388 lines
16 KiB
Diff
388 lines
16 KiB
Diff
diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c
|
|
--- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200
|
|
@@ -861,6 +861,8 @@ convertImage(FILE *
|
|
/* Calculate output image dimensions so we can allocate space */
|
|
jpeg_calc_output_dimensions(cinfoP);
|
|
|
|
+ overflow2(cinfoP->output_width, cinfoP->output_components);
|
|
+
|
|
/* Start decompressor */
|
|
jpeg_start_decompress(cinfoP);
|
|
|
|
diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c
|
|
--- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200
|
|
@@ -632,6 +632,7 @@ main(int argc, char *argv[]) {
|
|
switch (PNM_FORMAT_TYPE(format)) {
|
|
case PBM_TYPE:
|
|
ip.bits_per_pixel = 1;
|
|
+ overflow_add(cols, 7);
|
|
ip.bytes_per_line = (cols + 7) / 8;
|
|
ip.spectral = 2;
|
|
ip.components = 1;
|
|
@@ -647,6 +648,7 @@ main(int argc, char *argv[]) {
|
|
ip.polarity = 2;
|
|
break;
|
|
case PPM_TYPE:
|
|
+ overflow2(cols, 3);
|
|
ip.bytes_per_line = 3 * cols;
|
|
ip.bits_per_pixel = 24;
|
|
ip.spectral = 5;
|
|
diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c
|
|
--- netpbm-10.58.01/converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200
|
|
@@ -19,6 +19,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* pnmtorle - A program which will convert pbmplus (ppm or pgm) images
|
|
diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c
|
|
--- netpbm-10.58.01/converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200
|
|
@@ -19,6 +19,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* rletopnm - A conversion program to convert from Utah's "rle" image format
|
|
diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c
|
|
--- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200
|
|
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
|
|
bitsperitem = 0;
|
|
bitshift = 7;
|
|
outcol = 0;
|
|
+ overflow_add(cols, 7);
|
|
outmax = (cols + 7) / 8;
|
|
outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
|
|
lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
|
|
diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c
|
|
--- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200
|
|
@@ -158,6 +158,7 @@ main(int argc,
|
|
bitrow = pbm_allocrow(cols);
|
|
|
|
/* Round cols up to the nearest multiple of 8. */
|
|
+ overflow_add(cols, 7);
|
|
rucols = ( cols + 7 ) / 8;
|
|
bytesperrow = rucols; /* GraphOn uses bytes */
|
|
rucols = rucols * 8;
|
|
diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c
|
|
--- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200
|
|
@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
|
|
static void
|
|
allocateBuffers(unsigned int const cols) {
|
|
|
|
+ overflow_add(cols, 8);
|
|
rowBufferSize = (cols + 7) / 8;
|
|
+ overflow_add(rowBufferSize, 128);
|
|
+ overflow_add(rowBufferSize, rowBufferSize+128);
|
|
+ overflow_add(rowBufferSize+10, rowBufferSize/8);
|
|
packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
|
|
deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
|
|
|
|
diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c
|
|
--- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200
|
|
@@ -179,6 +179,7 @@ int main(int argc, char **argv)
|
|
|
|
nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
|
|
|
|
+ overflow_add(nOutRowsUnrounded, 3);
|
|
nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
|
|
/* MDA wants rows a multiple of 4 */
|
|
nOutCols = nInCols / 8;
|
|
diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c
|
|
--- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200
|
|
@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP,
|
|
|
|
unsigned char * bitrow;
|
|
unsigned int row;
|
|
+
|
|
+ overflow_add(cols, padright);
|
|
|
|
putinit(xbmVersion);
|
|
|
|
diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile
|
|
--- netpbm-10.58.01/converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200
|
|
@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
|
|
|
|
PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
|
|
leaftoppm mtvtoppm neotoppm \
|
|
- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
|
|
+ pcxtoppm pc1toppm pi1toppm pjtoppm \
|
|
ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
|
|
ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
|
|
ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
|
|
diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c
|
|
--- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+#error "Unfixable. Don't ship me"
|
|
+
|
|
/*
|
|
* picttoppm.c -- convert a MacIntosh PICT file to PPM format.
