1660 lines
64 KiB
Diff
1660 lines
64 KiB
Diff
diff -up analyzer/pgmtexture.c.security-code analyzer/pgmtexture.c
|
|
--- analyzer/pgmtexture.c.security-code 2012-04-09 15:31:32.000000000 +0200
|
|
+++ analyzer/pgmtexture.c 2012-04-09 15:40:03.183620040 +0200
|
|
@@ -97,7 +97,7 @@ vector(unsigned int const nl,
|
|
float * v;
|
|
|
|
assert(nh >= nl);
|
|
-
|
|
+ overflow_add(nh - nl, 1);
|
|
MALLOCARRAY(v, (unsigned) (nh - nl + 1));
|
|
|
|
if (v == NULL)
|
|
@@ -129,6 +129,7 @@ matrix (unsigned int const nrl,
|
|
assert(nrh >= nrl);
|
|
|
|
/* allocate pointers to rows */
|
|
+ overflow_add(nrh - nrl, 1);
|
|
MALLOCARRAY(m, (unsigned) (nrh - nrl + 1));
|
|
if (m == NULL)
|
|
pm_error("Unable to allocate memory for a matrix.");
|
|
@@ -136,7 +137,7 @@ matrix (unsigned int const nrl,
|
|
m -= ncl;
|
|
|
|
assert (nch >= ncl);
|
|
-
|
|
+ overflow_add(nch - ncl, 1);
|
|
/* allocate rows and set pointers to them */
|
|
for (i = nrl; i <= nrh; ++i) {
|
|
MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1));
|
|
diff -up converter/other/gemtopnm.c.security-code converter/other/gemtopnm.c
|
|
--- converter/other/gemtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/gemtopnm.c 2012-04-09 15:40:03.183620040 +0200
|
|
@@ -106,6 +106,7 @@ main(argc, argv)
|
|
|
|
pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 );
|
|
|
|
+ overflow_add(cols, padright);
|
|
{
|
|
/* allocate input row data structure */
|
|
int plane;
|
|
diff -up converter/other/jpegtopnm.c.security-code converter/other/jpegtopnm.c
|
|
--- converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
|
|
+++ converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200
|
|
@@ -861,6 +861,8 @@ convertImage(FILE *
|
|
/* Calculate output image dimensions so we can allocate space */
|
|
jpeg_calc_output_dimensions(cinfoP);
|
|
|
|
+ overflow2(cinfoP->output_width, cinfoP->output_components);
|
|
+
|
|
/* Start decompressor */
|
|
jpeg_start_decompress(cinfoP);
|
|
|
|
diff -up converter/other/pbmtopgm.c.security-code converter/other/pbmtopgm.c
|
|
--- converter/other/pbmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/pbmtopgm.c 2012-04-09 15:40:03.184620028 +0200
|
|
@@ -47,6 +47,7 @@ main(int argc, char *argv[]) {
|
|
"than the image height (%u rows)", height, rows);
|
|
|
|
outrow = pgm_allocrow(cols) ;
|
|
+ overflow2(width, height);
|
|
maxval = MIN(PGM_OVERALLMAXVAL, width*height);
|
|
pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
|
|
|
|
diff -up converter/other/pnmtoddif.c.security-code converter/other/pnmtoddif.c
|
|
--- converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200
|
|
@@ -632,6 +632,7 @@ main(int argc, char *argv[]) {
|
|
switch (PNM_FORMAT_TYPE(format)) {
|
|
case PBM_TYPE:
|
|
ip.bits_per_pixel = 1;
|
|
+ overflow_add(cols, 7);
|
|
ip.bytes_per_line = (cols + 7) / 8;
|
|
ip.spectral = 2;
|
|
ip.components = 1;
|
|
@@ -647,6 +648,7 @@ main(int argc, char *argv[]) {
|
|
ip.polarity = 2;
|
|
break;
|
|
case PPM_TYPE:
|
|
+ overflow2(cols, 3);
|
|
ip.bytes_per_line = 3 * cols;
|
|
ip.bits_per_pixel = 24;
|
|
ip.spectral = 5;
|
|
diff -up converter/other/pnmtojpeg.c.security-code converter/other/pnmtojpeg.c
|
|
--- converter/other/pnmtojpeg.c.security-code 2012-04-09 15:31:39.000000000 +0200
|
|
+++ converter/other/pnmtojpeg.c 2012-04-09 15:40:03.186620002 +0200
|
|
@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const ci
|
|
want JPOOL_PERMANENT.
|
|
*/
|
|
const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info);
|
|
- jpeg_scan_info * const scan_info =
|
|
+ const jpeg_scan_info * scan_info;
|
|
+
|
|
+ overflow2(nscans, sizeof(jpeg_scan_info));
|
|
+
|
|
+ scan_info =
|
|
(jpeg_scan_info *)
|
|
(*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
|
|
scan_info_size);
|
|
@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const
|
|
const long half_maxval = maxval / 2;
|
|
long val;
|
|
|
|
+ overflow_add(maxval, 1);
|
|
+ overflow2(maxval+1, sizeof(JSAMPLE));
|
|
*rescale_p = (JSAMPLE *)
|
|
(cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE,
|
|
(size_t) (((long) maxval + 1L) *
|
|
@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_s
|
|
*/
|
|
|
|
/* Allocate the libpnm output and compressor input buffers */
|
|
+ overflow2(cinfo_p->image_width, cinfo_p->input_components);
|
|
buffer = (*cinfo_p->mem->alloc_sarray)
|
|
((j_common_ptr) cinfo_p, JPOOL_IMAGE,
|
|
(unsigned int) cinfo_p->image_width * cinfo_p->input_components,
|
|
diff -up converter/other/pnmtops.c.security-code converter/other/pnmtops.c
|
|
--- converter/other/pnmtops.c.security-code 2012-04-09 15:31:40.000000000 +0200
|
|
+++ converter/other/pnmtops.c 2012-04-09 15:40:03.187619989 +0200
|
|
@@ -256,17 +256,21 @@ parseCommandLine(int argc, const char **
|
|
validateCompDimension(width, 72, "-width value");
|
|
validateCompDimension(height, 72, "-height value");
|
|
|
|
+ overflow2(width, 72);
|
|
cmdlineP->width = width * 72;
|
|
+ overflow2(height, 72);
|
|
cmdlineP->height = height * 72;
|
|
|
|
if (imagewidthSpec) {
|
|
validateCompDimension(imagewidth, 72, "-imagewidth value");
|
|
+ overflow2(imagewidth, 72);
|
|
cmdlineP->imagewidth = imagewidth * 72;
|
|
}
|
|
else
|
|
cmdlineP->imagewidth = 0;
|
|
if (imageheightSpec) {
|
|
- validateCompDimension(imagewidth, 72, "-imageheight value");
|
|
+ validateCompDimension(imageheight, 72, "-imageheight value");
|
|
+ overflow2(imageheight, 72);
|
|
cmdlineP->imageheight = imageheight * 72;
|
|
}
|
|
else
|
|
diff -up converter/other/pnmtorle.c.security-code converter/other/pnmtorle.c
|
|
--- converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200
|
|
@@ -19,6 +19,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* pnmtorle - A program which will convert pbmplus (ppm or pgm) images
|
|
diff -up converter/other/pnmtosgi.c.security-code converter/other/pnmtosgi.c
|
|
--- converter/other/pnmtosgi.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/pnmtosgi.c 2012-04-09 15:40:03.188619976 +0200
|
|
@@ -254,6 +254,7 @@ build_channels(FILE * const ifp, int con
|
|
#endif
|
|
|
|
if( storage != STORAGE_VERBATIM ) {
|
|
+ overflow2(channels, rows);
|
|
MALLOCARRAY_NOFAIL(table, channels * rows);
|
|
MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols));
|
|
}
|
|
@@ -306,6 +307,8 @@ compress(ScanElem * temp,
|
|
break;
|
|
case STORAGE_RLE:
|
|
tabrow = chan_no * rows + row;
|
|
+ overflow2(chan_no, rows);
|
|
+ overflow_add(chan_no* rows, row);
|
|
len = rle_compress(temp, cols); /* writes result into rletemp */
|
|
channel[chan_no][row].length = len;
|
|
MALLOCARRAY(p, len);
|
|
diff -up converter/other/rletopnm.c.security-code converter/other/rletopnm.c
|
|
--- converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200
|
|
@@ -19,6 +19,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* rletopnm - A conversion program to convert from Utah's "rle" image format
|
|
diff -up converter/other/sgitopnm.c.security-code converter/other/sgitopnm.c
|
|
--- converter/other/sgitopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/sgitopnm.c 2012-04-09 15:40:03.189619963 +0200
|
|
@@ -359,10 +359,14 @@ readChannels(FILE * const ifP,
|
|
MALLOCARRAY_NOFAIL(image, head->ysize);
|
|
} else {
|
|
maxchannel = MIN(3, head->zsize);
|
|
+ overflow2(head->ysize, maxchannel);
|
|
MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
|
|
}
|
|
- if (table)
|
|
+ if (table) {
|
|
+ overflow2(head->xsize, 2);
|
|
+ overflow_add(head->xsize*2, 2);
|
|
MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
|
|
+ }
|
|
|
|
for (channel = 0; channel < maxchannel; ++channel) {
|
|
unsigned int row;
|
|
diff -up converter/other/sirtopnm.c.security-code converter/other/sirtopnm.c
|
|
--- converter/other/sirtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/sirtopnm.c 2012-04-09 15:40:03.190619951 +0200
|
|
@@ -69,6 +69,7 @@ char* argv[];
|
|
}
|
|
break;
|
|
case PPM_TYPE:
|
|
+ overflow3(cols, rows, 3);
|
|
picsize = cols * rows * 3;
|
|
planesize = cols * rows;
|
|
if ( !( sirarray = (unsigned char*) malloc( picsize ) ) )
|
|
diff -up converter/other/tifftopnm.c.security-code converter/other/tifftopnm.c
|
|
--- converter/other/tifftopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/other/tifftopnm.c 2012-04-09 15:40:03.191619939 +0200
|
