summaryrefslogtreecommitdiff
path: root/libre/netpbm/netpbm-security-code.patch
diff options
context:
space:
mode:
Diffstat (limited to 'libre/netpbm/netpbm-security-code.patch')
-rw-r--r--libre/netpbm/netpbm-security-code.patch1160
1 files changed, 494 insertions, 666 deletions
diff --git a/libre/netpbm/netpbm-security-code.patch b/libre/netpbm/netpbm-security-code.patch
index 2127dc592..18f7bd71a 100644
--- a/libre/netpbm/netpbm-security-code.patch
+++ b/libre/netpbm/netpbm-security-code.patch
@@ -1,16 +1,17 @@
-diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/analyzer/pgmtexture.c
---- netpbm-10.58.01/analyzer/pgmtexture.c.security-code 2012-04-09 15:31:32.000000000 +0200
-+++ netpbm-10.58.01/analyzer/pgmtexture.c 2012-04-09 15:40:03.183620040 +0200
-@@ -97,7 +97,7 @@ vector(unsigned int const nl,
- float * v;
+diff --git a/analyzer/pgmtexture.c b/analyzer/pgmtexture.c
+index 0731733..635c58b 100644
+--- a/analyzer/pgmtexture.c
++++ b/analyzer/pgmtexture.c
+@@ -98,6 +98,8 @@ vector(unsigned int const nl,
assert(nh >= nl);
--
+
+ overflow_add(nh - nl, 1);
++
MALLOCARRAY(v, (unsigned) (nh - nl + 1));
if (v == NULL)
-@@ -129,6 +129,7 @@ matrix (unsigned int const nrl,
+@@ -129,6 +131,7 @@ matrix (unsigned int const nrl,
assert(nrh >= nrl);
/* allocate pointers to rows */
@@ -18,18 +19,18 @@ diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/ana
MALLOCARRAY(m, (unsigned) (nrh - nrl + 1));
if (m == NULL)
pm_error("Unable to allocate memory for a matrix.");
-@@ -136,7 +137,7 @@ matrix (unsigned int const nrl,
- m -= ncl;
+@@ -137,6 +140,7 @@ matrix (unsigned int const nrl,
assert (nch >= ncl);
--
+
+ overflow_add(nch - ncl, 1);
/* allocate rows and set pointers to them */
for (i = nrl; i <= nrh; ++i) {
MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1));
-diff -up netpbm-10.58.01/converter/other/gemtopnm.c.security-code netpbm-10.58.01/converter/other/gemtopnm.c
---- netpbm-10.58.01/converter/other/gemtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/gemtopnm.c 2012-04-09 15:40:03.183620040 +0200
+diff --git a/converter/other/gemtopnm.c b/converter/other/gemtopnm.c
+index aac7479..5f1a51a 100644
+--- a/converter/other/gemtopnm.c
++++ b/converter/other/gemtopnm.c
@@ -106,6 +106,7 @@ main(argc, argv)
pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 );
@@ -38,10 +39,11 @@ diff -up netpbm-10.58.01/converter/other/gemtopnm.c.security-code netpbm-10.58.0
{
/* allocate input row data structure */
int plane;
-diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c
---- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
-+++ netpbm-10.58.01/converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200
-@@ -861,6 +861,8 @@ convertImage(FILE *
+diff --git a/converter/other/jpegtopnm.c b/converter/other/jpegtopnm.c
+index ab3b18e..c324b86 100644
+--- a/converter/other/jpegtopnm.c
++++ b/converter/other/jpegtopnm.c
+@@ -861,6 +861,8 @@ convertImage(FILE * const ofP,
/* Calculate output image dimensions so we can allocate space */
jpeg_calc_output_dimensions(cinfoP);
@@ -50,9 +52,10 @@ diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.
/* Start decompressor */
jpeg_start_decompress(cinfoP);
-diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.01/converter/other/pbmtopgm.c
---- netpbm-10.58.01/converter/other/pbmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/pbmtopgm.c 2012-04-09 15:40:03.184620028 +0200
+diff --git a/converter/other/pbmtopgm.c b/converter/other/pbmtopgm.c
+index 69b20fb..382a487 100644
+--- a/converter/other/pbmtopgm.c
++++ b/converter/other/pbmtopgm.c
@@ -47,6 +47,7 @@ main(int argc, char *argv[]) {
"than the image height (%u rows)", height, rows);
@@ -61,9 +64,10 @@ diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.0
maxval = MIN(PGM_OVERALLMAXVAL, width*height);
pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
-diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c
---- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200
+diff --git a/converter/other/pnmtoddif.c b/converter/other/pnmtoddif.c
+index ae8c852..9ee037b 100644
+--- a/converter/other/pnmtoddif.c
++++ b/converter/other/pnmtoddif.c
@@ -632,6 +632,7 @@ main(int argc, char *argv[]) {
switch (PNM_FORMAT_TYPE(format)) {
case PBM_TYPE:
@@ -80,10 +84,11 @@ diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.
ip.bytes_per_line = 3 * cols;
ip.bits_per_pixel = 24;
ip.spectral = 5;
-diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58.01/converter/other/pnmtojpeg.c
---- netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code 2012-04-09 15:31:39.000000000 +0200
-+++ netpbm-10.58.01/converter/other/pnmtojpeg.c 2012-04-09 15:40:03.186620002 +0200
-@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const ci
+diff --git a/converter/other/pnmtojpeg.c b/converter/other/pnmtojpeg.c
+index ce231c9..1279040 100644
+--- a/converter/other/pnmtojpeg.c
++++ b/converter/other/pnmtojpeg.c
+@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const cinfo,
want JPOOL_PERMANENT.
*/
const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info);
@@ -96,7 +101,7 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58.
(jpeg_scan_info *)
(*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
scan_info_size);
-@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const
+@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const rescale_p, const pixval maxval,
const long half_maxval = maxval / 2;
long val;
@@ -105,7 +110,7 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58.
*rescale_p = (JSAMPLE *)
(cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE,
(size_t) (((long) maxval + 1L) *
-@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_s
+@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_struct * const cinfo_p,
*/
/* Allocate the libpnm output and compressor input buffers */
@@ -113,10 +118,11 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58.
buffer = (*cinfo_p->mem->alloc_sarray)
((j_common_ptr) cinfo_p, JPOOL_IMAGE,
(unsigned int) cinfo_p->image_width * cinfo_p->input_components,
-diff -up netpbm-10.58.01/converter/other/pnmtops.c.security-code netpbm-10.58.01/converter/other/pnmtops.c
---- netpbm-10.58.01/converter/other/pnmtops.c.security-code 2012-04-09 15:31:40.000000000 +0200
-+++ netpbm-10.58.01/converter/other/pnmtops.c 2012-04-09 15:40:03.187619989 +0200
-@@ -256,17 +256,21 @@ parseCommandLine(int argc, const char **
+diff --git a/converter/other/pnmtops.c b/converter/other/pnmtops.c
+index 6cd6be9..8a7d25a 100644
+--- a/converter/other/pnmtops.c
++++ b/converter/other/pnmtops.c
+@@ -292,17 +292,21 @@ parseCommandLine(int argc, const char ** argv,
validateCompDimension(width, 72, "-width value");
validateCompDimension(height, 72, "-height value");
@@ -139,21 +145,10 @@ diff -up netpbm-10.58.01/converter/other/pnmtops.c.security-code netpbm-10.58.01
cmdlineP->imageheight = imageheight * 72;
}
else
-diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c
---- netpbm-10.58.01/converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200
-@@ -19,6 +19,8 @@
- * If you modify this software, you should include a notice giving the
- * name of the person performing the modification, the date of modification,
- * and the reason for such modification.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
- */
- /*
- * pnmtorle - A program which will convert pbmplus (ppm or pgm) images
-diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c
---- netpbm-10.58.01/converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200
+diff --git a/converter/other/rletopnm.c b/converter/other/rletopnm.c
+index 9995914..058278c 100644
+--- a/converter/other/rletopnm.c
++++ b/converter/other/rletopnm.c
@@ -19,6 +19,8 @@
* If you modify this software, you should include a notice giving the
* name of the person performing the modification, the date of modification,
@@ -163,9 +158,10 @@ diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.0
*/
/*
* rletopnm - A conversion program to convert from Utah's "rle" image format
-diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.01/converter/other/sirtopnm.c
---- netpbm-10.58.01/converter/other/sirtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/sirtopnm.c 2012-04-09 15:40:03.190619951 +0200
+diff --git a/converter/other/sirtopnm.c b/converter/other/sirtopnm.c
+index fafcc91..9fe49d0 100644
+--- a/converter/other/sirtopnm.c
++++ b/converter/other/sirtopnm.c
@@ -69,6 +69,7 @@ char* argv[];
}
break;
@@ -174,10 +170,11 @@ diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.0
picsize = cols * rows * 3;
planesize = cols * rows;
if ( !( sirarray = (unsigned char*) malloc( picsize ) ) )
-diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58.01/converter/other/tifftopnm.c
---- netpbm-10.58.01/converter/other/tifftopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/other/tifftopnm.c 2012-04-09 15:40:03.191619939 +0200
-@@ -1279,7 +1279,9 @@ convertRasterByRows(pnmOut * const
+diff --git a/converter/other/tifftopnm.c b/converter/other/tifftopnm.c
+index 0d6494f..19e9e38 100644
+--- a/converter/other/tifftopnm.c
++++ b/converter/other/tifftopnm.c
+@@ -1309,7 +1309,9 @@ convertRasterByRows(pnmOut * const pnmOutP,
if (scanbuf == NULL)
pm_error("can't allocate memory for scanline buffer");
@@ -188,10 +185,11 @@ diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58.
