From 123a01124f98861542e84f27b62bbc0e08571ac5 Mon Sep 17 00:00:00 2001
From: Jindrich Novy <jnovy@redhat.com>
Date: Wed, 13 Jun 2012 15:49:08 +0200
Subject: [PATCH] - fix ppmtopict buffer underflow - fix memory corruption in
 pnmtopclxl

---
 netpbm-pnmtopclxl.patch | 16 ++++++++++++++++
 netpbm-ppmtopict.patch  | 12 ++++++++++++
 netpbm.spec             | 11 ++++++++++-
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 netpbm-pnmtopclxl.patch
 create mode 100644 netpbm-ppmtopict.patch

diff --git a/netpbm-pnmtopclxl.patch b/netpbm-pnmtopclxl.patch
new file mode 100644
index 0000000..dc67040
--- /dev/null
+++ b/netpbm-pnmtopclxl.patch
@@ -0,0 +1,16 @@
+diff -up netpbm-10.58.01/converter/other/pnmtopclxl.c.pnmtopclxl netpbm-10.58.01/converter/other/pnmtopclxl.c
+--- netpbm-10.58.01/converter/other/pnmtopclxl.c.pnmtopclxl	2012-04-09 15:31:42.000000000 +0200
++++ netpbm-10.58.01/converter/other/pnmtopclxl.c	2012-06-13 15:39:17.566141565 +0200
+@@ -269,10 +269,10 @@ XY_RLEnew(size_t const size) {
+ 
+     MALLOCVAR(rleP);
+     if (rleP) {
+-        rleP->fbuf = malloc(size);
++        rleP->fbufsize = MAX(1024, size);
++        rleP->fbuf = malloc(rleP->fbufsize);
+ 
+         if (rleP->fbuf) {
+-            rleP->fbufsize = MAX(1024, size);
+             retval = rleP;
+         } else
+             retval = NULL;
diff --git a/netpbm-ppmtopict.patch b/netpbm-ppmtopict.patch
new file mode 100644
index 0000000..97b7d2b
--- /dev/null
+++ b/netpbm-ppmtopict.patch
@@ -0,0 +1,12 @@
+diff -up netpbm-10.58.01/converter/ppm/ppmtopict.c.ppmtopict netpbm-10.58.01/converter/ppm/ppmtopict.c
+--- netpbm-10.58.01/converter/ppm/ppmtopict.c.ppmtopict	2012-06-13 09:52:42.000000000 +0200
++++ netpbm-10.58.01/converter/ppm/ppmtopict.c	2012-06-13 11:33:11.134747363 +0200
+@@ -200,7 +200,7 @@ putRow(FILE * const ifP,
+        pixel *      const rowpixels,
+        char *       const packed) {
+ 
+-    unsigned int i;
++    int i;
+     unsigned int count;
+     unsigned int run;
+     unsigned int rep;
diff --git a/netpbm.spec b/netpbm.spec
index 4637b2f..f460d6d 100644
--- a/netpbm.spec
+++ b/netpbm.spec
@@ -1,7 +1,7 @@
 Summary: A library for handling different graphics file formats
 Name: netpbm
 Version: 10.58.01
-Release: 2%{?dist}
+Release: 3%{?dist}
 # See copyright_summary for details
 License: BSD and GPLv2 and IJG and MIT and Public Domain
 Group: System Environment/Libraries
@@ -31,6 +31,8 @@ Patch20: netpbm-noppmtompeg.patch
 Patch21: netpbm-cmuwtopbm.patch
 Patch22: netpbm-pamtojpeg2k.patch
 Patch23: netpbm-manfix.patch
+Patch24: netpbm-ppmtopict.patch
+Patch25: netpbm-pnmtopclxl.patch
 BuildRequires: libjpeg-devel, libpng-devel, libtiff-devel, flex
 BuildRequires: libX11-devel, python, jasper-devel, libxml2-devel
 
@@ -102,6 +104,8 @@ netpbm-doc.  You'll also need to install the netpbm-progs package.
 %patch21 -p1 -b .cmuwtopbmfix
 %patch22 -p1 -b .pamtojpeg2kfix
 %patch23 -p1 -b .manfix
+%patch24 -p1 -b .ppmtopict
+%patch25 -p1 -b .pnmtopclxl
 
 sed -i 's/STRIPFLAG = -s/STRIPFLAG =/g' config.mk.in
 rm -rf converter/other/jpeg2000/libjasper/
@@ -131,6 +135,7 @@ sed -i -e 's/^SUBDIRS = libjasper/SUBDIRS =/' converter/other/jpeg2000/Makefile
 EOF
 
 TOP=`pwd`
+
 make \
 	CC="%{__cc}" \
 	LDFLAGS="-L$TOP/pbm -L$TOP/pgm -L$TOP/pnm -L$TOP/ppm" \
@@ -245,6 +250,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc userguide/*
 
 %changelog
+* Wed Jun 13 2012 Jindrich Novy <jnovy@redhat.com> 10.58.01-3
+- fix ppmtopict buffer underflow
+- fix memory corruption in pnmtopclxl
+
 * Sun May 06 2012 Jindrich Novy <jnovy@redhat.com> 10.58.01-2
 - rebuild against new libtiff