|
@@ -1279,7 +1279,9 @@ convertRasterByRows(pnmOut * const
|
|
if (scanbuf == NULL)
|
|
pm_error("can't allocate memory for scanline buffer");
|
|
|
|
- MALLOCARRAY(samplebuf, cols * spp);
|
|
+ /* samplebuf is unsigned int * !!! */
|
|
+ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp);
|
|
+
|
|
if (samplebuf == NULL)
|
|
pm_error("can't allocate memory for row buffer");
|
|
|
|
diff -up converter/other/xwdtopnm.c.security-code converter/other/xwdtopnm.c
|
|
--- converter/other/xwdtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
|
|
+++ converter/other/xwdtopnm.c 2012-04-09 15:40:03.192619927 +0200
|
|
@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons
|
|
*colorsP = pnm_allocrow(2);
|
|
PNM_ASSIGN1((*colorsP)[0], 0);
|
|
PNM_ASSIGN1((*colorsP)[1], *maxvalP);
|
|
+ overflow_add(h10P->pixmap_width, 15);
|
|
+ if(h10P->pixmap_width < 0)
|
|
+ pm_error("assert: negative width");
|
|
+ overflow2((((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width), 8);
|
|
*padrightP =
|
|
(((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8;
|
|
*bits_per_itemP = 16;
|
|
@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons
|
|
|
|
*colsP = h11FixedP->pixmap_width;
|
|
*rowsP = h11FixedP->pixmap_height;
|
|
+ overflow2(h11FixedP->bytes_per_line, 8);
|
|
*padrightP =
|
|
h11FixedP->bytes_per_line * 8 -
|
|
h11FixedP->pixmap_width * h11FixedP->bits_per_pixel;
|
|
diff -up converter/pbm/mdatopbm.c.security-code converter/pbm/mdatopbm.c
|
|
--- converter/pbm/mdatopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/mdatopbm.c 2012-04-09 15:40:03.192619927 +0200
|
|
@@ -245,10 +245,13 @@ main(int argc, char **argv) {
|
|
pm_readlittleshort(infile, &yy); nInCols = yy;
|
|
}
|
|
|
|
+ overflow2(nOutCols, 8);
|
|
nOutCols = 8 * nInCols;
|
|
nOutRows = nInRows;
|
|
- if (bScale)
|
|
+ if (bScale) {
|
|
+ overflow2(nOutRows, 2);
|
|
nOutRows *= 2;
|
|
+ }
|
|
|
|
data = pbm_allocarray(nOutCols, nOutRows);
|
|
|
|
diff -up converter/pbm/mgrtopbm.c.security-code converter/pbm/mgrtopbm.c
|
|
--- converter/pbm/mgrtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/mgrtopbm.c 2012-04-09 15:40:03.193619915 +0200
|
|
@@ -65,6 +65,8 @@ readMgrHeader(FILE * const ifP,
|
|
if (head.h_high < ' ' || head.l_high < ' ')
|
|
pm_error("Invalid width field in MGR header");
|
|
|
|
+ overflow_add(*colsP, pad);
|
|
+
|
|
*colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' ');
|
|
*rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' ');
|
|
*padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;
|
|
diff -up converter/pbm/pbmtogem.c.security-code converter/pbm/pbmtogem.c
|
|
--- converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200
|
|
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
|
|
bitsperitem = 0;
|
|
bitshift = 7;
|
|
outcol = 0;
|
|
+ overflow_add(cols, 7);
|
|
outmax = (cols + 7) / 8;
|
|
outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
|
|
lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
|
|
diff -up converter/pbm/pbmtogo.c.security-code converter/pbm/pbmtogo.c
|
|
--- converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200
|
|
@@ -158,6 +158,7 @@ main(int argc,
|
|
bitrow = pbm_allocrow(cols);
|
|
|
|
/* Round cols up to the nearest multiple of 8. */
|
|
+ overflow_add(cols, 7);
|
|
rucols = ( cols + 7 ) / 8;
|
|
bytesperrow = rucols; /* GraphOn uses bytes */
|
|
rucols = rucols * 8;
|
|
diff -up converter/pbm/pbmtolj.c.security-code converter/pbm/pbmtolj.c
|
|
--- converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200
|
|
@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
|
|
static void
|
|
allocateBuffers(unsigned int const cols) {
|
|
|
|
+ overflow_add(cols, 8);
|
|
rowBufferSize = (cols + 7) / 8;
|
|
+ overflow_add(rowBufferSize, 128);
|
|
+ overflow_add(rowBufferSize, rowBufferSize+128);
|
|
+ overflow_add(rowBufferSize+10, rowBufferSize/8);
|
|
packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
|
|
deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
|
|
|
|
diff -up converter/pbm/pbmtomacp.c.security-code converter/pbm/pbmtomacp.c
|
|
--- converter/pbm/pbmtomacp.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtomacp.c 2012-04-09 15:40:03.195619889 +0200
|
|
@@ -101,6 +101,7 @@ char *argv[];
|
|
if( !lflg )
|
|
left = 0;
|
|
|
|
+ overflow_add(left, MAX_COLS - 1);
|
|
if( rflg )
|
|
{ if( right - left >= MAX_COLS )
|
|
right = left + MAX_COLS - 1;
|
|
@@ -111,6 +112,8 @@ char *argv[];
|
|
if( !tflg )
|
|
top = 0;
|
|
|
|
+ overflow_add(top, MAX_LINES - 1);
|
|
+
|
|
if( bflg )
|
|
{ if( bottom - top >= MAX_LINES )
|
|
bottom = top + MAX_LINES - 1;
|
|
diff -up converter/pbm/pbmtomda.c.security-code converter/pbm/pbmtomda.c
|
|
--- converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200
|
|
@@ -179,6 +179,7 @@ int main(int argc, char **argv)
|
|
|
|
nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
|
|
|
|
+ overflow_add(nOutRowsUnrounded, 3);
|
|
nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
|
|
/* MDA wants rows a multiple of 4 */
|
|
nOutCols = nInCols / 8;
|
|
diff -up converter/pbm/pbmtoppa/pbm.c.security-code converter/pbm/pbmtoppa/pbm.c
|
|
--- converter/pbm/pbmtoppa/pbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtoppa/pbm.c 2012-04-09 15:40:03.195619889 +0200
|
|
@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned
|
|
return 0;
|
|
|
|
case P4:
|
|
+ overflow_add(pbm->width, 7);
|
|
tmp=(pbm->width+7)/8;
|
|
tmp2=fread(data,1,tmp,pbm->fptr);
|
|
if(tmp2 == tmp)
|
|
@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void
|
|
return;
|
|
|
|
pbm->unread = 1;
|
|
- pbm->revdata = malloc ((pbm->width+7)/8);
|
|
+ overflow_add(pbm->width, 7);
|
|
+ pbm->revdata = malloc((pbm->width+7)/8);
|
|
memcpy (pbm->revdata, data, (pbm->width+7)/8);
|
|
pbm->current_line--;
|
|
}
|
|
diff -up converter/pbm/pbmtoppa/pbmtoppa.c.security-code converter/pbm/pbmtoppa/pbmtoppa.c
|
|
--- converter/pbm/pbmtoppa/pbmtoppa.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtoppa/pbmtoppa.c 2012-04-09 15:40:03.196619876 +0200
|
|
@@ -441,6 +441,7 @@ main(int argc, char *argv[]) {
|
|
pm_error("main(): unrecognized parameter '%s'", argv[argn]);
|
|
}
|
|
|
|
+ overflow_add(Width, 7);
|
|
Pwidth=(Width+7)/8;
|
|
printer.fptr=out;
|
|
|
|
diff -up converter/pbm/pbmtoxbm.c.security-code converter/pbm/pbmtoxbm.c
|
|
--- converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200
|
|
@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP,
|
|
|
|
unsigned char * bitrow;
|
|
unsigned int row;
|
|
+
|
|
+ overflow_add(cols, padright);
|
|
|
|
putinit(xbmVersion);
|
|
|
|
diff -up converter/pbm/pbmtoybm.c.security-code converter/pbm/pbmtoybm.c
|
|
--- converter/pbm/pbmtoybm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtoybm.c 2012-04-09 15:40:03.197619863 +0200
|
|
@@ -113,6 +113,7 @@ main(int argc, const char *argv[]) {
|
|
bitrow = pbm_allocrow(cols);
|
|
|
|
/* Compute padding to round cols up to the nearest multiple of 16. */
|
|
+ overflow_add(cols, 16);
|
|
padright = ((cols + 15) / 16) * 16 - cols;
|
|
|
|
putinit(cols, rows);
|
|
diff -up converter/pbm/pbmtozinc.c.security-code converter/pbm/pbmtozinc.c
|
|
--- converter/pbm/pbmtozinc.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmtozinc.c 2012-04-09 15:40:03.197619863 +0200
|
|
@@ -65,6 +65,7 @@ main(int argc, char * argv[]) {
|
|
bitrow = pbm_allocrow( cols );
|
|
|
|
/* Compute padding to round cols up to the nearest multiple of 16. */
|
|
+ overflow_add(cols, 16);
|
|
padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
|
|
|
|
printf( "USHORT %s[] = {\n",name);
|
|
diff -up converter/pbm/pbmto10x.c.security-code converter/pbm/pbmto10x.c
|
|
--- converter/pbm/pbmto10x.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmto10x.c 2012-04-09 15:40:03.197619863 +0200
|
|
@@ -162,7 +162,7 @@ main(int argc, char * argv[]) {
|
|
res_60x72();
|
|
|
|
pm_close(ifp);
|
|
- exit(0);
|
|
+ return 0;
|
|
}
|
|
|
|
|
|
diff -up converter/pbm/pbmto4425.c.security-code converter/pbm/pbmto4425.c
|
|
--- converter/pbm/pbmto4425.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pbmto4425.c 2012-04-09 15:40:03.198619851 +0200
|
|
@@ -2,6 +2,7 @@
|
|
|
|
#include "nstring.h"
|
|
#include "pbm.h"
|
|
+#include <string.h>
|
|
|
