diff --git a/.cvsignore b/.cvsignore index 4627381..0bc941f 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,2 +1,2 @@ -netpbm-nojbig-10.22.tar.bz2 -netpbmdoc-10.22.tar.bz2 +netpbm-nojbig-10.24.tar.bz2 +netpbmdoc-nojbig-10.24.tar.bz2 diff --git a/netpbm-10.23-security.patch b/netpbm-10.23-security.patch new file mode 100644 index 0000000..5bb8fd3 --- /dev/null +++ b/netpbm-10.23-security.patch @@ -0,0 +1,2674 @@ +--- netpbm-10.23/generator/ppmrainbow.security 2003-01-04 01:40:56.000000000 +0100 ++++ netpbm-10.23/generator/ppmrainbow 2004-08-04 13:39:34.331583072 +0200 +@@ -11,7 +11,7 @@ + # set defaults + $Twid = 600; + $Thgt = 8; +-$tmpdir = $ENV{"TMPDIR"} || "/tmp"; ++$tmpdir = $ENV{"TMPDIR"} || ".tmp"; + $norepeat = $FALSE; + $verbose = $FALSE; + +--- netpbm-10.23/generator/pgmkernel.c.security 2003-07-06 22:03:29.000000000 +0200 ++++ netpbm-10.23/generator/pgmkernel.c 2004-08-04 13:39:34.331583072 +0200 +@@ -68,7 +68,7 @@ + kycenter = (fysize - 1) / 2.0; + ixsize = fxsize + 0.999; + iysize = fysize + 0.999; +- MALLOCARRAY(fkernel, ixsize * iysize); ++ fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double)); + for (i = 0; i < iysize; i++) + for (j = 0; j < ixsize; j++) { + fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double) +--- netpbm-10.23/generator/pbmpage.c.security 2003-07-09 20:48:11.000000000 +0200 ++++ netpbm-10.23/generator/pbmpage.c 2004-08-04 13:39:34.332582920 +0200 +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include "pbm.h" + + /* Support both US and A4. */ +@@ -161,6 +162,9 @@ + /* We round the allocated row space up to a multiple of 8 so the ugly + fast code below can work. + */ ++ ++ overflow_add(Width, 7); ++ + pbmrow = pbm_allocrow(((Width+7)/8)*8); + + bitmap_cursor = 0; +--- netpbm-10.23/generator/pbmtext.c.security 2004-03-20 22:10:46.000000000 +0100 ++++ netpbm-10.23/generator/pbmtext.c 2004-08-04 13:39:34.343581248 +0200 +@@ -89,12 +89,14 @@ + + for (i = 1; i < argc; i++) { + if (i > 1) { ++ overflow_add(totaltextsize, 1); + totaltextsize += 1; + text = realloc(text, totaltextsize); + if (text == NULL) + pm_error("out of memory allocating space for input text"); + strcat(text, " "); + } ++ overflow_add(totaltextsize, strlen(argv[i])); + totaltextsize += strlen(argv[i]); + text = realloc(text, totaltextsize); + if (text == NULL) +@@ -564,6 +566,7 @@ + struct text input_text; + + if (cmdline_text) { ++ overflow_add(strlen(cmdline_text), 1); + allocTextArray(&input_text, 1, strlen(cmdline_text)); + strcpy(input_text.textArray[0], cmdline_text); + fix_control_chars(input_text.textArray[0], fn); +@@ -586,7 +589,9 @@ + while (fgets(buf, sizeof(buf), stdin) != NULL) { + fix_control_chars(buf, fn); + if (lineCount >= maxlines) { ++ overflow2(maxlines, 2); + maxlines *= 2; ++ overflow2(maxlines, sizeof(char *)); + text_array = (char**) realloc((char*) text_array, + maxlines * sizeof(char*)); + if (text_array == NULL) +@@ -672,6 +677,7 @@ + hmargin = fn->maxwidth; + } else { + vmargin = fn->maxheight; ++ overflow2(2, fn->maxwidth); + hmargin = 2 * fn->maxwidth; + } + } +@@ -685,13 +691,20 @@ + freeTextArray(input_text); + } else + lp = input_text; +- ++ ++ overflow2(2, vmargin); ++ overflow2(lp.lineCount, fn->maxheight); ++ overflow2(lp.lineCount-1, cmdline.lspace); ++ overflow_add(vmargin * 2, lp.lineCount * fn->maxheight); ++ overflow_add(vmargin * 2 + lp.lineCount * fn->maxheight, (lp.lineCount-1) * cmdline.lspace); + rows = 2 * vmargin + + lp.lineCount * fn->maxheight + + (lp.lineCount-1) * cmdline.lspace; + + compute_image_width(lp, fn, cmdline.space, &maxwidth, &maxleftb); + ++ overflow2(2, hmargin); ++ overflow_add(2*hmargin, maxwidth); + cols = 2 * hmargin + maxwidth; + bits = pbm_allocarray(cols, rows); + +--- netpbm-10.23/generator/pgmcrater.c.security 2003-07-06 22:02:41.000000000 +0200 ++++ netpbm-10.23/generator/pgmcrater.c 2004-08-04 13:39:34.345580944 +0200 +@@ -131,7 +131,7 @@ + /* Acquire the elevation array and initialise it to mean + surface elevation. */ + +- MALLOCARRAY(aux, SCRX * SCRY); ++ aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short)); + if (aux == NULL) + pm_error("out of memory allocating elevation array"); + +--- netpbm-10.23/converter/ppm/pcxtoppm.c.security 2004-04-19 23:30:42.000000000 +0200 ++++ netpbm-10.23/converter/ppm/pcxtoppm.c 2004-08-04 13:39:34.347580640 +0200 +@@ -376,6 +376,7 @@ + } + + /* BytesPerLine should be >= BitsPerPixel * cols / 8 */ ++ overflow2(BytesPerLine, 8); + rawcols = BytesPerLine * 8 / BitsPerPixel; + if( cols > rawcols ) { + pm_message("warning - BytesPerLine = %d, " +@@ -383,6 +384,7 @@ + BytesPerLine, rawcols); + cols = rawcols; + } ++ overflow2(Planes, BytesPerLine); + pcxrow = (unsigned char *) + pm_allocrow(Planes * BytesPerLine, sizeof(unsigned char)); + rawrow = (unsigned char *)pm_allocrow(rawcols, sizeof(unsigned char)); +@@ -578,6 +580,8 @@ + /* + * clear the pixel buffer + */ ++ ++ overflow2(bytesperline, 8); + npixels = (bytesperline * 8) / bitsperpixel; + p = pixels; + while (--npixels >= 0) +--- netpbm-10.23/converter/ppm/ppmtopcx.c.security 2004-04-22 00:53:00.