diff -up netpbm-10.56.03/analyzer/pgmtexture.c.security-code netpbm-10.56.03/analyzer/pgmtexture.c --- netpbm-10.56.03/analyzer/pgmtexture.c.security-code 2011-11-09 09:17:48.000000000 +0100 +++ netpbm-10.56.03/analyzer/pgmtexture.c 2011-11-09 13:34:31.216370336 +0100 @@ -97,7 +97,7 @@ vector(unsigned int const nl, float * v; assert(nh >= nl); - + overflow_add(nh - nl, 1); MALLOCARRAY(v, (unsigned) (nh - nl + 1)); if (v == NULL) @@ -129,6 +129,7 @@ matrix (unsigned int const nrl, assert(nrh >= nrl); /* allocate pointers to rows */ + overflow_add(nrh - nrl, 1); MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); if (m == NULL) pm_error("Unable to allocate memory for a matrix."); @@ -136,7 +137,7 @@ matrix (unsigned int const nrl, m -= ncl; assert (nch >= ncl); - + overflow_add(nch - ncl, 1); /* allocate rows and set pointers to them */ for (i = nrl; i <= nrh; ++i) { MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); diff -up netpbm-10.56.03/converter/other/gemtopnm.c.security-code netpbm-10.56.03/converter/other/gemtopnm.c --- netpbm-10.56.03/converter/other/gemtopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/gemtopnm.c 2011-11-09 13:11:20.643591439 +0100 @@ -106,6 +106,7 @@ main(argc, argv) pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); + overflow_add(cols, padright); { /* allocate input row data structure */ int plane; diff -up netpbm-10.56.03/converter/other/jpegtopnm.c.security-code netpbm-10.56.03/converter/other/jpegtopnm.c --- netpbm-10.56.03/converter/other/jpegtopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/jpegtopnm.c 2011-11-09 13:11:20.644591445 +0100 @@ -861,6 +861,8 @@ convertImage(FILE * /* Calculate output image dimensions so we can allocate space */ jpeg_calc_output_dimensions(cinfoP); + overflow2(cinfoP->output_width, cinfoP->output_components); + /* Start decompressor */ jpeg_start_decompress(cinfoP); diff -up netpbm-10.56.03/converter/other/pbmtopgm.c.security-code netpbm-10.56.03/converter/other/pbmtopgm.c --- netpbm-10.56.03/converter/other/pbmtopgm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/pbmtopgm.c 2011-11-09 13:11:20.644591445 +0100 @@ -47,6 +47,7 @@ main(int argc, char *argv[]) { "than the image height (%u rows)", height, rows); outrow = pgm_allocrow(cols) ; + overflow2(width, height); maxval = MIN(PGM_OVERALLMAXVAL, width*height); pgm_writepgminit(stdout, cols, rows, maxval, 0) ; diff -up netpbm-10.56.03/converter/other/pnmtoddif.c.security-code netpbm-10.56.03/converter/other/pnmtoddif.c --- netpbm-10.56.03/converter/other/pnmtoddif.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/pnmtoddif.c 2011-11-09 13:11:20.645591451 +0100 @@ -632,6 +632,7 @@ main(int argc, char *argv[]) { switch (PNM_FORMAT_TYPE(format)) { case PBM_TYPE: ip.bits_per_pixel = 1; + overflow_add(cols, 7); ip.bytes_per_line = (cols + 7) / 8; ip.spectral = 2; ip.components = 1; @@ -647,6 +648,7 @@ main(int argc, char *argv[]) { ip.polarity = 2; break; case PPM_TYPE: + overflow2(cols, 3); ip.bytes_per_line = 3 * cols; ip.bits_per_pixel = 24; ip.spectral = 5; diff -up netpbm-10.56.03/converter/other/pnmtojpeg.c.security-code netpbm-10.56.03/converter/other/pnmtojpeg.c --- netpbm-10.56.03/converter/other/pnmtojpeg.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/pnmtojpeg.c 2011-11-09 13:11:20.646591457 +0100 @@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const ci want JPOOL_PERMANENT. */ const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); - jpeg_scan_info * const scan_info = + const jpeg_scan_info * scan_info; + + overflow2(nscans, sizeof(jpeg_scan_info)); + + scan_info = (jpeg_scan_info *) (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, scan_info_size); @@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const const long half_maxval = maxval / 2; long val; + overflow_add(maxval, 1); + overflow2(maxval+1, sizeof(JSAMPLE)); *rescale_p = (JSAMPLE *) (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, (size_t) (((long) maxval + 1L) * @@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_s */ /* Allocate the libpnm output and compressor input buffers */ + overflow2(cinfo_p->image_width, cinfo_p->input_components); buffer = (*cinfo_p->mem->alloc_sarray) ((j_common_ptr) cinfo_p, JPOOL_IMAGE, (unsigned int) cinfo_p->image_width * cinfo_p->input_components, diff -up netpbm-10.56.03/converter/other/pnmtops.c.security-code netpbm-10.56.03/converter/other/pnmtops.c --- netpbm-10.56.03/converter/other/pnmtops.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/pnmtops.c 2011-11-09 14:27:34.229742326 +0100 @@ -256,17 +256,21 @@ parseCommandLine(int argc, const char ** validateCompDimension(width, 72, "-width value"); validateCompDimension(height, 72, "-height value"); + overflow2(width, 72); cmdlineP->width = width * 72; + overflow2(height, 72); cmdlineP->height = height * 72; if (imagewidthSpec) { validateCompDimension(imagewidth, 72, "-imagewidth value"); + overflow2(imagewidth, 72); cmdlineP->imagewidth = imagewidth * 72; } else cmdlineP->imagewidth = 0; if (imageheightSpec) { - validateCompDimension(imagewidth, 72, "-imageheight value"); + validateCompDimension(imageheight, 72, "-imageheight value"); + overflow2(imageheight, 72); cmdlineP->imageheight = imageheight * 72; } else diff -up netpbm-10.56.03/converter/other/pnmtorle.c.security-code netpbm-10.56.03/converter/other/pnmtorle.c --- netpbm-10.56.03/converter/other/pnmtorle.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/pnmtorle.c 2011-11-09 13:11:20.648591469 +0100 @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * pnmtorle - A program which will convert pbmplus (ppm or pgm) images diff -up netpbm-10.56.03/converter/other/pnmtosgi.c.security-code netpbm-10.56.03/converter/other/pnmtosgi.c --- netpbm-10.56.03/converter/other/pnmtosgi.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/pnmtosgi.c 2011-11-09 13:11:20.648591469 +0100 @@ -254,6 +254,7 @@ build_channels(FILE * const ifp, int con #endif if( storage != STORAGE_VERBATIM ) { + overflow2(channels, rows); MALLOCARRAY_NOFAIL(table, channels * rows); MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); } @@ -306,6 +307,8 @@ compress(ScanElem * temp, break; case STORAGE_RLE: tabrow = chan_no * rows + row; + overflow2(chan_no, rows); + overflow_add(chan_no* rows, row); len = rle_compress(temp, cols); /* writes result into rletemp */ channel[chan_no][row].length = len; MALLOCARRAY(p, len); diff -up netpbm-10.56.03/converter/other/rletopnm.c.security-code netpbm-10.56.03/converter/other/rletopnm.c --- netpbm-10.56.03/converter/other/rletopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/rletopnm.c 2011-11-09 13:11:20.649591475 +0100 @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rletopnm - A conversion program to convert from Utah's "rle" image format diff -up netpbm-10.56.03/converter/other/sgitopnm.c.security-code netpbm-10.56.03/converter/other/sgitopnm.c --- netpbm-10.56.03/converter/other/sgitopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/sgitopnm.c 2011-11-09 14:31:58.849972480 +0100 @@ -359,10 +359,14 @@ readChannels(FILE * const ifP, MALLOCARRAY_NOFAIL(image, head->ysize); } else { maxchannel = MIN(3, head->zsize); + overflow2(head->ysize, maxchannel); MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); } - if (table) + if (table) { + overflow2(head->xsize, 2); + overflow_add(head->xsize*2, 2); MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); + } for (channel = 0; channel < maxchannel; ++channel) { unsigned int row; diff -up netpbm-10.56.03/converter/other/sirtopnm.c.security-code netpbm-10.56.03/converter/other/sirtopnm.c --- netpbm-10.56.03/converter/other/sirtopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/sirtopnm.c 2011-11-09 13:11:20.650591481 +0100 @@ -69,6 +69,7 @@ char* argv[]; } break; case PPM_TYPE: + overflow3(cols, rows, 3); picsize = cols * rows * 3; planesize = cols * rows; if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) diff -up netpbm-10.56.03/converter/other/tifftopnm.c.security-code netpbm-10.56.03/converter/other/tifftopnm.c --- netpbm-10.56.03/converter/other/tifftopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/tifftopnm.c 2011-11-09 13:11:20.651591487 +0100 @@ -1279,7 +1279,9 @@ convertRasterByRows(pnmOut * const if (scanbuf == NULL) pm_error("can't allocate memory for scanline buffer"); - MALLOCARRAY(samplebuf, cols * spp); + /* samplebuf is unsigned int * !!! */ + samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp); + if (samplebuf == NULL) pm_error("can't allocate memory for row buffer"); diff -up netpbm-10.56.03/converter/other/xwdtopnm.c.security-code netpbm-10.56.03/converter/other/xwdtopnm.c --- netpbm-10.56.03/converter/other/xwdtopnm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/other/xwdtopnm.c 2011-11-09 13:11:20.653591497 +0100 @@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons *colorsP = pnm_allocrow(2); PNM_ASSIGN1((*colorsP)[0], 0); PNM_ASSIGN1((*colorsP)[1], *maxvalP); + overflow_add(h10P->pixmap_width, 15); + if(h10P->pixmap_width < 0) + pm_error("assert: negative width"); + overflow2((((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width), 8); *padrightP = (((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8; *bits_per_itemP = 16; @@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons *colsP = h11FixedP->pixmap_width; *rowsP = h11FixedP->pixmap_height; + overflow2(h11FixedP->bytes_per_line, 8); *padrightP = h11FixedP->bytes_per_line * 8 - h11FixedP->pixmap_width * h11FixedP->bits_per_pixel; diff -up netpbm-10.56.03/converter/pbm/mdatopbm.c.security-code netpbm-10.56.03/converter/pbm/mdatopbm.c --- netpbm-10.56.03/converter/pbm/mdatopbm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/mdatopbm.c 2011-11-09 13:11:20.654591503 +0100 @@ -245,10 +245,13 @@ main(int argc, char **argv) { pm_readlittleshort(infile, &yy); nInCols = yy; } + overflow2(nOutCols, 8); nOutCols = 8 * nInCols; nOutRows = nInRows; - if (bScale) + if (bScale) { + overflow2(nOutRows, 2); nOutRows *= 2; + } data = pbm_allocarray(nOutCols, nOutRows); diff -up netpbm-10.56.03/converter/pbm/mgrtopbm.c.security-code netpbm-10.56.03/converter/pbm/mgrtopbm.c --- netpbm-10.56.03/converter/pbm/mgrtopbm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/mgrtopbm.c 2011-11-09 13:11:20.655591509 +0100 @@ -65,6 +65,8 @@ readMgrHeader(FILE * const ifP, if (head.h_high < ' ' || head.l_high < ' ') pm_error("Invalid width field in MGR header"); + overflow_add(*colsP, pad); + *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; diff -up netpbm-10.56.03/converter/pbm/pbmtoascii.c.security-code netpbm-10.56.03/converter/pbm/pbmtoascii.c diff -up netpbm-10.56.03/converter/pbm/pbmtogem.c.security-code netpbm-10.56.03/converter/pbm/pbmtogem.c --- netpbm-10.56.03/converter/pbm/pbmtogem.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtogem.c 2011-11-09 13:11:20.657591521 +0100 @@ -79,6 +79,7 @@ putinit (int const rows, int const cols) bitsperitem = 0; bitshift = 7; outcol = 0; + overflow_add(cols, 7); outmax = (cols + 7) / 8; outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); diff -up netpbm-10.56.03/converter/pbm/pbmtogo.c.security-code netpbm-10.56.03/converter/pbm/pbmtogo.c --- netpbm-10.56.03/converter/pbm/pbmtogo.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtogo.c 2011-11-09 13:11:20.657591521 +0100 @@ -158,6 +158,7 @@ main(int argc, bitrow = pbm_allocrow(cols); /* Round cols up to the nearest multiple of 8. */ + overflow_add(cols, 7); rucols = ( cols + 7 ) / 8; bytesperrow = rucols; /* GraphOn uses bytes */ rucols = rucols * 8; diff -up netpbm-10.56.03/converter/pbm/pbmtolj.c.security-code netpbm-10.56.03/converter/pbm/pbmtolj.c --- netpbm-10.56.03/converter/pbm/pbmtolj.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtolj.c 2011-11-09 13:11:20.658591527 +0100 @@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv, static void allocateBuffers(unsigned int const cols) { + overflow_add(cols, 8); rowBufferSize = (cols + 7) / 8; + overflow_add(rowBufferSize, 128); + overflow_add(rowBufferSize, rowBufferSize+128); + overflow_add(rowBufferSize+10, rowBufferSize/8); packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; diff -up netpbm-10.56.03/converter/pbm/pbmtomacp.c.security-code netpbm-10.56.03/converter/pbm/pbmtomacp.c --- netpbm-10.56.03/converter/pbm/pbmtomacp.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtomacp.c 2011-11-09 13:11:20.658591527 +0100 @@ -101,6 +101,7 @@ char *argv[]; if( !lflg ) left = 0; + overflow_add(left, MAX_COLS - 1); if( rflg ) { if( right - left >= MAX_COLS ) right = left + MAX_COLS - 1; @@ -111,6 +112,8 @@ char *argv[]; if( !tflg ) top = 0; + overflow_add(top, MAX_LINES - 1); + if( bflg ) { if( bottom - top >= MAX_LINES ) bottom = top + MAX_LINES - 1; diff -up netpbm-10.56.03/converter/pbm/pbmtomda.c.security-code netpbm-10.56.03/converter/pbm/pbmtomda.c --- netpbm-10.56.03/converter/pbm/pbmtomda.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtomda.c 2011-11-09 13:11:20.659591533 +0100 @@ -179,6 +179,7 @@ int main(int argc, char **argv) nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; + overflow_add(nOutRowsUnrounded, 3); nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; /* MDA wants rows a multiple of 4 */ nOutCols = nInCols / 8; diff -up netpbm-10.56.03/converter/pbm/pbmtoppa/pbm.c.security-code netpbm-10.56.03/converter/pbm/pbmtoppa/pbm.c --- netpbm-10.56.03/converter/pbm/pbmtoppa/pbm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtoppa/pbm.c 2011-11-09 13:11:20.659591533 +0100 @@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned return 0; case P4: + overflow_add(pbm->width, 7); tmp=(pbm->width+7)/8; tmp2=fread(data,1,tmp,pbm->fptr); if(tmp2 == tmp) @@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void return; pbm->unread = 1; - pbm->revdata = malloc ((pbm->width+7)/8); + overflow_add(pbm->width, 7); + pbm->revdata = malloc((pbm->width+7)/8); memcpy (pbm->revdata, data, (pbm->width+7)/8); pbm->current_line--; } diff -up netpbm-10.56.03/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm-10.56.03/converter/pbm/pbmtoppa/pbmtoppa.c --- netpbm-10.56.03/converter/pbm/pbmtoppa/pbmtoppa.