|
static char bit_table[2][3] = {
|
|
{1, 4, 0x10},
|
|
@@ -160,7 +161,7 @@ main(int argc, char * argv[]) {
|
|
xres = vmap_width * 2;
|
|
yres = vmap_height * 3;
|
|
|
|
- vmap = malloc(vmap_width * vmap_height * sizeof(char));
|
|
+ vmap = malloc3(vmap_width, vmap_height, sizeof(char));
|
|
if(vmap == NULL)
|
|
{
|
|
pm_error( "Cannot allocate memory" );
|
|
diff -up converter/pbm/pktopbm.c.security-code converter/pbm/pktopbm.c
|
|
--- converter/pbm/pktopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/pktopbm.c 2012-04-09 15:40:03.198619851 +0200
|
|
@@ -277,6 +277,7 @@ main(int argc, char *argv[]) {
|
|
if (flagbyte == 7) { /* long form preamble */
|
|
integer packetlength = get32() ; /* character packet length */
|
|
car = get32() ; /* character number */
|
|
+ overflow_add(packetlength, pktopbm_pkloc);
|
|
endofpacket = packetlength + pktopbm_pkloc;
|
|
/* calculate end of packet */
|
|
if ((car >= MAXPKCHAR) || !filename[car]) {
|
|
diff -up converter/pbm/thinkjettopbm.l.security-code converter/pbm/thinkjettopbm.l
|
|
--- converter/pbm/thinkjettopbm.l.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/thinkjettopbm.l 2012-04-09 15:40:03.199619839 +0200
|
|
@@ -114,7 +114,9 @@ DIG [0-9]
|
|
<RASTERMODE>\033\*b{DIG}+W {
|
|
int l;
|
|
if (rowCount >= rowCapacity) {
|
|
+ overflow_add(rowCapacity, 100);
|
|
rowCapacity += 100;
|
|
+ overflow2(rowCapacity, sizeof *rows);
|
|
rows = realloc (rows, rowCapacity * sizeof *rows);
|
|
if (rows == NULL)
|
|
pm_error ("Out of memory.");
|
|
@@ -226,6 +228,8 @@ yywrap (void)
|
|
/*
|
|
* Quite simple since ThinkJet bit arrangement matches PBM
|
|
*/
|
|
+
|
|
+ overflow2(maxRowLength, 8);
|
|
pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
|
|
|
|
packed_bitrow = malloc(maxRowLength);
|
|
diff -up converter/pbm/ybmtopbm.c.security-code converter/pbm/ybmtopbm.c
|
|
--- converter/pbm/ybmtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ converter/pbm/ybmtopbm.c 2012-04-09 15:40:03.199619839 +0200
|
|
@@ -49,6 +49,7 @@ getinit(FILE * const ifP,
|
|
pm_error("EOF / read error");
|
|
|
|
*depthP = 1;
|
|
+ overflow_add(*colsP, 15);
|
|
*padrightP = ((*colsP + 15) / 16) * 16 - *colsP;
|
|
}
|
|
|
|
diff -up converter/pgm/lispmtopgm.c.security-code converter/pgm/lispmtopgm.c
|
|
--- converter/pgm/lispmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/pgm/lispmtopgm.c 2012-04-09 15:40:03.199619839 +0200
|
|
@@ -58,6 +58,7 @@ main( argc, argv )
|
|
pm_error( "depth (%d bits) is too large", depth);
|
|
|
|
pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
|
|
+ overflow_add(cols, 7);
|
|
grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
|
|
|
|
for ( row = 0; row < rows; ++row )
|
|
@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad
|
|
|
|
if ( *depthP == 0 )
|
|
*depthP = 1; /* very old file */
|
|
-
|
|
+
|
|
+ overflow_add((int)colsP, 31);
|
|
+
|
|
*padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
|
|
|
|
if ( *colsP != (cols_32 - *padrightP) ) {
|
|
diff -up converter/pgm/psidtopgm.c.security-code converter/pgm/psidtopgm.c
|
|
--- converter/pgm/psidtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/pgm/psidtopgm.c 2012-04-09 15:40:03.200619827 +0200
|
|
@@ -78,6 +78,7 @@ main(int argc,
|
|
pm_error("bits/sample (%d) is too large.", bitspersample);
|
|
|
|
pgm_writepgminit(stdout, cols, rows, maxval, 0);
|
|
+ overflow_add(cols, 7);
|
|
grayrow = pgm_allocrow((cols + 7) / 8 * 8);
|
|
for (row = 0; row < rows; ++row) {
|
|
unsigned int col;
|
|
diff -up converter/ppm/ilbmtoppm.c.security-code converter/ppm/ilbmtoppm.c
|
|
--- converter/ppm/ilbmtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ilbmtoppm.c 2012-04-09 15:40:03.201619815 +0200
|
|
@@ -592,6 +592,7 @@ decode_row(FILE * const ifP,
|
|
rawtype *chp;
|
|
|
|
cols = bmhdP->w;
|
|
+ overflow_add(cols, 15);
|
|
bytes = RowBytes(cols);
|
|
for( plane = 0; plane < nPlanes; plane++ ) {
|
|
int mask;
|
|
@@ -679,6 +680,23 @@ decode_mask(FILE * const ifP,
|
|
Multipalette handling
|
|
****************************************************************************/
|
|
|
|
+static void *
|
|
+xmalloc2(x, y)
|
|
+ int x;
|
|
+ int y;
|
|
+{
|
|
+ void *mem;
|
|
+
|
|
+ overflow2(x,y);
|
|
+ if( x * y == 0 )
|
|
+ return NULL;
|
|
+
|
|
+ mem = malloc2(x,y);
|
|
+ if( mem == NULL )
|
|
+ pm_error("out of memory allocating %d bytes", x * y);
|
|
+ return mem;
|
|
+}
|
|
+
|
|
|
|
static void
|
|
multi_adjust(cmap, row, palchange)
|
|
@@ -1341,6 +1359,9 @@ dcol_to_ppm(FILE * const ifP,
|
|
if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval )
|
|
pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval));
|
|
|
|
+ overflow_add(redmaxval, 1);
|
|
+ overflow_add(greenmaxval, 1);
|
|
+ overflow_add(bluemaxval, 1);
|
|
MALLOCARRAY_NOFAIL(redtable, redmaxval +1);
|
|
MALLOCARRAY_NOFAIL(greentable, greenmaxval +1);
|
|
MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1);
|
|
@@ -1763,7 +1784,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data
|
|
ChangeCount32 = *data++;
|
|
datasize -= 2;
|
|
|
|
+ overflow_add(ChangeCount16, ChangeCount32);
|
|
changes = ChangeCount16 + ChangeCount32;
|
|
+ overflow_add(changes, 1);
|
|
for( i = 0; i < changes; i++ ) {
|
|
if( totalchanges >= PCHG->TotalChanges ) goto fail;
|
|
if( datasize < 2 ) goto fail;
|
|
@@ -2028,6 +2051,9 @@ read_pchg(FILE * const ifp,
|
|
cmap->mp_change[i] = NULL;
|
|
if( PCHG.StartLine < 0 ) {
|
|
int nch;
|
|
+ if(PCHG.MaxReg < PCHG.MinReg)
|
|
+ pm_error("assert: MinReg > MaxReg");
|
|
+ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2);
|
|
nch = PCHG.MaxReg - PCHG.MinReg +1;
|
|
MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1);
|
|
for( i = 0; i < nch; i++ )
|
|
@@ -2104,6 +2130,7 @@ process_body( FILE * const ifp,
|
|
if( typeid == ID_ILBM ) {
|
|
int isdeep;
|
|
|
|
+ overflow_add(bmhdP->w, 15);
|
|
MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w));
|
|
*viewportmodesP |= fakeviewport; /* -isham/-isehb */
|
|
|
|
diff -up converter/ppm/imgtoppm.c.security-code converter/ppm/imgtoppm.c
|
|
--- converter/ppm/imgtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/imgtoppm.c 2012-04-09 15:40:03.202619802 +0200
|
|
@@ -84,6 +84,7 @@ main(int argc, char ** argv) {
|
|
len = atoi((char*) buf );
|
|
if ( fread( buf, len, 1, ifp ) != 1 )
|
|
pm_error( "bad colormap buf" );
|
|
+ overflow2(cmaplen, 3);
|
|
if ( cmaplen * 3 != len )
|
|
{
|
|
pm_message(
|
|
@@ -105,6 +106,7 @@ main(int argc, char ** argv) {
|
|
pm_error( "bad pixel data header" );
|
|
buf[8] = '\0';
|
|
len = atoi((char*) buf );
|
|
+ overflow2(cols, rows);
|
|
if ( len != cols * rows )
|
|
pm_message(
|
|
"pixel data length (%d) does not match image size (%d)",
|
|
diff -up converter/ppm/Makefile.security-code converter/ppm/Makefile
|
|
--- converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200
|
|
@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
|
|
|
|
PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
|
|
leaftoppm mtvtoppm neotoppm \
|
|
- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
|
|
+ pcxtoppm pc1toppm pi1toppm pjtoppm \
|
|
ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
|
|
ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
|
|
ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
|
|
diff -up converter/ppm/pcxtoppm.c.security-code converter/ppm/pcxtoppm.c
|
|
--- converter/ppm/pcxtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/pcxtoppm.c 2012-04-09 15:40:03.203619789 +0200
|
|
@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes,
|
|
/*
|
|
* clear the pixel buffer
|
|
*/
|
|
+ overflow2(bytesperline, 8);
|
|
npixels = (bytesperline * 8) / bitsperpixel;
|
|
p = pixels;
|
|
while (--npixels >= 0)
|
|
@@ -470,6 +471,7 @@ pcx_16col_to_ppm(FILE * const ifP,
|
|
}
|
|
|
|
/* BytesPerLine should be >= BitsPerPixel * cols / 8 */
|
|
+ overflow2(BytesPerLine, 8);
|
|
rawcols = BytesPerLine * 8 / BitsPerPixel;
|
|
if (headerCols > rawcols) {
|
|
pm_message("warning - BytesPerLine = %d, "
|
|
diff -up converter/ppm/picttoppm.c.security-code converter/ppm/picttoppm.c
|
|
--- converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+#error "Unfixable. Don't ship me"
|
|
+
|
|
/*
|
|
* picttoppm.c -- convert a MacIntosh PICT file to PPM format.
