--- /dev/null 2006-06-21 18:54:37.100867000 +0200 +++ netpbm-10.34/OPENLICENSE 2006-06-22 12:45:18.000000000 +0200 @@ -0,0 +1,163 @@ + The Open Software License + v. 1.1 + +This Open Software License (the "License") applies to any original work of +authorship (the "Original Work") whose owner (the "Licensor") has placed the +following notice immediately following the copyright notice for the Original +Work: + +Licensed under the Open Software License version 1.1 + +1) Grant of Copyright License. Licensor hereby grants You a world-wide, +royalty-free, non-exclusive, perpetual, non-sublicenseable license to do the +following: + +a) to reproduce the Original Work in copies; + +b) to prepare derivative works ("Derivative Works") based upon the Original +Work; + +c) to distribute copies of the Original Work and Derivative Works to the +public, with the proviso that copies of Original Work or Derivative Works that +You distribute shall be licensed under the Open Software License; + +d) to perform the Original Work publicly; and + +e) to display the Original Work publicly. + +2) Grant of Patent License. Licensor hereby grants You a world-wide, +royalty-free, non-exclusive, perpetual, non-sublicenseable license, under +patent claims owned or controlled by the Licensor that are embodied in the +Original Work as furnished by the Licensor ("Licensed Claims") to make, use, +sell and offer for sale the Original Work. Licensor hereby grants You a +world-wide, royalty-free, non-exclusive, perpetual, non-sublicenseable license +under the Licensed Claims to make, use, sell and offer for sale Derivative Works. + +3) Grant of Source Code License. The term "Source Code" means the preferred +form of the Original Work for making modifications to it and all available +documentation describing how to modify the Original Work. Licensor hereby +agrees to provide a machine-readable copy of the Source Code of the Original +Work along with each copy of the Original Work that Licensor distributes. +Licensor reserves the right to satisfy this obligation by placing a +machine-readable copy of the Source Code in an information repository reasonably +calculated to permit inexpensive and convenient access by You for as long as + Licensor continues to distribute the Original Work, and by publishing the +address of that information repository in a notice immediately following the +copyright notice that applies to the Original Work. + + +4) Exclusions From License Grant. Nothing in this License shall be deemed to +grant any rights to trademarks, copyrights, patents, trade secrets or any +other intellectual property of Licensor except as expressly stated herein. No +patent license is granted to make, use, sell or offer to sell embodiments of +any patent claims other than the Licensed Claims defined in Section 2. No +right is granted to the trademarks of Licensor even if such marks are included +in the Original Work. Nothing in this License shall be interpreted to prohibit +Licensor from licensing under different terms from this License any Original +Work that Licensor otherwise would have a right to license. + +5) External Deployment. The term "External Deployment" means the use or +distribution of the Original Work or Derivative Works in any way such that the +Original Work or Derivative Works may be used by anyone other than You, +whether the Original Work or Derivative Works are distributed to those persons +or made available as an application intended for use over a computer network. +As an express condition for the grants of license hereunder, You agree that +any External Deployment by You of a Derivative Work shall be deemed a +distribution and shall be licensed to all under the terms of this License, as +prescribed in section 1(c) herein. + +6) Attribution Rights. You must retain, in the Source Code of any Derivative +Works that You create, all copyright, patent or trademark notices from the +Source Code of the Original Work, as well as any notices of licensing and any +descriptive text identified therein as an "Attribution Notice." You must cause +the Source Code for any Derivative Works that You create to carry a prominent +Attribution Notice reasonably calculated to inform recipients that You have +modified the Original Work. + +7) Warranty and Disclaimer of Warranty. Licensor warrants that the copyright +in and to the Original Work is owned by the Licensor or that the Original Work +is distributed by Licensor under a valid current license from the copyright +owner. Except as expressly stated in the immediately proceeding sentence, the +Original Work is provided under this License on an "AS IS" BASIS and WITHOUT +WARRANTY, either express or implied, including, without limitation, the +warranties of NON-INFRINGEMENT, MERCHANTABILITY or FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK IS WITH YOU. +This DISCLAIMER OF WARRANTY constitutes an essential part of this License. No +license to Original Work is granted hereunder except under this disclaimer. + +8) Limitation of Liability. Under no circumstances and under no legal theory, +whether in tort (including negligence), contract, or otherwise, shall the +Licensor be liable to any person for any direct, indirect, special, incidental, +or consequential damages of any character arising as a result of this License +or the use of the Original Work including, without limitation, damages for +loss of goodwill, work stoppage, computer failure or malfunction, or any and +all other commercial damages or losses. This limitation of liability shall not +apply to liability for death or personal injury resulting from Licensor's +negligence to the extent applicable law prohibits such limitation. Some +jurisdictions do not allow the exclusion or limitation of incidental or +consequential damages, so this exclusion and limitation may not apply to You. + + +9) Acceptance and Termination. If You distribute copies of the Original Work +or a Derivative Work, You must make a reasonable effort under the circumstances +to obtain the express and volitional assent of recipients to the terms of this +License. Nothing else but this License (or another written agreement between +Licensor and You) grants You permission to create Derivative Works based upon +the Original Work or to exercise any of the rights granted in Sections 1 herein, +and any attempt to do so except under the terms of this License (or another +written agreement between Licensor and You) is expressly prohibited by U.S. +copyright law, the equivalent laws of other countries, and by international +treaty. Therefore, by exercising any of the rights granted to You in Sections +1 herein, You indicate Your acceptance of this License and all of its terms and +conditions. This License shall terminate immediately and you may no longer +exercise any of the rights granted to You by this License upon Your failure to +honor the proviso in Section 1(c) herein. + +10) Mutual Termination for Patent Action. This License shall terminate +automatically and You may no longer exercise any of the rights granted to You +by this License if You file a lawsuit in any court alleging that any OSI +Certified open source software that is licensed under any license containing +this "Mutual Termination for Patent Action" clause infringes any patent claims +that are essential to use that software. + +11) Jurisdiction, Venue and Governing Law. Any action or suit relating to this +License may be brought only in the courts of a jurisdiction wherein the Licensor +resides or in which Licensor conducts its primary business, and under the laws +of that jurisdiction excluding its conflict-of-law provisions. The application +of the United Nations Convention on Contracts for the International Sale of +Goods is expressly excluded. Any use of the Original Work outside the scope of +this License or after its termination shall be subject to the requirements and +penalties of the U.S. Copyright Act, 17 U.S.C. å¤ 101 et seq., the equivalent +laws of other countries, and international treaty. This section shall survive +the termination of this License. + +12) Attorneys Fees. In any action to enforce the terms of this License or +seeking damages relating thereto, the prevailing party shall be entitled to +recover its costs and expenses, including, without limitation, reasonable +attorneys' fees and costs incurred in connection with such action, including +any appeal of such action. This section shall survive the termination of this +License. + +13) Miscellaneous. This License represents the complete agreement concerning +the subject matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent necessary +to make it enforceable. + +14) Definition of "You" in This