From 23b2ce035805116cb2328eb0d75dc9c632e83816 Mon Sep 17 00:00:00 2001 From: Kevin Mihelich Date: Sat, 16 Apr 2016 14:36:52 +0000 Subject: [PATCH] extra/netpbm to 10.73-1 --- extra/netpbm/PKGBUILD | 32 +- extra/netpbm/netpbm-security-code.patch | 1420 +++++++++----------- extra/netpbm/netpbm-security-scripts.patch | 102 +- 3 files changed, 678 insertions(+), 876 deletions(-) diff --git a/extra/netpbm/PKGBUILD b/extra/netpbm/PKGBUILD index 7dcf6214d..50bc491ce 100644 --- a/extra/netpbm/PKGBUILD +++ b/extra/netpbm/PKGBUILD @@ -5,7 +5,8 @@ # - add armv7h and aarch64 for -fPIC flag pkgname=netpbm -pkgver=10.69.02 +pkgver=10.73 +_rev=r2692 pkgrel=1 pkgdesc="A toolkit for manipulation of graphic images" arch=('i686' 'x86_64') @@ -15,24 +16,19 @@ depends=('perl' 'libpng' 'libtiff' 'libxml2') makedepends=('python2' 'jbigkit' 'subversion') options=('!makeflags') # Get docs with: wget --recursive --relative -nH http://netpbm.sourceforge.net/doc/ -source=(svn://svn.code.sf.net/p/netpbm/code/advanced - ftp://ftp.archlinux.org/other/packages/netpbm/netpbm-doc-31Jan2014.tar.xz{,.sig} +source=(svn://svn.code.sf.net/p/netpbm/code/stable#revision=$_rev + https://sources.archlinux.org/other/packages/netpbm/netpbm-doc-31Jan2014.tar.xz{,.sig} netpbm-CAN-2005-2471.patch netpbm-security-code.patch netpbm-security-scripts.patch) sha1sums=('SKIP' '25a58975bd8cd383238b4ae31f4405c60914faac' 'SKIP' 'b79cf9d42488fea065ba16262ed97694c47af08d' - '313e040ea74eb73675aa420b6f54e1f4452c4769' - 'c67a63c010353de3ecac3ad72ba76bbb85e4ed4c') + '60088182b44ed2f10914413f7c95841a71a594fe' + 'ca61aabdeb24a6421781ca975719ce7314be2bb9') validpgpkeys=('5357F3B111688D88C1D88119FCF2CB179205AC90') -pkgver() { - cd advanced - echo $(grep MAJOR version.mk |cut -d ' ' -f 3).$(grep MINOR version.mk |cut -d ' ' -f 3).0$(grep POINT version.mk |cut -d ' ' -f 3) -} - prepare() { - cd advanced + cd stable patch -p1 < ../netpbm-CAN-2005-2471.patch patch -p1 < ../netpbm-security-code.patch @@ -57,27 +53,27 @@ prepare() { } build() { - cd advanced + cd stable make # Generating useful man pages with html doc - make MAKEMAN="${srcdir}/advanced/buildtools/makeman" USERGUIDE=. \ - -C ../doc -f "${srcdir}/advanced/buildtools/manpage.mk" manpages + make MAKEMAN="${srcdir}/stable/buildtools/makeman" USERGUIDE=. \ + -C ../doc -f "${srcdir}/stable/buildtools/manpage.mk" manpages } package() { - cd advanced + cd stable make pkgdir="${pkgdir}/usr" PKGMANDIR=share/man install-run install-dev # Removing dummy man pages rm "${pkgdir}"/usr/share/man/man{1,3,5}/* - make MAKEMAN="${srcdir}/advanced/buildtools/makeman" MANDIR="${pkgdir}/usr/share/man" \ - -C ../doc -f "${srcdir}/advanced/buildtools/manpage.mk" installman + make MAKEMAN="${srcdir}/stable/buildtools/makeman" MANDIR="${pkgdir}/usr/share/man" \ + -C ../doc -f "${srcdir}/stable/buildtools/manpage.mk" installman # Replace obsolete utility echo -e '#!/bin/sh\npamditherbw $@ | pamtopnm\n' > "${pkgdir}/usr/bin/pgmtopbm" # Licensing. Note that each program in the package has a separate license. - install -D -m644 "${srcdir}/advanced/doc/copyright_summary" \ + install -D -m644 "${srcdir}/stable/doc/copyright_summary" \ "${pkgdir}/usr/share/licenses/${pkgname}/copyright_summary.txt" } diff --git a/extra/netpbm/netpbm-security-code.patch b/extra/netpbm/netpbm-security-code.patch index e350b5b72..9f2ad8ed4 100644 --- a/extra/netpbm/netpbm-security-code.patch +++ b/extra/netpbm/netpbm-security-code.patch @@ -1,16 +1,17 @@ -diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/analyzer/pgmtexture.c ---- netpbm-10.58.01/analyzer/pgmtexture.c.security-code 2012-04-09 15:31:32.000000000 +0200 -+++ netpbm-10.58.01/analyzer/pgmtexture.c 2012-04-09 15:40:03.183620040 +0200 -@@ -97,7 +97,7 @@ vector(unsigned int const nl, - float * v; +diff --git a/analyzer/pgmtexture.c b/analyzer/pgmtexture.c +index 0731733..635c58b 100644 +--- a/analyzer/pgmtexture.c ++++ b/analyzer/pgmtexture.c +@@ -98,6 +98,8 @@ vector(unsigned int const nl, assert(nh >= nl); -- + + overflow_add(nh - nl, 1); ++ MALLOCARRAY(v, (unsigned) (nh - nl + 1)); if (v == NULL) -@@ -129,6 +129,7 @@ matrix (unsigned int const nrl, +@@ -129,6 +131,7 @@ matrix (unsigned int const nrl, assert(nrh >= nrl); /* allocate pointers to rows */ @@ -18,18 +19,18 @@ diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/ana MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); if (m == NULL) pm_error("Unable to allocate memory for a matrix."); -@@ -136,7 +137,7 @@ matrix (unsigned int const nrl, - m -= ncl; +@@ -137,6 +140,7 @@ matrix (unsigned int const nrl, assert (nch >= ncl); -- + + overflow_add(nch - ncl, 1); /* allocate rows and set pointers to them */ for (i = nrl; i <= nrh; ++i) { MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); -diff -up netpbm-10.58.01/converter/other/gemtopnm.c.security-code netpbm-10.58.01/converter/other/gemtopnm.c ---- netpbm-10.58.01/converter/other/gemtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/gemtopnm.c 2012-04-09 15:40:03.183620040 +0200 +diff --git a/converter/other/gemtopnm.c b/converter/other/gemtopnm.c +index aac7479..5f1a51a 100644 +--- a/converter/other/gemtopnm.c ++++ b/converter/other/gemtopnm.c @@ -106,6 +106,7 @@ main(argc, argv) pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); @@ -38,10 +39,11 @@ diff -up netpbm-10.58.01/converter/other/gemtopnm.c.security-code netpbm-10.58.0 { /* allocate input row data structure */ int plane; -diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c ---- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200 -+++ netpbm-10.58.01/converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200 -@@ -861,6 +861,8 @@ convertImage(FILE * +diff --git a/converter/other/jpegtopnm.c b/converter/other/jpegtopnm.c +index ab3b18e..c324b86 100644 +--- a/converter/other/jpegtopnm.c ++++ b/converter/other/jpegtopnm.c +@@ -861,6 +861,8 @@ convertImage(FILE * const ofP, /* Calculate output image dimensions so we can allocate space */ jpeg_calc_output_dimensions(cinfoP); @@ -50,9 +52,10 @@ diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58. /* Start decompressor */ jpeg_start_decompress(cinfoP); -diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.01/converter/other/pbmtopgm.c ---- netpbm-10.58.01/converter/other/pbmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pbmtopgm.c 2012-04-09 15:40:03.184620028 +0200 +diff --git a/converter/other/pbmtopgm.c b/converter/other/pbmtopgm.c +index 69b20fb..382a487 100644 +--- a/converter/other/pbmtopgm.c ++++ b/converter/other/pbmtopgm.c @@ -47,6 +47,7 @@ main(int argc, char *argv[]) { "than the image height (%u rows)", height, rows); @@ -61,9 +64,10 @@ diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.0 maxval = MIN(PGM_OVERALLMAXVAL, width*height); pgm_writepgminit(stdout, cols, rows, maxval, 0) ; -diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c ---- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200 +diff --git a/converter/other/pnmtoddif.c b/converter/other/pnmtoddif.c +index ae8c852..9ee037b 100644 +--- a/converter/other/pnmtoddif.c ++++ b/converter/other/pnmtoddif.c @@ -632,6 +632,7 @@ main(int argc, char *argv[]) { switch (PNM_FORMAT_TYPE(format)) { case PBM_TYPE: @@ -80,10 +84,11 @@ diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58. ip.bytes_per_line = 3 * cols; ip.bits_per_pixel = 24; ip.spectral = 5; -diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58.01/converter/other/pnmtojpeg.c ---- netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code 2012-04-09 15:31:39.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtojpeg.c 2012-04-09 15:40:03.186620002 +0200 -@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const ci +diff --git a/converter/other/pnmtojpeg.c b/converter/other/pnmtojpeg.c +index ce231c9..1279040 100644 +--- a/converter/other/pnmtojpeg.c ++++ b/converter/other/pnmtojpeg.c +@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const cinfo, want JPOOL_PERMANENT. */ const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); @@ -96,7 +101,7 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58. (jpeg_scan_info *) (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, scan_info_size); -@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const +@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const rescale_p, const pixval maxval, const long half_maxval = maxval / 2; long val; @@ -105,7 +110,7 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58. *rescale_p = (JSAMPLE *) (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, (size_t) (((long) maxval + 1L) * -@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_s +@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_struct * const cinfo_p, */ /* Allocate the libpnm output and compressor input buffers */ @@ -113,10 +118,11 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58. buffer = (*cinfo_p->mem->alloc_sarray) ((j_common_ptr) cinfo_p, JPOOL_IMAGE, (unsigned int) cinfo_p->image_width * cinfo_p->input_components, -diff -up netpbm-10.58.01/converter/other/pnmtops.c.security-code netpbm-10.58.01/converter/other/pnmtops.c ---- netpbm-10.58.01/converter/other/pnmtops.c.security-code 2012-04-09 15:31:40.