|
|
*
|
|
diff -up converter/ppm/pjtoppm.c.security-code converter/ppm/pjtoppm.c
|
|
--- converter/ppm/pjtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/pjtoppm.c 2012-04-09 15:40:03.206619751 +0200
|
|
@@ -127,19 +127,21 @@ main(argc, argv)
|
|
case 'V': /* send plane */
|
|
case 'W': /* send last plane */
|
|
if (rows == -1 || r >= rows || image == NULL) {
|
|
- if (rows == -1 || r >= rows)
|
|
+ if (rows == -1 || r >= rows) {
|
|
+ overflow_add(rows, 100);
|
|
rows += 100;
|
|
+ }
|
|
if (image == NULL) {
|
|
- MALLOCARRAY(image, rows * planes);
|
|
- MALLOCARRAY(imlen, rows * planes);
|
|
+ image = (unsigned char **)
|
|
+ malloc3(rows , planes , sizeof(unsigned char *));
|
|
+ imlen = (int *) malloc3(rows , planes, sizeof(int));
|
|
}
|
|
else {
|
|
+ overflow2(rows,planes);
|
|
image = (unsigned char **)
|
|
- realloc(image,
|
|
- rows * planes *
|
|
+ realloc2(image, rows * planes,
|
|
sizeof(unsigned char *));
|
|
- imlen = (int *)
|
|
- realloc(imlen, rows * planes * sizeof(int));
|
|
+ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int));
|
|
}
|
|
}
|
|
if (image == NULL || imlen == NULL)
|
|
@@ -212,8 +214,10 @@ main(argc, argv)
|
|
for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2)
|
|
for (cmd = image[p + r * planes][c],
|
|
val = image[p + r * planes][c+1];
|
|
- cmd >= 0 && i < newcols; cmd--, i++)
|
|
+ cmd >= 0 && i < newcols; cmd--, i++) {
|
|
buf[i] = val;
|
|
+ overflow_add(i, 1);
|
|
+ }
|
|
cols = cols > i ? cols : i;
|
|
free(image[p + r * planes]);
|
|
/*
|
|
@@ -224,6 +228,7 @@ main(argc, argv)
|
|
image[p + r * planes] = (unsigned char *) realloc(buf, i);
|
|
}
|
|
}
|
|
+ overflow2(cols, 8);
|
|
cols *= 8;
|
|
}
|
|
|
|
diff -up converter/ppm/ppmtoeyuv.c.security-code converter/ppm/ppmtoeyuv.c
|
|
--- converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200
|
|
@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
|
|
|
|
int index;
|
|
|
|
+ overflow_add(maxval, 1);
|
|
MALLOCARRAY_NOFAIL(mult299 , maxval+1);
|
|
MALLOCARRAY_NOFAIL(mult587 , maxval+1);
|
|
MALLOCARRAY_NOFAIL(mult114 , maxval+1);
|
|
diff -up converter/ppm/ppmtoicr.c.security-code converter/ppm/ppmtoicr.c
|
|
--- converter/ppm/ppmtoicr.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtoicr.c 2012-04-09 15:40:03.207619739 +0200
|
|
@@ -169,7 +169,7 @@ char* argv[];
|
|
|
|
if (rleflag) {
|
|
pm_message("sending run-length encoded picture data ..." );
|
|
- testimage = (char*) malloc(rows*cols);
|
|
+ testimage = (char*) malloc2(rows, cols);
|
|
p = testimage;
|
|
for (i=0; i<rows; i++)
|
|
for (j=0; j<cols; j++)
|
|
diff -up converter/ppm/ppmtoilbm.c.security-code converter/ppm/ppmtoilbm.c
|
|
--- converter/ppm/ppmtoilbm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/ppm/ppmtoilbm.c 2012-04-09 15:40:03.208619727 +0200
|
|
@@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval)
|
|
|
|
maskmethod = 0; /* no masking - RGB8 uses genlock bits */
|
|
compmethod = 4; /* RGB8 files are always compressed */
|
|
+ overflow2(cols, 4);
|
|
MALLOCARRAY_NOFAIL(compr_row, cols * 4);
|
|
|
|
if( maxval != 255 ) {
|
|
@@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval)
|
|
|
|
maskmethod = 0; /* no masking - RGBN uses genlock bits */
|
|
compmethod = 4; /* RGBN files are always compressed */
|
|
+ overflow2(cols, 2);
|
|
MALLOCARRAY_NOFAIL(compr_row, cols * 2);
|
|
|
|
if( maxval != 15 ) {
|
|
@@ -2293,8 +2296,11 @@ main(int argc, char ** argv) {
|
|
MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols));
|
|
for (i = 0; i < RowBytes(cols); ++i)
|
|
coded_rowbuf[i] = 0;
|
|
- if (DO_COMPRESS)
|
|
+ if (DO_COMPRESS) {
|
|
+ overflow2(cols,2);
|
|
+ overflow_add(cols*2,2);
|
|
MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols)));
|
|
+ }
|
|
}
|
|
|
|
switch (mode) {
|
|
diff -up converter/ppm/ppmtolj.c.security-code converter/ppm/ppmtolj.c
|
|
--- converter/ppm/ppmtolj.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/ppm/ppmtolj.c 2012-04-09 15:40:03.210619701 +0200
|
|
@@ -181,7 +181,8 @@ int main(int argc, char *argv[]) {
|
|
|
|
ppm_readppminit( ifp, &cols, &rows, &maxval, &format );
|
|
pixelrow = ppm_allocrow( cols );
|
|
-
|
|
+
|
|
+ overflow2(cols, 6);
|
|
obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
|
|
cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
|
|
if (mode == C_TRANS_MODE_DELTA)
|
|
diff -up converter/ppm/ppmtomitsu.c.security-code converter/ppm/ppmtomitsu.c
|
|
--- converter/ppm/ppmtomitsu.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtomitsu.c 2012-04-09 15:40:03.210619702 +0200
|
|
@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
|
|
medias = MSize_User;
|
|
|
|
if (dpi300) {
|
|
+ overflow2(medias.maxcols, 2);
|
|
+ overflow2(medias.maxrows, 2);
|
|
medias.maxcols *= 2;
|
|
medias.maxrows *= 2;
|
|
}
|
|
diff -up converter/ppm/ppmtopcx.c.security-code converter/ppm/ppmtopcx.c
|
|
--- converter/ppm/ppmtopcx.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtopcx.c 2012-04-09 15:40:03.210619702 +0200
|
|
@@ -419,6 +419,8 @@ ppmTo16ColorPcx(pixel ** cons
|
|
else Planes = 1;
|
|
}
|
|
}
|
|
+ overflow2(BitsPerPixel, cols);
|
|
+ overflow_add(BitsPerPixel * cols, 7);
|
|
BytesPerLine = ((cols * BitsPerPixel) + 7) / 8;
|
|
MALLOCARRAY_NOFAIL(indexRow, cols);
|
|
MALLOCARRAY_NOFAIL(planesrow, BytesPerLine);
|
|
diff -up converter/ppm/ppmtopict.c.security-code converter/ppm/ppmtopict.c
|
|
--- converter/ppm/ppmtopict.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/ppm/ppmtopict.c 2012-04-09 15:40:03.211619690 +0200
|
|
@@ -441,6 +441,8 @@ main(int argc, const char ** argv) {
|
|
putShort(stdout, 0); /* mode */
|
|
|
|
/* Finally, write out the data. */
|
|
+ overflow_add(cols/MAX_COUNT, 1);
|
|
+ overflow_add(cols, cols/MAX_COUNT+1);
|
|
packed = malloc((unsigned)(cols+cols/MAX_COUNT+1));
|
|
for (row = 0, oc = 0; row < rows; row++)
|
|
oc += putRow(stdout, row, cols, pixels[row], packed);
|
|
diff -up converter/ppm/ppmtopj.c.security-code converter/ppm/ppmtopj.c
|
|
--- converter/ppm/ppmtopj.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtopj.c 2012-04-09 15:40:03.212619677 +0200
|
|
@@ -179,6 +179,7 @@ char *argv[];
|
|
pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
|
|
|
|
pm_close( ifp );
|
|
+ overflow2(cols,2);
|
|
obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
|
|
cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
|
|
|
|
diff -up converter/ppm/ppmtopjxl.c.security-code converter/ppm/ppmtopjxl.c
|
|
--- converter/ppm/ppmtopjxl.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtopjxl.c 2012-04-09 15:40:03.212619677 +0200
|
|
@@ -276,6 +276,8 @@ main(int argc, const char * argv[]) {
|
|
pm_error("image too large; reduce with ppmscale");
|
|
if (maxval > PCL_MAXVAL)
|
|
pm_error("color range too large; reduce with ppmcscale");
|
|
+ if (cols < 0 || rows < 0)
|
|
+ pm_error("negative size is not possible");
|
|
|
|
/* Figure out the colormap. */
|
|
pm_message("Computing colormap...");
|
|
@@ -296,6 +298,8 @@ main(int argc, const char * argv[]) {
|
|
case 0: /* direct mode (no palette) */
|
|
bpp = bitsperpixel(maxval); /* bits per pixel */
|
|
bpg = bpp; bpb = bpp;
|
|
+ overflow2(bpp, 3);
|
|
+ overflow_add(bpp*3, 7);
|
|
bpp = (bpp*3+7)>>3; /* bytes per pixel now */
|
|
bpr = (bpp<<3)-bpg-bpb;
|
|
bpp *= cols; /* bytes per row now */
|
|
@@ -305,9 +309,13 @@ main(int argc, const char * argv[]) {
|
|
case 3: case 7: pclindex++;
|
|
default:
|
|
bpp = 8/pclindex;
|
|
+ overflow_add(cols, bpp);
|
|
+ if(bpp == 0)
|
|
+ pm_error("assert: no bpp");
