diff options
Diffstat (limited to 'libre')
| -rw-r--r-- | libre/netpbm/PKGBUILD | 50 | ||||
| -rw-r--r-- | libre/netpbm/netpbm-security-code.patch | 1160 | ||||
| -rw-r--r-- | libre/netpbm/netpbm-security-scripts.patch | 102 |
3 files changed, 566 insertions, 746 deletions
diff --git a/libre/netpbm/PKGBUILD b/libre/netpbm/PKGBUILD index 9da6a53d9..06a204793 100644 --- a/libre/netpbm/PKGBUILD +++ b/libre/netpbm/PKGBUILD @@ -1,11 +1,12 @@ -# $Id$ +# $Id: PKGBUILD 264943 2016-04-14 11:29:39Z arojas $ # Maintainer: Omar Vega Ramos <ovruni@gnu.org.pe> # Contributor: André Silva <emulatorman@parabola.nu> _pkgname=netpbm-libre pkgname=netpbm -pkgver=10.69.02 -pkgrel=1.parabola2 +pkgver=10.73 +_rev=r2692 +pkgrel=1.parabola1 pkgdesc="A toolkit for manipulation of graphic images, without nonfree parts and patent issues" arch=('i686' 'x86_64' 'armv7h') license=('custom' 'BSD' 'GPL' 'LGPL') @@ -14,35 +15,30 @@ depends=('perl' 'libpng' 'libtiff' 'libxml2') makedepends=('python2' 'jbigkit' 'subversion') options=('!makeflags') # Get docs with: wget --recursive --relative -nH http://netpbm.sourceforge.net/doc/ -mksource=(svn://svn.code.sf.net/p/netpbm/code/advanced) +mksource=(svn://svn.code.sf.net/p/netpbm/code/stable#revision=$_rev) source=(https://repo.parabola.nu/other/${_pkgname}/${_pkgname}-${pkgver}.tar.gz https://sources.archlinux.org/other/packages/netpbm/netpbm-doc-31Jan2014.tar.xz{,.sig} netpbm-CAN-2005-2471.patch netpbm-security-code.patch netpbm-security-scripts.patch) mksha1sums=('SKIP') -sha1sums=('ab442ef64af90f59a121a34e5da587233b6463e6' +sha1sums=('757825cb27458a73026a2956bdd91745c918917f' '25a58975bd8cd383238b4ae31f4405c60914faac' 'SKIP' 'b79cf9d42488fea065ba16262ed97694c47af08d' - 'b0b0168605741a29b96b852d0ba8bae94c96b1bd' - 'c67a63c010353de3ecac3ad72ba76bbb85e4ed4c') + 'af0b348b0d5f863fcf742167bd7f08d5a3a8140b' + 'ca61aabdeb24a6421781ca975719ce7314be2bb9') validpgpkeys=('5357F3B111688D88C1D88119FCF2CB179205AC90') -pkgver() { - cd advanced - echo $(grep MAJOR version.mk |cut -d ' ' -f 3).$(grep MINOR version.mk |cut -d ' ' -f 3).0$(grep POINT version.mk |cut -d ' ' -f 3) -} - mksource() { - cd advanced + cd stable - #Removing hpcdtoppm/pcdindex (non comercial) + # Removing hpcdtoppm/pcdindex (non comercial) rm -rv converter/ppm/hpcdtoppm - #Removing ppmtogif/giftopnm (patent restriction) + # Removing ppmtogif/giftopnm (patent restriction) rm -v converter/other/giftopnm.c converter/ppm/ppmtogif.c rm -v test/gif-quant-roundtrip.test test/gif-roundtrip.test test/all-in-place.ok - #Removing programs without license information + # Removing programs without license information rm -v other/pamchannel.c test/pamchannel.ok rm -v converter/other/pamtopnm.c rm -v converter/pbm/pbmto4425.c @@ -62,21 +58,21 @@ mksource() { } prepare() { - cd advanced + cd stable - #Removing references about hpcdtoppm/pcdindex (non comercial) + # Removing references about hpcdtoppm/pcdindex (non comercial) sed -i 's/hpcdtoppm//g' converter/ppm/Makefile sed -i 's/hpcdtoppm\.1//g' buildtools/manpage.mk sed -i 's/pcdindex\.1//g' buildtools/manpage.mk - #Removing references about ppmtogif/giftopnm (patent restriction) + # Removing references about ppmtogif/giftopnm (patent restriction) sed -i 's/ppmtogif//g' converter/ppm/Makefile test/all-in-place.test sed -i 's/ppmtogif\.1//g' buildtools/manpage.mk sed -i 's/giftopnm//g' converter/other/Makefile test/all-in-place.test sed -i 's/giftopnm\.1//g' buildtools/manpage.mk sed -i '/giftopnm/d' converter/other/pnmtopalm/README - #Removing references about programs without license information + # Removing references about programs without license information sed -i 's/pamchannel//g' other/Makefile test/all-in-place.test sed -i 's/pamchannel\.1//g' buildtools/manpage.mk sed -i 's/pamchannel\.test//g' test/Test-Order @@ -131,27 +127,27 @@ prepare() { } build() { - cd advanced + cd stable make # Generating useful man pages with html doc - make MAKEMAN="${srcdir}/advanced/buildtools/makeman" USERGUIDE=. \ - -C ../doc -f "${srcdir}/advanced/buildtools/manpage.mk" manpages + make MAKEMAN="${srcdir}/stable/buildtools/makeman" USERGUIDE=. \ + -C ../doc -f "${srcdir}/stable/buildtools/manpage.mk" manpages } package() { - cd advanced + cd stable make pkgdir="${pkgdir}/usr" PKGMANDIR=share/man install-run install-dev # Removing dummy man pages rm "${pkgdir}"/usr/share/man/man{1,3,5}/* - make MAKEMAN="${srcdir}/advanced/buildtools/makeman" MANDIR="${pkgdir}/usr/share/man" \ - -C ../doc -f "${srcdir}/advanced/buildtools/manpage.mk" installman + make MAKEMAN="${srcdir}/stable/buildtools/makeman" MANDIR="${pkgdir}/usr/share/man" \ + -C ../doc -f "${srcdir}/stable/buildtools/manpage.mk" installman # Replace obsolete utility echo -e '#!/bin/sh\npamditherbw $@ | pamtopnm\n' > "${pkgdir}/usr/bin/pgmtopbm" # Licensing. Note that each program in the package has a separate license. - install -D -m644 "${srcdir}/advanced/doc/copyright_summary" \ + install -D -m644 "${srcdir}/stable/doc/copyright_summary" \ "${pkgdir}/usr/share/licenses/${pkgname}/copyright_summary.txt" } diff --git a/libre/netpbm/netpbm-security-code.patch b/libre/netpbm/netpbm-security-code.patch index 2127dc592..18f7bd71a 100644 --- a/libre/netpbm/netpbm-security-code.patch +++ b/libre/netpbm/netpbm-security-code.patch @@ -1,16 +1,17 @@ -diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/analyzer/pgmtexture.c ---- netpbm-10.58.01/analyzer/pgmtexture.c.security-code 2012-04-09 15:31:32.000000000 +0200 -+++ netpbm-10.58.01/analyzer/pgmtexture.c 2012-04-09 15:40:03.183620040 +0200 -@@ -97,7 +97,7 @@ vector(unsigned int const nl, - float * v; +diff --git a/analyzer/pgmtexture.c b/analyzer/pgmtexture.c +index 0731733..635c58b 100644 +--- a/analyzer/pgmtexture.c ++++ b/analyzer/pgmtexture.c +@@ -98,6 +98,8 @@ vector(unsigned int const nl, assert(nh >= nl); -- + + overflow_add(nh - nl, 1); ++ MALLOCARRAY(v, (unsigned) (nh - nl + 1)); if (v == NULL) -@@ -129,6 +129,7 @@ matrix (unsigned int const nrl, +@@ -129,6 +131,7 @@ matrix (unsigned int const nrl, assert(nrh >= nrl); /* allocate pointers to rows */ @@ -18,18 +19,18 @@ diff -up netpbm-10.58.01/analyzer/pgmtexture.c.security-code netpbm-10.58.01/ana MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); if (m == NULL) pm_error("Unable to allocate memory for a matrix."); -@@ -136,7 +137,7 @@ matrix (unsigned int const nrl, - m -= ncl; +@@ -137,6 +140,7 @@ matrix (unsigned int const nrl, assert (nch >= ncl); -- + + overflow_add(nch - ncl, 1); /* allocate rows and set pointers to them */ for (i = nrl; i <= nrh; ++i) { MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); -diff -up netpbm-10.58.01/converter/other/gemtopnm.c.security-code netpbm-10.58.01/converter/other/gemtopnm.c ---- netpbm-10.58.01/converter/other/gemtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/gemtopnm.c 2012-04-09 15:40:03.183620040 +0200 +diff --git a/converter/other/gemtopnm.c b/converter/other/gemtopnm.c +index aac7479..5f1a51a 100644 +--- a/converter/other/gemtopnm.c ++++ b/converter/other/gemtopnm.c @@ -106,6 +106,7 @@ main(argc, argv) pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); @@ -38,10 +39,11 @@ diff -up netpbm-10.58.01/converter/other/gemtopnm.c.security-code netpbm-10.58.0 { /* allocate input row data structure */ int plane; -diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c ---- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200 -+++ netpbm-10.58.01/converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200 -@@ -861,6 +861,8 @@ convertImage(FILE * +diff --git a/converter/other/jpegtopnm.c b/converter/other/jpegtopnm.c +index ab3b18e..c324b86 100644 +--- a/converter/other/jpegtopnm.c ++++ b/converter/other/jpegtopnm.c +@@ -861,6 +861,8 @@ convertImage(FILE * const ofP, /* Calculate output image dimensions so we can allocate space */ jpeg_calc_output_dimensions(cinfoP); @@ -50,9 +52,10 @@ diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58. /* Start decompressor */ jpeg_start_decompress(cinfoP); -diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.01/converter/other/pbmtopgm.c ---- netpbm-10.58.01/converter/other/pbmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pbmtopgm.c 2012-04-09 15:40:03.184620028 +0200 +diff --git a/converter/other/pbmtopgm.c b/converter/other/pbmtopgm.c +index 69b20fb..382a487 100644 +--- a/converter/other/pbmtopgm.c ++++ b/converter/other/pbmtopgm.c @@ -47,6 +47,7 @@ main(int argc, char *argv[]) { "than the image height (%u rows)", height, rows); @@ -61,9 +64,10 @@ diff -up netpbm-10.58.01/converter/other/pbmtopgm.c.security-code netpbm-10.58.0 maxval = MIN(PGM_OVERALLMAXVAL, width*height); pgm_writepgminit(stdout, cols, rows, maxval, 0) ; -diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c ---- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200 +diff --git a/converter/other/pnmtoddif.c b/converter/other/pnmtoddif.c +index ae8c852..9ee037b 100644 +--- a/converter/other/pnmtoddif.c ++++ b/converter/other/pnmtoddif.c @@ -632,6 +632,7 @@ main(int argc, char *argv[]) { switch (PNM_FORMAT_TYPE(format)) { case PBM_TYPE: @@ -80,10 +84,11 @@ diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58. ip.bytes_per_line = 3 * cols; ip.bits_per_pixel = 24; ip.spectral = 5; -diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58.01/converter/other/pnmtojpeg.c ---- netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code 2012-04-09 15:31:39.