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtops.c 2012-04-09 15:40:03.187619989 +0200 -@@ -256,17 +256,21 @@ parseCommandLine(int argc, const char ** +diff --git a/converter/other/pnmtops.c b/converter/other/pnmtops.c +index 6cd6be9..8a7d25a 100644 +--- a/converter/other/pnmtops.c ++++ b/converter/other/pnmtops.c +@@ -292,17 +292,21 @@ parseCommandLine(int argc, const char ** argv, validateCompDimension(width, 72, "-width value"); validateCompDimension(height, 72, "-height value"); @@ -139,21 +145,10 @@ diff -up netpbm-10.58.01/converter/other/pnmtops.c.security-code netpbm-10.58.01 cmdlineP->imageheight = imageheight * 72; } else -diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c ---- netpbm-10.58.01/converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200 -@@ -19,6 +19,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * pnmtorle - A program which will convert pbmplus (ppm or pgm) images -diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c ---- netpbm-10.58.01/converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200 +diff --git a/converter/other/rletopnm.c b/converter/other/rletopnm.c +index 9995914..058278c 100644 +--- a/converter/other/rletopnm.c ++++ b/converter/other/rletopnm.c @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, @@ -163,9 +158,10 @@ diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.0 */ /* * rletopnm - A conversion program to convert from Utah's "rle" image format -diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.01/converter/other/sirtopnm.c ---- netpbm-10.58.01/converter/other/sirtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/sirtopnm.c 2012-04-09 15:40:03.190619951 +0200 +diff --git a/converter/other/sirtopnm.c b/converter/other/sirtopnm.c +index fafcc91..9fe49d0 100644 +--- a/converter/other/sirtopnm.c ++++ b/converter/other/sirtopnm.c @@ -69,6 +69,7 @@ char* argv[]; } break; @@ -174,10 +170,11 @@ diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.0 picsize = cols * rows * 3; planesize = cols * rows; if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) -diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58.01/converter/other/tifftopnm.c ---- netpbm-10.58.01/converter/other/tifftopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/tifftopnm.c 2012-04-09 15:40:03.191619939 +0200 -@@ -1279,7 +1279,9 @@ convertRasterByRows(pnmOut * const +diff --git a/converter/other/tifftopnm.c b/converter/other/tifftopnm.c +index 0d6494f..19e9e38 100644 +--- a/converter/other/tifftopnm.c ++++ b/converter/other/tifftopnm.c +@@ -1309,7 +1309,9 @@ convertRasterByRows(pnmOut * const pnmOutP, if (scanbuf == NULL) pm_error("can't allocate memory for scanline buffer"); @@ -188,10 +185,11 @@ diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58. if (samplebuf == NULL) pm_error("can't allocate memory for row buffer"); -diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.01/converter/other/xwdtopnm.c ---- netpbm-10.58.01/converter/other/xwdtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200 -+++ netpbm-10.58.01/converter/other/xwdtopnm.c 2012-04-09 15:40:03.192619927 +0200 -@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons +diff --git a/converter/other/xwdtopnm.c b/converter/other/xwdtopnm.c +index 45d66b4..c914481 100644 +--- a/converter/other/xwdtopnm.c ++++ b/converter/other/xwdtopnm.c +@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * const h10P, *colorsP = pnm_allocrow(2); PNM_ASSIGN1((*colorsP)[0], 0); PNM_ASSIGN1((*colorsP)[1], *maxvalP); @@ -202,7 +200,7 @@ diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.0 *padrightP = (((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8; *bits_per_itemP = 16; -@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons +@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * const h11P, *colsP = h11FixedP->pixmap_width; *rowsP = h11FixedP->pixmap_height; @@ -210,9 +208,10 @@ diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.0 *padrightP = h11FixedP->bytes_per_line * 8 - h11FixedP->pixmap_width * h11FixedP->bits_per_pixel; -diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/converter/pbm/mdatopbm.c ---- netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/mdatopbm.c 2012-04-09 15:40:03.192619927 +0200 +diff --git a/converter/pbm/mdatopbm.c b/converter/pbm/mdatopbm.c +index d8e0657..12c7468 100644 +--- a/converter/pbm/mdatopbm.c ++++ b/converter/pbm/mdatopbm.c @@ -245,10 +245,13 @@ main(int argc, char **argv) { pm_readlittleshort(infile, &yy); nInCols = yy; } @@ -228,9 +227,10 @@ diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/ data = pbm_allocarray(nOutCols, nOutRows); -diff -up netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code netpbm-10.58.01/converter/pbm/mgrtopbm.c ---- netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/mgrtopbm.c 2012-04-09 15:40:03.193619915 +0200 +diff --git a/converter/pbm/mgrtopbm.c b/converter/pbm/mgrtopbm.c +index 9f7004a..60e8477 100644 +--- a/converter/pbm/mgrtopbm.c ++++ b/converter/pbm/mgrtopbm.c @@ -65,6 +65,8 @@ readMgrHeader(FILE * const ifP, if (head.h_high < ' ' || head.l_high < ' ') pm_error("Invalid width field in MGR header"); @@ -240,155 +240,10 @@ diff -up netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code netpbm-10.58.01/ *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; -diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c ---- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200 -@@ -79,6 +79,7 @@ putinit (int const rows, int const cols) - bitsperitem = 0; - bitshift = 7; - outcol = 0; -+ overflow_add(cols, 7); - outmax = (cols + 7) / 8; - outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); - lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); -diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c ---- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200 -@@ -158,6 +158,7 @@ main(int argc, - bitrow = pbm_allocrow(cols); - - /* Round cols up to the nearest multiple of 8. */ -+ overflow_add(cols, 7); - rucols = ( cols + 7 ) / 8; - bytesperrow = rucols; /* GraphOn uses bytes */ - rucols = rucols * 8; -diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c ---- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200 -@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv, - static void - allocateBuffers(unsigned int const cols) { - -+ overflow_add(cols, 8); - rowBufferSize = (cols + 7) / 8; -+ overflow_add(rowBufferSize, 128); -+ overflow_add(rowBufferSize, rowBufferSize+128); -+ overflow_add(rowBufferSize+10, rowBufferSize/8); - packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; - deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; - -diff -up netpbm-10.58.01/converter/pbm/pbmtomacp.c.security-code netpbm-10.58.01/converter/pbm/pbmtomacp.c ---- netpbm-10.58.01/converter/pbm/pbmtomacp.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtomacp.c 2012-04-09 15:40:03.195619889 +0200 -@@ -101,6 +101,7 @@ char *argv[]; - if( !lflg ) - left = 0; - -+ overflow_add(left, MAX_COLS - 1); - if( rflg ) - { if( right - left >= MAX_COLS ) - right = left + MAX_COLS - 1; -@@ -111,6 +112,8 @@ char *argv[]; - if( !tflg ) - top = 0; - -+ overflow_add(top, MAX_LINES - 1); -+ - if( bflg ) - { if( bottom - top >= MAX_LINES ) - bottom = top + MAX_LINES - 1; -diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c ---- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200 -@@ -179,6 +179,7 @@ int main(int argc, char **argv) - - nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; - -+ overflow_add(nOutRowsUnrounded, 3); - nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; - /* MDA wants rows a multiple of 4 */ - nOutCols = nInCols / 8; -diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c ---- netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c 2012-04-09 15:40:03.195619889 +0200 -@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned - return 0; - - case P4: -+ overflow_add(pbm->width, 7); - tmp=(pbm->width+7)/8; - tmp2=fread(data,1,tmp,pbm->fptr); - if(tmp2 == tmp) -@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void - return; - - pbm->unread = 1; -- pbm->revdata = malloc ((pbm->width+7)/8); -+ overflow_add(pbm->width, 7); -+ pbm->revdata = malloc((pbm->width+7)/8); - memcpy (pbm->revdata, data, (pbm->width+7)/8); - pbm->current_line--; - } -diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c ---- netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c 2012-04-09 15:40:03.196619876 +0200 -@@ -441,6 +441,7 @@ main(int argc, char *argv[]) { - pm_error("main(): unrecognized parameter '%s'", argv[argn]); - } - -+ overflow_add(Width, 7); - Pwidth=(Width+7)/8; - printer.fptr=out; - -diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c ---- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200 -@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP, - - unsigned char * bitrow; - unsigned int row; -+ -+ overflow_add(cols, padright); - - putinit(xbmVersion); - -diff -up netpbm-10.58.01/converter/pbm/pbmtoybm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoybm.c ---- netpbm-10.58.01/converter/pbm/pbmtoybm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoybm.c 2012-04-09 15:40:03.197619863 +0200 -@@ -113,6 +113,7 @@ main(int argc, const char *argv[]) { - bitrow = pbm_allocrow(cols); - - /* Compute padding to round cols up to the nearest multiple of 16. */ -+ overflow_add(cols, 16); - padright = ((cols + 15) / 16) * 16 - cols; - - putinit(cols, rows); -diff -up netpbm-10.58.01/converter/pbm/pbmtozinc.c.security-code netpbm-10.58.01/converter/pbm/pbmtozinc.c ---- netpbm-10.58.01/converter/pbm/pbmtozinc.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtozinc.c 2012-04-09 15:40:03.197619863 +0200 -@@ -65,6 +65,7 @@ main(int argc, char * argv[]) { - bitrow = pbm_allocrow( cols ); - - /* Compute padding to round cols up to the nearest multiple of 16. */ -+ overflow_add(cols, 16); - padright = ( ( cols + 15 ) / 16 ) * 16 - cols; - - printf( "USHORT %s[] = {\n",name); -diff -up netpbm-10.58.01/converter/pbm/pbmto10x.c.security-code netpbm-10.58.01/converter/pbm/pbmto10x.c ---- netpbm-10.58.01/converter/pbm/pbmto10x.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmto10x.c 2012-04-09 15:40:03.197619863 +0200 -@@ -162,7 +162,7 @@ main(int argc, char * argv[]) { - res_60x72(); - - pm_close(ifp); -- exit(0); -+ return 0; - } - - -diff -up netpbm-10.58.01/converter/pbm/pbmto4425.c.security-code netpbm-10.58.01/converter/pbm/pbmto4425.c ---- netpbm-10.58.01/converter/pbm/pbmto4425.