void-packages/srcpkgs/netpbm/files/netpbm-security-code.patch

892 lines
37 KiB
Diff

diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/analyzer/pgmtexture.c
--- netpbm-10.58.01/analyzer/pgmtexture.c.security-code 2012-04-09 15:31:32.000000000 +0200
+++ netpbm-10.58.01/analyzer/pgmtexture.c 2012-04-09 15:40:03.183620040 +0200
@@ -97,7 +97,7 @@ vector(unsigned int const nl,
float * v;
assert(nh >= nl);
-
+ overflow_add(nh - nl, 1);
MALLOCARRAY(v, (unsigned) (nh - nl + 1));
if (v == NULL)
@@ -129,6 +129,7 @@ matrix (unsigned int const nrl,
assert(nrh >= nrl);
/* allocate pointers to rows */
+ overflow_add(nrh - nrl, 1);
MALLOCARRAY(m, (unsigned) (nrh - nrl + 1));
if (m == NULL)
pm_error("Unable to allocate memory for a matrix.");
@@ -136,7 +137,7 @@ matrix (unsigned int const nrl,
m -= ncl;
assert (nch >= ncl);
-
+ overflow_add(nch - ncl, 1);
/* allocate rows and set pointers to them */
for (i = nrl; i <= nrh; ++i) {
MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1));
diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c
--- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
+++ netpbm-10.58.01/converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200
@@ -861,6 +861,8 @@ convertImage(FILE *
/* Calculate output image dimensions so we can allocate space */
jpeg_calc_output_dimensions(cinfoP);
+ overflow2(cinfoP->output_width, cinfoP->output_components);
+
/* Start decompressor */
jpeg_start_decompress(cinfoP);
diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.01/converter/other/pbmtopgm.c
--- netpbm-10.58.01/converter/other/pbmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/pbmtopgm.c 2012-04-09 15:40:03.184620028 +0200
@@ -47,6 +47,7 @@ main(int argc, char *argv[]) {
"than the image height (%u rows)", height, rows);
outrow = pgm_allocrow(cols) ;
+ overflow2(width, height);
maxval = MIN(PGM_OVERALLMAXVAL, width*height);
pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c
--- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200
@@ -632,6 +632,7 @@ main(int argc, char *argv[]) {
switch (PNM_FORMAT_TYPE(format)) {
case PBM_TYPE:
ip.bits_per_pixel = 1;
+ overflow_add(cols, 7);
ip.bytes_per_line = (cols + 7) / 8;
ip.spectral = 2;
ip.components = 1;
@@ -647,6 +648,7 @@ main(int argc, char *argv[]) {
ip.polarity = 2;
break;
case PPM_TYPE:
+ overflow2(cols, 3);
ip.bytes_per_line = 3 * cols;
ip.bits_per_pixel = 24;
ip.spectral = 5;
diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c
--- netpbm-10.58.01/converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* pnmtorle - A program which will convert pbmplus (ppm or pgm) images
diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c
--- netpbm-10.58.01/converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rletopnm - A conversion program to convert from Utah's "rle" image format
diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.01/converter/other/sirtopnm.c
--- netpbm-10.58.01/converter/other/sirtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/sirtopnm.c 2012-04-09 15:40:03.190619951 +0200
@@ -69,6 +69,7 @@ char* argv[];
}
break;
case PPM_TYPE:
+ overflow3(cols, rows, 3);
picsize = cols * rows * 3;
planesize = cols * rows;
if ( !( sirarray = (unsigned char*) malloc( picsize ) ) )
diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58.01/converter/other/tifftopnm.c
--- netpbm-10.58.01/converter/other/tifftopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/other/tifftopnm.c 2012-04-09 15:40:03.191619939 +0200
@@ -1279,7 +1279,9 @@ convertRasterByRows(pnmOut * const
if (scanbuf == NULL)
pm_error("can't allocate memory for scanline buffer");
- MALLOCARRAY(samplebuf, cols * spp);
+ /* samplebuf is unsigned int * !!! */
+ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp);
+
if (samplebuf == NULL)
pm_error("can't allocate memory for row buffer");
diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.01/converter/other/xwdtopnm.c
--- netpbm-10.58.01/converter/other/xwdtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
+++ netpbm-10.58.01/converter/other/xwdtopnm.c 2012-04-09 15:40:03.192619927 +0200
