File netpbm-security-code.patch of Package netpbm
Index: netpbm-11.9.3/analyzer/pgmtexture.c
===================================================================
--- netpbm-11.9.3.orig/analyzer/pgmtexture.c
+++ netpbm-11.9.3/analyzer/pgmtexture.c
@@ -96,7 +96,7 @@ vector(unsigned int const nl,
unsigned int i;
assert(nh >= nl); assert(nh <= UINT_MAX-1);
-
+ overflow_add(nh - nl, 1);
MALLOCARRAY(v, (unsigned) (nh - nl + 1));
if (v == NULL)
@@ -134,6 +134,7 @@ matrix (unsigned int const nrl,
assert(nrh >= nrl); assert(nrh <= UINT_MAX-1);
/* allocate pointers to rows */
+ overflow_add(nrh - nrl, 1);
MALLOCARRAY(matrix, (unsigned) (nrh - nrl + 1));
if (matrix == NULL)
pm_error("Unable to allocate memory for a matrix.");
@@ -141,7 +142,7 @@ matrix (unsigned int const nrl,
matrix -= ncl;
assert (nch >= ncl); assert(nch <= UINT_MAX-1);
-
+ overflow_add(nch - ncl, 1);
/* allocate rows and set pointers to them */
for (i = nrl; i <= nrh; ++i) {
MALLOCARRAY(matrix[i], (unsigned) (nch - ncl + 1));
Index: netpbm-11.9.3/converter/other/gemtopnm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/gemtopnm.c
+++ netpbm-11.9.3/converter/other/gemtopnm.c
@@ -152,7 +152,7 @@ main(int argc, const char ** argv) {
type = PPM_TYPE;
pnm_writepnminit(stdout, cols, rows, MAXVAL, type, 0);
-
+ overflow_add(cols, padright);
{
/* allocate input row data structure */
unsigned int plane;
Index: netpbm-11.9.3/converter/other/jpegtopnm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/jpegtopnm.c
+++ netpbm-11.9.3/converter/other/jpegtopnm.c
@@ -894,6 +894,8 @@ convertImage(FILE *
/* Calculate output image dimensions so we can allocate space */
jpeg_calc_output_dimensions(cinfoP);
+ overflow2(cinfoP->output_width, cinfoP->output_components);
+
/* Start decompressor */
jpeg_start_decompress(cinfoP);
Index: netpbm-11.9.3/converter/other/pbmtopgm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/pbmtopgm.c
+++ netpbm-11.9.3/converter/other/pbmtopgm.c
@@ -88,6 +88,7 @@ main(int argc, const char ** argv) {
up = cmdline.convRows / 2; down = cmdline.convRows - up;
outrow = pgm_allocrow(cols) ;
+ overflow2(cmdline.convCols, cmdline.convRows);
maxval = MIN(PGM_OVERALLMAXVAL, cmdline.convCols * cmdline.convRows);
pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
Index: netpbm-11.9.3/converter/other/pnmtoddif.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/pnmtoddif.c
+++ netpbm-11.9.3/converter/other/pnmtoddif.c
@@ -627,6 +627,7 @@ main(int argc, char *argv[]) {
switch (PNM_FORMAT_TYPE(format)) {
case PBM_TYPE:
ip.bits_per_pixel = 1;
+ overflow_add(cols, 7);
ip.bytes_per_line = (cols + 7) / 8;
ip.spectral = 2;
ip.components = 1;
@@ -642,6 +643,7 @@ main(int argc, char *argv[]) {
ip.polarity = 2;
break;
case PPM_TYPE:
+ overflow2(cols, 3);
ip.bytes_per_line = 3 * cols;
ip.bits_per_pixel = 24;
ip.spectral = 5;
Index: netpbm-11.9.3/converter/other/pnmtojpeg.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/pnmtojpeg.c
+++ netpbm-11.9.3/converter/other/pnmtojpeg.c
@@ -1066,6 +1066,7 @@ computeRescalingArray(JSAMPLE **
JSAMPLE * rescale;
long val;
+ overflow_add(maxval, 1);
MALLOCARRAY(rescale, maxval + 1);
if (!rescale)
Index: netpbm-11.9.3/converter/other/pnmtops.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/pnmtops.c
+++ netpbm-11.9.3/converter/other/pnmtops.c
@@ -298,17 +298,21 @@ parseCommandLine(int argc, const char **
validateCompDimension(width, psScaleFactor, "-width value");
validateCompDimension(height, psScaleFactor, "-height value");
+ overflow2(width, 72);
cmdlineP->width = width * psScaleFactor;
+ overflow2(height, 72);
cmdlineP->height = height * psScaleFactor;
if (imagewidthSpec) {
validateCompDimension(imagewidth, psScaleFactor, "-imagewidth value");
+ overflow2(imagewidth, 72);
cmdlineP->imagewidth = imagewidth * psScaleFactor;
}
else
cmdlineP->imagewidth = 0;
if (imageheightSpec) {
- validateCompDimension(imagewidth, psScaleFactor, "-imageheight value");
+ validateCompDimension(imageheight, psScaleFactor, "-imageheight value");
+ overflow2(imageheight, 72);
cmdlineP->imageheight = imageheight * psScaleFactor;
}
else
Index: netpbm-11.9.3/converter/other/pnmtorle.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/pnmtorle.c
+++ netpbm-11.9.3/converter/other/pnmtorle.c
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* pnmtorle - A program which will convert pbmplus (ppm or pgm) images