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtoppa/pbmtoppa.c 2011-11-09 13:11:20.660591539 +0100 @@ -441,6 +441,7 @@ main(int argc, char *argv[]) { pm_error("main(): unrecognized parameter '%s'", argv[argn]); } + overflow_add(Width, 7); Pwidth=(Width+7)/8; printer.fptr=out; diff -up netpbm-10.56.03/converter/pbm/pbmtoxbm.c.security-code netpbm-10.56.03/converter/pbm/pbmtoxbm.c --- netpbm-10.56.03/converter/pbm/pbmtoxbm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtoxbm.c 2011-11-09 13:11:20.660591539 +0100 @@ -335,6 +335,8 @@ convertRaster(FILE * const ifP, unsigned char * bitrow; unsigned int row; + + overflow_add(cols, padright); putinit(xbmVersion); diff -up netpbm-10.56.03/converter/pbm/pbmtoybm.c.security-code netpbm-10.56.03/converter/pbm/pbmtoybm.c --- netpbm-10.56.03/converter/pbm/pbmtoybm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtoybm.c 2011-11-09 13:36:51.894456270 +0100 @@ -113,6 +113,7 @@ main(int argc, const char *argv[]) { bitrow = pbm_allocrow(cols); /* Compute padding to round cols up to the nearest multiple of 16. */ + overflow_add(cols, 16); padright = ((cols + 15) / 16) * 16 - cols; putinit(cols, rows); diff -up netpbm-10.56.03/converter/pbm/pbmtozinc.c.security-code netpbm-10.56.03/converter/pbm/pbmtozinc.c --- netpbm-10.56.03/converter/pbm/pbmtozinc.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmtozinc.c 2011-11-09 13:11:20.661591545 +0100 @@ -65,6 +65,7 @@ main(int argc, char * argv[]) { bitrow = pbm_allocrow( cols ); /* Compute padding to round cols up to the nearest multiple of 16. */ + overflow_add(cols, 16); padright = ( ( cols + 15 ) / 16 ) * 16 - cols; printf( "USHORT %s[] = {\n",name); diff -up netpbm-10.56.03/converter/pbm/pbmto10x.c.security-code netpbm-10.56.03/converter/pbm/pbmto10x.c --- netpbm-10.56.03/converter/pbm/pbmto10x.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmto10x.c 2011-11-09 13:11:20.655591509 +0100 @@ -162,7 +162,7 @@ main(int argc, char * argv[]) { res_60x72(); pm_close(ifp); - exit(0); + return 0; } diff -up netpbm-10.56.03/converter/pbm/pbmto4425.c.security-code netpbm-10.56.03/converter/pbm/pbmto4425.c --- netpbm-10.56.03/converter/pbm/pbmto4425.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pbmto4425.c 2011-11-09 13:11:20.656591515 +0100 @@ -2,6 +2,7 @@ #include "nstring.h" #include "pbm.h" +#include static char bit_table[2][3] = { {1, 4, 0x10}, @@ -160,7 +161,7 @@ main(int argc, char * argv[]) { xres = vmap_width * 2; yres = vmap_height * 3; - vmap = malloc(vmap_width * vmap_height * sizeof(char)); + vmap = malloc3(vmap_width, vmap_height, sizeof(char)); if(vmap == NULL) { pm_error( "Cannot allocate memory" ); diff -up netpbm-10.56.03/converter/pbm/pktopbm.c.security-code netpbm-10.56.03/converter/pbm/pktopbm.c --- netpbm-10.56.03/converter/pbm/pktopbm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/pktopbm.c 2011-11-09 13:11:20.661591545 +0100 @@ -277,6 +277,7 @@ main(int argc, char *argv[]) { if (flagbyte == 7) { /* long form preamble */ integer packetlength = get32() ; /* character packet length */ car = get32() ; /* character number */ + overflow_add(packetlength, pktopbm_pkloc); endofpacket = packetlength + pktopbm_pkloc; /* calculate end of packet */ if ((car >= MAXPKCHAR) || !filename[car]) { diff -up netpbm-10.56.03/converter/pbm/thinkjettopbm.l.security-code netpbm-10.56.03/converter/pbm/thinkjettopbm.l --- netpbm-10.56.03/converter/pbm/thinkjettopbm.l.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/thinkjettopbm.l 2011-11-09 13:11:20.662591551 +0100 @@ -114,7 +114,9 @@ DIG [0-9] \033\*b{DIG}+W { int l; if (rowCount >= rowCapacity) { + overflow_add(rowCapacity, 100); rowCapacity += 100; + overflow2(rowCapacity, sizeof *rows); rows = realloc (rows, rowCapacity * sizeof *rows); if (rows == NULL) pm_error ("Out of memory."); @@ -226,6 +228,8 @@ yywrap (void) /* * Quite simple since ThinkJet bit arrangement matches PBM */ + + overflow2(maxRowLength, 8); pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0); packed_bitrow = malloc(maxRowLength); diff -up netpbm-10.56.03/converter/pbm/ybmtopbm.c.security-code netpbm-10.56.03/converter/pbm/ybmtopbm.c --- netpbm-10.56.03/converter/pbm/ybmtopbm.c.security-code 2011-11-09 09:18:07.000000000 +0100 +++ netpbm-10.56.03/converter/pbm/ybmtopbm.c 2011-11-09 13:37:27.308618676 +0100 @@ -49,6 +49,7 @@ getinit(FILE * const ifP, pm_error("EOF / read error"); *depthP = 1; + overflow_add(*colsP, 15); *padrightP = ((*colsP + 15) / 16) * 16 - *colsP; } diff -up netpbm-10.56.03/converter/pgm/lispmtopgm.c.security-code netpbm-10.56.03/converter/pgm/lispmtopgm.c --- netpbm-10.56.03/converter/pgm/lispmtopgm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/pgm/lispmtopgm.c 2011-11-09 13:11:20.663591557 +0100 @@ -58,6 +58,7 @@ main( argc, argv ) pm_error( "depth (%d bits) is too large", depth); pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 ); + overflow_add(cols, 7); grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 ); for ( row = 0; row < rows; ++row ) @@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad if ( *depthP == 0 ) *depthP = 1; /* very old file */ - + + overflow_add((int)colsP, 31); + *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP; if ( *colsP != (cols_32 - *padrightP) ) { diff -up netpbm-10.56.03/converter/pgm/psidtopgm.c.security-code netpbm-10.56.03/converter/pgm/psidtopgm.c --- netpbm-10.56.03/converter/pgm/psidtopgm.c.security-code 2011-11-09 09:18:00.000000000 +0100 +++ netpbm-10.56.03/converter/pgm/psidtopgm.c 2011-11-09 13:11:20.663591557 +0100 @@ -78,6 +78,7 @@ main(int argc, pm_error("bits/sample (%d) is too large.", bitspersample); pgm_writepgminit(stdout, cols, rows, maxval, 0); + overflow_add(cols, 7); grayrow = pgm_allocrow((cols + 7) / 8 * 8); for (row = 0; row < rows; ++row) { unsigned int col; diff -up netpbm-10.56.03/converter/ppm/ilbmtoppm.c.security-code netpbm-10.56.03/converter/ppm/ilbmtoppm.c --- netpbm-10.56.03/converter/ppm/ilbmtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/ilbmtoppm.c 2011-11-09 13:11:20.664591563 +0100 @@ -592,6 +592,7 @@ decode_row(FILE * const ifP, rawtype *chp; cols = bmhdP->w; + overflow_add(cols, 15); bytes = RowBytes(cols); for( plane = 0; plane < nPlanes; plane++ ) { int mask; @@ -679,6 +680,23 @@ decode_mask(FILE * const ifP, Multipalette handling ****************************************************************************/ +static void * +xmalloc2(x, y) + int x; + int y; +{ + void *mem; + + overflow2(x,y); + if( x * y == 0 ) + return NULL; + + mem = malloc2(x,y); + if( mem == NULL ) + pm_error("out of memory allocating %d bytes", x * y); + return mem; +} + static void multi_adjust(cmap, row, palchange) @@ -1341,6 +1359,9 @@ dcol_to_ppm(FILE * const ifP, if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); + overflow_add(redmaxval, 1); + overflow_add(greenmaxval, 1); + overflow_add(bluemaxval, 1); MALLOCARRAY_NOFAIL(redtable, redmaxval +1); MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); @@ -1763,7 +1784,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data ChangeCount32 = *data++; datasize -= 2; + overflow_add(ChangeCount16, ChangeCount32); changes = ChangeCount16 + ChangeCount32; + overflow_add(changes, 1); for( i = 0; i < changes; i++ ) { if( totalchanges >= PCHG->TotalChanges ) goto fail; if( datasize < 2 ) goto fail; @@ -2028,6 +2051,9 @@ read_pchg(FILE * const ifp, cmap->mp_change[i] = NULL; if( PCHG.StartLine < 0 ) { int nch; + if(PCHG.MaxReg < PCHG.MinReg) + pm_error("assert: MinReg > MaxReg"); + overflow_add(PCHG.MaxReg-PCHG.MinReg, 2); nch = PCHG.MaxReg - PCHG.MinReg +1; MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); for( i = 0; i < nch; i++ ) @@ -2104,6 +2130,7 @@ process_body( FILE * const ifp, if( typeid == ID_ILBM ) { int isdeep; + overflow_add(bmhdP->w, 15); MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w)); *viewportmodesP |= fakeviewport; /* -isham/-isehb */ diff -up netpbm-10.56.03/converter/ppm/imgtoppm.c.security-code netpbm-10.56.03/converter/ppm/imgtoppm.c --- netpbm-10.56.03/converter/ppm/imgtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/imgtoppm.c 2011-11-09 13:11:20.665591569 +0100 @@ -84,6 +84,7 @@ main(int argc, char ** argv) { len = atoi((char*) buf ); if ( fread( buf, len, 1, ifp ) != 1 ) pm_error( "bad colormap buf" ); + overflow2(cmaplen, 3); if ( cmaplen * 3 != len ) { pm_message( @@ -105,6 +106,7 @@ main(int argc, char ** argv) { pm_error( "bad pixel data header" ); buf[8] = '\0'; len = atoi((char*) buf ); + overflow2(cols, rows); if ( len != cols * rows ) pm_message( "pixel data length (%d) does not match image size (%d)", diff -up netpbm-10.56.03/converter/ppm/Makefile.security-code netpbm-10.56.03/converter/ppm/Makefile --- netpbm-10.56.03/converter/ppm/Makefile.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/Makefile 2011-11-09 14:33:40.386198300 +0100 @@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ leaftoppm mtvtoppm neotoppm \ - pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ + pcxtoppm pc1toppm pi1toppm pjtoppm \ ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \ ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ diff -up netpbm-10.56.03/converter/ppm/pcxtoppm.c.security-code netpbm-10.56.03/converter/ppm/pcxtoppm.c --- netpbm-10.56.03/converter/ppm/pcxtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/pcxtoppm.c 2011-11-09 13:11:20.666591575 +0100 @@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes, /* * clear the pixel buffer */ + overflow2(bytesperline, 8); npixels = (bytesperline * 8) / bitsperpixel; p = pixels; while (--npixels >= 0) @@ -470,6 +471,7 @@ pcx_16col_to_ppm(FILE * const ifP, } /* BytesPerLine should be >= BitsPerPixel * cols / 8 */ + overflow2(BytesPerLine, 8); rawcols = BytesPerLine * 8 / BitsPerPixel; if (headerCols > rawcols) { pm_message("warning - BytesPerLine = %d, " diff -up netpbm-10.56.03/converter/ppm/picttoppm.c.security-code netpbm-10.56.03/converter/ppm/picttoppm.c --- netpbm-10.56.03/converter/ppm/picttoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/picttoppm.c 2011-11-09 13:11:20.668591585 +0100 @@ -1,3 +1,5 @@ +#error "Unfixable. Don't ship me" + /* * picttoppm.c -- convert a MacIntosh PICT file to PPM format. * diff -up netpbm-10.56.03/converter/ppm/pjtoppm.c.security-code netpbm-10.56.03/converter/ppm/pjtoppm.c --- netpbm-10.56.03/converter/ppm/pjtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/pjtoppm.c 2011-11-09 13:11:20.669591591 +0100 @@ -127,19 +127,21 @@ main(argc, argv) case 'V': /* send plane */ case 'W': /* send last plane */ if (rows == -1 || r >= rows || image == NULL) { - if (rows == -1 || r >= rows) + if (rows == -1 || r >= rows) { + overflow_add(rows, 100); rows += 100; + } if (image == NULL) { - MALLOCARRAY(image, rows * planes); - MALLOCARRAY(imlen, rows * planes); + image = (unsigned char **) + malloc3(rows , planes , sizeof(unsigned char *)); + imlen = (int *) malloc3(rows , planes, sizeof(int)); } else { + overflow2(rows,planes); image = (unsigned char **) - realloc(image, - rows * planes * + realloc2(image, rows * planes, sizeof(unsigned char *)); - imlen = (int *) - realloc(imlen, rows * planes * sizeof(int)); + imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); } } if (image == NULL || imlen == NULL) @@ -212,8 +214,10 @@ main(argc, argv) for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) for (cmd = image[p + r * planes][c], val = image[p + r * planes][c+1]; - cmd >= 0 && i < newcols; cmd--, i++) + cmd >= 0 && i < newcols; cmd--, i++) { buf[i] = val; + overflow_add(i, 1); + } cols = cols > i ? cols : i; free(image[p + r * planes]); /* @@ -224,6 +228,7 @@ main(argc, argv) image[p + r * planes] = (unsigned char *) realloc(buf, i); } } + overflow2(cols, 8); cols *= 8; } diff -up netpbm-10.56.03/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.56.03/converter/ppm/ppmtoeyuv.c --- netpbm-10.56.03/converter/ppm/ppmtoeyuv.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/ppmtoeyuv.c 2011-11-09 13:11:20.670591597 +0100 @@ -114,6 +114,7 @@ create_multiplication_tables(const pixva int index; + overflow_add(maxval, 1); MALLOCARRAY_NOFAIL(mult299 , maxval+1); MALLOCARRAY_NOFAIL(mult587 , maxval+1); MALLOCARRAY_NOFAIL(mult114 , maxval+1); diff -up netpbm-10.56.03/converter/ppm/ppmtoicr.c.security-code netpbm-10.56.03/converter/ppm/ppmtoicr.c --- netpbm-10.56.03/converter/ppm/ppmtoicr.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/ppmtoicr.c 2011-11-09 13:11:20.670591597 +0100 @@ -169,7 +169,7 @@ char* argv[]; if (rleflag) { pm_message("sending run-length encoded picture data ..." ); - testimage = (char*) malloc(rows*cols); + testimage = (char*) malloc2(rows, cols); p = testimage; for (i=0; i PCL_MAXVAL) pm_error("color range too large; reduce with ppmcscale"); + if (cols < 0 || rows < 0) + pm_error("negative size is not possible"); /* Figure out the colormap. */ pm_message("Computing colormap..."); @@ -296,6 +298,8 @@ main(int argc, const char * argv[]) { case 0: /* direct mode (no palette) */ bpp = bitsperpixel(maxval); /* bits per pixel */ bpg = bpp; bpb = bpp; + overflow2(bpp, 3); + overflow_add(bpp*3, 7); bpp = (bpp*3+7)>>3; /* bytes per pixel now */ bpr = (bpp<<3)-bpg-bpb; bpp *= cols; /* bytes per row now */ @@ -305,9 +309,13 @@ main(int argc, const char * argv[]) { case 3: case 7: pclindex++; default: bpp = 8/pclindex; + overflow_add(cols, bpp); + if(bpp == 0) + pm_error("assert: no bpp"); bpp = (cols+bpp-1)/bpp; /* bytes per row */ } } + overflow2(bpp,2); inrow = (char *)malloc((unsigned)bpp); outrow = (char *)malloc((unsigned)bpp*2); runcnt = (signed char *)malloc((unsigned)bpp); diff -up netpbm-10.56.03/converter/ppm/ppmtowinicon.c.security-code netpbm-10.56.03/converter/ppm/ppmtowinicon.c --- netpbm-10.56.03/converter/ppm/ppmtowinicon.