, 7);
     rucols = ( cols + 7 ) / 8;
     bytesperrow = rucols;       /* GraphOn uses bytes */
     rucols = rucols * 8;
diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c
--- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code	2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtolj.c	2012-04-09 15:40:03.194619902 +0200
@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
 static void
 allocateBuffers(unsigned int const cols) {
 
+    overflow_add(cols, 8);
     rowBufferSize = (cols + 7) / 8;
+    overflow_add(rowBufferSize, 128);
+    overflow_add(rowBufferSize, rowBufferSize+128);
+    overflow_add(rowBufferSize+10, rowBufferSize/8);
     packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
     deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
 
diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c
--- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code	2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtomda.c	2012-04-09 15:40:03.195619889 +0200
@@ -179,6 +179,7 @@ int main(int argc, char **argv)
     
     nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
 
+    overflow_add(nOutRowsUnrounded, 3);
     nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
         /* MDA wants rows a multiple of 4 */   
     nOutCols = nInCols / 8;
diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c
--- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code	2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c	2012-04-09 15:40:03.196619876 +0200
@@ -335,6 +335,8 @@ convertRaster(FILE *          const ifP,
 
     unsigned char * bitrow;
     unsigned int row;
+    
+    overflow_add(cols, padright);
 
     putinit(xbmVersion);
 
diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile
--- netpbm-10.58.01/converter/ppm/Makefile.security-code	2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/Makefile	2012-04-09 15:40:03.202619802 +0200
@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
 
 PORTBINARIES =	411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
 		leaftoppm mtvtoppm neotoppm \
-		pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
+		pcxtoppm pc1toppm pi1toppm pjtoppm \
 		ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
 		ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
 		ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c
--- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code	2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/picttoppm.c	2012-04-09 15:40:03.205619763 +0200
@@ -1,3 +1,5 @@
+#error "Unfixable. Don't ship me"
+
 /*
  * picttoppm.c -- convert a MacIntosh PICT file to PPM format.
  *
diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c
--- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code	2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c	2012-04-09 15:40:03.206619751 +0200
@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
 
     int index;
 
+    overflow_add(maxval, 1);
     MALLOCARRAY_NOFAIL(mult299   , maxval+1);
     MALLOCARRAY_NOFAIL(mult587   , maxval+1);
     MALLOCARRAY_NOFAIL(mult114   , maxval+1);
diff -up netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoilbm.c
--- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code	2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c	2012-04-09 15:40:03.208619727 +0200
@@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval)
 
     maskmethod = 0;     /* no masking - RGB8 uses genlock bits */
     compmethod = 4;     /* RGB8 files are always compressed */
+    overflow2(cols, 4);
     MALLOCARRAY_NOFAIL(compr_row, cols * 4);
 
     if( maxval != 255 ) {
@@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval)
 
     maskmethod = 0;     /* no masking - RGBN uses genlock bits */
     compmethod = 4;     /* RGBN files are always compressed */
+    overflow2(cols, 2);
     MALLOCARRAY_NOFAIL(compr_row, cols * 2);
 
     if( maxval != 15 ) {
diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.01/converter/ppm/ppmtomitsu.c
--- netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code	2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtomitsu.c	2012-04-09 15:40:03.210619702 +0200
@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
         medias = MSize_User;
 
     if (dpi300) {
+        overflow2(medias.maxcols, 2);
+        overflow2(medias.maxrows, 2);
         medias.maxcols *= 2;
         medias.maxrows *= 2;
     }
diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c
--- netpbm-10.58.01/editor/pnmgamma.c.security-code	2012-04-09 15:31:34.000000000 +0200
+++ netpbm-10.58.01/editor/pnmgamma.c	2012-04-09 15:40:03.220619577 +0200
@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction
                   xelval **             const btableP) {
 
     /* Allocate space for the tables. */
+    overflow_add(maxval, 1);
     MALLOCARRAY(*rtableP, maxval+1);
     MALLOCARRAY(*gtableP, maxval+1);
     MALLOCARRAY(*btableP, maxval+1);
diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c
--- netpbm-10.58.01/editor/pnmhisteq.c.security-code	2012-04-09 15:31:33.000000000 +0200
+++ netpbm-10.58.01/editor/pnmhisteq.c	2012-04-09 15:40:03.220619577 +0200
@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const *
     unsigned int pixelCount;
     unsigned int * lumahist;
 
+    overflow_add(maxval, 1);
     MALLOCARRAY(lumahist, maxval + 1);
     if (lumahist == NULL)
         pm_error("Out of storage allocating array for %u histogram elements",
diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c
--- netpbm-10.58.01/editor/pnmpad.c.security-code	2012-04-09 15:31:34.000000000 +0200
+++ netpbm-10.58.01/editor/pnmpad.c	2012-04-09 15:40:03.221619564 +0200
@@ -527,6 +527,8 @@ main(int argc, const char ** argv) {
 
     computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
 
+    overflow_add(cols, lpad);
+    overflow_add(cols + lpad, rpad);
     newcols = cols + lpad + rpad;
 
     if (PNM_FORMAT_TYPE(format) == PBM_TYPE)
diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c
--- netpbm-10.58.01/editor/specialty/pamoil.c.security-code	2012-04-09 15:31:33.000000000 +0200
+++ netpbm-10.58.01/editor/specialty/pamoil.c	2012-04-09 15:40:03.224619526 +0200
@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
     tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
     pm_close(ifp);
 