License. "You" throughout this License, +whether in upper or lower case, means an individual or a legal entity exercising +rights under, and complying with all of the terms of, this License. For legal +entities, "You" includes any entity that controls, is controlled by, or is under +common control with you. For purposes of this definition, "control" means (i) +the power, direct or indirect, to cause the direction or management of such +entity, whether by contract or otherwise, or (ii) ownership of fifty percent +(50%) or more of the outstanding shares, or (iii) beneficial ownership of such +entity. + +15) Right to Use. You may use the Original Work in all ways not otherwise +restricted or conditioned by this License or by law, and Licensor promises not +to interfere with or be responsible for such uses by You. + +This license is Copyright (C) 2002 Lawrence E. Rosen. All rights reserved. +Permission is hereby granted to copy and distribute this license without +modification. This license may not be modified without the express written +permission of its copyright owner. --- netpbm-10.34/generator/pbmtext.c.security 2005-07-18 03:14:10.000000000 +0200 +++ netpbm-10.34/generator/pbmtext.c 2006-06-22 12:45:18.000000000 +0200 @@ -89,12 +89,14 @@ for (i = 1; i < argc; i++) { if (i > 1) { + overflow_add(totaltextsize, 1); totaltextsize += 1; text = realloc(text, totaltextsize); if (text == NULL) pm_error("out of memory allocating space for input text"); strcat(text, " "); } + overflow_add(totaltextsize, strlen(argv[i])); totaltextsize += strlen(argv[i]); text = realloc(text, totaltextsize); if (text == NULL) @@ -581,6 +583,7 @@ struct text input_text; if (cmdline_text) { + overflow_add(strlen(cmdline_text), 1); allocTextArray(&input_text, 1, strlen(cmdline_text)); strcpy(input_text.textArray[0], cmdline_text); fix_control_chars(input_text.textArray[0], fn); @@ -603,7 +606,9 @@ while (fgets(buf, sizeof(buf), stdin) != NULL) { fix_control_chars(buf, fn); if (lineCount >= maxlines) { + overflow2(maxlines, 2); maxlines *= 2; + overflow2(maxlines, sizeof(char *)); text_array = (char**) realloc((char*) text_array, maxlines * sizeof(char*)); if (text_array == NULL) @@ -689,6 +694,7 @@ hmargin = fontP->maxwidth; } else { vmargin = fontP->maxheight; + overflow2(2, fontP->maxwidth); hmargin = 2 * fontP->maxwidth; } } @@ -705,6 +711,12 @@ } else formattedText = inputText; + overflow2(2, vmargin); + overflow2(formattedText.lineCount, fontP->maxheight); + overflow2(formattedText.lineCount-1, cmdline.lspace); + overflow_add(vmargin * 2, formattedText.lineCount * fontP->maxheight); + overflow_add(vmargin * 2 + formattedText.lineCount * fontP->maxheight, (formattedText.lineCount-1) * cmdline.lspace); + rows = 2 * vmargin + formattedText.lineCount * fontP->maxheight + (formattedText.lineCount-1) * cmdline.lspace; @@ -712,6 +724,9 @@ compute_image_width(formattedText, fontP, cmdline.space, &maxwidth, &maxleftb); + overflow2(2, hmargin); + overflow_add(2*hmargin, maxwidth); + cols = 2 * hmargin + maxwidth; bits = pbm_allocarray(cols, rows); --- netpbm-10.34/generator/pgmkernel.c.security 2003-07-06 22:03:29.000000000 +0200 +++ netpbm-10.34/generator/pgmkernel.c 2006-06-22 12:45:18.000000000 +0200 @@ -68,7 +68,7 @@ kycenter = (fysize - 1) / 2.0; ixsize = fxsize + 0.999; iysize = fysize + 0.999; - MALLOCARRAY(fkernel, ixsize * iysize); + fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double)); for (i = 0; i < iysize; i++) for (j = 0; j < ixsize; j++) { fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double) --- netpbm-10.34/generator/pgmcrater.c.security 2005-12-22 10:28:49.000000000 +0100 +++ netpbm-10.34/generator/pgmcrater.c 2006-06-22 12:45:18.000000000 +0200 @@ -131,7 +131,7 @@ /* Acquire the elevation array and initialize it to mean surface elevation. */ - MALLOCARRAY(aux, SCRX * SCRY); + aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short)); if (aux == NULL) pm_error("out of memory allocating elevation array"); --- netpbm-10.34/generator/pbmpage.c.security 2005-08-27 19:27:19.000000000 +0200 +++ netpbm-10.34/generator/pbmpage.c 2006-06-22 12:45:18.000000000 +0200 @@ -170,6 +170,9 @@ /* We round the allocated row space up to a multiple of 8 so the ugly fast code below can work. */ + + overflow_add(bitmap.Width, 7); + pbmrow = pbm_allocrow(((bitmap.Width+7)/8)*8); bitmap_cursor = 0; --- netpbm-10.34/generator/ppmrainbow.security 2003-01-04 01:40:56.000000000 +0100 +++ netpbm-10.34/generator/ppmrainbow 2006-06-22 12:45:18.000000000 +0200 @@ -11,7 +11,7 @@ # set defaults $Twid = 600; $Thgt = 8; -$tmpdir = $ENV{"TMPDIR"} || "/tmp"; +$tmpdir = $ENV{"TMPDIR"} || ".tmp"; $norepeat = $FALSE; $verbose = $FALSE; --- netpbm-10.34/other/pnmcolormap.c.security 2005-12-21 05:35:06.000000000 +0100 +++ netpbm-10.34/other/pnmcolormap.c 2006-06-22 12:45:18.000000000 +0200 @@ -836,6 +836,7 @@ pamP->width = intsqrt; else pamP->width = intsqrt + 1; + overflow_add(intsqrt, 1); } { unsigned int const intQuotient = colormap.size / pamP->width; --- netpbm-10.34/doc/COPYRIGHT.PATENT.security 2004-05-01 01:54:22.000000000 +0200 +++ netpbm-10.34/doc/COPYRIGHT.PATENT 2006-06-22 12:45:18.000000000 +0200 @@ -33,6 +33,11 @@ all the above to be modified by "to the best of the Netpbm maintainer's knowledge." +These security fixes for netpbm are (c) Copyright 2002 Red Hat Inc. +Red Hat has not fixed those items with patent claims or commercial +use restrictions. These changes include NO WARRANTY and are provided +under the Open Software License v.1 (see file OPENLICENSE). + PATENTS --- netpbm-10.34/converter/pgm/psidtopgm.c.security 2005-08-27 20:38:40.000000000 +0200 +++ netpbm-10.34/converter/pgm/psidtopgm.c 2006-06-22 12:45:18.000000000 +0200 @@ -78,6 +78,7 @@ pm_error("bits/sample (%d) is too large.", bitspersample); pgm_writepgminit(stdout, cols, rows, maxval, 0); + overflow_add(cols, 7); grayrow = pgm_allocrow((cols + 7) / 8 * 8); for (row = 0; row < rows; ++row) { unsigned int col; --- netpbm-10.34/converter/pgm/lispmtopgm.c.security 2005-10-07 09:03:29.000000000 +0200 +++ netpbm-10.34/converter/pgm/lispmtopgm.c 2006-06-22 12:45:18.000000000 +0200 @@ -58,6 +58,7 @@ pm_error( "depth (%d bits) is too large", depth); pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 ); + overflow_add(cols, 7); grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 ); for ( row = 0; row < rows; ++row ) @@ -102,7 +103,9 @@ if ( *depthP == 0 ) *depthP = 1; /* very old file */ - + + overflow_add((int)colsP, 31); + *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP; if ( *colsP != (cols_32 - *padrightP) ) { --- netpbm-10.34/converter/ppm/pjtoppm.c.security 2003-07-06 23:45:36.000000000 +0200 +++ netpbm-10.34/converter/ppm/pjtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -127,19 +127,21 @@ case 'V': /* send plane */ case 'W': /* send last plane */ if (rows == -1 || r >= rows || image == NULL) { - if (rows == -1 || r >= rows) + if (rows == -1 || r >= rows) { + overflow_add(rows, 100); rows += 100; + } if (image == NULL) { - MALLOCARRAY(image, rows * planes); - MALLOCARRAY(imlen, rows * planes); + image = (unsigned char **) + malloc3(rows , planes , sizeof(unsigned char *)); + imlen = (int *) malloc3(rows , planes, sizeof(int)); } else { + overflow2(rows,planes); image = (unsigned char **) - realloc(image, - rows * planes * + realloc2(image, rows * planes, sizeof(unsigned char *)); - imlen = (int *) - realloc(imlen, rows * planes * sizeof(int)); + imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); } } if (image == NULL || imlen == NULL) @@ -212,8 +214,10 @@ for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) for (cmd = image[p + r * planes][c], val = image[p + r * planes][c+1]; - cmd >= 0 && i < newcols; cmd--, i++) + cmd >= 0 && i < newcols; cmd--, i++) { buf[i] = val; + overflow_add(i, 1); + } cols = cols > i ? cols : i; free(image[p + r * planes]); /* @@ -224,6 +228,7 @@ image[p + r * planes] = (unsigned char *) realloc(buf, i); } } + overflow2(cols, 8); cols *= 8; } --- netpbm-10.34/converter/ppm/ppmtoicr.c.security 2003-02-22 23:05:03.