@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons
*colorsP = pnm_allocrow(2);
PNM_ASSIGN1((*colorsP)[0], 0);
PNM_ASSIGN1((*colorsP)[1], *maxvalP);
+ overflow_add(h10P->pixmap_width, 15);
+ if(h10P->pixmap_width < 0)
+ pm_error("assert: negative width");
+ overflow2((((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width), 8);
*padrightP =
(((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8;
*bits_per_itemP = 16;
@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons
*colsP = h11FixedP->pixmap_width;
*rowsP = h11FixedP->pixmap_height;
+ overflow2(h11FixedP->bytes_per_line, 8);
*padrightP =
h11FixedP->bytes_per_line * 8 -
h11FixedP->pixmap_width * h11FixedP->bits_per_pixel;
diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/converter/pbm/mdatopbm.c
--- netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/mdatopbm.c 2012-04-09 15:40:03.192619927 +0200
@@ -245,10 +245,13 @@ main(int argc, char **argv) {
pm_readlittleshort(infile, &yy); nInCols = yy;
}
+ overflow2(nOutCols, 8);
nOutCols = 8 * nInCols;
nOutRows = nInRows;
- if (bScale)
+ if (bScale) {
+ overflow2(nOutRows, 2);
nOutRows *= 2;
+ }
data = pbm_allocarray(nOutCols, nOutRows);
diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c
--- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
bitsperitem = 0;
bitshift = 7;
outcol = 0;
+ overflow_add(cols, 7);
outmax = (cols + 7) / 8;
outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c
--- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200
@@ -158,6 +158,7 @@ main(int argc,
bitrow = pbm_allocrow(cols);
/* Round cols up to the nearest multiple of 8. */
+ overflow_add(cols, 7);
rucols = ( cols + 7 ) / 8;
bytesperrow = rucols; /* GraphOn uses bytes */
rucols = rucols * 8;
diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c
--- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200
@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
static void
allocateBuffers(unsigned int const cols) {
+ overflow_add(cols, 8);
rowBufferSize = (cols + 7) / 8;
+ overflow_add(rowBufferSize, 128);
+ overflow_add(rowBufferSize, rowBufferSize+128);
+ overflow_add(rowBufferSize+10, rowBufferSize/8);
packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c
--- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200
@@ -179,6 +179,7 @@ int main(int argc, char **argv)
nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
+ overflow_add(nOutRowsUnrounded, 3);
nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
/* MDA wants rows a multiple of 4 */
nOutCols = nInCols / 8;
diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c
--- netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c 2012-04-09 15:40:03.196619876 +0200
@@ -441,6 +441,7 @@ main(int argc, char *argv[]) {
pm_error("main(): unrecognized parameter '%s'", argv[argn]);
}
+ overflow_add(Width, 7);
Pwidth=(Width+7)/8;
printer.fptr=out;
diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c
--- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200
@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP,
unsigned char * bitrow;
unsigned int row;
+
+ overflow_add(cols, padright);
putinit(xbmVersion);
diff -up netpbm-10.58.01/converter/pbm/pbmto4425.c.security-code netpbm-10.58.01/converter/pbm/pbmto4425.c
--- netpbm-10.58.01/converter/pbm/pbmto4425.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pbmto4425.c 2012-04-09 15:40:03.198619851 +0200
@@ -2,6 +2,7 @@
#include "nstring.h"
#include "pbm.h"
+#include <string.h>
static char bit_table[2][3] = {
{1, 4, 0x10},
@@ -160,7 +161,7 @@ main(int argc, char * argv[]) {
xres = vmap_width * 2;
yres = vmap_height * 3;
- vmap = malloc(vmap_width * vmap_height * sizeof(char));
+ vmap = malloc3(vmap_width, vmap_height, sizeof(char));
if(vmap == NULL)
{
pm_error( "Cannot allocate memory" );
diff -up netpbm-10.58.01/converter/pbm/pktopbm.c.security-code netpbm-10.58.01/converter/pbm/pktopbm.c
--- netpbm-10.58.01/converter/pbm/pktopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/pktopbm.c 2012-04-09 15:40:03.198619851 +0200
@@ -277,6 +277,7 @@ main(int argc, char *argv[]) {
if (flagbyte == 7) { /* long form preamble */