|
|
bpp = (cols+bpp-1)/bpp; /* bytes per row */
|
|
}
|
|
}
|
|
+ overflow2(bpp,2);
|
|
inrow = (char *)malloc((unsigned)bpp);
|
|
outrow = (char *)malloc((unsigned)bpp*2);
|
|
runcnt = (signed char *)malloc((unsigned)bpp);
|
|
diff -up converter/ppm/ppmtowinicon.c.security-code converter/ppm/ppmtowinicon.c
|
|
--- converter/ppm/ppmtowinicon.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtowinicon.c 2012-04-09 15:40:03.213619664 +0200
|
|
@@ -12,6 +12,7 @@
|
|
|
|
#include <math.h>
|
|
#include <string.h>
|
|
+#include <stdlib.h>
|
|
|
|
#include "pm_c_util.h"
|
|
#include "winico.h"
|
|
@@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c
|
|
MALLOCARRAY_NOFAIL(rowData, rows);
|
|
icBitmap->xBytes = xBytes;
|
|
icBitmap->data = rowData;
|
|
+ overflow2(xBytes, rows);
|
|
icBitmap->size = xBytes * rows;
|
|
for (y=0;y<rows;y++) {
|
|
u1 * row;
|
|
@@ -347,6 +349,7 @@ create4Bitmap (pixel ** const pa, int co
|
|
MALLOCARRAY_NOFAIL(rowData, rows);
|
|
icBitmap->xBytes = xBytes;
|
|
icBitmap->data = rowData;
|
|
+ overflow2(xBytes, rows);
|
|
icBitmap->size = xBytes * rows;
|
|
|
|
for (y=0;y<rows;y++) {
|
|
@@ -407,6 +410,7 @@ create8Bitmap (pixel ** const pa, int co
|
|
MALLOCARRAY_NOFAIL(rowData, rows);
|
|
icBitmap->xBytes = xBytes;
|
|
icBitmap->data = rowData;
|
|
+ overflow2(xBytes, rows);
|
|
icBitmap->size = xBytes * rows;
|
|
|
|
for (y=0;y<rows;y++) {
|
|
@@ -714,6 +718,10 @@ addEntryToIcon(MS_Ico const MSIcon
|
|
entry->bitcount = bpp;
|
|
entry->ih = createInfoHeader(entry, xorBitmap, andBitmap);
|
|
entry->colors = palette->colors;
|
|
+ overflow2(4, entry->color_count);
|
|
+ overflow_add(xorBitmap->size, andBitmap->size);
|
|
+ overflow_add(xorBitmap->size + andBitmap->size, 40);
|
|
+ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count);
|
|
entry->size_in_bytes =
|
|
xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count);
|
|
if (verbose)
|
|
diff -up converter/ppm/ppmtoxpm.c.security-code converter/ppm/ppmtoxpm.c
|
|
--- converter/ppm/ppmtoxpm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ppmtoxpm.c 2012-04-09 15:40:03.214619651 +0200
|
|
@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int
|
|
unsigned int i;
|
|
|
|
/* Allocate memory for printed number. Abort if error. */
|
|
+ overflow_add(digits, 1);
|
|
if (!(str = (char *) malloc(digits + 1)))
|
|
pm_error("out of memory");
|
|
|
|
@@ -314,6 +315,7 @@ genCmap(colorhist_vector const chv,
|
|
unsigned int charsPerPixel;
|
|
unsigned int xpmMaxval;
|
|
|
|
+ if (includeTransparent) overflow_add(ncolors, 1);
|
|
MALLOCARRAY(cmap, cmapSize);
|
|
if (cmapP == NULL)
|
|
pm_error("Out of memory allocating %u bytes for a color map.",
|
|
diff -up converter/ppm/qrttoppm.c.security-code converter/ppm/qrttoppm.c
|
|
--- converter/ppm/qrttoppm.c.security-code 2012-04-09 15:31:42.000000000 +0200
|
|
+++ converter/ppm/qrttoppm.c 2012-04-09 15:40:03.215619638 +0200
|
|
@@ -46,7 +46,7 @@ main( argc, argv )
|
|
|
|
ppm_writeppminit( stdout, cols, rows, maxval, 0 );
|
|
pixelrow = ppm_allocrow( cols );
|
|
- buf = (unsigned char *) malloc( 3 * cols );
|
|
+ buf = (unsigned char *) malloc2( 3 , cols );
|
|
if ( buf == (unsigned char *) 0 )
|
|
pm_error( "out of memory" );
|
|
|
|
diff -up converter/ppm/sldtoppm.c.security-code converter/ppm/sldtoppm.c
|
|
--- converter/ppm/sldtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/sldtoppm.c 2012-04-09 15:40:03.216619626 +0200
|
|
@@ -455,6 +455,8 @@ slider(slvecfn slvec,
|
|
|
|
/* Allocate image buffer and clear it to black. */
|
|
|
|
+ overflow_add(ixdots,1);
|
|
+ overflow_add(iydots,1);
|
|
pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1);
|
|
PPM_ASSIGN(rgbcolor, 0, 0, 0);
|
|
ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0,
|
|
diff -up converter/ppm/ximtoppm.c.security-code converter/ppm/ximtoppm.c
|
|
--- converter/ppm/ximtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
|
|
+++ converter/ppm/ximtoppm.c 2012-04-09 15:40:03.216619626 +0200
|
|
@@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp,
|
|
header->bits_channel = atoi(a_head.bits_per_channel);
|
|
header->alpha_flag = atoi(a_head.alpha_channel);
|
|
if (strlen(a_head.author)) {
|
|
+ overflow_add(strlen(a_head.author),1);
|
|
if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1,
|
|
1))) {
|
|
pm_message("ReadXimHeader: can't calloc author string" );
|
|
@@ -126,6 +127,7 @@ ReadXimHeader(FILE * const in_fp,
|
|
strncpy(header->author, a_head.author, strlen(a_head.author));
|
|
}
|
|
if (strlen(a_head.date)) {
|
|
+ overflow_add(strlen(a_head.date),1);
|
|
if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){
|
|
pm_message("ReadXimHeader: can't calloc date string" );
|
|
return(0);
|
|
@@ -134,6 +136,7 @@ ReadXimHeader(FILE * const in_fp,
|
|
strncpy(header->date, a_head.date, strlen(a_head.date));
|
|
}
|
|
if (strlen(a_head.program)) {
|
|
+ overflow_add(strlen(a_head.program),1);
|
|
if (!(header->program = calloc(
|
|
(unsigned int)strlen(a_head.program) + 1, 1))) {
|
|
pm_message("ReadXimHeader: can't calloc program string" );
|
|
@@ -160,6 +163,7 @@ ReadXimHeader(FILE * const in_fp,
|
|
if (header->nchannels == 3 && header->bits_channel == 8)
|
|
header->ncolors = 0;
|
|
else if (header->nchannels == 1 && header->bits_channel == 8) {
|
|
+ overflow2(header->ncolors, sizeof(Color));
|
|
header->colors = (Color *)calloc((unsigned int)header->ncolors,
|
|
sizeof(Color));
|
|
if (header->colors == NULL) {
|
|
diff -up editor/pamcut.c.security-code editor/pamcut.c
|
|
--- editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200
|
|
@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP
|
|
|
|
outpam = inpam; /* Initial value -- most fields should be same */
|
|
outpam.file = ofP;
|
|
+ overflow_add(rightcol, 1);
|
|
+ overflow_add(bottomrow, 1);
|
|
outpam.width = rightcol - leftcol + 1;
|
|
outpam.height = bottomrow - toprow + 1;
|
|
|
|
diff -up editor/pbmreduce.c.security-code editor/pbmreduce.c
|
|
--- editor/pbmreduce.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/pbmreduce.c 2012-04-09 15:40:03.219619590 +0200
|
|
@@ -94,6 +94,7 @@ main( argc, argv )
|
|
if (halftone == QT_FS) {
|
|
unsigned int col;
|
|
/* Initialize Floyd-Steinberg. */
|
|
+ overflow_add(newcols, 2);
|
|
MALLOCARRAY(thiserr, newcols + 2);
|
|
MALLOCARRAY(nexterr, newcols + 2);
|
|
if (thiserr == NULL || nexterr == NULL)
|
|
diff -up editor/pnmgamma.c.security-code editor/pnmgamma.c
|
|
--- editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200
|
|
@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction
|
|
xelval ** const btableP) {
|
|
|
|
/* Allocate space for the tables. */
|
|
+ overflow_add(maxval, 1);
|
|
MALLOCARRAY(*rtableP, maxval+1);
|
|
MALLOCARRAY(*gtableP, maxval+1);
|
|
MALLOCARRAY(*btableP, maxval+1);
|
|
diff -up editor/pnmhisteq.c.security-code editor/pnmhisteq.c
|
|
--- editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200
|
|
@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const *
|
|
unsigned int pixelCount;
|
|
unsigned int * lumahist;
|
|
|
|
+ overflow_add(maxval, 1);
|
|
MALLOCARRAY(lumahist, maxval + 1);
|
|
if (lumahist == NULL)
|
|
pm_error("Out of storage allocating array for %u histogram elements",
|
|
diff -up editor/pnmindex.csh.security-code editor/pnmindex.csh
|
|
--- editor/pnmindex.csh.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/pnmindex.csh 2012-04-09 15:40:03.221619564 +0200
|
|
@@ -1,5 +1,8 @@
|
|
#!/bin/csh -f
|
|
#
|
|
+echo "Unsafe code, needs debugging, do not ship"