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtopcx.c 2004-08-04 13:39:34.348580488 +0200 +@@ -374,6 +374,8 @@ + else Planes = 1; + } + } ++ overflow2(BitsPerPixel, cols); ++ overflow_add(BitsPerPixel * cols, 7); + BytesPerLine = ((cols * BitsPerPixel) + 7) / 8; + MALLOCARRAY_NOFAIL(indexRow, cols); + MALLOCARRAY_NOFAIL(planesrow, BytesPerLine); +--- netpbm-10.23/converter/ppm/imgtoppm.c.security 2002-09-06 18:30:03.000000000 +0200 ++++ netpbm-10.23/converter/ppm/imgtoppm.c 2004-08-04 13:39:34.349580336 +0200 +@@ -84,6 +84,7 @@ + len = atoi((char*) buf ); + if ( fread( buf, len, 1, ifp ) != 1 ) + pm_error( "bad colormap buf" ); ++ overflow2(cmaplen, 3); + if ( cmaplen * 3 != len ) + { + pm_message( +@@ -105,6 +106,7 @@ + pm_error( "bad pixel data header" ); + buf[8] = '\0'; + len = atoi((char*) buf ); ++ overflow2(cols, rows); + if ( len != cols * rows ) + pm_message( + "pixel data length (%d) does not match image size (%d)", +--- netpbm-10.23/converter/ppm/picttoppm.c.security 2004-03-31 21:19:44.000000000 +0200 ++++ netpbm-10.23/converter/ppm/picttoppm.c 2004-08-04 13:39:34.351580032 +0200 +@@ -1,3 +1,5 @@ ++#error "Unfixable. Don't ship me" ++ + /* + * picttoppm.c -- convert a MacIntosh PICT file to PPM format. + * +--- netpbm-10.23/converter/ppm/ppmtoxpm.c.security 2004-03-13 20:37:14.000000000 +0100 ++++ netpbm-10.23/converter/ppm/ppmtoxpm.c 2004-08-04 13:39:34.353579728 +0200 +@@ -180,6 +180,7 @@ + int i; + + /* Allocate memory for printed number. Abort if error. */ ++ overflow_add(digits, 1); + if (!(str = (char *) malloc(digits + 1))) + pm_error("out of memory"); + +@@ -236,6 +237,7 @@ + int mval; + cixel_map * cmap; /* malloc'ed */ + ++ overflow_add(ncolors,1); + MALLOCARRAY(cmap, ncolors + 1); + if (cmapP == NULL) + pm_error("Out of memory allocating %d bytes for a color map.", +--- netpbm-10.23/converter/ppm/ximtoppm.c.security 2004-03-13 20:36:46.000000000 +0100 ++++ netpbm-10.23/converter/ppm/ximtoppm.c 2004-08-04 13:39:34.354579576 +0200 +@@ -239,6 +239,7 @@ + header->bits_channel = atoi(a_head.bits_per_channel); + header->alpha_flag = atoi(a_head.alpha_channel); + if (strlen(a_head.author)) { ++ overflow_add(strlen(a_head.author),1); + if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, + 1))) { + pm_message("ReadXimHeader: can't calloc author string" ); +@@ -248,6 +249,7 @@ + strncpy(header->author, a_head.author, strlen(a_head.author)); + } + if (strlen(a_head.date)) { ++ overflow_add(strlen(a_head.date),1); + if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){ + pm_message("ReadXimHeader: can't calloc date string" ); + return(0); +@@ -256,6 +258,7 @@ + strncpy(header->date, a_head.date, strlen(a_head.date)); + } + if (strlen(a_head.program)) { ++ overflow_add(strlen(a_head.program),1); + if (!(header->program = calloc( + (unsigned int)strlen(a_head.program) + 1, 1))) { + pm_message("ReadXimHeader: can't calloc program string" ); +@@ -282,6 +285,7 @@ + if (header->nchannels == 3 && header->bits_channel == 8) + header->ncolors = 0; + else if (header->nchannels == 1 && header->bits_channel == 8) { ++ overflow2(header->ncolors, sizeof(Color)); + header->colors = (Color *)calloc((unsigned int)header->ncolors, + sizeof(Color)); + if (header->colors == NULL) { +--- netpbm-10.23/converter/ppm/ilbmtoppm.c.security 2003-08-10 00:30:10.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ilbmtoppm.c 2004-08-04 13:39:34.356579272 +0200 +@@ -580,6 +580,7 @@ + rawtype *chp; + + cols = bmhd->w; ++ overflow_add(cols, 15); + bytes = RowBytes(cols); + for( plane = 0; plane < nPlanes; plane++ ) { + int mask; +@@ -620,6 +621,7 @@ + case mskNone: + break; + case mskHasMask: /* mask plane */ ++ overflow_add(cols, 15); + read_ilbm_plane(ifp, chunksizeP, RowBytes(cols), + bmhd->compression); + if( maskfile ) { +@@ -668,6 +670,23 @@ + Multipalette handling + ****************************************************************************/ + ++static void * ++xmalloc2(x, y) ++ int x; ++ int y; ++{ ++ void *mem; ++ ++ overflow2(x,y); ++ if( x * y == 0 ) ++ return NULL; ++ ++ mem = malloc2(x,y); ++ if( mem == NULL ) ++ pm_error("out of memory allocating %d bytes", x * y); ++ return mem; ++} ++ + + static void + multi_adjust(cmap, row, palchange) +@@ -1262,6 +1281,9 @@ + if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) + pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); + ++ overflow_add(redmaxval, 1); ++ overflow_add(greenmaxval, 1); ++ overflow_add(bluemaxval, 1); + MALLOCARRAY_NOFAIL(redtable, redmaxval +1); + MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); + MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); +@@ -1674,7 +1696,9 @@ + ChangeCount32 = *data++; + datasize -= 2; + ++ overflow_add(ChangeCount16, ChangeCount32); + changes = ChangeCount16 + ChangeCount32; ++ overflow_add(changes, 1); + for( i = 0; i < changes; i++ ) { + if( totalchanges >= PCHG->TotalChanges ) goto fail; + if( datasize < 2 ) goto fail; +@@ -1801,6 +1825,7 @@ + if( datasize < 2 ) goto fail; + changes = BIG_WORD(data); data += 2; datasize -= 2; + ++ overflow_add(changes, 1); + MALLOCARRAY_NOFAIL(cmap->mp_change[row], changes + 1); + for( i = 0; i < changes; i++ ) { + if( totalchanges >= PCHG->TotalChanges ) goto fail; +@@ -1913,6 +1938,9 @@ + cmap->mp_change[i] = NULL; + if( PCHG.StartLine < 0 ) { + int nch; ++ if(PCHG.MaxReg < PCHG.MinReg) ++ pm_error("assert: MinReg > MaxReg"); ++ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2); + nch = PCHG.MaxReg - PCHG.MinReg +1; + MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); + for( i = 0; i < nch; i++ ) +@@ -1990,6 +2018,7 @@ + if( typeid == ID_ILBM ) { + int isdeep; + ++ overflow_add(bmhd->w, 15); + MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhd->w)); + *viewportmodesP |= fakeviewport; /* -isham/-isehb */ + +--- netpbm-10.23/converter/ppm/ppmtopj.c.security 2002-09-06 18:32:14.