integer packetlength = get32() ; /* character packet length */
car = get32() ; /* character number */
+ overflow_add(packetlength, pktopbm_pkloc);
endofpacket = packetlength + pktopbm_pkloc;
/* calculate end of packet */
if ((car >= MAXPKCHAR) || !filename[car]) {
diff -up netpbm-10.58.01/converter/pbm/thinkjettopbm.l.security-code netpbm-10.58.01/converter/pbm/thinkjettopbm.l
--- netpbm-10.58.01/converter/pbm/thinkjettopbm.l.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/converter/pbm/thinkjettopbm.l 2012-04-09 15:40:03.199619839 +0200
@@ -114,7 +114,9 @@ DIG [0-9]
<RASTERMODE>\033\*b{DIG}+W {
int l;
if (rowCount >= rowCapacity) {
+ overflow_add(rowCapacity, 100);
rowCapacity += 100;
+ overflow2(rowCapacity, sizeof *rows);
rows = realloc (rows, rowCapacity * sizeof *rows);
if (rows == NULL)
pm_error ("Out of memory.");
@@ -226,6 +228,8 @@ yywrap (void)
/*
* Quite simple since ThinkJet bit arrangement matches PBM
*/
+
+ overflow2(maxRowLength, 8);
pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
packed_bitrow = malloc(maxRowLength);
diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.01/converter/pgm/lispmtopgm.c
--- netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/pgm/lispmtopgm.c 2012-04-09 15:40:03.199619839 +0200
@@ -58,6 +58,7 @@ main( argc, argv )
pm_error( "depth (%d bits) is too large", depth);
pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
+ overflow_add(cols, 7);
grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
for ( row = 0; row < rows; ++row )
@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad
if ( *depthP == 0 )
*depthP = 1; /* very old file */
-
+
+ overflow_add((int)colsP, 31);
+
*padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
if ( *colsP != (cols_32 - *padrightP) ) {
diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01/converter/pgm/psidtopgm.c
--- netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/pgm/psidtopgm.c 2012-04-09 15:40:03.200619827 +0200
@@ -78,6 +78,7 @@ main(int argc,
pm_error("bits/sample (%d) is too large.", bitspersample);
pgm_writepgminit(stdout, cols, rows, maxval, 0);
+ overflow_add(cols, 7);
grayrow = pgm_allocrow((cols + 7) / 8 * 8);
for (row = 0; row < rows; ++row) {
unsigned int col;
diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01/converter/ppm/ilbmtoppm.c
--- netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ilbmtoppm.c 2012-04-09 15:40:03.201619815 +0200
@@ -592,6 +592,7 @@ decode_row(FILE * const ifP,
rawtype *chp;
cols = bmhdP->w;
+ overflow_add(cols, 15);
bytes = RowBytes(cols);
for( plane = 0; plane < nPlanes; plane++ ) {
int mask;
@@ -679,6 +680,23 @@ decode_mask(FILE * const ifP,
Multipalette handling
****************************************************************************/
+static void *
+xmalloc2(x, y)
+ int x;
+ int y;
+{
+ void *mem;
+
+ overflow2(x,y);
+ if( x * y == 0 )
+ return NULL;
+
+ mem = malloc2(x,y);
+ if( mem == NULL )
+ pm_error("out of memory allocating %d bytes", x * y);
+ return mem;
+}
+
static void
multi_adjust(cmap, row, palchange)
@@ -2028,6 +2051,9 @@ read_pchg(FILE * const ifp,
cmap->mp_change[i] = NULL;
if( PCHG.StartLine < 0 ) {
int nch;
+ if(PCHG.MaxReg < PCHG.MinReg)
+ pm_error("assert: MinReg > MaxReg");
+ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2);
nch = PCHG.MaxReg - PCHG.MinReg +1;
MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1);
for( i = 0; i < nch; i++ )
@@ -2104,6 +2130,7 @@ process_body( FILE * const ifp,
if( typeid == ID_ILBM ) {
int isdeep;
+ overflow_add(bmhdP->w, 15);
MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w));
*viewportmodesP |= fakeviewport; /* -isham/-isehb */
diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/converter/ppm/imgtoppm.c
--- netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/imgtoppm.c 2012-04-09 15:40:03.202619802 +0200
@@ -84,6 +84,7 @@ main(int argc, char ** argv) {
len = atoi((char*) buf );
if ( fread( buf, len, 1, ifp ) != 1 )
pm_error( "bad colormap buf" );
+ overflow2(cmaplen, 3);
if ( cmaplen * 3 != len )
{
pm_message(
@@ -105,6 +106,7 @@ main(int argc, char ** argv) {