|
|
*
|
|
diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c
|
|
--- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200
|
|
@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
|
|
|
|
int index;
|
|
|
|
+ overflow_add(maxval, 1);
|
|
MALLOCARRAY_NOFAIL(mult299 , maxval+1);
|
|
MALLOCARRAY_NOFAIL(mult587 , maxval+1);
|
|
MALLOCARRAY_NOFAIL(mult114 , maxval+1);
|
|
diff -up netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoilbm.c
|
|
--- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2012-04-09 15:40:03.208619727 +0200
|
|
@@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval)
|
|
|
|
maskmethod = 0; /* no masking - RGB8 uses genlock bits */
|
|
compmethod = 4; /* RGB8 files are always compressed */
|
|
+ overflow2(cols, 4);
|
|
MALLOCARRAY_NOFAIL(compr_row, cols * 4);
|
|
|
|
if( maxval != 255 ) {
|
|
@@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval)
|
|
|
|
maskmethod = 0; /* no masking - RGBN uses genlock bits */
|
|
compmethod = 4; /* RGBN files are always compressed */
|
|
+ overflow2(cols, 2);
|
|
MALLOCARRAY_NOFAIL(compr_row, cols * 2);
|
|
|
|
if( maxval != 15 ) {
|
|
diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.01/converter/ppm/ppmtomitsu.c
|
|
--- netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ netpbm-10.58.01/converter/ppm/ppmtomitsu.c 2012-04-09 15:40:03.210619702 +0200
|
|
@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
|
|
medias = MSize_User;
|
|
|
|
if (dpi300) {
|
|
+ overflow2(medias.maxcols, 2);
|
|
+ overflow2(medias.maxrows, 2);
|
|
medias.maxcols *= 2;
|
|
medias.maxrows *= 2;
|
|
}
|
|
diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pamcut.c
|
|
--- netpbm-10.58.01/editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ netpbm-10.58.01/editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200
|
|
@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP
|
|
|
|
outpam = inpam; /* Initial value -- most fields should be same */
|
|
outpam.file = ofP;
|
|
+ overflow_add(rightcol, 1);
|
|
+ overflow_add(bottomrow, 1);
|
|
outpam.width = rightcol - leftcol + 1;
|
|
outpam.height = bottomrow - toprow + 1;
|
|
|
|
diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c
|
|
--- netpbm-10.58.01/editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ netpbm-10.58.01/editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200
|
|
@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction
|
|
xelval ** const btableP) {
|
|
|
|
/* Allocate space for the tables. */
|
|
+ overflow_add(maxval, 1);
|
|
MALLOCARRAY(*rtableP, maxval+1);
|
|
MALLOCARRAY(*gtableP, maxval+1);
|
|
MALLOCARRAY(*btableP, maxval+1);
|
|
diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c
|
|
--- netpbm-10.58.01/editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ netpbm-10.58.01/editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200
|
|
@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const *
|
|
unsigned int pixelCount;
|
|
unsigned int * lumahist;
|
|
|
|
+ overflow_add(maxval, 1);
|
|
MALLOCARRAY(lumahist, maxval + 1);
|
|
if (lumahist == NULL)
|
|
pm_error("Out of storage allocating array for %u histogram elements",
|
|
diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c
|
|
--- netpbm-10.58.01/editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ netpbm-10.58.01/editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200
|
|
@@ -527,6 +527,8 @@ main(int argc, const char ** argv) {
|
|
|
|
computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
|
|
|
|
+ overflow_add(cols, lpad);
|
|
+ overflow_add(cols + lpad, rpad);
|
|
newcols = cols + lpad + rpad;
|
|
|
|
if (PNM_FORMAT_TYPE(format) == PBM_TYPE)
|
|
diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c
|
|
--- netpbm-10.58.01/editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ netpbm-10.58.01/editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200
|
|
@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
|
|
tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
|
|
pm_close(ifp);
|
|
|
|
+ overflow_add(inpam.maxval, 1);
|
|
MALLOCARRAY(hist, inpam.maxval + 1);
|
|
if (hist == NULL)
|
|
pm_error("Unable to allocate memory for histogram.");
|
|
diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c
|
|
--- netpbm-10.58.01/lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200
|
|
+++ netpbm-10.58.01/lib/libpm.c 2012-04-09 15:40:03.229619464 +0200