if (samplebuf == NULL)
pm_error("can't allocate memory for row buffer");
-diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.01/converter/other/xwdtopnm.c
---- netpbm-10.58.01/converter/other/xwdtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200
-+++ netpbm-10.58.01/converter/other/xwdtopnm.c 2012-04-09 15:40:03.192619927 +0200
-@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons
+diff --git a/converter/other/xwdtopnm.c b/converter/other/xwdtopnm.c
+index 45d66b4..c914481 100644
+--- a/converter/other/xwdtopnm.c
++++ b/converter/other/xwdtopnm.c
+@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * const h10P,
*colorsP = pnm_allocrow(2);
PNM_ASSIGN1((*colorsP)[0], 0);
PNM_ASSIGN1((*colorsP)[1], *maxvalP);
@@ -202,7 +200,7 @@ diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.0
*padrightP =
(((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8;
*bits_per_itemP = 16;
-@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons
+@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * const h11P,
*colsP = h11FixedP->pixmap_width;
*rowsP = h11FixedP->pixmap_height;
@@ -210,9 +208,10 @@ diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.0
*padrightP =
h11FixedP->bytes_per_line * 8 -
h11FixedP->pixmap_width * h11FixedP->bits_per_pixel;
-diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/converter/pbm/mdatopbm.c
---- netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/mdatopbm.c 2012-04-09 15:40:03.192619927 +0200
+diff --git a/converter/pbm/mdatopbm.c b/converter/pbm/mdatopbm.c
+index d8e0657..12c7468 100644
+--- a/converter/pbm/mdatopbm.c
++++ b/converter/pbm/mdatopbm.c
@@ -245,10 +245,13 @@ main(int argc, char **argv) {
pm_readlittleshort(infile, &yy); nInCols = yy;
}
@@ -228,9 +227,10 @@ diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/
data = pbm_allocarray(nOutCols, nOutRows);
-diff -up netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code netpbm-10.58.01/converter/pbm/mgrtopbm.c
---- netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/mgrtopbm.c 2012-04-09 15:40:03.193619915 +0200
+diff --git a/converter/pbm/mgrtopbm.c b/converter/pbm/mgrtopbm.c
+index 9f7004a..60e8477 100644
+--- a/converter/pbm/mgrtopbm.c
++++ b/converter/pbm/mgrtopbm.c
@@ -65,6 +65,8 @@ readMgrHeader(FILE * const ifP,
if (head.h_high < ' ' || head.l_high < ' ')
pm_error("Invalid width field in MGR header");
@@ -240,9 +240,10 @@ diff -up netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code netpbm-10.58.01/
*colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' ');
*rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' ');
*padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;
-diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c
---- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200
+diff --git a/converter/pbm/pbmtogem.c b/converter/pbm/pbmtogem.c
+index 9eab041..13b0257 100644
+--- a/converter/pbm/pbmtogem.c
++++ b/converter/pbm/pbmtogem.c
@@ -79,6 +79,7 @@ putinit (int const rows, int const cols)
bitsperitem = 0;
bitshift = 7;
@@ -251,9 +252,10 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/
outmax = (cols + 7) / 8;
outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
-diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c
---- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200
+diff --git a/converter/pbm/pbmtogo.c b/converter/pbm/pbmtogo.c
+index 23b2ee9..d2ee91f 100644
+--- a/converter/pbm/pbmtogo.c
++++ b/converter/pbm/pbmtogo.c
@@ -158,6 +158,7 @@ main(int argc,
bitrow = pbm_allocrow(cols);
@@ -262,9 +264,10 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/c
rucols = ( cols + 7 ) / 8;
bytesperrow = rucols; /* GraphOn uses bytes */
rucols = rucols * 8;
-diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c
---- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200
+diff --git a/converter/pbm/pbmtolj.c b/converter/pbm/pbmtolj.c
+index 0cceb4f..fdab6df 100644
+--- a/converter/pbm/pbmtolj.c
++++ b/converter/pbm/pbmtolj.c
@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
static void
allocateBuffers(unsigned int const cols) {
@@ -277,29 +280,10 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/c
packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
-diff -up netpbm-10.58.01/converter/pbm/pbmtomacp.c.security-code netpbm-10.58.01/converter/pbm/pbmtomacp.c
---- netpbm-10.58.01/converter/pbm/pbmtomacp.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtomacp.c 2012-04-09 15:40:03.195619889 +0200
-@@ -101,6 +101,7 @@ char *argv[];
- if( !lflg )
- left = 0;
-
-+ overflow_add(left, MAX_COLS - 1);
- if( rflg )
- { if( right - left >= MAX_COLS )
- right = left + MAX_COLS - 1;
-@@ -111,6 +112,8 @@ char *argv[];
- if( !tflg )
- top = 0;
-
-+ overflow_add(top, MAX_LINES - 1);
-+
- if( bflg )
- { if( bottom - top >= MAX_LINES )
- bottom = top + MAX_LINES - 1;
-diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c
---- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200
+diff --git a/converter/pbm/pbmtomda.c b/converter/pbm/pbmtomda.c
+index 3ad5149..9efe5cf 100644
+--- a/converter/pbm/pbmtomda.c
++++ b/converter/pbm/pbmtomda.c
@@ -179,6 +179,7 @@ int main(int argc, char **argv)
nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
@@ -308,10 +292,11 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/
nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
/* MDA wants rows a multiple of 4 */
nOutCols = nInCols / 8;
-diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c
---- netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c 2012-04-09 15:40:03.195619889 +0200
-@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned
+diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c
+index 2f8a42b..1c8d236 100644
+--- a/converter/pbm/pbmtoppa/pbm.c
++++ b/converter/pbm/pbmtoppa/pbm.c
+@@ -106,6 +106,7 @@ int pbm_readline(pbm_stat* pbm,unsigned char* data)
return 0;
case P4:
@@ -319,20 +304,19 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code netpbm-10.58
tmp=(pbm->width+7)/8;
tmp2=fread(data,1,tmp,pbm->fptr);
if(tmp2 == tmp)
-@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void
+@@ -130,6 +131,7 @@ void pbm_unreadline (pbm_stat *pbm, void *data)
return;
pbm->unread = 1;
-- pbm->revdata = malloc ((pbm->width+7)/8);
+ overflow_add(pbm->width, 7);
-+ pbm->revdata = malloc((pbm->width+7)/8);
+ pbm->revdata = malloc ((pbm->width+7)/8);
memcpy (pbm->revdata, data, (pbm->width+7)/8);
pbm->current_line--;
- }
-diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c
---- netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c 2012-04-09 15:40:03.196619876 +0200
-@@ -441,6 +441,7 @@ main(int argc, char *argv[]) {
+diff --git a/converter/pbm/pbmtoppa/pbmtoppa.c b/converter/pbm/pbmtoppa/pbmtoppa.c
+index f43c08a..98e0284 100644
+--- a/converter/pbm/pbmtoppa/pbmtoppa.c
++++ b/converter/pbm/pbmtoppa/pbmtoppa.c
+@@ -452,6 +452,7 @@ main(int argc, char *argv[]) {
pm_error("main(): unrecognized parameter '%s'", argv[argn]);
}
@@ -340,10 +324,11 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm-
Pwidth=(Width+7)/8;
printer.fptr=out;
-diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c
---- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200
-@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP,
+diff --git a/converter/pbm/pbmtoxbm.c b/converter/pbm/pbmtoxbm.c
+index 14c6b85..362b70e 100644
+--- a/converter/pbm/pbmtoxbm.c
++++ b/converter/pbm/pbmtoxbm.c
+@@ -351,6 +351,8 @@ convertRaster(FILE * const ifP,
unsigned char * bitrow;
unsigned int row;
@@ -352,54 +337,46 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/
putinit(xbmVersion);
-diff -up netpbm-10.58.01/converter/pbm/pbmtoybm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoybm.c
---- netpbm-10.58.01/converter/pbm/pbmtoybm.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtoybm.c 2012-04-09 15:40:03.197619863 +0200
-@@ -113,6 +113,7 @@ main(int argc, const char *argv[]) {
- bitrow = pbm_allocrow(cols);
-
- /* Compute padding to round cols up to the nearest multiple of 16. */
-+ overflow_add(cols, 16);
- padright = ((cols + 15) / 16) * 16 - cols;
-
- putinit(cols, rows);
-diff -up netpbm-10.58.01/converter/pbm/pbmtozinc.c.security-code netpbm-10.58.01/converter/pbm/pbmtozinc.c
---- netpbm-10.58.01/converter/pbm/pbmtozinc.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmtozinc.c 2012-04-09 15:40:03.197619863 +0200
-@@ -65,6 +65,7 @@ main(int argc, char * argv[]) {
- bitrow = pbm_allocrow( cols );
-
- /* Compute padding to round cols up to the nearest multiple of 16. */
-+ overflow_add(cols, 16);
- padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
-
- printf( "USHORT %s[] = {\n",name);