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmto4425.c 2012-04-09 15:40:03.198619851 +0200 +diff --git a/converter/pbm/pbmto4425.c b/converter/pbm/pbmto4425.c +index 1d97ac6..c4c8cbb 100644 +--- a/converter/pbm/pbmto4425.c ++++ b/converter/pbm/pbmto4425.c @@ -2,6 +2,7 @@ #include "nstring.h" @@ -406,10 +261,108 @@ diff -up netpbm-10.58.01/converter/pbm/pbmto4425.c.security-code netpbm-10.58.01 if(vmap == NULL) { pm_error( "Cannot allocate memory" ); -diff -up netpbm-10.58.01/converter/pbm/pktopbm.c.security-code netpbm-10.58.01/converter/pbm/pktopbm.c ---- netpbm-10.58.01/converter/pbm/pktopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pktopbm.c 2012-04-09 15:40:03.198619851 +0200 -@@ -277,6 +277,7 @@ main(int argc, char *argv[]) { +diff --git a/converter/pbm/pbmtogem.c b/converter/pbm/pbmtogem.c +index 9eab041..13b0257 100644 +--- a/converter/pbm/pbmtogem.c ++++ b/converter/pbm/pbmtogem.c +@@ -79,6 +79,7 @@ putinit (int const rows, int const cols) + bitsperitem = 0; + bitshift = 7; + outcol = 0; ++ overflow_add(cols, 7); + outmax = (cols + 7) / 8; + outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); + lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); +diff --git a/converter/pbm/pbmtogo.c b/converter/pbm/pbmtogo.c +index 23b2ee9..d2ee91f 100644 +--- a/converter/pbm/pbmtogo.c ++++ b/converter/pbm/pbmtogo.c +@@ -158,6 +158,7 @@ main(int argc, + bitrow = pbm_allocrow(cols); + + /* Round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 7); + rucols = ( cols + 7 ) / 8; + bytesperrow = rucols; /* GraphOn uses bytes */ + rucols = rucols * 8; +diff --git a/converter/pbm/pbmtolj.c b/converter/pbm/pbmtolj.c +index 0cceb4f..fdab6df 100644 +--- a/converter/pbm/pbmtolj.c ++++ b/converter/pbm/pbmtolj.c +@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv, + static void + allocateBuffers(unsigned int const cols) { + ++ overflow_add(cols, 8); + rowBufferSize = (cols + 7) / 8; ++ overflow_add(rowBufferSize, 128); ++ overflow_add(rowBufferSize, rowBufferSize+128); ++ overflow_add(rowBufferSize+10, rowBufferSize/8); + packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; + deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; + +diff --git a/converter/pbm/pbmtomda.c b/converter/pbm/pbmtomda.c +index 3ad5149..9efe5cf 100644 +--- a/converter/pbm/pbmtomda.c ++++ b/converter/pbm/pbmtomda.c +@@ -179,6 +179,7 @@ int main(int argc, char **argv) + + nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; + ++ overflow_add(nOutRowsUnrounded, 3); + nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; + /* MDA wants rows a multiple of 4 */ + nOutCols = nInCols / 8; +diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c +index 2f8a42b..1c8d236 100644 +--- a/converter/pbm/pbmtoppa/pbm.c ++++ b/converter/pbm/pbmtoppa/pbm.c +@@ -106,6 +106,7 @@ int pbm_readline(pbm_stat* pbm,unsigned char* data) + return 0; + + case P4: ++ overflow_add(pbm->width, 7); + tmp=(pbm->width+7)/8; + tmp2=fread(data,1,tmp,pbm->fptr); + if(tmp2 == tmp) +@@ -130,6 +131,7 @@ void pbm_unreadline (pbm_stat *pbm, void *data) + return; + + pbm->unread = 1; ++ overflow_add(pbm->width, 7); + pbm->revdata = malloc ((pbm->width+7)/8); + memcpy (pbm->revdata, data, (pbm->width+7)/8); + pbm->current_line--; +diff --git a/converter/pbm/pbmtoppa/pbmtoppa.c b/converter/pbm/pbmtoppa/pbmtoppa.c +index f43c08a..98e0284 100644 +--- a/converter/pbm/pbmtoppa/pbmtoppa.c ++++ b/converter/pbm/pbmtoppa/pbmtoppa.c +@@ -452,6 +452,7 @@ main(int argc, char *argv[]) { + pm_error("main(): unrecognized parameter '%s'", argv[argn]); + } + ++ overflow_add(Width, 7); + Pwidth=(Width+7)/8; + printer.fptr=out; + +diff --git a/converter/pbm/pbmtoxbm.c b/converter/pbm/pbmtoxbm.c +index 14c6b85..362b70e 100644 +--- a/converter/pbm/pbmtoxbm.c ++++ b/converter/pbm/pbmtoxbm.c +@@ -351,6 +351,8 @@ convertRaster(FILE * const ifP, + + unsigned char * bitrow; + unsigned int row; ++ ++ overflow_add(cols, padright); + + putinit(xbmVersion); + +diff --git a/converter/pbm/pktopbm.c b/converter/pbm/pktopbm.c +index 712f339..b6fcb02 100644 +--- a/converter/pbm/pktopbm.c ++++ b/converter/pbm/pktopbm.c +@@ -280,6 +280,7 @@ main(int argc, char *argv[]) { if (flagbyte == 7) { /* long form preamble */ integer packetlength = get32() ; /* character packet length */ car = get32() ; /* character number */ @@ -417,15 +370,17 @@ diff -up netpbm-10.58.01/converter/pbm/pktopbm.c.security-code netpbm-10.58.01/c endofpacket = packetlength + pktopbm_pkloc; /* calculate end of packet */ if ((car >= MAXPKCHAR) || !filename[car]) { -diff -up netpbm-10.58.01/converter/pbm/thinkjettopbm.l.security-code netpbm-10.58.01/converter/pbm/thinkjettopbm.l ---- netpbm-10.58.01/converter/pbm/thinkjettopbm.l.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/thinkjettopbm.l 2012-04-09 15:40:03.199619839 +0200 +diff --git a/converter/pbm/thinkjettopbm.l b/converter/pbm/thinkjettopbm.l +index 5de4f2b..7f31de5 100644 +--- a/converter/pbm/thinkjettopbm.l ++++ b/converter/pbm/thinkjettopbm.l @@ -114,7 +114,9 @@ DIG [0-9] \033\*b{DIG}+W { int l; if (rowCount >= rowCapacity) { +- rowCapacity += 100; + overflow_add(rowCapacity, 100); - rowCapacity += 100; ++ rowCapacity += 100; + overflow2(rowCapacity, sizeof *rows); rows = realloc (rows, rowCapacity * sizeof *rows); if (rows == NULL) @@ -439,20 +394,22 @@ diff -up netpbm-10.58.01/converter/pbm/thinkjettopbm.l.security-code netpbm-10.5 pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0); packed_bitrow = malloc(maxRowLength); -diff -up netpbm-10.58.01/converter/pbm/ybmtopbm.c.security-code netpbm-10.58.01/converter/pbm/ybmtopbm.c ---- netpbm-10.58.01/converter/pbm/ybmtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/ybmtopbm.c 2012-04-09 15:40:03.199619839 +0200 -@@ -49,6 +49,7 @@ getinit(FILE * const ifP, +diff --git a/converter/pbm/ybmtopbm.c b/converter/pbm/ybmtopbm.c +index 2a42908..cf1ff03 100644 +--- a/converter/pbm/ybmtopbm.c ++++ b/converter/pbm/ybmtopbm.c +@@ -43,6 +43,7 @@ getinit(FILE * const ifP, pm_error("EOF / read error"); *depthP = 1; + overflow_add(*colsP, 15); - *padrightP = ((*colsP + 15) / 16) * 16 - *colsP; } -diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.01/converter/pgm/lispmtopgm.c ---- netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/pgm/lispmtopgm.c 2012-04-09 15:40:03.199619839 +0200 + +diff --git a/converter/pgm/lispmtopgm.c b/converter/pgm/lispmtopgm.c +index 40dd3fb..b5469f7 100644 +--- a/converter/pgm/lispmtopgm.c ++++ b/converter/pgm/lispmtopgm.c @@ -58,6 +58,7 @@ main( argc, argv ) pm_error( "depth (%d bits) is too large", depth); @@ -461,20 +418,19 @@ diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.0 grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 ); for ( row = 0; row < rows; ++row ) -@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad +@@ -102,6 +103,8 @@ getinit( file, colsP, rowsP, depthP, padrightP ) if ( *depthP == 0 ) *depthP = 1; /* very old file */ -- + + overflow_add((int)colsP, 31); -+ + *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP; - if ( *colsP != (cols_32 - *padrightP) ) { -diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01/converter/pgm/psidtopgm.c ---- netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/pgm/psidtopgm.c 2012-04-09 15:40:03.200619827 +0200 +diff --git a/converter/pgm/psidtopgm.c b/converter/pgm/psidtopgm.c +index 07417d1..25bb311 100644 +--- a/converter/pgm/psidtopgm.c ++++ b/converter/pgm/psidtopgm.c @@ -78,6 +78,7 @@ main(int argc, pm_error("bits/sample (%d) is too large.", bitspersample); @@ -483,10 +439,24 @@ diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01 grayrow = pgm_allocrow((cols + 7) / 8 * 8); for (row = 0; row < rows; ++row) { unsigned int col; -diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01/converter/ppm/ilbmtoppm.c ---- netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ilbmtoppm.c 2012-04-09 15:40:03.201619815 +0200 -@@ -592,6 +592,7 @@ decode_row(FILE * const ifP, +diff --git a/converter/ppm/Makefile b/converter/ppm/Makefile +index 09f05cd..f68170f 100644 +--- a/converter/ppm/Makefile ++++ b/converter/ppm/Makefile +@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm + + PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ + leaftoppm mtvtoppm neotoppm \ +- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ ++ pcxtoppm pc1toppm pi1toppm pjtoppm \ + ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \ + ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ + ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ +diff --git a/converter/ppm/ilbmtoppm.c b/converter/ppm/ilbmtoppm.c +index 662be0b..2a86efc 100644 +--- a/converter/ppm/ilbmtoppm.c ++++ b/converter/ppm/ilbmtoppm.c +@@ -606,6 +606,7 @@ decode_row(FILE * const ifP, rawtype *chp; cols = bmhdP->w; @@ -494,7 +464,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 bytes = RowBytes(cols); for( plane = 0; plane < nPlanes; plane++ ) { int mask; -@@ -679,6 +680,23 @@ decode_mask(FILE * const ifP, +@@ -693,6 +694,23 @@ decode_mask(FILE * const ifP, Multipalette handling ****************************************************************************/ @@ -518,7 +488,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 static void multi_adjust(cmap, row, palchange) -@@ -1341,6 +1359,9 @@ dcol_to_ppm(FILE * const ifP, +@@ -1355,6 +1373,9 @@ dcol_to_ppm(FILE * const ifP, if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); @@ -528,7 +498,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 MALLOCARRAY_NOFAIL(redtable, redmaxval +1); MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); -@@ -1763,7 +1784,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data +@@ -1784,7 +1805,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, datasize) ChangeCount32 = *data++; datasize -= 2; @@ -538,7 +508,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 for( i = 0; i < changes; i++ ) { if( totalchanges >= PCHG->TotalChanges ) goto fail; if( datasize < 2 ) goto fail; -@@ -2028,6 +2051,9 @@ read_pchg(FILE * const ifp, +@@ -2049,6 +2072,9 @@ read_pchg(FILE * const ifP, cmap->mp_change[i] = NULL; if( PCHG.StartLine < 0 ) { int nch; @@ -548,17 +518,18 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 nch = PCHG.MaxReg - PCHG.MinReg +1; MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); for( i = 0; i < nch; i++ ) -@@ -2104,6 +2130,7 @@ process_body( FILE * const ifp, - if( typeid == ID_ILBM ) { +@@ -2125,6 +2151,7 @@ process_body( FILE * const ifP, + if (typeid == ID_ILBM) { int isdeep; + overflow_add(bmhdP->w, 15); MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w)); *viewportmodesP |= fakeviewport; /* -isham/-isehb */ -diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/converter/ppm/imgtoppm.c ---- netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/imgtoppm.c 2012-04-09 15:40:03.202619802 +0200 +diff --git a/converter/ppm/imgtoppm.c b/converter/ppm/imgtoppm.c +index 7078b88..eb8509e 100644 +--- a/converter/ppm/imgtoppm.c ++++ b/converter/ppm/imgtoppm.c @@ -84,6 +84,7 @@ main(int argc, char ** argv) { len = atoi((char*) buf ); if ( fread( buf, len, 1, ifp ) != 1 ) @@ -575,22 +546,11 @@ diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/ if ( len != cols * rows ) pm_message( "pixel data length (%d) does not match image size (%d)", -diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile ---- netpbm-10.58.01/converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200 -@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg - - PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ - leaftoppm mtvtoppm neotoppm \ -- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ -+ pcxtoppm pc1toppm pi1toppm pjtoppm \ - ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \ - ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ - ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ -diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/converter/ppm/pcxtoppm.c ---- netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/pcxtoppm.c 2012-04-09 15:40:03.203619789 +0200 -@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes, +diff --git a/converter/ppm/pcxtoppm.c b/converter/ppm/pcxtoppm.c +index e252ba2..270ae3b 100644 +--- a/converter/ppm/pcxtoppm.c ++++ b/converter/ppm/pcxtoppm.c +@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes, bytesperline, planes, bitsperpixel) /* * clear the pixel buffer */ @@ -606,19 +566,20 @@ diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/ rawcols = BytesPerLine * 8 / BitsPerPixel; if (headerCols > rawcols) { pm_message("warning - BytesPerLine = %d, " -diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c ---- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200 -@@ -1,3 +1,5 @@ +diff --git a/converter/ppm/picttoppm.c b/converter/ppm/picttoppm.c +index 828d527..8cdb7b3 100644 +--- a/converter/ppm/picttoppm.c ++++ b/converter/ppm/picttoppm.c +@@ -1,3 +1,4 @@ +#error "Unfixable. Don't ship me" -+ /* * picttoppm.c -- convert a MacIntosh PICT file to PPM format. * -diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/converter/ppm/pjtoppm.c ---- netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/pjtoppm.c 2012-04-09 15:40:03.206619751 +0200 -@@ -127,19 +127,21 @@ main(argc, argv) +diff --git a/converter/ppm/pjtoppm.c b/converter/ppm/pjtoppm.c +index 7b694fb..62ce77e 100644 +--- a/converter/ppm/pjtoppm.c ++++ b/converter/ppm/pjtoppm.c +@@ -127,20 +127,22 @@ main(argc, argv) case 'V': /* send plane */ case 'W': /* send last plane */ if (rows == -1 || r >= rows || image == NULL) { @@ -627,6 +588,7 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c + overflow_add(rows, 100); rows += 100; + } ++ if (image == NULL) { - MALLOCARRAY(image, rows * planes); - MALLOCARRAY(imlen, rows * planes); @@ -635,18 +597,21 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c + imlen = (int *) malloc3(rows , planes, sizeof(int)); } else { -+ overflow2(rows,planes); - image = (unsigned char **) +- image = (unsigned char **) - realloc(image, - rows * planes * -+ realloc2(image, rows * planes, - sizeof(unsigned char *)); +- sizeof(unsigned char *)); - imlen = (int *) - realloc(imlen, rows * planes * sizeof(int)); -+ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); - } +- } ++ overflow2(rows,planes); ++ image = (unsigned char **) ++ realloc2(image, rows * planes, ++ sizeof(unsigned char *)); ++ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); } } if (image == NULL || imlen == NULL) + pm_error("out of memory"); @@ -212,8 +214,10 @@ main(argc, argv) for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) for (cmd = image[p + r * planes][c], @@ -667,10 +632,11 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c cols *= 8; } -diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c ---- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200 -@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva +diff --git a/converter/ppm/ppmtoeyuv.c b/converter/ppm/ppmtoeyuv.c +index f5ce115..6f072be 100644 +--- a/converter/ppm/ppmtoeyuv.c ++++ b/converter/ppm/ppmtoeyuv.c +@@ -114,6 +114,7 @@ create_multiplication_tables(const pixval maxval) { int index; @@ -678,66 +644,22 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01 MALLOCARRAY_NOFAIL(mult299 , maxval+1); MALLOCARRAY_NOFAIL(mult587 , maxval+1); MALLOCARRAY_NOFAIL(mult114 , maxval+1); -diff -up netpbm-10.58.01/converter/ppm/ppmtoicr.c.security-code netpbm-10.58.01/converter/ppm/ppmtoicr.c ---- netpbm-10.58.01/converter/ppm/ppmtoicr.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoicr.c 2012-04-09 15:40:03.207619739 +0200 -@@ -169,7 +169,7 @@ char* argv[]; - - if (rleflag) { - pm_message("sending run-length encoded picture data ..." ); -- testimage = (char*) malloc(rows*cols); -+ testimage = (char*) malloc2(rows, cols); - p = testimage; - for (i=0; i PCL_MAXVAL) pm_error("color range too large; reduce with ppmcscale"); + + if (cols < 0 || rows < 0) + pm_error("negative size is not possible"); - ++ /* Figure out the colormap. */ pm_message("Computing colormap..."); -@@ -296,6 +298,8 @@ main(int argc, const char * argv[]) { + chv = ppm_computecolorhist(pixels, cols, rows, MAXCOLORS, &colors); +@@ -325,6 +328,8 @@ main(int argc, const char * argv[]) { case 0: /* direct mode (no palette) */ bpp = bitsperpixel(maxval); /* bits per pixel */ bpg = bpp; bpb = bpp; -+ overflow2(bpp, 3); -+ overflow_add(bpp*3, 7); ++ overflow2(bpp, 3); ++ overflow_add(bpp*3, 7); bpp = (bpp*3+7)>>3; /* bytes per pixel now */ bpr = (bpp<<3)-bpg-bpb; bpp *= cols; /* bytes per row now */ -@@ -305,9 +309,13 @@ main(int argc, const char * argv[]) { +@@ -334,9 +339,13 @@ main(int argc, const char * argv[]) { case 3: case 7: pclindex++; default: bpp = 8/pclindex; -+ overflow_add(cols, bpp); -+ if(bpp == 0) -+ pm_error("assert: no bpp"); ++ overflow_add(cols, bpp); ++ if(bpp == 0) ++ pm_error("assert: no bpp"); bpp = (cols+bpp-1)/bpp; /* bytes per row */ } } @@ -817,9 +744,10 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtopjxl.c.security-code netpbm-10.58.01 inrow = (char *)malloc((unsigned)bpp); outrow = (char *)malloc((unsigned)bpp*2); runcnt = (signed char *)malloc((unsigned)bpp); -diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58.01/converter/ppm/ppmtowinicon.c ---- netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtowinicon.c 2012-04-09 15:40:03.213619664 +0200 +diff --git a/converter/ppm/ppmtowinicon.c b/converter/ppm/ppmtowinicon.c +index c673798..af2b445 100644 +--- a/converter/ppm/ppmtowinicon.c ++++ b/converter/ppm/ppmtowinicon.c @@ -12,6 +12,7 @@ #include @@ -828,7 +756,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 #include "pm_c_util.h" #include "winico.h" -@@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c +@@ -214,6 +215,7 @@ createAndBitmap (gray ** const ba, int const cols, int const rows, MALLOCARRAY_NOFAIL(rowData, rows); icBitmap->xBytes = xBytes; icBitmap->data = rowData; @@ -836,7 +764,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 icBitmap->size = xBytes * rows; for (y=0;yxBytes = xBytes; icBitmap->data = rowData; @@ -844,7 +772,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 icBitmap->size = xBytes * rows; for (y=0;yxBytes = xBytes; icBitmap->data = rowData; @@ -852,21 +780,24 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 icBitmap->size = xBytes * rows; for (y=0;ybitcount = bpp; entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); entry->colors = palette->colors; +- entry->size_in_bytes = + overflow2(4, entry->color_count); + overflow_add(xorBitmap->size, andBitmap->size); + overflow_add(xorBitmap->size + andBitmap->size, 40); + overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); - entry->size_in_bytes = ++ entry->size_in_bytes = xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); if (verbose) -diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoxpm.c ---- netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoxpm.c 2012-04-09 15:40:03.214619651 +0200 -@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int + pm_message("entry->size_in_bytes = %d + %d + %d = %d", +diff --git a/converter/ppm/ppmtoxpm.c b/converter/ppm/ppmtoxpm.c +index 38d9997..904c98d 100644 +--- a/converter/ppm/ppmtoxpm.c ++++ b/converter/ppm/ppmtoxpm.c +@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int const digits) { unsigned int i; /* Allocate memory for printed number. Abort if error. */ @@ -882,9 +813,10 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/ MALLOCARRAY(cmap, cmapSize); if (cmapP == NULL) pm_error("Out of memory allocating %u bytes for a color