pm_error( "bad pixel data header" );
buf[8] = '\0';
len = atoi((char*) buf );
+ overflow2(cols, rows);
if ( len != cols * rows )
pm_message(
"pixel data length (%d) does not match image size (%d)",
diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile
--- netpbm-10.58.01/converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200
@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
leaftoppm mtvtoppm neotoppm \
- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
+ pcxtoppm pc1toppm pi1toppm pjtoppm \
ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/converter/ppm/pcxtoppm.c
--- netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/pcxtoppm.c 2012-04-09 15:40:03.203619789 +0200
@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes,
/*
* clear the pixel buffer
*/
+ overflow2(bytesperline, 8);
npixels = (bytesperline * 8) / bitsperpixel;
p = pixels;
while (--npixels >= 0)
@@ -470,6 +471,7 @@ pcx_16col_to_ppm(FILE * const ifP,
}
/* BytesPerLine should be >= BitsPerPixel * cols / 8 */
+ overflow2(BytesPerLine, 8);
rawcols = BytesPerLine * 8 / BitsPerPixel;
if (headerCols > rawcols) {
pm_message("warning - BytesPerLine = %d, "
diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c
--- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200
@@ -1,3 +1,5 @@
+#error "Unfixable. Don't ship me"
+
/*
* picttoppm.c -- convert a MacIntosh PICT file to PPM format.
*
diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c
--- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200
@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
int index;
+ overflow_add(maxval, 1);
MALLOCARRAY_NOFAIL(mult299 , maxval+1);
MALLOCARRAY_NOFAIL(mult587 , maxval+1);
MALLOCARRAY_NOFAIL(mult114 , maxval+1);
diff -up netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoilbm.c
--- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2012-04-09 15:40:03.208619727 +0200
@@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval)
maskmethod = 0; /* no masking - RGB8 uses genlock bits */
compmethod = 4; /* RGB8 files are always compressed */
+ overflow2(cols, 4);
MALLOCARRAY_NOFAIL(compr_row, cols * 4);
if( maxval != 255 ) {
@@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval)
maskmethod = 0; /* no masking - RGBN uses genlock bits */
compmethod = 4; /* RGBN files are always compressed */
+ overflow2(cols, 2);
MALLOCARRAY_NOFAIL(compr_row, cols * 2);
if( maxval != 15 ) {
diff -up netpbm-10.58.01/converter/ppm/ppmtolj.c.security-code netpbm-10.58.01/converter/ppm/ppmtolj.c
--- netpbm-10.58.01/converter/ppm/ppmtolj.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtolj.c 2012-04-09 15:40:03.210619701 +0200
@@ -181,7 +181,8 @@ int main(int argc, char *argv[]) {
ppm_readppminit( ifp, &cols, &rows, &maxval, &format );
pixelrow = ppm_allocrow( cols );
-
+
+ overflow2(cols, 6);
obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
if (mode == C_TRANS_MODE_DELTA)
diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.01/converter/ppm/ppmtomitsu.c
--- netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtomitsu.c 2012-04-09 15:40:03.210619702 +0200
@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
medias = MSize_User;
if (dpi300) {
+ overflow2(medias.maxcols, 2);
+ overflow2(medias.maxrows, 2);
medias.maxcols *= 2;
medias.maxrows *= 2;
}
diff -up netpbm-10.58.01/converter/ppm/ppmtopj.c.security-code netpbm-10.58.01/converter/ppm/ppmtopj.c
--- netpbm-10.58.01/converter/ppm/ppmtopj.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtopj.c 2012-04-09 15:40:03.212619677 +0200
@@ -179,6 +179,7 @@ char *argv[];
pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
pm_close( ifp );
+ overflow2(cols,2);
obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
diff -up netpbm-10.58.01/converter/ppm/ppmtopjxl.c.security-code netpbm-10.58.01/converter/ppm/ppmtopjxl.c
--- netpbm-10.58.01/converter/ppm/ppmtopjxl.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtopjxl.c 2012-04-09 15:40:03.212619677 +0200
@@ -276,6 +276,8 @@ main(int argc, const char * argv[]) {
pm_error("image too large; reduce with ppmscale");
if (maxval > PCL_MAXVAL)