-diff -up netpbm-10.58.01/converter/pbm/pbmto10x.c.security-code netpbm-10.58.01/converter/pbm/pbmto10x.c
---- netpbm-10.58.01/converter/pbm/pbmto10x.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/pbmto10x.c 2012-04-09 15:40:03.197619863 +0200
-@@ -162,7 +162,7 @@ main(int argc, char * argv[]) {
- res_60x72();
-
- pm_close(ifp);
-- exit(0);
-+ return 0;
- }
-
-
-diff -up netpbm-10.58.01/converter/pbm/ybmtopbm.c.security-code netpbm-10.58.01/converter/pbm/ybmtopbm.c
---- netpbm-10.58.01/converter/pbm/ybmtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/converter/pbm/ybmtopbm.c 2012-04-09 15:40:03.199619839 +0200
-@@ -49,6 +49,7 @@ getinit(FILE * const ifP,
+diff --git a/converter/pbm/thinkjettopbm.l b/converter/pbm/thinkjettopbm.l
+index 5de4f2b..7f31de5 100644
+--- a/converter/pbm/thinkjettopbm.l
++++ b/converter/pbm/thinkjettopbm.l
+@@ -114,7 +114,9 @@ DIG [0-9]
+ <RASTERMODE>\033\*b{DIG}+W {
+ int l;
+ if (rowCount >= rowCapacity) {
+- rowCapacity += 100;
++ overflow_add(rowCapacity, 100);
++ rowCapacity += 100;
++ overflow2(rowCapacity, sizeof *rows);
+ rows = realloc (rows, rowCapacity * sizeof *rows);
+ if (rows == NULL)
+ pm_error ("Out of memory.");
+@@ -226,6 +228,8 @@ yywrap (void)
+ /*
+ * Quite simple since ThinkJet bit arrangement matches PBM
+ */
++
++ overflow2(maxRowLength, 8);
+ pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
+
+ packed_bitrow = malloc(maxRowLength);
+diff --git a/converter/pbm/ybmtopbm.c b/converter/pbm/ybmtopbm.c
+index 2a42908..cf1ff03 100644
+--- a/converter/pbm/ybmtopbm.c
++++ b/converter/pbm/ybmtopbm.c
+@@ -43,6 +43,7 @@ getinit(FILE * const ifP,
pm_error("EOF / read error");
*depthP = 1;
+ overflow_add(*colsP, 15);
- *padrightP = ((*colsP + 15) / 16) * 16 - *colsP;
}
-diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.01/converter/pgm/lispmtopgm.c
---- netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/pgm/lispmtopgm.c 2012-04-09 15:40:03.199619839 +0200
+
+diff --git a/converter/pgm/lispmtopgm.c b/converter/pgm/lispmtopgm.c
+index 40dd3fb..b5469f7 100644
+--- a/converter/pgm/lispmtopgm.c
++++ b/converter/pgm/lispmtopgm.c
@@ -58,6 +58,7 @@ main( argc, argv )
pm_error( "depth (%d bits) is too large", depth);
@@ -408,20 +385,19 @@ diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.0
grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
for ( row = 0; row < rows; ++row )
-@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad
+@@ -102,6 +103,8 @@ getinit( file, colsP, rowsP, depthP, padrightP )
if ( *depthP == 0 )
*depthP = 1; /* very old file */
--
+
+ overflow_add((int)colsP, 31);
-+
+
*padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
- if ( *colsP != (cols_32 - *padrightP) ) {
-diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01/converter/pgm/psidtopgm.c
---- netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/pgm/psidtopgm.c 2012-04-09 15:40:03.200619827 +0200
+diff --git a/converter/pgm/psidtopgm.c b/converter/pgm/psidtopgm.c
+index 07417d1..25bb311 100644
+--- a/converter/pgm/psidtopgm.c
++++ b/converter/pgm/psidtopgm.c
@@ -78,6 +78,7 @@ main(int argc,
pm_error("bits/sample (%d) is too large.", bitspersample);
@@ -430,10 +406,24 @@ diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01
grayrow = pgm_allocrow((cols + 7) / 8 * 8);
for (row = 0; row < rows; ++row) {
unsigned int col;
-diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01/converter/ppm/ilbmtoppm.c
---- netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ilbmtoppm.c 2012-04-09 15:40:03.201619815 +0200
-@@ -592,6 +592,7 @@ decode_row(FILE * const ifP,
+diff --git a/converter/ppm/Makefile b/converter/ppm/Makefile
+index 09f05cd..f68170f 100644
+--- a/converter/ppm/Makefile
++++ b/converter/ppm/Makefile
+@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm
+
+ PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
+ leaftoppm mtvtoppm neotoppm \
+- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
++ pcxtoppm pc1toppm pi1toppm pjtoppm \
+ ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
+ ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
+ ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
+diff --git a/converter/ppm/ilbmtoppm.c b/converter/ppm/ilbmtoppm.c
+index 662be0b..2a86efc 100644
+--- a/converter/ppm/ilbmtoppm.c
++++ b/converter/ppm/ilbmtoppm.c
+@@ -606,6 +606,7 @@ decode_row(FILE * const ifP,
rawtype *chp;
cols = bmhdP->w;
@@ -441,7 +431,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01
bytes = RowBytes(cols);
for( plane = 0; plane < nPlanes; plane++ ) {
int mask;
-@@ -679,6 +680,23 @@ decode_mask(FILE * const ifP,
+@@ -693,6 +694,23 @@ decode_mask(FILE * const ifP,
Multipalette handling
****************************************************************************/
@@ -465,7 +455,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01
static void
multi_adjust(cmap, row, palchange)
-@@ -1341,6 +1359,9 @@ dcol_to_ppm(FILE * const ifP,
+@@ -1355,6 +1373,9 @@ dcol_to_ppm(FILE * const ifP,
if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval )
pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval));
@@ -475,7 +465,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01
MALLOCARRAY_NOFAIL(redtable, redmaxval +1);
MALLOCARRAY_NOFAIL(greentable, greenmaxval +1);
MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1);
-@@ -1763,7 +1784,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data
+@@ -1784,7 +1805,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, datasize)
ChangeCount32 = *data++;
datasize -= 2;
@@ -485,7 +475,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01
for( i = 0; i < changes; i++ ) {
if( totalchanges >= PCHG->TotalChanges ) goto fail;
if( datasize < 2 ) goto fail;
-@@ -2028,6 +2051,9 @@ read_pchg(FILE * const ifp,
+@@ -2049,6 +2072,9 @@ read_pchg(FILE * const ifP,
cmap->mp_change[i] = NULL;
if( PCHG.StartLine < 0 ) {
int nch;
@@ -495,17 +485,18 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01
nch = PCHG.MaxReg - PCHG.MinReg +1;
MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1);
for( i = 0; i < nch; i++ )
-@@ -2104,6 +2130,7 @@ process_body( FILE * const ifp,
- if( typeid == ID_ILBM ) {
+@@ -2125,6 +2151,7 @@ process_body( FILE * const ifP,
+ if (typeid == ID_ILBM) {
int isdeep;
+ overflow_add(bmhdP->w, 15);
MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w));
*viewportmodesP |= fakeviewport; /* -isham/-isehb */
-diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/converter/ppm/imgtoppm.c
---- netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/imgtoppm.c 2012-04-09 15:40:03.202619802 +0200
+diff --git a/converter/ppm/imgtoppm.c b/converter/ppm/imgtoppm.c
+index 7078b88..eb8509e 100644
+--- a/converter/ppm/imgtoppm.c
++++ b/converter/ppm/imgtoppm.c
@@ -84,6 +84,7 @@ main(int argc, char ** argv) {
len = atoi((char*) buf );
if ( fread( buf, len, 1, ifp ) != 1 )
@@ -522,22 +513,11 @@ diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/
if ( len != cols * rows )
pm_message(
"pixel data length (%d) does not match image size (%d)",
-diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile
---- netpbm-10.58.01/converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200
-@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
-
- PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
- leaftoppm mtvtoppm neotoppm \
-- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
-+ pcxtoppm pc1toppm pi1toppm pjtoppm \
- ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \
- ppmtobmp ppmtoeyuv ppmtoicr ppmtoilbm \
- ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
-diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/converter/ppm/pcxtoppm.c
---- netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/pcxtoppm.c 2012-04-09 15:40:03.203619789 +0200
-@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes,
+diff --git a/converter/ppm/pcxtoppm.c b/converter/ppm/pcxtoppm.c
+index e252ba2..270ae3b 100644
+--- a/converter/ppm/pcxtoppm.c
++++ b/converter/ppm/pcxtoppm.c
+@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes, bytesperline, planes, bitsperpixel)
/*
* clear the pixel buffer
*/
@@ -553,19 +533,20 @@ diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/
rawcols = BytesPerLine * 8 / BitsPerPixel;
if (headerCols > rawcols) {
pm_message("warning - BytesPerLine = %d, "
-diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c
---- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200
-@@ -1,3 +1,5 @@
+diff --git a/converter/ppm/picttoppm.c b/converter/ppm/picttoppm.c
+index 828d527..8cdb7b3 100644
+--- a/converter/ppm/picttoppm.c
++++ b/converter/ppm/picttoppm.c
+@@ -1,3 +1,4 @@
+#error "Unfixable. Don't ship me"
-+
/*
* picttoppm.c -- convert a MacIntosh PICT file to PPM format.