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtojpeg.c 2012-04-09 15:40:03.186620002 +0200 -@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const ci +diff --git a/converter/other/pnmtojpeg.c b/converter/other/pnmtojpeg.c +index ce231c9..1279040 100644 +--- a/converter/other/pnmtojpeg.c ++++ b/converter/other/pnmtojpeg.c +@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const cinfo, want JPOOL_PERMANENT. */ const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); @@ -96,7 +101,7 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58. (jpeg_scan_info *) (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, scan_info_size); -@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const +@@ -937,6 +941,8 @@ compute_rescaling_array(JSAMPLE ** const rescale_p, const pixval maxval, const long half_maxval = maxval / 2; long val; @@ -105,7 +110,7 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58. *rescale_p = (JSAMPLE *) (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, (size_t) (((long) maxval + 1L) * -@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_s +@@ -1015,6 +1021,7 @@ convert_scanlines(struct jpeg_compress_struct * const cinfo_p, */ /* Allocate the libpnm output and compressor input buffers */ @@ -113,10 +118,11 @@ diff -up netpbm-10.58.01/converter/other/pnmtojpeg.c.security-code netpbm-10.58. buffer = (*cinfo_p->mem->alloc_sarray) ((j_common_ptr) cinfo_p, JPOOL_IMAGE, (unsigned int) cinfo_p->image_width * cinfo_p->input_components, -diff -up netpbm-10.58.01/converter/other/pnmtops.c.security-code netpbm-10.58.01/converter/other/pnmtops.c ---- netpbm-10.58.01/converter/other/pnmtops.c.security-code 2012-04-09 15:31:40.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtops.c 2012-04-09 15:40:03.187619989 +0200 -@@ -256,17 +256,21 @@ parseCommandLine(int argc, const char ** +diff --git a/converter/other/pnmtops.c b/converter/other/pnmtops.c +index 6cd6be9..8a7d25a 100644 +--- a/converter/other/pnmtops.c ++++ b/converter/other/pnmtops.c +@@ -292,17 +292,21 @@ parseCommandLine(int argc, const char ** argv, validateCompDimension(width, 72, "-width value"); validateCompDimension(height, 72, "-height value"); @@ -139,21 +145,10 @@ diff -up netpbm-10.58.01/converter/other/pnmtops.c.security-code netpbm-10.58.01 cmdlineP->imageheight = imageheight * 72; } else -diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c ---- netpbm-10.58.01/converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200 -@@ -19,6 +19,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> - */ - /* - * pnmtorle - A program which will convert pbmplus (ppm or pgm) images -diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c ---- netpbm-10.58.01/converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200 +diff --git a/converter/other/rletopnm.c b/converter/other/rletopnm.c +index 9995914..058278c 100644 +--- a/converter/other/rletopnm.c ++++ b/converter/other/rletopnm.c @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, @@ -163,9 +158,10 @@ diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.0 */ /* * rletopnm - A conversion program to convert from Utah's "rle" image format -diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.01/converter/other/sirtopnm.c ---- netpbm-10.58.01/converter/other/sirtopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/sirtopnm.c 2012-04-09 15:40:03.190619951 +0200 +diff --git a/converter/other/sirtopnm.c b/converter/other/sirtopnm.c +index fafcc91..9fe49d0 100644 +--- a/converter/other/sirtopnm.c ++++ b/converter/other/sirtopnm.c @@ -69,6 +69,7 @@ char* argv[]; } break; @@ -174,10 +170,11 @@ diff -up netpbm-10.58.01/converter/other/sirtopnm.c.security-code netpbm-10.58.0 picsize = cols * rows * 3; planesize = cols * rows; if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) -diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58.01/converter/other/tifftopnm.c ---- netpbm-10.58.01/converter/other/tifftopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/other/tifftopnm.c 2012-04-09 15:40:03.191619939 +0200 -@@ -1279,7 +1279,9 @@ convertRasterByRows(pnmOut * const +diff --git a/converter/other/tifftopnm.c b/converter/other/tifftopnm.c +index 0d6494f..19e9e38 100644 +--- a/converter/other/tifftopnm.c ++++ b/converter/other/tifftopnm.c +@@ -1309,7 +1309,9 @@ convertRasterByRows(pnmOut * const pnmOutP, if (scanbuf == NULL) pm_error("can't allocate memory for scanline buffer"); @@ -188,10 +185,11 @@ diff -up netpbm-10.58.01/converter/other/tifftopnm.c.security-code netpbm-10.58. if (samplebuf == NULL) pm_error("can't allocate memory for row buffer"); -diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.01/converter/other/xwdtopnm.c ---- netpbm-10.58.01/converter/other/xwdtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200 -+++ netpbm-10.58.01/converter/other/xwdtopnm.c 2012-04-09 15:40:03.192619927 +0200 -@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons +diff --git a/converter/other/xwdtopnm.c b/converter/other/xwdtopnm.c +index 45d66b4..c914481 100644 +--- a/converter/other/xwdtopnm.c ++++ b/converter/other/xwdtopnm.c +@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * const h10P, *colorsP = pnm_allocrow(2); PNM_ASSIGN1((*colorsP)[0], 0); PNM_ASSIGN1((*colorsP)[1], *maxvalP); @@ -202,7 +200,7 @@ diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.0 *padrightP = (((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8; *bits_per_itemP = 16; -@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons +@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * const h11P, *colsP = h11FixedP->pixmap_width; *rowsP = h11FixedP->pixmap_height; @@ -210,9 +208,10 @@ diff -up netpbm-10.58.01/converter/other/xwdtopnm.c.security-code netpbm-10.58.0 *padrightP = h11FixedP->bytes_per_line * 8 - h11FixedP->pixmap_width * h11FixedP->bits_per_pixel; -diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/converter/pbm/mdatopbm.c ---- netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/mdatopbm.c 2012-04-09 15:40:03.192619927 +0200 +diff --git a/converter/pbm/mdatopbm.c b/converter/pbm/mdatopbm.c +index d8e0657..12c7468 100644 +--- a/converter/pbm/mdatopbm.c ++++ b/converter/pbm/mdatopbm.c @@ -245,10 +245,13 @@ main(int argc, char **argv) { pm_readlittleshort(infile, &yy); nInCols = yy; } @@ -228,9 +227,10 @@ diff -up netpbm-10.58.01/converter/pbm/mdatopbm.c.security-code netpbm-10.58.01/ data = pbm_allocarray(nOutCols, nOutRows); -diff -up netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code netpbm-10.58.01/converter/pbm/mgrtopbm.c ---- netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/mgrtopbm.c 2012-04-09 15:40:03.193619915 +0200 +diff --git a/converter/pbm/mgrtopbm.c b/converter/pbm/mgrtopbm.c +index 9f7004a..60e8477 100644 +--- a/converter/pbm/mgrtopbm.c ++++ b/converter/pbm/mgrtopbm.c @@ -65,6 +65,8 @@ readMgrHeader(FILE * const ifP, if (head.h_high < ' ' || head.l_high < ' ') pm_error("Invalid width field in MGR header"); @@ -240,9 +240,10 @@ diff -up netpbm-10.58.01/converter/pbm/mgrtopbm.c.security-code netpbm-10.58.01/ *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; -diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c ---- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200 +diff --git a/converter/pbm/pbmtogem.c b/converter/pbm/pbmtogem.c +index 9eab041..13b0257 100644 +--- a/converter/pbm/pbmtogem.c ++++ b/converter/pbm/pbmtogem.c @@ -79,6 +79,7 @@ putinit (int const rows, int const cols) bitsperitem = 0; bitshift = 7; @@ -251,9 +252,10 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/ outmax = (cols + 7) / 8; outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); -diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c ---- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200 +diff --git a/converter/pbm/pbmtogo.c b/converter/pbm/pbmtogo.c +index 23b2ee9..d2ee91f 100644 +--- a/converter/pbm/pbmtogo.c ++++ b/converter/pbm/pbmtogo.c @@ -158,6 +158,7 @@ main(int argc, bitrow = pbm_allocrow(cols); @@ -262,9 +264,10 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/c rucols = ( cols + 7 ) / 8; bytesperrow = rucols; /* GraphOn uses bytes */ rucols = rucols * 8; -diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c ---- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200 +diff --git a/converter/pbm/pbmtolj.c b/converter/pbm/pbmtolj.c +index 0cceb4f..fdab6df 100644 +--- a/converter/pbm/pbmtolj.c ++++ b/converter/pbm/pbmtolj.c @@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv, static void allocateBuffers(unsigned int const cols) { @@ -277,29 +280,10 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/c packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; -diff -up netpbm-10.58.01/converter/pbm/pbmtomacp.c.security-code netpbm-10.58.01/converter/pbm/pbmtomacp.c ---- netpbm-10.58.01/converter/pbm/pbmtomacp.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtomacp.c 2012-04-09 15:40:03.195619889 +0200 -@@ -101,6 +101,7 @@ char *argv[]; - if( !lflg ) - left = 0; - -+ overflow_add(left, MAX_COLS - 1); - if( rflg ) - { if( right - left >= MAX_COLS ) - right = left + MAX_COLS - 1; -@@ -111,6 +112,8 @@ char *argv[]; - if( !tflg ) - top = 0; - -+ overflow_add(top, MAX_LINES - 1); -+ - if( bflg ) - { if( bottom - top >= MAX_LINES ) - bottom = top + MAX_LINES - 1; -diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c ---- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200 +diff --git a/converter/pbm/pbmtomda.c b/converter/pbm/pbmtomda.c +index 3ad5149..9efe5cf 100644 +--- a/converter/pbm/pbmtomda.c ++++ b/converter/pbm/pbmtomda.c @@ -179,6 +179,7 @@ int main(int argc, char **argv) nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; @@ -308,10 +292,11 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/ nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; /* MDA wants rows a multiple of 4 */ nOutCols = nInCols / 8; -diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c ---- netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c 2012-04-09 15:40:03.195619889 +0200 -@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned +diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c +index 2f8a42b..1c8d236 100644 +--- a/converter/pbm/pbmtoppa/pbm.c ++++ b/converter/pbm/pbmtoppa/pbm.c +@@ -106,6 +106,7 @@ int pbm_readline(pbm_stat* pbm,unsigned char* data) return 0; case P4: @@ -319,20 +304,19 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbm.c.security-code netpbm-10.58 tmp=(pbm->width+7)/8; tmp2=fread(data,1,tmp,pbm->fptr); if(tmp2 == tmp) -@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void +@@ -130,6 +131,7 @@ void pbm_unreadline (pbm_stat *pbm, void *data) return; pbm->unread = 1; -- pbm->revdata = malloc ((pbm->width+7)/8); + overflow_add(pbm->width, 7); -+ pbm->revdata = malloc((pbm->width+7)/8); + pbm->revdata = malloc ((pbm->width+7)/8); memcpy (pbm->revdata, data, (pbm->width+7)/8); pbm->current_line--; - } -diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c ---- netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c 2012-04-09 15:40:03.196619876 +0200 -@@ -441,6 +441,7 @@ main(int argc, char *argv[]) { +diff --git a/converter/pbm/pbmtoppa/pbmtoppa.c b/converter/pbm/pbmtoppa/pbmtoppa.c +index f43c08a..98e0284 100644 +--- a/converter/pbm/pbmtoppa/pbmtoppa.c ++++ b/converter/pbm/pbmtoppa/pbmtoppa.c +@@ -452,6 +452,7 @@ main(int argc, char *argv[]) { pm_error("main(): unrecognized parameter '%s'", argv[argn]); } @@ -340,10 +324,11 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtoppa/pbmtoppa.c.security-code netpbm- Pwidth=(Width+7)/8; printer.fptr=out; -diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c ---- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200 -@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP, +diff --git a/converter/pbm/pbmtoxbm.c b/converter/pbm/pbmtoxbm.c +index 14c6b85..362b70e 100644 +--- a/converter/pbm/pbmtoxbm.c ++++ b/converter/pbm/pbmtoxbm.c +@@ -351,6 +351,8 @@ convertRaster(FILE * const ifP, unsigned char * bitrow; unsigned int row; @@ -352,54 +337,46 @@ diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/ putinit(xbmVersion); -diff -up netpbm-10.58.01/converter/pbm/pbmtoybm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoybm.c ---- netpbm-10.58.01/converter/pbm/pbmtoybm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtoybm.c 2012-04-09 15:40:03.197619863 +0200 -@@ -113,6 +113,7 @@ main(int argc, const char *argv[]) { - bitrow = pbm_allocrow(cols); - - /* Compute padding to round cols up to the nearest multiple of 16. */ -+ overflow_add(cols, 16); - padright = ((cols + 15) / 16) * 16 - cols; - - putinit(cols, rows); -diff -up netpbm-10.58.01/converter/pbm/pbmtozinc.c.security-code netpbm-10.58.01/converter/pbm/pbmtozinc.c ---- netpbm-10.58.01/converter/pbm/pbmtozinc.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmtozinc.c 2012-04-09 15:40:03.197619863 +0200 -@@ -65,6 +65,7 @@ main(int argc, char * argv[]) { - bitrow = pbm_allocrow( cols ); - - /* Compute padding to round cols up to the nearest multiple of 16. */ -+ overflow_add(cols, 16); - padright = ( ( cols + 15 ) / 16 ) * 16 - cols; - - printf( "USHORT %s[] = {\n",name); -diff -up netpbm-10.58.01/converter/pbm/pbmto10x.c.security-code netpbm-10.58.01/converter/pbm/pbmto10x.c ---- netpbm-10.58.01/converter/pbm/pbmto10x.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/pbmto10x.c 2012-04-09 15:40:03.197619863 +0200 -@@ -162,7 +162,7 @@ main(int argc, char * argv[]) { - res_60x72(); - - pm_close(ifp); -- exit(0); -+ return 0; - } - - -diff -up netpbm-10.58.01/converter/pbm/ybmtopbm.c.security-code netpbm-10.58.01/converter/pbm/ybmtopbm.c ---- netpbm-10.58.01/converter/pbm/ybmtopbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/converter/pbm/ybmtopbm.c 2012-04-09 15:40:03.199619839 +0200 -@@ -49,6 +49,7 @@ getinit(FILE * const ifP, +diff --git a/converter/pbm/thinkjettopbm.l b/converter/pbm/thinkjettopbm.l +index 5de4f2b..7f31de5 100644 +--- a/converter/pbm/thinkjettopbm.l ++++ b/converter/pbm/thinkjettopbm.l +@@ -114,7 +114,9 @@ DIG [0-9] + <RASTERMODE>\033\*b{DIG}+W { + int l; + if (rowCount >= rowCapacity) { +- rowCapacity += 100; ++ overflow_add(rowCapacity, 100); ++ rowCapacity += 100; ++ overflow2(rowCapacity, sizeof *rows); + rows = realloc (rows, rowCapacity * sizeof *rows); + if (rows == NULL) + pm_error ("Out of memory."); +@@ -226,6 +228,8 @@ yywrap (void) + /* + * Quite simple since ThinkJet bit arrangement matches PBM + */ ++ ++ overflow2(maxRowLength, 8); + pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0); + + packed_bitrow = malloc(maxRowLength); +diff --git a/converter/pbm/ybmtopbm.c b/converter/pbm/ybmtopbm.c +index 2a42908..cf1ff03 100644 +--- a/converter/pbm/ybmtopbm.c ++++ b/converter/pbm/ybmtopbm.c +@@ -43,6 +43,7 @@ getinit(FILE * const ifP, pm_error("EOF / read error"); *depthP = 1; + overflow_add(*colsP, 15); - *padrightP = ((*colsP + 15) / 16) * 16 - *colsP; } -diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.01/converter/pgm/lispmtopgm.c ---- netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/pgm/lispmtopgm.c 2012-04-09 15:40:03.199619839 +0200 + +diff --git a/converter/pgm/lispmtopgm.c b/converter/pgm/lispmtopgm.c +index 40dd3fb..b5469f7 100644 +--- a/converter/pgm/lispmtopgm.c ++++ b/converter/pgm/lispmtopgm.c @@ -58,6 +58,7 @@ main( argc, argv ) pm_error( "depth (%d bits) is too large", depth); @@ -408,20 +385,19 @@ diff -up netpbm-10.58.01/converter/pgm/lispmtopgm.c.security-code netpbm-10.58.0 grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 ); for ( row = 0; row < rows; ++row ) -@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad +@@ -102,6 +103,8 @@ getinit( file, colsP, rowsP, depthP, padrightP ) if ( *depthP == 0 ) *depthP = 1; /* very old file */ -- + + overflow_add((int)colsP, 31); -+ + *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP; - if ( *colsP != (cols_32 - *padrightP) ) { -diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01/converter/pgm/psidtopgm.c ---- netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/pgm/psidtopgm.c 2012-04-09 15:40:03.200619827 +0200 +diff --git a/converter/pgm/psidtopgm.c b/converter/pgm/psidtopgm.c +index 07417d1..25bb311 100644 +--- a/converter/pgm/psidtopgm.c ++++ b/converter/pgm/psidtopgm.c @@ -78,6 +78,7 @@ main(int argc, pm_error("bits/sample (%d) is too large.", bitspersample); @@ -430,10 +406,24 @@ diff -up netpbm-10.58.01/converter/pgm/psidtopgm.c.security-code netpbm-10.58.01 grayrow = pgm_allocrow((cols + 7) / 8 * 8); for (row = 0; row < rows; ++row) { unsigned int col; -diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01/converter/ppm/ilbmtoppm.c ---- netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ilbmtoppm.c 2012-04-09 15:40:03.201619815 +0200 -@@ -592,6 +592,7 @@ decode_row(FILE * const ifP, +diff --git a/converter/ppm/Makefile b/converter/ppm/Makefile +index 09f05cd..f68170f 100644 +--- a/converter/ppm/Makefile ++++ b/converter/ppm/Makefile +@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm + + PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ + leaftoppm mtvtoppm neotoppm \ +- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ ++ pcxtoppm pc1toppm pi1toppm pjtoppm \ + ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \ + ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ + ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ +diff --git a/converter/ppm/ilbmtoppm.c b/converter/ppm/ilbmtoppm.c +index 662be0b..2a86efc 100644 +--- a/converter/ppm/ilbmtoppm.c ++++ b/converter/ppm/ilbmtoppm.c +@@ -606,6 +606,7 @@ decode_row(FILE * const ifP, rawtype *chp; cols = bmhdP->w; @@ -441,7 +431,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 bytes = RowBytes(cols); for( plane = 0; plane < nPlanes; plane++ ) { int mask; -@@ -679,6 +680,23 @@ decode_mask(FILE * const ifP, +@@ -693,6 +694,23 @@ decode_mask(FILE * const ifP, Multipalette handling ****************************************************************************/ @@ -465,7 +455,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 static void multi_adjust(cmap, row, palchange) -@@ -1341,6 +1359,9 @@ dcol_to_ppm(FILE * const ifP, +@@ -1355,6 +1373,9 @@ dcol_to_ppm(FILE * const ifP, if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); @@ -475,7 +465,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 MALLOCARRAY_NOFAIL(redtable, redmaxval +1); MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); -@@ -1763,7 +1784,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data +@@ -1784,7 +1805,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, datasize) ChangeCount32 = *data++; datasize -= 2; @@ -485,7 +475,7 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 for( i = 0; i < changes; i++ ) { if( totalchanges >= PCHG->TotalChanges ) goto fail; if( datasize < 2 ) goto fail; -@@ -2028,6 +2051,9 @@ read_pchg(FILE * const ifp, +@@ -2049,6 +2072,9 @@ read_pchg(FILE * const ifP, cmap->mp_change[i] = NULL; if( PCHG.StartLine < 0 ) { int nch; @@ -495,17 +485,18 @@ diff -up netpbm-10.58.01/converter/ppm/ilbmtoppm.c.security-code netpbm-10.58.01 nch = PCHG.MaxReg - PCHG.MinReg +1; MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); for( i = 0; i < nch; i++ ) -@@ -2104,6 +2130,7 @@ process_body( FILE * const ifp, - if( typeid == ID_ILBM ) { +@@ -2125,6 +2151,7 @@ process_body( FILE * const ifP, + if (typeid == ID_ILBM) { int isdeep; + overflow_add(bmhdP->w, 15); MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w)); *viewportmodesP |= fakeviewport; /* -isham/-isehb */ -diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/converter/ppm/imgtoppm.c ---- netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/imgtoppm.c 2012-04-09 15:40:03.202619802 +0200 +diff --git a/converter/ppm/imgtoppm.c b/converter/ppm/imgtoppm.c +index 7078b88..eb8509e 100644 +--- a/converter/ppm/imgtoppm.c ++++ b/converter/ppm/imgtoppm.c @@ -84,6 +84,7 @@ main(int argc, char ** argv) { len = atoi((char*) buf ); if ( fread( buf, len, 1, ifp ) != 1 ) @@ -522,22 +513,11 @@ diff -up netpbm-10.58.01/converter/ppm/imgtoppm.c.security-code netpbm-10.58.01/ if ( len != cols * rows ) pm_message( "pixel data length (%d) does not match image size (%d)", -diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile ---- netpbm-10.58.01/converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200 -@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg - - PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ - leaftoppm mtvtoppm neotoppm \ -- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ -+ pcxtoppm pc1toppm pi1toppm pjtoppm \ - ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \ - ppmtobmp ppmtoeyuv ppmtoicr ppmtoilbm \ - ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ -diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/converter/ppm/pcxtoppm.c ---- netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/pcxtoppm.c 2012-04-09 15:40:03.203619789 +0200 -@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes, +diff --git a/converter/ppm/pcxtoppm.c b/converter/ppm/pcxtoppm.c +index e252ba2..270ae3b 100644 +--- a/converter/ppm/pcxtoppm.c ++++ b/converter/ppm/pcxtoppm.c +@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes, bytesperline, planes, bitsperpixel) /* * clear the pixel buffer */ @@ -553,19 +533,20 @@ diff -up netpbm-10.58.01/converter/ppm/pcxtoppm.c.security-code netpbm-10.58.01/ rawcols = BytesPerLine * 8 / BitsPerPixel; if (headerCols > rawcols) { pm_message("warning - BytesPerLine = %d, " -diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c ---- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200 -@@ -1,3 +1,5 @@ +diff --git a/converter/ppm/picttoppm.c b/converter/ppm/picttoppm.c +index 828d527..8cdb7b3 100644 +--- a/converter/ppm/picttoppm.c ++++ b/converter/ppm/picttoppm.c +@@ -1,3 +1,4 @@ +#error "Unfixable. Don't ship me" -+ /* * picttoppm.c -- convert a MacIntosh PICT file to PPM format. * -diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/converter/ppm/pjtoppm.c ---- netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/pjtoppm.c 2012-04-09 15:40:03.206619751 +0200 -@@ -127,19 +127,21 @@ main(argc, argv) +diff --git a/converter/ppm/pjtoppm.c b/converter/ppm/pjtoppm.c +index 7b694fb..62ce77e 100644 +--- a/converter/ppm/pjtoppm.c ++++ b/converter/ppm/pjtoppm.c +@@ -127,20 +127,22 @@ main(argc, argv) case 'V': /* send plane */ case 'W': /* send last plane */ if (rows == -1 || r >= rows || image == NULL) { @@ -574,6 +555,7 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c + overflow_add(rows, 100); rows += 100; + } ++ if (image == NULL) { - MALLOCARRAY(image, rows * planes); - MALLOCARRAY(imlen, rows * planes); @@ -582,18 +564,21 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c + imlen = (int *) malloc3(rows , planes, sizeof(int)); } else { -+ overflow2(rows,planes); - image = (unsigned char **) +- image = (unsigned char **) - realloc(image, - rows * planes * -+ realloc2(image, rows * planes, - sizeof(unsigned char *)); +- sizeof(unsigned char *)); - imlen = (int *) - realloc(imlen, rows * planes * sizeof(int)); -+ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); - } +- } ++ overflow2(rows,planes); ++ image = (unsigned char **) ++ realloc2(image, rows * planes, ++ sizeof(unsigned char *)); ++ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); } } if (image == NULL || imlen == NULL) + pm_error("out of memory"); @@ -212,8 +214,10 @@ main(argc, argv) for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) for (cmd = image[p + r * planes][c], @@ -614,10 +599,11 @@ diff -up netpbm-10.58.01/converter/ppm/pjtoppm.c.security-code netpbm-10.58.01/c cols *= 8; } -diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c ---- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200 -@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva +diff --git a/converter/ppm/ppmtoeyuv.c b/converter/ppm/ppmtoeyuv.c +index f5ce115..6f072be 100644 +--- a/converter/ppm/ppmtoeyuv.c ++++ b/converter/ppm/ppmtoeyuv.c +@@ -114,6 +114,7 @@ create_multiplication_tables(const pixval maxval) { int index; @@ -625,66 +611,22 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01 MALLOCARRAY_NOFAIL(mult299 , maxval+1); MALLOCARRAY_NOFAIL(mult587 , maxval+1); MALLOCARRAY_NOFAIL(mult114 , maxval+1); -diff -up netpbm-10.58.01/converter/ppm/ppmtoicr.c.security-code netpbm-10.58.01/converter/ppm/ppmtoicr.c ---- netpbm-10.58.01/converter/ppm/ppmtoicr.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoicr.c 2012-04-09 15:40:03.207619739 +0200 -@@ -169,7 +169,7 @@ char* argv[]; - - if (rleflag) { - pm_message("sending run-length encoded picture data ..." ); -- testimage = (char*) malloc(rows*cols); -+ testimage = (char*) malloc2(rows, cols); - p = testimage; - for (i=0; i<rows; i++) - for (j=0; j<cols; j++) -diff -up netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoilbm.c ---- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2012-04-09 15:40:03.208619727 +0200 -@@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval) - - maskmethod = 0; /* no masking - RGB8 uses genlock bits */ - compmethod = 4; /* RGB8 files are always compressed */ -+ overflow2(cols, 4); - MALLOCARRAY_NOFAIL(compr_row, cols * 4); - - if( maxval != 255 ) { -@@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval) - - maskmethod = 0; /* no masking - RGBN uses genlock bits */ - compmethod = 4; /* RGBN files are always compressed */ -+ overflow2(cols, 2); - MALLOCARRAY_NOFAIL(compr_row, cols * 2); - - if( maxval != 15 ) { -@@ -2293,8 +2296,11 @@ main(int argc, char ** argv) { - MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols)); - for (i = 0; i < RowBytes(cols); ++i) - coded_rowbuf[i] = 0; -- if (DO_COMPRESS) -+ if (DO_COMPRESS) { -+ overflow2(cols,2); -+ overflow_add(cols*2,2); - MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols))); -+ } - } - - switch (mode) { -diff -up netpbm-10.58.01/converter/ppm/ppmtolj.c.security-code netpbm-10.58.01/converter/ppm/ppmtolj.c ---- netpbm-10.58.01/converter/ppm/ppmtolj.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtolj.c 2012-04-09 15:40:03.210619701 +0200 -@@ -181,7 +181,8 @@ int main(int argc, char *argv[]) { - +diff --git a/converter/ppm/ppmtolj.c b/converter/ppm/ppmtolj.c +index 7ed814e..b4e7db1 100644 +--- a/converter/ppm/ppmtolj.c ++++ b/converter/ppm/ppmtolj.c +@@ -182,6 +182,7 @@ int main(int argc, char *argv[]) { ppm_readppminit( ifp, &cols, &rows, &maxval, &format ); pixelrow = ppm_allocrow( cols ); -- -+ + + overflow2(cols, 6); obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char)); cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char)); if (mode == C_TRANS_MODE_DELTA) -diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.01/converter/ppm/ppmtomitsu.c ---- netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtomitsu.c 2012-04-09 15:40:03.210619702 +0200 +diff --git a/converter/ppm/ppmtomitsu.c b/converter/ppm/ppmtomitsu.c +index e59f09b..1d2be20 100644 +--- a/converter/ppm/ppmtomitsu.c ++++ b/converter/ppm/ppmtomitsu.c @@ -685,6 +685,8 @@ main(int argc, char * argv[]) { medias = MSize_User; @@ -694,10 +636,11 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.0 medias.maxcols *= 2; medias.maxrows *= 2; } -diff -up netpbm-10.58.01/converter/ppm/ppmtopcx.c.security-code netpbm-10.58.01/converter/ppm/ppmtopcx.c ---- netpbm-10.58.01/converter/ppm/ppmtopcx.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtopcx.c 2012-04-09 15:40:03.210619702 +0200 -@@ -419,6 +419,8 @@ ppmTo16ColorPcx(pixel ** cons +diff --git a/converter/ppm/ppmtopcx.c b/converter/ppm/ppmtopcx.c +index fa68edc..97dfb2b 100644 +--- a/converter/ppm/ppmtopcx.c ++++ b/converter/ppm/ppmtopcx.c +@@ -425,6 +425,8 @@ ppmTo16ColorPcx(pixel ** const pixels, else Planes = 1; } } @@ -706,32 +649,35 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtopcx.c.security-code netpbm-10.58.01/ BytesPerLine = ((cols * BitsPerPixel) + 7) / 8; MALLOCARRAY_NOFAIL(indexRow, cols); MALLOCARRAY_NOFAIL(planesrow, BytesPerLine); -diff -up netpbm-10.58.01/converter/ppm/ppmtopict.c.security-code netpbm-10.58.01/converter/ppm/ppmtopict.c ---- netpbm-10.58.01/converter/ppm/ppmtopict.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtopict.c 2012-04-09 15:40:03.211619690 +0200 -@@ -441,6 +441,8 @@ main(int argc, const char ** argv) { +diff --git a/converter/ppm/ppmtopict.c b/converter/ppm/ppmtopict.c +index 034e705..4541387 100644 +--- a/converter/ppm/ppmtopict.c ++++ b/converter/ppm/ppmtopict.c +@@ -450,6 +450,8 @@ main(int argc, const char ** argv) { putShort(stdout, 0); /* mode */ /* Finally, write out the data. */ + overflow_add(cols/MAX_COUNT, 1); + overflow_add(cols, cols/MAX_COUNT+1); outBuf = malloc((unsigned)(cols+cols/MAX_COUNT+1)); - for (row = 0, oc = 0; row < rows; row++) + for (row = 0, oc = 0; row < rows; ++row) { unsigned int rowSize; -diff -up netpbm-10.58.01/converter/ppm/ppmtopj.c.security-code netpbm-10.58.01/converter/ppm/ppmtopj.c ---- netpbm-10.58.01/converter/ppm/ppmtopj.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtopj.c 2012-04-09 15:40:03.212619677 +0200 +diff --git a/converter/ppm/ppmtopj.c b/converter/ppm/ppmtopj.c +index d116773..fc84cac 100644 +--- a/converter/ppm/ppmtopj.c ++++ b/converter/ppm/ppmtopj.c @@ -179,6 +179,7 @@ char *argv[]; pixels = ppm_readppm( ifp, &cols, &rows, &maxval ); pm_close( ifp ); -+ overflow2(cols,2); ++ overflow2(cols,2); obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char)); cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char)); -diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58.01/converter/ppm/ppmtowinicon.c ---- netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtowinicon.c 2012-04-09 15:40:03.213619664 +0200 +diff --git a/converter/ppm/ppmtowinicon.c b/converter/ppm/ppmtowinicon.c +index c673798..af2b445 100644 +--- a/converter/ppm/ppmtowinicon.c ++++ b/converter/ppm/ppmtowinicon.c @@ -12,6 +12,7 @@ #include <math.h> @@ -740,7 +686,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 #include "pm_c_util.h" #include "winico.h" -@@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c +@@ -214,6 +215,7 @@ createAndBitmap (gray ** const ba, int const cols, int const rows, MALLOCARRAY_NOFAIL(rowData, rows); icBitmap->xBytes = xBytes; icBitmap->data = rowData; @@ -748,7 +694,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 icBitmap->size = xBytes * rows; for (y=0;y<rows;y++) { u1 * row; -@@ -347,6 +349,7 @@ create4Bitmap (pixel ** const pa, int co +@@ -342,6 +344,7 @@ create4Bitmap (pixel ** const pa, int const cols, int const rows, MALLOCARRAY_NOFAIL(rowData, rows); icBitmap->xBytes = xBytes; icBitmap->data = rowData; @@ -756,7 +702,7 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 icBitmap->size = xBytes * rows; for (y=0;y<rows;y++) { -@@ -407,6 +410,7 @@ create8Bitmap (pixel ** const pa, int co +@@ -402,6 +405,7 @@ create8Bitmap (pixel ** const pa, int const cols, int const rows, MALLOCARRAY_NOFAIL(rowData, rows); icBitmap->xBytes = xBytes; icBitmap->data = rowData; @@ -764,21 +710,24 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtowinicon.c.security-code netpbm-10.58 icBitmap->size = xBytes * rows; for (y=0;y<rows;y++) { -@@ -714,6 +718,10 @@ addEntryToIcon(MS_Ico const MSIcon +@@ -709,7 +713,11 @@ addEntryToIcon(MS_Ico const MSIconData, entry->bitcount = bpp; entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); entry->colors = palette->colors; +- entry->size_in_bytes = + overflow2(4, entry->color_count); + overflow_add(xorBitmap->size, andBitmap->size); + overflow_add(xorBitmap->size + andBitmap->size, 40); + overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); - entry->size_in_bytes = ++ entry->size_in_bytes = xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); if (verbose) -diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoxpm.c ---- netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ppmtoxpm.c 2012-04-09 15:40:03.214619651 +0200 -@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int + pm_message("entry->size_in_bytes = %d + %d + %d = %d", +diff --git a/converter/ppm/ppmtoxpm.c b/converter/ppm/ppmtoxpm.c +index 38d9997..904c98d 100644 +--- a/converter/ppm/ppmtoxpm.c ++++ b/converter/ppm/ppmtoxpm.c +@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int const digits) { unsigned int i; /* Allocate memory for printed number. Abort if error. */ @@ -794,9 +743,10 @@ diff -up netpbm-10.58.01/converter/ppm/ppmtoxpm.c.security-code netpbm-10.58.01/ MALLOCARRAY(cmap, cmapSize); if (cmapP == NULL) pm_error("Out of memory allocating %u bytes for a color map.", -diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/converter/ppm/qrttoppm.c ---- netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code 2012-04-09 15:31:42.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/qrttoppm.c 2012-04-09 15:40:03.215619638 +0200 +diff --git a/converter/ppm/qrttoppm.c b/converter/ppm/qrttoppm.c +index 935463e..653084c 100644 +--- a/converter/ppm/qrttoppm.c ++++ b/converter/ppm/qrttoppm.c @@ -46,7 +46,7 @@ main( argc, argv ) ppm_writeppminit( stdout, cols, rows, maxval, 0 ); @@ -806,26 +756,28 @@ diff -up netpbm-10.58.01/converter/ppm/qrttoppm.c.security-code netpbm-10.58.01/ if ( buf == (unsigned char *) 0 ) pm_error( "out of memory" ); -diff -up netpbm-10.58.01/converter/ppm/sldtoppm.c.security-code netpbm-10.58.01/converter/ppm/sldtoppm.c ---- netpbm-10.58.01/converter/ppm/sldtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/sldtoppm.c 2012-04-09 15:40:03.216619626 +0200 -@@ -455,6 +455,8 @@ slider(slvecfn slvec, +diff --git a/converter/ppm/sldtoppm.c b/converter/ppm/sldtoppm.c +index 6ba4cb4..fc6a498 100644 +--- a/converter/ppm/sldtoppm.c ++++ b/converter/ppm/sldtoppm.c +@@ -464,6 +464,8 @@ slider(slvecfn slvec, /* Allocate image buffer and clear it to black. */ -+ overflow_add(ixdots,1); -+ overflow_add(iydots,1); ++ overflow_add(ixdots, 1); ++ overflow_add(iydots, 1); pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1); PPM_ASSIGN(rgbcolor, 0, 0, 0); ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0, -diff -up netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code netpbm-10.58.01/converter/ppm/ximtoppm.c ---- netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 -+++ netpbm-10.58.01/converter/ppm/ximtoppm.c 2012-04-09 15:40:03.216619626 +0200 +diff --git a/converter/ppm/ximtoppm.c b/converter/ppm/ximtoppm.c +index ce5e639..a39b689 100644 +--- a/converter/ppm/ximtoppm.c ++++ b/converter/ppm/ximtoppm.c @@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp, header->bits_channel = atoi(a_head.bits_per_channel); header->alpha_flag = atoi(a_head.alpha_channel); if (strlen(a_head.author)) { -+ overflow_add(strlen(a_head.author),1); ++ overflow_add(strlen(a_head.author),1); if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, 1))) { pm_message("ReadXimHeader: can't calloc author string" ); @@ -849,14 +801,15 @@ diff -up netpbm-10.58.01/converter/ppm/ximtoppm.c.security-code netpbm-10.58.01/ if (header->nchannels == 3 && header->bits_channel == 8) header->ncolors = 0; else if (header->nchannels == 1 && header->bits_channel == 8) { -+ overflow2(header->ncolors, sizeof(Color)); ++ overflow2(header->ncolors, sizeof(Color)); header->colors = (Color *)calloc((unsigned int)header->ncolors, sizeof(Color)); if (header->colors == NULL) { -diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pamcut.c ---- netpbm-10.58.01/editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200 -@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP +diff --git a/editor/pamcut.c b/editor/pamcut.c +index 7c41af3..72df687 100644 +--- a/editor/pamcut.c ++++ b/editor/pamcut.c +@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP, outpam = inpam; /* Initial value -- most fields should be same */ outpam.file = ofP; @@ -865,9 +818,10 @@ diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pa outpam.width = rightcol - leftcol + 1; outpam.height = bottomrow - toprow + 1; -diff -up netpbm-10.58.01/editor/pbmreduce.c.security-code netpbm-10.58.01/editor/pbmreduce.c ---- netpbm-10.58.01/editor/pbmreduce.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pbmreduce.c 2012-04-09 15:40:03.219619590 +0200 +diff --git a/editor/pbmreduce.c b/editor/pbmreduce.c +index f49c8d9..580e5e0 100644 +--- a/editor/pbmreduce.c ++++ b/editor/pbmreduce.c @@ -94,6 +94,7 @@ main( argc, argv ) if (halftone == QT_FS) { unsigned int col; @@ -876,10 +830,11 @@ diff -up netpbm-10.58.01/editor/pbmreduce.c.security-code netpbm-10.58.01/editor MALLOCARRAY(thiserr, newcols + 2); MALLOCARRAY(nexterr, newcols + 2); if (thiserr == NULL || nexterr == NULL) -diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c ---- netpbm-10.58.01/editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200 -@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction +diff --git a/editor/pnmgamma.c b/editor/pnmgamma.c +index b357b0d..ec612d3 100644 +--- a/editor/pnmgamma.c ++++ b/editor/pnmgamma.c +@@ -596,6 +596,7 @@ createGammaTables(enum transferFunction const transferFunction, xelval ** const btableP) { /* Allocate space for the tables. */ @@ -887,10 +842,11 @@ diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/ MALLOCARRAY(*rtableP, maxval+1); MALLOCARRAY(*gtableP, maxval+1); MALLOCARRAY(*btableP, maxval+1); -diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c ---- netpbm-10.58.01/editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200 -@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const * +diff --git a/editor/pnmhisteq.c b/editor/pnmhisteq.c +index 8af4201..0c8d6e5 100644 +--- a/editor/pnmhisteq.c ++++ b/editor/pnmhisteq.c +@@ -107,6 +107,7 @@ computeLuminosityHistogram(xel * const * const xels, unsigned int pixelCount; unsigned int * lumahist; @@ -898,21 +854,22 @@ diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor MALLOCARRAY(lumahist, maxval + 1); if (lumahist == NULL) pm_error("Out of storage allocating array for %u histogram elements", -diff -up netpbm-10.58.01/editor/pnmindex.csh.security-code netpbm-10.58.01/editor/pnmindex.csh ---- netpbm-10.58.01/editor/pnmindex.csh.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmindex.csh 2012-04-09 15:40:03.221619564 +0200 -@@ -1,5 +1,8 @@ +diff --git a/editor/pnmindex.csh b/editor/pnmindex.csh +index c6f1e84..c513a84 100755 +--- a/editor/pnmindex.csh ++++ b/editor/pnmindex.csh +@@ -1,5 +1,7 @@ #!/bin/csh -f # +echo "Unsafe code, needs debugging, do not ship" +exit 1 -+# # pnmindex - build a visual index of a bunch of anymaps # # Copyright (C) 1991 by Jef Poskanzer. -diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c ---- netpbm-10.58.01/editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200 +diff --git a/editor/pnmpad.c b/editor/pnmpad.c +index 1904b68..0797cf1 100644 +--- a/editor/pnmpad.c ++++ b/editor/pnmpad.c @@ -527,6 +527,8 @@ main(int argc, const char ** argv) { computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); @@ -922,19 +879,19 @@ diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pn newcols = cols + lpad + rpad; if (PNM_FORMAT_TYPE(format) == PBM_TYPE) -diff -up netpbm-10.58.01/editor/pnmremap.c.security-code netpbm-10.58.01/editor/pnmremap.c ---- netpbm-10.58.01/editor/pnmremap.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmremap.c 2012-04-09 15:40:03.222619551 +0200 -@@ -409,7 +409,7 @@ initFserr(struct pam * const pamP, - unsigned int plane; +diff --git a/editor/pnmremap.c b/editor/pnmremap.c +index b2448cb..b924120 100644 +--- a/editor/pnmremap.c ++++ b/editor/pnmremap.c +@@ -428,6 +428,7 @@ initFserr(struct pam * const pamP, unsigned int const fserrSize = pamP->width + 2; -- + + overflow_add(pamP->width, 2); fserrP->width = pamP->width; MALLOCARRAY(fserrP->thiserr, pamP->depth); -@@ -445,6 +445,7 @@ floydInitRow(struct pam * const pamP, st +@@ -465,6 +466,7 @@ floydInitRow(struct pam * const pamP, struct fserr * const fserrP) { int col; @@ -942,68 +899,45 @@ diff -up netpbm-10.58.01/editor/pnmremap.c.security-code netpbm-10.58.01/editor/ for (col = 0; col < pamP->width + 2; ++col) { unsigned int plane; for (plane = 0; plane < pamP->depth; ++plane) -diff -up netpbm-10.58.01/editor/pnmscalefixed.c.security-code netpbm-10.58.01/editor/pnmscalefixed.c ---- netpbm-10.58.01/editor/pnmscalefixed.