Index: netpbm-11.9.3/converter/other/pnmtosgi.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/pnmtosgi.c
+++ netpbm-11.9.3/converter/other/pnmtosgi.c
@@ -185,6 +185,7 @@ buildChannels(FILE * const ifP,
ScanElem * temp;
if (storage != STORAGE_VERBATIM) {
+ overflow2(channels, rows);
MALLOCARRAY_NOFAIL(table, channels * rows);
} else
table = NULL;
Index: netpbm-11.9.3/converter/other/rletopnm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/rletopnm.c
+++ netpbm-11.9.3/converter/other/rletopnm.c
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rletopnm - A conversion program to convert from Utah's "rle" image format
Index: netpbm-11.9.3/converter/other/sgitopnm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/sgitopnm.c
+++ netpbm-11.9.3/converter/other/sgitopnm.c
@@ -375,10 +375,14 @@ readChannels(FILE * const ifP,
MALLOCARRAY_NOFAIL(image, head->ysize);
} else {
maxchannel = 3;
+ overflow2(head->ysize, maxchannel);
MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
}
- if (table)
+ if (table) {
+ overflow2(head->xsize, 2);
+ overflow_add(head->xsize*2, 2);
MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
+ }
for (channel = 0; channel < maxchannel; ++channel) {
unsigned int row;
Index: netpbm-11.9.3/converter/other/tifftopnm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/tifftopnm.c
+++ netpbm-11.9.3/converter/other/tifftopnm.c
@@ -1358,7 +1358,9 @@ convertRasterByRows(pnmOut * const
if (UINT_MAX/cols < spp)
pm_error("Image is too wide/deep (%u x %u) for computations",
cols, spp);
- MALLOCARRAY(samplebuf, cols * spp);
+ /* samplebuf is unsigned int * !!! */
+ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp);
+
if (samplebuf == NULL)
pm_error("can't allocate memory for row buffer");
Index: netpbm-11.9.3/converter/other/xwdtopnm.c
===================================================================
--- netpbm-11.9.3.orig/converter/other/xwdtopnm.c
+++ netpbm-11.9.3/converter/other/xwdtopnm.c
@@ -222,6 +222,10 @@ processX10Header(X10WDFileHeader * cons
*colorsP = pnm_allocrow(2);
PNM_ASSIGN1((*colorsP)[0], 0);
PNM_ASSIGN1((*colorsP)[1], *maxvalP);
+ overflow_add(h10P->pixmap_width, 15);
+ if(h10P->pixmap_width < 0)
+ pm_error("assert: negative width");
+ overflow2((((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width), 8);
*padrightP =
(((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8;
*bitsPerItemP = 16;
@@ -671,6 +675,7 @@ processX11Header(const X11WDFileHeader *
"%u bits per pixel, which is too many for this program "
"to compute",
h11FixedP->pixmap_width, h11FixedP->bits_per_pixel);
+ overflow2(h11FixedP->bytes_per_line, 8);
*padrightP =
h11FixedP->bytes_per_line * 8 -
h11FixedP->pixmap_width * h11FixedP->bits_per_pixel;
Index: netpbm-11.9.3/converter/pbm/mdatopbm.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/mdatopbm.c
+++ netpbm-11.9.3/converter/pbm/mdatopbm.c
@@ -283,10 +283,13 @@ main(int argc, const char **argv) {
pm_readlittleshort(ifP, &yy); nInCols = yy;
}
+ overflow2(nOutCols, 8);
nOutCols = 8 * nInCols;
nOutRows = nInRows;
- if (bScale)
+ if (bScale){
+ overflow2(nOutRows, 2);
nOutRows *= 2;
+ }
data = pbm_allocarray(nOutCols, nOutRows);
Index: netpbm-11.9.3/converter/pbm/mgrtopbm.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/mgrtopbm.c
+++ netpbm-11.9.3/converter/pbm/mgrtopbm.c
@@ -105,6 +105,8 @@ readMgrHeader(FILE * const ifP,
interpHdrWidth (head, colsP);
interpHdrHeight(head, rowsP);
+ overflow_add(*colsP, pad);
+
*padrightP = ((*colsP + pad - 1) / pad) * pad - *colsP;
}
Index: netpbm-11.9.3/converter/pbm/pbmtogem.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/pbmtogem.c
+++ netpbm-11.9.3/converter/pbm/pbmtogem.c
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
bitsperitem = 0;
bitshift = 7;
outcol = 0;
+ overflow_add(cols, 7);
outmax = (cols + 7) / 8;
outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
Index: netpbm-11.9.3/converter/pbm/pbmtogo.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/pbmtogo.c
+++ netpbm-11.9.3/converter/pbm/pbmtogo.c
@@ -158,6 +158,7 @@ main(int argc,
bitrow = pbm_allocrow(cols);
/* Round cols up to the nearest multiple of 8. */
+ overflow_add(cols, 7);
rucols = ( cols + 7 ) / 8;
bytesperrow = rucols; /* GraphOn uses bytes */
rucols = rucols * 8;
