From a212af2be8b2e9ffe3e452b38cf4fbdcc1040d65 Mon Sep 17 00:00:00 2001 From: Jon Ciesla Date: Mar 23 2009 17:09:26 +0000 Subject: Patch for ICC library CVE-2009-{0583, 0584} by Tim Waugh. --- diff --git a/argyllcms-1.0.2-legal.patch b/argyllcms-1.0.2-legal.patch new file mode 100644 index 0000000..3c6ea6e --- /dev/null +++ b/argyllcms-1.0.2-legal.patch @@ -0,0 +1,662 @@ +diff -uNr Argyll_V1.0.1.orig/doc/ArgyllDoc.html Argyll_V1.0.1/doc/ArgyllDoc.html +--- Argyll_V1.0.1.orig/doc/ArgyllDoc.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/ArgyllDoc.html 2008-07-27 11:39:29.000000000 +0200 +@@ -18,7 +18,7 @@ + Author: Graeme Gill +

Introduction

+ Argyll is an open source, ICC compatible color management +-system. It supports accurate ICC profile creation for scanners, CMYK ++system. It supports accurate ICC profile creation for acquisition devices, CMYK + printers, + film recorders and calibration and profiling of displays. + Spectral sample data is supported, +diff -uNr Argyll_V1.0.1.orig/doc/chartread.html Argyll_V1.0.1/doc/chartread.html +--- Argyll_V1.0.1.orig/doc/chartread.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/chartread.html 2008-07-27 11:40:27.000000000 +0200 +@@ -206,7 +206,7 @@ +
+ Normally the patch locations are not needed in the + output, but if a chart is being read as an input reference (for use in +-profiling a scanner or a camera), then the patch locations will still ++profiling an acquisition device), then the patch locations will still + be needed. The -a flag adds + the locations to the output .ti3 file.
+
+diff -uNr Argyll_V1.0.1.orig/doc/colprof.html Argyll_V1.0.1/doc/colprof.html +--- Argyll_V1.0.1.orig/doc/colprof.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/colprof.html 2008-07-27 11:41:01.000000000 +0200 +@@ -617,8 +617,8 @@ + absolute value, and any values whiter than that, will not be clipped by + the profile. The profile effectively operates in an absolute intent + mode,  irrespective of what intent is selected when it is used. +-This flag can be useful when an input profile is needed for using a +-scanner as a "poor mans" colorimeter, or if the white point of the test ++This flag can be useful when an input profile is needed for using an ++acquisition device as a "poor mans" colorimeter, or if the white point of the test + chart doesn't represent the white points of media + that will be used in practice, and that white point adjustment will be + done individually in some downstream application.
+diff -uNr Argyll_V1.0.1.orig/doc/Installing_Linux.html Argyll_V1.0.1/doc/Installing_Linux.html +--- Argyll_V1.0.1.orig/doc/Installing_Linux.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/Installing_Linux.html 2008-07-27 11:42:29.000000000 +0200 +@@ -30,7 +30,7 @@ + variable to give access to the executables from your command line + environment. + The .tgz file also contains several useful reference files (such as +-scanner ++acquisition device + chart recognition templates, sample illumination spectrum etc.) in the + ref sub-directory, as + well +diff -uNr Argyll_V1.0.1.orig/doc/Installing_MSWindows.html Argyll_V1.0.1/doc/Installing_MSWindows.html +--- Argyll_V1.0.1.orig/doc/Installing_MSWindows.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/Installing_MSWindows.html 2008-07-27 11:42:50.000000000 +0200 +@@ -69,7 +69,7 @@ +
+ The .zip file also contains several useful reference files + (such as +-scanner ++acquisition device + chart recognition templates, sample illumination spectrum etc.) in the + ref sub-directory, all the current documentation in a doc + sub-directory, and instrument USB drivers in the libusbw directory.
+diff -uNr Argyll_V1.0.1.orig/doc/Installing_OSX.html Argyll_V1.0.1/doc/Installing_OSX.html +--- Argyll_V1.0.1.orig/doc/Installing_OSX.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/Installing_OSX.html 2008-07-27 11:39:58.000000000 +0200 +@@ -30,7 +30,7 @@ + with how to do this, consult an appropriate tutorial, e.g. <ShellIntro>. + The .tgz file also contains several useful reference files (such as +-scanner chart recognition templates, sample illumination spectrum ++acquisition device chart recognition templates, sample illumination spectrum + etc.) in the ref sub-directory, as well as + all the current documentation in a doc sub-directory.
+
+diff -uNr Argyll_V1.0.1.orig/doc/Organisation.html Argyll_V1.0.1/doc/Organisation.html +--- Argyll_V1.0.1.orig/doc/Organisation.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/Organisation.html 2008-07-27 11:36:55.000000000 +0200 +@@ -13,7 +13,7 @@ + This directory contains routines that generate calibration test charts, + based + on various distribution algorithms suitable for +-reading using an Xrite DTP51 or DTP41 colorimeter, or scanner for print ++reading using an Xrite DTP51 or DTP41 colorimeter, or acquisition device for print + charts, + the Gretag Spectrolino for film charts, or the Xrite DTP92 pr DTP94 for + monitor +diff -uNr Argyll_V1.0.1.orig/doc/printtarg.html Argyll_V1.0.1/doc/printtarg.html +--- Argyll_V1.0.1.orig/doc/printtarg.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/printtarg.html 2008-07-27 11:36:27.000000000 +0200 +@@ -167,7 +167,7 @@ + file, and a .ti2 file containing the device test values together with + the layout information needed to identify the patch location. This + module can also generate the image recognition templates needed to read +-the print targets in using a scanner.
++the print targets in using an acquisition device.
+
+ The -v flag turns on verbose mode. Prints + information about how many patches there are in a row, how many patches +diff -uNr Argyll_V1.0.1.orig/doc/scanin.html Argyll_V1.0.1/doc/scanin.html +--- Argyll_V1.0.1.orig/doc/scanin.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/scanin.html 2008-07-27 11:34:18.000000000 +0200 +@@ -23,7 +23,7 @@ + recogin.cht + valin.cie [diag.tif]
+    :- inputs +-'input.tif',  and outputs scanner ++'input.tif',  and outputs device + 'input.ti3', or
+
+ usage                   + Replace device values in .ti3
+                       +-Default is to create a scanner .ti3 file
++Default is to create a device .ti3 file
+
 -F x1,y1,x2,y2,x3,y3,x4,y4
+@@ -187,10 +187,10 @@ + of the chart are visible within the image, and if the image is cropped + to exclude the chart edges, it may well not recognize the chart + properly. It is designed to cope with a variety of resolutions, and +-will cope with some degree of noise in the scan (due to screening ++will cope with some degree of noise in the acquisition (due to screening + artefacts on the original, or film grain), but it isn't really designed + to accept very high resolution input. For anything over 600DPI, you +-should consider down sampling the scan using a filtering downsample, ++should consider down sampling the image using a filtering downsample, + before submitting the file to scanin.
+
+ There are 5 basic modes that scanin operates in.
+@@ -199,7 +199,7 @@ + assumed to be parsing an input device characterization chart (ie. an + IT8.7/2 chart), for the purpose of creating a .ti3 data file containing +-the CIE test values and the corresponding RGB scanner values. The .ti3 file can then be used for + creating + an input profile using colprof. The file +@@ -221,7 +221,7 @@ + file in + this situation, should be a good quality image, perhaps synthetically + generated +-(rather than being scanned), and perfectly oriented, to make ++(rather than being parsed), and perfectly oriented, to make + specification + of the patch locations easier. The file arguments are: The + TIFF file that +@@ -245,7 +245,7 @@ + input devices to be used as a crude replacement for a color measuring + instrument. The icc profile has + (presumably) been +-created by scanning an IT8.7/2 chart (or similar) through the RGB input ++created with an image of a IT8.7/2 chart (or similar) through the RGB input + device, + and + then using scanin to create the .ti3 file needed to feed to colprof to +@@ -267,7 +267,7 @@ + The resulting .ti3 file will have the same base name as the input TIFF + file. + If there is more than one page in the test chart, then scanin will need +-to be run multiple times, once for each scan file made from each test ++to be run multiple times, once for each image file made from each test + chart. The -ca flag combination should be + used + for all pages after the first, +@@ -339,7 +339,7 @@ +
+ By default the automatic chart recognition copes with + rotation, scale and stretch in the chart image, making it suitable for +-charts that have been scanned, or shot squarely with a camera. If a ++charts that have been acquired, or shot squarely with a camera. If a + chart has been shot not exactly facing the camera (perhaps to avoid + reflection, or to get more even lighting), then it will suffer from + perspective distortion as well. The Normally scanin computes an average of the pixel values + within a sample square, using a "robust" mean, that discards pixel + values that are too far from the average ("outlier" pixel values). This +-is done in an attempt to discard value that are due to scanning ++is done in an attempt to discard value that are due to acquisition + artefacts such as dust, scratches etc. You can force scanin to return + the true mean values for the sample squares that includes all the pixel + values, by using the -m flag.
+@@ -357,9 +357,9 @@ + Normally scanin has reasonably robust feature + recognition, but the default assumption is that the input chart has an + approximately even visual distribution of patch values, and has been +-scanned and converted to a typical gamma 2.2 corrected image, meaning ++acquired and converted to a typical gamma 2.2 corrected image, meaning + that the average patch pixel value is expected to be about 50%. If this +-is not the case (for instance if the input chart has been scanned with ++is not the case (for instance if the input chart has been processed with + linear light or "raw" encoding), then it may enhance the image + recognition to provide the approximate gamma encoding of the image. For + instance, if linear light encoding ("Raw") is used, a Installing a + display profile +


+-Profiling Scanners

++Profiling Acquisition Devices +

    Types of test charts

+-

    Taking readings from a scanner

+-

    Creating a scanner profile

++

    Taking readings from an acquisition device

++

    Creating an acquisition device profile

+


+ Profiling Printers

+

    Creating a print test chart

+

    Reading a print test chart + using an instrument

+

    Reading a print test chart +-using a scanner

++using an acquisition device +

+

    Creating a printer profile
+

+@@ -353,14 +353,14 @@ + the connected display.
+
+
+-

Profiling Scanners

+-Because a scanner is an input device, it is necessary to go about ++

Profiling Acquisition Devices

++Because a acquisition device is an input device, it is necessary to go about + profiling it in quite a different way to an output device. To profile +-it, a test chart is needed to exercise the scanner response, to which ++it, a test chart is needed to exercise the device response, to which + the CIE values for each test patch is known. Generally standard + reflection or transparency test charts are used for this purpose.
+

Types of test charts

+-The most common and popular test chart for scanner profiling is the ++The most common and popular test chart for acquisiton device profiling is the + IT8.7/2 chart. This is a standard format chart generally reproduced on + photographic film, containing about 264 test patches. The Kodak Q-60 + Color Input Target is a typical example:
+@@ -400,18 +400,18 @@ + CMP_DT_003
+
+-

Taking readings from a scanner

+-The test chart you are using needs to be placed on the scanner, and the +-scanner needs to be configured to a suitable state, and restored to ++

Taking readings from an acquisition device

++The test chart you are using needs to be exposed to the device, and the ++acquisition device needs to be configured to a suitable state, and restored to + that + same state when used subsequently with the resulting profile. The chart + should + be scanned, and saved to a TIFF format file. I will assume the + resulting +-file is called scanner.tif. The raster file need only be roughly ++file is called device.tif. The raster file need only be roughly + cropped so as to contain the test chart (including the charts edges).
+
+-The second step is to extract the RGB values from the scanner.tif file, ++The second step is to extract the RGB values from the device.tif file, + and match then to the reference CIE values. + To locate the patch values in the scan, the scanin utility + needs to +@@ -485,32 +485,32 @@ + chart recognition template file will need to be created (this is beyond + the scope of the current documentation).
+
+-To create the scanner .ti3 file, run the scanin utility as ++To create the device .ti3 file, run the scanin utility as + follows + (assuming an IT8 chart is being used):
+
+- scanin -v scanner.tif It8.cht It8ref.txt
++ scanin -v device.tif It8.cht It8ref.txt
+
+ "It8ref.txt" is assumed to be the name of the CIE reference file +-supplied by the chart manufacturer. The resulting file will be named "scanner.ti3".
++supplied by the chart manufacturer. The resulting file will be named "device.ti3".
+
+ scanin will process 16 bit per +-component .tiff files, which (if the scanner is capable of creating ++component .tiff files, which (if the device is capable of creating + such files),  may improve the quality of the profile.
+
+ If you have any doubts about the correctness of the chart recognition, + or the subsequent profile's delta E report is unusual, then use the + scanin diagnostic flags -dipn and examine + the diag.tif diagnostic file.
+-

Creating a scanner profile

+-Similar to a display profile, a scanner profile can be either a +-shaper/matrix or LUT based profile. Well behaved scanners will ++

Creating an acquisition device profile

++Similar to a display profile, an acquisition device profile can be either a ++shaper/matrix or LUT based profile. Well behaved devices will + probably give the best results + with a shaper/matrix profile, but if the fit is poor, consider using a + LUT + type profile.
+
+-If the purpose of the scanner profile is to use it as a substitute for ++If the purpose of the device profile is to use it as a substitute for + a + colorimeter, then the -u flag should be used to avoid clipping + values above the white point. Unless the shaper/matrix type profile is +@@ -520,24 +520,24 @@ + To create a matrix/shaper profile, the following suffices:
+
+ colprof -v -D"Scanner A" -D"Device A" -qm -as +-scanner
++device
+
+ For a LUT based profile then the following would be used:
+
+ colprof -v -D"Scanner A" ++ href="colprof.html#E">-D"Device A" + -qm +-scanner
++device
+
+ For the purposes of a poor mans colorimeter, the following would + generally be used:
+
+ colprof -v -D"Scanner A" ++ href="colprof.html#E">-D"Device A" + -qm -u +-scanner
++device
+
+ Make sure you check the delta E report at the end of the profile + creation, to see if the profile is behaving reasonably.
+@@ -703,7 +703,7 @@ + -ii1 -pA4 + PrinterA
+
+-For using with a scanner as a colorimeter, the Gretag Spectroscan ++For using with an acquisition device as a colorimeter, the Gretag Spectroscan + layout is suitable, but the -s flag + should be used so as to generate a layout suitable for scan + recognition, as well as generating the scan recognition template +@@ -804,28 +804,27 @@ + for each type of instrument. Continue with Creating + a printer profile.
+
+-

Reading a print test chart using a scanner or +-camera
++

Reading a print test chart using an acquisition device
+

+
+-Argyll supports using a scanner or even a camera as a substitute for a ++Argyll supports using any acquisition device as a substitute for a + colorimeter. +-While a scanner or camera is no replacement for a color measurement ++While most are no replacement for a color measurement + instrument, it may give acceptable results in some situations, and may + give better results than a generic profile for a printing device.
+
+-The main limitation of the scanner-as-colorimeter approach are:
++The main limitation of the any-device-as-colorimeter approach are:
+
+-* The scanner dynamic range and/or precision may not match the printers ++* The acquisition device dynamic range and/or precision may not match the printers + or what is required for a good profile.
+-* The spectral interaction of the scanner test chart and printer test +-chart with the scanner ++* The spectral interaction of the device test chart and printer test ++chart with the device + spectral response can cause color errors.
+ * Spectral differences caused by different black amounts in the print + test chart can cause + color errors.
+ * The IT8 chart gamut may be so much smaller than the printers that the +-scanner profile is too inaccurate.
++acquisition device profile is too inaccurate.
+
+ As well as some of the above, a camera may not be suitable if it + automatically adjusts exposure or white point when taking a picture, +@@ -834,23 +833,23 @@ + The end result is often a profile that has a slight color cast to, + compared to a profile created using a colorimeter or spectrometer..
+
+-It is assumed that you have created a scanner or camera profile ++It is assumed that you have created an acquisition device profile + following the procedure + outline above. For best possible results it +-is advisable to both profile the scanner or camera, and use it in ++is advisable to both profile the acquisition device, and use it in + scanning the + printed test chart, in as "raw" mode as possible (i.e. using 16 bits +-per component images, if the scanner or camera is ++per component images, if the acquisition device is + capable of doing so; not setting white or black points, using a fixed + exposure etc.). It is + generally advisable to create a LUT type input profile, and use the -u flag to + avoid clipping scanned value whiter than the input calibration chart.
+
+-Scan or photograph your printer chart (or charts) on the scanner or +-camera previously profiled. ++Scan or photograph your printer chart (or charts) on the acquisition device ++previously profiled. + The +-scanner or camera must be configured and used exactly the same as it ++acquisition device must be configured and used exactly the same as it + was when it + was profiled.
+
+@@ -858,21 +857,21 @@ + style="font-weight: bold;">PrinterB.tif
(or PrinterB1.tif, PrinterB2.tif etc. in the case of +-multiple charts). As with profiling the scanner or camera, the raster ++multiple charts). As with profiling the acquisition device, the raster + file need + only be roughly cropped so as to contain the test chart.
+
+-The scanner recognition files ++The acquisition device recognition files + created when printtarg was run + is assumed to be called PrinterB.cht. +-Using the scanner profile created previously (assumed to be called scanner.icm), the printer test chart ++Using the device profile created previously (assumed to be called device.icm), the printer test chart + scan patches are converted to CIE values using the scanin utility:
+
+ scanin -v -c PrinterB.tif +-PrinterB.cht scanner.icm ++PrinterB.cht device.icm + PrinterB
+
+ If there were multiple test chart pages, the results would be +@@ -881,15 +880,15 @@ +
+ scanin -v -c PrinterB1.tif +-PrinterB1.cht scanner.icm ++PrinterB1.cht device.icm + PrinterB
+ scanin -v -ca PrinterB2.tif +-PrinterB2.cht scanner.icm ++PrinterB2.cht device.icm + PrinterB
+ scanin -v -ca PrinterB3.tif +-PrinterB3.cht scanner.icm ++PrinterB3.cht device.icm + PrinterB
+
+ Now that the PrinterB.ti3 data +diff -uNr Argyll_V1.0.1.orig/doc/targen.html Argyll_V1.0.1/doc/targen.html +--- Argyll_V1.0.1.orig/doc/targen.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/targen.html 2008-07-27 11:53:34.000000000 +0200 +@@ -615,7 +615,7 @@ +       3 x Letter   1386
+       4 x Letter   1848
+
+-  Scanner (printtarg with -iSS -s options):
++  Acquisition device (printtarg with -iSS -s options):
+
+        1 x A4R      1014
+        2 x A4R      2028
+diff -uNr Argyll_V1.0.1.orig/doc/ti3_format.html Argyll_V1.0.1/doc/ti3_format.html +--- Argyll_V1.0.1.orig/doc/ti3_format.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/ti3_format.html 2008-07-27 11:42:04.000000000 +0200 +@@ -173,7 +173,7 @@ + or "RGB_LAB" for an RGB printer + or display, "CMYK_XYZ" for a + printer, "XYZ_RGB" for an RGB +-scanner.
++acquisition device.
+
+ If spectral values are going to be included in the file, the following + keywords and values shall be used:
+diff -uNr Argyll_V1.0.1.orig/doc/ucmm.html Argyll_V1.0.1/doc/ucmm.html +--- Argyll_V1.0.1.orig/doc/ucmm.html 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/doc/ucmm.html 2008-07-27 11:41:27.000000000 +0200 +@@ -13,7 +13,7 @@ + designed just to handle the necessary configuration needed to track the + installation and association of ICC profiles with Unix/Linux X11 + displays. It could be expanded at some point to also hold the +-associations for other devices such as scanner and printers.
++associations for other devices such as acquisition devices and printers.
+
+ It consists primarily of a small configuration database that associates + a display monitor (identified by its EDID or the X11 display name if an +diff -uNr Argyll_V1.0.1.orig/log.txt Argyll_V1.0.1/log.txt +--- Argyll_V1.0.1.orig/log.txt 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/log.txt 2008-07-27 11:35:38.000000000 +0200 +@@ -1648,7 +1648,7 @@ + + * Added shaper/matrix input profile support. + (profile/profin.c, xicc/xmatrix.c) +- This may be more accurate for scanner profiles, ++ This may be more accurate for device profiles, + given the poor coverage of test points provided + by an IT8 chart (but doesn't appear to be in practice). + +@@ -1659,7 +1659,7 @@ + + * Added support in scanin.c and scanrd.c for + using a scan of a print test chart, plus a +- profile for the scanner, to be able to measure ++ profile for the device, to be able to measure + color for printer calibration. This + new mode handles multi-page test charts. + +@@ -1689,13 +1689,13 @@ + patch spacer contrast determination. + Also added an XYZ to sRGB conversion + function to support RGB previews of N color +- devices, as well as scanner recognition template files. ++ devices, as well as device recognition template files. + + * Expanded xicc/xcolorants.c to incorporate + an approximate device model for arbitrary + colorant combinations. This is used to + be able to approximate expected density readings, +- as well as preview colors and scanner recognition templates. ++ as well as preview colors and device recognition templates. + + * Create a new test point creation module, + target/simplat.c, to create higher dimentional, +@@ -1793,7 +1793,7 @@ + + * Added preliminary support in printtarg for the SpectroScan + spectrodensitometer. Also added preliminary support for +- scanner recognisable test charts. ++ device recognisable test charts. 
+ + * Added option to icclink to turn off the use of linearisation + curves in the output link, since this sometimes seems to +@@ -1960,7 +1960,7 @@ + Cleaned up build automation somewhat. + + Added RGB output device profile generation support. +- Added RGB scanner device profile generation support. ++ Added RGB device profile generation support. + + Added a couple of spectrometer conversion utilities for + raw data files from other CMSs. +diff -uNr Argyll_V1.0.1.orig/profile/profcheck.c Argyll_V1.0.1/profile/profcheck.c +--- Argyll_V1.0.1.orig/profile/profcheck.c 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/profile/profcheck.c 2008-07-27 11:54:01.000000000 +0200 +@@ -360,7 +360,7 @@ + devchan = 3; + isLab = 1; + isAdditive = 1; +- /* Scanner .ti3 files: */ ++ /* Acquisition Device .ti3 files: */ + } else if (strcmp(icg->t[0].kdata[ti],"XYZ_RGB") == 0) { + devspace = icSigRgbData; + devchan = 3; +diff -uNr Argyll_V1.0.1.orig/profile/profin.c Argyll_V1.0.1/profile/profin.c +--- Argyll_V1.0.1.orig/profile/profin.c 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/profile/profin.c 2008-07-27 11:53:08.000000000 +0200 +@@ -49,7 +49,7 @@ + /* + Basic algorithm outline: + +- Scanner: ++ Acquisition Device: + + Figure out the input curves to give + the flattest grid. +diff -uNr Argyll_V1.0.1.orig/scanin/scanin.c Argyll_V1.0.1/scanin/scanin.c +--- Argyll_V1.0.1.orig/scanin/scanin.c 2008-07-27 11:18:53.000000000 +0200 ++++ Argyll_V1.0.1/scanin/scanin.c 2008-07-27 11:26:37.000000000 +0200 +@@ -2,7 +2,7 @@ + /* + * Argyll Color Correction System + * +- * Scanin: Input the scan of a test chart, and output cgats data ++ * Scanin: Input the image of a test chart, and output cgats data + * Uses scanrd to do the hard work. + * + * Author: Graeme W. Gill +@@ -72,7 +72,7 @@ + fprintf(stderr,"Author: Graeme W. 
Gill, licensed under the GPL Version 3\n"); + fprintf(stderr,"\n"); + fprintf(stderr,"usage: scanin [options] input.tif recogin.cht valin.cie [diag.tif]\n"); +- fprintf(stderr," :- inputs 'input.tif' and outputs scanner 'input.ti3', or\n"); ++ fprintf(stderr," :- inputs 'input.tif' and outputs device 'input.ti3', or\n"); + fprintf(stderr,"\n"); + fprintf(stderr,"usage: scanin -g [options] input.tif recogout.cht [diag.tif]\n"); + fprintf(stderr," :- outputs file 'recogout.cht', or\n"); +@@ -92,7 +92,7 @@ + fprintf(stderr," -ca Same as -c, but accumulates more values to .ti3\n"); + fprintf(stderr," from subsequent pages\n"); + fprintf(stderr," -r Replace device values in .ti2/.ti3\n"); +- fprintf(stderr," Default is to create a scanner .ti3 file\n"); ++ fprintf(stderr," Default is to create a device .ti3 file\n"); + fprintf(stderr," -F x1,y1,x2,y2,x3,y3,x4,y4\n"); + fprintf(stderr," Don't auto recognize, locate using four fiducual marks\n"); + fprintf(stderr," -p Compensate for perspective distortion\n"); +@@ -127,12 +127,12 @@ + static char datin_name[200] = { 0 }; /* Data input name (.cie/.q60) */ + static char datout_name[200] = { 0 }; /* Data output name (.ti3/.val) */ + static char recog_name[200] = { 0 }; /* Reference chart name (.cht) */ +- static char prof_name[200] = { 0 }; /* scanner profile name (.cht) */ ++ static char prof_name[200] = { 0 }; /* device profile name (.cht) */ + static char diag_name[200] = { 0 }; /* Diagnostic Output (.tif) name, if used */ + int verb = 1; + int tmean = 0; /* Return true mean, rather than robust mean */ + int repl = 0; /* Replace .ti3 device values from raster file */ +- int outo = 0; /* Output the values read, rather than creating scanner .ti3 */ ++ int outo = 0; /* Output the values read, rather than creating device .ti3 */ + int colm = 0; /* Use inage values to measure color for print profile. 
> 1 == append */ + int flags = SI_GENERAL_ROT; /* Default allow all rotations */ + +@@ -153,7 +153,7 @@ + scanrd *sr; /* Scanrd object */ + int err; + char *errm; +- int pnotscan = 0; /* Number of patches that wern't scanned */ ++ int pnotscan = 0; /* Number of patches that weren't processed */ + + if (argc <= 1) + usage(); +diff -uNr Argyll_V1.0.1.orig/target/printtarg.c Argyll_V1.0.1/target/printtarg.c +--- Argyll_V1.0.1.orig/target/printtarg.c 2008-07-27 11:18:52.000000000 +0200 ++++ Argyll_V1.0.1/target/printtarg.c 2008-07-27 11:37:20.000000000 +0200 +@@ -3252,7 +3252,7 @@ + } + + /******************************************************************/ +-/* Edge tracking support, for generating the scanner image */ ++/* Edge tracking support, for generating the device image */ + /* recognition reference chart file. */ + + /* Establish width and height to convert between topleft and */ +diff -uNr Argyll_V1.0.1.orig/ttbd.txt Argyll_V1.0.1/ttbd.txt +--- Argyll_V1.0.1.orig/ttbd.txt 2008-07-27 11:18:54.000000000 +0200 ++++ Argyll_V1.0.1/ttbd.txt 2008-07-27 11:54:46.000000000 +0200 +@@ -123,7 +123,7 @@ + + * Should create a .ti2 template file for some standard charts, + such as an IT8.7/3, ECI2002 random and non-random etc. +- Scanner recognition files too ?? ++ Device recognition files too ?? + + * Add an option to targen, that allows generation of + test points down the neutral axis (how does this work +@@ -293,7 +293,7 @@ + patch variance is too high (probable faulty read). + + * Add spectral fix options to scanin code to allow compensation +- for scanner and media errors when using a scanned image to ++ for device and media errors when using an acquired image to + measure color. + This means figuring out how it will work, as well as creating + to tools to create the spectral fix data (or just add general diff --git a/argyllcms-1.0.3-remove-libusb-fork-check.patch b/argyllcms-1.0.3-remove-libusb-fork-check.patch new file mode 100644 index 0000000..5fbf3bc 
--- /dev/null +++ b/argyllcms-1.0.3-remove-libusb-fork-check.patch @@ -0,0 +1,13 @@ +diff -uNr Argyll_V1.0.3.orig/spectro/usbio.c Argyll_V1.0.3/spectro/usbio.c +--- Argyll_V1.0.3.orig/spectro/usbio.c 2008-09-03 02:10:32.000000000 +0200 ++++ Argyll_V1.0.3/spectro/usbio.c 2008-09-03 22:27:19.000000000 +0200 +@@ -102,9 +102,6 @@ + #ifdef ENABLE_USB + struct usb_bus *bus; + +- /* Check that we've got an up to date version of libusb */ +- if (usb_argyll_patched() < 2) +- error("usblib isn't up to date to work with this version of Argyll"); + + // ~~99 + // if (p->debug) diff --git a/argyllcms-CVE-2009-0583,0584.patch b/argyllcms-CVE-2009-0583,0584.patch new file mode 100644 index 0000000..4cd0127 --- /dev/null +++ b/argyllcms-CVE-2009-0583,0584.patch 
@@ -0,0 +1,1063 @@ +--- icc/icc.c.CVE-2009-0583,0584 2008-09-03 01:10:23.000000000 +0100 ++++ icc/icc.c 2009-03-20 17:36:41.000000000 +0000 +@@ -53,6 +53,8 @@ + + #define _ICC_C_ /* Turn on implimentation code */ + ++#include ++#include + #include + #include + #include +@@ -122,8 +124,11 @@ size_t count + icmFileMem *p = (icmFileMem *)pp; + size_t len; + ++ if (count > 0 && size > SIZE_MAX / count) ++ return 0; ++ + len = size * count; +- if ((p->cur + len) >= p->end) { /* Too much */ ++ if (len > (p->end - p->cur)) { /* Too much */ + if (size > 0) + count = (p->end - p->cur)/size; + else +@@ -146,8 +151,11 @@ size_t count + icmFileMem *p = (icmFileMem *)pp; + size_t len; + ++ if (count > 0 && size > SIZE_MAX / count) ++ return 0; ++ + len = size * count; +- if ((p->cur + len) >= p->end) { /* Too much */ ++ if (len > (p->end - p->cur)) { /* Too much */ + if (size > 0) + count = (p->end - p->cur)/size; + else +@@ -1725,6 +1733,8 @@ static int icmUnknown_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUnknown_write malloc() failed"); + return icp->errc = 2; +@@ -1833,7 +1843,7 @@ static int icmUnknown_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) { ++ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) { + sprintf(icp->err,"icmUnknown_alloc: malloc() of icmUnknown data failed"); + return icp->errc = 2; + } +@@ -1957,6 +1967,8 @@ static int icmUInt8Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt8Array_write malloc() failed"); + return icp->errc = 
2; +@@ -2021,7 +2033,7 @@ static int icmUInt8Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { ++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { + sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed"); + return icp->errc = 2; + } +@@ -2072,6 +2084,10 @@ static unsigned int icmUInt16Array_get_s + icmUInt16Array *p = (icmUInt16Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 2) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 2; /* 2 bytes for each UInt16 */ + return len; + } +@@ -2144,6 +2160,8 @@ static int icmUInt16Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt16Array_write malloc() failed"); + return icp->errc = 2; +@@ -2208,7 +2226,7 @@ static int icmUInt16Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { ++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { + sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed"); + return icp->errc = 2; + } +@@ -2259,6 +2277,10 @@ static unsigned int icmUInt32Array_get_s + icmUInt32Array *p = (icmUInt32Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 4) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 4; /* 4 bytes for each UInt32 */ + return len; + } +@@ -2331,6 +2353,8 @@ static int icmUInt32Array_write( + + /* 
Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt32Array_write malloc() failed"); + return icp->errc = 2; +@@ -2395,7 +2419,7 @@ static int icmUInt32Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { ++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { + sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed"); + return icp->errc = 2; + } +@@ -2446,6 +2470,10 @@ static unsigned int icmUInt64Array_get_s + icmUInt64Array *p = (icmUInt64Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 8) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 8; /* 8 bytes for each UInt64 */ + return len; + } +@@ -2518,6 +2546,8 @@ static int icmUInt64Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt64Array_write malloc() failed"); + return icp->errc = 2; +@@ -2582,7 +2612,7 @@ static int icmUInt64Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) { ++ if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) { + sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed"); + return icp->errc = 2; + } +@@ -2633,6 +2663,10 @@ static unsigned int icmU16Fixed16Array_g + icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes 
for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 4) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 4; /* 4 byte for each U16Fixed16 */ + return len; + } +@@ -2705,6 +2739,8 @@ static int icmU16Fixed16Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed"); + return icp->errc = 2; +@@ -2769,7 +2805,7 @@ static int icmU16Fixed16Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { ++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { + sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed"); + return icp->errc = 2; + } +@@ -2820,6 +2856,10 @@ static unsigned int icmS15Fixed16Array_g + icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 4) { ++ p->icp->errc = 1; ++ return (unsigned int) - 1; ++ } + len += p->size * 4; /* 4 byte for each S15Fixed16 */ + return len; + } +@@ -2892,6 +2932,8 @@ static int icmS15Fixed16Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed"); + return icp->errc = 2; +@@ -2956,7 +2998,7 @@ static int icmS15Fixed16Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { ++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { + 
sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed"); + return icp->errc = 2; + } +@@ -3049,6 +3091,10 @@ static unsigned int icmXYZArray_get_size + icmXYZArray *p = (icmXYZArray *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 12) { ++ p->icp->errc = 1; ++ return (unsigned int) - 1; ++ } + len += p->size * 12; /* 12 bytes for each XYZ */ + return len; + } +@@ -3121,6 +3167,8 @@ static int icmXYZArray_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmXYZArray_write malloc() failed"); + return icp->errc = 2; +@@ -3188,7 +3236,7 @@ static int icmXYZArray_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) { ++ if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) { + sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed"); + return icp->errc = 2; + } +@@ -3468,6 +3516,10 @@ static unsigned int icmCurve_get_size( + icmCurve *p = (icmCurve *)pp; + unsigned int len = 0; + len += 12; /* 12 bytes for tag, padding and count */ ++ if (p->size > (UINT_MAX - len) / 2) { ++ p->icp->errc = 1; ++ return (unsigned int) - 1; ++ } + len += p->size * 2; /* 2 bytes for each UInt16 */ + return len; + } +@@ -3565,6 +3617,8 @@ static int icmCurve_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmCurve_write malloc() failed"); + return icp->errc = 2; +@@ -3674,7 +3728,7 @@ static int icmCurve_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + 
icp->al->free(icp->al, p->data); +- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { ++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { + sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed"); + return icp->errc = 2; + } +@@ -3824,6 +3878,8 @@ static int icmData_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmData_write malloc() failed"); + return icp->errc = 2; +@@ -3971,7 +4027,7 @@ static int icmData_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) { ++ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) { + sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed"); + return icp->errc = 2; + } +@@ -4096,6 +4152,8 @@ static int icmText_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmText_write malloc() failed"); + return icp->errc = 2; +@@ -4185,7 +4243,7 @@ static int icmText_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { ++ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { + sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed"); + return icp->errc = 2; + } +@@ -4433,6 +4491,8 @@ static int icmDateTimeNumber_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) 
icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmDateTimeNumber_write malloc() failed"); + return icp->errc = 2; +@@ -4523,11 +4583,15 @@ static icmBase *new_icmDateTimeNumber( + /* icmLut object */ + + /* Utility function - raise one integer to an integer power */ +-static unsigned int uipow(unsigned int a, unsigned int b) { ++static int uipow(unsigned int a, unsigned int b, unsigned int *ret) { + unsigned int rv = 1; +- for (; b > 0; b--) ++ for (; b > 0; b--) { ++ if (a > 0 && rv > UINT_MAX / a) ++ return 1; + rv *= a; +- return rv; ++ } ++ *ret = rv; ++ return 0; + } + + /* - - - - - - - - - - - - - - - - */ +@@ -4667,7 +4731,7 @@ double *in /* Input array[outputChan] * + if (p->inputChan <= 8) { + gw = GW; /* Use stack allocation */ + } else { +- if ((gw = (double *) icp->al->malloc(icp->al, (1 << p->inputChan) * sizeof(double))) == NULL) { ++ if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) { + sprintf(icp->err,"icmLut_lookup_clut: malloc() failed"); + return icp->errc = 2; + } +@@ -5653,19 +5717,50 @@ static unsigned int icmLut_get_size( + ) { + icmLut *p = (icmLut *)pp; + unsigned int len = 0; ++ unsigned int pw; + + if (p->ttype == icSigLut8Type) { + len += 48; /* tag and header */ ++ if (p->inputChan > 0 && ++ p->inputEnt > (UINT_MAX - len) / p->inputChan / 1) ++ goto overflow; ++ + len += 1 * (p->inputChan * p->inputEnt); +- len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan, &pw) || ++ (p->outputChan > 0 && ++ pw > (UINT_MAX - len) / p->outputChan / 1)) ++ goto overflow; ++ ++ len += 1 * (p->outputChan * pw); ++ if (p->outputChan > 0 && ++ p->outputEnt > (UINT_MAX - len) / p->outputChan / 1) ++ goto overflow; ++ + len += 1 * (p->outputChan * p->outputEnt); + } else { + len += 52; /* tag and header */ ++ if (p->inputChan > 0 && ++ p->inputEnt > (UINT_MAX - len) / p->inputChan / 2) ++ goto overflow; ++ + len += 2 * (p->inputChan * p->inputEnt); 
+- len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan, &pw) || ++ (p->outputChan > 0 && ++ pw > (UINT_MAX - len) / p->outputChan / 2)) ++ goto overflow; ++ ++ len += 2 * (p->outputChan * pw); ++ if (p->outputChan > 0 && ++ p->outputEnt > (UINT_MAX - len) / p->outputChan / 2) ++ goto overflow; ++ + len += 2 * (p->outputChan * p->outputEnt); + } + return len; ++ ++ overflow: ++ p->icp->errc = 1; ++ return (unsigned int) -1; + } + + /* read the object, return 0 on success, error code on fail */ +@@ -5678,6 +5773,7 @@ static int icmLut_read( + icc *icp = p->icp; + int rv = 0; + unsigned long i, j, g, size; ++ unsigned int pw; + char *bp, *buf; + + if (len < 4) { +@@ -5738,6 +5834,11 @@ static int icmLut_read( + return icp->errc = 1; + } + ++ if (p->clutPoints > 100) { ++ sprintf(icp->err,"icmLut_read: too many clutPoints"); ++ return icp->errc = 1; ++ } ++ + /* Read 3x3 transform matrix */ + for (j = 0; j < 3; j++) { /* Rows */ + for (i = 0; i < 3; i++) { /* Columns */ +@@ -5755,13 +5856,18 @@ static int icmLut_read( + bp = buf+52; + } + +- if (len < icmLut_get_size((icmBase *)p)) { ++ if (len < icmLut_get_size((icmBase *)p) || icp->errc) { + sprintf(icp->err,"icmLut_read: Tag too small for contents"); + icp->al->free(icp->al, buf); + return icp->errc = 1; + } + + /* Read the input tables */ ++ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { ++ sprintf(icp->err,"icmLut_read: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->inputChan * p->inputEnt); + if ((rv = p->allocate((icmBase *)p)) != 0) { + icp->al->free(icp->al, buf); +@@ -5776,7 +5882,14 @@ static int icmLut_read( + } + + /* Read the clut table */ +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ sprintf(icp->err,"icmLut_read: overflow"); ++ icp->al->free(icp->al, buf); ++ return 
icp->errc = 1; ++ } ++ size = (p->outputChan * pw); + if ((rv = p->allocate((icmBase *)p)) != 0) { + icp->al->free(icp->al, buf); + return rv; +@@ -5790,6 +5903,11 @@ static int icmLut_read( + } + + /* Read the output tables */ ++ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { ++ sprintf(icp->err,"icmLut_read: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->outputChan * p->outputEnt); + if ((rv = p->allocate((icmBase *)p)) != 0) { + icp->al->free(icp->al, buf); +@@ -5829,12 +5947,14 @@ static int icmLut_write( + icmLut *p = (icmLut *)pp; + icc *icp = p->icp; + unsigned long i,j; +- unsigned int len, size; ++ unsigned int len, size, pw; + char *bp, *buf; /* Buffer to write from */ + int rv = 0; + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmLut_write malloc() failed"); + return icp->errc = 2; +@@ -5907,6 +6027,11 @@ static int icmLut_write( + } + + /* Write the input tables */ ++ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { ++ sprintf(icp->err,"icmLut_write: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->inputChan * p->inputEnt); + if (p->ttype == icSigLut8Type) { + for (i = 0; i < size; i++, bp += 1) { +@@ -5927,7 +6052,14 @@ static int icmLut_write( + } + + /* Write the clut table */ +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ sprintf(icp->err,"icmLut_write: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } ++ size = (p->outputChan * pw); + if (p->ttype == icSigLut8Type) { + for (i = 0; i < size; i++, bp += 1) { + if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) { +@@ -5947,6 +6079,11 @@ static int icmLut_write( + } + + /* Write the 
output tables */ ++ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { ++ sprintf(icp->err,"icmLut_write: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->outputChan * p->outputEnt); + if (p->ttype == icSigLut8Type) { + for (i = 0; i < size; i++, bp += 1) { +@@ -6017,7 +6154,14 @@ static void icmLut_dump( + if (p->inputChan > MAX_CHAN) { + op->gprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN); + } else { +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ unsigned int pw; ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ fprintf(op,"Would overflow.\n"); ++ return; ++ } ++ size = (p->outputChan * pw); + for (j = 0; j < p->inputChan; j++) + ii[j] = 0; + for (i = 0; i < size;) { +@@ -6056,7 +6200,7 @@ static void icmLut_dump( + static int icmLut_allocate( + icmBase *pp + ) { +- unsigned int i, j, g, size; ++ unsigned int i, j, g, size, pw; + icmLut *p = (icmLut *)pp; + icc *icp = p->icp; + +@@ -6071,6 +6215,10 @@ static int icmLut_allocate( + return icp->errc = 1; + } + ++ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { ++ sprintf(icp->err,"icmLut_alloc: too many entries"); ++ return icp->errc = 1; ++ } + size = (p->inputChan * p->inputEnt); + if (size != p->inputTable_size) { + if (p->inputTable != NULL) +@@ -6081,7 +6229,13 @@ static int icmLut_allocate( + } + p->inputTable_size = size; + } +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ sprintf(icp->err,"icmLut_alloc: overflow"); ++ return icp->errc = 1; ++ } ++ size = (p->outputChan * pw); + if (size != p->clutTable_size) { + if (p->clutTable != NULL) + icp->al->free(icp->al, p->clutTable); +@@ -6091,6 +6245,10 @@ static int icmLut_allocate( + } + p->clutTable_size = size; + } ++ if (p->outputChan > 0 && p->outputEnt > 
UINT_MAX / p->outputChan) { ++ sprintf(icp->err,"icmLut_alloc: overflow"); ++ return icp->errc = 1; ++ } + size = (p->outputChan * p->outputEnt); + if (size != p->outputTable_size) { + if (p->outputTable != NULL) +@@ -6286,6 +6444,8 @@ static int icmMeasurement_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmMeasurement_write malloc() failed"); + return icp->errc = 2; +@@ -6553,13 +6713,20 @@ static unsigned int icmNamedColor_get_si + len += p->nDeviceCoords * 1; /* bytes for each named color */ + } + } else { /* Named Color 2 */ ++ unsigned int col; + len += 8; /* 8 bytes for tag and padding */ + len += 4; /* 4 for vendor specific flags */ + len += 4; /* 4 for count of named colors */ + len += 4; /* 4 for number of device coords */ + len += 32; /* 32 for prefix of color names */ + len += 32; /* 32 for suffix of color names */ +- len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */ ++ col = 32 + 6 + p->nDeviceCoords * 2; ++ if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 || ++ (p->count > 0 && col > (UINT_MAX - len) / p->count)) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } ++ len += p->count * col; /* bytes for each named color */ + } + return len; + } +@@ -6723,6 +6890,8 @@ static int icmNamedColor_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmNamedColor_write malloc() failed"); + return icp->errc = 2; +@@ -7116,6 +7285,8 @@ static int icmColorantTable_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmColorantTable_write malloc() failed"); + return 
icp->errc = 2; +@@ -7270,9 +7441,22 @@ static unsigned int icmTextDescription_g + ) { + icmTextDescription *p = (icmTextDescription *)pp; + unsigned int len = 0; ++ if (p->size > UINT_MAX - (8 + 4 + 8)) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += 8; /* 8 bytes for tag and padding */ + len += 4 + p->size; /* Ascii string length + ascii string */ +- len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */ ++ len += 8; /* Unicode language code + length */ ++ if (p->ucSize > (UINT_MAX - len) / 2) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } ++ len += 2 * p->ucSize; /* Unicode string */ ++ if (len > (UINT_MAX - (3 + 67))) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += 3 + 67; /* ScriptCode code, length string */ + return len; + } +@@ -7460,6 +7644,8 @@ static int icmTextDescription_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmTextDescription_write malloc() failed"); + return icp->errc = 2; +@@ -7710,7 +7896,7 @@ static int icmTextDescription_allocate( + if (p->ucSize != p->uc_size) { + if (p->ucDesc != NULL) + icp->al->free(icp->al, p->ucDesc); +- if ((p->ucDesc = (ORD16 *) icp->al->malloc(icp->al, p->ucSize * sizeof(ORD16))) == NULL) { ++ if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) { + sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed"); + return icp->errc = 2; + } +@@ -7986,6 +8172,12 @@ static int icmProfileSequenceDesc_read( + bp += 8; /* Skip padding */ + + p->count = read_UInt32Number(bp); /* Number of sequence descriptions */ ++ if (p->count > 1000) { ++ sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } ++ + bp += 4; + + /* Read all the sequence descriptions */ +@@ 
-8018,6 +8210,8 @@ static int icmProfileSequenceDesc_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed"); + return icp->errc = 2; +@@ -8088,7 +8282,7 @@ static int icmProfileSequenceDesc_alloca + if (p->count != p->_count) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmDescStruct *) icp->al->malloc(icp->al, p->count * sizeof(icmDescStruct))) == NULL) { ++ if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) { + sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed"); + return icp->errc = 2; + } +@@ -8207,6 +8401,8 @@ static int icmSignature_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmSignature_write malloc() failed"); + return icp->errc = 2; +@@ -8322,6 +8518,10 @@ static unsigned int icmScreening_get_siz + icmScreening *p = (icmScreening *)pp; + unsigned int len = 0; + len += 16; /* 16 bytes for tag, padding, flag & channeles */ ++ if (p->channels > (UINT_MAX - len) / 12) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->channels * 12; /* 12 bytes for each channel */ + return len; + } +@@ -8401,6 +8601,8 @@ static int icmScreening_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmScreening_write malloc() failed"); + return icp->errc = 2; +@@ -8481,7 +8683,7 @@ static int icmScreening_allocate( + if (p->channels != p->_channels) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmScreeningData 
*) icp->al->malloc(icp->al, p->channels * sizeof(icmScreeningData))) == NULL) { ++ if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) { + sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed"); + return icp->errc = 2; + } +@@ -8532,10 +8734,20 @@ static unsigned int icmUcrBg_get_size( + icmUcrBg *p = (icmUcrBg *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->UCRcount > (UINT_MAX - len - 4) / 2) ++ goto overflow; ++ + len += 4 + p->UCRcount * 2; /* Undercolor Removal */ ++ if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2) ++ goto overflow; ++ + len += 4 + p->BGcount * 2; /* Black Generation */ + len += p->size; /* Description string */ + return len; ++ ++ overflow: ++ p->icp->errc = 1; ++ return (unsigned int) -1; + } + + /* read the object, return 0 on success, error code on fail */ +@@ -8664,6 +8876,8 @@ static int icmUcrBg_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUcrBg_write malloc() failed"); + return icp->errc = 2; +@@ -8829,7 +9043,7 @@ static int icmUcrBg_allocate( + if (p->UCRcount != p->UCR_count) { + if (p->UCRcurve != NULL) + icp->al->free(icp->al, p->UCRcurve); +- if ((p->UCRcurve = (double *) icp->al->malloc(icp->al, p->UCRcount * sizeof(double))) == NULL) { ++ if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) { + sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed"); + return icp->errc = 2; + } +@@ -8838,7 +9052,7 @@ static int icmUcrBg_allocate( + if (p->BGcount != p->BG_count) { + if (p->BGcurve != NULL) + icp->al->free(icp->al, p->BGcurve); +- if ((p->BGcurve = (double *) icp->al->malloc(icp->al, p->BGcount * sizeof(double))) == NULL) { ++ if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, 
sizeof(double))) == NULL) { + sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed"); + return icp->errc = 2; + } +@@ -8910,6 +9124,15 @@ static unsigned int icmVideoCardGamma_ge + len += 2; /* 2 bytes for channels */ + len += 2; /* 2 for entry count */ + len += 2; /* 2 for entry size */ ++ if (p->u.table.entryCount > 0 && ++ p->u.table.entrySize > 0 && ++ p->u.table.channels > ++ (UINT_MAX - len) / ++ p->u.table.entryCount / ++ p->u.table.entrySize) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += ( p->u.table.channels * /* compute table size */ + p->u.table.entryCount * + p->u.table.entrySize ); +@@ -8929,10 +9152,11 @@ static int icmVideoCardGamma_read( + ) { + icmVideoCardGamma *p = (icmVideoCardGamma *)pp; + icc *icp = p->icp; +- int rv, c; ++ int rv; + char *bp, *buf; + ORD8 *pchar; + ORD16 *pshort; ++ unsigned long c; + + if (len < 18) { + sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); +@@ -8969,6 +9193,16 @@ static int icmVideoCardGamma_read( + p->u.table.channels = read_UInt16Number(bp+12); + p->u.table.entryCount = read_UInt16Number(bp+14); + p->u.table.entrySize = read_UInt16Number(bp+16); ++ if (p->u.table.entrySize > 65530 || p->u.table.entrySize == 0) { ++ sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)"); ++ return icp->errc = 1; ++ } ++ if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 && ++ p->u.table.channels > ++ UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) { ++ sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag"); ++ return icp->errc = 1; ++ } + if ((len-18) < (unsigned int)(p->u.table.channels + * p->u.table.entryCount + * p->u.table.entrySize)) { +@@ -9039,6 +9273,8 @@ static int icmVideoCardGamma_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmViewingConditions_write malloc() 
failed"); + return icp->errc = 2; +@@ -9211,7 +9447,7 @@ static int icmVideoCardGamma_allocate( + ) { + icmVideoCardGamma *p = (icmVideoCardGamma *)pp; + icc *icp = p->icp; +- int size; ++ unsigned int size; + + /* note: allocation is only relevant for table type + * and in that case the channels, entryCount, and entrySize +@@ -9221,6 +9457,11 @@ static int icmVideoCardGamma_allocate( + if (p->tagType == icmVideoCardGammaTableType) { + if (p->u.table.data != NULL) + icp->al->free(icp->al, p->u.table.data); ++ if (p->u.table.entryCount > 0 && ++ p->u.table.channels > UINT_MAX / p->u.table.entryCount) { ++ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); ++ return icp->errc = 1; ++ } + size = (p->u.table.channels * + p->u.table.entryCount); + switch (p->u.table.entrySize) { +@@ -9228,6 +9469,10 @@ static int icmVideoCardGamma_allocate( + size *= sizeof(ORD8); + break; + case 2: ++ if (size > UINT_MAX / sizeof(unsigned short)) { ++ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); ++ return icp->errc = 1; ++ } + size *= sizeof(unsigned short); + break; + default: +@@ -9428,6 +9673,8 @@ static int icmViewingConditions_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmViewingConditions_write malloc() failed"); + return icp->errc = 2; +@@ -9660,6 +9907,8 @@ static int icmCrdInfo_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmCrdInfo_write malloc() failed"); + return icp->errc = 2; +@@ -9977,6 +10226,8 @@ static int icmHeader_write( + int rv = 0; + + len = p->get_size(p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->calloc(icp->al,1,len)) == NULL) { /* Zero it - some CMS are fussy */ + 
sprintf(icp->err,"icmHeader_write calloc() failed"); + return icp->errc = 2; +@@ -10563,13 +10814,23 @@ static int icc_read_x( + } + + p->count = read_UInt32Number(tcbuf); /* Tag count */ ++ if (p->count > 100) { ++ sprintf(p->err,"icc_read: too many table tags"); ++ return p->errc = 1; ++ } + if (p->count > 0) { + char *bp, *buf; +- if ((p->data = (icmTag *) p->al->malloc(p->al, p->count * sizeof(icmTag))) == NULL) { ++ if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) { + sprintf(p->err,"icc_read: Tag table malloc() failed"); + return p->errc = 2; + } + ++ if (p->count > (UINT_MAX - 4) / 12) { ++ sprintf(p->err,"icc_read: overflow"); ++ p->al->free(p->al, p->data); ++ p->data = NULL; ++ return p->errc = 1; ++ } + len = 4 + p->count * 12; + if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) { + sprintf(p->err,"icc_read: Tag table read buffer malloc() failed"); +@@ -10592,6 +10853,14 @@ static int icc_read_x( + p->data[i].sig = (icTagSignature)read_SInt32Number(bp + 0); + p->data[i].offset = read_UInt32Number(bp + 4); + p->data[i].size = read_UInt32Number(bp + 8); ++ if (p->data[i].offset + p->data[i].size > ++ p->header->size) { ++ sprintf(p->err,"icc_read: tag out of bounds"); ++ p->al->free(p->al, p->data); ++ p->data = NULL; ++ p->al->free(p->al, buf); ++ return p->errc = 1; ++ } + if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0 + || p->fp->read(p->fp, tcbuf, 1, 4) != 4) { + sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers"); +@@ -10728,9 +10997,19 @@ static unsigned int icc_get_size( + } + + size += p->header->get_size(p->header); ++ if (p->errc) ++ return (unsigned int) -1; + /* Assume header is aligned */ ++ if (p->count > (UINT_MAX - 4 - size) / 12) { ++ p->errc = 1; ++ return (unsigned int) -1; ++ } + size += 4 + p->count * 12; /* Tag table length */ + size = DO_ALIGN(size); ++ if (size == 0) { ++ p->errc = 1; ++ return (unsigned int) -1; ++ } + + /* Reset touched flag for each tag type */ + for 
(i = 0; i < p->count; i++) { +@@ -10744,8 +11023,13 @@ static unsigned int icc_get_size( + /* Get size for each tag type, skipping links */ + for (i = 0; i < p->count; i++) { + if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */ +- size += p->data[i].objp->get_size(p->data[i].objp); ++ unsigned int obj_size; + size = DO_ALIGN(size); ++ obj_size = p->data[i].objp->get_size(p->data[i].objp); ++ if (size == 0 || p->errc || ++ obj_size > UINT_MAX - size) ++ return (unsigned int) -1; ++ size += obj_size; + p->data[i].objp->touched = 1; /* Don't account for this again */ + } + } +@@ -10787,11 +11071,27 @@ static int icc_write_x( + } + + size += p->header->get_size(p->header); ++ if (p->errc) ++ return p->errc; ++ + /* Assume header is aligned */ + ++ if (p->count > (UINT_MAX - 4 - len) / 12) { ++ sprintf(p->err,"icc_write: too many tags"); ++ return p->errc = 1; ++ } + len = 4 + p->count * 12; /* Tag table length */ +- len = DO_ALIGN(size + len) - size; /* Aligned size */ +- size = DO_ALIGN(size + len); ++ if (size > (UINT_MAX - len)) { ++ sprintf(p->err,"icc_write: overflow writing tag table"); ++ return p->errc = 1; ++ } ++ len = DO_ALIGN(size + len); ++ if (len == 0) { ++ sprintf(p->err,"icc_write: overflow writing tag table"); ++ return p->errc = 1; ++ } ++ len -= size; /* Aligned size */ ++ size = DO_ALIGN(size + len); /* now known not to overflow */ + + /* Allocate memory buffer for tag table */ + if ((buf = (char *) p->al->calloc(p->al, 1, len)) == NULL) { +@@ -10821,9 +11121,19 @@ static int icc_write_x( + if (p->data[i].objp->touched == 0) { /* Allocate space for tag type */ + p->data[i].offset = size; /* Profile relative target */ + p->data[i].size = p->data[i].objp->get_size(p->data[i].objp); ++ if (p->errc || p->data[i].size > UINT_MAX - size) { ++ sprintf(p->err,"icc_write: internal error - overflow?"); ++ p->al->free(p->al, buf); ++ return p->errc = 1; ++ } + size += p->data[i].size; + p->data[i].pad = DO_ALIGN(size) - size; + size = 
DO_ALIGN(size); ++ if (size == 0) { ++ sprintf(p->err,"icc_write: overflow"); ++ p->al->free(p->al, buf); ++ return p->errc = 1; ++ } + p->data[i].objp->touched = 1; /* Allocated space for it */ + } else { /* must be linked - copy allocation */ + unsigned int k; +@@ -11058,6 +11368,16 @@ static icmBase *icc_add_tag( + } + + /* Make space in tag table for new tag item */ ++ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { ++ sprintf(p->err,"icc_add_tag: overflow"); ++ p->errc = 1; ++ return NULL; ++ } ++ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { ++ sprintf(p->err,"icc_link_tag: overflow"); ++ p->errc = 1; ++ return NULL; ++ } + if (p->data == NULL) + tp = (icmBase *)p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); + else +@@ -16161,7 +16481,9 @@ double *chmax /* device return chann + + lut = ll->lut; + gp = lut->clutTable; /* Base of grid array */ +- size = uipow(lut->clutPoints,lut->inputChan); ++ if (uipow(lut->clutPoints,lut->inputChan,&size) || size < 0) { ++ return -1.0; ++ } + for (i = 0; i < size; i++) { + double tot, vv[MAX_CHAN]; + diff --git a/argyllcms.spec b/argyllcms.spec index 6c7da1f..441b5b3 100644 --- a/argyllcms.spec +++ b/argyllcms.spec @@ -1,10 +1,11 @@ -%define alphaversion Beta8 -%define alphatag .%{alphaversion} -%define archivename argyllV%{version}%{?alphaversion}_src.zip +#define alphaversion Beta8 +#define alphatag .%{alphaversion} + +%define archivename Argyll_V%{version}%{?alphaversion}_src.zip Name: argyllcms -Version: 0.70 -Release: 0.10%{?alphatag}%{?dist} +Version: 1.0.3 +Release: 3%{?alphatag}%{?dist} Summary: ICC compatible color management system Group: User Interface/X 
@@ -12,20 +13,17 @@ License: GPLv3 and MIT URL: http://www.%{name}.com/ Source0: %{url}%{archivename} -Source1: %{name}-0.70-19-color.fdi -Source2: %{name}-0.70-color-device-file.policy -Patch0: %{name}-0.70-build.patch -# Patch by Stefan Brüns, bz421921#c18 -Patch1: %{name}-0.70-printf.patch -# Patch by Stefan Brüns, bz421921#c24 -Patch2: %{name}-0.70-scanin-doublefree-fix.patch +# Many thanks to Alastair M. Robinson! +Patch1: http://www.blackfiveservices.co.uk/Argyll_V1.0.1_autotools.patch.gz +Patch2: %{name}-1.0.3-remove-libusb-fork-check.patch # Patch applied for legal reasons -Patch3: %{name}-0.70-legal.patch +Patch4: %{name}-1.0.2-legal.patch +Patch5: argyllcms-CVE-2009-0583,0584.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) -BuildRequires: jam, libtiff-devel, libusb-devel +BuildRequires: libtiff-devel, libusb-devel BuildRequires: libX11-devel, libXext-devel, libXxf86vm-devel, libXinerama-devel -BuildRequires: libXScrnSaver-devel +BuildRequires: libXScrnSaver-devel, libXrandr-devel Requires: udev, PolicyKit 
@@ -60,108 +58,42 @@ This package contains the Argyll color management system documentation. %prep -%setup -q -c -# Remove useless bundled libs to make sure we don't accidentally include them -rm -fr tiff libusb libusbw -# Make argyllcms actually build on a modern Linux system -%patch0 -p1 -b .build - -# Code fixes -%patch1 -p1 -b .printf -%patch2 -p1 -b .scanin - +%setup -q -n Argyll_V%{version} +# Autotools support +%patch1 -p1 -b .auto +# Use the system libusb. If there is a ***REPORTED*** problem the distro will fix it +%patch2 -p1 -b .sysusb # Legal patch required -%patch3 -p1 -b .legal - -%build -CCOPTFLAG="%{optflags}" -PATH=$PATH:. -export CCOPTFLAG PATH +%patch4 -p1 -b .legal +%patch5 -p0 -%define jam jam -d x -f../Jambase %{?_smp_mflags} +# Salvage policy files +mv libusb/19-color.fdi . +mv libusb/color-device-file.policy . -# Patching and running makeall.ksh would be easier, but that would hide build -# errors from rpm. If the build process was a real DAG a single for loop would -# be sufficient - -for dir in numlib plot icc cgats ; do - pushd $dir - %{jam} - popd -done - -pushd rspl - %{jam} librspl.a -popd - -pushd xicc - %{jam} libxicc.a libxcolorants.a -popd - -pushd gamut - %{jam} -popd +# Remove useless bundled libs to make sure we don't accidentally include them +rm -fr tiff libusb libusbw -pushd spectro - %{jam} libinsttypes.a -popd +chmod u+x configure -for dir in xicc imdi target scanin profile link tweak render spectro rspl ; do - pushd $dir - %{jam} - popd -done +%build +%configure +make %install rm -rf %{buildroot} -# Use upstream's install logic targetting a temp dir so files can be re-sorted -# sanely later - -PATH=$PATH:. -DOTDOT=$PWD/tmp - -export DOTDOT PATH - -for dir in gamut icc imdi link profile render scanin spectro target tweak xicc -do - pushd $dir - %{jam} install - popd -done - -# No business in bin -rm $DOTDOT/bin/*.txt -mv $DOTDOT/bin/*.gam . 
- -# Licensing madness -install -p -m 0644 icc/License.txt License-icc.txt -install -p -m 0644 cgats/License.txt License-cgats.txt - -ln -s ArgyllDoc.html doc/index.html - -# Little CMS conflict -mv $DOTDOT/bin/icclink $DOTDOT/bin/icclink-%{name} - -# Actual install phase - -install -d -m 0755 %{buildroot}%{_bindir} -install -p -m 0755 tmp/bin/* %{buildroot}%{_bindir} - -install -d -m 0755 %{buildroot}%{_datadir}/%{name} -install -p -m 0644 ref/* scanin/QPcard_201.c* *.gam \ - %{buildroot}%{_datadir}/%{name} -rm %{buildroot}%{_datadir}/%{name}/afiles +make install DESTDIR=%{buildroot} # Do some device permission magic install -d -m 0755 %{buildroot}%{_datadir}/hal/fdi/policy/10osvendor/ -install -p -m 0644 %{SOURCE1} \ - %{buildroot}%{_datadir}/hal/fdi/policy/10osvendor/19-color.fdi +install -p -m 0644 19-color.fdi \ + %{buildroot}%{_datadir}/hal/fdi/policy/10osvendor/ install -d -m 0755 %{buildroot}%{_datadir}/PolicyKit/policy/ -install -p -m 0644 %{SOURCE2} \ - %{buildroot}%{_datadir}/PolicyKit/policy/color-device-file.policy +install -p -m 0644 color-device-file.policy \ + %{buildroot}%{_datadir}/PolicyKit/policy/ %clean @@ -173,11 +105,11 @@ rm -rf %{buildroot} %doc *.txt %attr(0755,root,root) %{_bindir}/* -%dir %{_datadir}/%{name} -%{_datadir}/%{name}/* +%{_datadir}/color/argyll %{_datadir}/hal/fdi/policy/10osvendor/19-color.fdi %{_datadir}/PolicyKit/policy/color-device-file.policy +%exclude %{_datadir}/doc %files doc %defattr(0644,root,root,0755) 
@@ -185,6 +117,31 @@ rm -rf %{buildroot} %changelog +* Mon Mar 23 2009 Jon Ciesla - 1.0.3-3 +- Patch for ICC library CVE-2009-{0583, 0584} by Tim Waugh. + +* Mon Feb 23 2009 Fedora Release Engineering - 1.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Sep 3 2008 Nicolas Mailhot +- 1.0.3-1 +⌨ Bugfix release + +* Mon Sep 1 2008 Nicolas Mailhot +- 1.0.2-1 +ᾢ Bugfix release + +* Sun Jul 27 2008 Nicolas Mailhot +- 1.0.1-1 +☻ Lots of workarounds dropped — Argyll continues progressing towards “normal + package” state +☺ No more jam hell ☡, autotooling patch by Alastair M. Robinson ♥♥♥ +♿ New workaround added for private libusb check ⚔ We build againt system + libusb, and will fix ⚕ any problem people care to report +⁜ Re-applied some patches still not merged upstream, including the legal ⚖ one +⚙ It builds, what can go wrong⁉ +⁂ Changed Huey policy file. Huey users, please test + * Wed Mar 26 2008 Tom "spot" Callaway - patch applied for legal reasons diff --git a/sources b/sources index 6f1a938..156fd78 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -5cdc5e6cbb794a06c97f484fd8f9053f argyllV0.70Beta8_src.zip +cdb94385421c2fae1cf6fb068069cd9e Argyll_V1.0.1_autotools.patch.gz +01915869a2fda1fdaa91174edf57a0c6 Argyll_V1.0.3_src.zip
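Review bot: in the icc_get_size hunk, the new failure path returns (unsigned int) -1 without setting p->errc or writing p->err when the aligned size wraps to 0 or when obj_size > UINT_MAX - size, unlike the other overflow paths added by this patch. A caller that only tests p->errc would treat the sentinel as a valid size. Either set p->errc and a message before returning, or document the sentinel in the function comment and check for it at each call site. A short comment that the size == 0 test after DO_ALIGN detects wrap-around would also help the next reader.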
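Review bot: in the first icc_write_x hunk, the bound `p->count > (UINT_MAX - 4 - len) / 12` reads len one line before `len = 4 + p->count * 12` assigns it, so the check depends on whatever len held earlier in the function. Unless len is guaranteed to be zero at that point, compare against (UINT_MAX - 4) / 12, which is the limit the multiplication on the next line actually needs. The two later checks in this hunk share the message "icc_write: overflow writing tag table"; distinct wording for the addition and the alignment case would make a report easier to trace.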
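Review bot: in the second icc_write_x hunk (tag type allocation), p->data[i].offset and p->data[i].size are stored before the overflow test runs, so the error return leaves that tag entry half-updated. Calling get_size into a local and assigning to p->data[i] only after the check passes would keep the table consistent on failure. The message "icc_write: internal error - overflow?" is also vaguer than the "icc_write: overflow" used a few lines below; one wording that names the tag index would be easier to search for.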
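Review bot: in the icc_add_tag hunk, the same condition `p->count > (UINT_MAX / sizeof(icmTag)) - 1` is tested twice in a row, and the second copy reports "icc_link_tag: overflow" from inside icc_add_tag. The second block can never be reached because the first one returns NULL on the same condition, so it looks like a paste from the icc_link_tag change; drop it here. A one-line comment that the bound protects the (p->count+1) * sizeof(icmTag) allocation below would document why the - 1 is there.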
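Review bot: in the last icc.c hunk (the loop over lut->clutTable), the new failure path returns -1.0 without setting an error code or message, so a caller has to know that a negative result means the grid size could not be computed. State that in the function's header comment, or set the error state the way the other hunks in this patch do. The `size < 0` test only has an effect if size is a signed type, which is worth a short comment next to the uipow call.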
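Review bot: in the Source/Patch hunk of argyllcms.spec, Patch5 is the only patch line with no comment giving its origin, and it spells out argyllcms- where the neighbouring lines use %{name}-. Add a comment naming the author and the CVE reference, as is done for Patch1 and Patch4, and use %{name} for consistency. Patch1 is referenced by a plain http URL on a third-party host; note in a comment that the copy actually used in the build is the one pinned in the sources file.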
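Review bot: in the %install part of the %prep/%build/%install hunk, the "Little CMS conflict" rename of icclink to icclink-%{name} is removed and nothing replaces it, while %files still packages %{_bindir}/*. Confirm that make install no longer installs a binary named icclink, or keep the rename, and record the outcome in the changelog. In %prep, %patch5 is applied with -p0 and no -b suffix while every other patch uses -p1 -b; a comment explaining the different strip level would save the next packager a failed build.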