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtoicr.c 2006-06-22 12:45:18.000000000 +0200 @@ -169,7 +169,7 @@ if (rleflag) { pm_message("sending run-length encoded picture data ..." ); - testimage = (char*) malloc(rows*cols); + testimage = (char*) malloc2(rows, cols); p = testimage; for (i=0; i>3) * sizeof(int32 *); int xsz = (Fsize_x>>3); - + + overflow2((Fsize_y>>3), sizeof(int32 *)); needs_init = FALSE; for (y=0; y<3; y++) { varDiff[y] = ratio[y] = total[y] = 0.0; @@ -787,6 +788,7 @@ fprintf(stderr, "Out of memory in BlockComputeSNR\n"); exit(-1); } + overflow2(xsz,4); for (y = 0; y < ySize[0]>>3; y++) { SignalY[y] = (int32 *) calloc(xsz,4); SignalCr[y] = (int32 *) calloc(xsz,4); @@ -945,27 +947,27 @@ dctx = Fsize_x / DCTSIZE; dcty = Fsize_y / DCTSIZE; - dct = (Block **) malloc(sizeof(Block *) * dcty); + dct = (Block **) malloc2(sizeof(Block *), dcty); ERRCHK(dct, "malloc"); for (i = 0; i < dcty; i++) { - dct[i] = (Block *) malloc(sizeof(Block) * dctx); + dct[i] = (Block *) malloc2(sizeof(Block), dctx); ERRCHK(dct[i], "malloc"); } - dct_data = (dct_data_type **) malloc(sizeof(dct_data_type *) * dcty); + dct_data = (dct_data_type **) malloc2(sizeof(dct_data_type *), dcty); ERRCHK(dct_data, "malloc"); for (i = 0; i < dcty; i++) { - dct_data[i] = (dct_data_type *) malloc(sizeof(dct_data_type) * dctx); + dct_data[i] = (dct_data_type *) malloc2(sizeof(dct_data_type), dctx); ERRCHK(dct[i], "malloc"); } - dctr = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); - dctb = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); + dctr = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); + dctb = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); ERRCHK(dctr, "malloc"); ERRCHK(dctb, "malloc"); for (i = 0; i < (dcty >> 1); i++) { - dctr[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); - dctb[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); + dctr[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); + dctb[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); ERRCHK(dctr[i], "malloc"); ERRCHK(dctb[i], "malloc"); } --- netpbm-10.34/converter/ppm/ppmtopj.c.security 2005-10-07 09:01:27.000000000 +0200 +++ netpbm-10.34/converter/ppm/ppmtopj.c 2006-06-22 12:45:18.000000000 +0200 @@ -179,6 +179,7 @@ pixels = ppm_readppm( ifp, &cols, &rows, &maxval ); pm_close( ifp ); + overflow2(cols,2); obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char)); cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char)); --- netpbm-10.34/converter/ppm/imgtoppm.c.security 2002-09-06 18:30:03.000000000 +0200 +++ netpbm-10.34/converter/ppm/imgtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -84,6 +84,7 @@ len = atoi((char*) buf ); if ( fread( buf, len, 1, ifp ) != 1 ) pm_error( "bad colormap buf" ); + overflow2(cmaplen, 3); if ( cmaplen * 3 != len ) { pm_message( @@ -105,6 +106,7 @@ pm_error( "bad pixel data header" ); buf[8] = '\0'; len = atoi((char*) buf ); + overflow2(cols, rows); if ( len != cols * rows ) pm_message( "pixel data length (%d) does not match image size (%d)", --- netpbm-10.34/converter/ppm/ximtoppm.c.security 2005-10-07 08:59:40.000000000 +0200 +++ netpbm-10.34/converter/ppm/ximtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -111,6 +111,7 @@ header->bits_channel = atoi(a_head.bits_per_channel); header->alpha_flag = atoi(a_head.alpha_channel); if (strlen(a_head.author)) { + overflow_add(strlen(a_head.author),1); if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, 1))) { pm_message("ReadXimHeader: can't calloc author string" ); @@ -120,6 +121,7 @@ strncpy(header->author, a_head.author, strlen(a_head.author)); } if (strlen(a_head.date)) { + overflow_add(strlen(a_head.date),1); if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){ pm_message("ReadXimHeader: can't calloc date string" ); return(0); @@ -128,6 +130,7 @@ strncpy(header->date, a_head.date, strlen(a_head.date)); } if (strlen(a_head.program)) { + overflow_add(strlen(a_head.program),1); if (!(header->program = calloc( (unsigned int)strlen(a_head.program) + 1, 1))) { pm_message("ReadXimHeader: can't calloc program string" ); @@ -154,6 +157,7 @@ if (header->nchannels == 3 && header->bits_channel == 8) header->ncolors = 0; else if (header->nchannels == 1 && header->bits_channel == 8) { + overflow2(header->ncolors, sizeof(Color)); header->colors = (Color *)calloc((unsigned int)header->ncolors, sizeof(Color)); if (header->colors == NULL) { --- netpbm-10.34/converter/ppm/pcxtoppm.c.security 2006-05-19 22:38:39.000000000 +0200 +++ netpbm-10.34/converter/ppm/pcxtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -408,6 +408,7 @@ /* * clear the pixel buffer */ + overflow2(bytesperline, 8); npixels = (bytesperline * 8) / bitsperpixel; p = pixels; while (--npixels >= 0) @@ -469,6 +470,7 @@ } /* BytesPerLine should be >= BitsPerPixel * cols / 8 */ + overflow2(BytesPerLine, 8); rawcols = BytesPerLine * 8 / BitsPerPixel; if (headerCols > rawcols) { pm_message("warning - BytesPerLine = %d, " --- netpbm-10.34/converter/ppm/ppmtopict.c.security 2003-02-22 23:04:40.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtopict.c 2006-06-22 12:45:18.000000000 +0200 @@ -245,6 +245,8 @@ putShort(stdout, 0); /* mode */ /* Finally, write out the data. */ + overflow_add(cols/MAX_COUNT, 1); + overflow_add(cols, cols/MAX_COUNT+1); packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1)); oc = 0; for (row = 0; row < rows; row++) --- netpbm-10.34/converter/ppm/ppmtomitsu.c.security 2005-12-22 09:54:51.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtomitsu.c 2006-06-22 12:45:18.000000000 +0200 @@ -166,6 +166,8 @@ medias = MSize_User; if (dpi300) { + overflow2(medias.maxcols, 2); + overflow2(medias.maxrows, 2); medias.maxcols *= 2; medias.maxrows *= 2; } --- netpbm-10.34/converter/ppm/ppmtoilbm.c.security 2006-05-27 04:58:42.000000000 +0200 +++ netpbm-10.34/converter/ppm/ppmtoilbm.c 2006-06-22 12:56:24.000000000 +0200 @@ -1251,6 +1251,7 @@ maskmethod = 0; /* no masking - RGB8 uses genlock bits */ compmethod = 4; /* RGB8 files are always compressed */ + overflow2(cols, 4); MALLOCARRAY_NOFAIL(compr_row, cols * 4); if( maxval != 255 ) { @@ -1339,6 +1340,7 @@ maskmethod = 0; /* no masking - RGBN uses genlock bits */ compmethod = 4; /* RGBN files are always compressed */ + overflow2(cols, 2); MALLOCARRAY_NOFAIL(compr_row, cols * 2); if( maxval != 15 ) { @@ -1821,6 +1823,7 @@ int i; int *table; + overflow_add(oldmaxval, 1); MALLOCARRAY_NOFAIL(table, oldmaxval + 1); for(i = 0; i <= oldmaxval; i++ ) table[i] = (i * newmaxval + oldmaxval/2) / oldmaxval; @@ -2325,8 +2328,11 @@ MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols)); for (i = 0; i < RowBytes(cols); ++i) coded_rowbuf[i] = 0; - if (DO_COMPRESS) + if (DO_COMPRESS) { + overflow2(cols,2); + overflow_add(cols*2,2); MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols))); + } } switch (mode) { --- netpbm-10.34/converter/ppm/ilbmtoppm.c.security 2005-12-22 09:51:05.000000000 +0100 +++ netpbm-10.34/converter/ppm/ilbmtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -595,6 +595,7 @@ rawtype *chp; cols = bmhdP->w; + overflow_add(cols, 15); bytes = RowBytes(cols); for( plane = 0; plane < nPlanes; plane++ ) { int mask; @@ -682,6 +683,23 @@ Multipalette handling ****************************************************************************/ +static void * +xmalloc2(x, y) + int x; + int y; +{ + void *mem; + + overflow2(x,y); + if( x * y == 0 ) + return NULL; + + mem = malloc2(x,y); + if( mem == NULL ) + pm_error("out of memory allocating %d bytes", x * y); + return mem; +} + static void multi_adjust(cmap, row, palchange) @@ -1294,6 +1312,9 @@ if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); + overflow_add(redmaxval, 1); + overflow_add(greenmaxval, 1); + overflow_add(bluemaxval, 1); MALLOCARRAY_NOFAIL(redtable, redmaxval +1); MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); @@ -1725,7 +1746,9 @@ ChangeCount32 = *data++; datasize -= 2; + overflow_add(ChangeCount16, ChangeCount32); changes = ChangeCount16 + ChangeCount32; + overflow_add(changes, 1); for( i = 0; i < changes; i++ ) { if( totalchanges >= PCHG->TotalChanges ) goto fail; if( datasize < 2 ) goto fail; @@ -1852,6 +1875,7 @@ if( datasize < 2 ) goto fail; changes = BIG_WORD(data); data += 2; datasize -= 2; + overflow_add(changes, 1); MALLOCARRAY_NOFAIL(cmap->mp_change[row], changes + 1); for( i = 0; i < changes; i++ ) { if( totalchanges >= PCHG->TotalChanges ) goto fail; @@ -1965,6 +1989,9 @@ cmap->mp_change[i] = NULL; if( PCHG.StartLine < 0 ) { int nch; + if(PCHG.MaxReg < PCHG.MinReg) + pm_error("assert: MinReg > MaxReg"); + overflow_add(PCHG.MaxReg-PCHG.MinReg, 2); nch = PCHG.MaxReg - PCHG.MinReg +1; MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); for( i = 0; i < nch; i++ ) @@ -2041,6 +2068,7 @@ if( typeid == ID_ILBM ) { int isdeep; + overflow_add(bmhdP->w, 15); MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w)); *viewportmodesP |= fakeviewport; /* -isham/-isehb */ --- netpbm-10.34/converter/ppm/sldtoppm.c.security 2006-06-18 04:53:22.000000000 +0200 +++ netpbm-10.34/converter/ppm/sldtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -306,7 +306,9 @@ } /* Allocate image buffer and clear it to black. */ - + + overflow_add(ixdots,1); + overflow_add(iydots,1); pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1); PPM_ASSIGN(rgbcolor, 0, 0, 0); ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0, --- netpbm-10.34/converter/ppm/ppmtolj.c.security 2005-11-27 07:59:21.