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtopj.c 2004-08-04 13:39:34.357579120 +0200 +@@ -180,6 +180,7 @@ + pixels = ppm_readppm( ifp, &cols, &rows, &maxval ); + + pm_close( ifp ); ++ overflow2(cols,2); + obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char)); + cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char)); + +--- netpbm-10.23/converter/ppm/qrttoppm.c.security 1993-10-04 10:12:56.000000000 +0100 ++++ netpbm-10.23/converter/ppm/qrttoppm.c 2004-08-04 13:39:34.358578968 +0200 +@@ -46,7 +46,7 @@ + + ppm_writeppminit( stdout, cols, rows, maxval, 0 ); + pixelrow = ppm_allocrow( cols ); +- buf = (unsigned char *) malloc( 3 * cols ); ++ buf = (unsigned char *) malloc2( 3 , cols ); + if ( buf == (unsigned char *) 0 ) + pm_error( "out of memory" ); + +--- netpbm-10.23/converter/ppm/ppmtolj.c.security 2002-09-06 18:31:57.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtolj.c 2004-08-04 13:39:34.359578816 +0200 +@@ -182,6 +182,7 @@ + pixels = ppm_readppm( ifp, &cols, &rows, &maxval ); + + pm_close( ifp ); ++ overflow2(cols,6); + obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char)); + cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char)); + if (mode == C_TRANS_MODE_DELTA) +--- netpbm-10.23/converter/ppm/ppmtopict.c.security 2003-02-22 23:04:40.000000000 +0100 ++++ netpbm-10.23/converter/ppm/ppmtopict.c 2004-08-04 13:39:34.360578664 +0200 +@@ -245,6 +245,8 @@ + putShort(stdout, 0); /* mode */ + + /* Finally, write out the data. */ ++ overflow_add(cols/MAX_COUNT, 1); ++ overflow_add(cols, cols/MAX_COUNT+1); + packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1)); + oc = 0; + for (row = 0; row < rows; row++) +--- netpbm-10.23/converter/ppm/ppmtoicr.c.security 2003-02-22 23:05:03.000000000 +0100 ++++ netpbm-10.23/converter/ppm/ppmtoicr.c 2004-08-04 13:39:34.361578512 +0200 +@@ -169,7 +169,7 @@ + + if (rleflag) { + pm_message("sending run-length encoded picture data ..." ); +- testimage = (char*) malloc(rows*cols); ++ testimage = (char*) malloc2(rows, cols); + p = testimage; + for (i=0; i PCL_MAXVAL) + pm_error("color range too large; reduce with ppmcscale"); ++ if (cols < 0 || rows < 0) ++ pm_error("negative size is not possible"); + + /* Figure out the colormap. */ + fprintf( stderr, "(Computing colormap..." ); fflush( stderr ); +@@ -293,6 +295,8 @@ + case 0: /* direct mode (no palette) */ + bpp = bitsperpixel(maxval); /* bits per pixel */ + bpg = bpp; bpb = bpp; ++ overflow2(bpp, 3); ++ overflow_add(bpp*3, 7); + bpp = (bpp*3+7)>>3; /* bytes per pixel now */ + bpr = (bpp<<3)-bpg-bpb; + bpp *= cols; /* bytes per row now */ +@@ -302,9 +306,13 @@ + case 3: case 7: pclindex++; + default: + bpp = 8/pclindex; ++ overflow_add(cols, bpp); ++ if(bpp == 0) ++ pm_error("assert: no bpp"); + bpp = (cols+bpp-1)/bpp; /* bytes per row */ + } + ++ overflow2(bpp,2); + if ((inrow = (char *)malloc((unsigned)bpp)) == NULL || + (outrow = (char *)malloc((unsigned)bpp*2)) == NULL || + (runcnt = (signed char *)malloc((unsigned)bpp)) == NULL) +--- netpbm-10.23/converter/ppm/yuvtoppm.c.security 2003-07-06 22:32:09.000000000 +0200 ++++ netpbm-10.23/converter/ppm/yuvtoppm.c 2004-08-04 13:39:34.363578208 +0200 +@@ -72,6 +72,7 @@ + + ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0); + pixrow = ppm_allocrow(cols); ++ overflow_add(cols, 1); + MALLOCARRAY(yuvbuf, (cols+1)/2); + if (yuvbuf == NULL) + pm_error("Unable to allocate YUV buffer for %d columns.", cols); +--- netpbm-10.23/converter/ppm/ppmtoeyuv.c.security 2003-07-07 00:22:35.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtoeyuv.c 2004-08-04 13:39:34.364578056 +0200 +@@ -113,6 +113,7 @@ + + int index; + ++ overflow_add(maxval, 1); + MALLOCARRAY_NOFAIL(mult299 , maxval+1); + MALLOCARRAY_NOFAIL(mult587 , maxval+1); + MALLOCARRAY_NOFAIL(mult114 , maxval+1); +--- netpbm-10.23/converter/ppm/ppmtowinicon.c.security 2004-05-01 21:00:55.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtowinicon.c 2004-08-04 13:39:34.366577752 +0200 +@@ -12,6 +12,7 @@ + + #include + #include ++#include + + #include "winico.h" + #include "ppm.h" +@@ -218,6 +219,7 @@ + MALLOCARRAY_NOFAIL(rowData, rows); + icBitmap->xBytes = xBytes; + icBitmap->data = rowData; ++ overflow2(xBytes, rows); + icBitmap->size = xBytes * rows; + for (y=0;yxBytes = xBytes; + icBitmap->data = rowData; ++ overflow2(xBytes, rows); + icBitmap->size = xBytes * rows; + + for (y=0;yxBytes = xBytes; + icBitmap->data = rowData; ++ overflow2(xBytes, rows); + icBitmap->size = xBytes * rows; + + for (y=0;ybitcount = bpp; + entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); + entry->colors = palette->colors; ++ overflow2(4, entry->color_count); ++ overflow_add(xorBitmap->size, andBitmap->size); ++ overflow_add(xorBitmap->size + andBitmap->size, 40); ++ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); + entry->size_in_bytes = + xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); + if (verbose) +@@ -731,12 +739,13 @@ + /* + * Add the entry to the entries array. + */ ++ overflow_add(MSIconData->count,1); + MSIconData->count++; + /* + * Perhaps I should use something that allocs a decent amount at start... + */ + MSIconData->entries = +- realloc (MSIconData->entries, MSIconData->count * sizeof(IC_Entry *)); ++ realloc2 (MSIconData->entries, MSIconData->count * sizeof(IC_Entry *)); + MSIconData->entries[MSIconData->count-1] = entry; + } + +--- netpbm-10.23/converter/ppm/ppmtompeg/iframe.c.security 2002-12-21 23:23:32.000000000 +0100 ++++ netpbm-10.23/converter/ppm/ppmtompeg/iframe.c 2004-08-04 13:39:34.368577448 +0200 +@@ -857,6 +857,7 @@ + int ysz = (Fsize_y>>3) * sizeof(int32 *); + int xsz = (Fsize_x>>3); + ++ overflow2(Fsize_y>>3, sizeof(int32 *)); + needs_init = FALSE; + for (y=0; y<3; y++) { + varDiff[y] = ratio[y] = total[y] = 0.0; +@@ -875,6 +876,7 @@ + fprintf(stderr, "Out of memory in BlockComputeSNR\n"); + exit(-1); + } ++ overflow2(xsz, 4); + for (y = 0; y < ySize[0]>>3; y++) { + SignalY[y] = (int32 *) calloc(xsz,4); + SignalCr[y] = (int32 *) calloc(xsz,4); +@@ -1030,27 +1032,27 @@ + dctx = Fsize_x / DCTSIZE; + dcty = Fsize_y / DCTSIZE; + +- dct = (Block **) malloc(sizeof(Block *) * dcty); ++ dct = (Block **) malloc2(sizeof(Block *), dcty); + ERRCHK(dct, "malloc"); + for (i = 0; i < dcty; i++) { +- dct[i] = (Block *) malloc(sizeof(Block) * dctx); ++ dct[i] = (Block *) malloc2(sizeof(Block), dctx); + ERRCHK(dct[i], "malloc"); + } + +- dct_data = (dct_data_type **) malloc(sizeof(dct_data_type *) * dcty); ++ dct_data = (dct_data_type **) malloc2(sizeof(dct_data_type *), dcty); + ERRCHK(dct_data, "malloc"); + for (i = 0; i < dcty; i++) { +- dct_data[i] = (dct_data_type *) malloc(sizeof(dct_data_type) * dctx); ++ dct_data[i] = (dct_data_type *) malloc2(sizeof(dct_data_type),dctx); + ERRCHK(dct[i], "malloc"); + } + +- dctr = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); +- dctb = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); ++ dctr = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); ++ dctb = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); + ERRCHK(dctr, "malloc"); + ERRCHK(dctb, "malloc"); + for (i = 0; i < (dcty >> 1); i++) { +- dctr[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); +- dctb[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); ++ dctr[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); ++ dctb[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); + ERRCHK(dctr[i], "malloc"); + ERRCHK(dctb[i], "malloc"); + } +--- netpbm-10.23/converter/ppm/ppmtompeg/jpeg.c.security 2002-10-17 16:49:49.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtompeg/jpeg.c 2004-08-04 13:39:34.369577296 +0200 +@@ -228,7 +228,7 @@ + exit(1); + } + +- inoffsets = (int *)malloc(no_frames*sizeof(int)); ++ inoffsets = (int *)malloc2(no_frames, sizeof(int)); + + if (fread (&(width),sizeof(int),1,inFile) != 1) + { +--- netpbm-10.23/converter/ppm/ppmtompeg/psearch.c.security 2002-10-14 04:22:16.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtompeg/psearch.c 2004-08-04 13:39:34.370577144 +0200 +@@ -217,7 +217,14 @@ + int const max_search = max(searchRangeP, searchRangeB); + + int index; +- ++ ++ overflow2(searchRangeP, 2); ++ overflow2(searchRangeB, 2); ++ overflow_add(searchRangeP*2, 3); ++ overflow_add(searchRangeB*2, 3); ++ overflow2(2*searchRangeB+3, sizeof(int)); ++ overflow2(2*searchRangeP+3, sizeof(int)); ++ + pmvHistogram = (int **) malloc((2*searchRangeP+3)*sizeof(int *)); + bbmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *)); + bfmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *)); +@@ -824,6 +831,9 @@ + int *columnTotals; + int rowTotal; + ++ overflow2(searchRangeP, 2); ++ overflow_add(searchRangeP*2, 3); ++ overflow2(searchRangeP*2+3, sizeof(int)); + columnTotals = (int *) calloc(2*searchRangeP+3, sizeof(int)); + + #ifdef COMPLETE_DISPLAY +@@ -871,6 +881,9 @@ + + fprintf(fpointer, "B-frame Backwards:\n"); + ++ overflow2(searchRangeB, 2); ++ overflow_add(searchRangeB*2, 3); ++ overflow2(searchRangeB*2+3, sizeof(int)); + columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int)); + + #ifdef COMPLETE_DISPLAY +@@ -918,6 +931,9 @@ + + fprintf(fpointer, "B-frame Forwards:\n"); + ++ overflow2(searchRangeB, 2); ++ overflow_add(searchRangeB*2, 3); ++ overflow2(searchRangeB*2+3, sizeof(int)); + columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int)); + + #ifdef COMPLETE_DISPLAY +--- netpbm-10.23/converter/ppm/ppmtompeg/frame.c.security 2004-05-16 02:47:26.