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmscalefixed.c 2012-04-09 15:40:03.223619538 +0200 -@@ -214,6 +214,8 @@ compute_output_dimensions(const struct c +diff --git a/editor/pnmscalefixed.c b/editor/pnmscalefixed.c +index 884ca31..747cd8f 100644 +--- a/editor/pnmscalefixed.c ++++ b/editor/pnmscalefixed.c +@@ -214,6 +214,7 @@ compute_output_dimensions(const struct cmdline_info cmdline, const int rows, const int cols, int * newrowsP, int * newcolsP) { + overflow2(rows, cols); -+ if (cmdline.pixels) { if (rows * cols <= cmdline.pixels) { *newrowsP = rows; -@@ -265,6 +267,8 @@ compute_output_dimensions(const struct c +@@ -265,6 +266,8 @@ compute_output_dimensions(const struct cmdline_info cmdline, if (*newcolsP < 1) *newcolsP = 1; if (*newrowsP < 1) *newrowsP = 1; -+ ++ + overflow2(*newcolsP, *newrowsP); } -@@ -446,6 +450,9 @@ main(int argc, char **argv ) { +@@ -446,6 +449,9 @@ main(int argc, char **argv ) { unfilled. We can address that by stretching, whereas the other case would require throwing away some of the input. */ -+ ++ + overflow2(newcols, SCALE); + overflow2(newrows, SCALE); sxscale = SCALE * newcols / cols; syscale = SCALE * newrows / rows; -diff -up netpbm-10.58.01/editor/pnmshear.c.security-code netpbm-10.58.01/editor/pnmshear.c ---- netpbm-10.58.01/editor/pnmshear.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/pnmshear.c 2012-04-09 15:40:03.224619526 +0200 -@@ -15,6 +15,7 @@ - #include <assert.h> - #include <math.h> - #include <string.h> -+#include <limits.h> - - #include "pm_c_util.h" - #include "ppm.h" -@@ -236,6 +237,11 @@ main(int argc, char * argv[]) { - - shearfac = fabs(tan(cmdline.angle)); - -+ if(rows * shearfac >= INT_MAX-1) -+ pm_error("image too large"); -+ -+ overflow_add(rows * shearfac, cols+1); -+ - newcols = rows * shearfac + cols + 0.999999; - - pnm_writepnminit(stdout, newcols, rows, newmaxval, newformat, 0); -diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor/ppmdither.c ---- netpbm-10.58.01/editor/ppmdither.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/ppmdither.c 2012-04-09 15:40:03.224619526 +0200 -@@ -355,7 +355,11 @@ dithMatrix(unsigned int const dithPower) - unsigned int const dithMatSize = +diff --git a/editor/ppmdither.c b/editor/ppmdither.c +index ec1b977..e701e09 100644 +--- a/editor/ppmdither.c ++++ b/editor/ppmdither.c +@@ -356,6 +356,11 @@ dithMatrix(unsigned int const dithPower) { (dithDim * sizeof(*dithMat)) + /* pointers */ (dithDim * dithDim * sizeof(**dithMat)); /* data */ -- + + + overflow2(dithDim, sizeof(*dithMat)); + overflow3(dithDim, dithDim, sizeof(**dithMat)); @@ -1012,9 +946,10 @@ diff -up netpbm-10.58.01/editor/ppmdither.c.security-code netpbm-10.58.01/editor dithMat = malloc(dithMatSize); if (dithMat == NULL) -diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c ---- netpbm-10.58.01/editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200 -+++ netpbm-10.58.01/editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200 +diff --git a/editor/specialty/pamoil.c b/editor/specialty/pamoil.c +index 6cb8d3a..6f4bde9 100644 +--- a/editor/specialty/pamoil.c ++++ b/editor/specialty/pamoil.c @@ -112,6 +112,7 @@ main(int argc, char *argv[] ) { tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); pm_close(ifp); @@ -1023,10 +958,11 @@ diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01 MALLOCARRAY(hist, inpam.maxval + 1); if (hist == NULL) pm_error("Unable to allocate memory for histogram."); -diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/generator/pbmtext.c ---- netpbm-10.58.01/generator/pbmtext.c.security-code 2012-04-09 15:31:34.000000000 +0200 -+++ netpbm-10.58.01/generator/pbmtext.c 2012-04-09 15:40:03.225619514 +0200 -@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char ** +diff --git a/generator/pbmtext.c b/generator/pbmtext.c +index 9f4366d..445d718 100644 +--- a/generator/pbmtext.c ++++ b/generator/pbmtext.c +@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char ** argv, for (i = 1; i < argc; ++i) { if (i > 1) { @@ -1036,16 +972,17 @@ diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/gener if (text == NULL) pm_error("out of memory allocating space for input text"); strcat(text, " "); - } +- } ++ } + overflow_add(totaltextsize, strlen(argv[i])); totaltextsize += strlen(argv[i]); text = realloc(text, totaltextsize); if (text == NULL) -@@ -712,6 +714,7 @@ getText(const char cmdline_text +@@ -712,6 +714,7 @@ getText(const char cmdline_text[], pm_error("A line of input text is longer than %u characters." "Cannot process.", (unsigned)sizeof(buf)-1); if (lineCount >= maxlines) { -+ overflow2(maxlines, 2); ++ overflow2(maxlines, 2); maxlines *= 2; REALLOCARRAY(text_array, maxlines); if (text_array == NULL) @@ -1053,99 +990,107 @@ diff -up netpbm-10.58.01/generator/pbmtext.c.security-code netpbm-10.58.01/gener hmargin = fontP->maxwidth; } else { vmargin = fontP->maxheight; -+ overflow2(2, fontP->maxwidth); ++ overflow2(2, fontP->maxwidth); hmargin = 2 * fontP->maxwidth; } } -diff -up netpbm-10.58.01/lib/libpam.c.security-code netpbm-10.58.01/lib/libpam.c ---- netpbm-10.58.01/lib/libpam.c.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/libpam.c 2012-04-09 15:40:03.227619490 +0200 -@@ -220,7 +220,8 @@ allocPamRow(const struct pam * const pam +diff --git a/lib/libpam.c b/lib/libpam.c +index cc6368e..4e10572 100644 +--- a/lib/libpam.c ++++ b/lib/libpam.c +@@ -224,8 +224,9 @@ allocPamRow(const struct pam * const pamP) { unsigned int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample); tuple * tuplerow; - tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple)); +- + overflow_add(sizeof(tuple *), bytesPerTuple); + tuplerow = malloc2(pamP->width, (sizeof(tuple *) + bytesPerTuple)); - ++ if (tuplerow != NULL) { /* Now we initialize the pointers to the individual tuples -diff -up netpbm-10.58.01/lib/libpammap.c.security-code netpbm-10.58.01/lib/libpammap.c ---- netpbm-10.58.01/lib/libpammap.c.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/libpammap.c 2012-04-09 15:40:03.228619477 +0200 -@@ -104,6 +104,8 @@ allocTupleIntListItem(struct pam * const + to make this a regulation C two dimensional array. +diff --git a/lib/libpammap.c b/lib/libpammap.c +index 55e1d3f..04b1ba3 100644 +--- a/lib/libpammap.c ++++ b/lib/libpammap.c +@@ -108,7 +108,9 @@ allocTupleIntListItem(struct pam * const pamP) { */ struct tupleint_list_item * retval; +- unsigned int const size = + overflow2(pamP->depth, sizeof(sample)); + overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); - unsigned int const size = ++ unsigned int const size = sizeof(*retval) - sizeof(retval->tupleint.tuple) + pamP->depth * sizeof(sample); -diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c ---- netpbm-10.58.01/lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/libpm.c 2012-04-09 15:40:03.229619464 +0200 -@@ -808,4 +808,53 @@ pm_parse_height(const char * const arg) - } +diff --git a/lib/libpm.c b/lib/libpm.c +index 4374bbe..5ab7f83 100644 +--- a/lib/libpm.c ++++ b/lib/libpm.c +@@ -841,5 +841,53 @@ pm_parse_height(const char * const arg) { + return height; + } +/* + * Maths wrapping + */ -+ + +void __overflow2(int a, int b) +{ -+ if(a < 0 || b < 0) -+ pm_error("object too large"); -+ if(b == 0) -+ return; -+ if(a > INT_MAX / b) -+ pm_error("object too large"); ++ if(a < 0 || b < 0) ++ pm_error("object too large"); ++ if(b == 0) ++ return; ++ if(a > INT_MAX / b) ++ pm_error("object too large"); +} + +void overflow3(int a, int b, int c) +{ -+ overflow2(a,b); -+ overflow2(a*b, c); ++ overflow2(a,b); ++ overflow2(a*b, c); +} + +void overflow_add(int a, int b) +{ -+ if( a > INT_MAX - b) -+ pm_error("object too large"); ++ if( a > INT_MAX - b) ++ pm_error("object too large"); +} + +void *malloc2(int a, int b) +{ -+ overflow2(a, b); -+ if(a*b == 0) -+ pm_error("Zero byte allocation"); -+ return malloc(a*b); ++ overflow2(a, b); ++ if(a*b == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b); +} + +void *malloc3(int a, int b, int c) +{ -+ overflow3(a, b, c); -+ if(a*b*c == 0) -+ pm_error("Zero byte allocation"); -+ return malloc(a*b*c); ++ overflow3(a, b, c); ++ if(a*b*c == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b*c); +} + +void *realloc2(void * a, int b, int c) +{ -+ overflow2(b, c); -+ if(b*c == 0) -+ pm_error("Zero byte allocation"); -+ return realloc(a, b*c); ++ overflow2(b, c); ++ if(b*c == 0) ++ pm_error("Zero byte allocation"); ++ return realloc(a, b*c); +} -diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h ---- netpbm-10.58.01/lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200 -+++ netpbm-10.58.01/lib/pm.h 2012-04-09 15:40:03.229619464 +0200 -@@ -432,4 +432,11 @@ pm_parse_height(const char * const arg); +diff --git a/lib/pm.h b/lib/pm.h +index e9f1405..da54391 100644 +--- a/lib/pm.h ++++ b/lib/pm.h +@@ -435,5 +435,12 @@ pm_parse_height(const char * const arg); + } #endif - +void *malloc2(int, int); +void *malloc3(int, int, int); +#define overflow2(a,b) __overflow2(a,b) @@ -1153,11 +1098,13 @@ diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h +void overflow3(int, int, int); +void overflow_add(int, int); + + #endif -diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c ---- netpbm-10.58.01/other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200 -+++ netpbm-10.58.01/other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200 -@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP +diff --git a/other/pnmcolormap.c b/other/pnmcolormap.c +index 57db432..7195295 100644 +--- a/other/pnmcolormap.c ++++ b/other/pnmcolormap.c +@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP, pamP->width = intsqrt; else pamP->width = intsqrt + 1; @@ -1165,189 +1112,176 @@ diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other } { unsigned int const intQuotient = colormap.size / pamP->width; -diff -up netpbm-10.58.01/urt/README.security-code netpbm-10.58.01/urt/README ---- netpbm-10.58.01/urt/README.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/README 2012-04-09 15:40:03.231619438 +0200 -@@ -18,3 +18,8 @@ in its initializer in the original. But - defines stdout as a variable, so that wouldn't compile. So I changed - it to NULL and added a line to rle_hdr_init to set that field to - 'stdout' dynamically. 