*
-diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/converter/ppm/pjtoppm.c
---- netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/pjtoppm.c 2012-04-09 15:40:03.206619751 +0200
-@@ -127,19 +127,21 @@ main(argc, argv)
+diff --git a/converter/ppm/pjtoppm.c b/converter/ppm/pjtoppm.c
+index 7b694fb..62ce77e 100644
+--- a/converter/ppm/pjtoppm.c
++++ b/converter/ppm/pjtoppm.c
+@@ -127,20 +127,22 @@ main(argc, argv)
case 'V': /* send plane */
case 'W': /* send last plane */
if (rows == -1 || r >= rows || image == NULL) {
@@ -574,6 +555,7 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c
+ overflow_add(rows, 100);
rows += 100;
+ }
++
if (image == NULL) {
- MALLOCARRAY(image, rows * planes);
- MALLOCARRAY(imlen, rows * planes);
@@ -582,18 +564,21 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c
+ imlen = (int *) malloc3(rows , planes, sizeof(int));
}
else {
-+ overflow2(rows,planes);
- image = (unsigned char **)
+- image = (unsigned char **)
- realloc(image,
- rows * planes *
-+ realloc2(image, rows * planes,
- sizeof(unsigned char *));
+- sizeof(unsigned char *));
- imlen = (int *)
- realloc(imlen, rows * planes * sizeof(int));
-+ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int));
- }
+- }
++ overflow2(rows,planes);
++ image = (unsigned char **)
++ realloc2(image, rows * planes,
++ sizeof(unsigned char *));
++ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); }
}
if (image == NULL || imlen == NULL)
+ pm_error("out of memory");
@@ -212,8 +214,10 @@ main(argc, argv)
for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2)
for (cmd = image[p + r * planes][c],
@@ -614,10 +599,11 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c
cols *= 8;
}
-diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c
---- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200
-@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
+diff --git a/converter/ppm/ppmtoeyuv.c b/converter/ppm/ppmtoeyuv.c
+index f5ce115..6f072be 100644
+--- a/converter/ppm/ppmtoeyuv.c
++++ b/converter/ppm/ppmtoeyuv.c
+@@ -114,6 +114,7 @@ create_multiplication_tables(const pixval maxval) {
int index;
@@ -625,66 +611,22 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01
MALLOCARRAY_NOFAIL(mult299 , maxval+1);
MALLOCARRAY_NOFAIL(mult587 , maxval+1);
MALLOCARRAY_NOFAIL(mult114 , maxval+1);
-diff -up netpbm-10.58.01/converter/ppm/ppmtoicr.c.security-code netpbm-10.58.01/converter/ppm/ppmtoicr.c
---- netpbm-10.58.01/converter/ppm/ppmtoicr.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtoicr.c 2012-04-09 15:40:03.207619739 +0200
-@@ -169,7 +169,7 @@ char* argv[];
-
- if (rleflag) {
- pm_message("sending run-length encoded picture data ..." );
-- testimage = (char*) malloc(rows*cols);
-+ testimage = (char*) malloc2(rows, cols);
- p = testimage;
- for (i=0; i<rows; i++)
- for (j=0; j<cols; j++)
-diff -up netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoilbm.c
---- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2012-04-09 15:40:03.208619727 +0200
-@@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval)
-
- maskmethod = 0; /* no masking - RGB8 uses genlock bits */
- compmethod = 4; /* RGB8 files are always compressed */
-+ overflow2(cols, 4);
- MALLOCARRAY_NOFAIL(compr_row, cols * 4);
-
- if( maxval != 255 ) {
-@@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval)
-
- maskmethod = 0; /* no masking - RGBN uses genlock bits */
- compmethod = 4; /* RGBN files are always compressed */
-+ overflow2(cols, 2);
- MALLOCARRAY_NOFAIL(compr_row, cols * 2);
-
- if( maxval != 15 ) {
-@@ -2293,8 +2296,11 @@ main(int argc, char ** argv) {
- MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols));
- for (i = 0; i < RowBytes(cols); ++i)
- coded_rowbuf[i] = 0;
-- if (DO_COMPRESS)
-+ if (DO_COMPRESS) {
-+ overflow2(cols,2);
-+ overflow_add(cols*2,2);
- MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols)));
-+ }
- }
-
- switch (mode) {
-diff -up netpbm-10.58.01/converter/ppm/ppmtolj.c.security-code netpbm-10.58.01/converter/ppm/ppmtolj.c
---- netpbm-10.58.01/converter/ppm/ppmtolj.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtolj.c 2012-04-09 15:40:03.210619701 +0200
-@@ -181,7 +181,8 @@ int main(int argc, char *argv[]) {
-
+diff --git a/converter/ppm/ppmtolj.c b/converter/ppm/ppmtolj.c
+index 7ed814e..b4e7db1 100644
+--- a/converter/ppm/ppmtolj.c
++++ b/converter/ppm/ppmtolj.c
+@@ -182,6 +182,7 @@ int main(int argc, char *argv[]) {
ppm_readppminit( ifp, &cols, &rows, &maxval, &format );
pixelrow = ppm_allocrow( cols );
--
-+
+
+ overflow2(cols, 6);
obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
if (mode == C_TRANS_MODE_DELTA)
-diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.01/converter/ppm/ppmtomitsu.c
---- netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtomitsu.c 2012-04-09 15:40:03.210619702 +0200
+diff --git a/converter/ppm/ppmtomitsu.c b/converter/ppm/ppmtomitsu.c
+index e59f09b..1d2be20 100644
+--- a/converter/ppm/ppmtomitsu.c
++++ b/converter/ppm/ppmtomitsu.c
@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
medias = MSize_User;
@@ -694,10 +636,11 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.0
medias.maxcols *= 2;
medias.maxrows *= 2;
}
-diff -up netpbm-10.58.01/converter/ppm/ppmtopcx.c.security-code netpbm-10.58.01/converter/ppm/ppmtopcx.c
---- netpbm-10.58.01/converter/ppm/ppmtopcx.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtopcx.c 2012-04-09 15:40:03.210619702 +0200
-@@ -419,6 +419,8 @@ ppmTo16ColorPcx(pixel ** cons
+diff --git a/converter/ppm/ppmtopcx.c b/converter/ppm/ppmtopcx.c
+index fa68edc..97dfb2b 100644
+--- a/converter/ppm/ppmtopcx.c
++++ b/converter/ppm/ppmtopcx.c
+@@ -425,6 +425,8 @@ ppmTo16ColorPcx(pixel ** const pixels,
else Planes = 1;
}
}
@@ -706,32 +649,35 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtopcx.c.security-code netpbm-10.58.01/
BytesPerLine = ((cols * BitsPerPixel) + 7) / 8;
MALLOCARRAY_NOFAIL(indexRow, cols);
MALLOCARRAY_NOFAIL(planesrow, BytesPerLine);
-diff -up netpbm-10.58.01/converter/ppm/ppmtopict.c.security-code netpbm-10.58.01/converter/ppm/ppmtopict.c
---- netpbm-10.58.01/converter/ppm/ppmtopict.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtopict.c 2012-04-09 15:40:03.211619690 +0200
-@@ -441,6 +441,8 @@ main(int argc, const char ** argv) {
+diff --git a/converter/ppm/ppmtopict.c b/converter/ppm/ppmtopict.c
+index 034e705..4541387 100644
+--- a/converter/ppm/ppmtopict.c
++++ b/converter/ppm/ppmtopict.c
+@@ -450,6 +450,8 @@ main(int argc, const char ** argv) {
putShort(stdout, 0); /* mode */
/* Finally, write out the data. */
+ overflow_add(cols/MAX_COUNT, 1);
+ overflow_add(cols, cols/MAX_COUNT+1);
outBuf = malloc((unsigned)(cols+cols/MAX_COUNT+1));
- for (row = 0, oc = 0; row < rows; row++)
+ for (row = 0, oc = 0; row < rows; ++row) {
unsigned int rowSize;
-diff -up netpbm-10.58.01/converter/ppm/ppmtopj.c.security-code netpbm-10.58.01/converter/ppm/ppmtopj.c
---- netpbm-10.58.01/converter/ppm/ppmtopj.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtopj.c 2012-04-09 15:40:03.212619677 +0200
+diff --git a/converter/ppm/ppmtopj.c b/converter/ppm/ppmtopj.c
+index d116773..fc84cac 100644
+--- a/converter/ppm/ppmtopj.c
++++ b/converter/ppm/ppmtopj.c
@@ -179,6 +179,7 @@ char *argv[];
pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
pm_close( ifp );
-+ overflow2(cols,2);
++ overflow2(cols,2);
obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
-diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58.01/converter/ppm/ppmtowinicon.c
---- netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtowinicon.c 2012-04-09 15:40:03.213619664 +0200
+diff --git a/converter/ppm/ppmtowinicon.c b/converter/ppm/ppmtowinicon.c
+index c673798..af2b445 100644
+--- a/converter/ppm/ppmtowinicon.c
++++ b/converter/ppm/ppmtowinicon.c
@@ -12,6 +12,7 @@
#include <math.h>
@@ -740,7 +686,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58
#include "pm_c_util.h"
#include "winico.h"
-@@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c
+@@ -214,6 +215,7 @@ createAndBitmap (gray ** const ba, int const cols, int const rows,
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
@@ -748,7 +694,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
u1 * row;
-@@ -347,6 +349,7 @@ create4Bitmap (pixel ** const pa, int co
+@@ -342,6 +344,7 @@ create4Bitmap (pixel ** const pa, int const cols, int const rows,
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
@@ -756,7 +702,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
-@@ -407,6 +410,7 @@ create8Bitmap (pixel ** const pa, int co
+@@ -402,6 +405,7 @@ create8Bitmap (pixel ** const pa, int const cols, int const rows,
MALLOCARRAY_NOFAIL(rowData, rows);
icBitmap->xBytes = xBytes;
icBitmap->data = rowData;
@@ -764,21 +710,24 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58
icBitmap->size = xBytes * rows;
for (y=0;y<rows;y++) {
-@@ -714,6 +718,10 @@ addEntryToIcon(MS_Ico const MSIcon
+@@ -709,7 +713,11 @@ addEntryToIcon(MS_Ico const MSIconData,
entry->bitcount = bpp;
entry->ih = createInfoHeader(entry, xorBitmap, andBitmap);
entry->colors = palette->colors;
+- entry->size_in_bytes =
+ overflow2(4, entry->color_count);
+ overflow_add(xorBitmap->size, andBitmap->size);
+ overflow_add(xorBitmap->size + andBitmap->size, 40);
+ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count);
- entry->size_in_bytes =
++ entry->size_in_bytes =
xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count);
if (verbose)
-diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoxpm.c
---- netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ppmtoxpm.c 2012-04-09 15:40:03.214619651 +0200
-@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int
+ pm_message("entry->size_in_bytes = %d + %d + %d = %d",
+diff --git a/converter/ppm/ppmtoxpm.c b/converter/ppm/ppmtoxpm.c
+index 38d9997..904c98d 100644
+--- a/converter/ppm/ppmtoxpm.c
++++ b/converter/ppm/ppmtoxpm.c
+@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int const digits) {
unsigned int i;
/* Allocate memory for printed number. Abort if error. */
@@ -794,9 +743,10 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/
MALLOCARRAY(cmap, cmapSize);
if (cmapP == NULL)
pm_error("Out of memory allocating %u bytes for a color map.",
-diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/converter/ppm/qrttoppm.c
---- netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code 2012-04-09 15:31:42.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/qrttoppm.c 2012-04-09 15:40:03.215619638 +0200
+diff --git a/converter/ppm/qrttoppm.c b/converter/ppm/qrttoppm.c
+index 935463e..653084c 100644
+--- a/converter/ppm/qrttoppm.c
++++ b/converter/ppm/qrttoppm.c
@@ -46,7 +46,7 @@ main( argc, argv )
ppm_writeppminit( stdout, cols, rows, maxval, 0 );
@@ -806,26 +756,28 @@ diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/
if ( buf == (unsigned char *) 0 )
pm_error( "out of memory" );
-diff -up netpbm-10.58.01/converter/ppm/sldtoppm.c.security-code netpbm-10.58.01/converter/ppm/sldtoppm.c
---- netpbm-10.58.01/converter/ppm/sldtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/sldtoppm.c 2012-04-09 15:40:03.216619626 +0200
-@@ -455,6 +455,8 @@ slider(slvecfn slvec,
+diff --git a/converter/ppm/sldtoppm.c b/converter/ppm/sldtoppm.c
+index 6ba4cb4..fc6a498 100644
+--- a/converter/ppm/sldtoppm.c
++++ b/converter/ppm/sldtoppm.c
+@@ -464,6 +464,8 @@ slider(slvecfn slvec,
/* Allocate image buffer and clear it to black. */
-+ overflow_add(ixdots,1);
-+ overflow_add(iydots,1);
++ overflow_add(ixdots, 1);
++ overflow_add(iydots, 1);
pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1);
PPM_ASSIGN(rgbcolor, 0, 0, 0);
ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0,
-diff -up netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code netpbm-10.58.01/converter/ppm/ximtoppm.c
---- netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200
-+++ netpbm-10.58.01/converter/ppm/ximtoppm.c 2012-04-09 15:40:03.216619626 +0200
+diff --git a/converter/ppm/ximtoppm.c b/converter/ppm/ximtoppm.c
+index ce5e639..a39b689 100644
+--- a/converter/ppm/ximtoppm.c
++++ b/converter/ppm/ximtoppm.c
@@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp,
header->bits_channel = atoi(a_head.bits_per_channel);
header->alpha_flag = atoi(a_head.alpha_channel);
if (strlen(a_head.author)) {
-+ overflow_add(strlen(a_head.author),1);
++ overflow_add(strlen(a_head.author),1);
if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1,
1))) {
pm_message("ReadXimHeader: can't calloc author string" );
@@ -849,14 +801,15 @@ diff -up netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code netpbm-10.58.01/
if (header->nchannels == 3 && header->bits_channel == 8)
header->ncolors = 0;
else if (header->nchannels == 1 && header->bits_channel == 8) {
-+ overflow2(header->ncolors, sizeof(Color));
++ overflow2(header->ncolors, sizeof(Color));
header->colors = (Color *)calloc((unsigned int)header->ncolors,
sizeof(Color));
if (header->colors == NULL) {
-diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pamcut.c
---- netpbm-10.58.01/editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200
-@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP
+diff --git a/editor/pamcut.c b/editor/pamcut.c
+index 7c41af3..72df687 100644
+--- a/editor/pamcut.c
++++ b/editor/pamcut.c
+@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP,
outpam = inpam; /* Initial value -- most fields should be same */
outpam.file = ofP;
@@ -865,9 +818,10 @@ diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pa
outpam.width = rightcol - leftcol + 1;
outpam.height = bottomrow - toprow + 1;
-diff -up netpbm-10.58.01/editor/pbmreduce.c.security-code netpbm-10.58.01/editor/pbmreduce.c
---- netpbm-10.58.01/editor/pbmreduce.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/pbmreduce.c 2012-04-09 15:40:03.219619590 +0200
+diff --git a/editor/pbmreduce.c b/editor/pbmreduce.c
+index f49c8d9..580e5e0 100644
+--- a/editor/pbmreduce.c
++++ b/editor/pbmreduce.c
@@ -94,6 +94,7 @@ main( argc, argv )
if (halftone == QT_FS) {
unsigned int col;
@@ -876,10 +830,11 @@ diff -up netpbm-10.58.01/editor/pbmreduce.c.security-code netpbm-10.58.01/editor
MALLOCARRAY(thiserr, newcols + 2);
MALLOCARRAY(nexterr, newcols + 2);
if (thiserr == NULL || nexterr == NULL)
-diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c
---- netpbm-10.58.01/editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200
-@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction
+diff --git a/editor/pnmgamma.c b/editor/pnmgamma.c
+index b357b0d..ec612d3 100644
+--- a/editor/pnmgamma.c
++++ b/editor/pnmgamma.c
+@@ -596,6 +596,7 @@ createGammaTables(enum transferFunction const transferFunction,
xelval ** const btableP) {
/* Allocate space for the tables. */
@@ -887,10 +842,11 @@ diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/
MALLOCARRAY(*rtableP, maxval+1);
MALLOCARRAY(*gtableP, maxval+1);
MALLOCARRAY(*btableP, maxval+1);
-diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c
---- netpbm-10.58.01/editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200
-@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const *
+diff --git a/editor/pnmhisteq.c b/editor/pnmhisteq.c
+index 8af4201..0c8d6e5 100644
+--- a/editor/pnmhisteq.c
++++ b/editor/pnmhisteq.c
+@@ -107,6 +107,7 @@ computeLuminosityHistogram(xel * const * const xels,
unsigned int pixelCount;
unsigned int * lumahist;
@@ -898,21 +854,22 @@ diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor
MALLOCARRAY(lumahist, maxval + 1);
if (lumahist == NULL)
pm_error("Out of storage allocating array for %u histogram elements",
-diff -up netpbm-10.58.01/editor/pnmindex.csh.security-code netpbm-10.58.01/editor/pnmindex.csh
---- netpbm-10.58.01/editor/pnmindex.csh.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmindex.csh 2012-04-09 15:40:03.221619564 +0200
-@@ -1,5 +1,8 @@
+diff --git a/editor/pnmindex.csh b/editor/pnmindex.csh
+index c6f1e84..c513a84 100755
+--- a/editor/pnmindex.csh
++++ b/editor/pnmindex.csh
+@@ -1,5 +1,7 @@
#!/bin/csh -f
#
+echo "Unsafe code, needs debugging, do not ship"
+exit 1
-+#
# pnmindex - build a visual index of a bunch of anymaps
#
# Copyright (C) 1991 by Jef Poskanzer.
-diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c
---- netpbm-10.58.01/editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200
+diff --git a/editor/pnmpad.c b/editor/pnmpad.c
+index 1904b68..0797cf1 100644
+--- a/editor/pnmpad.c
++++ b/editor/pnmpad.c
@@ -527,6 +527,8 @@ main(int argc, const char ** argv) {
computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
@@ -922,19 +879,19 @@ diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pn
newcols = cols + lpad + rpad;
if (PNM_FORMAT_TYPE(format) == PBM_TYPE)
-diff -up netpbm-10.58.01/editor/pnmremap.c.security-code netpbm-10.58.01/editor/pnmremap.c
---- netpbm-10.58.01/editor/pnmremap.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmremap.c 2012-04-09 15:40:03.222619551 +0200
-@@ -409,7 +409,7 @@ initFserr(struct pam * const pamP,
- unsigned int plane;
+diff --git a/editor/pnmremap.c b/editor/pnmremap.c
+index b2448cb..b924120 100644
+--- a/editor/pnmremap.c
++++ b/editor/pnmremap.c
+@@ -428,6 +428,7 @@ initFserr(struct pam * const pamP,
unsigned int const fserrSize = pamP->width + 2;
--
+
+ overflow_add(pamP->width, 2);
fserrP->width = pamP->width;
MALLOCARRAY(fserrP->thiserr, pamP->depth);
-@@ -445,6 +445,7 @@ floydInitRow(struct pam * const pamP, st
+@@ -465,6 +466,7 @@ floydInitRow(struct pam * const pamP, struct fserr * const fserrP) {
int col;
@@ -942,68 +899,45 @@ diff -up netpbm-10.58.01/editor/pnmremap.c.security-code netpbm-10.58.01/editor/
for (col = 0; col < pamP->width + 2; ++col) {
unsigned int plane;
for (plane = 0; plane < pamP->depth; ++plane)
-diff -up netpbm-10.58.01/editor/pnmscalefixed.c.security-code netpbm-10.58.01/editor/pnmscalefixed.c
---- netpbm-10.58.01/editor/pnmscalefixed.c.security-code 2012-04-09 15:31:34.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmscalefixed.c 2012-04-09 15:40:03.223619538 +0200
-@@ -214,6 +214,8 @@ compute_output_dimensions(const struct c
+diff --git a/editor/pnmscalefixed.c b/editor/pnmscalefixed.c
+index 884ca31..747cd8f 100644
+--- a/editor/pnmscalefixed.c
++++ b/editor/pnmscalefixed.c
+@@ -214,6 +214,7 @@ compute_output_dimensions(const struct cmdline_info cmdline,
const int rows, const int cols,
int * newrowsP, int * newcolsP) {
+ overflow2(rows, cols);
-+
if (cmdline.pixels) {
if (rows * cols <= cmdline.pixels) {
*newrowsP = rows;
-@@ -265,6 +267,8 @@ compute_output_dimensions(const struct c
+@@ -265,6 +266,8 @@ compute_output_dimensions(const struct cmdline_info cmdline,
if (*newcolsP < 1) *newcolsP = 1;
if (*newrowsP < 1) *newrowsP = 1;
-+
++
+ overflow2(*newcolsP, *newrowsP);
}
-@@ -446,6 +450,9 @@ main(int argc, char **argv ) {
+@@ -446,6 +449,9 @@ main(int argc, char **argv ) {
unfilled. We can address that by stretching, whereas the other
case would require throwing away some of the input.