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtompeg/frame.c 2004-08-04 13:39:34.372576840 +0200 +@@ -139,24 +139,25 @@ + omfrw->orig_y = NULL; + Fsize_x = out_x; + /* Allocate new frame memory */ +- omfrw->orig_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y); ++ omfrw->orig_y = (uint8 **) malloc2(sizeof(uint8 *) , Fsize_y); + ERRCHK(omfrw->orig_y, "malloc"); + for (y = 0; y < Fsize_y; y++) { +- omfrw->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * out_x); ++ omfrw->orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , out_x); + ERRCHK(omfrw->orig_y[y], "malloc"); + } + +- omfrw->orig_cr = (uint8 **) malloc(sizeof(int8 *) * Fsize_y / 2); ++ omfrw->orig_cr = (uint8 **) malloc2(sizeof(int8 *) , Fsize_y / 2); + ERRCHK(omfrw->orig_cr, "malloc"); ++ overflow2(out_x, sizeof(int8)); + for (y = 0; y < Fsize_y / 2; y++) { +- omfrw->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * out_x / 2); ++ omfrw->orig_cr[y] = (uint8 *) malloc2(sizeof(int8) , out_x / 2); + ERRCHK(omfrw->orig_cr[y], "malloc"); + } + +- omfrw->orig_cb = (uint8 **) malloc(sizeof(int8 *) * Fsize_y / 2); ++ omfrw->orig_cb = (uint8 **) malloc2(sizeof(int8 *) , Fsize_y / 2); + ERRCHK(omfrw->orig_cb, "malloc"); + for (y = 0; y < Fsize_y / 2; y++) { +- omfrw->orig_cb[y] = (uint8 *) malloc(sizeof(int8) * out_x / 2); ++ omfrw->orig_cb[y] = (uint8 *) malloc2(sizeof(int8) , out_x / 2); + ERRCHK(omfrw->orig_cb[y], "malloc"); + } + +@@ -207,24 +208,26 @@ + Fsize_y = out_y; + + /* Allocate new frame memory */ +- omfrh->orig_y = (uint8 **) malloc(sizeof(uint8 *) * out_y); ++ omfrh->orig_y = (uint8 **) malloc2(sizeof(uint8 *), out_y); + ERRCHK(omfrh->orig_y, "malloc"); + for (y = 0; y < out_y; y++) { +- omfrh->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x); ++ omfrh->orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , Fsize_x); + ERRCHK(omfrh->orig_y[y], "malloc"); + } + +- omfrh->orig_cr = (uint8 **) malloc(sizeof(int8 *) * out_y / 2); ++ overflow2(out_y, sizeof(int8 *)); ++ omfrh->orig_cr = (uint8 **) malloc2(sizeof(int8 *) , out_y / 2); + ERRCHK(omfrh->orig_cr, "malloc"); ++ overflow2(sizeof(int8), Fsize_x); + for (y = 0; y < out_y / 2; y++) { +- omfrh->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * Fsize_x / 2); ++ omfrh->orig_cr[y] = (uint8 *) malloc2(sizeof(int8) , Fsize_x / 2); + ERRCHK(omfrh->orig_cr[y], "malloc"); + } + +- omfrh->orig_cb = (uint8 **) malloc(sizeof(int8 *) * out_y / 2); ++ omfrh->orig_cb = (uint8 **) malloc2(sizeof(int8 *) , out_y / 2); + ERRCHK(omfrh->orig_cb, "malloc"); + for (y = 0; y < out_y / 2; y++) { +- omfrh->orig_cb[y] = (uint8 *) malloc(sizeof(int8) * Fsize_x / 2); ++ omfrh->orig_cb[y] = (uint8 *) malloc2(sizeof(int8) , Fsize_x / 2); + ERRCHK(omfrh->orig_cb[y], "malloc"); + } + +@@ -528,20 +531,20 @@ + dctx = Fsize_x / DCTSIZE; + dcty = Fsize_y / DCTSIZE; + +- frame->y_blocks = (Block **) malloc(sizeof(Block *) * dcty); ++ frame->y_blocks = (Block **) malloc2(sizeof(Block *), dcty); + ERRCHK(frame->y_blocks, "malloc"); + for (i = 0; i < dcty; i++) { +- frame->y_blocks[i] = (Block *) malloc(sizeof(Block) * dctx); ++ frame->y_blocks[i] = (Block *) malloc2(sizeof(Block), dctx); + ERRCHK(frame->y_blocks[i], "malloc"); + } + +- frame->cr_blocks = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); +- frame->cb_blocks = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); ++ frame->cr_blocks = (Block **) malloc2(sizeof(Block *) , (dcty >> 1)); ++ frame->cb_blocks = (Block **) malloc2(sizeof(Block *) , (dcty >> 1)); + ERRCHK(frame->cr_blocks, "malloc"); + ERRCHK(frame->cb_blocks, "malloc"); + for (i = 0; i < (dcty >> 1); i++) { +- frame->cr_blocks[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); +- frame->cb_blocks[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); ++ frame->cr_blocks[i] = (Block *) malloc2(sizeof(Block) , (dctx >> 1)); ++ frame->cb_blocks[i] = (Block *) malloc2(sizeof(Block) , (dctx >> 1)); + ERRCHK(frame->cr_blocks[i], "malloc"); + ERRCHK(frame->cb_blocks[i], "malloc"); + } +@@ -573,24 +576,24 @@ + /* + * first, allocate tons of memory + */ +- frame->orig_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y); ++ frame->orig_y = (uint8 **) malloc2(sizeof(uint8 *), Fsize_y); + ERRCHK(frame->orig_y, "malloc"); + for (y = 0; y < Fsize_y; y++) { +- frame->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x); ++ frame->orig_y[y] = (uint8 *) malloc2(sizeof(uint8), Fsize_x); + ERRCHK(frame->orig_y[y], "malloc"); + } + +- frame->orig_cr = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1)); ++ frame->orig_cr = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1)); + ERRCHK(frame->orig_cr, "malloc"); + for (y = 0; y < (Fsize_y >> 1); y++) { +- frame->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * (Fsize_x >> 1)); ++ frame->orig_cr[y] = (uint8 *) malloc2(sizeof(int8), (Fsize_x >> 1)); + ERRCHK(frame->orig_cr[y], "malloc"); + } + +- frame->orig_cb = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1)); ++ frame->orig_cb = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1)); + ERRCHK(frame->orig_cb, "malloc"); + for (y = 0; y < (Fsize_y >> 1); y++) { +- frame->orig_cb[y] = (uint8 *) malloc(sizeof(int8) * (Fsize_x >> 1)); ++ frame->orig_cb[y] = (uint8 *) malloc2(sizeof(int8), (Fsize_x >> 1)); + ERRCHK(frame->orig_cb[y], "malloc"); + } + +@@ -624,22 +627,24 @@ + return; + } + +- frame->halfX = (uint8 **) malloc(Fsize_y*sizeof(uint8 *)); ++ frame->halfX = (uint8 **) malloc2(Fsize_y, sizeof(uint8 *)); + ERRCHK(frame->halfX, "malloc"); +- frame->halfY = (uint8 **) malloc((Fsize_y-1)*sizeof(uint8 *)); ++ if(Fsize_y == 0 || Fsize_x == 0) ++ pm_error("assert: zero size"); ++ frame->halfY = (uint8 **) malloc2((Fsize_y-1), sizeof(uint8 *)); + ERRCHK(frame->halfY, "malloc"); +- frame->halfBoth = (uint8 **) malloc((Fsize_y-1)*sizeof(uint8 *)); ++ frame->halfBoth = (uint8 **) malloc2((Fsize_y-1), sizeof(uint8 *)); + ERRCHK(frame->halfBoth, "malloc"); + for ( y = 0; y < Fsize_y; y++ ) { +- frame->halfX[y] = (uint8 *) malloc((Fsize_x-1)*sizeof(uint8)); ++ frame->halfX[y] = (uint8 *) malloc2((Fsize_x-1), sizeof(uint8)); + ERRCHK(frame->halfX[y], "malloc"); + } + for ( y = 0; y < Fsize_y-1; y++ ) { +- frame->halfY[y] = (uint8 *) malloc(Fsize_x*sizeof(uint8)); ++ frame->halfY[y] = (uint8 *) malloc2(Fsize_x, sizeof(uint8)); + ERRCHK(frame->halfY[y], "malloc"); + } + for ( y = 0; y < Fsize_y-1; y++ ) { +- frame->halfBoth[y] = (uint8 *) malloc((Fsize_x-1)*sizeof(uint8)); ++ frame->halfBoth[y] = (uint8 *) malloc2((Fsize_x-1), sizeof(uint8)); + ERRCHK(frame->halfBoth[y], "malloc"); + } + } +@@ -673,24 +678,24 @@ + it for some reason, so do it this way at least for now -- more + flexible + */ +- frame->decoded_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y); ++ frame->decoded_y = (uint8 **) malloc2(sizeof(uint8 *), Fsize_y); + ERRCHK(frame->decoded_y, "malloc"); + for (y = 0; y < Fsize_y; y++) { +- frame->decoded_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x); ++ frame->decoded_y[y] = (uint8 *) malloc2(sizeof(uint8), Fsize_x); + ERRCHK(frame->decoded_y[y], "malloc"); + } + +- frame->decoded_cr = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1)); ++ frame->decoded_cr = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1)); + ERRCHK(frame->decoded_cr, "malloc"); + for (y = 0; y < (Fsize_y >> 1); y++) { +- frame->decoded_cr[y] = (uint8 *) malloc(sizeof(uint8) * (Fsize_x >> 1)); ++ frame->decoded_cr[y] = (uint8 *) malloc2(sizeof(uint8), (Fsize_x >> 1)); + ERRCHK(frame->decoded_cr[y], "malloc"); + } + +- frame->decoded_cb = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1)); ++ frame->decoded_cb = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1)); + ERRCHK(frame->decoded_cb, "malloc"); + for (y = 0; y < (Fsize_y >> 1); y++) { +- frame->decoded_cb[y] = (uint8 *) malloc(sizeof(uint8) * (Fsize_x >> 1)); ++ frame->decoded_cb[y] = (uint8 *) malloc2(sizeof(uint8), (Fsize_x >> 1)); + ERRCHK(frame->decoded_cb[y], "malloc"); + } + +--- netpbm-10.23/converter/ppm/ppmtompeg/parallel.c.security 2004-08-04 13:39:34.312585960 +0200 ++++ netpbm-10.23/converter/ppm/ppmtompeg/parallel.c 2004-08-04 13:39:34.374576536 +0200 +@@ -376,8 +376,8 @@ + free(bigBuffer); + } + +- bigBuffer = (unsigned char *) malloc(bigBufferSize* +- sizeof(unsigned char)); ++ bigBuffer = (unsigned char *) malloc2(bigBufferSize, ++ sizeof(unsigned char)); + } + + /* now read in the bytes */ +@@ -708,7 +708,7 @@ + + TransmitPortNum(parallelHostName, portNum, combinePortNum); + +- frameDone = (boolean *) malloc(numInputFiles*sizeof(boolean)); ++ frameDone = (boolean *) malloc2(numInputFiles, sizeof(boolean)); + memset((char *)frameDone, 0, numInputFiles*sizeof(boolean)); + + if ( (ofp = fopen(outputFileName, "wb")) == NULL ) { +@@ -1312,7 +1312,9 @@ + int clientSocket; + + /* should keep list of port numbers to notify when frames become ready */ +- ++ ++ overflow2(numInputFiles, sizeof(int)); ++ overflow2(numInputFiles, sizeof(boolean)); + ready = (boolean *) calloc(numInputFiles, sizeof(boolean)); + waitMachine = (int *) calloc(numInputFiles, sizeof(int)); + waitPort = (int *) malloc(numMachines*sizeof(int)); +--- netpbm-10.23/converter/ppm/ppmtompeg/rgbtoycc.c.security 2004-05-16 02:13:43.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtompeg/rgbtoycc.c 2004-08-04 13:39:34.375576384 +0200 +@@ -96,6 +96,8 @@ + } + table_maxval = maxval; + ++ overflow_add(table_maxval, 1); ++ overflow2(table_maxval+1, sizeof(float)); + mult299 = malloc((table_maxval+1)*sizeof(float)); + mult587 = malloc((table_maxval+1)*sizeof(float)); + mult114 = malloc((table_maxval+1)*sizeof(float)); +--- netpbm-10.23/converter/ppm/pjtoppm.c.security 2003-07-06 23:45:36.000000000 +0200 ++++ netpbm-10.23/converter/ppm/pjtoppm.c 2004-08-04 13:39:34.376576232 +0200 +@@ -127,19 +127,21 @@ + case 'V': /* send plane */ + case 'W': /* send last plane */ + if (rows == -1 || r >= rows || image == NULL) { +- if (rows == -1 || r >= rows) ++ if (rows == -1 || r >= rows) { ++ overflow_add(rows, 100); + rows += 100; ++ } + if (image == NULL) { +- MALLOCARRAY(image, rows * planes); +- MALLOCARRAY(imlen, rows * planes); ++ image = (unsigned char **) ++ malloc3(rows , planes , sizeof(unsigned char *)); ++ imlen = (int *) malloc3(rows , planes, sizeof(int)); + } + else { ++ overflow2(rows,planes); + image = (unsigned char **) +- realloc(image, +- rows * planes * ++ realloc2(image, rows * planes, + sizeof(unsigned char *)); +- imlen = (int *) +- realloc(imlen, rows * planes * sizeof(int)); ++ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); + } + } + if (image == NULL || imlen == NULL) +@@ -212,8 +214,10 @@ + for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) + for (cmd = image[p + r * planes][c], + val = image[p + r * planes][c+1]; +- cmd >= 0 && i < newcols; cmd--, i++) ++ cmd >= 0 && i < newcols; cmd--, i++) { + buf[i] = val; ++ overflow_add(i, 1); ++ } + cols = cols > i ? cols : i; + free(image[p + r * planes]); + /* +@@ -224,6 +228,7 @@ + image[p + r * planes] = (unsigned char *) realloc(buf, i); + } + } ++ overflow2(cols, 8); + cols *= 8; + } + +--- netpbm-10.23/converter/ppm/xpmtoppm.c.security 2004-03-13 20:36:36.000000000 +0100 ++++ netpbm-10.23/converter/ppm/xpmtoppm.c 2004-08-04 13:39:34.377576080 +0200 +@@ -685,6 +685,7 @@ + &ncolors, colorsP, &ptab); + *transparentP = -1; /* No transparency in version 1 */ + } ++ overflow2(*widthP, *heightP); + totalpixels = *widthP * *heightP; + MALLOCARRAY(*dataP, totalpixels); + if (*dataP == NULL) +--- netpbm-10.23/converter/ppm/Makefile.security 2004-08-04 10:41:33.000000000 +0200 ++++ netpbm-10.23/converter/ppm/Makefile 2004-08-04 13:39:34.378575928 +0200 +@@ -11,7 +11,7 @@ + + PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ + leaftoppm mtvtoppm neotoppm \ +- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ ++ pcxtoppm pc1toppm pi1toppm pjtoppm \ + ppmtoacad ppmtoarbtxt \ + ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ + ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ +--- netpbm-10.23/converter/ppm/ppmtomitsu.c.security 2003-07-06 23:04:25.000000000 +0200 ++++ netpbm-10.23/converter/ppm/ppmtomitsu.c 2004-08-04 13:39:34.380575624 +0200 +@@ -164,6 +164,8 @@ + medias = MSize_User; + + if (dpi300) { ++ overflow2(medias.maxcols, 2); ++ overflow2(medias.maxrows, 2); + medias.maxcols *= 2; + medias.maxrows *= 2; + } +--- netpbm-10.23/converter/ppm/ppmtoilbm.c.security 2004-03-20 06:06:39.000000000 +0100 ++++ netpbm-10.23/converter/ppm/ppmtoilbm.c 2004-08-04 13:39:34.382575320 +0200 +@@ -810,11 +810,15 @@ + + if( mode != MODE_CMAP ) { + register int i; ++ overflow_add(cols, 15); + MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols)); + for( i = 0; i < RowBytes(cols); i++ ) + coded_rowbuf[i] = 0; +- if( DO_COMPRESS ) ++ if( DO_COMPRESS ) { ++ overflow2(cols,2); ++ overflow_add(cols *2, 2); + MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols))); ++ } + } + + switch( mode ) { +@@ -1905,6 +1909,7 @@ + + maskmethod = 0; /* no masking - RGB8 uses genlock bits */ + compmethod = 4; /* RGB8 files are always compressed */ ++ overflow2(cols, 4); + MALLOCARRAY_NOFAIL(compr_row, cols * 4); + + if( maxval != 255 ) { +@@ -1993,6 +1998,7 @@ + + maskmethod = 0; /* no masking - RGBN uses genlock bits */ + compmethod = 4; /* RGBN files are always compressed */ ++ overflow2(cols, 2); + MALLOCARRAY_NOFAIL(compr_row, cols * 2); + + if( maxval != 15 ) { +@@ -2405,6 +2411,21 @@ + register unsigned char *inbuf = coded_rowbuf; + register unsigned char *outbuf = compr_rowbuf; + ++static void * ++xmalloc2(x,y) ++ int x; ++ int y; ++{ ++ void *mem; ++ ++ overflow2(x, y); ++ ++ mem = malloc2(x, y); ++ if( mem == NULL ) ++ pm_error("out of memory allocating %d bytes", x * y); ++ return mem; ++} ++ + + in=out=0; + while( in + #include ++#include + + static int dpi = 75; + static int floating = 0; /* suppress the ``ESC & l 0 E'' ? */ +@@ -123,7 +124,11 @@ + pbm_readpbminit( ifp, &cols, &rows, &format ); + bitrow = pbm_allocrow( cols ); + ++ overflow_add(cols, 8); + rowBufferSize = (cols + 7) / 8; ++ overflow_add(rowBufferSize, 128); ++ overflow_add(rowBufferSize, rowBufferSize+128); ++ overflow_add(rowBufferSize+10, rowBufferSize/8); + packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; + deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; + +--- netpbm-10.23/converter/pbm/mdatopbm.c.security 2004-03-20 05:09:15.000000000 +0100 ++++ netpbm-10.23/converter/pbm/mdatopbm.c 2004-08-04 13:39:34.389574256 +0200 +@@ -245,10 +245,13 @@ + pm_readlittleshort(infile, &yy); nInCols = yy; + } + ++ overflow2(nOutCols, 8); + nOutCols = 8 * nInCols; + nOutRows = nInRows; +- if (bScale) ++ if (bScale) { ++ overflow2(nOutRows, 2); + nOutRows *= 2; ++ } + + data = pbm_allocarray(nOutCols, nOutRows); + +--- netpbm-10.23/converter/pbm/pbmtomacp.c.security 2002-09-06 18:04:22.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtomacp.c 2004-08-04 13:39:34.390574104 +0200 +@@ -104,6 +104,7 @@ + if( !lflg ) + left = 0; + ++ overflow_add(left, MAX_COLS - 1); + if( rflg ) + { if( right - left >= MAX_COLS ) + right = left + MAX_COLS - 1; +@@ -114,6 +115,8 @@ + if( !tflg ) + top = 0; + ++ overflow_add(top, MAX_LINES - 1); ++ + if( bflg ) + { if( bottom - top >= MAX_LINES ) + bottom = top + MAX_LINES - 1; +--- netpbm-10.23/converter/pbm/ybmtopbm.c.security 1993-10-04 10:10:35.000000000 +0100 ++++ netpbm-10.23/converter/pbm/ybmtopbm.c 2004-08-04 13:39:34.391573952 +0200 +@@ -88,6 +88,7 @@ + pm_error( "EOF / read error" ); + + *depthP = 1; ++ overflow_add(*colsP, 15); + *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP; + bitsperitem = 0; + } +--- netpbm-10.23/converter/pbm/pbmto10x.c.security 2004-03-20 05:23:36.000000000 +0100 ++++ netpbm-10.23/converter/pbm/pbmto10x.c 2004-08-04 13:39:34.392573800 +0200 +@@ -162,7 +162,7 @@ + res_60x72(); + + pm_close(ifp); +- exit(0); ++ return 0; + } + + +--- netpbm-10.23/converter/pbm/pktopbm.c.security 2004-03-20 05:52:21.000000000 +0100 ++++ netpbm-10.23/converter/pbm/pktopbm.c 2004-08-04 13:39:34.393573648 +0200 +@@ -274,6 +274,7 @@ + if (flagbyte == 7) { /* long form preamble */ + integer packetlength = get32() ; /* character packet length */ + car = get32() ; /* character number */ ++ overflow_add(packetlength, pktopbm_pkloc); + endofpacket = packetlength + pktopbm_pkloc; + /* calculate end of packet */ + if ((car >= MAXPKCHAR) || !filename[car]) { +--- netpbm-10.23/converter/pbm/pbmtoybm.c.security 1993-10-04 10:10:43.000000000 +0100 ++++ netpbm-10.23/converter/pbm/pbmtoybm.c 2004-08-04 13:39:34.393573648 +0200 +@@ -45,6 +45,7 @@ + bitrow = pbm_allocrow( cols ); + + /* Compute padding to round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 16); + padright = ( ( cols + 15 ) / 16 ) * 16 - cols; + + putinit( cols, rows ); +--- netpbm-10.23/converter/pbm/pbmtogo.c.security 2002-07-30 17:47:49.