Index: netpbm-11.9.3/converter/pbm/pbmtolj.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/pbmtolj.c
+++ netpbm-11.9.3/converter/pbm/pbmtolj.c
@@ -120,7 +120,11 @@ parseCommandLine(int argc, const char **
static void
allocateBuffers(unsigned int const cols) {
+ overflow_add(cols, 8);
rowBufferSize = (cols + 7) / 8;
+ overflow_add(rowBufferSize, 128);
+ overflow_add(rowBufferSize, rowBufferSize+128);
+ overflow_add(rowBufferSize+10, rowBufferSize/8);
packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
Index: netpbm-11.9.3/converter/pbm/pbmtomda.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/pbmtomda.c
+++ netpbm-11.9.3/converter/pbm/pbmtomda.c
@@ -204,6 +204,7 @@ main(int argc, const char ** argv) {
nOutRowsUnrounded = cmdline.dscale ? nInRows/2 : nInRows;
+ overflow_add(nOutRowsUnrounded, 3);
nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
/* MDA wants rows a multiple of 4 */
nOutCols = nInCols / 8;
Index: netpbm-11.9.3/converter/pbm/pbmtoppa/pbm.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/pbmtoppa/pbm.c
+++ netpbm-11.9.3/converter/pbm/pbmtoppa/pbm.c
@@ -157,6 +157,7 @@ pbm_readline(pbm_stat * const pbmSt
break;
case P4: {
int tmp, tmp2;
+ overflow_add(pbmStatP->width, 7);
tmp = (pbmStatP->width+7)/8;
tmp2 = fread(data,1,tmp,pbmStatP->fptr);
if (tmp2 == tmp) {
@@ -189,6 +190,7 @@ pbm_unreadline(pbm_stat * const pbmStatP
if (!pbmStatP->unread) {
pbmStatP->unread = 1;
+ overflow_add(pbmStatP->width, 7);
pbmStatP->revdata = malloc ((pbmStatP->width+7)/8);
memcpy(pbmStatP->revdata, data, (pbmStatP->width+7)/8);
--pbmStatP->current_line;
Index: netpbm-11.9.3/converter/pbm/pbmtoppa/pbmtoppa.c
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/pbmtoppa/pbmtoppa.c
+++ netpbm-11.9.3/converter/pbm/pbmtoppa/pbmtoppa.c
@@ -456,6 +456,7 @@ main(int argc, char *argv[]) {
pm_error("main(): unrecognized parameter '%s'", argv[argn]);
}
+ overflow_add(Width, 7);
Pwidth = (Width+7)/8;
printer.fptr = ofP;
Index: netpbm-11.9.3/converter/pbm/thinkjettopbm.l
===================================================================
--- netpbm-11.9.3.orig/converter/pbm/thinkjettopbm.l
+++ netpbm-11.9.3/converter/pbm/thinkjettopbm.l
@@ -115,8 +115,10 @@ DIG [0-9]
<RASTERMODE>\033\*b{DIG}+W {
int l;
if (rowCount >= rowCapacity) {
+ overflow_add(rowCapacity, 100);
if (rowCapacity > INT_MAX-100)
pm_error("Too many rows to count");
+ overflow2(rowCapacity, sizeof *rows);
rowCapacity += 100;
REALLOCARRAY(rows, rowCapacity);
if (rows == NULL)
@@ -232,6 +234,8 @@ yywrap (void)
/*
* Quite simple since ThinkJet bit arrangement matches PBM
*/
+
+ overflow2(maxRowLength, 8);
pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
packed_bitrow = malloc(maxRowLength);
Index: netpbm-11.9.3/converter/pgm/lispmtopgm.c
===================================================================
--- netpbm-11.9.3.orig/converter/pgm/lispmtopgm.c
+++ netpbm-11.9.3/converter/pgm/lispmtopgm.c
@@ -167,6 +167,7 @@ main(int argc, const char * argv[]) {
pgm_writepgminit(stdout, cols, rows, maxval, 0);
+ overflow_add(cols, 7);
grayrow = pgm_allocrow(ROUNDUP(cols, 8));
for (row = 0; row < rows; ++row) {
Index: netpbm-11.9.3/converter/pgm/psidtopgm.c
===================================================================
--- netpbm-11.9.3.orig/converter/pgm/psidtopgm.c
+++ netpbm-11.9.3/converter/pgm/psidtopgm.c
@@ -81,6 +81,7 @@ main(int argc,
pgm_writepgminit(stdout, cols, rows, maxval, 0);
+ overflow_add(cols, 7);
grayrow = pgm_allocrow(ROUNDUP(cols, 8));
for (row = 0; row < rows; ++row) {
Index: netpbm-11.9.3/converter/ppm/ilbmtoppm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ilbmtoppm.c
+++ netpbm-11.9.3/converter/ppm/ilbmtoppm.c
@@ -617,6 +617,7 @@ decodeRow(FILE * const ifP,
rawtype * chP;
cols = bmhdP->w;
+ overflow_add(cols, 15);
bytes = ilbm_rowByteCt(cols);
for (plane = 0; plane < nPlanes; ++plane) {
@@ -711,6 +712,23 @@ decodeMask(FILE * const ifP,
Multipalette handling
****************************************************************************/
+static void *
+xmalloc2(x, y)
+ int x;
+ int y;
+{
+ void *mem;
+
+ overflow2(x,y);
+ if( x * y == 0 )
+ return NULL;
+
+ mem = malloc2(x,y);
+ if( mem == NULL )
+ pm_error("out of memory allocating %d bytes", x * y);
+ return mem;
+}
+
static void
multi_adjust(ColorMap * const cmapP,