|
|
+exit 1
|
|
+#
|
|
# pnmindex - build a visual index of a bunch of anymaps
|
|
#
|
|
# Copyright (C) 1991 by Jef Poskanzer.
|
|
diff -up editor/pnmpad.c.security-code editor/pnmpad.c
|
|
--- editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200
|
|
@@ -527,6 +527,8 @@ main(int argc, const char ** argv) {
|
|
|
|
computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
|
|
|
|
+ overflow_add(cols, lpad);
|
|
+ overflow_add(cols + lpad, rpad);
|
|
newcols = cols + lpad + rpad;
|
|
|
|
if (PNM_FORMAT_TYPE(format) == PBM_TYPE)
|
|
diff -up editor/pnmremap.c.security-code editor/pnmremap.c
|
|
--- editor/pnmremap.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/pnmremap.c 2012-04-09 15:40:03.222619551 +0200
|
|
@@ -409,7 +409,7 @@ initFserr(struct pam * const pamP,
|
|
unsigned int plane;
|
|
|
|
unsigned int const fserrSize = pamP->width + 2;
|
|
-
|
|
+ overflow_add(pamP->width, 2);
|
|
fserrP->width = pamP->width;
|
|
|
|
MALLOCARRAY(fserrP->thiserr, pamP->depth);
|
|
@@ -445,6 +445,7 @@ floydInitRow(struct pam * const pamP, st
|
|
|
|
int col;
|
|
|
|
+ overflow_add(pamP->width, 2);
|
|
for (col = 0; col < pamP->width + 2; ++col) {
|
|
unsigned int plane;
|
|
for (plane = 0; plane < pamP->depth; ++plane)
|
|
diff -up editor/pnmscalefixed.c.security-code editor/pnmscalefixed.c
|
|
--- editor/pnmscalefixed.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ editor/pnmscalefixed.c 2012-04-09 15:40:03.223619538 +0200
|
|
@@ -214,6 +214,8 @@ compute_output_dimensions(const struct c
|
|
const int rows, const int cols,
|
|
int * newrowsP, int * newcolsP) {
|
|
|
|
+ overflow2(rows, cols);
|
|
+
|
|
if (cmdline.pixels) {
|
|
if (rows * cols <= cmdline.pixels) {
|
|
*newrowsP = rows;
|
|
@@ -265,6 +267,8 @@ compute_output_dimensions(const struct c
|
|
|
|
if (*newcolsP < 1) *newcolsP = 1;
|
|
if (*newrowsP < 1) *newrowsP = 1;
|
|
+
|
|
+ overflow2(*newcolsP, *newrowsP);
|
|
}
|
|
|
|
|
|
@@ -446,6 +450,9 @@ main(int argc, char **argv ) {
|
|
unfilled. We can address that by stretching, whereas the other
|
|
case would require throwing away some of the input.
|
|
*/
|
|
+
|
|
+ overflow2(newcols, SCALE);
|
|
+ overflow2(newrows, SCALE);
|
|
sxscale = SCALE * newcols / cols;
|
|
syscale = SCALE * newrows / rows;
|
|
|
|
diff -up editor/pnmshear.c.security-code editor/pnmshear.c
|
|
--- editor/pnmshear.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/pnmshear.c 2012-04-09 15:40:03.224619526 +0200
|
|
@@ -15,6 +15,7 @@
|
|
#include <assert.h>
|
|
#include <math.h>
|
|
#include <string.h>
|
|
+#include <limits.h>
|
|
|
|
#include "pm_c_util.h"
|
|
#include "ppm.h"
|
|
@@ -236,6 +237,11 @@ main(int argc, char * argv[]) {
|
|
|
|
shearfac = fabs(tan(cmdline.angle));
|
|
|
|
+ if(rows * shearfac >= INT_MAX-1)
|
|
+ pm_error("image too large");
|
|
+
|
|
+ overflow_add(rows * shearfac, cols+1);
|
|
+
|
|
newcols = rows * shearfac + cols + 0.999999;
|
|
|
|
pnm_writepnminit(stdout, newcols, rows, newmaxval, newformat, 0);
|
|
diff -up editor/ppmdither.c.security-code editor/ppmdither.c
|
|
--- editor/ppmdither.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/ppmdither.c 2012-04-09 15:40:03.224619526 +0200
|
|
@@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower)
|
|
unsigned int const dithMatSize =
|
|
(dithDim * sizeof(*dithMat)) + /* pointers */
|
|
(dithDim * dithDim * sizeof(**dithMat)); /* data */
|
|
-
|
|
+
|
|
+ overflow2(dithDim, sizeof(*dithMat));
|
|
+ overflow3(dithDim, dithDim, sizeof(**dithMat));
|
|
+ overflow_add(dithDim * sizeof(*dithMat), dithDim * dithDim * sizeof(**dithMat));
|
|
+
|
|
dithMat = malloc(dithMatSize);
|
|
|
|
if (dithMat == NULL)
|
|
diff -up editor/specialty/pamoil.c.security-code editor/specialty/pamoil.c
|
|
--- editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200
|
|
+++ editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200
|
|
@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
|
|
tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
|
|
pm_close(ifp);
|
|
|
|
+ overflow_add(inpam.maxval, 1);
|
|
MALLOCARRAY(hist, inpam.maxval + 1);
|
|
if (hist == NULL)
|
|
pm_error("Unable to allocate memory for histogram.");
|
|
diff -up generator/pbmtext.c.security-code generator/pbmtext.c
|
|
--- generator/pbmtext.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ generator/pbmtext.c 2012-04-09 15:40:03.225619514 +0200
|
|
@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char **
|
|
|
|
for (i = 1; i < argc; ++i) {
|
|
if (i > 1) {
|
|
+ overflow_add(totaltextsize, 1);
|
|
totaltextsize += 1;
|
|
text = realloc(text, totaltextsize);
|
|
if (text == NULL)
|
|
pm_error("out of memory allocating space for input text");
|
|
strcat(text, " ");
|
|
}
|
|
+ overflow_add(totaltextsize, strlen(argv[i]));
|
|
totaltextsize += strlen(argv[i]);
|
|
text = realloc(text, totaltextsize);
|
|
if (text == NULL)
|
|
@@ -712,6 +714,7 @@ getText(const char cmdline_text
|
|
pm_error("A line of input text is longer than %u characters."
