Tree - rpms/argyllcms - src.fedoraproject.org

rpms / argyllcms

Blame argyllcms-CVE-2009-0792.patch

Blob History Raw

		9cc86a7	`--- icc/icc.c.orig 2009-04-08 08:38:40.000000000 -0400`
		9cc86a7	`+++ icc/icc.c 2009-04-08 08:54:08.000000000 -0400`
		9cc86a7	`@@ -3312,7 +3312,7 @@ static int icmCurve_lookup_fwd(`
		9cc86a7	`rv \|= 1;`
		9cc86a7	`}`
		9cc86a7	`ix = (unsigned int)floor(val); /* Coordinate */`
		9cc86a7	`- if (ix > (p->size-2))`
		9cc86a7	`+ if (ix < 0 \|\| ix > (p->size-2))`
		9cc86a7	`ix = (p->size-2);`
		9cc86a7	`w = val - (double)ix; /* weight */`
		9cc86a7	`val = p->data[ix];`
		9cc86a7	`@@ -3334,6 +3334,11 @@ static int icmTable_setup_bwd(`
		9cc86a7	`) {`
		9cc86a7	`unsigned int i;`
		9cc86a7
		9cc86a7	`+ if (size > INT_MAX - 2)`
		9cc86a7	`+ /* Although rt->size is unsigned long, the rt data`
		9cc86a7	`+ * structure uses int data types to store indices. */`
		9cc86a7	`+ return 2;`
		9cc86a7	`+`
		9cc86a7	`rt->size = size; /* Stash pointers to these away */`
		9cc86a7	`rt->data = data;`
		9cc86a7
		9cc86a7	`@@ -3352,7 +3357,7 @@ static int icmTable_setup_bwd(`
		9cc86a7	`rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */`
		9cc86a7
		9cc86a7	`/* Initialize the reverse lookup structures, and get overall min/max */`
		9cc86a7	`- if ((rt->rlists = (unsigned int *) icp->al->calloc(icp->al, 1, rt->rsize sizeof(unsigned int *))) == NULL) {`
		9cc86a7	`+ if ((rt->rlists = (unsigned int *) icp->al->calloc(icp->al, rt->rsize, sizeof(int ))) == NULL) {`
		9cc86a7	`return 2;`
		9cc86a7	`}`
		9cc86a7
		9cc86a7	`@@ -3365,6 +3370,16 @@ static int icmTable_setup_bwd(`
		9cc86a7	`int t;`
		9cc86a7	`t = s; s = e; e = t;`
		9cc86a7	`}`
		9cc86a7	`+`
		9cc86a7	`+ /* s and e should both be in the range [0,rt->rsize]`
		9cc86a7	`+ * now, but let's not rely on floating point`
		9cc86a7	`+ * calculations -- double-check. */`
		9cc86a7	`+ if (s < 0)`
		9cc86a7	`+ s = 0;`
		9cc86a7	`+ if (e < 0)`
		9cc86a7	`+ e = 0;`
		9cc86a7	`+ if (s >= rt->rsize)`
		9cc86a7	`+ s = rt->rsize-1;`
		9cc86a7	`if (e >= rt->rsize)`
		9cc86a7	`e = rt->rsize-1;`
		9cc86a7
		9cc86a7	`@@ -3383,6 +3398,9 @@ static int icmTable_setup_bwd(`
		9cc86a7	`as = rt->rlists[j][0]; /* Allocate space for this list */`
		9cc86a7	`nf = rt->rlists[j][1]; /* Next free location in list */`
		9cc86a7	`if (nf >= as) { /* need to expand space */`
		9cc86a7	`+ if (as > INT_MAX / 2 / sizeof (int))`
		9cc86a7	`+ return 2;`
		9cc86a7	`+`
		9cc86a7	`as *= 2;`
		9cc86a7	`rt->rlists[j] = (unsigned int ) icp->al->realloc(icp->al,rt->rlists[j], sizeof(unsigned int) as);`
		9cc86a7	`if (rt->rlists[j] == NULL) {`
		9cc86a7	`@@ -3434,7 +3452,7 @@ static int icmTable_lookup_bwd(`
		9cc86a7	`val = rsize_1;`
		9cc86a7	`ix = (int)floor(val); /* Coordinate */`
		9cc86a7
		9cc86a7	`- if (ix > (rt->size-2))`
		9cc86a7	`+ if (ix < 0 \|\| ix > (rt->size-2))`
		9cc86a7	`ix = (rt->size-2);`
		9cc86a7	`if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */`
		9cc86a7	`/* For each candidate forward range */`
		9cc86a7	`@@ -3461,6 +3479,7 @@ static int icmTable_lookup_bwd(`
		9cc86a7	`/* We have failed to find an exact value, so return the nearest value */`
		9cc86a7	`/* (This is slow !) */`
		9cc86a7	`val = fabs(ival - rt->data[0]);`
		9cc86a7	`+ /* rt->size is known to be < INT_MAX */`
		9cc86a7	`for (k = 0, i = 1; i < rt->size; i++) {`
		9cc86a7	`double er;`
		9cc86a7	`er = fabs(ival - rt->data[i]);`
		9cc86a7	`@@ -4704,7 +4723,7 @@ double in / Input array[inputChan] */`
		9cc86a7	`rv \|= 1;`
		9cc86a7	`}`
		9cc86a7	`ix = (int)floor(val); /* Grid coordinate */`
		9cc86a7	`- if (ix > (p->inputEnt-2))`
		9cc86a7	`+ if (ix < 0 \|\| ix > (p->inputEnt-2))`
		9cc86a7	`ix = (p->inputEnt-2);`
		9cc86a7	`w = val - (double)ix; /* weight */`
		9cc86a7	`val = table[ix];`
		9cc86a7	`@@ -4764,7 +4783,7 @@ double in / Input array[outputChan] *`
		9cc86a7	`rv \|= 1;`
		9cc86a7	`}`