map.", -diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/converter/ppm/qrttoppm.c ---- netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/qrttoppm.c 2012-04-09 15:40:03.215619638 +0200 +diff --git a/converter/ppm/qrttoppm.c b/converter/ppm/qrttoppm.c +index 935463e..653084c 100644 +--- a/converter/ppm/qrttoppm.c ++++ b/converter/ppm/qrttoppm.c @@ -46,7 +46,7 @@ main( argc, argv ) ppm_writeppminit( stdout, cols, rows, maxval, 0 ); @@ -894,26 +826,28 @@ diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/ if ( buf == (unsigned char *) 0 ) pm_error( "out of memory" ); -diff -up netpbm-10.58.01/converter/ppm/sldtoppm.c.security-code netpbm-10.58.01/converter/ppm/sldtoppm.c ---- netpbm-10.58.01/converter/ppm/sldtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/sldtoppm.c 2012-04-09 15:40:03.216619626 +0200 -@@ -455,6 +455,8 @@ slider(slvecfn slvec, +diff --git a/converter/ppm/sldtoppm.c b/converter/ppm/sldtoppm.c +index 6ba4cb4..fc6a498 100644 +--- a/converter/ppm/sldtoppm.c ++++ b/converter/ppm/sldtoppm.c +@@ -464,6 +464,8 @@ slider(slvecfn slvec, /* Allocate image buffer and clear it to black. */ -+ overflow_add(ixdots,1); -+ overflow_add(iydots,1); ++ overflow_add(ixdots, 1); ++ overflow_add(iydots, 1); pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1); PPM_ASSIGN(rgbcolor, 0, 0, 0); ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0, -diff -up netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code netpbm-10.58.01/converter/ppm/ximtoppm.c ---- netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ximtoppm.c 2012-04-09 15:40:03.216619626 +0200 +diff --git a/converter/ppm/ximtoppm.c b/converter/ppm/ximtoppm.c +index ce5e639..a39b689 100644 +--- a/converter/ppm/ximtoppm.c ++++ b/converter/ppm/ximtoppm.c @@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp, header->bits_channel = atoi(a_head.bits_per_channel); header->alpha_flag = atoi(a_head.alpha_channel); if (strlen(a_head.author)) { -+ overflow_add(strlen(a_head.author),1); ++ overflow_add(strlen(a_head.author),1); if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, 1))) { pm_message("ReadXimHeader: can't calloc author string" ); @@ -937,14 +871,15 @@ diff -up netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code netpbm-10.58.01/ if (header->nchannels == 3 && header->bits_channel == 8) header->ncolors = 0; else if (header->nchannels == 1 && header->bits_channel == 8) { -+ overflow2(header->ncolors, sizeof(Color)); ++ overflow2(header->ncolors, sizeof(Color)); header->colors = (Color *)calloc((unsigned int)header->ncolors, sizeof(Color)); if (header->colors == NULL) { -diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pamcut.c ---- netpbm-10.58.01/editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200 -@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP +diff --git a/editor/pamcut.c b/editor/pamcut.c +index 7c41af3..72df687 100644 +--- a/editor/pamcut.c ++++ b/editor/pamcut.c +@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP, outpam = inpam; /* Initial value -- most fields should be same */ outpam.file = ofP; @@ -953,9 +888,10 @@ diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pa outpam.width = rightcol - leftcol + 1; outpam.height = bottomrow - toprow + 1; -diff -up netpbm-10.58.01/editor/pbmreduce.c.security-code netpbm-10.58.01/editor/pbmreduce.c ---- netpbm-10.58.01/editor/pbmreduce.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pbmreduce.c 2012-04-09 15:40:03.219619590 +0200 +diff --git a/editor/pbmreduce.c b/editor/pbmreduce.c +index f49c8d9..580e5e0 100644 +--- a/editor/pbmreduce.c ++++ b/editor/pbmreduce.c @@ -94,6 +94,7 @@ main( argc, argv ) if (halftone == QT_FS) { unsigned int col; @@ -964,10 +900,11 @@ diff -up netpbm-10.58.01/editor/pbmreduce.c.security-code netpbm-10.58.01/editor MALLOCARRAY(thiserr, newcols + 2); MALLOCARRAY(nexterr, newcols + 2); if (thiserr == NULL || nexterr == NULL) -diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c ---- netpbm-10.58.01/editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200 -@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction +diff --git a/editor/pnmgamma.c b/editor/pnmgamma.c +index b357b0d..ec612d3 100644 +--- a/editor/pnmgamma.c ++++ b/editor/pnmgamma.c +@@ -596,6 +596,7 @@ createGammaTables(enum transferFunction const transferFunction, xelval ** const btableP) { /* Allocate space for the tables. */ @@ -975,10 +912,11 @@ diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/ MALLOCARRAY(*rtableP, maxval+1); MALLOCARRAY(*gtableP, maxval+1); MALLOCARRAY(*btableP, maxval+1); -diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c ---- netpbm-10.58.01/editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200 -@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const * +diff --git a/editor/pnmhisteq.c b/editor/pnmhisteq.c +index 8af4201..0c8d6e5 100644 +--- a/editor/pnmhisteq.c ++++ b/editor/pnmhisteq.c +@@ -107,6 +107,7 @@ computeLuminosityHistogram(xel * const * const xels, unsigned int pixelCount; unsigned int * lumahist; @@ -986,21 +924,22 @@ diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor MALLOCARRAY(lumahist, maxval + 1); if (lumahist == NULL) pm_error("Out of storage allocating array for %u histogram elements", -diff -up netpbm-10.58.01/editor/pnmindex.csh.security-code netpbm-10.58.01/editor/pnmindex.csh ---- netpbm-10.58.01/editor/pnmindex.csh.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmindex.csh 2012-04-09 15:40:03.221619564 +0200 -@@ -1,5 +1,8 @@ +diff --git a/editor/pnmindex.csh b/editor/pnmindex.csh +index c6f1e84..c513a84 100755 +--- a/editor/pnmindex.csh ++++ b/editor/pnmindex.csh +@@ -1,5 +1,7 @@ #!/bin/csh -f # +echo "Unsafe code, needs debugging, do not ship" +exit 1 -+# # pnmindex - build a visual index of a bunch of anymaps # # Copyright (C) 1991 by Jef Poskanzer. -diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c ---- netpbm-10.58.01/editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200 +diff --git a/editor/pnmpad.c b/editor/pnmpad.c +index 1904b68..0797cf1 100644 +--- a/editor/pnmpad.c ++++ b/editor/pnmpad.c @@ -527,6 +527,8 @@ main(int argc, const char ** argv) { computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); @@ -1010,19 +949,19 @@ diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pn newcols = cols + lpad + rpad; if (PNM_FORMAT_TYPE(format) == PBM_TYPE) -diff -up netpbm-10.58.01/editor/pnmremap.c.security-code netpbm-10.58.01/editor/pnmremap.c ---- netpbm-10.58.01/editor/pnmremap.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmremap.c 2012-04-09 15:40:03.222619551 +0200 -@@ -409,7 +409,7 @@ initFserr(struct pam * const pamP, - unsigned int plane; +diff --git a/editor/pnmremap.c b/editor/pnmremap.c +index b2448cb..b924120 100644 +--- a/editor/pnmremap.c ++++ b/editor/pnmremap.c +@@ -428,6 +428,7 @@ initFserr(struct pam * const pamP, unsigned int const fserrSize = pamP->width + 2; -- + + overflow_add(pamP->width, 2); fserrP->width = pamP->width; MALLOCARRAY(fserrP->thiserr, pamP->depth); -@@ -445,6 +445,7 @@ floydInitRow(struct pam * const pamP, st +@@ -465,6 +466,7 @@ floydInitRow(struct pam * const pamP, struct fserr * const fserrP) { int col; @@ -1030,68 +969,45 @@ diff -up netpbm-10.58.01/editor/pnmremap.c.security-code netpbm-10.58.01/editor/ for (col = 0; col < pamP->width + 2; ++col) { unsigned int plane; for (plane = 0; plane < pamP->depth; ++plane) -diff -up netpbm-10.58.01/editor/pnmscalefixed.c.security-code netpbm-10.58.01/editor/pnmscalefixed.c ---- netpbm-10.58.01/editor/pnmscalefixed.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmscalefixed.c 2012-04-09 15:40:03.223619538 +0200 -@@ -214,6 +214,8 @@ compute_output_dimensions(const struct c +diff --git a/editor/pnmscalefixed.c b/editor/pnmscalefixed.c +index 884ca31..747cd8f 100644 +--- a/editor/pnmscalefixed.c ++++ b/editor/pnmscalefixed.c +@@ -214,6 +214,7 @@ compute_output_dimensions(const struct cmdline_info cmdline, const int rows, const int cols, int * newrowsP, int * newcolsP) { + overflow2(rows, cols); -+ if (cmdline.pixels) { if (rows * cols <= cmdline.pixels) { *newrowsP = rows; -@@ -265,6 +267,8 @@ compute_output_dimensions(const struct c +@@ -265,6 +266,8 @@ compute_output_dimensions(const struct cmdline_info cmdline, if (*newcolsP < 1) *newcolsP = 1; if (*newrowsP < 1) *newrowsP = 1; -+ ++ + overflow2(*newcolsP, *newrowsP); } -@@ -446,6 +450,9 @@ main(int argc, char **argv ) { +@@ -446,6 +449,9 @@ main(int argc, char **argv ) { unfilled. We can address that by stretching, whereas the other case would require throwing away some of the input. */ -+ ++ + overflow2(newcols, SCALE); + overflow2(newrows, SCALE); sxscale = SCALE * newcols / cols; syscale = SCALE * newrows / rows; -diff -up netpbm-10.58.01/editor/pnmshear.c.security-code netpbm-10.58.01/editor/pnmshear.c ---- netpbm-10.58.01/editor/pnmshear.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmshear.c 2012-04-09 15:40:03.224619526 +0200 -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - #include "pm_c_util.h" - #include "ppm.h" -@@ -236,6 +237,11 @@ main(int argc, char * argv[]) { - - shearfac = fabs(tan(cmdline.angle)); - -+ if(rows * shearfac >= INT_MAX-1) -+ pm_error("image too large"); -+ -+ overflow_add(rows * shearfac, cols+1); -+ - newcols = rows * shearfac + cols + 0.999999; - - pnm_writepnminit(stdout, newcols, rows, newmaxval, newformat, 0); -diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor/ppmdither.c ---- netpbm-10.58.01/editor/ppmdither.