|
|
"Cannot process.", (unsigned)sizeof(buf)-1);
|
|
if (lineCount >= maxlines) {
|
|
+ overflow2(maxlines, 2);
|
|
maxlines *= 2;
|
|
REALLOCARRAY(text_array, maxlines);
|
|
if (text_array == NULL)
|
|
@@ -832,6 +835,7 @@ main(int argc, const char *argv[]) {
|
|
hmargin = fontP->maxwidth;
|
|
} else {
|
|
vmargin = fontP->maxheight;
|
|
+ overflow2(2, fontP->maxwidth);
|
|
hmargin = 2 * fontP->maxwidth;
|
|
}
|
|
}
|
|
diff -up generator/pgmcrater.c.security-code generator/pgmcrater.c
|
|
--- generator/pgmcrater.c.security-code 2012-04-09 15:31:34.000000000 +0200
|
|
+++ generator/pgmcrater.c 2012-04-09 15:40:03.226619502 +0200
|
|
@@ -130,7 +130,7 @@ static void gencraters()
|
|
/* Acquire the elevation array and initialize it to mean
|
|
surface elevation. */
|
|
|
|
- MALLOCARRAY(aux, SCRX * SCRY);
|
|
+ aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short));
|
|
if (aux == NULL)
|
|
pm_error("out of memory allocating elevation array");
|
|
|
|
diff -up lib/libpam.c.security-code lib/libpam.c
|
|
--- lib/libpam.c.security-code 2012-04-09 15:31:38.000000000 +0200
|
|
+++ lib/libpam.c 2012-04-09 15:40:03.227619490 +0200
|
|
@@ -220,7 +220,8 @@ allocPamRow(const struct pam * const pam
|
|
unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample);
|
|
tuple * tuplerow;
|
|
|
|
- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple));
|
|
+ overflow_add(sizeof(tuple *), bytesPerTuple);
|
|
+ tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple));
|
|
|
|
if (tuplerow != NULL) {
|
|
/* Now we initialize the pointers to the individual tuples
|
|
diff -up lib/libpammap.c.security-code lib/libpammap.c
|
|
--- lib/libpammap.c.security-code 2012-04-09 15:31:38.000000000 +0200
|
|
+++ lib/libpammap.c 2012-04-09 15:40:03.228619477 +0200
|
|
@@ -104,6 +104,8 @@ allocTupleIntListItem(struct pam * const
|
|
*/
|
|
struct tupleint_list_item * retval;
|
|
|
|
+ overflow2(pamP->depth, sizeof(sample));
|
|
+ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample));
|
|
unsigned int const size =
|
|
sizeof(*retval) - sizeof(retval->tupleint.tuple)
|
|
+ pamP->depth * sizeof(sample);
|
|
diff -up lib/libpm.c.security-code lib/libpm.c
|
|
--- lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200
|
|
+++ lib/libpm.c 2012-04-09 15:40:03.229619464 +0200
|
|
@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg)
|
|
}
|
|
|
|
|
|
+/*
|
|
+ * Maths wrapping
|
|
+ */
|
|
+
|
|
+void __overflow2(int a, int b)
|
|
+{
|
|
+ if(a < 0 || b < 0)
|
|
+ pm_error("object too large");
|
|
+ if(b == 0)
|
|
+ return;
|
|
+ if(a > INT_MAX / b)
|
|
+ pm_error("object too large");
|
|
+}
|
|
+
|
|
+void overflow3(int a, int b, int c)
|
|
+{
|
|
+ overflow2(a,b);
|
|
+ overflow2(a*b, c);
|
|
+}
|
|
+
|
|
+void overflow_add(int a, int b)
|
|
+{
|
|
+ if( a > INT_MAX - b)
|
|
+ pm_error("object too large");
|
|
+}
|
|
+
|
|
+void *malloc2(int a, int b)
|
|
+{
|
|
+ overflow2(a, b);
|
|
+ if(a*b == 0)
|
|
+ pm_error("Zero byte allocation");
|
|
+ return malloc(a*b);
|
|
+}
|
|
+
|
|
+void *malloc3(int a, int b, int c)
|
|
+{
|
|
+ overflow3(a, b, c);
|
|
+ if(a*b*c == 0)
|
|
+ pm_error("Zero byte allocation");
|
|
+ return malloc(a*b*c);
|
|
+}
|
|
+
|
|
+void *realloc2(void * a, int b, int c)
|
|
+{
|
|
+ overflow2(b, c);
|
|
+ if(b*c == 0)
|
|
+ pm_error("Zero byte allocation");
|
|
+ return realloc(a, b*c);
|
|
+}
|
|
|
|
diff -up lib/pm.h.security-code lib/pm.h
|
|
--- lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200
|
|
+++ lib/pm.h 2012-04-09 15:40:03.229619464 +0200
|
|
@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg);
|
|
#endif
|
|
|
|
|
|
+void *malloc2(int, int);
|
|
+void *malloc3(int, int, int);
|
|
+#define overflow2(a,b) __overflow2(a,b)
|
|
+void __overflow2(int, int);
|
|
+void overflow3(int, int, int);
|
|
+void overflow_add(int, int);
|
|
+
|
|
#endif
|
|
diff -up other/pnmcolormap.c.security-code other/pnmcolormap.c
|
|
--- other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200
|
|
+++ other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200
|
|
@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP
|
|
pamP->width = intsqrt;
|
|
else
|
|
pamP->width = intsqrt + 1;
|
|
+ overflow_add(intsqrt, 1);
|
|
}
|
|
{
|
|
unsigned int const intQuotient = colormap.size / pamP->width;
|
|
diff -up urt/README.security-code urt/README
|
|
--- urt/README.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/README 2012-04-09 15:40:03.231619438 +0200
|
|
@@ -18,3 +18,8 @@ in its initializer in the original. But
|
|
defines stdout as a variable, so that wouldn't compile. So I changed
|
|
it to NULL and added a line to rle_hdr_init to set that field to
|
|
'stdout' dynamically. 2000.06.02 BJH.
|
|
+
|
|
+Redid the code to check for maths overflows and other crawly horrors.
|
|
+Removed pipe through and compress support (unsafe)
|
|
+
|
|
+Alan Cox <alan@redhat.com>
|
|
diff -up urt/rle_addhist.c.security-code urt/rle_addhist.c
|
|
--- urt/rle_addhist.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/rle_addhist.c 2012-04-09 15:40:03.231619438 +0200
|
|
@@ -14,6 +14,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* rle_addhist.c - Add to the HISTORY comment in header
|
|
@@ -71,13 +73,19 @@ rle_addhist(char * argv[],
|
|
return;
|
|
|
|
length = 0;
|
|
- for (i = 0; argv[i]; ++i)
|
|
+ for (i = 0; argv[i]; ++i) {
|
|
+ overflow_add(length, strlen(argv[i]));
|
|
+ overflow_add(length+1, strlen(argv[i]));
|
|
length += strlen(argv[i]) +1; /* length of each arg plus space. */
|
|
+ }
|
|
|
|
time(&temp);
|
|
timedate = ctime(&temp);
|
|
length += strlen(timedate); /* length of date and time in ASCII. */
|
|
|
|
+ overflow_add(strlen(padding), 4);
|
|
+ overflow_add(strlen(histoire), strlen(padding) + 4);
|
|
+ overflow_add(length, strlen(histoire) + strlen(padding) + 4);
|
|
length += strlen(padding) + 3 + strlen(histoire) + 1;
|
|
/* length of padding, "on " and length of history name plus "="*/
|
|
if (in_hdr) /* if we are interested in the old comments... */
|
|
@@ -85,9 +93,12 @@ rle_addhist(char * argv[],
|
|
else
|
|
old = NULL;
|
|
|
|
- if (old && *old)
|
|
+ if (old && *old) {
|
|
+ overflow_add(length, strlen(old));
|
|
length += strlen(old); /* add length if there. */
|
|
+ }
|
|
|
|
+ overflow_add(length, 1);
|
|
++length; /*Cater for the null. */
|
|
|
|
MALLOCARRAY(newc, length);
|
|
diff -up urt/rle_getrow.c.security-code urt/rle_getrow.c
|
|
--- urt/rle_getrow.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/rle_getrow.c 2012-04-09 15:40:03.232619426 +0200
|
|
@@ -17,6 +17,8 @@
|
|
*
|
|
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
|
|
* to have all "void" functions so declared.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* rle_getrow.c - Read an RLE file in.
|
|
@@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) {
|
|
register char * cp;
|
|
|
|
VAXSHORT( comlen, infile ); /* get comment length */
|
|
+ overflow_add(comlen, 1);
|
|
evenlen = (comlen + 1) & ~1; /* make it even */
|
|
if ( evenlen )
|
|
{
|
|
diff -up urt/rle_hdr.c.security-code urt/rle_hdr.c
|
|
--- urt/rle_hdr.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/rle_hdr.c 2012-04-09 15:40:03.233619414 +0200
|
|
@@ -14,6 +14,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* rle_hdr.c - Functions to manipulate rle_hdr structures.