+    overflow_add(inpam.maxval, 1);
     MALLOCARRAY(hist, inpam.maxval + 1);
     if (hist == NULL)
         pm_error("Unable to allocate memory for histogram.");
diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c
--- netpbm-10.58.01/lib/libpm.c.security-code	2012-04-09 15:31:38.000000000 +0200
+++ netpbm-10.58.01/lib/libpm.c	2012-04-09 15:40:03.229619464 +0200
@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg)
 }
 
 
+/*
+ *	Maths wrapping
+ */
+ 
+void __overflow2(int a, int b)
+{
+	if(a < 0 || b < 0)
+		pm_error("object too large");
+	if(b == 0)
+		return;
+	if(a > INT_MAX / b)
+		pm_error("object too large");
+}
+
+void overflow3(int a, int b, int c)
+{
+	overflow2(a,b);
+	overflow2(a*b, c);
+}
+
+void overflow_add(int a, int b)
+{
+	if( a > INT_MAX - b)
+		pm_error("object too large");
+}
+
+void *malloc2(int a, int b)
+{
+	overflow2(a, b);
+	if(a*b == 0)
+		pm_error("Zero byte allocation");
+	return malloc(a*b);
+}
+
+void *malloc3(int a, int b, int c)
+{
+	overflow3(a, b, c);
+	if(a*b*c == 0)
+		pm_error("Zero byte allocation");
+	return malloc(a*b*c);
+}
+
+void *realloc2(void * a, int b, int c)
+{
+	overflow2(b, c);
+	if(b*c == 0)
+		pm_error("Zero byte allocation");
+	return realloc(a, b*c);
+}
 
diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h
--- netpbm-10.58.01/lib/pm.h.security-code	2012-04-09 15:31:38.000000000 +0200
+++ netpbm-10.58.01/lib/pm.h	2012-04-09 15:40:03.229619464 +0200
@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg);
 #endif
 
 
+void *malloc2(int, int);
+void *malloc3(int, int, int);
+#define overflow2(a,b) __overflow2(a,b)
+void __overflow2(int, int);
+void overflow3(int, int, int);
+void overflow_add(int, int);
+
 #endif
diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c
--- netpbm-10.58.01/other/pnmcolormap.c.security-code	2012-04-09 15:31:32.000000000 +0200
+++ netpbm-10.58.01/other/pnmcolormap.c	2012-04-09 15:40:03.230619451 +0200
@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP
             pamP->width = intsqrt;
         else 
             pamP->width = intsqrt + 1;
+            overflow_add(intsqrt, 1);
     }
     {
         unsigned int const intQuotient = colormap.size / pamP->width;
diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h
--- netpbm-10.58.01/urt/rle.h.security-code	2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/urt/rle.h	2012-04-09 15:40:03.233619414 +0200
@@ -14,6 +14,9 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ *  Header declarations needed
  */
 /* 
  * rle.h - Global declarations for Utah Raster Toolkit RLE programs.
@@ -160,6 +163,17 @@ rle_hdr             /* End of typedef. *
  */
 extern rle_hdr rle_dflt_hdr;
 
+/* 
+ * Provided by pm library
+ */
+ 
+extern void overflow_add(int, int);
+#define overflow2(a,b) __overflow2(a,b)
+extern void __overflow2(int, int);
+extern void overflow3(int, int, int);
+extern void *malloc2(int, int);
+extern void *malloc3(int, int, int);
+extern void *realloc2(void *, int, int);
 
 /* Declare RLE library routines. */
 
--- netpbm-10.58.01/lib/libpbm1.c.orig	2014-06-16 21:12:28.499230631 -0400
+++ netpbm-10.58.01/lib/libpbm1.c	2014-06-16 21:12:55.932519324 -0400
@@ -78,6 +78,7 @@
     } else {        
         pm_filepos const bytesPerRow    = (cols+7)/8;
         pm_filepos const needRasterSize = rows * bytesPerRow;
+        overflow2(bytesPerRow, rows);
         pm_check(fileP, checkType, needRasterSize, retvalP);
     }
 }
--- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig	2014-06-16 21:23:40.061473868 -0400
+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c	2014-06-16 21:23:44.701466379 -0400
@@ -185,6 +185,7 @@
     unsigned int i;
     int * table;
 
+    overflow_add(oldmaxval, 1);
     MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
     for (i = 0; i <= oldmaxval; ++i)
         table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
--- netpbm-10.58.01/converter/other/sgitopnm.c.orig	2014-07-08 16:57:30.878754976 -0400
+++ netpbm-10.58.01/converter/other/sgitopnm.c	2014-07-08 17:07:52.727745725 -0400
@@ -372,10 +372,14 @@
         MALLOCARRAY_NOFAIL(image, head->ysize);
     } else {
         maxchannel = 3;
+	overflow2(head->ysize, maxchannel);
         MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
     }
-    if (table)
+    if (table) {
+        overflow2(head->xsize, 2);
+        overflow_add(head->xsize*2, 2);
         MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
+    }
 
     for (channel = 0; channel < maxchannel; ++channel) {
         unsigned int row;