--- icc/icc.c.orig 2009-04-08 08:38:40.000000000 -0400
+++ icc/icc.c 2009-04-08 08:54:08.000000000 -0400
@@ -3312,7 +3312,7 @@ static int icmCurve_lookup_fwd( rv |= 1; } ix = (unsigned int)floor(val); /* Coordinate */ - if (ix > (p->size-2)) + if (ix < 0 || ix > (p->size-2)) ix = (p->size-2); w = val - (double)ix; /* weight */ val = p->data[ix];
@@ -3334,6 +3334,11 @@ static int icmTable_setup_bwd( ) { unsigned int i; + if (size > INT_MAX - 2) + /* Although rt->size is unsigned long, the rt data + * structure uses int data types to store indices. */ + return 2; + rt->size = size; /* Stash pointers to these away */ rt->data = data;
@@ -3352,7 +3357,7 @@ static int icmTable_setup_bwd( rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */ /* Initialize the reverse lookup structures, and get overall min/max */ - if ((rt->rlists = (unsigned int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(unsigned int *))) == NULL) { + if ((rt->rlists = (unsigned int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) { return 2; }
@@ -3365,6 +3370,16 @@ static int icmTable_setup_bwd( int t; t = s; s = e; e = t; } + + /* s and e should both be in the range [0,rt->rsize] + * now, but let's not rely on floating point + * calculations -- double-check. */ + if (s < 0) + s = 0; + if (e < 0) + e = 0; + if (s >= rt->rsize) + s = rt->rsize-1; if (e >= rt->rsize) e = rt->rsize-1;
@@ -3383,6 +3398,9 @@ static int icmTable_setup_bwd( as = rt->rlists[j][0]; /* Allocate space for this list */ nf = rt->rlists[j][1]; /* Next free location in list */ if (nf >= as) { /* need to expand space */ + if (as > INT_MAX / 2 / sizeof (int)) + return 2; + as *= 2; rt->rlists[j] = (unsigned int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(unsigned int) * as); if (rt->rlists[j] == NULL) { 
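Review bot: In the `icmCurve_lookup_fwd` hunk the added `ix < 0` test can never be true if `ix` is unsigned, which the `(unsigned int)floor(val)` cast on the line above suggests (the declaration is outside the hunk). The bound itself is the weaker spot: if `p->size` is an unsigned type holding 0 or 1, `p->size-2` wraps and `p->data[ix]` is left unbounded, so the table should be rejected when `p->size < 2` before the lookup. Clamping in the floating-point domain before the cast, e.g. `if (!(val >= 0.0)) val = 0.0;`, also avoids the undefined conversion of a negative or NaN double. The same `N-2` clamp appears in the hunks at 3434, 4704, 4764, 4838, 4957, 5070 and 9515, where a negative index is mapped to the top entry rather than to 0.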
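Review bot: The new guard at the top of `icmTable_setup_bwd` rejects only large tables; a `size` of 0 or 1 is still accepted, and the lookup code later uses `rt->size-2` as its clamp bound. If no caller relies on one-entry tables (not visible here), add the lower bound to the same check: `if (size < 2 || size > INT_MAX - 2) return 2;`. The comment sits between the `if` and its unbraced `return 2;`, which is easy to misread, so move it above the `if` or brace the body. `INT_MAX` needs `<limits.h>`, and the include list is outside the hunk.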
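Review bot: In the `rt->rlists` allocation hunk, passing the count and element size separately removes the overflow only if the allocator behind `icp->al->calloc` checks the product itself; that implementation is not in this diff, so confirm it or make the check explicit at the call, e.g. `if (rt->rsize > INT_MAX / sizeof(unsigned int *)) return 2;`. The element size is written `sizeof(int *)` while the result is cast to `unsigned int **`; `sizeof *rt->rlists` would keep the two in step. In the string-allocation hunks at 7887, 9061, 10061 and 10071 the multiplier is `sizeof(char)`, so the switch to `calloc` changes zero-initialisation rather than overflow behaviour, and the error messages there still say `malloc()`.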
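Review bot: The clamps added for `s` and `e` run after both values have already been converted from floating point, so an out-of-range or NaN value has gone through an undefined double-to-int conversion before these checks see it. The conversion is outside the hunk, so this is inferred from the new comment. Clamping the double against `0.0` and `rt->rsize-1` before the cast would make the bound hold by construction. The comment gives the range as `[0,rt->rsize]` while the code enforces `[0, rt->rsize-1]`; suggest `/* s and e must be valid rlists indices, i.e. in [0, rt->rsize-1] */`.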
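Review bot: The new `return 2;` in the list-growth hunk exits in the middle of building the reverse lists, and nothing visible here frees `rt->rlists` or the per-entry lists already allocated, so confirm the caller releases them on a non-zero return. The `realloc` result on the following line is stored straight into `rt->rlists[j]`, which loses the old block when the call fails; assign it to a temporary and store it only on success. The limit is computed with `sizeof (int)` while the allocation uses `sizeof(unsigned int)`; use the same expression in both. The failure branch and the rest of the loop are outside the hunk.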
@@ -3434,7 +3452,7 @@ static int icmTable_lookup_bwd( val = rsize_1; ix = (int)floor(val); /* Coordinate */ - if (ix > (rt->size-2)) + if (ix < 0 || ix > (rt->size-2)) ix = (rt->size-2); if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */ /* For each candidate forward range */
@@ -3461,6 +3479,7 @@ static int icmTable_lookup_bwd( /* We have failed to find an exact value, so return the nearest value */ /* (This is slow !) */ val = fabs(ival - rt->data[0]); + /* rt->size is known to be < INT_MAX */ for (k = 0, i = 1; i < rt->size; i++) { double er; er = fabs(ival - rt->data[i]);
@@ -4704,7 +4723,7 @@ double *in /* Input array[inputChan] */ rv |= 1; } ix = (int)floor(val); /* Grid coordinate */ - if (ix > (p->inputEnt-2)) + if (ix < 0 || ix > (p->inputEnt-2)) ix = (p->inputEnt-2); w = val - (double)ix; /* weight */ val = table[ix];
@@ -4764,7 +4783,7 @@ double *in /* Input array[outputChan] * rv |= 1; } x = (int)floor(val); /* Grid coordinate */ - if (x > clutPoints_2) + if (x < 0 || x > clutPoints_2) x = clutPoints_2; co[e] = val - (double)x; /* 1.0 - weight */ gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4838,7 +4857,7 @@ double *in /* Input array[outputChan] * rv |= 1; } x = (int)floor(val); /* Grid coordinate */ - if (x > clutPoints_2) + if (x < 0 || x > clutPoints_2) x = clutPoints_2; co[e] = val - (double)x; /* 1.0 - weight */ gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4957,7 +4976,7 @@ double *in /* Input array[outputChan] * rv |= 1; } x = (int)floor(val); /* Grid coordinate */ - if (x > clutPoints_2) + if (x < 0 || x > clutPoints_2) x = clutPoints_2; co[e] = val - (double)x; /* 1.0 - weight */ gp += x * p->dinc[e]; /* Add index offset for base of cube */ 
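Review bot: In the `icmTable_lookup_bwd` hunk at 3434 the clamp bounds `ix` by `rt->size-2`, but `ix` indexes `rt->rlists`, which `icmTable_setup_bwd` allocates with `rt->rsize` entries, and `val` was clamped to `rsize_1` just above. A negative `ix` is therefore replaced with `rt->size-2`, which is a valid `rlists` index only if `rt->size-2 < rt->rsize`; that relation is not visible in this diff. Clamping to the array actually indexed, `if (ix < 0) ix = 0; else if (ix > rt->rsize-1) ix = rt->rsize-1;`, would not depend on it. The function continues outside the hunk.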
@@ -5070,7 +5089,7 @@ double *in /* Input array[outputChan] * rv |= 1; } ix = (int)floor(val); /* Grid coordinate */ - if (ix > (p->outputEnt-2)) + if (ix < 0 || ix > (p->outputEnt-2)) ix = (p->outputEnt-2); w = val - (double)ix; /* weight */ val = table[ix];
@@ -7887,7 +7906,7 @@ static int icmTextDescription_allocate( if (p->size != p->_size) { if (p->desc != NULL) icp->al->free(icp->al, p->desc); - if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { + if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed"); return icp->errc = 2; }
@@ -9061,7 +9080,7 @@ static int icmUcrBg_allocate( if (p->size != p->_size) { if (p->string != NULL) icp->al->free(icp->al, p->string); - if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { + if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed"); return icp->errc = 2; }
@@ -9515,7 +9534,7 @@ static double icmVideoCardGamma_lookup( else if (val0 > inputEnt_1) val0 = inputEnt_1; ix = (int)floor(val0); /* Coordinate */ - if (ix > (p->u.table.entryCount-2)) + if (ix < 0 || ix > (p->u.table.entryCount-2)) ix = (p->u.table.entryCount-2); w = val0 - (double)ix; /* weight */ if (p->u.table.entrySize == 1) {
@@ -10061,7 +10080,7 @@ static int icmCrdInfo_allocate( if (p->ppsize != p->_ppsize) { if (p->ppname != NULL) icp->al->free(icp->al, p->ppname); - if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) { + if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) { sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed"); return icp->errc = 2; } 
@@ -10071,7 +10090,7 @@ static int icmCrdInfo_allocate( if (p->crdsize[t] != p->_crdsize[t]) { if (p->crdname[t] != NULL) icp->al->free(icp->al, p->crdname[t]); - if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) { + if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) { sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t); return icp->errc = 2; }