*/
-+
++
+ overflow2(newcols, SCALE);
+ overflow2(newrows, SCALE);
sxscale = SCALE * newcols / cols;
syscale = SCALE * newrows / rows;
-diff -up netpbm-10.58.01/editor/pnmshear.c.security-code netpbm-10.58.01/editor/pnmshear.c
---- netpbm-10.58.01/editor/pnmshear.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/pnmshear.c 2012-04-09 15:40:03.224619526 +0200
-@@ -15,6 +15,7 @@
- #include <assert.h>
- #include <math.h>
- #include <string.h>
-+#include <limits.h>
-
- #include "pm_c_util.h"
- #include "ppm.h"
-@@ -236,6 +237,11 @@ main(int argc, char * argv[]) {
-
- shearfac = fabs(tan(cmdline.angle));
-
-+ if(rows * shearfac >= INT_MAX-1)
-+ pm_error("image too large");
-+
-+ overflow_add(rows * shearfac, cols+1);
-+
- newcols = rows * shearfac + cols + 0.999999;
-
- pnm_writepnminit(stdout, newcols, rows, newmaxval, newformat, 0);
-diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor/ppmdither.c
---- netpbm-10.58.01/editor/ppmdither.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/ppmdither.c 2012-04-09 15:40:03.224619526 +0200
-@@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower)
- unsigned int const dithMatSize =
+diff --git a/editor/ppmdither.c b/editor/ppmdither.c
+index ec1b977..e701e09 100644
+--- a/editor/ppmdither.c
++++ b/editor/ppmdither.c
+@@ -356,6 +356,11 @@ dithMatrix(unsigned int const dithPower) {
(dithDim * sizeof(*dithMat)) + /* pointers */
(dithDim * dithDim * sizeof(**dithMat)); /* data */
--
+
+
+ overflow2(dithDim, sizeof(*dithMat));
+ overflow3(dithDim, dithDim, sizeof(**dithMat));
@@ -1012,9 +946,10 @@ diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor
dithMat = malloc(dithMatSize);
if (dithMat == NULL)
-diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c
---- netpbm-10.58.01/editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200
-+++ netpbm-10.58.01/editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200
+diff --git a/editor/specialty/pamoil.c b/editor/specialty/pamoil.c
+index 6cb8d3a..6f4bde9 100644
+--- a/editor/specialty/pamoil.c
++++ b/editor/specialty/pamoil.c
@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
pm_close(ifp);
@@ -1023,10 +958,11 @@ diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01
MALLOCARRAY(hist, inpam.maxval + 1);
if (hist == NULL)
pm_error("Unable to allocate memory for histogram.");
-diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/generator/pbmtext.c
---- netpbm-10.58.01/generator/pbmtext.c.security-code 2012-04-09 15:31:34.000000000 +0200
-+++ netpbm-10.58.01/generator/pbmtext.c 2012-04-09 15:40:03.225619514 +0200
-@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char **
+diff --git a/generator/pbmtext.c b/generator/pbmtext.c
+index 9f4366d..445d718 100644
+--- a/generator/pbmtext.c
++++ b/generator/pbmtext.c
+@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char ** argv,
for (i = 1; i < argc; ++i) {
if (i > 1) {
@@ -1036,16 +972,17 @@ diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/gener
if (text == NULL)
pm_error("out of memory allocating space for input text");
strcat(text, " ");
- }
+- }
++ }
+ overflow_add(totaltextsize, strlen(argv[i]));
totaltextsize += strlen(argv[i]);
text = realloc(text, totaltextsize);
if (text == NULL)
-@@ -712,6 +714,7 @@ getText(const char cmdline_text
+@@ -712,6 +714,7 @@ getText(const char cmdline_text[],
pm_error("A line of input text is longer than %u characters."
"Cannot process.", (unsigned)sizeof(buf)-1);
if (lineCount >= maxlines) {
-+ overflow2(maxlines, 2);
++ overflow2(maxlines, 2);
maxlines *= 2;
REALLOCARRAY(text_array, maxlines);
if (text_array == NULL)
@@ -1053,99 +990,107 @@ diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/gener
hmargin = fontP->maxwidth;
} else {
vmargin = fontP->maxheight;
-+ overflow2(2, fontP->maxwidth);
++ overflow2(2, fontP->maxwidth);
hmargin = 2 * fontP->maxwidth;
}
}
-diff -up netpbm-10.58.01/lib/libpam.c.security-code netpbm-10.58.01/lib/libpam.c
---- netpbm-10.58.01/lib/libpam.c.security-code 2012-04-09 15:31:38.000000000 +0200
-+++ netpbm-10.58.01/lib/libpam.c 2012-04-09 15:40:03.227619490 +0200
-@@ -220,7 +220,8 @@ allocPamRow(const struct pam * const pam
+diff --git a/lib/libpam.c b/lib/libpam.c
+index cc6368e..4e10572 100644
+--- a/lib/libpam.c
++++ b/lib/libpam.c
+@@ -224,8 +224,9 @@ allocPamRow(const struct pam * const pamP) {
unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample);
tuple * tuplerow;
- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple));
+-
+ overflow_add(sizeof(tuple *), bytesPerTuple);
+ tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple));
-
++
if (tuplerow != NULL) {
/* Now we initialize the pointers to the individual tuples
-diff -up netpbm-10.58.01/lib/libpammap.c.security-code netpbm-10.58.01/lib/libpammap.c
---- netpbm-10.58.01/lib/libpammap.c.security-code 2012-04-09 15:31:38.000000000 +0200
-+++ netpbm-10.58.01/lib/libpammap.c 2012-04-09 15:40:03.228619477 +0200
-@@ -104,6 +104,8 @@ allocTupleIntListItem(struct pam * const
+ to make this a regulation C two dimensional array.
+diff --git a/lib/libpammap.c b/lib/libpammap.c
+index 55e1d3f..04b1ba3 100644
+--- a/lib/libpammap.c
++++ b/lib/libpammap.c
+@@ -108,7 +108,9 @@ allocTupleIntListItem(struct pam * const pamP) {
*/
struct tupleint_list_item * retval;
+- unsigned int const size =
+ overflow2(pamP->depth, sizeof(sample));
+ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample));
- unsigned int const size =
++ unsigned int const size =
sizeof(*retval) - sizeof(retval->tupleint.tuple)
+ pamP->depth * sizeof(sample);
-diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c
---- netpbm-10.58.01/lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200
-+++ netpbm-10.58.01/lib/libpm.c 2012-04-09 15:40:03.229619464 +0200
-@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg)
- }
+diff --git a/lib/libpm.c b/lib/libpm.c
+index 4374bbe..5ab7f83 100644
+--- a/lib/libpm.c
++++ b/lib/libpm.c
+@@ -841,5 +841,53 @@ pm_parse_height(const char * const arg) {
+ return height;
+ }
+/*
+ * Maths wrapping
+ */
-+
+
+void __overflow2(int a, int b)
+{
-+ if(a < 0 || b < 0)
-+ pm_error("object too large");
-+ if(b == 0)
-+ return;
-+ if(a > INT_MAX / b)
-+ pm_error("object too large");
++ if(a < 0 || b < 0)
++ pm_error("object too large");
++ if(b == 0)
++ return;
++ if(a > INT_MAX / b)
++ pm_error("object too large");
+}
+
+void overflow3(int a, int b, int c)
+{
-+ overflow2(a,b);
-+ overflow2(a*b, c);
++ overflow2(a,b);
++ overflow2(a*b, c);
+}
+
+void overflow_add(int a, int b)
+{
-+ if( a > INT_MAX - b)
-+ pm_error("object too large");
++ if( a > INT_MAX - b)
++ pm_error("object too large");
+}
+
+void *malloc2(int a, int b)
+{
-+ overflow2(a, b);
-+ if(a*b == 0)
-+ pm_error("Zero byte allocation");
-+ return malloc(a*b);
++ overflow2(a, b);
++ if(a*b == 0)
++ pm_error("Zero byte allocation");
++ return malloc(a*b);
+}
+
+void *malloc3(int a, int b, int c)
+{
-+ overflow3(a, b, c);
-+ if(a*b*c == 0)
-+ pm_error("Zero byte allocation");
-+ return malloc(a*b*c);
++ overflow3(a, b, c);
++ if(a*b*c == 0)
++ pm_error("Zero byte allocation");
++ return malloc(a*b*c);
+}
+
+void *realloc2(void * a, int b, int c)
+{
-+ overflow2(b, c);
-+ if(b*c == 0)
-+ pm_error("Zero byte allocation");
-+ return realloc(a, b*c);
++ overflow2(b, c);
++ if(b*c == 0)
++ pm_error("Zero byte allocation");
++ return realloc(a, b*c);
+}
-diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h
---- netpbm-10.58.01/lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200
-+++ netpbm-10.58.01/lib/pm.h 2012-04-09 15:40:03.229619464 +0200
-@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg);
+diff --git a/lib/pm.h b/lib/pm.h
+index e9f1405..da54391 100644
+--- a/lib/pm.h
++++ b/lib/pm.h
+@@ -435,5 +435,12 @@ pm_parse_height(const char * const arg);
+ }
#endif
-
+void *malloc2(int, int);
+void *malloc3(int, int, int);
+#define overflow2(a,b) __overflow2(a,b)
@@ -1153,11 +1098,13 @@ diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h
+void overflow3(int, int, int);
+void overflow_add(int, int);
+
+
#endif
-diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c
---- netpbm-10.58.01/other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200
-+++ netpbm-10.58.01/other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200
-@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP
+diff --git a/other/pnmcolormap.c b/other/pnmcolormap.c
+index 57db432..7195295 100644
+--- a/other/pnmcolormap.c
++++ b/other/pnmcolormap.c
+@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP,
pamP->width = intsqrt;
else
pamP->width = intsqrt + 1;
@@ -1165,189 +1112,176 @@ diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other
}
{
unsigned int const intQuotient = colormap.size / pamP->width;
-diff -up netpbm-10.58.01/urt/README.security-code netpbm-10.58.01/urt/README
---- netpbm-10.58.01/urt/README.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/README 2012-04-09 15:40:03.231619438 +0200
-@@ -18,3 +18,8 @@ in its initializer in the original. But
- defines stdout as a variable, so that wouldn't compile. So I changed
- it to NULL and added a line to rle_hdr_init to set that field to
- 'stdout' dynamically. 2000.06.02 BJH.