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/ppmtowinicon.c 2011-11-09 13:11:20.678591645 +0100 @@ -12,6 +12,7 @@ #include #include +#include #include "pm_c_util.h" #include "winico.h" @@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c MALLOCARRAY_NOFAIL(rowData, rows); icBitmap->xBytes = xBytes; icBitmap->data = rowData; + overflow2(xBytes, rows); icBitmap->size = xBytes * rows; for (y=0;yxBytes = xBytes; icBitmap->data = rowData; + overflow2(xBytes, rows); icBitmap->size = xBytes * rows; for (y=0;yxBytes = xBytes; icBitmap->data = rowData; + overflow2(xBytes, rows); icBitmap->size = xBytes * rows; for (y=0;ybitcount = bpp; entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); entry->colors = palette->colors; + overflow2(4, entry->color_count); + overflow_add(xorBitmap->size, andBitmap->size); + overflow_add(xorBitmap->size + andBitmap->size, 40); + overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); entry->size_in_bytes = xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); if (verbose) diff -up netpbm-10.56.03/converter/ppm/ppmtoxpm.c.security-code netpbm-10.56.03/converter/ppm/ppmtoxpm.c --- netpbm-10.56.03/converter/ppm/ppmtoxpm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/ppmtoxpm.c 2011-11-09 13:11:20.679591651 +0100 @@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int unsigned int i; /* Allocate memory for printed number. Abort if error. */ + overflow_add(digits, 1); if (!(str = (char *) malloc(digits + 1))) pm_error("out of memory"); @@ -314,6 +315,7 @@ genCmap(colorhist_vector const chv, unsigned int charsPerPixel; unsigned int xpmMaxval; + if (includeTransparent) overflow_add(ncolors, 1); MALLOCARRAY(cmap, cmapSize); if (cmapP == NULL) pm_error("Out of memory allocating %u bytes for a color map.", diff -up netpbm-10.56.03/converter/ppm/qrttoppm.c.security-code netpbm-10.56.03/converter/ppm/qrttoppm.c --- netpbm-10.56.03/converter/ppm/qrttoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/qrttoppm.c 2011-11-09 13:11:20.679591651 +0100 @@ -46,7 +46,7 @@ main( argc, argv ) ppm_writeppminit( stdout, cols, rows, maxval, 0 ); pixelrow = ppm_allocrow( cols ); - buf = (unsigned char *) malloc( 3 * cols ); + buf = (unsigned char *) malloc2( 3 , cols ); if ( buf == (unsigned char *) 0 ) pm_error( "out of memory" ); diff -up netpbm-10.56.03/converter/ppm/sldtoppm.c.security-code netpbm-10.56.03/converter/ppm/sldtoppm.c --- netpbm-10.56.03/converter/ppm/sldtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/sldtoppm.c 2011-11-09 13:11:20.680591657 +0100 @@ -455,6 +455,8 @@ slider(slvecfn slvec, /* Allocate image buffer and clear it to black. */ + overflow_add(ixdots,1); + overflow_add(iydots,1); pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1); PPM_ASSIGN(rgbcolor, 0, 0, 0); ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0, diff -up netpbm-10.56.03/converter/ppm/ximtoppm.c.security-code netpbm-10.56.03/converter/ppm/ximtoppm.c --- netpbm-10.56.03/converter/ppm/ximtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/ximtoppm.c 2011-11-09 13:11:20.681591662 +0100 @@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp, header->bits_channel = atoi(a_head.bits_per_channel); header->alpha_flag = atoi(a_head.alpha_channel); if (strlen(a_head.author)) { + overflow_add(strlen(a_head.author),1); if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, 1))) { pm_message("ReadXimHeader: can't calloc author string" ); @@ -126,6 +127,7 @@ ReadXimHeader(FILE * const in_fp, strncpy(header->author, a_head.author, strlen(a_head.author)); } if (strlen(a_head.date)) { + overflow_add(strlen(a_head.date),1); if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){ pm_message("ReadXimHeader: can't calloc date string" ); return(0); @@ -134,6 +136,7 @@ ReadXimHeader(FILE * const in_fp, strncpy(header->date, a_head.date, strlen(a_head.date)); } if (strlen(a_head.program)) { + overflow_add(strlen(a_head.program),1); if (!(header->program = calloc( (unsigned int)strlen(a_head.program) + 1, 1))) { pm_message("ReadXimHeader: can't calloc program string" ); @@ -160,6 +163,7 @@ ReadXimHeader(FILE * const in_fp, if (header->nchannels == 3 && header->bits_channel == 8) header->ncolors = 0; else if (header->nchannels == 1 && header->bits_channel == 8) { + overflow2(header->ncolors, sizeof(Color)); header->colors = (Color *)calloc((unsigned int)header->ncolors, sizeof(Color)); if (header->colors == NULL) { diff -up netpbm-10.56.03/converter/ppm/xpmtoppm.c.security-code netpbm-10.56.03/converter/ppm/xpmtoppm.c --- netpbm-10.56.03/converter/ppm/xpmtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/xpmtoppm.c 2011-11-09 13:11:20.682591667 +0100 @@ -759,6 +759,7 @@ ReadXPMFile(FILE * const stream, int * c &ncolors, colorsP, &ptab); *transparentP = -1; /* No transparency in version 1 */ } + overflow2(*widthP, *heightP); totalpixels = *widthP * *heightP; MALLOCARRAY(*dataP, totalpixels); if (*dataP == NULL) diff -up netpbm-10.56.03/converter/ppm/yuvtoppm.c.security-code netpbm-10.56.03/converter/ppm/yuvtoppm.c --- netpbm-10.56.03/converter/ppm/yuvtoppm.c.security-code 2011-11-09 09:18:06.000000000 +0100 +++ netpbm-10.56.03/converter/ppm/yuvtoppm.c 2011-11-09 13:11:20.682591667 +0100 @@ -72,6 +72,7 @@ main(argc, argv) ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0); pixrow = ppm_allocrow(cols); + overflow_add(cols, 1); MALLOCARRAY(yuvbuf, (cols+1)/2); if (yuvbuf == NULL) pm_error("Unable to allocate YUV buffer for %d columns.", cols); diff -up netpbm-10.56.03/editor/pamcut.c.security-code netpbm-10.56.03/editor/pamcut.c --- netpbm-10.56.03/editor/pamcut.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pamcut.c 2011-11-09 13:11:20.683591673 +0100 @@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP outpam = inpam; /* Initial value -- most fields should be same */ outpam.file = ofP; + overflow_add(rightcol, 1); + overflow_add(bottomrow, 1); outpam.width = rightcol - leftcol + 1; outpam.height = bottomrow - toprow + 1; diff -up netpbm-10.56.03/editor/pbmpscale.c.security-code netpbm-10.56.03/editor/pbmpscale.c diff -up netpbm-10.56.03/editor/pbmreduce.c.security-code netpbm-10.56.03/editor/pbmreduce.c --- netpbm-10.56.03/editor/pbmreduce.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pbmreduce.c 2011-11-09 13:11:20.685591685 +0100 @@ -94,6 +94,7 @@ main( argc, argv ) if (halftone == QT_FS) { unsigned int col; /* Initialize Floyd-Steinberg. */ + overflow_add(newcols, 2); MALLOCARRAY(thiserr, newcols + 2); MALLOCARRAY(nexterr, newcols + 2); if (thiserr == NULL || nexterr == NULL) diff -up netpbm-10.56.03/editor/pnmgamma.c.security-code netpbm-10.56.03/editor/pnmgamma.c --- netpbm-10.56.03/editor/pnmgamma.