Index: netpbm-11.9.3/converter/ppm/imgtoppm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/imgtoppm.c
+++ netpbm-11.9.3/converter/ppm/imgtoppm.c
@@ -85,6 +85,7 @@ main(int argc, const char ** argv) {
len = atoi((char*) buf);
if (fread(buf, len, 1, ifP) != 1)
pm_error("bad colormap buf");
+ overflow2(cmaplen, 3);
if (len != cmaplen * 3) {
pm_message(
"cmaplen (%u) and colormap buf length (%u) do not match",
@@ -105,6 +106,7 @@ main(int argc, const char ** argv) {
pm_error("bad pixel data header");
buf[8] = '\0';
len = atoi((char*) buf);
+ overflow2(cols, rows);
if (len != cols * rows)
pm_message(
"pixel data length (%u) does not match image size (%u)",
Index: netpbm-11.9.3/converter/ppm/Makefile
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/Makefile
+++ netpbm-11.9.3/converter/ppm/Makefile
@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
leaftoppm mtvtoppm neotoppm \
- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
+ pcxtoppm pc1toppm pi1toppm pjtoppm \
ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
Index: netpbm-11.9.3/converter/ppm/pcxtoppm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/pcxtoppm.c
+++ netpbm-11.9.3/converter/ppm/pcxtoppm.c
@@ -391,6 +391,7 @@ pcxPlanesToPixels(unsigned char * const
pm_error("can't handle more than 1 bit per pixel");
/* Clear the pixel buffer - initial value */
+ overflow2(bytesPerLine, 8);
for (i = 0; i < pixelCt; ++i)
pixels[i] = 0;
@@ -474,6 +475,7 @@ pcx16ColToPpm(FILE * const ifP,
bytesPerLine);
/* bytesPerLine should be >= bBitsPerPixel * cols / 8 */
+ overflow2(bytesPerLine, 8);
rawcols = bytesPerLine * 8 / bitsPerPixel;
if (headerCols > rawcols) {
Index: netpbm-11.9.3/converter/ppm/picttoppm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/picttoppm.c
+++ netpbm-11.9.3/converter/ppm/picttoppm.c
@@ -1,3 +1,5 @@
+#error "Unfixable. Don't ship me"
+
/*
* picttoppm.c -- convert a MacIntosh PICT file to PPM format.
*
Index: netpbm-11.9.3/converter/ppm/ppmtoeyuv.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtoeyuv.c
+++ netpbm-11.9.3/converter/ppm/ppmtoeyuv.c
@@ -117,6 +117,7 @@ chrominanceBlue(pixel const p) {
static void
createMultiplicationTables(pixval const maxval) {
+ overflow_add(maxval, 1);
MALLOCARRAY_NOFAIL(mult299 , maxval+1);
MALLOCARRAY_NOFAIL(mult587 , maxval+1);
MALLOCARRAY_NOFAIL(mult114 , maxval+1);
Index: netpbm-11.9.3/converter/ppm/ppmtoilbm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtoilbm.c
+++ netpbm-11.9.3/converter/ppm/ppmtoilbm.c
@@ -188,6 +188,7 @@ makeValTable(int const oldmaxval,
unsigned int i;
int * table;
+ overflow_add(oldmaxval, 1);
MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
for (i = 0; i <= oldmaxval; ++i)
table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
@@ -1626,6 +1627,7 @@ ppmToRgb8(FILE * const ifP,
maskmethod = 0; /* no masking - RGB8 uses genlock bits */
compmethod = 4; /* RGB8 files are always compressed */
+ overflow2(cols, 4);
MALLOCARRAY_NOFAIL(compr_row, cols * 4);
if( maxval != 255 ) {
@@ -1717,6 +1719,7 @@ ppmToRgbn(FILE * const ifP,
maskmethod = 0; /* no masking - RGBN uses genlock bits */
compmethod = 4; /* RGBN files are always compressed */
+ overflow2(cols, 2);
MALLOCARRAY_NOFAIL(compr_row, cols * 2);
if( maxval != 15 ) {
@@ -2278,10 +2281,12 @@ main(int argc, char ** argv) {
MALLOCARRAY_NOFAIL(coded_rowbuf, ilbm_rowByteCt(cols));
for (i = 0; i < ilbm_rowByteCt(cols); ++i)
coded_rowbuf[i] = 0;
- if (DO_COMPRESS)
+ if (DO_COMPRESS) {
+ overflow_add(cols,15);
pm_rlenc_allocoutbuf(&compr_rowbuf,
ilbm_rowByteCt(cols),
PM_RLE_PACKBITS);
+ }
}
switch (mode) {
Index: netpbm-11.9.3/converter/ppm/ppmtolj.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtolj.c
+++ netpbm-11.9.3/converter/ppm/ppmtolj.c
@@ -212,6 +212,7 @@ printRaster(FILE * const ifP,
pm_error("Image is uncomputably wide (%u columns)", cols);
}
+ overflow2(cols, 6);
obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
Index: netpbm-11.9.3/converter/ppm/ppmtomitsu.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtomitsu.c
+++ netpbm-11.9.3/converter/ppm/ppmtomitsu.c
@@ -68,6 +68,8 @@ mediaSize(const char * const media,
medias = MSize_User;
if (dpi300) {
+ overflow2(medias.maxcols, 2);
+ overflow2(medias.maxrows, 2);
medias.maxcols *= 2;
medias.maxrows *= 2;
}
Index: netpbm-11.9.3/converter/ppm/ppmtopcx.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtopcx.c