-+
-+Redid the code to check for maths overflows and other crawly horrors.
-+Removed pipe through and compress support (unsafe)
+diff --git a/urt/Runput.c b/urt/Runput.c
+index 3bc562a..645a376 100644
+--- a/urt/Runput.c
++++ b/urt/Runput.c
+@@ -202,10 +202,11 @@ RunSetup(rle_hdr * the_hdr)
+ if ( the_hdr->background != 0 )
+ {
+ register int i;
+- register rle_pixel *background =
+- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
+- register int *bg_color;
+- /*
++ register rle_pixel *background;
++ register int *bg_color;
+
-+Alan Cox <alan@redhat.com>
-diff -up netpbm-10.58.01/urt/rle_addhist.c.security-code netpbm-10.58.01/urt/rle_addhist.c
---- netpbm-10.58.01/urt/rle_addhist.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/rle_addhist.c 2012-04-09 15:40:03.231619438 +0200
-@@ -14,6 +14,8 @@
- * If you modify this software, you should include a notice giving the
- * name of the person performing the modification, the date of modification,
- * and the reason for such modification.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
++ overflow_add(the_hdr->ncolors,1);
++ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); /*
+ * If even number of bg color bytes, put out one more to get to
+ * 16 bit boundary.
+ */
+@@ -224,7 +225,7 @@ RunSetup(rle_hdr * the_hdr)
+ /* Big-endian machines are harder */
+ register int i, nmap = (1 << the_hdr->cmaplen) *
+ the_hdr->ncmap;
+- register char *h_cmap = (char *)malloc( nmap * 2 );
++ register char *h_cmap = (char *)malloc2( nmap, 2 );
+ if ( h_cmap == NULL )
+ {
+ fprintf( stderr,
+diff --git a/urt/rle.h b/urt/rle.h
+index 8d72cb9..ac65b94 100644
+--- a/urt/rle.h
++++ b/urt/rle.h
+@@ -161,6 +161,17 @@ rle_hdr /* End of typedef. */
*/
- /*
- * rle_addhist.c - Add to the HISTORY comment in header
-@@ -71,13 +73,19 @@ rle_addhist(char * argv[],
+ extern rle_hdr rle_dflt_hdr;
+
++/*
++ * Provided by pm library
++ */
++
++extern void overflow_add(int, int);
++#define overflow2(a,b) __overflow2(a,b)
++extern void __overflow2(int, int);
++extern void overflow3(int, int, int);
++extern void *malloc2(int, int);
++extern void *malloc3(int, int, int);
++extern void *realloc2(void *, int, int);
+
+ /* Declare RLE library routines. */
+
+diff --git a/urt/rle_addhist.c b/urt/rle_addhist.c
+index b165175..e09ed94 100644
+--- a/urt/rle_addhist.c
++++ b/urt/rle_addhist.c
+@@ -70,13 +70,18 @@ rle_addhist(char * argv[],
return;
length = 0;
- for (i = 0; argv[i]; ++i)
+ for (i = 0; argv[i]; ++i) {
-+ overflow_add(length, strlen(argv[i]));
-+ overflow_add(length+1, strlen(argv[i]));
++ overflow_add(length, strlen(argv[i]));
++ overflow_add(length+1, strlen(argv[i]));
length += strlen(argv[i]) +1; /* length of each arg plus space. */
+ }
time(&temp);
timedate = ctime(&temp);
length += strlen(timedate); /* length of date and time in ASCII. */
-
+-
+ overflow_add(strlen(padding), 4);
+ overflow_add(strlen(histoire), strlen(padding) + 4);
+ overflow_add(length, strlen(histoire) + strlen(padding) + 4);
length += strlen(padding) + 3 + strlen(histoire) + 1;
/* length of padding, "on " and length of history name plus "="*/
if (in_hdr) /* if we are interested in the old comments... */
-@@ -85,9 +93,12 @@ rle_addhist(char * argv[],
+@@ -84,8 +89,10 @@ rle_addhist(char * argv[],
else
old = NULL;
- if (old && *old)
+ if (old && *old) {
-+ overflow_add(length, strlen(old));
++ overflow_add(length, strlen(old));
length += strlen(old); /* add length if there. */
+ }
-+ overflow_add(length, 1);
++length; /*Cater for the null. */
- MALLOCARRAY(newc, length);
-diff -up netpbm-10.58.01/urt/rle_getrow.c.security-code netpbm-10.58.01/urt/rle_getrow.c
---- netpbm-10.58.01/urt/rle_getrow.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/rle_getrow.c 2012-04-09 15:40:03.232619426 +0200
-@@ -17,6 +17,8 @@
- *
- * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
- * to have all "void" functions so declared.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
- */
- /*
- * rle_getrow.c - Read an RLE file in.
-@@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) {
- register char * cp;
+diff --git a/urt/rle_getrow.c b/urt/rle_getrow.c
+index bd7d1c8..bd05698 100644
+--- a/urt/rle_getrow.c
++++ b/urt/rle_getrow.c
+@@ -168,6 +168,7 @@ rle_get_setup(rle_hdr * const the_hdr) {
+ char * cp;
- VAXSHORT( comlen, infile ); /* get comment length */
-+ overflow_add(comlen, 1);
+ VAXSHORT(comlen, infile); /* get comment length */
++ overflow_add(comlen, 1);
evenlen = (comlen + 1) & ~1; /* make it even */
- if ( evenlen )
- {
-diff -up netpbm-10.58.01/urt/rle_hdr.c.security-code netpbm-10.58.01/urt/rle_hdr.c
---- netpbm-10.58.01/urt/rle_hdr.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/rle_hdr.c 2012-04-09 15:40:03.233619414 +0200
-@@ -14,6 +14,8 @@
- * If you modify this software, you should include a notice giving the
- * name of the person performing the modification, the date of modification,
- * and the reason for such modification.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
- */
- /*
- * rle_hdr.c - Functions to manipulate rle_hdr structures.