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmgamma.c 2011-11-09 13:11:20.685591685 +0100 @@ -586,6 +586,7 @@ createGammaTables(enum transferFunction xelval ** const btableP) { /* Allocate space for the tables. */ + overflow_add(maxval, 1); MALLOCARRAY(*rtableP, maxval+1); MALLOCARRAY(*gtableP, maxval+1); MALLOCARRAY(*btableP, maxval+1); diff -up netpbm-10.56.03/editor/pnmhisteq.c.security-code netpbm-10.56.03/editor/pnmhisteq.c --- netpbm-10.56.03/editor/pnmhisteq.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmhisteq.c 2011-11-09 13:11:20.686591691 +0100 @@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const * unsigned int pixelCount; unsigned int * lumahist; + overflow_add(maxval, 1); MALLOCARRAY(lumahist, maxval + 1); if (lumahist == NULL) pm_error("Out of storage allocating array for %u histogram elements", diff -up netpbm-10.56.03/editor/pnmindex.csh.security-code netpbm-10.56.03/editor/pnmindex.csh --- netpbm-10.56.03/editor/pnmindex.csh.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmindex.csh 2011-11-09 13:11:20.686591691 +0100 @@ -1,5 +1,8 @@ #!/bin/csh -f # +echo "Unsafe code, needs debugging, do not ship" +exit 1 +# # pnmindex - build a visual index of a bunch of anymaps # # Copyright (C) 1991 by Jef Poskanzer. diff -up netpbm-10.56.03/editor/pnmpad.c.security-code netpbm-10.56.03/editor/pnmpad.c --- netpbm-10.56.03/editor/pnmpad.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmpad.c 2011-11-09 13:11:20.687591697 +0100 @@ -527,6 +527,8 @@ main(int argc, const char ** argv) { computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); + overflow_add(cols, lpad); + overflow_add(cols + lpad, rpad); newcols = cols + lpad + rpad; if (PNM_FORMAT_TYPE(format) == PBM_TYPE) diff -up netpbm-10.56.03/editor/pnmremap.c.security-code netpbm-10.56.03/editor/pnmremap.c --- netpbm-10.56.03/editor/pnmremap.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmremap.c 2011-11-09 13:11:20.688591703 +0100 @@ -409,7 +409,7 @@ initFserr(struct pam * const pamP, unsigned int plane; unsigned int const fserrSize = pamP->width + 2; - + overflow_add(pamP->width, 2); fserrP->width = pamP->width; MALLOCARRAY(fserrP->thiserr, pamP->depth); @@ -445,6 +445,7 @@ floydInitRow(struct pam * const pamP, st int col; + overflow_add(pamP->width, 2); for (col = 0; col < pamP->width + 2; ++col) { unsigned int plane; for (plane = 0; plane < pamP->depth; ++plane) diff -up netpbm-10.56.03/editor/pnmscalefixed.c.security-code netpbm-10.56.03/editor/pnmscalefixed.c --- netpbm-10.56.03/editor/pnmscalefixed.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmscalefixed.c 2011-11-09 13:11:20.689591709 +0100 @@ -214,6 +214,8 @@ compute_output_dimensions(const struct c const int rows, const int cols, int * newrowsP, int * newcolsP) { + overflow2(rows, cols); + if (cmdline.pixels) { if (rows * cols <= cmdline.pixels) { *newrowsP = rows; @@ -265,6 +267,8 @@ compute_output_dimensions(const struct c if (*newcolsP < 1) *newcolsP = 1; if (*newrowsP < 1) *newrowsP = 1; + + overflow2(*newcolsP, *newrowsP); } @@ -446,6 +450,9 @@ main(int argc, char **argv ) { unfilled. We can address that by stretching, whereas the other case would require throwing away some of the input. */ + + overflow2(newcols, SCALE); + overflow2(newrows, SCALE); sxscale = SCALE * newcols / cols; syscale = SCALE * newrows / rows; diff -up netpbm-10.56.03/editor/pnmshear.c.security-code netpbm-10.56.03/editor/pnmshear.c --- netpbm-10.56.03/editor/pnmshear.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/pnmshear.c 2011-11-09 13:11:20.689591709 +0100 @@ -15,6 +15,7 @@ #include #include #include +#include #include "pm_c_util.h" #include "ppm.h" @@ -236,6 +237,11 @@ main(int argc, char * argv[]) { shearfac = fabs(tan(cmdline.angle)); + if(rows * shearfac >= INT_MAX-1) + pm_error("image too large"); + + overflow_add(rows * shearfac, cols+1); + newcols = rows * shearfac + cols + 0.999999; pnm_writepnminit(stdout, newcols, rows, newmaxval, newformat, 0); diff -up netpbm-10.56.03/editor/ppmdither.c.security-code netpbm-10.56.03/editor/ppmdither.c --- netpbm-10.56.03/editor/ppmdither.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/ppmdither.c 2011-11-09 13:28:52.043380984 +0100 @@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower) unsigned int const dithMatSize = (dithDim * sizeof(*dithMat)) + /* pointers */ (dithDim * dithDim * sizeof(**dithMat)); /* data */ - + + overflow2(dithDim, sizeof(*dithMat)); + overflow3(dithDim, dithDim, sizeof(**dithMat)); + overflow_add(dithDim * sizeof(*dithMat), dithDim * dithDim * sizeof(**dithMat)); + dithMat = malloc(dithMatSize); if (dithMat == NULL) diff -up netpbm-10.56.03/editor/specialty/pamoil.c.security-code netpbm-10.56.03/editor/specialty/pamoil.c --- netpbm-10.56.03/editor/specialty/pamoil.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/editor/specialty/pamoil.c 2011-11-09 13:11:20.690591715 +0100 @@ -112,6 +112,7 @@ main(int argc, char *argv[] ) { tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); pm_close(ifp); + overflow_add(inpam.maxval, 1); MALLOCARRAY(hist, inpam.maxval + 1); if (hist == NULL) pm_error("Unable to allocate memory for histogram."); diff -up netpbm-10.56.03/generator/pbmpage.c.security-code netpbm-10.56.03/generator/pbmpage.c diff -up netpbm-10.56.03/generator/pbmtext.c.security-code netpbm-10.56.03/generator/pbmtext.c --- netpbm-10.56.03/generator/pbmtext.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/generator/pbmtext.c 2011-11-09 13:18:31.716118581 +0100 @@ -96,12 +96,14 @@ parseCommandLine(int argc, const char ** for (i = 1; i < argc; ++i) { if (i > 1) { + overflow_add(totaltextsize, 1); totaltextsize += 1; text = realloc(text, totaltextsize); if (text == NULL) pm_error("out of memory allocating space for input text"); strcat(text, " "); } + overflow_add(totaltextsize, strlen(argv[i])); totaltextsize += strlen(argv[i]); text = realloc(text, totaltextsize); if (text == NULL) @@ -712,6 +714,7 @@ getText(const char cmdline_text pm_error("A line of input text is longer than %u characters." "Cannot process.", (unsigned)sizeof(buf)-1); if (lineCount >= maxlines) { + overflow2(maxlines, 2); maxlines *= 2; REALLOCARRAY(text_array, maxlines); if (text_array == NULL) @@ -832,6 +835,7 @@ main(int argc, const char *argv[]) { hmargin = fontP->maxwidth; } else { vmargin = fontP->maxheight; + overflow2(2, fontP->maxwidth); hmargin = 2 * fontP->maxwidth; } } diff -up netpbm-10.56.03/generator/pgmcrater.c.security-code netpbm-10.56.03/generator/pgmcrater.c --- netpbm-10.56.03/generator/pgmcrater.