From 6e4c1e5a53c4cf622204dbc43a3afdabd0bab92e Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Mon, 12 Jul 2010 07:16:21 +0000
Subject: [PATCH] - update to 10.47.17 - add couple of missign overflow checks
---
 .cvsignore | 2 +-
 netpbm-security-code.patch | 96 ++++++++++++++++++++++++++++++++++++++
 netpbm.spec | 6 ++-
 sources | 2 +-
 4 files changed, 103 insertions(+), 3 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 49a97ea..a9917c9 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-netpbm-10.47.16.tar.xz
+netpbm-10.47.17.tar.xz
diff --git a/netpbm-security-code.patch b/netpbm-security-code.patch
index e8fbc29..806f605 100644
--- a/netpbm-security-code.patch
+++ b/netpbm-security-code.patch
@@ -878,6 +878,102 @@ diff -up netpbm-10.47.04/converter/ppm/ppmtomitsu.c.security netpbm-10.47.04/con
 medias.maxcols *= 2;
 medias.maxrows *= 2;
 }
+diff -up netpbm-10.47.04/converter/ppm/ppmtompeg/iframe.c.security netpbm-10.47.04/converter/ppm/ppmtompeg/iframe.c
+--- netpbm-10.47.04/converter/ppm/ppmtompeg/iframe.c.security 2009-10-21 13:39:09.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtompeg/iframe.c 2009-10-21 15:09:33.000000000 +0200
+@@ -800,7 +800,8 @@ BlockComputeSNR(MpegFrame * const curren
+ if (needs_init) {
+ int ysz = (Fsize_y>>3) * sizeof(int32 *);
+ int xsz = (Fsize_x>>3);
+-
++
++ overflow2((Fsize_y>>3), sizeof(int32 *));
+ needs_init = FALSE;
+ for (y=0; y<3; y++) {
+ varDiff[y] = ratio[y] = total[y] = 0.0;
+@@ -819,6 +820,7 @@ BlockComputeSNR(MpegFrame * const curren
+ fprintf(stderr, "Out of memory in BlockComputeSNR\n");
+ exit(-1);
+ }
++ overflow2(xsz,4);
+ for (y = 0; y < ySize[0]>>3; y++) {
+ SignalY[y] = (int32 *) calloc(xsz,4);
+ SignalCr[y] = (int32 *) calloc(xsz,4);
+diff -up netpbm-10.47.04/converter/ppm/ppmtompeg/parallel.c.security netpbm-10.47.04/converter/ppm/ppmtompeg/parallel.c
+--- netpbm-10.47.04/converter/ppm/ppmtompeg/parallel.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtompeg/parallel.c 2009-10-21 15:09:33.000000000 +0200
+@@ -2161,7 +2161,9 @@ DecodeServer(int const numInput
+ const char * error;
+
+ /* should keep list of port numbers to notify when frames become ready */
+-
++
++ overflow2(numInputFiles, sizeof(int));
++ overflow2(numInputFiles, sizeof(boolean));
+ ready = (boolean *) calloc(numInputFiles, sizeof(boolean));
+ waitMachine = (int *) calloc(numInputFiles, sizeof(int));
+ waitPort = (int *) malloc(numMachines*sizeof(int));
+diff -up netpbm-10.47.04/converter/ppm/ppmtompeg/psearch.c.security netpbm-10.47.04/converter/ppm/ppmtompeg/psearch.c
+--- netpbm-10.47.04/converter/ppm/ppmtompeg/psearch.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtompeg/psearch.c 2009-10-21 15:09:33.000000000 +0200
+@@ -216,7 +216,14 @@ SetSearchRange(int const pixelsP, int co
+ int const max_search = max(searchRangeP, searchRangeB);
+
+ int index;
+-
++
++ overflow2(searchRangeP, 2);
++ overflow2(searchRangeB, 2);
++ overflow_add(searchRangeP*2, 3);
++ overflow_add(searchRangeB*2, 3);
++ overflow2(2*searchRangeB+3, sizeof(int));
++ overflow2(2*searchRangeP+3, sizeof(int));
++
+ pmvHistogram = (int **) malloc((2*searchRangeP+3)*sizeof(int *));
+ bbmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *));
+ bfmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *));
+@@ -800,6 +807,9 @@ ShowPMVHistogram(fpointer)
+ int *columnTotals;
+ int rowTotal;
+
++ overflow2(searchRangeP, 2);
++ overflow_add(searchRangeP*2, 3);
++ overflow2(searchRangeP*2+3, sizeof(int));
+ columnTotals = (int *) calloc(2*searchRangeP+3, sizeof(int));
+
+ #ifdef COMPLETE_DISPLAY
+@@ -847,6 +857,9 @@ ShowBBMVHistogram(fpointer)
+
+ fprintf(fpointer, "B-frame Backwards:\n");
+
++ overflow2(searchRangeB, 2);
++ overflow_add(searchRangeB*2, 3);
++ overflow2(searchRangeB*2+3, sizeof(int));
+ columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int));
+
+ #ifdef COMPLETE_DISPLAY
+@@ -894,6 +907,9 @@ ShowBFMVHistogram(fpointer)
+
+ fprintf(fpointer, "B-frame Forwards:\n");
+
++ overflow2(searchRangeB, 2);
++ overflow_add(searchRangeB*2, 3);
++ overflow2(searchRangeB*2+3, sizeof(int));
+ columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int));
+
+ #ifdef COMPLETE_DISPLAY
+diff -up netpbm-10.47.04/converter/ppm/ppmtompeg/rgbtoycc.c.security netpbm-10.47.04/converter/ppm/ppmtompeg/rgbtoycc.c
+--- netpbm-10.47.04/converter/ppm/ppmtompeg/rgbtoycc.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtompeg/rgbtoycc.c 2009-10-21 15:09:33.000000000 +0200
+@@ -72,6 +72,8 @@ compute_mult_tables(const pixval maxval)
+ }
+ table_maxval = maxval;
+
++ overflow_add(table_maxval, 1);
++ overflow2(table_maxval+1, sizeof(float));
+ mult299 = malloc((table_maxval+1)*sizeof(float));
+ mult587 = malloc((table_maxval+1)*sizeof(float));
+ mult114 = malloc((table_maxval+1)*sizeof(float));
 diff -up netpbm-10.47.04/converter/ppm/ppmtopcx.c.security netpbm-10.47.04/converter/ppm/ppmtopcx.c
 --- netpbm-10.47.04/converter/ppm/ppmtopcx.c.security 2009-10-21 13:39:10.000000000 +0200
 +++ netpbm-10.47.04/converter/ppm/ppmtopcx.c 2009-10-21 15:09:33.000000000 +0200
diff --git a/netpbm.spec b/netpbm.spec
index e39f275..0ae2963 100644
--- a/netpbm.spec
+++ b/netpbm.spec
@@ -1,6 +1,6 @@
 Summary: A library for handling different graphics file formats
 Name: netpbm
-Version: 10.47.16
+Version: 10.47.17
 Release: 1%{?dist}
 # See copyright_summary for details
 License: BSD and GPLv2 and IJG and MIT and Public Domain
@@ -251,6 +251,10 @@ rm -rf $RPM_BUILD_ROOT %doc userguide/* %changelog
+* Mon Jul 12 2010 Jindrich Novy 10.47.17-1
+- update to 10.47.17
+- add couple of missign overflow checks
+
 * Fri Jun 18 2010 Jindrich Novy 10.47.16-1
 - update to 10.47.16
 - fixes pbmtext
diff --git a/sources b/sources
index ed202c2..5597529 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-41be70b9506fcb414821850732be7909 netpbm-10.47.16.tar.xz
+993ad1befc3b2f2ba8c80d78f9323707 netpbm-10.47.17.tar.xz
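Review bot: Two of the added guards in netpbm-security-code.patch do not cover the allocation they sit next to. In the parallel.c hunk (DecodeServer) the new `overflow2()` calls guard the two `calloc(numInputFiles, ...)` calls, but `waitPort = (int *) malloc(numMachines*sizeof(int));` on the following line is an open-coded multiplication with no guard; `overflow2(numMachines, sizeof(int));` belongs beside the other two. In the psearch.c hunk (SetSearchRange) the checks multiply by `sizeof(int)` while the three `malloc` calls multiply by `sizeof(int *)`, so on a platform where a pointer is wider than int the checked product is smaller than the allocated one; they should read `overflow2(2*searchRangeP+3, sizeof(int *));` and likewise for `searchRangeB`. The definition of `overflow2` is not part of this diff, so this assumes it rejects a product that does not fit in an int; both function bodies continue outside their hunks, and whether the `malloc` results are checked afterwards cannot be seen from here.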