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtolj.c 2006-06-22 12:45:18.000000000 +0200 @@ -181,7 +181,8 @@ ppm_readppminit( ifp, &cols, &rows, &maxval, &format ); pixelrow = ppm_allocrow( cols ); - + + overflow2(cols, 6); obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char)); cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char)); if (mode == C_TRANS_MODE_DELTA) --- netpbm-10.34/converter/ppm/ppmtopcx.c.security 2005-08-27 20:25:49.000000000 +0200 +++ netpbm-10.34/converter/ppm/ppmtopcx.c 2006-06-22 12:45:18.000000000 +0200 @@ -418,6 +418,8 @@ else Planes = 1; } } + overflow2(BitsPerPixel, cols); + overflow_add(BitsPerPixel * cols, 7); BytesPerLine = ((cols * BitsPerPixel) + 7) / 8; MALLOCARRAY_NOFAIL(indexRow, cols); MALLOCARRAY_NOFAIL(planesrow, BytesPerLine); --- netpbm-10.34/converter/ppm/Makefile.security 2006-06-22 12:45:17.000000000 +0200 +++ netpbm-10.34/converter/ppm/Makefile 2006-06-22 12:45:18.000000000 +0200 @@ -11,7 +11,7 @@ PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ leaftoppm mtvtoppm neotoppm \ - pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ + pcxtoppm pc1toppm pi1toppm pjtoppm \ ppmtoacad ppmtoarbtxt \ ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ --- netpbm-10.34/converter/ppm/ppmtoxpm.c.security 2005-12-21 17:50:01.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtoxpm.c 2006-06-22 12:45:18.000000000 +0200 @@ -195,6 +195,7 @@ unsigned int i; /* Allocate memory for printed number. Abort if error. */ + overflow_add(digits, 1); if (!(str = (char *) malloc(digits + 1))) pm_error("out of memory"); @@ -312,6 +313,7 @@ unsigned int charsPerPixel; unsigned int xpmMaxval; + if (includeTransparent) overflow_add(ncolors, 1); MALLOCARRAY(cmap, cmapSize); if (cmapP == NULL) pm_error("Out of memory allocating %u bytes for a color map.", --- netpbm-10.34/converter/ppm/ppmtopjxl.c.security 2005-12-22 09:54:12.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtopjxl.c 2006-06-22 12:45:18.000000000 +0200 @@ -274,6 +274,8 @@ pm_error("image too large; reduce with ppmscale"); if (maxval > PCL_MAXVAL) pm_error("color range too large; reduce with ppmcscale"); + if (cols < 0 || rows < 0) + pm_error("negative size is not possible"); /* Figure out the colormap. */ fprintf( stderr, "(Computing colormap..." ); fflush( stderr ); @@ -294,6 +296,8 @@ case 0: /* direct mode (no palette) */ bpp = bitsperpixel(maxval); /* bits per pixel */ bpg = bpp; bpb = bpp; + overflow2(bpp, 3); + overflow_add(bpp*3, 7); bpp = (bpp*3+7)>>3; /* bytes per pixel now */ bpr = (bpp<<3)-bpg-bpb; bpp *= cols; /* bytes per row now */ @@ -303,9 +307,13 @@ case 3: case 7: pclindex++; default: bpp = 8/pclindex; + overflow_add(cols, bpp); + if(bpp == 0) + pm_error("assert: no bpp"); bpp = (cols+bpp-1)/bpp; /* bytes per row */ } + overflow2(bpp,2); if ((inrow = (char *)malloc((unsigned)bpp)) == NULL || (outrow = (char *)malloc((unsigned)bpp*2)) == NULL || (runcnt = (signed char *)malloc((unsigned)bpp)) == NULL) --- netpbm-10.34/converter/ppm/yuvtoppm.c.security 2003-07-06 22:32:09.000000000 +0200 +++ netpbm-10.34/converter/ppm/yuvtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -72,6 +72,7 @@ ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0); pixrow = ppm_allocrow(cols); + overflow_add(cols, 1); MALLOCARRAY(yuvbuf, (cols+1)/2); if (yuvbuf == NULL) pm_error("Unable to allocate YUV buffer for %d columns.", cols); --- netpbm-10.34/converter/ppm/picttoppm.c.security 2006-06-17 21:11:56.000000000 +0200 +++ netpbm-10.34/converter/ppm/picttoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -1,3 +1,5 @@ +#error "Unfixable. Don't ship me" + /* * picttoppm.c -- convert a MacIntosh PICT file to PPM format. * --- netpbm-10.34/converter/ppm/ppmtowinicon.c.security 2005-10-07 08:14:24.000000000 +0200 +++ netpbm-10.34/converter/ppm/ppmtowinicon.c 2006-06-22 12:45:18.000000000 +0200 @@ -12,6 +12,7 @@ #include #include +#include #include "winico.h" #include "ppm.h" @@ -218,6 +219,7 @@ MALLOCARRAY_NOFAIL(rowData, rows); icBitmap->xBytes = xBytes; icBitmap->data = rowData; + overflow2(xBytes, rows); icBitmap->size = xBytes * rows; for (y=0;yxBytes = xBytes; icBitmap->data = rowData; + overflow2(xBytes, rows); icBitmap->size = xBytes * rows; for (y=0;yxBytes = xBytes; icBitmap->data = rowData; + overflow2(xBytes, rows); icBitmap->size = xBytes * rows; for (y=0;ybitcount = bpp; entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); entry->colors = palette->colors; + overflow2(4, entry->color_count); + overflow_add(xorBitmap->size, andBitmap->size); + overflow_add(xorBitmap->size + andBitmap->size, 40); + overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); entry->size_in_bytes = xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); if (verbose) --- netpbm-10.34/converter/ppm/xpmtoppm.c.security 2005-10-07 08:59:22.000000000 +0200 +++ netpbm-10.34/converter/ppm/xpmtoppm.c 2006-06-22 12:45:18.000000000 +0200 @@ -700,6 +700,7 @@ &ncolors, colorsP, &ptab); *transparentP = -1; /* No transparency in version 1 */ } + overflow2(*widthP, *heightP); totalpixels = *widthP * *heightP; MALLOCARRAY(*dataP, totalpixels); if (*dataP == NULL) --- netpbm-10.34/converter/ppm/ppmtoeyuv.c.security 2005-12-22 09:53:14.000000000 +0100 +++ netpbm-10.34/converter/ppm/ppmtoeyuv.c 2006-06-22 12:45:18.000000000 +0200 @@ -114,6 +114,7 @@ int index; + overflow_add(maxval, 1); MALLOCARRAY_NOFAIL(mult299 , maxval+1); MALLOCARRAY_NOFAIL(mult587 , maxval+1); MALLOCARRAY_NOFAIL(mult114 , maxval+1); --- netpbm-10.34/converter/pbm/mgrtopbm.c.security 2005-02-20 20:58:25.000000000 +0100 +++ netpbm-10.34/converter/pbm/mgrtopbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -68,6 +68,8 @@ if (head.h_high < ' ' || head.l_high < ' ') pm_error("Invalid width field in MGR header"); + overflow_add(*colsP, pad); + *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; --- netpbm-10.34/converter/pbm/pbmtoascii.c.security 2002-07-30 17:42:53.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtoascii.c 2006-06-22 12:45:18.000000000 +0200 @@ -115,9 +115,11 @@ pm_usage( usage ); pbm_readpbminit( ifp, &cols, &rows, &format ); + overflow_add(cols, gridx); ccols = ( cols + gridx - 1 ) / gridx; bitrow = pbm_allocrow( cols ); sig = (int*) pm_allocrow( ccols, sizeof(int) ); + overflow_add(ccols, 1); line = (char*) pm_allocrow( ccols + 1, sizeof(char) ); for ( row = 0; row < rows; row += gridy ) --- netpbm-10.34/converter/pbm/pbmtox10bm.c.security 2005-10-07 09:10:10.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtox10bm.c 2006-06-22 12:45:18.000000000 +0200 @@ -57,6 +57,7 @@ bitrow = pbm_allocrow( cols ); /* Compute padding to round cols up to the nearest multiple of 16. */ + overflow_add(cols, 15); padright = ( ( cols + 15 ) / 16 ) * 16 - cols; printf( "#define %s_width %d\n", name, cols ); --- netpbm-10.34/converter/pbm/pbmtoppa/pbmtoppa.c.security 2005-04-30 18:45:07.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtoppa/pbmtoppa.c 2006-06-22 12:45:18.000000000 +0200 @@ -441,6 +441,7 @@ pm_error("main(): unrecognized parameter '%s'", argv[argn]); } + overflow_add(Width, 7); Pwidth=(Width+7)/8; printer.fptr=out; --- netpbm-10.34/converter/pbm/pbmtoppa/pbm.c.security 2000-06-01 19:20:30.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtoppa/pbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -105,6 +105,7 @@ return 0; case P4: + overflow_add(pbm->width, 7); tmp=(pbm->width+7)/8; tmp2=fread(data,1,tmp,pbm->fptr); if(tmp2 == tmp) @@ -129,7 +130,8 @@ return; pbm->unread = 1; - pbm->revdata = malloc ((pbm->width+7)/8); + overflow_add(pbm->width, 7); + pbm->revdata = malloc((pbm->width+7)/8); memcpy (pbm->revdata, data, (pbm->width+7)/8); pbm->current_line--; } --- netpbm-10.34/converter/pbm/ybmtopbm.c.security 1993-10-04 10:10:35.000000000 +0100 +++ netpbm-10.34/converter/pbm/ybmtopbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -88,6 +88,7 @@ pm_error( "EOF / read error" ); *depthP = 1; + overflow_add(*colsP, 15); *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP; bitsperitem = 0; } --- netpbm-10.34/converter/pbm/pbmtolj.c.security 2005-07-21 18:04:48.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtolj.c 2006-06-22 12:45:18.000000000 +0200 @@ -119,7 +119,11 @@ static void allocateBuffers(unsigned int const cols) { + overflow_add(cols, 8); rowBufferSize = (cols + 7) / 8; + overflow_add(rowBufferSize, 128); + overflow_add(rowBufferSize, rowBufferSize+128); + overflow_add(rowBufferSize+10, rowBufferSize/8); packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; --- netpbm-10.34/converter/pbm/pbmto4425.c.security 2005-10-07 09:13:08.