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/ppmdither.c 2012-04-09 15:40:03.224619526 +0200 -@@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower) - unsigned int const dithMatSize = +diff --git a/editor/ppmdither.c b/editor/ppmdither.c +index ec1b977..e701e09 100644 +--- a/editor/ppmdither.c ++++ b/editor/ppmdither.c +@@ -356,6 +356,11 @@ dithMatrix(unsigned int const dithPower) { (dithDim * sizeof(*dithMat)) + /* pointers */ (dithDim * dithDim * sizeof(**dithMat)); /* data */ -- + + + overflow2(dithDim, sizeof(*dithMat)); + overflow3(dithDim, dithDim, sizeof(**dithMat)); @@ -1100,9 +1016,10 @@ diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor dithMat = malloc(dithMatSize); if (dithMat == NULL) -diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c ---- netpbm-10.58.01/editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200 +diff --git a/editor/specialty/pamoil.c b/editor/specialty/pamoil.c +index 6cb8d3a..6f4bde9 100644 +--- a/editor/specialty/pamoil.c ++++ b/editor/specialty/pamoil.c @@ -112,6 +112,7 @@ main(int argc, char *argv[] ) { tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); pm_close(ifp); @@ -1111,10 +1028,11 @@ diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01 MALLOCARRAY(hist, inpam.maxval + 1); if (hist == NULL) pm_error("Unable to allocate memory for histogram."); -diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/generator/pbmtext.c ---- netpbm-10.58.01/generator/pbmtext.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/generator/pbmtext.c 2012-04-09 15:40:03.225619514 +0200 -@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char ** +diff --git a/generator/pbmtext.c b/generator/pbmtext.c +index 9f4366d..445d718 100644 +--- a/generator/pbmtext.c ++++ b/generator/pbmtext.c +@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char ** argv, for (i = 1; i < argc; ++i) { if (i > 1) { @@ -1124,16 +1042,17 @@ diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/gener if (text == NULL) pm_error("out of memory allocating space for input text"); strcat(text, " "); - } +- } ++ } + overflow_add(totaltextsize, strlen(argv[i])); totaltextsize += strlen(argv[i]); text = realloc(text, totaltextsize); if (text == NULL) -@@ -712,6 +714,7 @@ getText(const char cmdline_text +@@ -712,6 +714,7 @@ getText(const char cmdline_text[], pm_error("A line of input text is longer than %u characters." "Cannot process.", (unsigned)sizeof(buf)-1); if (lineCount >= maxlines) { -+ overflow2(maxlines, 2); ++ overflow2(maxlines, 2); maxlines *= 2; REALLOCARRAY(text_array, maxlines); if (text_array == NULL) @@ -1141,99 +1060,107 @@ diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/gener hmargin = fontP->maxwidth; } else { vmargin = fontP->maxheight; -+ overflow2(2, fontP->maxwidth); ++ overflow2(2, fontP->maxwidth); hmargin = 2 * fontP->maxwidth; } } -diff -up netpbm-10.58.01/lib/libpam.c.security-code netpbm-10.58.01/lib/libpam.c ---- netpbm-10.58.01/lib/libpam.c.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/libpam.c 2012-04-09 15:40:03.227619490 +0200 -@@ -220,7 +220,8 @@ allocPamRow(const struct pam * const pam +diff --git a/lib/libpam.c b/lib/libpam.c +index cc6368e..4e10572 100644 +--- a/lib/libpam.c ++++ b/lib/libpam.c +@@ -224,8 +224,9 @@ allocPamRow(const struct pam * const pamP) { unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample); tuple * tuplerow; - tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple)); +- + overflow_add(sizeof(tuple *), bytesPerTuple); + tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple)); - ++ if (tuplerow != NULL) { /* Now we initialize the pointers to the individual tuples -diff -up netpbm-10.58.01/lib/libpammap.c.security-code netpbm-10.58.01/lib/libpammap.c ---- netpbm-10.58.01/lib/libpammap.c.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/libpammap.c 2012-04-09 15:40:03.228619477 +0200 -@@ -104,6 +104,8 @@ allocTupleIntListItem(struct pam * const + to make this a regulation C two dimensional array. +diff --git a/lib/libpammap.c b/lib/libpammap.c +index 55e1d3f..04b1ba3 100644 +--- a/lib/libpammap.c ++++ b/lib/libpammap.c +@@ -108,7 +108,9 @@ allocTupleIntListItem(struct pam * const pamP) { */ struct tupleint_list_item * retval; +- unsigned int const size = + overflow2(pamP->depth, sizeof(sample)); + overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); - unsigned int const size = ++ unsigned int const size = sizeof(*retval) - sizeof(retval->tupleint.tuple) + pamP->depth * sizeof(sample); -diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c ---- netpbm-10.58.01/lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/libpm.c 2012-04-09 15:40:03.229619464 +0200 -@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg) - } +diff --git a/lib/libpm.c b/lib/libpm.c +index 4374bbe..5ab7f83 100644 +--- a/lib/libpm.c ++++ b/lib/libpm.c +@@ -841,5 +841,53 @@ pm_parse_height(const char * const arg) { + return height; + } +/* + * Maths wrapping + */ -+ + +void __overflow2(int a, int b) +{ -+ if(a < 0 || b < 0) -+ pm_error("object too large"); -+ if(b == 0) -+ return; -+ if(a > INT_MAX / b) -+ pm_error("object too large"); ++ if(a < 0 || b < 0) ++ pm_error("object too large"); ++ if(b == 0) ++ return; ++ if(a > INT_MAX / b) ++ pm_error("object too large"); +} + +void overflow3(int a, int b, int c) +{ -+ overflow2(a,b); -+ overflow2(a*b, c); ++ overflow2(a,b); ++ overflow2(a*b, c); +} + +void overflow_add(int a, int b) +{ -+ if( a > INT_MAX - b) -+ pm_error("object too large"); ++ if( a > INT_MAX - b) ++ pm_error("object too large"); +} + +void *malloc2(int a, int b) +{ -+ overflow2(a, b); -+ if(a*b == 0) -+ pm_error("Zero byte allocation"); -+ return malloc(a*b); ++ overflow2(a, b); ++ if(a*b == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b); +} + +void *malloc3(int a, int b, int c) +{ -+ overflow3(a, b, c); -+ if(a*b*c == 0) -+ pm_error("Zero byte allocation"); -+ return malloc(a*b*c); ++ overflow3(a, b, c); ++ if(a*b*c == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b*c); +} + +void *realloc2(void * a, int b, int c) +{ -+ overflow2(b, c); -+ if(b*c == 0) -+ pm_error("Zero byte allocation"); -+ return realloc(a, b*c); ++ overflow2(b, c); ++ if(b*c == 0) ++ pm_error("Zero byte allocation"); ++ return realloc(a, b*c); +} -diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h ---- netpbm-10.58.01/lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/pm.h 2012-04-09 15:40:03.229619464 +0200 -@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg); +diff --git a/lib/pm.h b/lib/pm.h +index e9f1405..da54391 100644 +--- a/lib/pm.h ++++ b/lib/pm.h +@@ -435,5 +435,12 @@ pm_parse_height(const char * const arg); + } #endif - +void *malloc2(int, int); +void *malloc3(int, int, int); +#define overflow2(a,b) __overflow2(a,b) @@ -1241,11 +1168,13 @@ diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h +void overflow3(int, int, int); +void overflow_add(int, int); + + #endif -diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c ---- netpbm-10.58.01/other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200 -+++ netpbm-10.58.01/other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200 -@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP +diff --git a/other/pnmcolormap.c b/other/pnmcolormap.c +index 57db432..7195295 100644 +--- a/other/pnmcolormap.c ++++ b/other/pnmcolormap.c +@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP, pamP->width = intsqrt; else pamP->width = intsqrt + 1; @@ -1253,175 +1182,47 @@ diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other } { unsigned int const intQuotient = colormap.size / pamP->width; -diff -up netpbm-10.58.01/urt/README.security-code netpbm-10.58.01/urt/README ---- netpbm-10.58.01/urt/README.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/README 2012-04-09 15:40:03.231619438 +0200 -@@ -18,3 +18,8 @@ in its initializer in the original. But - defines stdout as a variable, so that wouldn't compile. So I changed - it to NULL and added a line to rle_hdr_init to set that field to - 'stdout' dynamically. 2000.06.02 BJH. +diff --git a/urt/Runput.c b/urt/Runput.c +index 3bc562a..645a376 100644 +--- a/urt/Runput.c ++++ b/urt/Runput.c +@@ -202,10 +202,11 @@ RunSetup(rle_hdr * the_hdr) + if ( the_hdr->background != 0 ) + { + register int i; +- register rle_pixel *background = +- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); +- register int *bg_color; +- /* ++ register rle_pixel *background; ++ register int *bg_color; + -+Redid the code to check for maths overflows and other crawly horrors. -+Removed pipe through and compress support (unsafe) -+ -+Alan Cox -diff -up netpbm-10.58.01/urt/rle_addhist.c.security-code netpbm-10.58.01/urt/rle_addhist.c ---- netpbm-10.58.01/urt/rle_addhist.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_addhist.c 2012-04-09 15:40:03.231619438 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * rle_addhist.c - Add to the HISTORY comment in header -@@ -71,13 +73,19 @@ rle_addhist(char * argv[], - return; - - length = 0; -- for (i = 0; argv[i]; ++i) -+ for (i = 0; argv[i]; ++i) { -+ overflow_add(length, strlen(argv[i])); -+ overflow_add(length+1, strlen(argv[i])); - length += strlen(argv[i]) +1; /* length of each arg plus space. */ -+ } - - time(&temp); - timedate = ctime(&temp); - length += strlen(timedate); /* length of date and time in ASCII. */ - -+ overflow_add(strlen(padding), 4); -+ overflow_add(strlen(histoire), strlen(padding) + 4); -+ overflow_add(length, strlen(histoire) + strlen(padding) + 4); - length += strlen(padding) + 3 + strlen(histoire) + 1; - /* length of padding, "on " and length of history name plus "="*/ - if (in_hdr) /* if we are interested in the old comments... */ -@@ -85,9 +93,12 @@ rle_addhist(char * argv[], - else - old = NULL; - -- if (old && *old) -+ if (old && *old) { -+ overflow_add(length, strlen(old)); - length += strlen(old); /* add length if there. */ -+ } - -+ overflow_add(length, 1); - ++length; /*Cater for the null. */ - - MALLOCARRAY(newc, length); -diff -up netpbm-10.58.01/urt/rle_getrow.c.security-code netpbm-10.58.01/urt/rle_getrow.c ---- netpbm-10.58.01/urt/rle_getrow.