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/generator/pgmcrater.c 2011-11-09 13:11:20.692591727 +0100 @@ -130,7 +130,7 @@ static void gencraters() /* Acquire the elevation array and initialize it to mean surface elevation. */ - MALLOCARRAY(aux, SCRX * SCRY); + aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short)); if (aux == NULL) pm_error("out of memory allocating elevation array"); diff -up netpbm-10.56.03/generator/pgmkernel.c.security-code netpbm-10.56.03/generator/pgmkernel.c --- netpbm-10.56.03/generator/pgmkernel.c.security-code 2011-11-09 09:17:50.000000000 +0100 +++ netpbm-10.56.03/generator/pgmkernel.c 2011-11-09 13:11:20.692591727 +0100 @@ -68,7 +68,7 @@ main ( argc, argv ) kycenter = (fysize - 1) / 2.0; ixsize = fxsize + 0.999; iysize = fysize + 0.999; - MALLOCARRAY(fkernel, ixsize * iysize); + fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double)); for (i = 0; i < iysize; i++) for (j = 0; j < ixsize; j++) { fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double) diff -up netpbm-10.56.03/lib/libpam.c.security-code netpbm-10.56.03/lib/libpam.c --- netpbm-10.56.03/lib/libpam.c.security-code 2011-11-09 09:17:53.000000000 +0100 +++ netpbm-10.56.03/lib/libpam.c 2011-11-09 13:36:03.778913243 +0100 @@ -220,7 +220,8 @@ allocPamRow(const struct pam * const pam unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample); tuple * tuplerow; - tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple)); + overflow_add(sizeof(tuple *), bytesPerTuple); + tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple)); if (tuplerow != NULL) { /* Now we initialize the pointers to the individual tuples diff -up netpbm-10.56.03/lib/libpammap.c.security-code netpbm-10.56.03/lib/libpammap.c --- netpbm-10.56.03/lib/libpammap.c.security-code 2011-11-09 09:17:53.000000000 +0100 +++ netpbm-10.56.03/lib/libpammap.c 2011-11-09 13:11:20.694591739 +0100 @@ -104,6 +104,8 @@ allocTupleIntListItem(struct pam * const */ struct tupleint_list_item * retval; + overflow2(pamP->depth, sizeof(sample)); + overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); unsigned int const size = sizeof(*retval) - sizeof(retval->tupleint.tuple) + pamP->depth * sizeof(sample); diff -up netpbm-10.56.03/lib/libpbm1.c.security-code netpbm-10.56.03/lib/libpbm1.c --- netpbm-10.56.03/lib/libpbm1.c.security-code 2011-11-09 09:17:53.000000000 +0100 +++ netpbm-10.56.03/lib/libpbm1.c 2011-11-09 13:11:20.695591745 +0100 @@ -77,6 +77,7 @@ pbm_check(FILE * file, const enum pm_che pm_message("pm_filepos passed to pm_check() is %u bytes", sizeof(pm_filepos)); #endif + overflow2(bytes_per_row, rows); pm_check(file, check_type, need_raster_size, retval_p); } } diff -up netpbm-10.56.03/lib/libpm.c.security-code netpbm-10.56.03/lib/libpm.c --- netpbm-10.56.03/lib/libpm.c.security-code 2011-11-09 09:17:53.000000000 +0100 +++ netpbm-10.56.03/lib/libpm.c 2011-11-09 13:11:20.695591745 +0100 @@ -787,4 +787,53 @@ pm_parse_height(const char * const arg) } +/* + * Maths wrapping + */ + +void __overflow2(int a, int b) +{ + if(a < 0 || b < 0) + pm_error("object too large"); + if(b == 0) + return; + if(a > INT_MAX / b) + pm_error("object too large"); +} + +void overflow3(int a, int b, int c) +{ + overflow2(a,b); + overflow2(a*b, c); +} + +void overflow_add(int a, int b) +{ + if( a > INT_MAX - b) + pm_error("object too large"); +} + +void *malloc2(int a, int b) +{ + overflow2(a, b); + if(a*b == 0) + pm_error("Zero byte allocation"); + return malloc(a*b); +} + +void *malloc3(int a, int b, int c) +{ + overflow3(a, b, c); + if(a*b*c == 0) + pm_error("Zero byte allocation"); + return malloc(a*b*c); +} + +void *realloc2(void * a, int b, int c) +{ + overflow2(b, c); + if(b*c == 0) + pm_error("Zero byte allocation"); + return realloc(a, b*c); +} diff -up netpbm-10.56.03/lib/pm.h.security-code netpbm-10.56.03/lib/pm.h --- netpbm-10.56.03/lib/pm.h.security-code 2011-11-09 09:17:53.000000000 +0100 +++ netpbm-10.56.03/lib/pm.h 2011-11-09 13:11:20.696591750 +0100 @@ -411,4 +411,11 @@ pm_parse_height(const char * const arg); #endif +void *malloc2(int, int); +void *malloc3(int, int, int); +#define overflow2(a,b) __overflow2(a,b) +void __overflow2(int, int); +void overflow3(int, int, int); +void overflow_add(int, int); + #endif diff -up netpbm-10.56.03/other/pnmcolormap.c.security-code netpbm-10.56.03/other/pnmcolormap.c --- netpbm-10.56.03/other/pnmcolormap.c.security-code 2011-11-09 09:17:48.000000000 +0100 +++ netpbm-10.56.03/other/pnmcolormap.c 2011-11-09 13:11:20.696591750 +0100 @@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP pamP->width = intsqrt; else pamP->width = intsqrt + 1; + overflow_add(intsqrt, 1); } { unsigned int const intQuotient = colormap.size / pamP->width; diff -up netpbm-10.56.03/urt/README.security-code netpbm-10.56.03/urt/README --- netpbm-10.56.03/urt/README.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/README 2011-11-09 13:11:20.697591755 +0100 @@ -18,3 +18,8 @@ in its initializer in the original. But defines stdout as a variable, so that wouldn't compile. So I changed it to NULL and added a line to rle_hdr_init to set that field to 'stdout' dynamically. 2000.06.02 BJH. + +Redid the code to check for maths overflows and other crawly horrors. +Removed pipe through and compress support (unsafe) + +Alan Cox diff -up netpbm-10.56.03/urt/rle_addhist.c.security-code netpbm-10.56.03/urt/rle_addhist.c --- netpbm-10.56.03/urt/rle_addhist.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/rle_addhist.c 2011-11-09 13:11:20.697591755 +0100 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_addhist.c - Add to the HISTORY comment in header @@ -76,13 +78,19 @@ rle_addhist(char * argv[], return; length = 0; - for (i = 0; argv[i]; ++i) + for (i = 0; argv[i]; ++i) { + overflow_add(length, strlen(argv[i])); + overflow_add(length+1, strlen(argv[i])); length += strlen(argv[i]) +1; /* length of each arg plus space. */ + } time(&temp); timedate = ctime(&temp); length += strlen(timedate); /* length of date and time in ASCII. */ + overflow_add(strlen(padding), 4); + overflow_add(strlen(histoire), strlen(padding) + 4); + overflow_add(length, strlen(histoire) + strlen(padding) + 4); length += strlen(padding) + 3 + strlen(histoire) + 1; /* length of padding, "on " and length of history name plus "="*/ if (in_hdr) /* if we are interested in the old comments... */ @@ -90,9 +98,12 @@ rle_addhist(char * argv[], else old = NULL; - if (old && *old) + if (old && *old) { + overflow_add(length, strlen(old)); length += strlen(old); /* add length if there. */ + } + overflow_add(length, 1); ++length; /*Cater for the null. */ MALLOCARRAY(newc, length); diff -up netpbm-10.56.03/urt/rle_getrow.c.security-code netpbm-10.56.03/urt/rle_getrow.c --- netpbm-10.56.03/urt/rle_getrow.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/rle_getrow.c 2011-11-09 13:11:20.698591761 +0100 @@ -17,6 +17,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_getrow.c - Read an RLE file in. @@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) { register char * cp; VAXSHORT( comlen, infile ); /* get comment length */ + overflow_add(comlen, 1); evenlen = (comlen + 1) & ~1; /* make it even */ if ( evenlen ) { diff -up netpbm-10.56.03/urt/rle_hdr.c.security-code netpbm-10.56.03/urt/rle_hdr.c --- netpbm-10.56.03/urt/rle_hdr.