+++ netpbm-11.9.3/converter/ppm/ppmtopcx.c
@@ -409,6 +409,9 @@ writeRaster16Color(FILE * const ofP,
unsigned int row;
+ /* see bytesPerLine definition above */
+ overflow2(bitsPerPixel, cols);
+ overflow_add(bitsPerPixel * cols, 7);
MALLOCARRAY_NOFAIL(indexRow, cols);
MALLOCARRAY(planesrow, bytesPerLine);
Index: netpbm-11.9.3/converter/ppm/ppmtopjxl.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtopjxl.c
+++ netpbm-11.9.3/converter/ppm/ppmtopjxl.c
@@ -535,6 +535,8 @@ main(int argc, const char * argv[]) {
pm_error("image too large; reduce with ppmscale");
if (maxval > PCL_MAXVAL)
pm_error("color range too large; reduce with ppmcscale");
+ if (cols < 0 || rows < 0)
+ pm_error("negative size is not possible");
computeColormap(pixels, cols, rows, MAXCOLORS, &chv, &cht, &colorCt);
Index: netpbm-11.9.3/converter/ppm/ppmtowinicon.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtowinicon.c
+++ netpbm-11.9.3/converter/ppm/ppmtowinicon.c
@@ -14,6 +14,7 @@
#include <assert.h>
#include <math.h>
#include <string.h>
+#include <stdlib.h>
#include "pm_c_util.h"
#include "winico.h"
@@ -207,6 +208,7 @@ newAndBitmap(gray ** const ba,
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmapP->xBytes = xByteCt;
icBitmapP->data = rowData;
+ overflow2(xByteCt, rows);
icBitmapP->size = xByteCt * rows;
for (row = 0; row < rows; ++row) {
u1 * thisRow; /* malloc'ed */
@@ -416,6 +418,7 @@ newBitmap(unsigned int const bpp,
icBitmapP->xBytes = xByteCt;
icBitmapP->data = rowData;
+ overflow2(xByteCt, rows);
icBitmapP->size = xByteCt * rows;
unsigned int const assumedBpp = (pa == NULL) ? 1 : bpp;
@@ -706,6 +709,10 @@ addEntryToIcon(MS_Ico * const MSIcon
/* all the icons I looked at ignored this value */
entryP->ih = newInfoHeader(*entryP);
entryP->colors = paletteP->colors;
+ overflow2(4, entryP->color_count);
+ overflow_add(xorBitmapP->size, andBitmapP->size);
+ overflow_add(xorBitmapP->size + andBitmapP->size, 40);
+ overflow_add(xorBitmapP->size + andBitmapP->size + 40, 4 * entryP->color_count);
entryP->size_in_bytes =
xorBitmapP->size + andBitmapP->size + 40 + (4 * entryCols);
if (verbose)
Index: netpbm-11.9.3/converter/ppm/ppmtoxpm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/ppmtoxpm.c
+++ netpbm-11.9.3/converter/ppm/ppmtoxpm.c
@@ -193,6 +193,7 @@ numstr(unsigned int const input,
unsigned int i;
/* Allocate memory for printed number. Abort if error. */
+ overflow_add(digitCt, 1);
MALLOCARRAY_NOFAIL(str, digitCt + 1);
i = input; /* initial value */
@@ -303,6 +304,7 @@ genCmap(colorhist_vector const chv,
unsigned int charsPerPixel;
unsigned int xpmMaxval;
+ if (includeTransparent) overflow_add(ncolors, 1);
MALLOCARRAY(cmap, cmapSize);
if (cmapP == NULL)
pm_error("Can't get memory for a %u-entry color map", cmapSize);
Index: netpbm-11.9.3/converter/ppm/qrttoppm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/qrttoppm.c
+++ netpbm-11.9.3/converter/ppm/qrttoppm.c
@@ -51,6 +51,7 @@ main(int argc, const char ** argv) {
pixelrow = ppm_allocrow(cols);
+ overflow2(3, cols);
MALLOCARRAY(buf, 3 * cols);
if (!buf)
Index: netpbm-11.9.3/converter/ppm/sldtoppm.c
===================================================================
--- netpbm-11.9.3.orig/converter/ppm/sldtoppm.c
+++ netpbm-11.9.3/converter/ppm/sldtoppm.c
@@ -542,6 +542,8 @@ slider(slvecfn slvec,
/* Allocate image buffer and clear it to black. */
+ overflow_add(ixdots,1);
+ overflow_add(iydots,1);
pixcols = ixdots + 1;
pixrows = iydots + 1;
pixels = ppm_allocarray(pixcols, pixrows);
Index: netpbm-11.9.3/editor/pamcut.c
===================================================================
--- netpbm-11.9.3.orig/editor/pamcut.c
+++ netpbm-11.9.3/editor/pamcut.c
@@ -833,6 +833,8 @@ cutOneImage(FILE * const ifP
} else {
outpam = inpam; /* Initial value -- most fields should be same */
outpam.file = ofP;
+ overflow_add(rightcol, 1);
+ overflow_add(bottomrow, 1);
outpam.width = rightcol - leftcol + 1;
outpam.height = bottomrow - toprow + 1;
Index: netpbm-11.9.3/editor/pbmreduce.c
===================================================================
--- netpbm-11.9.3.orig/editor/pbmreduce.c
+++ netpbm-11.9.3/editor/pbmreduce.c
@@ -153,6 +153,7 @@ initializeFloydSteinberg(struct FS * co
unsigned int col;
struct pm_randSt randSt;
+ overflow_add(newcols, 2);