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmto4425.c 2006-06-22 12:45:18.000000000 +0200 @@ -2,6 +2,7 @@ #include "nstring.h" #include "pbm.h" +#include static char bit_table[2][3] = { {1, 4, 0x10}, @@ -160,7 +161,7 @@ xres = vmap_width * 2; yres = vmap_height * 3; - vmap = malloc(vmap_width * vmap_height * sizeof(char)); + vmap = malloc3(vmap_width, vmap_height, sizeof(char)); if(vmap == NULL) { pm_error( "Cannot allocate memory" ); --- netpbm-10.34/converter/pbm/icontopbm.c.security 2005-10-07 09:14:45.000000000 +0200 +++ netpbm-10.34/converter/pbm/icontopbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -11,6 +11,7 @@ */ #include +#include #include "nstring.h" #include "pbm.h" @@ -87,6 +88,11 @@ if ( *heightP <= 0 ) pm_error( "invalid height (must be positive): %d", *heightP ); + if ( *widthP > INT_MAX - 16 || *widthP < 0) + pm_error( "invalid width: %d", *widthP); + + overflow2(*widthP + 16, *heightP); + data_length = BitmapSize( *widthP, *heightP ); *dataP = (short unsigned int *) malloc( data_length ); if ( *dataP == NULL ) --- netpbm-10.34/converter/pbm/pbmtogem.c.security 2000-06-09 09:07:05.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtogem.c 2006-06-22 12:45:18.000000000 +0200 @@ -123,6 +123,7 @@ bitsperitem = 0; bitshift = 7; outcol = 0; + overflow_add(cols, 7); outmax = (cols + 7) / 8; outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); --- netpbm-10.34/converter/pbm/pbmtogo.c.security 2005-12-22 09:45:07.000000000 +0100 +++ netpbm-10.34/converter/pbm/pbmtogo.c 2006-06-22 12:45:18.000000000 +0200 @@ -91,6 +91,7 @@ bitrow = pbm_allocrow(cols); /* Round cols up to the nearest multiple of 8. */ + overflow_add(cols, 7); rucols = ( cols + 7 ) / 8; bytesperrow = rucols; /* GraphOn uses bytes */ rucols = rucols * 8; --- netpbm-10.34/converter/pbm/thinkjettopbm.l.security 2006-04-03 22:38:13.000000000 +0200 +++ netpbm-10.34/converter/pbm/thinkjettopbm.l 2006-06-22 12:45:18.000000000 +0200 @@ -106,7 +106,9 @@ \033\*b{DIG}+W { int l; if (rowCount >= rowCapacity) { + overflow_add(rowCapacity, 100); rowCapacity += 100; + overflow2(rowCapacity, sizeof *rows); rows = realloc (rows, rowCapacity * sizeof *rows); if (rows == NULL) pm_error ("Out of memory."); @@ -216,6 +218,8 @@ /* * Quite simple since ThinkJet bit arrangement matches PBM */ + + overflow2(maxRowLength, 8); pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0); packed_bitrow = malloc(maxRowLength); --- netpbm-10.34/converter/pbm/pbmtoxbm.c.security 2005-10-07 09:08:17.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtoxbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -100,6 +100,7 @@ bitrow = pbm_allocrow(cols); /* Compute padding to round cols up to the nearest multiple of 8. */ + overflow_add(cols, 8); padright = ((cols + 7)/8) * 8 - cols; printf("#define %s_width %d\n", name, cols); --- netpbm-10.34/converter/pbm/mdatopbm.c.security 2005-08-15 09:01:25.000000000 +0200 +++ netpbm-10.34/converter/pbm/mdatopbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -245,10 +245,13 @@ pm_readlittleshort(infile, &yy); nInCols = yy; } + overflow2(nOutCols, 8); nOutCols = 8 * nInCols; nOutRows = nInRows; - if (bScale) + if (bScale) { + overflow2(nOutRows, 2); nOutRows *= 2; + } data = pbm_allocarray(nOutCols, nOutRows); --- netpbm-10.34/converter/pbm/pbmtocmuwm.c.security 1993-10-04 10:10:46.000000000 +0100 +++ netpbm-10.34/converter/pbm/pbmtocmuwm.c 2006-06-22 12:45:18.000000000 +0200 @@ -43,6 +43,7 @@ bitrow = pbm_allocrow( cols ); /* Round cols up to the nearest multiple of 8. */ + overflow_add(cols, 7); padright = ( ( cols + 7 ) / 8 ) * 8 - cols; putinit( rows, cols ); --- netpbm-10.34/converter/pbm/pbmtomda.c.security 2005-08-15 09:01:50.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtomda.c 2006-06-22 12:45:18.000000000 +0200 @@ -179,6 +179,7 @@ nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; + overflow_add(nOutRowsUnrounded, 3); nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; /* MDA wants rows a multiple of 4 */ nOutCols = nInCols / 8; --- netpbm-10.34/converter/pbm/pbmtozinc.c.security 2005-10-07 09:08:07.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtozinc.c 2006-06-22 12:45:18.000000000 +0200 @@ -65,6 +65,7 @@ bitrow = pbm_allocrow( cols ); /* Compute padding to round cols up to the nearest multiple of 16. */ + overflow_add(cols, 16); padright = ( ( cols + 15 ) / 16 ) * 16 - cols; printf( "USHORT %s[] = {\n",name); --- netpbm-10.34/converter/pbm/pbmtoicon.c.security 2002-07-30 17:47:48.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtoicon.c 2006-06-22 12:45:18.000000000 +0200 @@ -42,6 +42,7 @@ bitrow = pbm_allocrow( cols ); /* Round cols up to the nearest multiple of 16. */ + overflow_add(cols, 15); pad = ( ( cols + 15 ) / 16 ) * 16 - cols; padleft = pad / 2; padright = pad - padleft; --- netpbm-10.34/converter/pbm/pbmtomacp.c.security 2002-09-06 18:04:22.000000000 +0200 +++ netpbm-10.34/converter/pbm/pbmtomacp.c 2006-06-22 12:45:18.000000000 +0200 @@ -104,6 +104,7 @@ if( !lflg ) left = 0; + overflow_add(left, MAX_COLS - 1); if( rflg ) { if( right - left >= MAX_COLS ) right = left + MAX_COLS - 1; @@ -114,6 +115,8 @@ if( !tflg ) top = 0; + overflow_add(top, MAX_LINES - 1); + if( bflg ) { if( bottom - top >= MAX_LINES ) bottom = top + MAX_LINES - 1; --- netpbm-10.34/converter/pbm/pbmtomgr.c.security 1993-10-04 10:10:50.000000000 +0100 +++ netpbm-10.34/converter/pbm/pbmtomgr.c 2006-06-22 12:45:18.000000000 +0200 @@ -43,6 +43,7 @@ bitrow = pbm_allocrow( cols ); /* Round cols up to the nearest multiple of 8. */ + overflow_add(cols, 7); padright = ( ( cols + 7 ) / 8 ) * 8 - cols; putinit( rows, cols ); --- netpbm-10.34/converter/pbm/pbmto10x.c.security 2004-03-20 05:23:36.000000000 +0100 +++ netpbm-10.34/converter/pbm/pbmto10x.c 2006-06-22 12:45:18.000000000 +0200 @@ -162,7 +162,7 @@ res_60x72(); pm_close(ifp); - exit(0); + return 0; } --- netpbm-10.34/converter/pbm/pbmtoybm.c.security 1993-10-04 10:10:43.000000000 +0100 +++ netpbm-10.34/converter/pbm/pbmtoybm.c 2006-06-22 12:45:18.000000000 +0200 @@ -45,6 +45,7 @@ bitrow = pbm_allocrow( cols ); /* Compute padding to round cols up to the nearest multiple of 16. */ + overflow_add(cols, 16); padright = ( ( cols + 15 ) / 16 ) * 16 - cols; putinit( cols, rows ); --- netpbm-10.34/converter/pbm/pktopbm.c.security 2005-12-22 09:48:08.000000000 +0100 +++ netpbm-10.34/converter/pbm/pktopbm.c 2006-06-22 12:45:18.000000000 +0200 @@ -277,6 +277,7 @@ if (flagbyte == 7) { /* long form preamble */ integer packetlength = get32() ; /* character packet length */ car = get32() ; /* character number */ + overflow_add(packetlength, pktopbm_pkloc); endofpacket = packetlength + pktopbm_pkloc; /* calculate end of packet */ if ((car >= MAXPKCHAR) || !filename[car]) { --- netpbm-10.34/converter/other/pngtopnm.c.security 2005-10-29 19:40:03.000000000 +0200 +++ netpbm-10.34/converter/other/pngtopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -985,19 +985,24 @@ pm_error ("couldn't allocate space for image"); } - if (info_ptr->bit_depth == 16) + if (info_ptr->bit_depth == 16) { + overflow2(2, info_ptr->width); linesize = 2 * info_ptr->width; - else + } else linesize = info_ptr->width; - if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) + if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { + overflow2(2, linesize); linesize *= 2; - else - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) + } else + if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) { + overflow2(3, linesize); linesize *= 3; - else - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) + } else + if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) { + overflow2(4, linesize); linesize *= 4; + } for (y = 0 ; y < info_ptr->height ; y++) { png_image[y] = malloc (linesize); --- netpbm-10.34/converter/other/tifftopnm.c.security 2006-01-05 18:05:31.000000000 +0100 +++ netpbm-10.34/converter/other/tifftopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -748,7 +748,8 @@ if (scanbuf == NULL) pm_error("can't allocate memory for scanline buffer"); - MALLOCARRAY(samplebuf, cols * spp); + /* samplebuf is unsigned int * !!! */ + samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp); if (samplebuf == NULL) pm_error ("can't allocate memory for row buffer"); --- netpbm-10.34/converter/other/pnmtoddif.c.security 2002-07-30 19:09:13.000000000 +0200 +++ netpbm-10.34/converter/other/pnmtoddif.c 2006-06-22 12:45:18.000000000 +0200 @@ -484,6 +484,7 @@ switch (PNM_FORMAT_TYPE(format)) { case PBM_TYPE: ip.bits_per_pixel = 1; + overflow_add(cols, 7); ip.bytes_per_line = (cols + 7) / 8; ip.spectral = 2; ip.components = 1; @@ -499,6 +500,7 @@ ip.polarity = 2; break; case PPM_TYPE: + overflow2(cols, 3); ip.bytes_per_line = 3 * cols; ip.bits_per_pixel = 24; ip.spectral = 5; --- netpbm-10.34/converter/other/xwdtopnm.c.security 2006-02-22 01:28:19.000000000 +0100 +++ netpbm-10.34/converter/other/xwdtopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -214,6 +214,9 @@ *colorsP = pnm_allocrow( 2 ); PNM_ASSIGN1( (*colorsP)[0], 0 ); PNM_ASSIGN1( (*colorsP)[1], *maxvalP ); + overflow_add(h10P->pixmap_width, 15); + if(h10P->pixmap_width < 0) + pm_error("assert: negative width"); *padrightP = ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width; *bits_per_itemP = 16; @@ -223,9 +226,13 @@ *formatP = PGM_TYPE; *visualclassP = StaticGray; *maxvalP = ( 1 << h10P->display_planes ) - 1; + overflow_add(*maxvalP, 1); *colorsP = pnm_allocrow( *maxvalP + 1 ); for ( i = 0; i <= *maxvalP; ++i ) PNM_ASSIGN1( (*colorsP)[i], i ); + overflow_add(h10P->pixmap_width, 15); + if(h10P->pixmap_width < 0) + pm_error("assert: negative width"); *padrightP = ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width; *bits_per_itemP = 16; @@ -544,6 +551,7 @@ *colsP = h11FixedP->pixmap_width; *rowsP = h11FixedP->pixmap_height; + overflow2(h11FixedP->bytes_per_line, 8); *padrightP = h11FixedP->bytes_per_line * 8 / h11FixedP->bits_per_pixel - h11FixedP->pixmap_width; --- netpbm-10.34/converter/other/pnmtorle.c.security 2005-05-22 19:01:43.000000000 +0200 +++ netpbm-10.34/converter/other/pnmtorle.c 2006-06-22 12:45:18.000000000 +0200 @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * pnmtorle - A program which will convert pbmplus (ppm or pgm) images --- netpbm-10.34/converter/other/pnmtops.c.security 2006-02-25 18:37:25.000000000 +0100 +++ netpbm-10.34/converter/other/pnmtops.c 2006-06-22 12:45:18.000000000 +0200 @@ -184,16 +184,20 @@ cmdlineP->canturn = !noturn; cmdlineP->showpage = !noshowpage; + overflow2(width, 72); cmdlineP->width = width * 72; + overflow2(height, 72); cmdlineP->height = height * 72; - if (imagewidthSpec) + if (imagewidthSpec) { + overflow2(imagewidth, 72); cmdlineP->imagewidth = imagewidth * 72; - else + } else cmdlineP->imagewidth = 0; - if (imageheightSpec) + if (imageheightSpec) { + overflow2(imageheight, 72); cmdlineP->imageheight = imageheight * 72; - else + } else cmdlineP->imageheight = 0; if (!cmdlineP->psfilter && --- netpbm-10.34/converter/other/pnmtojpeg.c.security 2006-06-18 20:35:52.000000000 +0200 +++ netpbm-10.34/converter/other/pnmtojpeg.c 2006-06-22 12:45:18.000000000 +0200 @@ -587,6 +587,8 @@ const long half_maxval = maxval / 2; long val; + overflow_add(maxval, 1); + overflow2(maxval+1, sizeof(JSAMPLE)); *rescale_p = (JSAMPLE *) (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, (size_t) (((long) maxval + 1L) * @@ -665,6 +667,7 @@ */ /* Allocate the libpnm output and compressor input buffers */ + overflow2(cinfo_p->image_width, cinfo_p->input_components); buffer = (*cinfo_p->mem->alloc_sarray) ((j_common_ptr) cinfo_p, JPOOL_IMAGE, (unsigned int) cinfo_p->image_width * cinfo_p->input_components, @@ -932,7 +935,11 @@ * want JPOOL_PERMANENT. */ const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); - jpeg_scan_info * const scan_info = + const jpeg_scan_info * scan_info; + + overflow2(nscans, sizeof(jpeg_scan_info)); + + scan_info = (jpeg_scan_info *) (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, scan_info_size); --- netpbm-10.34/converter/other/jpegtopnm.c.security 2005-10-07 08:57:11.000000000 +0200 +++ netpbm-10.34/converter/other/jpegtopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -828,6 +828,7 @@ /* Calculate output image dimensions so we can allocate space */ jpeg_calc_output_dimensions(cinfoP); + overflow2(cinfoP->output_width, cinfoP->output_components); jpegbuffer = ((*cinfoP->mem->alloc_sarray) ((j_common_ptr) cinfoP, JPOOL_IMAGE, cinfoP->output_width * cinfoP->output_components, --- netpbm-10.34/converter/other/pbmtopgm.c.security 2005-12-03 18:42:41.000000000 +0100 +++ netpbm-10.34/converter/other/pbmtopgm.c 2006-06-22 12:45:18.000000000 +0200 @@ -47,6 +47,7 @@ "than the image height (%u rows)", height, rows); outrow = pgm_allocrow(cols) ; + overflow2(width, height); maxval = MIN(PGM_OVERALLMAXVAL, width*height); pgm_writepgminit(stdout, cols, rows, maxval, 0) ; --- netpbm-10.34/converter/other/pnmtosgi.c.security 2003-07-10 06:04:07.000000000 +0200 +++ netpbm-10.34/converter/other/pnmtosgi.c 2006-06-22 12:45:18.000000000 +0200 @@ -213,6 +213,22 @@ } } +static void * +xmalloc2(int x, int y) +{ + void *mem; + + overflow2(x,y); + if( x * y == 0 ) + return NULL; + + mem = malloc2(x, y); + if( mem == NULL ) + pm_error("out of memory allocating %d bytes", x * y); + return mem; +} + + static void put_big_short(short s) { @@ -250,6 +266,7 @@ #endif if( storage != STORAGE_VERBATIM ) { + overflow2(channels, rows); MALLOCARRAY_NOFAIL(table, channels * rows); MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); } @@ -303,6 +320,8 @@ break; case STORAGE_RLE: tabrow = chan_no * rows + row; + overflow2(chan_no, rows); + overflow_add(chan_no* rows, row); len = rle_compress(temp, cols); /* writes result into rletemp */ channel[chan_no][row].length = len; MALLOCARRAY(p, len); --- netpbm-10.34/converter/other/rletopnm.c.security 2005-11-13 22:40:02.000000000 +0100 +++ netpbm-10.34/converter/other/rletopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rletopnm - A conversion program to convert from Utah's "rle" image format --- netpbm-10.34/converter/other/sirtopnm.c.security 2002-01-04 18:22:45.000000000 +0100 +++ netpbm-10.34/converter/other/sirtopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -69,6 +69,7 @@ } break; case PPM_TYPE: + overflow3(cols, rows, 3); picsize = cols * rows * 3; planesize = cols * rows; if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) --- netpbm-10.34/converter/other/gemtopnm.c.security 2005-08-27 19:30:45.000000000 +0200 +++ netpbm-10.34/converter/other/gemtopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -106,6 +106,7 @@ pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); + overflow_add(cols, padright); { /* allocate input row data structure */ int plane; --- netpbm-10.34/converter/other/sgitopnm.c.security 2005-08-27 19:33:09.000000000 +0200 +++ netpbm-10.34/converter/other/sgitopnm.c 2006-06-22 12:45:18.000000000 +0200 @@ -252,13 +252,17 @@ if (ochan < 0) { maxchannel = (head->zsize < 3) ? head->zsize : 3; + overflow2(head->ysize, maxchannel); MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); } else { maxchannel = ochan + 1; MALLOCARRAY_NOFAIL(image, head->ysize); } - if ( table ) + if ( table ) { + overflow2(head->xsize, 2); + overflow_add(head->xsize*2, 2); MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); + } for( channel = 0; channel < maxchannel; channel++ ) { #ifdef DEBUG --- netpbm-10.34/analyzer/pgmhist.c.security 2003-07-06 21:23:19.000000000 +0200 +++ netpbm-10.34/analyzer/pgmhist.c 2006-06-22 12:45:18.000000000 +0200 @@ -45,6 +45,7 @@ grayrow = pgm_allocrow( cols ); /* Build histogram. */ + overflow_add(maxval, 1); MALLOCARRAY(hist, maxval + 1); MALLOCARRAY(rcount, maxval + 1); if ( hist == NULL || rcount == NULL ) --- netpbm-10.34/analyzer/pgmtexture.c.security 2005-12-22 10:17:08.000000000 +0100 +++ netpbm-10.34/analyzer/pgmtexture.c 2006-06-22 12:45:18.000000000 +0200 @@ -79,6 +79,9 @@ { float *v; + if(nh < nl) + pm_error("assert: h < l"); + overflow_add(nh - nl, 1); MALLOCARRAY(v, (unsigned) (nh - nl + 1)); if (v == NULL) pm_error("Unable to allocate memory for a vector."); @@ -95,6 +98,9 @@ float **m; /* allocate pointers to rows */ + if(nrh < nrl) + pm_error("assert: h < l"); + overflow_add(nrh - nrl, 1); MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); if (m == NULL) pm_error("Unable to allocate memory for a matrix."); @@ -102,6 +108,9 @@ m -= ncl; /* allocate rows and set pointers to them */ + if(nch < ncl) + pm_error("assert: h < l"); + overflow_add(nch - ncl, 1); for (i = nrl; i <= nrh; i++) { MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); --- netpbm-10.34/lib/libpbm1.c.security 2005-02-05 19:41:54.000000000 +0100 +++ netpbm-10.34/lib/libpbm1.c 2006-06-22 12:45:18.000000000 +0200 @@ -56,6 +56,7 @@ pm_message("pm_filepos passed to pm_check() is %u bytes", sizeof(pm_filepos)); #endif + overflow2(bytes_per_row, rows); pm_check(file, check_type, need_raster_size, retval_p); } } --- netpbm-10.34/lib/pm.h.security 2006-05-19 22:39:07.000000000 +0200 +++ netpbm-10.34/lib/pm.h 2006-06-22 12:45:18.000000000 +0200 @@ -340,4 +340,10 @@ #endif +void *malloc2(int, int); +void *malloc3(int, int, int); +void overflow2(int, int); +void overflow3(int, int, int); +void overflow_add(int, int); + #endif --- netpbm-10.34/lib/libpammap.c.security 2005-12-03 18:01:03.000000000 +0100 +++ netpbm-10.34/lib/libpammap.c 2006-06-22 12:45:18.000000000 +0200 @@ -102,6 +102,8 @@ */ struct tupleint_list_item * retval; + overflow2(pamP->depth, sizeof(sample)); + overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); unsigned int