pm_error("color range too large; reduce with ppmcscale");
+ if (cols < 0 || rows < 0)
+ pm_error("negative size is not possible");
/* Figure out the colormap. */
pm_message("Computing colormap...");
@@ -296,6 +298,8 @@ main(int argc, const char * argv[]) {
case 0: /* direct mode (no palette) */
bpp = bitsperpixel(maxval); /* bits per pixel */
bpg = bpp; bpb = bpp;
+ overflow2(bpp, 3);
+ overflow_add(bpp*3, 7);
bpp = (bpp*3+7)>>3; /* bytes per pixel now */
bpr = (bpp<<3)-bpg-bpb;
bpp *= cols; /* bytes per row now */
@@ -305,9 +309,13 @@ main(int argc, const char * argv[]) {
case 3: case 7: pclindex++;
default:
bpp = 8/pclindex;
+ overflow_add(cols, bpp);
+ if(bpp == 0)
+ pm_error("assert: no bpp");
bpp = (cols+bpp-1)/bpp; /* bytes per row */
}
}
+ overflow2(bpp,2);
inrow = (char *)malloc((unsigned)bpp);
outrow = (char *)malloc((unsigned)bpp*2);
runcnt = (signed char *)malloc((unsigned)bpp);
diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58.01/converter/ppm/ppmtowinicon.c
--- netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtowinicon.c 2012-04-09 15:40:03.213619664 +0200
@@ -12,6 +12,7 @@
#include <math.h>
#include <string.h>
+#include <stdlib.h>
#include "pm_c_util.h"
#include "winico.h"
@@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
+ overflow2(xBytes, rows);
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
u1 * row;
@@ -347,6 +349,7 @@ create4Bitmap (pixel ** const pa, int co
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
+ overflow2(xBytes, rows);
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
@@ -407,6 +410,7 @@ create8Bitmap (pixel ** const pa, int co
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
+ overflow2(xBytes, rows);
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
@@ -714,6 +718,10 @@ addEntryToIcon(MS_Ico const MSIcon
entry->bitcount = bpp;
entry->ih = createInfoHeader(entry, xorBitmap, andBitmap);
entry->colors = palette->colors;
+ overflow2(4, entry->color_count);
+ overflow_add(xorBitmap->size, andBitmap->size);
+ overflow_add(xorBitmap->size + andBitmap->size, 40);
+ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count);
entry->size_in_bytes =
xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count);
if (verbose)
diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoxpm.c
--- netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code 2012-04-09 15:31:44.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/ppmtoxpm.c 2012-04-09 15:40:03.214619651 +0200
@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int
unsigned int i;
/* Allocate memory for printed number. Abort if error. */
+ overflow_add(digits, 1);
if (!(str = (char *) malloc(digits + 1)))
pm_error("out of memory");
@@ -314,6 +315,7 @@ genCmap(colorhist_vector const chv,
unsigned int charsPerPixel;
unsigned int xpmMaxval;
+ if (includeTransparent) overflow_add(ncolors, 1);
MALLOCARRAY(cmap, cmapSize);
if (cmapP == NULL)
pm_error("Out of memory allocating %u bytes for a color map.",
diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/converter/ppm/qrttoppm.c
--- netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code 2012-04-09 15:31:42.000000000 +0200
+++ netpbm-10.58.01/converter/ppm/qrttoppm.c 2012-04-09 15:40:03.215619638 +0200
@@ -46,7 +46,7 @@ main( argc, argv )
ppm_writeppminit( stdout, cols, rows, maxval, 0 );
pixelrow = ppm_allocrow( cols );
- buf = (unsigned char *) malloc( 3 * cols );
+ buf = (unsigned char *) malloc2( 3 , cols );
if ( buf == (unsigned char *) 0 )
pm_error( "out of memory" );
diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pamcut.c
--- netpbm-10.58.01/editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200
+++ netpbm-10.58.01/editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200
@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP
outpam = inpam; /* Initial value -- most fields should be same */
outpam.file = ofP;
+ overflow_add(rightcol, 1);
+ overflow_add(bottomrow, 1);
outpam.width = rightcol - leftcol + 1;
outpam.height = bottomrow - toprow + 1;
diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c