MALLOCARRAY(fsP->thiserr, newcols + 2);
MALLOCARRAY(fsP->nexterr, newcols + 2);
Index: netpbm-11.9.3/editor/pnmgamma.c
===================================================================
--- netpbm-11.9.3.orig/editor/pnmgamma.c
+++ netpbm-11.9.3/editor/pnmgamma.c
@@ -596,6 +596,7 @@ createGammaTables(enum transferFunction
xelval ** const btableP) {
/* Allocate space for the tables. */
+ overflow_add(maxval, 1);
MALLOCARRAY(*rtableP, maxval+1);
MALLOCARRAY(*gtableP, maxval+1);
MALLOCARRAY(*btableP, maxval+1);
Index: netpbm-11.9.3/editor/pnmhisteq.c
===================================================================
--- netpbm-11.9.3.orig/editor/pnmhisteq.c
+++ netpbm-11.9.3/editor/pnmhisteq.c
@@ -106,6 +106,7 @@ computeLuminosityHistogram(xel * const *
unsigned int pixelCount;
unsigned int * lumahist;
+ overflow_add(maxval, 1);
MALLOCARRAY(lumahist, maxval + 1);
if (lumahist == NULL)
pm_error("Out of storage allocating array for %u histogram elements",
Index: netpbm-11.9.3/editor/pnmpad.c
===================================================================
--- netpbm-11.9.3.orig/editor/pnmpad.c
+++ netpbm-11.9.3/editor/pnmpad.c
@@ -1127,6 +1127,8 @@ main(int argc, const char ** argv) {
computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
+ overflow_add(cols, lpad);
+ overflow_add(cols + lpad, rpad);
newcols = cols + lpad + rpad;
if (cmdline.reportonly)
Index: netpbm-11.9.3/editor/pnmremap.c
===================================================================
--- netpbm-11.9.3.orig/editor/pnmremap.c
+++ netpbm-11.9.3/editor/pnmremap.c
@@ -469,6 +469,7 @@ fserr_init(struct pam * const pamP,
unsigned int plane;
unsigned int const fserrSz = pamP->width + 2;
+ overflow_add(pamP->width, 2);
fserrP->width = pamP->width;
@@ -508,6 +509,7 @@ floydInitRow(struct pam * const pamP,
unsigned int col;
+ overflow_add(pamP->width, 2);
for (col = 0; col < pamP->width + 2; ++col) {
unsigned int plane;
for (plane = 0; plane < pamP->depth; ++plane)
Index: netpbm-11.9.3/editor/pnmshear.c
===================================================================
--- netpbm-11.9.3.orig/editor/pnmshear.c
+++ netpbm-11.9.3/editor/pnmshear.c
@@ -15,6 +15,7 @@
#include <assert.h>
#include <math.h>
#include <string.h>
+#include <limits.h>
#include "pm_c_util.h"
#include "mallocvar.h"
@@ -235,6 +236,11 @@ main(int argc, const char * argv[]) {
shearfac = tan(cmdline.angle);
+ if(rows * shearfac >= INT_MAX-1)
+ pm_error("image too large");
+
+ overflow_add(rows * shearfac, cols+1);
+
newcolsD = (double) rows * fabs(shearfac) + cols + 0.999999;
if (newcolsD > INT_MAX-2)
pm_error("angle is too close to +/-90 degrees; "
Index: netpbm-11.9.3/editor/specialty/pamoil.c
===================================================================
--- netpbm-11.9.3.orig/editor/specialty/pamoil.c
+++ netpbm-11.9.3/editor/specialty/pamoil.c
@@ -185,6 +185,7 @@ main(int argc, const char ** argv) {
tuples = pnm_readpam(ifP, &inpam, PAM_STRUCT_SIZE(tuple_type));
+ overflow_add(inpam.maxval, 1);
MALLOCARRAY(hist, inpam.maxval + 1);
if (hist == NULL)
pm_error("Unable to allocate memory for histogram.");
Index: netpbm-11.9.3/generator/pbmtext.c
===================================================================
--- netpbm-11.9.3.orig/generator/pbmtext.c
+++ netpbm-11.9.3/generator/pbmtext.c
@@ -1193,6 +1193,7 @@ computeMargins(struct CmdlineInfo const
*hmarginP = fontP->maxwidth;
} else {
*vmarginP = fontP->maxheight;
+ overflow2(2, fontP->maxwidth);
*hmarginP = 2 * fontP->maxwidth;
}
}
Index: netpbm-11.9.3/generator/pgmkernel.c
===================================================================
--- netpbm-11.9.3.orig/generator/pgmkernel.c
+++ netpbm-11.9.3/generator/pgmkernel.c
@@ -224,6 +224,7 @@ main(int argc, const char * argv[]) {
/* Output matrix is symmetric vertically and horizontally. */
+ overflow_add(cmdline.rows, 1);
arows = (cmdline.rows + 1) / 2;
/* Half the number of rows. Add 1 if odd. */
halfKernel = pgm_allocarray(cmdline.cols, arows);
Index: netpbm-11.9.3/lib/libpammap.c
===================================================================
--- netpbm-11.9.3.orig/lib/libpammap.c
+++ netpbm-11.9.3/lib/libpammap.c
@@ -111,6 +111,8 @@ allocTupleIntListItem(struct pam * const
if (pamP->depth > (UINT_MAX - sizeof(*retval)) / sizeof(sample))
pm_error("Depth %u is too large for computation", pamP->depth);