|
|
@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg)
|
|
}
|
|
|
|
|
|
+/*
|
|
+ * Maths wrapping
|
|
+ */
|
|
+
|
|
+void __overflow2(int a, int b)
|
|
+{
|
|
+ if(a < 0 || b < 0)
|
|
+ pm_error("object too large");
|
|
+ if(b == 0)
|
|
+ return;
|
|
+ if(a > INT_MAX / b)
|
|
+ pm_error("object too large");
|
|
+}
|
|
+
|
|
+void overflow3(int a, int b, int c)
|
|
+{
|
|
+ overflow2(a,b);
|
|
+ overflow2(a*b, c);
|
|
+}
|
|
+
|
|
+void overflow_add(int a, int b)
|
|
+{
|
|
+ if( a > INT_MAX - b)
|
|
+ pm_error("object too large");
|
|
+}
|
|
+
|
|
+void *malloc2(int a, int b)
|
|
+{
|
|
+ overflow2(a, b);
|
|
+ if(a*b == 0)
|
|
+ pm_error("Zero byte allocation");
|
|
+ return malloc(a*b);
|
|
+}
|
|
+
|
|
+void *malloc3(int a, int b, int c)
|
|
+{
|
|
+ overflow3(a, b, c);
|
|
+ if(a*b*c == 0)
|
|
+ pm_error("Zero byte allocation");
|
|
+ return malloc(a*b*c);
|
|
+}
|
|
+
|
|
+void *realloc2(void * a, int b, int c)
|
|
+{
|
|
+ overflow2(b, c);
|
|
+ if(b*c == 0)
|
|
+ pm_error("Zero byte allocation");
|
|
+ return realloc(a, b*c);
|
|
+}
|
|
|
|
diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h
|
|
--- netpbm-10.58.01/lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200
|
|
+++ netpbm-10.58.01/lib/pm.h 2012-04-09 15:40:03.229619464 +0200
|
|
@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg);
|
|
#endif
|
|
|
|
|
|
+void *malloc2(int, int);
|
|
+void *malloc3(int, int, int);
|
|
+#define overflow2(a,b) __overflow2(a,b)
|
|
+void __overflow2(int, int);
|
|
+void overflow3(int, int, int);
|
|
+void overflow_add(int, int);
|
|
+
|
|
#endif
|
|
diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c
|
|
--- netpbm-10.58.01/other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200
|
|
+++ netpbm-10.58.01/other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200
|
|
@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP
|
|
pamP->width = intsqrt;
|
|
else
|
|
pamP->width = intsqrt + 1;
|
|
+ overflow_add(intsqrt, 1);
|
|
}
|
|
{
|
|
unsigned int const intQuotient = colormap.size / pamP->width;
|
|
diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h
|
|
--- netpbm-10.58.01/urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ netpbm-10.58.01/urt/rle.h 2012-04-09 15:40:03.233619414 +0200
|
|
@@ -14,6 +14,9 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
+ * Header declarations needed
|
|
*/
|
|
/*
|
|
* rle.h - Global declarations for Utah Raster Toolkit RLE programs.
|
|
@@ -160,6 +163,17 @@ rle_hdr /* End of typedef. *
|
|
*/
|
|
extern rle_hdr rle_dflt_hdr;
|
|
|
|
+/*
|
|
+ * Provided by pm library
|
|
+ */
|
|
+
|
|
+extern void overflow_add(int, int);
|
|
+#define overflow2(a,b) __overflow2(a,b)
|
|
+extern void __overflow2(int, int);
|
|
+extern void overflow3(int, int, int);
|
|
+extern void *malloc2(int, int);
|
|
+extern void *malloc3(int, int, int);
|
|
+extern void *realloc2(void *, int, int);
|
|
|
|
/* Declare RLE library routines. */
|
|
|
|
--- netpbm-10.58.01/lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400
|
|
+++ netpbm-10.58.01/lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400
|
|
@@ -78,6 +78,7 @@
|
|
} else {
|
|
pm_filepos const bytesPerRow = (cols+7)/8;
|
|
pm_filepos const needRasterSize = rows * bytesPerRow;
|
|
+ overflow2(bytesPerRow, rows);
|
|
pm_check(fileP, checkType, needRasterSize, retvalP);
|
|
}
|
|
}
|
|
--- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400
|
|
+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400
|
|
@@ -185,6 +185,7 @@
|
|
unsigned int i;
|
|
int * table;
|
|
|
|
+ overflow_add(oldmaxval, 1);
|
|
MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
|
|
for (i = 0; i <= oldmaxval; ++i)
|
|
table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
|
|
--- netpbm-10.58.01/converter/other/sgitopnm.c.orig 2014-07-08 16:57:30.878754976 -0400
|
|
+++ netpbm-10.58.01/converter/other/sgitopnm.c 2014-07-08 17:07:52.727745725 -0400
|
|
@@ -372,10 +372,14 @@
|
|
MALLOCARRAY_NOFAIL(image, head->ysize);
|
|
} else {
|
|
maxchannel = 3;
|
|
+ overflow2(head->ysize, maxchannel);
|
|
MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
|
|
}
|
|
- if (table)
|
|
+ if (table) {
|
|
+ overflow2(head->xsize, 2);
|
|
+ overflow_add(head->xsize*2, 2);
|
|
MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
|
|
+ }
|
|
|
|
for (channel = 0; channel < maxchannel; ++channel) {
|
|
unsigned int row;
|