2000.06.02 BJH. -+ -+Redid the code to check for maths overflows and other crawly horrors. -+Removed pipe through and compress support (unsafe) +diff --git a/urt/Runput.c b/urt/Runput.c +index 3bc562a..645a376 100644 +--- a/urt/Runput.c ++++ b/urt/Runput.c +@@ -202,10 +202,11 @@ RunSetup(rle_hdr * the_hdr) + if ( the_hdr->background != 0 ) + { + register int i; +- register rle_pixel *background = +- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); +- register int *bg_color; +- /* ++ register rle_pixel *background; ++ register int *bg_color; + -+Alan Cox <alan@redhat.com> -diff -up netpbm-10.58.01/urt/rle_addhist.c.security-code netpbm-10.58.01/urt/rle_addhist.c ---- netpbm-10.58.01/urt/rle_addhist.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_addhist.c 2012-04-09 15:40:03.231619438 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> ++ overflow_add(the_hdr->ncolors,1); ++ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); /* + * If even number of bg color bytes, put out one more to get to + * 16 bit boundary. + */ +@@ -224,7 +225,7 @@ RunSetup(rle_hdr * the_hdr) + /* Big-endian machines are harder */ + register int i, nmap = (1 << the_hdr->cmaplen) * + the_hdr->ncmap; +- register char *h_cmap = (char *)malloc( nmap * 2 ); ++ register char *h_cmap = (char *)malloc2( nmap, 2 ); + if ( h_cmap == NULL ) + { + fprintf( stderr, +diff --git a/urt/rle.h b/urt/rle.h +index 8d72cb9..ac65b94 100644 +--- a/urt/rle.h ++++ b/urt/rle.h +@@ -161,6 +161,17 @@ rle_hdr /* End of typedef. */ */ - /* - * rle_addhist.c - Add to the HISTORY comment in header -@@ -71,13 +73,19 @@ rle_addhist(char * argv[], + extern rle_hdr rle_dflt_hdr; + ++/* ++ * Provided by pm library ++ */ ++ ++extern void overflow_add(int, int); ++#define overflow2(a,b) __overflow2(a,b) ++extern void __overflow2(int, int); ++extern void overflow3(int, int, int); ++extern void *malloc2(int, int); ++extern void *malloc3(int, int, int); ++extern void *realloc2(void *, int, int); + + /* Declare RLE library routines. */ + +diff --git a/urt/rle_addhist.c b/urt/rle_addhist.c +index b165175..e09ed94 100644 +--- a/urt/rle_addhist.c ++++ b/urt/rle_addhist.c +@@ -70,13 +70,18 @@ rle_addhist(char * argv[], return; length = 0; - for (i = 0; argv[i]; ++i) + for (i = 0; argv[i]; ++i) { -+ overflow_add(length, strlen(argv[i])); -+ overflow_add(length+1, strlen(argv[i])); ++ overflow_add(length, strlen(argv[i])); ++ overflow_add(length+1, strlen(argv[i])); length += strlen(argv[i]) +1; /* length of each arg plus space. */ + } time(&temp); timedate = ctime(&temp); length += strlen(timedate); /* length of date and time in ASCII. */ - +- + overflow_add(strlen(padding), 4); + overflow_add(strlen(histoire), strlen(padding) + 4); + overflow_add(length, strlen(histoire) + strlen(padding) + 4); length += strlen(padding) + 3 + strlen(histoire) + 1; /* length of padding, "on " and length of history name plus "="*/ if (in_hdr) /* if we are interested in the old comments... */ -@@ -85,9 +93,12 @@ rle_addhist(char * argv[], +@@ -84,8 +89,10 @@ rle_addhist(char * argv[], else old = NULL; - if (old && *old) + if (old && *old) { -+ overflow_add(length, strlen(old)); ++ overflow_add(length, strlen(old)); length += strlen(old); /* add length if there. */ + } -+ overflow_add(length, 1); ++length; /*Cater for the null. */ - MALLOCARRAY(newc, length); -diff -up netpbm-10.58.01/urt/rle_getrow.c.security-code netpbm-10.58.01/urt/rle_getrow.c ---- netpbm-10.58.01/urt/rle_getrow.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_getrow.c 2012-04-09 15:40:03.232619426 +0200 -@@ -17,6 +17,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> - */ - /* - * rle_getrow.c - Read an RLE file in. -@@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) { - register char * cp; +diff --git a/urt/rle_getrow.c b/urt/rle_getrow.c +index bd7d1c8..bd05698 100644 +--- a/urt/rle_getrow.c ++++ b/urt/rle_getrow.c +@@ -168,6 +168,7 @@ rle_get_setup(rle_hdr * const the_hdr) { + char * cp; - VAXSHORT( comlen, infile ); /* get comment length */ -+ overflow_add(comlen, 1); + VAXSHORT(comlen, infile); /* get comment length */ ++ overflow_add(comlen, 1); evenlen = (comlen + 1) & ~1; /* make it even */ - if ( evenlen ) - { -diff -up netpbm-10.58.01/urt/rle_hdr.c.security-code netpbm-10.58.01/urt/rle_hdr.c ---- netpbm-10.58.01/urt/rle_hdr.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_hdr.c 2012-04-09 15:40:03.233619414 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> - */ - /* - * rle_hdr.c - Functions to manipulate rle_hdr structures. -@@ -80,7 +82,10 @@ int img_num; + if (evenlen) { + MALLOCARRAY(comment_buf, evenlen); +diff --git a/urt/rle_hdr.c b/urt/rle_hdr.c +index 1611324..7c9c010 100644 +--- a/urt/rle_hdr.c ++++ b/urt/rle_hdr.c +@@ -80,7 +80,10 @@ int img_num; /* Fill in with copies of the strings. */ if ( the_hdr->cmd != pgmname ) { - char *tmp = (char *)malloc( strlen( pgmname ) + 1 ); -+ char *tmp ; ++ char *tmp; + -+ overflow_add(strlen(pgmname), 1); -+ tmp = malloc( strlen( pgmname ) + 1 ); ++ overflow_add(strlen(pgmname), 1); ++ tmp = malloc( strlen(pgmname) + 1 ); RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, pgmname ); the_hdr->cmd = tmp; -@@ -88,7 +93,9 @@ int img_num; +@@ -88,8 +91,10 @@ int img_num; if ( the_hdr->file_name != fname ) { - char *tmp = (char *)malloc( strlen( fname ) + 1 ); -+ char *tmp; -+ overflow_add(strlen(fname), 1); -+ tmp = malloc( strlen( fname ) + 1 ); - RLE_CHECK_ALLOC( pgmname, tmp, 0 ); +- RLE_CHECK_ALLOC( pgmname, tmp, 0 ); ++ char *tmp; ++ overflow_add(strlen(fname), 1); ++ tmp = malloc( strlen( fname ) + 1 ); ++ RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, fname ); the_hdr->file_name = tmp; -@@ -153,6 +160,7 @@ rle_hdr *from_hdr, *to_hdr; + } +@@ -153,6 +158,7 @@ rle_hdr *from_hdr, *to_hdr; if ( to_hdr->bg_color ) { int size = to_hdr->ncolors * sizeof(int); -+ overflow2(to_hdr->ncolors, sizeof(int)); ++ overflow2(to_hdr->ncolors, sizeof(int)); to_hdr->bg_color = (int *)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); -@@ -161,7 +169,7 @@ rle_hdr *from_hdr, *to_hdr; +@@ -161,7 +167,7 @@ rle_hdr *from_hdr, *to_hdr; if ( to_hdr->cmap ) { int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); - to_hdr->cmap = (rle_map *)malloc( size ); -+ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map)); ++ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map)); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); memcpy( to_hdr->cmap, from_hdr->cmap, size ); } -@@ -174,11 +182,16 @@ rle_hdr *from_hdr, *to_hdr; +@@ -173,12 +179,17 @@ rle_hdr *from_hdr, *to_hdr; + { int size = 0; CONST_DECL char **cp; - for ( cp=to_hdr->comments; *cp; cp++ ) -+ { -+ overflow_add(size, 1); +- for ( cp=to_hdr->comments; *cp; cp++ ) ++ for ( cp=to_hdr->comments; *cp; cp++ ) ++ { ++ overflow_add(size, 1); size++; /* Count the comments. */ -+ } ++ } /* Check if there are really any comments. */ if ( size ) { -+ overflow_add(size, 1); ++ overflow_add(size, 1); size++; /* Copy the NULL pointer, too. */ -+ overflow2(size, sizeof(char *)); ++ overflow2(size, sizeof(char *)); size *= sizeof(char *); to_hdr->comments = (CONST_DECL char **)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); -diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h ---- netpbm-10.58.01/urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle.h 2012-04-09 15:40:03.233619414 +0200 -@@ -14,6 +14,9 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> -+ * Header declarations needed - */ - /* - * rle.h - Global declarations for Utah Raster Toolkit RLE programs. -@@ -160,6 +163,17 @@ rle_hdr /* End of typedef. * - */ - extern rle_hdr rle_dflt_hdr; - -+/* -+ * Provided by pm library -+ */ -+ -+extern void overflow_add(int, int); -+#define overflow2(a,b) __overflow2(a,b) -+extern void __overflow2(int, int); -+extern void overflow3(int, int, int); -+extern void *malloc2(int, int); -+extern void *malloc3(int, int, int); -+extern void *realloc2(void *, int, int); - - /* Declare RLE library routines. */ - -diff -up netpbm-10.58.01/urt/rle_open_f.c.security-code netpbm-10.58.01/urt/rle_open_f.c ---- netpbm-10.58.01/urt/rle_open_f.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_open_f.c 2012-04-09 15:40:03.234619402 +0200 -@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const f +diff --git a/urt/rle_open_f.c b/urt/rle_open_f.c +index ae8548b..c2ef37d 100644 +--- a/urt/rle_open_f.c ++++ b/urt/rle_open_f.c +@@ -163,65 +163,7 @@ dealWithSubprocess(const char * const file_name, FILE ** const fpP, bool * const noSubprocessP, const char ** const errorP) { @@ -1413,146 +1347,40 @@ diff -up netpbm-10.58.01/urt/rle_open_f.c.security-code netpbm-10.58.01/urt/rle_ } -diff -up netpbm-10.58.01/urt/rle_putcom.c.security-code netpbm-10.58.01/urt/rle_putcom.c ---- netpbm-10.58.01/urt/rle_putcom.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/rle_putcom.c 2012-04-09 15:40:03.234619402 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> - */ - /* - * rle_putcom.c - Add a picture comment to the header struct. -@@ -98,12 +100,14 @@ rle_putcom(const char * const value, +diff --git a/urt/rle_putcom.c b/urt/rle_putcom.c +index ab2eb20..f6a6ff7 100644 +--- a/urt/rle_putcom.c ++++ b/urt/rle_putcom.c +@@ -98,12 +98,14 @@ rle_putcom(const char * const value, const char * v; const char ** old_comments; int i; - for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) + for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) { -+ overflow_add(i, 1); ++ overflow_add(i, 1); if (match(value, *cp) != NULL) { v = *cp; *cp = value; return v; } -+ } ++ } /* Not found */ /* Can't realloc because somebody else might be pointing to this * comments block. Of course, if this were true, then the -diff -up netpbm-10.58.01/urt/Runput.c.security-code netpbm-10.58.01/urt/Runput.c ---- netpbm-10.58.01/urt/Runput.