+ overflow2(pamP->depth, sizeof(sample));
+ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample));
unsigned int const size =
sizeof(*retval) - sizeof(retval->tupleint.tuple)
+ pamP->depth * sizeof(sample);
Index: netpbm-11.9.3/lib/libpbm1.c
===================================================================
--- netpbm-11.9.3.orig/lib/libpbm1.c
+++ netpbm-11.9.3/lib/libpbm1.c
@@ -80,6 +80,7 @@ pbm_check(FILE * const fil
} else {
pm_filepos const bytesPerRow = (cols+7)/8;
pm_filepos const needRasterSize = rows * bytesPerRow;
+ overflow2(bytesPerRow, rows);
pm_check(fileP, checkType, needRasterSize, retvalP);
}
}
Index: netpbm-11.9.3/lib/libpm.c
===================================================================
--- netpbm-11.9.3.orig/lib/libpm.c
+++ netpbm-11.9.3/lib/libpm.c
@@ -901,6 +901,55 @@ pm_parse_height(const char * const arg)
return height;
}
+/*
+ * Maths wrapping
+ */
+
+void __overflow2(int a, int b)
+{
+ if(a < 0 || b < 0)
+ pm_error("object too large");
+ if(b == 0)
+ return;
+ if(a > INT_MAX / b)
+ pm_error("object too large");
+}
+
+void overflow3(int a, int b, int c)
+{
+ overflow2(a,b);
+ overflow2(a*b, c);
+}
+
+void overflow_add(int a, int b)
+{
+ if( a > INT_MAX - b)
+ pm_error("object too large");
+}
+
+void *malloc2(int a, int b)
+{
+ overflow2(a, b);
+ if(a*b == 0)
+ pm_error("Zero byte allocation");
+ return malloc(a*b);
+}
+
+void *malloc3(int a, int b, int c)
+{
+ overflow3(a, b, c);
+ if(a*b*c == 0)
+ pm_error("Zero byte allocation");
+ return malloc(a*b*c);
+}
+
+void *realloc2(void * a, int b, int c)
+{
+ overflow2(b, c);
+ if(b*c == 0)
+ pm_error("Zero byte allocation");
+ return realloc(a, b*c);
+}
unsigned int
Index: netpbm-11.9.3/lib/pm.h
===================================================================
--- netpbm-11.9.3.orig/lib/pm.h
+++ netpbm-11.9.3/lib/pm.h
@@ -443,4 +443,11 @@ pm_parse_maxval(const char * const arg);
#endif
+void *malloc2(int, int);
+void *malloc3(int, int, int);
+#define overflow2(a,b) __overflow2(a,b)
+void __overflow2(int, int);
+void overflow3(int, int, int);
+void overflow_add(int, int);
+
#endif
Index: netpbm-11.9.3/other/pnmcolormap.c
===================================================================
--- netpbm-11.9.3.orig/other/pnmcolormap.c
+++ netpbm-11.9.3/other/pnmcolormap.c
@@ -1132,6 +1132,7 @@ colormapToSquare(struct pam * const pamP
pamP->width = intsqrt;
else
pamP->width = intsqrt + 1;
+ overflow_add(intsqrt, 1);
}
{
unsigned int const intQuotient = colormap.size / pamP->width;
Index: netpbm-11.9.3/urt/rle_addhist.c
===================================================================
--- netpbm-11.9.3.orig/urt/rle_addhist.c
+++ netpbm-11.9.3/urt/rle_addhist.c
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_addhist.c - Add to the HISTORY comment in header
@@ -58,14 +60,21 @@ newCommentLen(const char * const histoi
}
/* Add length of date and time in ASCII. */
+ overflow_add(length, strlen(timedate));
length += strlen(timedate);
/* Add length of padding, "on ", and length of history name plus "="*/
+ overflow_add(strlen(padding), 4);
+ overflow_add(strlen(histoire), strlen(padding) + 4);
+ overflow_add(length, strlen(histoire) + strlen(padding) + 4);
length += strlen(padding) + 3 + strlen(histoire) + 1;
- if (old && *old)
+ if (old && *old) {
+ overflow_add(length, strlen(old));
length += strlen(old); /* add length if there. */
+ }
+ overflow_add(length, 1);
++length; /* Add size of terminating NUL. */
return length;
Index: netpbm-11.9.3/urt/rle_getrow.c
===================================================================
--- netpbm-11.9.3.orig/urt/rle_getrow.c
+++ netpbm-11.9.3/urt/rle_getrow.c
@@ -17,6 +17,8 @@
*
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
* to have all "void" functions so declared.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_getrow.c - Read an RLE file in.
@@ -73,6 +75,7 @@ readComments(rle_hdr * const hdrP) {
char * commentHeap;
unsigned int i;
+ overflow_add(comlen, 1);
MALLOCARRAY(commentHeap, evenlen);
if (commentHeap == NULL) {
Index: netpbm-11.9.3/urt/rle_hdr.c
===================================================================
--- netpbm-11.9.3.orig/urt/rle_hdr.c
+++ netpbm-11.9.3/urt/rle_hdr.c
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_hdr.c - Functions to manipulate rle_hdr structures.