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_getrow.c 2012-04-09 15:40:03.232619426 +0200 -@@ -17,6 +17,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * rle_getrow.c - Read an RLE file in. -@@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) { - register char * cp; - - VAXSHORT( comlen, infile ); /* get comment length */ -+ overflow_add(comlen, 1); - evenlen = (comlen + 1) & ~1; /* make it even */ - if ( evenlen ) - { -diff -up netpbm-10.58.01/urt/rle_hdr.c.security-code netpbm-10.58.01/urt/rle_hdr.c ---- netpbm-10.58.01/urt/rle_hdr.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_hdr.c 2012-04-09 15:40:03.233619414 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * rle_hdr.c - Functions to manipulate rle_hdr structures. -@@ -80,7 +82,10 @@ int img_num; - /* Fill in with copies of the strings. */ - if ( the_hdr->cmd != pgmname ) - { -- char *tmp = (char *)malloc( strlen( pgmname ) + 1 ); -+ char *tmp ; -+ -+ overflow_add(strlen(pgmname), 1); -+ tmp = malloc( strlen( pgmname ) + 1 ); - RLE_CHECK_ALLOC( pgmname, tmp, 0 ); - strcpy( tmp, pgmname ); - the_hdr->cmd = tmp; -@@ -88,7 +93,9 @@ int img_num; - - if ( the_hdr->file_name != fname ) - { -- char *tmp = (char *)malloc( strlen( fname ) + 1 ); -+ char *tmp; -+ overflow_add(strlen(fname), 1); -+ tmp = malloc( strlen( fname ) + 1 ); - RLE_CHECK_ALLOC( pgmname, tmp, 0 ); - strcpy( tmp, fname ); - the_hdr->file_name = tmp; -@@ -153,6 +160,7 @@ rle_hdr *from_hdr, *to_hdr; - if ( to_hdr->bg_color ) - { - int size = to_hdr->ncolors * sizeof(int); -+ overflow2(to_hdr->ncolors, sizeof(int)); - to_hdr->bg_color = (int *)malloc( size ); - RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); - memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); -@@ -161,7 +169,7 @@ rle_hdr *from_hdr, *to_hdr; - if ( to_hdr->cmap ) - { - int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); -- to_hdr->cmap = (rle_map *)malloc( size ); -+ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<cmaplen, sizeof(rle_map)); - RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); - memcpy( to_hdr->cmap, from_hdr->cmap, size ); - } -@@ -174,11 +182,16 @@ rle_hdr *from_hdr, *to_hdr; - int size = 0; - CONST_DECL char **cp; - for ( cp=to_hdr->comments; *cp; cp++ ) -+ { -+ overflow_add(size, 1); - size++; /* Count the comments. */ -+ } - /* Check if there are really any comments. */ - if ( size ) ++ overflow_add(the_hdr->ncolors,1); ++ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); /* + * If even number of bg color bytes, put out one more to get to + * 16 bit boundary. + */ +@@ -224,7 +225,7 @@ RunSetup(rle_hdr * the_hdr) + /* Big-endian machines are harder */ + register int i, nmap = (1 << the_hdr->cmaplen) * + the_hdr->ncmap; +- register char *h_cmap = (char *)malloc( nmap * 2 ); ++ register char *h_cmap = (char *)malloc2( nmap, 2 ); + if ( h_cmap == NULL ) { -+ overflow_add(size, 1); - size++; /* Copy the NULL pointer, too. */ -+ overflow2(size, sizeof(char *)); - size *= sizeof(char *); - to_hdr->comments = (CONST_DECL char **)malloc( size ); - RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); -diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h ---- netpbm-10.58.01/urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle.h 2012-04-09 15:40:03.233619414 +0200 -@@ -14,6 +14,9 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox -+ * Header declarations needed - */ - /* - * rle.h - Global declarations for Utah Raster Toolkit RLE programs. -@@ -160,6 +163,17 @@ rle_hdr /* End of typedef. * + fprintf( stderr, +diff --git a/urt/rle.h b/urt/rle.h +index 8d72cb9..ac65b94 100644 +--- a/urt/rle.h ++++ b/urt/rle.h +@@ -161,6 +161,17 @@ rle_hdr /* End of typedef. */ */ extern rle_hdr rle_dflt_hdr; -+/* ++/* + * Provided by pm library + */ -+ ++ +extern void overflow_add(int, int); +#define overflow2(a,b) __overflow2(a,b) +extern void __overflow2(int, int); @@ -1432,10 +1233,125 @@ diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h /* Declare RLE library routines. */ -diff -up netpbm-10.58.01/urt/rle_open_f.c.security-code netpbm-10.58.01/urt/rle_open_f.c ---- netpbm-10.58.01/urt/rle_open_f.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_open_f.c 2012-04-09 15:40:03.234619402 +0200 -@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const f +diff --git a/urt/rle_addhist.c b/urt/rle_addhist.c +index b165175..e09ed94 100644 +--- a/urt/rle_addhist.c ++++ b/urt/rle_addhist.c +@@ -70,13 +70,18 @@ rle_addhist(char * argv[], + return; + + length = 0; +- for (i = 0; argv[i]; ++i) ++ for (i = 0; argv[i]; ++i) { ++ overflow_add(length, strlen(argv[i])); ++ overflow_add(length+1, strlen(argv[i])); + length += strlen(argv[i]) +1; /* length of each arg plus space. */ ++ } + + time(&temp); + timedate = ctime(&temp); + length += strlen(timedate); /* length of date and time in ASCII. */ +- ++ overflow_add(strlen(padding), 4); ++ overflow_add(strlen(histoire), strlen(padding) + 4); ++ overflow_add(length, strlen(histoire) + strlen(padding) + 4); + length += strlen(padding) + 3 + strlen(histoire) + 1; + /* length of padding, "on " and length of history name plus "="*/ + if (in_hdr) /* if we are interested in the old comments... */ +@@ -84,8 +89,10 @@ rle_addhist(char * argv[], + else + old = NULL; + +- if (old && *old) ++ if (old && *old) { ++ overflow_add(length, strlen(old)); + length += strlen(old); /* add length if there. */ ++ } + + ++length; /*Cater for the null. */ + +diff --git a/urt/rle_getrow.c b/urt/rle_getrow.c +index bd7d1c8..bd05698 100644 +--- a/urt/rle_getrow.c ++++ b/urt/rle_getrow.c +@@ -168,6 +168,7 @@ rle_get_setup(rle_hdr * const the_hdr) { + char * cp; + + VAXSHORT(comlen, infile); /* get comment length */ ++ overflow_add(comlen, 1); + evenlen = (comlen + 1) & ~1; /* make it even */ + if (evenlen) { + MALLOCARRAY(comment_buf, evenlen); +diff --git a/urt/rle_hdr.c b/urt/rle_hdr.c +index 1611324..7c9c010 100644 +--- a/urt/rle_hdr.c ++++ b/urt/rle_hdr.c +@@ -80,7 +80,10 @@ int img_num; + /* Fill in with copies of the strings. */ + if ( the_hdr->cmd != pgmname ) + { +- char *tmp = (char *)malloc( strlen( pgmname ) + 1 ); ++ char *tmp; ++ ++ overflow_add(strlen(pgmname), 1); ++ tmp = malloc( strlen(pgmname) + 1 ); + RLE_CHECK_ALLOC( pgmname, tmp, 0 ); + strcpy( tmp, pgmname ); + the_hdr->cmd = tmp; +@@ -88,8 +91,10 @@ int img_num; + + if ( the_hdr->file_name != fname ) + { +- char *tmp = (char *)malloc( strlen( fname ) + 1 ); +- RLE_CHECK_ALLOC( pgmname, tmp, 0 ); ++ char *tmp; ++ overflow_add(strlen(fname), 1); ++ tmp = malloc( strlen( fname ) + 1 ); ++ RLE_CHECK_ALLOC( pgmname, tmp, 0 ); + strcpy( tmp, fname ); + the_hdr->file_name = tmp; + } +@@ -153,6 +158,7 @@ rle_hdr *from_hdr, *to_hdr; + if ( to_hdr->bg_color ) + { + int size = to_hdr->ncolors * sizeof(int); ++ overflow2(to_hdr->ncolors, sizeof(int)); + to_hdr->bg_color = (int *)malloc( size ); + RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); + memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); +@@ -161,7 +167,7 @@ rle_hdr *from_hdr, *to_hdr; + if ( to_hdr->cmap ) + { + int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); +- to_hdr->cmap = (rle_map *)malloc( size ); ++ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<cmaplen, sizeof(rle_map)); + RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); + memcpy( to_hdr->cmap, from_hdr->cmap, size ); + } +@@ -173,12 +179,17 @@ rle_hdr *from_hdr, *to_hdr; + { + int size = 0; + CONST_DECL char **cp; +- for ( cp=to_hdr->comments; *cp; cp++ ) ++ for ( cp=to_hdr->comments; *cp; cp++ ) ++ { ++ overflow_add(size, 1); + size++; /* Count the comments. */ ++ } + /* Check if there are really any comments. */ + if ( size ) + { ++ overflow_add(size, 1); + size++; /* Copy the NULL pointer, too. */ ++ overflow2(size, sizeof(char *)); + size *= sizeof(char *); + to_hdr->comments = (CONST_DECL char **)malloc( size ); + RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); +diff --git a/urt/rle_open_f.c b/urt/rle_open_f.c +index ae8548b..c2ef37d 100644 +--- a/urt/rle_open_f.c ++++ b/urt/rle_open_f.c +@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const file_name, FILE ** const fpP, bool * const noSubprocessP, const char ** const errorP) { @@ -1501,146 +1417,40 @@ diff -up netpbm-10.58.01/urt/rle_open_f.c.security-code netpbm-10.58.01/urt/rle_ } -diff -up netpbm-10.58.01/urt/rle_putcom.c.security-code netpbm-10.58.01/urt/rle_putcom.c ---- netpbm-10.58.01/urt/rle_putcom.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_putcom.c 2012-04-09 15:40:03.234619402 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * rle_putcom.c - Add a picture comment to the header struct. -@@ -98,12 +100,14 @@ rle_putcom(const char * const value, +diff --git a/urt/rle_putcom.c b/urt/rle_putcom.c +index ab2eb20..f6a6ff7 100644 +--- a/urt/rle_putcom.c ++++ b/urt/rle_putcom.c +@@ -98,12 +98,14 @@ rle_putcom(const char * const value, const char * v; const char ** old_comments; int i; - for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) + for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) { -+ overflow_add(i, 1); ++ overflow_add(i, 1); if (match(value, *cp) != NULL) { v = *cp; *cp = value; return v; } -+ } ++ } /* Not found */ /* Can't realloc because somebody else might be pointing to this * comments block. Of course, if this were true, then the -diff -up netpbm-10.58.01/urt/Runput.c.security-code netpbm-10.58.01/urt/Runput.c ---- netpbm-10.58.01/urt/Runput.