|
|
@@ -80,7 +82,10 @@ int img_num;
|
|
/* Fill in with copies of the strings. */
|
|
if ( the_hdr->cmd != pgmname )
|
|
{
|
|
- char *tmp = (char *)malloc( strlen( pgmname ) + 1 );
|
|
+ char *tmp ;
|
|
+
|
|
+ overflow_add(strlen(pgmname), 1);
|
|
+ tmp = malloc( strlen( pgmname ) + 1 );
|
|
RLE_CHECK_ALLOC( pgmname, tmp, 0 );
|
|
strcpy( tmp, pgmname );
|
|
the_hdr->cmd = tmp;
|
|
@@ -88,7 +93,9 @@ int img_num;
|
|
|
|
if ( the_hdr->file_name != fname )
|
|
{
|
|
- char *tmp = (char *)malloc( strlen( fname ) + 1 );
|
|
+ char *tmp;
|
|
+ overflow_add(strlen(fname), 1);
|
|
+ tmp = malloc( strlen( fname ) + 1 );
|
|
RLE_CHECK_ALLOC( pgmname, tmp, 0 );
|
|
strcpy( tmp, fname );
|
|
the_hdr->file_name = tmp;
|
|
@@ -153,6 +160,7 @@ rle_hdr *from_hdr, *to_hdr;
|
|
if ( to_hdr->bg_color )
|
|
{
|
|
int size = to_hdr->ncolors * sizeof(int);
|
|
+ overflow2(to_hdr->ncolors, sizeof(int));
|
|
to_hdr->bg_color = (int *)malloc( size );
|
|
RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" );
|
|
memcpy( to_hdr->bg_color, from_hdr->bg_color, size );
|
|
@@ -161,7 +169,7 @@ rle_hdr *from_hdr, *to_hdr;
|
|
if ( to_hdr->cmap )
|
|
{
|
|
int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map);
|
|
- to_hdr->cmap = (rle_map *)malloc( size );
|
|
+ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map));
|
|
RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" );
|
|
memcpy( to_hdr->cmap, from_hdr->cmap, size );
|
|
}
|
|
@@ -174,11 +182,16 @@ rle_hdr *from_hdr, *to_hdr;
|
|
int size = 0;
|
|
CONST_DECL char **cp;
|
|
for ( cp=to_hdr->comments; *cp; cp++ )
|
|
+ {
|
|
+ overflow_add(size, 1);
|
|
size++; /* Count the comments. */
|
|
+ }
|
|
/* Check if there are really any comments. */
|
|
if ( size )
|
|
{
|
|
+ overflow_add(size, 1);
|
|
size++; /* Copy the NULL pointer, too. */
|
|
+ overflow2(size, sizeof(char *));
|
|
size *= sizeof(char *);
|
|
to_hdr->comments = (CONST_DECL char **)malloc( size );
|
|
RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" );
|
|
diff -up urt/rle.h.security-code urt/rle.h
|
|
--- urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/rle.h 2012-04-09 15:40:03.233619414 +0200
|
|
@@ -14,6 +14,9 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
+ * Header declarations needed
|
|
*/
|
|
/*
|
|
* rle.h - Global declarations for Utah Raster Toolkit RLE programs.
|
|
@@ -160,6 +163,17 @@ rle_hdr /* End of typedef. *
|
|
*/
|
|
extern rle_hdr rle_dflt_hdr;
|
|
|
|
+/*
|
|
+ * Provided by pm library
|
|
+ */
|
|
+
|
|
+extern void overflow_add(int, int);
|
|
+#define overflow2(a,b) __overflow2(a,b)
|
|
+extern void __overflow2(int, int);
|
|
+extern void overflow3(int, int, int);
|
|
+extern void *malloc2(int, int);
|
|
+extern void *malloc3(int, int, int);
|
|
+extern void *realloc2(void *, int, int);
|
|
|
|
/* Declare RLE library routines. */
|
|
|
|
diff -up urt/rle_open_f.c.security-code urt/rle_open_f.c
|
|
--- urt/rle_open_f.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/rle_open_f.c 2012-04-09 15:40:03.234619402 +0200
|
|
@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const f
|
|
FILE ** const fpP,
|
|
bool * const noSubprocessP,
|
|
const char ** const errorP) {
|
|
-
|
|
-#ifdef NO_OPEN_PIPES
|
|
*noSubprocessP = TRUE;
|
|
-#else
|
|
- const char *cp;
|
|
-
|
|
- reapChildren(catchingChildrenP, pids);
|
|
-
|
|
- /* Real file, not stdin or stdout. If name ends in ".Z",
|
|
- * pipe from/to un/compress (depending on r/w mode).
|
|
- *
|
|
- * If it starts with "|", popen that command.
|
|
- */
|
|
-
|
|
- cp = file_name + strlen(file_name) - 2;
|
|
- /* Pipe case. */
|
|
- if (file_name[0] == '|') {
|
|
- pid_t thepid; /* PID from my_popen */
|
|
-
|
|
- *noSubprocessP = FALSE;
|
|
-
|
|
- *fpP = my_popen(file_name + 1, mode, &thepid);
|
|
- if (*fpP == NULL)
|
|
- *errorP = "%s: can't invoke <<%s>> for %s: ";
|
|
- else {
|
|
- /* One more child to catch, eventually. */
|
|
- if (*catchingChildrenP < MAX_CHILDREN)
|
|
- pids[(*catchingChildrenP)++] = thepid;
|
|
- }
|
|
- } else if (cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) {
|
|
- /* Compress case. */
|
|
- pid_t thepid; /* PID from my_popen. */
|
|
- const char * command;
|
|
-
|
|
- *noSubprocessP = FALSE;
|
|
-
|
|
- if (*mode == 'w')
|
|
- pm_asprintf(&command, "compress > %s", file_name);
|
|
- else if (*mode == 'a')
|
|
- pm_asprintf(&command, "compress >> %s", file_name);
|
|
- else
|
|
- pm_asprintf(&command, "compress -d < %s", file_name);
|
|
-
|
|
- *fpP = my_popen(command, mode, &thepid);
|
|
-
|
|
- if (*fpP == NULL)
|
|
- *errorP = "%s: can't invoke 'compress' program, "
|
|
- "trying to open %s for %s";
|
|
- else {
|
|
- /* One more child to catch, eventually. */
|
|
- if (*catchingChildrenP < MAX_CHILDREN)
|
|
- pids[(*catchingChildrenP)++] = thepid;
|
|
- }
|
|
- pm_strfree(command);
|
|
- } else {
|
|
- *noSubprocessP = TRUE;
|
|
- *errorP = NULL;
|
|
- }
|
|
-#endif
|
|
}
|
|
|
|
|
|
diff -up urt/rle_putcom.c.security-code urt/rle_putcom.c
|
|
--- urt/rle_putcom.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/rle_putcom.c 2012-04-09 15:40:03.234619402 +0200
|
|
@@ -14,6 +14,8 @@
|
|
* If you modify this software, you should include a notice giving the
|
|
* name of the person performing the modification, the date of modification,
|
|
* and the reason for such modification.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* rle_putcom.c - Add a picture comment to the header struct.
|
|
@@ -98,12 +100,14 @@ rle_putcom(const char * const value,
|
|
const char * v;
|
|
const char ** old_comments;
|
|
int i;
|
|
- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp)
|
|
+ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) {
|
|
+ overflow_add(i, 1);
|
|
if (match(value, *cp) != NULL) {
|
|
v = *cp;
|
|
*cp = value;
|
|
return v;
|
|
}
|
|
+ }
|
|
/* Not found */
|
|
/* Can't realloc because somebody else might be pointing to this
|
|
* comments block. Of course, if this were true, then the
|
|
diff -up urt/Runput.c.security-code urt/Runput.c
|
|
--- urt/Runput.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/Runput.c 2012-04-09 15:40:03.235619390 +0200
|
|
@@ -17,6 +17,8 @@
|
|
*
|
|
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
|
|
* to have all "void" functions so declared.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
/*
|
|
* Runput.c - General purpose Run Length Encoding.
|
|
@@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr)
|
|
if ( the_hdr->background != 0 )
|
|
{
|
|
register int i;
|
|
- register rle_pixel *background =
|
|
- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
|
|
+ register rle_pixel *background;
|
|
register int *bg_color;
|
|
+
|
|
+ overflow_add(the_hdr->ncolors,1);
|
|
+ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
|
|
/*
|
|
* If even number of bg color bytes, put out one more to get to
|
|
* 16 bit boundary.
|
|
@@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr)
|
|
/* Big-endian machines are harder */
|
|
register int i, nmap = (1 << the_hdr->cmaplen) *
|
|
the_hdr->ncmap;
|
|
- register char *h_cmap = (char *)malloc( nmap * 2 );
|
|
+ register char *h_cmap = (char *)malloc2( nmap, 2 );
|
|
if ( h_cmap == NULL )
|
|
{
|
|
fprintf( stderr,
|
|
diff -up urt/scanargs.c.security-code urt/scanargs.c
|
|
--- urt/scanargs.c.security-code 2012-04-09 15:31:45.000000000 +0200
|
|
+++ urt/scanargs.c 2012-04-09 15:40:03.235619390 +0200
|
|
@@ -38,6 +38,8 @@
|
|
*
|
|
* Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
|
|
* to have all "void" functions so declared.
|
|
+ *
|
|
+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
@@ -63,8 +65,8 @@ typedef int *ptr;
|
|
/*
|
|
* Storage allocation macros
|
|
*/
|
|
-#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) )
|
|
-#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) )
|
|
+#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) )
|
|
+#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) )
|
|
|
|
static CONST_DECL char * prformat( CONST_DECL char *, int );
|
|
static int isnum( CONST_DECL char *, int, int );
|
|
--- lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400
|
|
+++ lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400
|
|
@@ -78,6 +78,7 @@
|
|
} else {
|
|
pm_filepos const bytesPerRow = (cols+7)/8;
|
|
pm_filepos const needRasterSize = rows * bytesPerRow;
|
|
+ overflow2(bytesPerRow, rows);
|
|
pm_check(fileP, checkType, needRasterSize, retvalP);
|
|
}
|
|
}
|
|
--- converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400
|
|
+++ converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400
|
|
@@ -185,6 +185,7 @@
|
|
unsigned int i;
|
|
int * table;
|
|
|
|
+ overflow_add(oldmaxval, 1);
|
|
MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
|
|
for (i = 0; i <= oldmaxval; ++i)
|
|
table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
|