--- netpbm-10.58.01/editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200
+++ netpbm-10.58.01/editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200
@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction
xelval ** const btableP) {
/* Allocate space for the tables. */
+ overflow_add(maxval, 1);
MALLOCARRAY(*rtableP, maxval+1);
MALLOCARRAY(*gtableP, maxval+1);
MALLOCARRAY(*btableP, maxval+1);
diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c
--- netpbm-10.58.01/editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200
+++ netpbm-10.58.01/editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200
@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const *
unsigned int pixelCount;
unsigned int * lumahist;
+ overflow_add(maxval, 1);
MALLOCARRAY(lumahist, maxval + 1);
if (lumahist == NULL)
pm_error("Out of storage allocating array for %u histogram elements",
diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c
--- netpbm-10.58.01/editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200
+++ netpbm-10.58.01/editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200
@@ -527,6 +527,8 @@ main(int argc, const char ** argv) {
computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
+ overflow_add(cols, lpad);
+ overflow_add(cols + lpad, rpad);
newcols = cols + lpad + rpad;
if (PNM_FORMAT_TYPE(format) == PBM_TYPE)
diff -up netpbm-10.58.01/editor/pnmscalefixed.c.security-code netpbm-10.58.01/editor/pnmscalefixed.c
--- netpbm-10.58.01/editor/pnmscalefixed.c.security-code 2012-04-09 15:31:34.000000000 +0200
+++ netpbm-10.58.01/editor/pnmscalefixed.c 2012-04-09 15:40:03.223619538 +0200
@@ -214,6 +214,8 @@ compute_output_dimensions(const struct c
const int rows, const int cols,
int * newrowsP, int * newcolsP) {
+ overflow2(rows, cols);
+
if (cmdline.pixels) {
if (rows * cols <= cmdline.pixels) {
*newrowsP = rows;
@@ -265,6 +267,8 @@ compute_output_dimensions(const struct c
if (*newcolsP < 1) *newcolsP = 1;
if (*newrowsP < 1) *newrowsP = 1;
+
+ overflow2(*newcolsP, *newrowsP);
}
@@ -446,6 +450,9 @@ main(int argc, char **argv ) {
unfilled. We can address that by stretching, whereas the other
case would require throwing away some of the input.
*/
+
+ overflow2(newcols, SCALE);
+ overflow2(newrows, SCALE);
sxscale = SCALE * newcols / cols;
syscale = SCALE * newrows / rows;
diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor/ppmdither.c
--- netpbm-10.58.01/editor/ppmdither.c.security-code 2012-04-09 15:31:33.000000000 +0200
+++ netpbm-10.58.01/editor/ppmdither.c 2012-04-09 15:40:03.224619526 +0200
@@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower)
unsigned int const dithMatSize =
(dithDim * sizeof(*dithMat)) + /* pointers */
(dithDim * dithDim * sizeof(**dithMat)); /* data */
-
+
+ overflow2(dithDim, sizeof(*dithMat));
+ overflow3(dithDim, dithDim, sizeof(**dithMat));
+ overflow_add(dithDim * sizeof(*dithMat), dithDim * dithDim * sizeof(**dithMat));
+
dithMat = malloc(dithMatSize);
if (dithMat == NULL)
diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c
--- netpbm-10.58.01/editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200
+++ netpbm-10.58.01/editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200
@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
pm_close(ifp);
+ overflow_add(inpam.maxval, 1);
MALLOCARRAY(hist, inpam.maxval + 1);
if (hist == NULL)
pm_error("Unable to allocate memory for histogram.");
diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c
--- netpbm-10.58.01/lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200
+++ netpbm-10.58.01/lib/libpm.c 2012-04-09 15:40:03.229619464 +0200
@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg)
}
+/*
+ * Maths wrapping
+ */
+
+void __overflow2(int a, int b)
+{
+ if(a < 0 || b < 0)
+ pm_error("object too large");
+ if(b == 0)
+ return;
+ if(a > INT_MAX / b)
+ pm_error("object too large");
+}
+
+void overflow3(int a, int b, int c)
+{
+ overflow2(a,b);
+ overflow2(a*b, c);
+}
+
+void overflow_add(int a, int b)
+{
+ if( a > INT_MAX - b)
+ pm_error("object too large");
+}
+
+void *malloc2(int a, int b)
+{
+ overflow2(a, b);
+ if(a*b == 0)