const size = sizeof(*retval) - sizeof(retval->tupleint.tuple) + pamP->depth * sizeof(sample); --- netpbm-10.34/lib/libpam.c.security 2006-04-23 03:50:53.000000000 +0200 +++ netpbm-10.34/lib/libpam.c 2006-06-22 12:45:18.000000000 +0200 @@ -221,7 +221,8 @@ int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample); tuple * tuplerow; - tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple)); + overflow_add(sizeof(tuple *), bytesPerTuple); + tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytesPerTuple); if (tuplerow != NULL) { /* Now we initialize the pointers to the individual tuples --- netpbm-10.34/lib/libpm.c.security 2006-06-18 19:46:31.000000000 +0200 +++ netpbm-10.34/lib/libpm.c 2006-06-22 12:45:18.000000000 +0200 @@ -36,6 +36,7 @@ /* This makes the the x64() functions available on AIX */ #include +#include #include #include #include @@ -205,7 +206,7 @@ if (rowIndex == NULL) pm_error("out of memory allocating row index (%u rows) for an array", rows); - rowheap = malloc(rows * cols * size); + rowheap = malloc3(rows, cols, size); if (rowheap == NULL) { /* We couldn't get the whole heap in one block, so try fragmented format. @@ -1483,4 +1484,53 @@ } +/* + * Maths wrapping + */ + +void overflow2(int a, int b) +{ + if(a < 0 || b < 0) + pm_error("object too large"); + if(b == 0) + return; + if(a > INT_MAX / b) + pm_error("object too large"); +} + +void overflow3(int a, int b, int c) +{ + overflow2(a,b); + overflow2(a*b, c); +} + +void overflow_add(int a, int b) +{ + if( a > INT_MAX - b) + pm_error("object too large"); +} + +void *malloc2(int a, int b) +{ + overflow2(a, b); + if(a*b == 0) + pm_error("Zero byte allocation"); + return malloc(a*b); +} + +void *malloc3(int a, int b, int c) +{ + overflow3(a, b, c); + if(a*b*c == 0) + pm_error("Zero byte allocation"); + return malloc(a*b*c); +} + +void *realloc2(void * a, int b, int c) +{ + overflow2(b, c); + if(b*c == 0) + pm_error("Zero byte allocation"); + return realloc(a, b*c); +} --- netpbm-10.34/lib/libpbmvms.c.security 2005-08-27 19:24:54.000000000 +0200 +++ netpbm-10.34/lib/libpbmvms.c 2006-06-22 12:45:18.000000000 +0200 @@ -1,3 +1,5 @@ +#warning "NOT AUDITED" + /*************************************************************************** This file contains library routines needed to build Netpbm for VMS. However, as of 2000.05.26, when these were split out of libpbm1.c --- netpbm-10.34/editor/pbmreduce.c.security 2003-07-06 21:41:49.000000000 +0200 +++ netpbm-10.34/editor/pbmreduce.c 2006-06-22 12:45:18.000000000 +0200 @@ -93,6 +93,7 @@ if ( halftone == QT_FS ) { /* Initialize Floyd-Steinberg. */ + overflow_add(newcols, 2); MALLOCARRAY(thiserr, newcols + 2); MALLOCARRAY(nexterr, newcols + 2); if ( thiserr == NULL || nexterr == NULL ) --- netpbm-10.34/editor/pnmindex.csh.security 2000-09-14 07:37:35.000000000 +0200 +++ netpbm-10.34/editor/pnmindex.csh 2006-06-22 12:45:18.000000000 +0200 @@ -1,5 +1,8 @@ #!/bin/csh -f # +echo "Unsafe code, needs debugging, do not ship" +exit 1 +# # pnmindex - build a visual index of a bunch of anymaps # # Copyright (C) 1991 by Jef Poskanzer. --- netpbm-10.34/editor/pnmscalefixed.c.security 2002-07-30 19:52:49.000000000 +0200 +++ netpbm-10.34/editor/pnmscalefixed.c 2006-06-22 12:45:18.000000000 +0200 @@ -209,6 +209,8 @@ const int rows, const int cols, int * newrowsP, int * newcolsP) { + overflow2(rows, cols); + if (cmdline.pixels) { if (rows * cols <= cmdline.pixels) { *newrowsP = rows; @@ -260,6 +262,8 @@ if (*newcolsP < 1) *newcolsP = 1; if (*newrowsP < 1) *newrowsP = 1; + + overflow2(*newcolsP, *newrowsP); } @@ -441,6 +445,9 @@ unfilled. We can address that by stretching, whereas the other case would require throwing away some of the input. */ + + overflow2(newcols, SCALE); + overflow2(newrows, SCALE); sxscale = SCALE * newcols / cols; syscale = SCALE * newrows / rows; --- netpbm-10.34/editor/pnmcut.c.security 2002-07-30 19:47:37.000000000 +0200 +++ netpbm-10.34/editor/pnmcut.c 2006-06-22 12:45:18.000000000 +0200 @@ -373,6 +373,7 @@ toprow, leftcol, bottomrow, rightcol); } + overflow_add(rightcol, 1); output_cols = rightcol-leftcol+1; output_row = pnm_allocrow(output_cols); --- netpbm-10.34/editor/pamoil.c.security 2005-08-15 09:05:44.000000000 +0200 +++ netpbm-10.34/editor/pamoil.c 2006-06-22 12:45:18.000000000 +0200 @@ -112,6 +112,7 @@ tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); pm_close(ifp); + overflow_add(inpam.maxval, 1); MALLOCARRAY(hist, inpam.maxval + 1); if (hist == NULL) pm_error("Unable to allocate memory for histogram."); --- netpbm-10.34/editor/pnmremap.c.security 2006-02-25 19:18:47.000000000 +0100 +++ netpbm-10.34/editor/pnmremap.c 2006-06-22 12:45:18.000000000 +0200 @@ -284,6 +284,7 @@ unsigned int const fserrSize = pamP->width + 2; + overflow_add(pamP->width, 2); MALLOCARRAY(fserrP->thiserr, pamP->depth); if (fserrP->thiserr == NULL) pm_error("Out of memory allocating Floyd-Steinberg structures " @@ -327,6 +328,7 @@ int col; + overflow_add(pamP->width, 2); for (col = 0; col < pamP->width + 2; ++col) { unsigned int plane; for (plane = 0; plane < pamP->depth; ++plane) --- netpbm-10.34/editor/pnmpad.c.security 2005-05-22 20:30:30.000000000 +0200 +++ netpbm-10.34/editor/pnmpad.c 2006-06-22 12:45:18.000000000 +0200 @@ -358,6 +358,8 @@ computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); + overflow_add(cols, lpad); + overflow_add(cols + lpad, rpad); newcols = cols + lpad + rpad; xelrow = pnm_allocrow(newcols); bgrow = pnm_allocrow(newcols); --- netpbm-10.34/editor/pamcut.c.security 2006-01-30 18:22:43.000000000 +0100 +++ netpbm-10.34/editor/pamcut.c 2006-06-22 12:45:18.000000000 +0200 @@ -514,6 +514,8 @@ outpam.width = rightcol-leftcol+1; outpam.height = bottomrow-toprow+1; + overflow_add(rightcol, 1); + overflow_add(toprow, 1); pnm_writepaminit(&outpam); /* Write out top padding */ --- netpbm-10.34/editor/pbmlife.c.security 1993-10-04 10:10:37.000000000 +0100 +++ netpbm-10.34/editor/pbmlife.c 2006-06-22 12:45:18.000000000 +0200 @@ -54,7 +54,7 @@ prevrow = thisrow; thisrow = nextrow; nextrow = temprow; - if ( row < rows - 1 ) + if ( row <= rows ) pbm_readpbmrow( ifp, nextrow, cols, format ); for ( col = 0; col < cols; ++col ) --- netpbm-10.34/editor/pnmpaste.c.security 2005-12-22 10:24:24.000000000 +0100 +++ netpbm-10.34/editor/pnmpaste.c 2006-06-22 12:45:18.000000000 +0200 @@ -101,11 +101,16 @@ "y is too large -- the second anymap has only %d rows", rows2 ); + overflow_add(x, cols2); + overflow_add(y, rows2); if ( x < 0 ) x += cols2; if ( y < 0 ) y += rows2; + overflow_add(x, cols1); + overflow_add(y, rows1); + if ( x + cols1 > cols2 ) pm_error( "x + width is too large by %d pixels", x + cols1 - cols2 ); if ( y + rows1 > rows2 ) --- netpbm-10.34/editor/pbmclean.c.security 2006-02-02 01:13:33.000000000 +0100 +++ netpbm-10.34/editor/pbmclean.c 2006-06-22 12:45:18.000000000 +0200 @@ -150,7 +150,7 @@ inrow[0] = inrow[1]; inrow[1] = inrow[2]; inrow[2] = shuffle ; - if (row+1 < rows) { + if (row <= rows) { /* Read the "next" row in from the file. Allocate buffer if needed */ if (inrow[2] == NULL) inrow[2] = pbm_allocrow(cols); --- netpbm-10.34/editor/ppmdither.c.security 2003-07-06 21:54:02.000000000 +0200 +++ netpbm-10.34/editor/ppmdither.c 2006-06-22 12:45:18.000000000 +0200 @@ -111,6 +111,9 @@ (dith_dim * sizeof(int *)) + /* pointers */ (dith_dim * dith_dim * sizeof(int)); /* data */ + overflow2(dith_dim, sizeof(int *)); + overflow3(dith_dim, dith_dim, sizeof(int)); + overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int)); dith_mat = (unsigned int **) malloc(dith_mat_sz); if (dith_mat == NULL) @@ -165,7 +168,8 @@ if (dith_nb < 2) pm_error("too few shades for blue, minimum of 2"); - MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb); + overflow2(dith_nr, dith_ng); + *colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel)); if (*colormapP == NULL) pm_error("Unable to allocate space for the color lookup table " "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb); --- netpbm-10.34/editor/pnmgamma.c.security 2006-02-18 23:34:16.000000000 +0100 +++ netpbm-10.34/editor/pnmgamma.c 2006-06-22 12:45:18.000000000 +0200 @@ -586,6 +586,7 @@ xelval ** const btableP) { /* Allocate space for the tables. */ + overflow_add(maxval, 1); MALLOCARRAY(*rtableP, maxval+1); MALLOCARRAY(*gtableP, maxval+1); MALLOCARRAY(*btableP, maxval+1); --- netpbm-10.34/editor/pnmhisteq.c.security 2005-09-11 00:59:13.000000000 +0200 +++ netpbm-10.34/editor/pnmhisteq.c 2006-06-22 12:45:18.000000000 +0200 @@ -102,6 +102,7 @@ unsigned int pixelCount; unsigned int * lumahist; + overflow_add(maxval, 1); MALLOCARRAY(lumahist, maxval + 1); if (lumahist == NULL) pm_error("Out of storage allocating array for %u histogram elements", --- netpbm-10.34/editor/pnmshear.c.security 2005-08-15 