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/rle_hdr.c 2011-11-09 13:11:20.699591767 +0100 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_hdr.c - Functions to manipulate rle_hdr structures. @@ -79,7 +81,10 @@ int img_num; /* Fill in with copies of the strings. */ if ( the_hdr->cmd != pgmname ) { - char *tmp = (char *)malloc( strlen( pgmname ) + 1 ); + char *tmp ; + + overflow_add(strlen(pgmname), 1); + tmp = malloc( strlen( pgmname ) + 1 ); RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, pgmname ); the_hdr->cmd = tmp; @@ -87,7 +92,9 @@ int img_num; if ( the_hdr->file_name != fname ) { - char *tmp = (char *)malloc( strlen( fname ) + 1 ); + char *tmp; + overflow_add(strlen(fname), 1); + tmp = malloc( strlen( fname ) + 1 ); RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, fname ); the_hdr->file_name = tmp; @@ -152,6 +159,7 @@ rle_hdr *from_hdr, *to_hdr; if ( to_hdr->bg_color ) { int size = to_hdr->ncolors * sizeof(int); + overflow2(to_hdr->ncolors, sizeof(int)); to_hdr->bg_color = (int *)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); @@ -160,7 +168,7 @@ rle_hdr *from_hdr, *to_hdr; if ( to_hdr->cmap ) { int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); - to_hdr->cmap = (rle_map *)malloc( size ); + to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<cmaplen, sizeof(rle_map)); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); memcpy( to_hdr->cmap, from_hdr->cmap, size ); } @@ -173,11 +181,16 @@ rle_hdr *from_hdr, *to_hdr; int size = 0; CONST_DECL char **cp; for ( cp=to_hdr->comments; *cp; cp++ ) + { + overflow_add(size, 1); size++; /* Count the comments. */ + } /* Check if there are really any comments. */ if ( size ) { + overflow_add(size, 1); size++; /* Copy the NULL pointer, too. */ + overflow2(size, sizeof(char *)); size *= sizeof(char *); to_hdr->comments = (CONST_DECL char **)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); diff -up netpbm-10.56.03/urt/rle.h.security-code netpbm-10.56.03/urt/rle.h --- netpbm-10.56.03/urt/rle.h.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/rle.h 2011-11-09 13:11:20.699591767 +0100 @@ -14,6 +14,9 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox + * Header declarations needed */ /* * rle.h - Global declarations for Utah Raster Toolkit RLE programs. @@ -166,6 +169,17 @@ rle_hdr /* End of typedef. * */ extern rle_hdr rle_dflt_hdr; +/* + * Provided by pm library + */ + +extern void overflow_add(int, int); +#define overflow2(a,b) __overflow2(a,b) +extern void __overflow2(int, int); +extern void overflow3(int, int, int); +extern void *malloc2(int, int); +extern void *malloc3(int, int, int); +extern void *realloc2(void *, int, int); /* Declare RLE library routines. */ diff -up netpbm-10.56.03/urt/rle_open_f.c.security-code netpbm-10.56.03/urt/rle_open_f.c --- netpbm-10.56.03/urt/rle_open_f.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/rle_open_f.c 2011-11-09 13:32:23.239619714 +0100 @@ -162,65 +162,7 @@ dealWithSubprocess(const char * const f FILE ** const fpP, bool * const noSubprocessP, const char ** const errorP) { - -#ifdef NO_OPEN_PIPES *noSubprocessP = TRUE; -#else - const char *cp; - - reapChildren(catchingChildrenP, pids); - - /* Real file, not stdin or stdout. If name ends in ".Z", - * pipe from/to un/compress (depending on r/w mode). - * - * If it starts with "|", popen that command. - */ - - cp = file_name + strlen(file_name) - 2; - /* Pipe case. */ - if (file_name[0] == '|') { - pid_t thepid; /* PID from my_popen */ - - *noSubprocessP = FALSE; - - *fpP = my_popen(file_name + 1, mode, &thepid); - if (*fpP == NULL) - *errorP = "%s: can't invoke <<%s>> for %s: "; - else { - /* One more child to catch, eventually. */ - if (*catchingChildrenP < MAX_CHILDREN) - pids[(*catchingChildrenP)++] = thepid; - } - } else if (cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) { - /* Compress case. */ - pid_t thepid; /* PID from my_popen. */ - const char * command; - - *noSubprocessP = FALSE; - - if (*mode == 'w') - pm_asprintf(&command, "compress > %s", file_name); - else if (*mode == 'a') - pm_asprintf(&command, "compress >> %s", file_name); - else - pm_asprintf(&command, "compress -d < %s", file_name); - - *fpP = my_popen(command, mode, &thepid); - - if (*fpP == NULL) - *errorP = "%s: can't invoke 'compress' program, " - "trying to open %s for %s"; - else { - /* One more child to catch, eventually. */ - if (*catchingChildrenP < MAX_CHILDREN) - pids[(*catchingChildrenP)++] = thepid; - } - pm_strfree(command); - } else { - *noSubprocessP = TRUE; - *errorP = NULL; - } -#endif } diff -up netpbm-10.56.03/urt/rle_putcom.c.security-code netpbm-10.56.03/urt/rle_putcom.c --- netpbm-10.56.03/urt/rle_putcom.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/rle_putcom.c 2011-11-09 13:11:20.701591779 +0100 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_putcom.c - Add a picture comment to the header struct. @@ -98,12 +100,14 @@ rle_putcom(const char * const value, const char * v; const char ** old_comments; int i; - for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) + for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) { + overflow_add(i, 1); if (match(value, *cp) != NULL) { v = *cp; *cp = value; return v; } + } /* Not found */ /* Can't realloc because somebody else might be pointing to this * comments block. Of course, if this were true, then the diff -up netpbm-10.56.03/urt/Runput.c.security-code netpbm-10.56.03/urt/Runput.c --- netpbm-10.56.03/urt/Runput.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/Runput.c 2011-11-09 13:11:20.701591779 +0100 @@ -17,6 +17,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * Runput.c - General purpose Run Length Encoding. @@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr) if ( the_hdr->background != 0 ) { register int i; - register rle_pixel *background = - (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); + register rle_pixel *background; register int *bg_color; + + overflow_add(the_hdr->ncolors,1); + background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); /* * If even number of bg color bytes, put out one more to get to * 16 bit boundary. @@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr) /* Big-endian machines are harder */ register int i, nmap = (1 << the_hdr->cmaplen) * the_hdr->ncmap; - register char *h_cmap = (char *)malloc( nmap * 2 ); + register char *h_cmap = (char *)malloc2( nmap, 2 ); if ( h_cmap == NULL ) { fprintf( stderr, diff -up netpbm-10.56.03/urt/scanargs.c.security-code netpbm-10.56.03/urt/scanargs.c --- netpbm-10.56.03/urt/scanargs.c.security-code 2011-11-09 09:18:08.000000000 +0100 +++ netpbm-10.56.03/urt/scanargs.c 2011-11-09 13:11:20.702591785 +0100 @@ -38,6 +38,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ #include "rle.h" @@ -65,8 +67,8 @@ typedef int *ptr; /* * Storage allocation macros */ -#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) -#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) +#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) +#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) #if defined(c_plusplus) && !defined(USE_PROTOTYPES) #define USE_PROTOTYPES