-@@ -80,7 +82,10 @@ int img_num;
+ if (evenlen) {
+ MALLOCARRAY(comment_buf, evenlen);
+diff --git a/urt/rle_hdr.c b/urt/rle_hdr.c
+index 1611324..7c9c010 100644
+--- a/urt/rle_hdr.c
++++ b/urt/rle_hdr.c
+@@ -80,7 +80,10 @@ int img_num;
/* Fill in with copies of the strings. */
if ( the_hdr->cmd != pgmname )
{
- char *tmp = (char *)malloc( strlen( pgmname ) + 1 );
-+ char *tmp ;
++ char *tmp;
+
-+ overflow_add(strlen(pgmname), 1);
-+ tmp = malloc( strlen( pgmname ) + 1 );
++ overflow_add(strlen(pgmname), 1);
++ tmp = malloc( strlen(pgmname) + 1 );
RLE_CHECK_ALLOC( pgmname, tmp, 0 );
strcpy( tmp, pgmname );
the_hdr->cmd = tmp;
-@@ -88,7 +93,9 @@ int img_num;
+@@ -88,8 +91,10 @@ int img_num;
if ( the_hdr->file_name != fname )
{
- char *tmp = (char *)malloc( strlen( fname ) + 1 );
-+ char *tmp;
-+ overflow_add(strlen(fname), 1);
-+ tmp = malloc( strlen( fname ) + 1 );
- RLE_CHECK_ALLOC( pgmname, tmp, 0 );
+- RLE_CHECK_ALLOC( pgmname, tmp, 0 );
++ char *tmp;
++ overflow_add(strlen(fname), 1);
++ tmp = malloc( strlen( fname ) + 1 );
++ RLE_CHECK_ALLOC( pgmname, tmp, 0 );
strcpy( tmp, fname );
the_hdr->file_name = tmp;
-@@ -153,6 +160,7 @@ rle_hdr *from_hdr, *to_hdr;
+ }
+@@ -153,6 +158,7 @@ rle_hdr *from_hdr, *to_hdr;
if ( to_hdr->bg_color )
{
int size = to_hdr->ncolors * sizeof(int);
-+ overflow2(to_hdr->ncolors, sizeof(int));
++ overflow2(to_hdr->ncolors, sizeof(int));
to_hdr->bg_color = (int *)malloc( size );
RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" );
memcpy( to_hdr->bg_color, from_hdr->bg_color, size );
-@@ -161,7 +169,7 @@ rle_hdr *from_hdr, *to_hdr;
+@@ -161,7 +167,7 @@ rle_hdr *from_hdr, *to_hdr;
if ( to_hdr->cmap )
{
int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map);
- to_hdr->cmap = (rle_map *)malloc( size );
-+ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map));
++ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map));
RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" );
memcpy( to_hdr->cmap, from_hdr->cmap, size );
}
-@@ -174,11 +182,16 @@ rle_hdr *from_hdr, *to_hdr;
+@@ -173,12 +179,17 @@ rle_hdr *from_hdr, *to_hdr;
+ {
int size = 0;
CONST_DECL char **cp;
- for ( cp=to_hdr->comments; *cp; cp++ )
-+ {
-+ overflow_add(size, 1);
+- for ( cp=to_hdr->comments; *cp; cp++ )
++ for ( cp=to_hdr->comments; *cp; cp++ )
++ {
++ overflow_add(size, 1);
size++; /* Count the comments. */
-+ }
++ }
/* Check if there are really any comments. */
if ( size )
{
-+ overflow_add(size, 1);
++ overflow_add(size, 1);
size++; /* Copy the NULL pointer, too. */
-+ overflow2(size, sizeof(char *));
++ overflow2(size, sizeof(char *));
size *= sizeof(char *);
to_hdr->comments = (CONST_DECL char **)malloc( size );
RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" );
-diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h
---- netpbm-10.58.01/urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/rle.h 2012-04-09 15:40:03.233619414 +0200
-@@ -14,6 +14,9 @@
- * If you modify this software, you should include a notice giving the
- * name of the person performing the modification, the date of modification,
- * and the reason for such modification.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
-+ * Header declarations needed
- */
- /*
- * rle.h - Global declarations for Utah Raster Toolkit RLE programs.
-@@ -160,6 +163,17 @@ rle_hdr /* End of typedef. *
- */
- extern rle_hdr rle_dflt_hdr;
-
-+/*
-+ * Provided by pm library
-+ */
-+
-+extern void overflow_add(int, int);
-+#define overflow2(a,b) __overflow2(a,b)
-+extern void __overflow2(int, int);
-+extern void overflow3(int, int, int);
-+extern void *malloc2(int, int);
-+extern void *malloc3(int, int, int);
-+extern void *realloc2(void *, int, int);
-
- /* Declare RLE library routines. */
-
-diff -up netpbm-10.58.01/urt/rle_open_f.c.security-code netpbm-10.58.01/urt/rle_open_f.c
---- netpbm-10.58.01/urt/rle_open_f.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/rle_open_f.c 2012-04-09 15:40:03.234619402 +0200
-@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const f
+diff --git a/urt/rle_open_f.c b/urt/rle_open_f.c
+index ae8548b..c2ef37d 100644
+--- a/urt/rle_open_f.c
++++ b/urt/rle_open_f.c
+@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const file_name,
FILE ** const fpP,
bool * const noSubprocessP,
const char ** const errorP) {
@@ -1413,146 +1347,40 @@ diff -up netpbm-10.58.01/urt/rle_open_f.c.security-code netpbm-10.58.01/urt/rle_
}
-diff -up netpbm-10.58.01/urt/rle_putcom.c.security-code netpbm-10.58.01/urt/rle_putcom.c
---- netpbm-10.58.01/urt/rle_putcom.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/rle_putcom.c 2012-04-09 15:40:03.234619402 +0200
-@@ -14,6 +14,8 @@
- * If you modify this software, you should include a notice giving the
- * name of the person performing the modification, the date of modification,
- * and the reason for such modification.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
- */
- /*
- * rle_putcom.c - Add a picture comment to the header struct.
-@@ -98,12 +100,14 @@ rle_putcom(const char * const value,
+diff --git a/urt/rle_putcom.c b/urt/rle_putcom.c
+index ab2eb20..f6a6ff7 100644
+--- a/urt/rle_putcom.c
++++ b/urt/rle_putcom.c
+@@ -98,12 +98,14 @@ rle_putcom(const char * const value,
const char * v;
const char ** old_comments;
int i;
- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp)
+ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) {
-+ overflow_add(i, 1);
++ overflow_add(i, 1);
if (match(value, *cp) != NULL) {
v = *cp;
*cp = value;
return v;
}
-+ }
++ }
/* Not found */
/* Can't realloc because somebody else might be pointing to this
* comments block. Of course, if this were true, then the
-diff -up netpbm-10.58.01/urt/Runput.c.security-code netpbm-10.58.01/urt/Runput.c
---- netpbm-10.58.01/urt/Runput.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/Runput.c 2012-04-09 15:40:03.235619390 +0200
-@@ -17,6 +17,8 @@
- *
- * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
- * to have all "void" functions so declared.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
- */
- /*
- * Runput.c - General purpose Run Length Encoding.
-@@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr)
- if ( the_hdr->background != 0 )
- {
- register int i;
-- register rle_pixel *background =
-- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
-+ register rle_pixel *background;
- register int *bg_color;
-+
-+ overflow_add(the_hdr->ncolors,1);
-+ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
- /*
- * If even number of bg color bytes, put out one more to get to
- * 16 bit boundary.
-@@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr)
- /* Big-endian machines are harder */
- register int i, nmap = (1 << the_hdr->cmaplen) *
- the_hdr->ncmap;
-- register char *h_cmap = (char *)malloc( nmap * 2 );
-+ register char *h_cmap = (char *)malloc2( nmap, 2 );
- if ( h_cmap == NULL )
- {
- fprintf( stderr,
-diff -up netpbm-10.58.01/urt/scanargs.c.security-code netpbm-10.58.01/urt/scanargs.c
---- netpbm-10.58.01/urt/scanargs.c.security-code 2012-04-09 15:31:45.000000000 +0200
-+++ netpbm-10.58.01/urt/scanargs.c 2012-04-09 15:40:03.235619390 +0200
-@@ -38,6 +38,8 @@
- *
- * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
- * to have all "void" functions so declared.
-+ *
-+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
- */
-
- #include <stdio.h>
-@@ -63,8 +65,8 @@ typedef int *ptr;
+diff --git a/urt/scanargs.c b/urt/scanargs.c
+index f3af334..5e114bb 100644
+--- a/urt/scanargs.c
++++ b/urt/scanargs.c
+@@ -62,9 +62,8 @@ typedef int *ptr;
/*
* Storage allocation macros
*/
-#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) )
-#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) )
+-
+#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) )
+#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) )
-
static CONST_DECL char * prformat( CONST_DECL char *, int );
static int isnum( CONST_DECL char *, int, int );
---- netpbm-10.58.01/lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400
-+++ netpbm-10.58.01/lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400
-@@ -78,6 +78,7 @@
- } else {
- pm_filepos const bytesPerRow = (cols+7)/8;
- pm_filepos const needRasterSize = rows * bytesPerRow;
-+ overflow2(bytesPerRow, rows);
- pm_check(fileP, checkType, needRasterSize, retvalP);
- }
- }
---- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400
-+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400
-@@ -185,6 +185,7 @@
- unsigned int i;
- int * table;
-
-+ overflow_add(oldmaxval, 1);
- MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
- for (i = 0; i <= oldmaxval; ++i)
- table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
---- netpbm-10.58.01/converter/other/sgitopnm.c.orig 2014-07-08 16:57:30.878754976 -0400
-+++ netpbm-10.58.01/converter/other/sgitopnm.c 2014-07-08 17:07:52.727745725 -0400
-@@ -372,10 +372,14 @@
- MALLOCARRAY_NOFAIL(image, head->ysize);
- } else {
- maxchannel = 3;
-+ overflow2(head->ysize, maxchannel);
- MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
- }
-- if (table)
-+ if (table) {
-+ overflow2(head->xsize, 2);
-+ overflow_add(head->xsize*2, 2);
- MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
-+ }
-
- for (channel = 0; channel < maxchannel; ++channel) {
- unsigned int row;
---- netpbm-10.58.01/converter/other/pnmtosgi.c.orig 2014-07-08 16:57:30.878754976 -0400
-+++ netpbm-10.58.01/converter/other/pnmtosgi.c 2014-07-08 17:11:55.164018919 -0400
-@@ -176,6 +176,8 @@
- break;
- case STORAGE_RLE: {
- unsigned int const tabrow = chanNum * rows + row;
-+ overflow2(chanNum, rows);
-+ overflow_add(chanNum* rows, row);
- unsigned int const len = rleCompress(tempArg, cols);
- /* writes result into rletemp */
- unsigned int i;
-@@ -212,6 +214,7 @@
- ScanElem * temp;
-
- if (storage != STORAGE_VERBATIM) {
-+ overflow2(channels, rows);
- MALLOCARRAY_NOFAIL(table, channels * rows);
- MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols));
- } else
+ static int _do_scanargs( int argc, char **argv, CONST_DECL char *format,
+