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/Runput.c 2012-04-09 15:40:03.235619390 +0200 -@@ -17,6 +17,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> - */ - /* - * Runput.c - General purpose Run Length Encoding. -@@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr) - if ( the_hdr->background != 0 ) - { - register int i; -- register rle_pixel *background = -- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); -+ register rle_pixel *background; - register int *bg_color; -+ -+ overflow_add(the_hdr->ncolors,1); -+ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); - /* - * If even number of bg color bytes, put out one more to get to - * 16 bit boundary. -@@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr) - /* Big-endian machines are harder */ - register int i, nmap = (1 << the_hdr->cmaplen) * - the_hdr->ncmap; -- register char *h_cmap = (char *)malloc( nmap * 2 ); -+ register char *h_cmap = (char *)malloc2( nmap, 2 ); - if ( h_cmap == NULL ) - { - fprintf( stderr, -diff -up netpbm-10.58.01/urt/scanargs.c.security-code netpbm-10.58.01/urt/scanargs.c ---- netpbm-10.58.01/urt/scanargs.c.security-code 2012-04-09 15:31:45.000000000 +0200 -+++ netpbm-10.58.01/urt/scanargs.c 2012-04-09 15:40:03.235619390 +0200 -@@ -38,6 +38,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com> - */ - - #include <stdio.h> -@@ -63,8 +65,8 @@ typedef int *ptr; +diff --git a/urt/scanargs.c b/urt/scanargs.c +index f3af334..5e114bb 100644 +--- a/urt/scanargs.c ++++ b/urt/scanargs.c +@@ -62,9 +62,8 @@ typedef int *ptr; /* * Storage allocation macros */ -#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) -#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) +- +#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) +#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) - static CONST_DECL char * prformat( CONST_DECL char *, int ); static int isnum( CONST_DECL char *, int, int ); ---- netpbm-10.58.01/lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400 -+++ netpbm-10.58.01/lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400 -@@ -78,6 +78,7 @@ - } else { - pm_filepos const bytesPerRow = (cols+7)/8; - pm_filepos const needRasterSize = rows * bytesPerRow; -+ overflow2(bytesPerRow, rows); - pm_check(fileP, checkType, needRasterSize, retvalP); - } - } ---- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400 -+++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400 -@@ -185,6 +185,7 @@ - unsigned int i; - int * table; - -+ overflow_add(oldmaxval, 1); - MALLOCARRAY_NOFAIL(table, oldmaxval + 1); - for (i = 0; i <= oldmaxval; ++i) - table[i] = ROUNDDIV(i * newmaxval, oldmaxval); ---- netpbm-10.58.01/converter/other/sgitopnm.c.orig 2014-07-08 16:57:30.878754976 -0400 -+++ netpbm-10.58.01/converter/other/sgitopnm.c 2014-07-08 17:07:52.727745725 -0400 -@@ -372,10 +372,14 @@ - MALLOCARRAY_NOFAIL(image, head->ysize); - } else { - maxchannel = 3; -+ overflow2(head->ysize, maxchannel); - MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); - } -- if (table) -+ if (table) { -+ overflow2(head->xsize, 2); -+ overflow_add(head->xsize*2, 2); - MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); -+ } - - for (channel = 0; channel < maxchannel; ++channel) { - unsigned int row; ---- netpbm-10.58.01/converter/other/pnmtosgi.c.orig 2014-07-08 16:57:30.878754976 -0400 -+++ netpbm-10.58.01/converter/other/pnmtosgi.c 2014-07-08 17:11:55.164018919 -0400 -@@ -176,6 +176,8 @@ - break; - case STORAGE_RLE: { - unsigned int const tabrow = chanNum * rows + row; -+ overflow2(chanNum, rows); -+ overflow_add(chanNum* rows, row); - unsigned int const len = rleCompress(tempArg, cols); - /* writes result into rletemp */ - unsigned int i; -@@ -212,6 +214,7 @@ - ScanElem * temp; - - if (storage != STORAGE_VERBATIM) { -+ overflow2(channels, rows); - MALLOCARRAY_NOFAIL(table, channels * rows); - MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); - } else + static int _do_scanargs( int argc, char **argv, CONST_DECL char *format, + diff --git a/libre/netpbm/netpbm-security-scripts.patch b/libre/netpbm/netpbm-security-scripts.patch index db056db99..0dfe84f43 100644 --- a/libre/netpbm/netpbm-security-scripts.patch +++ b/libre/netpbm/netpbm-security-scripts.patch @@ -1,7 +1,8 @@ -diff -up netpbm-10.47.05/converter/other/anytopnm.security-scripts netpbm-10.47.05/converter/other/anytopnm ---- netpbm-10.47.05/converter/other/anytopnm.security-scripts 2009-12-10 08:34:36.000000000 +0100 -+++ netpbm-10.47.05/converter/other/anytopnm 2010-03-16 21:28:09.000000000 +0100 -@@ -510,10 +510,7 @@ else +diff --git a/converter/other/anytopnm b/converter/other/anytopnm +index acf8813..335312a 100755 +--- a/converter/other/anytopnm ++++ b/converter/other/anytopnm +@@ -511,10 +511,7 @@ else inputFile="-" fi @@ -13,10 +14,13 @@ diff -up netpbm-10.47.05/converter/other/anytopnm.security-scripts netpbm-10.47. # Take out all spaces # Find the filename extension for last-ditch efforts later -@@ -539,9 +536,17 @@ if [ "$filetype" = "unknown" ]; then - echo "$progname: unknown file type. " \ - "'file' says mime type is '$mimeType', " 1>&2 - echo "type description is '$typeDescription'" 1>&2 +@@ -537,12 +534,17 @@ typeDescription=`file "$file" | cut -d: -f2- | cut -c2-` + determineType "$file" "$mimeType" "$typeDescription" "$fileExtension" + + if [ "$filetype" = "unknown" ]; then +- echo "$progname: unknown file type. " \ +- "'file' says mime type is '$mimeType', " 1>&2 +- echo "type description is '$typeDescription'" 1>&2 + if [ -d "$tempdir" ] ; then + rm -rf "$tempdir" + fi @@ -31,10 +35,11 @@ diff -up netpbm-10.47.05/converter/other/anytopnm.security-scripts netpbm-10.47. +fi + exit 0 -diff -up netpbm-10.47.05/editor/pamstretch-gen.security-scripts netpbm-10.47.05/editor/pamstretch-gen ---- netpbm-10.47.05/editor/pamstretch-gen.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/pamstretch-gen 2010-03-16 21:28:47.000000000 +0100 -@@ -31,13 +31,9 @@ if [ "$1" = "" ]; then +diff --git a/editor/pamstretch-gen b/editor/pamstretch-gen +index ba0e818..250fca0 100755 +--- a/editor/pamstretch-gen ++++ b/editor/pamstretch-gen +@@ -31,9 +31,7 @@ if [ "$1" = "" ]; then exit 1 fi @@ -44,15 +49,12 @@ diff -up netpbm-10.47.05/editor/pamstretch-gen.security-scripts netpbm-10.47.05/ +tempfile=$(mktemp /tmp/pnmig.XXXXXXXXXX) || exit 1 trap 'rm -rf $tempdir' 0 1 3 15 --tempfile=$tempdir/pnmig -- - if ! cat $2 >$tempfile 2>/dev/null; then - echo 'pamstretch-gen: error reading file' 1>&2 - exit 1 -diff -up netpbm-10.47.05/editor/pnmmargin.security-scripts netpbm-10.47.05/editor/pnmmargin ---- netpbm-10.47.05/editor/pnmmargin.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/pnmmargin 2010-03-16 21:28:09.000000000 +0100 -@@ -11,15 +11,11 @@ + tempfile=$tempdir/pnmig +diff --git a/editor/pnmmargin b/editor/pnmmargin +index 0f57d1d..e0d3625 100755 +--- a/editor/pnmmargin ++++ b/editor/pnmmargin +@@ -11,11 +11,7 @@ # documentation. This software is provided "as is" without express or # implied warranty. @@ -61,38 +63,37 @@ diff -up netpbm-10.47.05/editor/pnmmargin.security-scripts netpbm-10.47.05/edito - { echo "Could not create temporary file. Exiting." 1>&2; exit 1;} -trap 'rm -rf $tempdir' 0 1 3 15 - --tmp1=$tempdir/pnmm1 --tmp2=$tempdir/pnmm2 --tmp3=$tempdir/pnmm3 --tmp4=$tempdir/pnmm4 -+tmpdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 -+tmp1="$tmpdir/tmp1" -+tmp2="$tmpdir/tmp2" -+tmp3="$tmpdir/tmp3" -+tmp4="$tmpdir/tmp4" - - color="-gofigure" - plainopt="" ++tempdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 + tmp1=$tempdir/pnmm1 + tmp2=$tempdir/pnmm2 + tmp3=$tempdir/pnmm3 @@ -90,6 +86,7 @@ else -white | -black ) pnmpad $plainopt $color \ -left=$size -right=$size -top=$size -bottom=$size $tmp1 -+ rm -rf "$tmpdir" ++ rm -rf "$tempdir" exit ;; * ) -diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ppmfade ---- netpbm-10.47.05/editor/ppmfade.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/ppmfade 2010-03-16 21:28:09.000000000 +0100 -@@ -14,6 +14,7 @@ +@@ -103,4 +100,4 @@ else + pnmcat -tb $plainopt $tmp3 $tmp4 $tmp3 + fi + +- ++rm -rf "$tempdir" +diff --git a/editor/ppmfade b/editor/ppmfade +index 027fc79..8eb094f 100755 +--- a/editor/ppmfade ++++ b/editor/ppmfade +@@ -40,6 +40,7 @@ exec perl -w -x -S -- "$0" "$@" # - #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + ############################################################################## use strict; +use File::Temp "tempdir"; my $SPREAD = 1; my $SHIFT = 2; -@@ -111,20 +112,26 @@ if ($first_file ne "undefined") { +@@ -137,20 +138,26 @@ if ($first_file ne "undefined") { print("Frames are " . $width . "W x " . $height . "H\n"); @@ -123,7 +124,7 @@ diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ } # -@@ -132,14 +139,14 @@ if ($last_file eq "undefined") { +@@ -158,14 +165,14 @@ if ($last_file eq "undefined") { # # Here's what our temporary files are: @@ -146,7 +147,7 @@ diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ my $i; # Frame number for ($i = 1; $i <= $nframes; $i++) { -@@ -147,147 +154,147 @@ for ($i = 1; $i <= $nframes; $i++) { +@@ -173,147 +180,147 @@ for ($i = 1; $i <= $nframes; $i++) { if ($mode eq $SPREAD) { if ($i <= 10) { my $n = $spline20[$i] * 100; @@ -347,10 +348,11 @@ diff -up netpbm-10.47.05/editor/ppmfade.security-scripts netpbm-10.47.05/editor/ +system("rm $tmpdir/junk*$$.ppm"); exit(0); -diff -up netpbm-10.47.05/editor/ppmshadow.security-scripts netpbm-10.47.05/editor/ppmshadow ---- netpbm-10.47.05/editor/ppmshadow.security-scripts 2009-12-10 08:34:32.000000000 +0100 -+++ netpbm-10.47.05/editor/ppmshadow 2010-03-16 21:28:09.000000000 +0100 -@@ -72,9 +72,10 @@ sub makeConvolutionKernel($$) { +diff --git a/editor/ppmshadow b/editor/ppmshadow +index 62cdf8b..72e1b22 100755 +--- a/editor/ppmshadow ++++ b/editor/ppmshadow +@@ -97,9 +97,10 @@ sub makeConvolutionKernel($$) { my $tmpdir = $ENV{TMPDIR} || "/tmp"; @@ -364,10 +366,4 @@ diff -up netpbm-10.47.05/editor/ppmshadow.security-scripts netpbm-10.47.05/edito # Process command line options ---- snetpbm-10.47.05/editor/pnmmargin.orig 2014-06-16 21:30:27.480812666 -0400 -+++ netpbm-10.47.05/editor/pnmmargin 2014-06-16 21:30:41.500789921 -0400 -@@ -101,3 +101,4 @@ - fi - - -+rm -rf "$tmpdir" + |