diff options
Diffstat (limited to 'libre/netpbm/netpbm-security-code.patch')
-rw-r--r-- | libre/netpbm/netpbm-security-code.patch | 94 |
1 files changed, 70 insertions, 24 deletions
diff --git a/libre/netpbm/netpbm-security-code.patch b/libre/netpbm/netpbm-security-code.patch index 18f7bd71a..8674eb7a0 100644 --- a/libre/netpbm/netpbm-security-code.patch +++ b/libre/netpbm/netpbm-security-code.patch @@ -240,6 +240,27 @@ index 9f7004a..60e8477 100644 *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; +diff --git a/converter/pbm/pbmto4425.c b/converter/pbm/pbmto4425.c +index 1d97ac6..c4c8cbb 100644 +--- a/converter/pbm/pbmto4425.c ++++ b/converter/pbm/pbmto4425.c +@@ -2,6 +2,7 @@ + + #include "nstring.h" + #include "pbm.h" ++#include <string.h> + + static char bit_table[2][3] = { + {1, 4, 0x10}, +@@ -160,7 +161,7 @@ main(int argc, char * argv[]) { + xres = vmap_width * 2; + yres = vmap_height * 3; + +- vmap = malloc(vmap_width * vmap_height * sizeof(char)); ++ vmap = malloc3(vmap_width, vmap_height, sizeof(char)); + if(vmap == NULL) + { + pm_error( "Cannot allocate memory" ); diff --git a/converter/pbm/pbmtogem.c b/converter/pbm/pbmtogem.c index 9eab041..13b0257 100644 --- a/converter/pbm/pbmtogem.c @@ -337,6 +358,18 @@ index 14c6b85..362b70e 100644 putinit(xbmVersion); +diff --git a/converter/pbm/pktopbm.c b/converter/pbm/pktopbm.c +index 712f339..b6fcb02 100644 +--- a/converter/pbm/pktopbm.c ++++ b/converter/pbm/pktopbm.c +@@ -280,6 +280,7 @@ main(int argc, char *argv[]) { + if (flagbyte == 7) { /* long form preamble */ + integer packetlength = get32() ; /* character packet length */ + car = get32() ; /* character number */ ++ overflow_add(packetlength, pktopbm_pkloc); + endofpacket = packetlength + pktopbm_pkloc; + /* calculate end of packet */ + if ((car >= MAXPKCHAR) || !filename[car]) { diff --git a/converter/pbm/thinkjettopbm.l b/converter/pbm/thinkjettopbm.l index 5de4f2b..7f31de5 100644 --- a/converter/pbm/thinkjettopbm.l @@ -674,6 +707,43 @@ index d116773..fc84cac 100644 obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char)); cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char)); +diff --git a/converter/ppm/ppmtopjxl.c b/converter/ppm/ppmtopjxl.c +index ddf4963..b2c7e8e 100644 +--- a/converter/ppm/ppmtopjxl.c ++++ b/converter/ppm/ppmtopjxl.c +@@ -306,6 +306,9 @@ main(int argc, const char * argv[]) { + if (maxval > PCL_MAXVAL) + pm_error("color range too large; reduce with ppmcscale"); + ++ if (cols < 0 || rows < 0) ++ pm_error("negative size is not possible"); ++ + /* Figure out the colormap. */ + pm_message("Computing colormap..."); + chv = ppm_computecolorhist(pixels, cols, rows, MAXCOLORS, &colors); +@@ -325,6 +328,8 @@ main(int argc, const char * argv[]) { + case 0: /* direct mode (no palette) */ + bpp = bitsperpixel(maxval); /* bits per pixel */ + bpg = bpp; bpb = bpp; ++ overflow2(bpp, 3); ++ overflow_add(bpp*3, 7); + bpp = (bpp*3+7)>>3; /* bytes per pixel now */ + bpr = (bpp<<3)-bpg-bpb; + bpp *= cols; /* bytes per row now */ +@@ -334,9 +339,13 @@ main(int argc, const char * argv[]) { + case 3: case 7: pclindex++; + default: + bpp = 8/pclindex; ++ overflow_add(cols, bpp); ++ if(bpp == 0) ++ pm_error("assert: no bpp"); + bpp = (cols+bpp-1)/bpp; /* bytes per row */ + } + } ++ overflow2(bpp,2); + inrow = (char *)malloc((unsigned)bpp); + outrow = (char *)malloc((unsigned)bpp*2); + runcnt = (signed char *)malloc((unsigned)bpp); diff --git a/converter/ppm/ppmtowinicon.c b/converter/ppm/ppmtowinicon.c index c673798..af2b445 100644 --- a/converter/ppm/ppmtowinicon.c @@ -773,30 +843,6 @@ diff --git a/converter/ppm/ximtoppm.c b/converter/ppm/ximtoppm.c index ce5e639..a39b689 100644 --- a/converter/ppm/ximtoppm.c +++ b/converter/ppm/ximtoppm.c -@@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp, - header->bits_channel = atoi(a_head.bits_per_channel); - header->alpha_flag = atoi(a_head.alpha_channel); - if (strlen(a_head.author)) { -+ overflow_add(strlen(a_head.author),1); - if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, - 1))) { - pm_message("ReadXimHeader: can't calloc author string" ); -@@ -126,6 +127,7 @@ ReadXimHeader(FILE * const in_fp, - strncpy(header->author, a_head.author, strlen(a_head.author)); - } - if (strlen(a_head.date)) { -+ overflow_add(strlen(a_head.date),1); - if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){ - pm_message("ReadXimHeader: can't calloc date string" ); - return(0); -@@ -134,6 +136,7 @@ ReadXimHeader(FILE * const in_fp, - strncpy(header->date, a_head.date, strlen(a_head.date)); - } - if (strlen(a_head.program)) { -+ overflow_add(strlen(a_head.program),1); - if (!(header->program = calloc( - (unsigned int)strlen(a_head.program) + 1, 1))) { - pm_message("ReadXimHeader: can't calloc program string" ); @@ -160,6 +163,7 @@ ReadXimHeader(FILE * const in_fp, if (header->nchannels == 3 && header->bits_channel == 8) header->ncolors = 0; |