		9cc86a7	`x = (int)floor(val); /* Grid coordinate */`
		9cc86a7	`- if (x > clutPoints_2)`
		9cc86a7	`+ if (x < 0 \|\| x > clutPoints_2)`
		9cc86a7	`x = clutPoints_2;`
		9cc86a7	`co[e] = val - (double)x; /* 1.0 - weight */`
		9cc86a7	`gp += x * p->dinc[e]; /* Add index offset for base of cube */`
		9cc86a7	`@@ -4838,7 +4857,7 @@ double in / Input array[outputChan] *`
		9cc86a7	`rv \|= 1;`
		9cc86a7	`}`
		9cc86a7	`x = (int)floor(val); /* Grid coordinate */`
		9cc86a7	`- if (x > clutPoints_2)`
		9cc86a7	`+ if (x < 0 \|\| x > clutPoints_2)`
		9cc86a7	`x = clutPoints_2;`
		9cc86a7	`co[e] = val - (double)x; /* 1.0 - weight */`
		9cc86a7	`gp += x * p->dinc[e]; /* Add index offset for base of cube */`
		9cc86a7	`@@ -4957,7 +4976,7 @@ double in / Input array[outputChan] *`
		9cc86a7	`rv \|= 1;`
		9cc86a7	`}`
		9cc86a7	`x = (int)floor(val); /* Grid coordinate */`
		9cc86a7	`- if (x > clutPoints_2)`
		9cc86a7	`+ if (x < 0 \|\| x > clutPoints_2)`
		9cc86a7	`x = clutPoints_2;`
		9cc86a7	`co[e] = val - (double)x; /* 1.0 - weight */`
		9cc86a7	`gp += x * p->dinc[e]; /* Add index offset for base of cube */`
		9cc86a7	`@@ -5070,7 +5089,7 @@ double in / Input array[outputChan] *`
		9cc86a7	`rv \|= 1;`
		9cc86a7	`}`
		9cc86a7	`ix = (int)floor(val); /* Grid coordinate */`
		9cc86a7	`- if (ix > (p->outputEnt-2))`
		9cc86a7	`+ if (ix < 0 \|\| ix > (p->outputEnt-2))`
		9cc86a7	`ix = (p->outputEnt-2);`
		9cc86a7	`w = val - (double)ix; /* weight */`
		9cc86a7	`val = table[ix];`
		9cc86a7	`@@ -7887,7 +7906,7 @@ static int icmTextDescription_allocate(`
		9cc86a7	`if (p->size != p->_size) {`
		9cc86a7	`if (p->desc != NULL)`
		9cc86a7	`icp->al->free(icp->al, p->desc);`
		9cc86a7	`- if ((p->desc = (char ) icp->al->malloc(icp->al, p->size sizeof(char))) == NULL) {`
		9cc86a7	`+ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {`
		9cc86a7	`sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");`
		9cc86a7	`return icp->errc = 2;`
		9cc86a7	`}`
		9cc86a7	`@@ -9061,7 +9080,7 @@ static int icmUcrBg_allocate(`
		9cc86a7	`if (p->size != p->_size) {`
		9cc86a7	`if (p->string != NULL)`
		9cc86a7	`icp->al->free(icp->al, p->string);`
		9cc86a7	`- if ((p->string = (char ) icp->al->malloc(icp->al, p->size sizeof(char))) == NULL) {`
		9cc86a7	`+ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {`
		9cc86a7	`sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");`
		9cc86a7	`return icp->errc = 2;`
		9cc86a7	`}`
		9cc86a7	`@@ -9515,7 +9534,7 @@ static double icmVideoCardGamma_lookup(`
		9cc86a7	`else if (val0 > inputEnt_1)`
		9cc86a7	`val0 = inputEnt_1;`
		9cc86a7	`ix = (int)floor(val0); /* Coordinate */`
		9cc86a7	`- if (ix > (p->u.table.entryCount-2))`
		9cc86a7	`+ if (ix < 0 \|\| ix > (p->u.table.entryCount-2))`
		9cc86a7	`ix = (p->u.table.entryCount-2);`
		9cc86a7	`w = val0 - (double)ix; /* weight */`
		9cc86a7	`if (p->u.table.entrySize == 1) {`
		9cc86a7	`@@ -10061,7 +10080,7 @@ static int icmCrdInfo_allocate(`
		9cc86a7	`if (p->ppsize != p->_ppsize) {`
		9cc86a7	`if (p->ppname != NULL)`
		9cc86a7	`icp->al->free(icp->al, p->ppname);`
		9cc86a7	`- if ((p->ppname = (char ) icp->al->malloc(icp->al, p->ppsize sizeof(char))) == NULL) {`
		9cc86a7	`+ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {`
		9cc86a7	`sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");`
		9cc86a7	`return icp->errc = 2;`
		9cc86a7	`}`
		9cc86a7	`@@ -10071,7 +10090,7 @@ static int icmCrdInfo_allocate(`
		9cc86a7	`if (p->crdsize[t] != p->_crdsize[t]) {`
		9cc86a7	`if (p->crdname[t] != NULL)`
		9cc86a7	`icp->al->free(icp->al, p->crdname[t]);`
		9cc86a7	`- if ((p->crdname[t] = (char ) icp->al->malloc(icp->al, p->crdsize[t] sizeof(char))) == NULL) {`
		9cc86a7	`+ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {`
		9cc86a7	`sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);`
		9cc86a7	`return icp->errc = 2;`
		9cc86a7	`}`

rpms / argyllcms

Source Code

Blame argyllcms-CVE-2009-0792.patch