File xv-3.10a-overflow.dif of Package xv

!
! Avoid counting past the end of the allocated array behind a
! pointer in xvbmp.c, as the new glibc will call abort() on a
! free() of that pointer.
! Use unsigned integers in the comparison that detects wrong
! picture dimensions; otherwise the new gcc will fool us
! with a false negative check.
!
--- xvbmp.c
+++ xvbmp.c	2008-05-27 12:37:34.384175224 +0200
@@ -191,6 +191,9 @@ int LoadBMP(fname, pinfo)
     bPad -= 12;
   }
 
+  if (biClrUsed > (1 << biBitCount))
+    biClrUsed = (1 << biBitCount);
+
   /* load up colormap, if any */
   if (biBitCount == 1 || biBitCount == 4 || biBitCount == 8) {
     int i, cmaplen;
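Review bot: The clamp sits above the `biBitCount == 1 || biBitCount == 4 || biBitCount == 8` test, so `1 << biBitCount` is evaluated for every bit depth that reaches this point, not only the palettised ones. Whatever validates biBitCount is outside the hunk; if a value of 31 or more (for example a 32-bit image) can get here, the shift on an `int` is undefined and the clamp value is meaningless. Moving the two added lines to be the first statements after `int i, cmaplen;` keeps the shift count at 8 or below. The declaration of biClrUsed is not visible either; if it is signed, a negative value passes the clamp unchanged, so `if (biClrUsed < 0 || biClrUsed > (1 << biBitCount))` would be the safer condition. LoadBMP's body starts and ends outside the hunk.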
@@ -237,7 +240,7 @@ int LoadBMP(fname, pinfo)
     if (biWidth == 0 || biHeight == 0 || npixels/biWidth != biHeight ||
         count/3 != npixels)
       return (bmpError(bname, "image dimensions too large"));
-    pic24 = (byte *) calloc((size_t) count, (size_t) 1);
+    pic24 = (byte *) calloc((size_t) (count + 1), (size_t) 1);
     if (!pic24) return (bmpError(bname, "couldn't malloc 'pic24'"));
   }
   else {
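Review bot: `count + 1` is evaluated in the type of `count` and only then cast, so the addition can wrap before size_t is reached; casting first avoids that: `pic24 = (byte *) calloc((size_t) count + 1, (size_t) 1);`, and likewise `(size_t) npixels + 1` for the pic8 allocation in the next hunk. The extra byte is also unexplained in the code, and padding the buffer hides a one-byte overrun rather than bounding the writer. A short comment naming the loader that stores past the last pixel (not visible here) would keep a later cleanup from dropping the pad. The declarations of count and npixels are outside the hunk, so the wrap concern is stated for either a signed or an unsigned type.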
@@ -245,7 +248,7 @@ int LoadBMP(fname, pinfo)
 
     if (biWidth == 0 || biHeight == 0 || npixels/biWidth != biHeight)
       return (bmpError(bname, "image dimensions too large"));
-    pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
+    pic8 = (byte *) calloc((size_t) (npixels + 1), (size_t) 1);
     if (!pic8) return(bmpError(bname, "couldn't malloc 'pic8'"));
   }
 
@@ -466,7 +469,7 @@ static int loadBMP8(fp, pic8, w, h, comp
 
   rv = 0;
 
-  pend = pic8 + w * h;
+  pend = pic8 + l;
 
   if (comp == BI_RGB) {   /* read uncompressed data */
     padw = ((w + 3)/4) * 4; /* 'w' padded to a multiple of 4pix (32 bits) */
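Review bot: `pend` is the bound that guards writes into pic8, and it now depends on `l`, which is neither declared nor assigned anywhere in this hunk and does not appear in the truncated parameter list shown in the hunk header. Whether `l` matches the size passed to calloc() in LoadBMP (now `npixels + 1`) therefore cannot be confirmed from here. A comment at the assignment would make the invariant checkable, for example `/* l: number of bytes allocated for pic8 by the caller; pend is one past the last writable pixel */`. A longer name than `l` would also help, since it is easily misread as `1` in `pic8 + l`. loadBMP8's body starts and ends outside the hunk.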
--- xvpbm.c
+++ xvpbm.c	2008-05-26 17:47:31.890952085 +0200
@@ -5,6 +5,7 @@
  * WritePBM(fp,pic,ptype,w,h,r,g,b,numcols,style,raw,cmt,comment)
  */
 
+#include <stdint.h>
 #include "copyright.h"
 
 #include "xv.h"
@@ -234,12 +235,17 @@ static int loadpbm(fp, pinfo, raw)
   byte *pic8;
   byte *pix;
   int   i,j,bit,w,h,npixels;
+  uint64_t pixchk;
 
   w = pinfo->w;
   h = pinfo->h;
 
   npixels = w * h;
-  if (w <= 0 || h <= 0 || npixels/w != h)
+
+  pixchk = (uint64_t)w;
+  pixchk *= (uint64_t)h;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
     return pbmError(bname, "image dimensions too large");
 
   pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
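Review bot: `npixels = w * h;` still runs in `int` before the new test, so for oversized dimensions the signed multiplication has already overflowed, which is undefined behaviour, by the time `(uint64_t)npixels != pixchk` is evaluated. A compiler may assume the overflow never happens and fold the comparison away, which is the failure the description attributes to the old check. Deriving npixels from the 64-bit product removes the reliance on wrapped arithmetic: test `if (w <= 0 || h <= 0 || pixchk > INT_MAX)` and only then assign `npixels = (int) pixchk;` (INT_MAX needs `<limits.h>` unless xv.h already pulls it in). The same pattern recurs in the loadpgm, loadppm (`bufsize = 3*npixels`) and loadpam (`linebufsize = 4*w`) hunks below. loadpbm's body continues outside the hunk.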
@@ -305,13 +311,17 @@ static int loadpgm(fp, pinfo, raw, maxv)
 {
   byte *pix, *pic8;
   int   i,j,bitshift,w,h,npixels, holdmaxv;
-
+  uint64_t pixchk;
 
   w = pinfo->w;
   h = pinfo->h;
 
   npixels = w * h;
-  if (w <= 0 || h <= 0 || npixels/w != h)
+
+  pixchk = (uint64_t)w;
+  pixchk *= (uint64_t)h;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk)
     return pbmError(bname, "image dimensions too large");
 
   pic8 = (byte *) calloc((size_t) npixels, (size_t) 1);
@@ -389,13 +399,20 @@ static int loadppm(fp, pinfo, raw, maxv)
 {
   byte *pix, *pic24, scale[256];
   int   i,j,bitshift, w, h, npixels, bufsize, holdmaxv;
+  uint64_t  bufchk, pixchk;
 
   w = pinfo->w;
   h = pinfo->h;
 
   npixels = w * h;
   bufsize = 3*npixels;
-  if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels)
+
+  pixchk = (uint64_t)w;
+  bufchk = (uint64_t)npixels;
+  pixchk *= (uint64_t)h;
+  bufchk *= 3ULL;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk)
     return pbmError(bname, "image dimensions too large");
 
   /* allocate 24-bit image */
@@ -481,6 +498,7 @@ static int loadpam(fp, pinfo, raw, maxv)
 {
   byte *p, *pix, *pic24, *linebuf, scale[256], bgR, bgG, bgB, r, g, b, a;
   int   i, j, bitshift, w, h, npixels, bufsize, linebufsize, holdmaxv;
+  uint64_t  bufchk, pixchk, lnbchk;
 
   w = pinfo->w;
   h = pinfo->h;
@@ -488,8 +506,16 @@ static int loadpam(fp, pinfo, raw, maxv)
   npixels = w * h;
   bufsize = 3*npixels;
   linebufsize = 4*w;
-  if (w <= 0 || h <= 0 || npixels/w != h || bufsize/3 != npixels ||
-      linebufsize/4 != w)
+
+  pixchk = (uint64_t)w;
+  bufchk = (uint64_t)npixels;
+  lnbchk = (uint64_t)w;
+  pixchk *= (uint64_t)h;
+  bufchk *= 3ULL;
+  lnbchk *= 4ULL;
+
+  if (w <= 0 || h <= 0 || (uint64_t)npixels != pixchk || (uint64_t)bufsize != bufchk ||
+      (uint64_t)linebufsize != lnbchk)
     return pbmError(bname, "image dimensions too large");
 
   /* allocate 24-bit image */