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/Runput.c 2012-04-09 15:40:03.235619390 +0200 -@@ -17,6 +17,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * Runput.c - General purpose Run Length Encoding. -@@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr) - if ( the_hdr->background != 0 ) - { - register int i; -- register rle_pixel *background = -- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); -+ register rle_pixel *background; - register int *bg_color; -+ -+ overflow_add(the_hdr->ncolors,1); -+ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); - /* - * If even number of bg color bytes, put out one more to get to - * 16 bit boundary. -@@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr) - /* Big-endian machines are harder */ - register int i, nmap = (1 << the_hdr->cmaplen) * - the_hdr->ncmap; -- register char *h_cmap = (char *)malloc( nmap * 2 ); -+ register char *h_cmap = (char *)malloc2( nmap, 2 ); - if ( h_cmap == NULL ) - { - fprintf( stderr, -diff -up netpbm-10.58.01/urt/scanargs.c.security-code netpbm-10.58.01/urt/scanargs.c ---- netpbm-10.58.01/urt/scanargs.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/scanargs.c 2012-04-09 15:40:03.235619390 +0200 -@@ -38,6 +38,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - - #include -@@ -63,8 +65,8 @@ typedef int *ptr; +diff --git a/urt/scanargs.c b/urt/scanargs.c +index f3af334..5e114bb 100644 +--- a/urt/scanargs.c ++++ b/urt/scanargs.c +@@ -62,9 +62,8 @@ typedef int *ptr; /* * Storage allocation macros */ -#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) -#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) +- +#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) +#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) - static CONST_DECL char * prformat( CONST_DECL char *, int ); static int isnum( CONST_DECL char *, int, int ); ---- netpbm-10.58.01/lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400 -+++ netpbm-10.58.01/lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400 -@@ -78,6 +78,7 @@ - } else { - pm_filepos const bytesPerRow = (cols+7)/8; - pm_filepos const needRasterSize = rows * bytesPerRow; -+ overflow2(bytesPerRow, rows); - pm_check(fileP, checkType, needRasterSize, retvalP); - } - } ---- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400 -+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400 -@@ -185,6 +185,7 @@ - unsigned int i; - int * table; - -+ overflow_add(oldmaxval, 1); - MALLOCARRAY_NOFAIL(table, oldmaxval + 1); - for (i = 0; i <= oldmaxval; ++i) - table[i] = ROUNDDIV(i * newmaxval, oldmaxval); ---- netpbm-10.58.01/converter/other/sgitopnm.c.orig 2014-07-08 16:57:30.878754976 -0400 -+++ netpbm-10.58.01/converter/other/sgitopnm.c 2014-07-08 17:07:52.727745725 -0400 -@@ -372,10 +372,14 @@ - MALLOCARRAY_NOFAIL(image, head->ysize); - } else { - maxchannel = 3; -+ overflow2(head->ysize, maxchannel); - MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); - } -- if (table) -+ if (table) { -+ overflow2(head->xsize, 2); -+ overflow_add(head->xsize*2, 2); - MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); -+ } - - for (channel = 0; channel < maxchannel; ++channel) { - unsigned int row; ---- netpbm-10.58.01/converter/other/pnmtosgi.c.orig 2014-07-08 16:57:30.878754976 -0400 -+++ netpbm-10.58.01/converter/other/pnmtosgi.c 2014-07-08 17:11:55.164018919 -0400 -@@ -176,6 +176,8 @@ - break; - case STORAGE_RLE: { - unsigned int const tabrow = chanNum * rows + row; -+ overflow2(chanNum, rows); -+ overflow_add(chanNum* rows, row); - unsigned int const len = rleCompress(tempArg, cols); - /* writes result into rletemp */ - unsigned int i; -@@ -212,6 +214,7 @@ - ScanElem * temp; - - if (storage != STORAGE_VERBATIM) { -+ overflow2(channels, rows); - MALLOCARRAY_NOFAIL(table, channels * rows); - MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); - } else + static int _do_scanargs( int argc, char **argv, CONST_DECL char *format, + diff --git a/extra/netpbm/netpbm-security-scripts.patch b/extra/netpbm/netpbm-security-scripts.patch index db056db99..0dfe84f43 100644 --- a/extra/netpbm/netpbm-security-scripts.patch +++ b/extra/netpbm/netpbm-security-scripts.patch @@ -1,7 +1,8 @@ -diff -up netpbm-10.47.05/converter/other/anytopnm.security-scripts netpbm-10.47.05/converter/other/anytopnm ---- netpbm-10.47.05/converter/other/anytopnm.security-scripts 2009-12-10 08:34:36.000000000 +0100 -+++ netpbm-10.47.05/converter/other/anytopnm 2010-03-16 21:28:09.000000000 +0100 -@@ -510,10 +510,7 @@ else +diff --git a/converter/other/anytopnm b/converter/other/anytopnm +index acf8813..335312a 100755 +--- a/converter/other/anytopnm ++++ b/converter/other/anytopnm +@@ -511,10 +511,7 @@ else inputFile="-" fi @@ -13,10 +14,13 @@ diff -up netpbm-10.47.05/converter/other/anytopnm.security-scripts netpbm-10.47. # Take out all spaces # Find the filename extension for last-ditch efforts later -@@ -539,9 +536,17 @@ if [ "$filetype" = "unknown" ]; then - echo "$progname: unknown file type. " \ - "'file' says mime type is '$mimeType', " 1>&2 - echo "type description is '$typeDescription'" 1>&2 +@@ -537,12 +534,17 @@ typeDescription=`file "$file" | cut -d: -f2- | cut -c2-` + determineType "$file" "$mimeType" "$typeDescription" "$fileExtension" + + if [ "$filetype" = "unknown" ]; then +- echo "$progname: unknown file type. " \ +- "'file' says mime type is '$mimeType', " 1>&2 +- echo "type description is '$typeDescription'" 1>&2 + if [ -d "$tempdir" ] ; then + rm -rf "$tempdir" + fi @@ -31,10 +35,11 @@ diff -up netpbm-10.47.05/converter/other/anytopnm.security-scripts netpbm-10.47. +fi + exit 0 -diff -up netpbm-10.47.05/editor/pamstretch-gen.security-scripts netpbm-10.47.05/editor/pamstretch-gen ---- netpbm-10.47.05/editor/pamstretch-gen.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/pamstretch-gen 2010-03-16 21:28:47.000000000 +0100 -@@ -31,13 +31,9 @@ if [ "$1" = "" ]; then +diff --git a/editor/pamstretch-gen b/editor/pamstretch-gen +index ba0e818..250fca0 100755 +--- a/editor/pamstretch-gen ++++ b/editor/pamstretch-gen +@@ -31,9 +31,7 @@ if [ "$1" = "" ]; then exit 1 fi @@ -44,15 +49,12 @@ diff -up netpbm-10.47.05/editor/pamstretch-gen.security-scripts netpbm-10.47.05/ +tempfile=$(mktemp /tmp/pnmig.XXXXXXXXXX) || exit 1 trap 'rm -rf $tempdir' 0 1 3 15 --tempfile=$tempdir/pnmig -- - if ! cat $2 >$tempfile 2>/dev/null; then - echo 'pamstretch-gen: error reading file' 1>&2 - exit 1 -diff -up netpbm-10.47.05/editor/pnmmargin.security-scripts netpbm-10.47.05/editor/pnmmargin ---- netpbm-10.47.05/editor/pnmmargin.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/pnmmargin 2010-03-16 21:28:09.000000000 +0100 -@@ -11,15 +11,11 @@ + tempfile=$tempdir/pnmig +diff --git a/editor/pnmmargin b/editor/pnmmargin +index 0f57d1d..e0d3625 100755 +--- a/editor/pnmmargin ++++ b/editor/pnmmargin +@@ -11,11 +11,7 @@ # documentation. This software is provided "as is" without express or # implied warranty. @@ -61,38 +63,37 @@ diff -up netpbm-10.47.05/editor/pnmmargin.security-scripts netpbm-10.47.05/edito - { echo "Could not create temporary file. Exiting." 1>&2; exit 1;} -trap 'rm -rf $tempdir' 0 1 3 15 - --tmp1=$tempdir/pnmm1 --tmp2=$tempdir/pnmm2 --tmp3=$tempdir/pnmm3 --tmp4=$tempdir/pnmm4 -+tmpdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 -+tmp1="$tmpdir/tmp1" -+tmp2="$tmpdir/tmp2" -+tmp3="$tmpdir/tmp3" -+tmp4="$tmpdir/tmp4" - - color="-gofigure" - plainopt="" ++tempdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 + tmp1=$tempdir/pnmm1 + tmp2=$tempdir/pnmm2 + tmp3=$tempdir/pnmm3 @@ -90,6 +86,7 @@ else -white | -black ) pnmpad $plainopt $color \ -left=$size -right=$size -top=$size -bottom=$size $tmp1 -+ rm -rf "$tmpdir" ++ rm -rf "$tempdir" exit ;; * ) -diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ppmfade ---- netpbm-10.47.05/editor/ppmfade.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/ppmfade 2010-03-16 21:28:09.000000000 +0100 -@@ -14,6 +14,7 @@ +@@ -103,4 +100,4 @@ else + pnmcat -tb $plainopt $tmp3 $tmp4 $tmp3 + fi + +- ++rm -rf "$tempdir" +diff --git a/editor/ppmfade b/editor/ppmfade +index 027fc79..8eb094f 100755 +--- a/editor/ppmfade ++++ b/editor/ppmfade +@@ -40,6 +40,7 @@ exec perl -w -x -S -- "$0" "$@" # - #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + ############################################################################## use strict; +use File::Temp "tempdir"; my $SPREAD = 1; my $SHIFT = 2; -@@ -111,20 +112,26 @@ if ($first_file ne "undefined") { +@@ -137,20 +138,26 @@ if ($first_file ne "undefined") { print("Frames are " . $width . "W x " . $height . "H\n"); @@ -123,7 +124,7 @@ diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ } # -@@ -132,14 +139,14 @@ if ($last_file eq "undefined") { +@@ -158,14 +165,14 @@ if ($last_file eq "undefined") { # # Here's what our temporary files are: @@ -146,7 +147,7 @@ diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ my $i; # Frame number for ($i = 1; $i <= $nframes; $i++) { -@@ -147,147 +154,147 @@ for ($i = 1; $i <= $nframes; $i++) { +@@ -173,147 +180,147 @@ for ($i = 1; $i <= $nframes; $i++) { if ($mode eq $SPREAD) { if ($i <= 10) { my $n = $spline20[$i] * 100; @@ -347,10 +348,11 @@ diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ +system("rm $tmpdir/junk*$$.ppm"); exit(0); -diff -up netpbm-10.47.05/editor/ppmshadow.security-scripts netpbm-10.47.05/editor/ppmshadow ---- netpbm-10.47.05/editor/ppmshadow.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/ppmshadow 2010-03-16 21:28:09.000000000 +0100 -@@ -72,9 +72,10 @@ sub makeConvolutionKernel($$) { +diff --git a/editor/ppmshadow b/editor/ppmshadow +index 62cdf8b..72e1b22 100755 +--- a/editor/ppmshadow ++++ b/editor/ppmshadow +@@ -97,9 +97,10 @@ sub makeConvolutionKernel($$) { my $tmpdir = $ENV{TMPDIR} || "/tmp"; @@ -364,10 +366,4 @@ diff -up netpbm-10.47.05/editor/ppmshadow.security-scripts netpbm-10.47.05/edito # Process command line options ---- snetpbm-10.47.05/editor/pnmmargin.orig 2014-06-16 21:30:27.480812666 -0400 -+++ netpbm-10.47.05/editor/pnmmargin 2014-06-16 21:30:41.500789921 -0400 -@@ -101,3 +101,4 @@ - fi - - -+rm -rf "$tmpdir" +