1 files changed, 70 insertions, 24 deletions

diff --git a/libre/netpbm/netpbm-security-code.patch b/libre/netpbm/netpbm-security-code.patch
index 18f7bd71a..8674eb7a0 100644
--- a/libre/netpbm/netpbm-security-code.patch
+++ b/libre/netpbm/netpbm-security-code.patch
@@ -240,6 +240,27 @@ index 9f7004a..60e8477 100644
      *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' ');
      *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' ');
      *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;
+diff --git a/converter/pbm/pbmto4425.c b/converter/pbm/pbmto4425.c
+index 1d97ac6..c4c8cbb 100644
+--- a/converter/pbm/pbmto4425.c
++++ b/converter/pbm/pbmto4425.c
+@@ -2,6 +2,7 @@
+ 
+ #include "nstring.h"
+ #include "pbm.h"
++#include <string.h>
+ 
+ static char bit_table[2][3] = {
+ {1, 4, 0x10},
+@@ -160,7 +161,7 @@ main(int argc, char * argv[]) {
+     xres = vmap_width * 2;
+     yres = vmap_height * 3;
+ 
+-    vmap = malloc(vmap_width * vmap_height * sizeof(char));
++    vmap = malloc3(vmap_width, vmap_height, sizeof(char));
+     if(vmap == NULL)
+ 	{
+         pm_error( "Cannot allocate memory" );
 diff --git a/converter/pbm/pbmtogem.c b/converter/pbm/pbmtogem.c
 index 9eab041..13b0257 100644
 --- a/converter/pbm/pbmtogem.c
@@ -337,6 +358,18 @@ index 14c6b85..362b70e 100644
  
      putinit(xbmVersion);
  
+diff --git a/converter/pbm/pktopbm.c b/converter/pbm/pktopbm.c
+index 712f339..b6fcb02 100644
+--- a/converter/pbm/pktopbm.c
++++ b/converter/pbm/pktopbm.c
+@@ -280,6 +280,7 @@ main(int argc, char *argv[]) {
+         if (flagbyte == 7) {            /* long form preamble */
+             integer packetlength = get32() ;    /* character packet length */
+             car = get32() ;         /* character number */
++            overflow_add(packetlength, pktopbm_pkloc);
+             endofpacket = packetlength + pktopbm_pkloc;
+                 /* calculate end of packet */
+             if ((car >= MAXPKCHAR) || !filename[car]) {
 diff --git a/converter/pbm/thinkjettopbm.l b/converter/pbm/thinkjettopbm.l
 index 5de4f2b..7f31de5 100644
 --- a/converter/pbm/thinkjettopbm.l
@@ -674,6 +707,43 @@ index d116773..fc84cac 100644
  	obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
  	cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
  
+diff --git a/converter/ppm/ppmtopjxl.c b/converter/ppm/ppmtopjxl.c
+index ddf4963..b2c7e8e 100644
+--- a/converter/ppm/ppmtopjxl.c
++++ b/converter/ppm/ppmtopjxl.c
+@@ -306,6 +306,9 @@ main(int argc, const char * argv[]) {
+     if (maxval > PCL_MAXVAL)
+         pm_error("color range too large; reduce with ppmcscale");
+ 
++    if (cols < 0 || rows < 0)
++        pm_error("negative size is not possible");
++
+     /* Figure out the colormap. */
+     pm_message("Computing colormap...");
+     chv = ppm_computecolorhist(pixels, cols, rows, MAXCOLORS, &colors);
+@@ -325,6 +328,8 @@ main(int argc, const char * argv[]) {
+         case 0: /* direct mode (no palette) */
+             bpp = bitsperpixel(maxval); /* bits per pixel */
+             bpg = bpp; bpb = bpp;
++            overflow2(bpp, 3);
++            overflow_add(bpp*3, 7);
+             bpp = (bpp*3+7)>>3;     /* bytes per pixel now */
+             bpr = (bpp<<3)-bpg-bpb; 
+             bpp *= cols;            /* bytes per row now */
+@@ -334,9 +339,13 @@ main(int argc, const char * argv[]) {
+         case 3: case 7: pclindex++;
+         default:
+             bpp = 8/pclindex;
++            overflow_add(cols, bpp);
++            if(bpp == 0)
++                pm_error("assert: no bpp");
+             bpp = (cols+bpp-1)/bpp;      /* bytes per row */
+         }
+     }
++    overflow2(bpp,2);
+     inrow = (char *)malloc((unsigned)bpp);
+     outrow = (char *)malloc((unsigned)bpp*2);
+     runcnt = (signed char *)malloc((unsigned)bpp);
 diff --git a/converter/ppm/ppmtowinicon.c b/converter/ppm/ppmtowinicon.c
 index c673798..af2b445 100644
 --- a/converter/ppm/ppmtowinicon.c
@@ -773,30 +843,6 @@ diff --git a/converter/ppm/ximtoppm.c b/converter/ppm/ximtoppm.c
 index ce5e639..a39b689 100644
 --- a/converter/ppm/ximtoppm.c
 +++ b/converter/ppm/ximtoppm.c
-@@ -117,6 +117,7 @@ ReadXimHeader(FILE *     const in_fp,
-     header->bits_channel = atoi(a_head.bits_per_channel);
-     header->alpha_flag = atoi(a_head.alpha_channel);
-     if (strlen(a_head.author)) {
-+        overflow_add(strlen(a_head.author),1);
-         if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1,
-                 1))) {
-             pm_message("ReadXimHeader: can't calloc author string" );
-@@ -126,6 +127,7 @@ ReadXimHeader(FILE *     const in_fp,
-         strncpy(header->author, a_head.author, strlen(a_head.author));
-     }
-     if (strlen(a_head.date)) {
-+        overflow_add(strlen(a_head.date),1);
-         if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){
-             pm_message("ReadXimHeader: can't calloc date string" );
-             return(0);
-@@ -134,6 +136,7 @@ ReadXimHeader(FILE *     const in_fp,
-         strncpy(header->date, a_head.date, strlen(a_head.date));
-     }
-     if (strlen(a_head.program)) {
-+        overflow_add(strlen(a_head.program),1);
-         if (!(header->program = calloc(
-                     (unsigned int)strlen(a_head.program) + 1, 1))) {
-             pm_message("ReadXimHeader: can't calloc program string" );
 @@ -160,6 +163,7 @@ ReadXimHeader(FILE *     const in_fp,
      if (header->nchannels == 3 && header->bits_channel == 8)
          header->ncolors = 0;