@@ -148,7 +150,7 @@ rle_hdr_cp(rle_hdr * const fromHdrP,
if (toHdrP->cmap) {
size_t const size =
toHdrP->ncmap * (1 << toHdrP->cmaplen) * sizeof(rle_map);
- toHdrP->cmap = malloc(size);
+ toHdrP->cmap = (rle_map *)malloc3( toHdrP->ncmap, 1<<toHdrP->cmaplen, sizeof(rle_map));
if (!toHdrP->cmap)
pm_error("Failed to allocate memory for %u color maps "
"of length %u", toHdrP->ncmap, 1 << toHdrP->cmaplen);
@@ -164,11 +166,16 @@ rle_hdr_cp(rle_hdr * const fromHdrP,
/* Count the comments. */
for (cp = toHdrP->comments, size = 0; *cp; ++cp)
+ {
+ overflow_add(size, 1);
++size;
+ }
/* Check if there are really any comments. */
if (size > 0) {
+ overflow_add(size, 1);
++size; /* Copy the NULL pointer, too. */
+ overflow2(size, sizeof(char *));
size *= sizeof(char *);
toHdrP->comments = malloc(size);
if (!toHdrP->comments)
Index: netpbm-11.9.3/urt/rle.h
===================================================================
--- netpbm-11.9.3.orig/urt/rle.h
+++ netpbm-11.9.3/urt/rle.h
@@ -14,6 +14,9 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ * Header declarations needed
*/
/*
* rle.h - Global declarations for Utah Raster Toolkit RLE programs.
@@ -152,6 +155,17 @@ rle_hdr /* End of typedef. *
*/
extern rle_hdr rle_dflt_hdr;
+/*
+ * Provided by pm library
+ */
+
+extern void overflow_add(int, int);
+#define overflow2(a,b) __overflow2(a,b)
+extern void __overflow2(int, int);
+extern void overflow3(int, int, int);
+extern void *malloc2(int, int);
+extern void *malloc3(int, int, int);
+extern void *realloc2(void *, int, int);
/* Declare RLE library routines. */
Index: netpbm-11.9.3/urt/rle_open_f.c
===================================================================
--- netpbm-11.9.3.orig/urt/rle_open_f.c
+++ netpbm-11.9.3/urt/rle_open_f.c
@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const f
FILE ** const fpP,
bool * const noSubprocessP,
const char ** const errorP) {
-
-#ifdef NO_OPEN_PIPES
*noSubprocessP = TRUE;
-#else
- const char *cp;
-
- reapChildren(catchingChildrenP, pids);
-
- /* Real file, not stdin or stdout. If name ends in ".Z",
- * pipe from/to un/compress (depending on r/w mode).
- *
- * If it starts with "|", popen that command.
- */
-
- cp = file_name + strlen(file_name) - 2;
- /* Pipe case. */
- if (file_name[0] == '|') {
- pid_t thepid; /* PID from my_popen */
-
- *noSubprocessP = FALSE;
-
- *fpP = my_popen(file_name + 1, mode, &thepid);
- if (*fpP == NULL)
- *errorP = "%s: can't invoke <<%s>> for %s: ";
- else {
- /* One more child to catch, eventually. */
- if (*catchingChildrenP < MAX_CHILDREN)
- pids[(*catchingChildrenP)++] = thepid;
- }
- } else if (cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) {
- /* Compress case. */
- pid_t thepid; /* PID from my_popen. */
- const char * command;
-
- *noSubprocessP = FALSE;
-
- if (*mode == 'w')
- pm_asprintf(&command, "compress > %s", file_name);
- else if (*mode == 'a')
- pm_asprintf(&command, "compress >> %s", file_name);
- else
- pm_asprintf(&command, "compress -d < %s", file_name);
-
- *fpP = my_popen(command, mode, &thepid);
-
- if (*fpP == NULL)
- *errorP = "%s: can't invoke 'compress' program, "
- "trying to open %s for %s";
- else {
- /* One more child to catch, eventually. */
- if (*catchingChildrenP < MAX_CHILDREN)
- pids[(*catchingChildrenP)++] = thepid;
- }
- pm_strfree(command);
- } else {
- *noSubprocessP = TRUE;
- *errorP = NULL;
- }
-#endif
}
Index: netpbm-11.9.3/urt/rle_putcom.c
===================================================================
--- netpbm-11.9.3.orig/urt/rle_putcom.c
+++ netpbm-11.9.3/urt/rle_putcom.c
@@ -14,6 +14,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
* and the reason for such modification.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* rle_putcom.c - Add a picture comment to the header struct.
Index: netpbm-11.9.3/urt/Runput.c
===================================================================
--- netpbm-11.9.3.orig/urt/Runput.c
+++ netpbm-11.9.3/urt/Runput.c
@@ -17,6 +17,8 @@
*
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
* to have all "void" functions so declared.
+ *
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
*/
/*
* Runput.c - General purpose Run Length Encoding.
@@ -235,7 +237,7 @@ RunSetup(rle_hdr * const hdrP) {
rle_pixel * background;
int * bg_color;
- assert(hdrP->ncolors < UINT_MAX);
+ overflow_add(hdrP->ncolors,1);
MALLOCARRAY_NOFAIL(background, hdrP->ncolors + 1);
@@ -262,7 +264,7 @@ RunSetup(rle_hdr * const hdrP) {
unsigned char * h_cmap;
unsigned int i;
- MALLOCARRAY(h_cmap, nmap * 2);
+ h_cmap = (char *)malloc2( nmap, 2 );
if (!h_cmap) {
pm_error("Failed to allocate memory for color map of size %u, "
Index: netpbm-11.9.3/lib/libpam.c
===================================================================
--- netpbm-11.9.3.orig/lib/libpam.c
+++ netpbm-11.9.3/lib/libpam.c
@@ -258,7 +258,8 @@ allocPamRow(const struct pam * const pam
unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample);
tuple * tuplerow;
- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple));
+ overflow_add(sizeof(tuple *), bytesPerTuple);
+ tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple));
if (tuplerow != NULL) {
/* Now we initialize the pointers to the individual tuples