08:17:16.000000000 +0200 +++ netpbm-10.34/editor/pnmshear.c 2006-06-22 12:45:18.000000000 +0200 @@ -14,6 +14,7 @@ #include #include +#include #include "pnm.h" #include "shhopt.h" @@ -196,6 +197,11 @@ if ( shearfac < 0.0 ) shearfac = -shearfac; + if(rows * shearfac >= INT_MAX-1) + pm_error("image too large"); + + overflow_add(rows * shearfac, cols+1); + newcols = rows * shearfac + cols + 0.999999; pnm_writepnminit( stdout, newcols, rows, newmaxval, newformat, 0 ); --- netpbm-10.34/editor/pbmpscale.c.security 2005-08-15 09:06:55.000000000 +0200 +++ netpbm-10.34/editor/pbmpscale.c 2006-06-22 12:45:18.000000000 +0200 @@ -109,6 +109,7 @@ inrow[0] = inrow[1] = inrow[2] = NULL; pbm_readpbminit(ifd, &columns, &rows, &format) ; + overflow2(columns, scale); outrow = pbm_allocrow(columns*scale) ; MALLOCARRAY(flags, columns); if (flags == NULL) --- netpbm-10.34/urt/scanargs.c.security 2003-01-08 20:38:25.000000000 +0100 +++ netpbm-10.34/urt/scanargs.c 2006-06-22 12:45:18.000000000 +0200 @@ -38,6 +38,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ #include "rle.h" @@ -65,8 +67,8 @@ /* * Storage allocation macros */ -#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) -#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) +#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) +#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) #if defined(c_plusplus) && !defined(USE_PROTOTYPES) #define USE_PROTOTYPES --- netpbm-10.34/urt/rle.h.security 2005-12-24 05:46:05.000000000 +0100 +++ netpbm-10.34/urt/rle.h 2006-06-22 12:45:18.000000000 +0200 @@ -14,6 +14,9 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox + * Header declarations needed */ /* * rle.h - Global declarations for Utah Raster Toolkit RLE programs. @@ -166,6 +169,16 @@ */ extern rle_hdr rle_dflt_hdr; +/* + * Provided by pm library + */ + +extern void overflow_add(int, int); +extern void overflow2(int, int); +extern void overflow3(int, int, int); +extern void *malloc2(int, int); +extern void *malloc3(int, int, int); +extern void *realloc2(void *, int, int); /* Declare RLE library routines. */ --- netpbm-10.34/urt/rle_open_f.c.security 2005-10-17 00:16:48.000000000 +0200 +++ netpbm-10.34/urt/rle_open_f.c 2006-06-22 12:45:18.000000000 +0200 @@ -6,6 +6,9 @@ * University of Michigan * Date: 11/14/89 * Copyright (c) 1990, University of Michigan + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox + * Killed of crazy unsafe pipe/compress stuff */ #define _XOPEN_SOURCE /* Make sure fdopen() is in stdio.h */ @@ -188,7 +191,7 @@ cp = file_name + strlen( (char*) file_name ) - 2; /* Pipe case. */ - if ( *file_name == '|' ) + if ( *file_name == '|' && 0 /* BOLLOCKS ARE WE DOING THIS ANY MORE */) { int thepid; /* PID from my_popen */ if ( (fp = my_popen( file_name + 1, mode, &thepid )) == NULL ) @@ -203,9 +206,10 @@ } /* Compress case. */ - else if ( cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) + else if ( /* SMOKING SOMETHING */ 0 && cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) { int thepid; /* PID from my_popen. */ + overflow_add(20, strlen(file_name)); combuf = (char *)malloc( 20 + strlen( file_name ) ); if ( combuf == NULL ) { --- netpbm-10.34/urt/rle_addhist.c.security 2005-10-17 00:15:58.000000000 +0200 +++ netpbm-10.34/urt/rle_addhist.c 2006-06-22 12:45:18.000000000 +0200 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_addhist.c - Add to the HISTORY comment in header @@ -76,13 +78,19 @@ return; length = 0; - for (i = 0; argv[i]; ++i) + for (i = 0; argv[i]; ++i) { + overflow_add(length, strlen(argv[i])); + overflow_add(length+1, strlen(argv[i])); length += strlen(argv[i]) +1; /* length of each arg plus space. */ + } time(&temp); timedate = ctime(&temp); length += strlen(timedate); /* length of date and time in ASCII. */ + overflow_add(strlen(padding), 4); + overflow_add(strlen(histoire), strlen(padding) + 4); + overflow_add(length, strlen(histoire) + strlen(padding) + 4); length += strlen(padding) + 3 + strlen(histoire) + 1; /* length of padding, "on " and length of history name plus "="*/ if (in_hdr) /* if we are interested in the old comments... */ @@ -90,9 +98,12 @@ else old = NULL; - if (old && *old) + if (old && *old) { + overflow_add(length, strlen(old)); length += strlen(old); /* add length if there. */ + } + overflow_add(length, 1); ++length; /*Cater for the null. */ MALLOCARRAY(newc, length); --- netpbm-10.34/urt/rle_hdr.c.security 2005-10-17 00:16:33.000000000 +0200 +++ netpbm-10.34/urt/rle_hdr.c 2006-06-22 12:45:18.000000000 +0200 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_hdr.c - Functions to manipulate rle_hdr structures. @@ -79,7 +81,10 @@ /* Fill in with copies of the strings. */ if ( the_hdr->cmd != pgmname ) { - char *tmp = (char *)malloc( strlen( pgmname ) + 1 ); + char *tmp ; + + overflow_add(strlen(pgmname), 1); + tmp = malloc( strlen( pgmname ) + 1 ); RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, pgmname ); the_hdr->cmd = tmp; @@ -87,7 +92,9 @@ if ( the_hdr->file_name != fname ) { - char *tmp = (char *)malloc( strlen( fname ) + 1 ); + char *tmp; + overflow_add(strlen(fname), 1); + tmp = malloc( strlen( fname ) + 1 ); RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, fname ); the_hdr->file_name = tmp; @@ -152,6 +159,7 @@ if ( to_hdr->bg_color ) { int size = to_hdr->ncolors * sizeof(int); + overflow2(to_hdr->ncolors, sizeof(int)); to_hdr->bg_color = (int *)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); @@ -160,7 +168,7 @@ if ( to_hdr->cmap ) { int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); - to_hdr->cmap = (rle_map *)malloc( size ); + to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<cmaplen, sizeof(rle_map)); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); memcpy( to_hdr->cmap, from_hdr->cmap, size ); } @@ -173,11 +181,16 @@ int size = 0; CONST_DECL char **cp; for ( cp=to_hdr->comments; *cp; cp++ ) + { + overflow_add(size, 1); size++; /* Count the comments. */ + } /* Check if there are really any comments. */ if ( size ) { + overflow_add(size, 1); size++; /* Copy the NULL pointer, too. */ + overflow2(size, sizeof(char *)); size *= sizeof(char *); to_hdr->comments = (CONST_DECL char **)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); --- netpbm-10.34/urt/README.security 2000-06-02 22:53:04.000000000 +0200 +++ netpbm-10.34/urt/README 2006-06-22 12:45:18.000000000 +0200 @@ -18,3 +18,8 @@ defines stdout as a variable, so that wouldn't compile. So I changed it to NULL and added a line to rle_hdr_init to set that field to 'stdout' dynamically. 2000.06.02 BJH. + +Redid the code to check for maths overflows and other crawly horrors. +Removed pipe through and compress support (unsafe) + +Alan Cox --- netpbm-10.34/urt/Runput.c.security 2005-10-16 23:36:29.000000000 +0200 +++ netpbm-10.34/urt/Runput.c 2006-06-22 12:45:18.000000000 +0200 @@ -17,6 +17,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * Runput.c - General purpose Run Length Encoding. @@ -202,9 +204,11 @@ if ( the_hdr->background != 0 ) { register int i; - register rle_pixel *background = - (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); + register rle_pixel *background; register int *bg_color; + + overflow_add(the_hdr->ncolors,1); + background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); /* * If even number of bg color bytes, put out one more to get to * 16 bit boundary. @@ -224,7 +228,7 @@ /* Big-endian machines are harder */ register int i, nmap = (1 << the_hdr->cmaplen) * the_hdr->ncmap; - register char *h_cmap = (char *)malloc( nmap * 2 ); + register char *h_cmap = (char *)malloc2( nmap, 2 ); if ( h_cmap == NULL ) { fprintf( stderr, --- netpbm-10.34/urt/rle_getrow.c.security 2005-10-16 23:47:53.000000000 +0200 +++ netpbm-10.34/urt/rle_getrow.c 2006-06-22 12:45:18.000000000 +0200 @@ -17,6 +17,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_getrow.c - Read an RLE file in. @@ -168,6 +170,7 @@ register char * cp; VAXSHORT( comlen, infile ); /* get comment length */ + overflow_add(comlen, 1); evenlen = (comlen + 1) & ~1; /* make it even */ if ( evenlen ) { --- netpbm-10.34/urt/rle_putcom.c.security 2005-10-07 18:01:42.000000000 +0200 +++ netpbm-10.34/urt/rle_putcom.c 2006-06-22 12:45:18.000000000 +0200 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rle_putcom.c - Add a picture comment to the header struct. @@ -98,12 +100,14 @@ const char * v; const char ** old_comments; int i; - for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) + for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) { + overflow_add(i, 1); if (match(value, *cp) != NULL) { v = *cp; *cp = value; return v; } + } /* Not found */ /* Can't realloc because somebody else might be pointing to this * comments block. Of course, if this were true, then the