+ pm_error("Zero byte allocation");
+ return malloc(a*b);
+}
+
+void *malloc3(int a, int b, int c)
+{
+ overflow3(a, b, c);
+ if(a*b*c == 0)
+ pm_error("Zero byte allocation");
+ return malloc(a*b*c);
+}
+
+void *realloc2(void * a, int b, int c)
+{
+ overflow2(b, c);
+ if(b*c == 0)
+ pm_error("Zero byte allocation");
+ return realloc(a, b*c);
+}
diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h
--- netpbm-10.58.01/lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200
+++ netpbm-10.58.01/lib/pm.h 2012-04-09 15:40:03.229619464 +0200
@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg);
#endif
+void *malloc2(int, int);
+void *malloc3(int, int, int);
+#define overflow2(a,b) __overflow2(a,b)
+void __overflow2(int, int);
+void overflow3(int, int, int);
+void overflow_add(int, int);
+
#endif
diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c
--- netpbm-10.58.01/other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200
+++ netpbm-10.58.01/other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200
@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP
pamP->width = intsqrt;
else
pamP->width = intsqrt + 1;
+ overflow_add(intsqrt, 1);
}
{
unsigned int const intQuotient = colormap.size / pamP->width;
diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h
--- netpbm-10.58.01/urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/urt/rle.h 2012-04-09 15:40:03.233619414 +0200
@@ -14,6 +14,9 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ * Header declarations needed
*/
/*
* rle.h - Global declarations for Utah Raster Toolkit RLE programs.
@@ -160,6 +163,17 @@ rle_hdr /* End of typedef. *
*/
extern rle_hdr rle_dflt_hdr;
+/*
+ * Provided by pm library
+ */
+
+extern void overflow_add(int, int);
+#define overflow2(a,b) __overflow2(a,b)
+extern void __overflow2(int, int);
+extern void overflow3(int, int, int);
+extern void *malloc2(int, int);
+extern void *malloc3(int, int, int);
+extern void *realloc2(void *, int, int);
/* Declare RLE library routines. */
diff -up netpbm-9.58.01/urt/rle_putcom.c.security-code netpbm-10.58.01/urt/rle_putcom.c
--- netpbm-10.58.01/urt/rle_putcom.c.security-code 2012-04-09 15:31:45.000000000 +0200
+++ netpbm-10.58.01/urt/rle_putcom.c 2012-04-09 15:40:03.234619402 +0200
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_putcom.c - Add a picture comment to the header struct.
@@ -98,12 +100,14 @@ rle_putcom(const char * const value,
const char * v;
const char ** old_comments;
int i;
- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp)
+ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) {
+ overflow_add(i, 1);
if (match(value, *cp) != NULL) {
v = *cp;
*cp = value;
return v;
}
+ }
/* Not found */
/* Can't realloc because somebody else might be pointing to this
* comments block. Of course, if this were true, then the
--- netpbm-10.58.01/lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400
+++ netpbm-10.58.01/lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400
@@ -78,6 +78,7 @@
} else {
pm_filepos const bytesPerRow = (cols+7)/8;
pm_filepos const needRasterSize = rows * bytesPerRow;
+ overflow2(bytesPerRow, rows);
pm_check(fileP, checkType, needRasterSize, retvalP);
}
}
--- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400
+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400
@@ -185,6 +185,7 @@
unsigned int i;
int * table;
+ overflow_add(oldmaxval, 1);
MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
for (i = 0; i <= oldmaxval; ++i)
table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
--- netpbm-10.58.01/converter/other/sgitopnm.c.orig 2014-07-08 16:57:30.878754976 -0400
+++ netpbm-10.58.01/converter/other/sgitopnm.c 2014-07-08 17:07:52.727745725 -0400
@@ -372,10 +372,14 @@
MALLOCARRAY_NOFAIL(image, head->ysize);
} else {
maxchannel = 3;
+ overflow2(head->ysize, maxchannel);
MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
}
- if (table)
+ if (table) {
+ overflow2(head->xsize, 2);
+ overflow_add(head->xsize*2, 2);
MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
+ }
for (channel = 0; channel < maxchannel; ++channel) {
unsigned int row;