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtogo.c 2004-08-04 13:39:34.395573344 +0200 +@@ -90,6 +90,7 @@ + bitrow = pbm_allocrow(cols); + + /* Round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 7); + rucols = ( cols + 7 ) / 8; + bytesperrow = rucols; /* GraphOn uses bytes */ + rucols = rucols * 8; +--- netpbm-10.23/converter/pbm/thinkjettopbm.l.security 2002-10-27 16:45:48.000000000 +0100 ++++ netpbm-10.23/converter/pbm/thinkjettopbm.l 2004-08-04 13:39:34.396573192 +0200 +@@ -90,7 +90,9 @@ + \033\*b{DIG}+W { + int l; + if (rowCount >= rowCapacity) { ++ overflow_add(rowCapacity, 100); + rowCapacity += 100; ++ overflow2(rowCapacity, sizeof *rows); + rows = realloc (rows, rowCapacity * sizeof *rows); + if (rows == NULL) + pm_error ("Out of memory."); +@@ -200,6 +202,8 @@ + /* + * Quite simple since ThinkJet bit arrangement matches PBM + */ ++ ++ overflow2(maxRowLength, 8); + pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0); + + packed_bitrow = malloc(maxRowLength); +--- netpbm-10.23/converter/pbm/pbmtomda.c.security 2004-01-11 22:11:22.000000000 +0100 ++++ netpbm-10.23/converter/pbm/pbmtomda.c 2004-08-04 13:39:34.397573040 +0200 +@@ -179,6 +179,7 @@ + + nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; + ++ overflow_add(nOutRowsUnrounded, 3); + nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; + /* MDA wants rows a multiple of 4 */ + nOutCols = nInCols / 8; +--- netpbm-10.23/converter/pbm/icontopbm.c.security 2003-01-08 20:19:42.000000000 +0100 ++++ netpbm-10.23/converter/pbm/icontopbm.c 2004-08-04 13:39:34.397573040 +0200 +@@ -12,6 +12,8 @@ + + #include + ++#include ++#include + #include "pbm.h" + + /* size in bytes of a bitmap */ +@@ -86,6 +88,11 @@ + if ( *heightP <= 0 ) + pm_error( "invalid height (must be positive): %d", *heightP ); + ++ if ( *widthP > INT_MAX - 16 || *widthP < 0) ++ pm_error( "invalid width: %d", *widthP); ++ ++ overflow2(*widthP + 16, *heightP); ++ + data_length = BitmapSize( *widthP, *heightP ); + *dataP = (short unsigned int *) malloc( data_length ); + if ( *dataP == NULL ) +--- netpbm-10.23/converter/pbm/pbmtoxbm.c.security 2004-03-13 20:37:59.000000000 +0100 ++++ netpbm-10.23/converter/pbm/pbmtoxbm.c 2004-08-04 13:39:34.399572736 +0200 +@@ -100,6 +100,7 @@ + bitrow = pbm_allocrow(cols); + + /* Compute padding to round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 8); + padright = ((cols + 7)/8) * 8 - cols; + + printf("#define %s_width %d\n", name, cols); +--- netpbm-10.23/converter/pbm/pbmtozinc.c.security 2002-07-30 17:47:45.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtozinc.c 2004-08-04 13:39:34.400572584 +0200 +@@ -66,6 +66,7 @@ + bitrow = pbm_allocrow( cols ); + + /* Compute padding to round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 16); + padright = ( ( cols + 15 ) / 16 ) * 16 - cols; + + printf( "USHORT %s[] = {\n",name); +--- netpbm-10.23/converter/pbm/pbmtoicon.c.security 2002-07-30 17:47:48.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtoicon.c 2004-08-04 13:39:34.401572432 +0200 +@@ -42,6 +42,7 @@ + bitrow = pbm_allocrow( cols ); + + /* Round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 15); + pad = ( ( cols + 15 ) / 16 ) * 16 - cols; + padleft = pad / 2; + padright = pad - padleft; +--- netpbm-10.23/converter/pbm/pbmto4425.c.security 2002-09-06 18:03:50.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmto4425.c 2004-08-04 13:39:34.402572280 +0200 +@@ -1,6 +1,7 @@ + #include + + #include "pbm.h" ++#include + + /*extern char *sys_errlist[]; + char *malloc();*/ +@@ -72,7 +73,7 @@ + xres = vmap_width * 2; + yres = vmap_height * 3; + +- vmap = malloc(vmap_width * vmap_height * sizeof(char)); ++ vmap = malloc3(vmap_width, vmap_height, sizeof(char)); + if(vmap == NULL) + { + pm_error( "Cannot allocate memory" ); +--- netpbm-10.23/converter/pbm/pbmtocmuwm.c.security 1993-10-04 10:10:46.000000000 +0100 ++++ netpbm-10.23/converter/pbm/pbmtocmuwm.c 2004-08-04 13:39:34.403572128 +0200 +@@ -43,6 +43,7 @@ + bitrow = pbm_allocrow( cols ); + + /* Round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 7); + padright = ( ( cols + 7 ) / 8 ) * 8 - cols; + + putinit( rows, cols ); +--- netpbm-10.23/converter/pbm/pbmtoppa/pbm.c.security 2000-06-01 19:20:30.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtoppa/pbm.c 2004-08-04 13:39:34.406571672 +0200 +@@ -105,6 +105,7 @@ + return 0; + + case P4: ++ overflow_add(pbm->width, 7); + tmp=(pbm->width+7)/8; + tmp2=fread(data,1,tmp,pbm->fptr); + if(tmp2 == tmp) +@@ -129,7 +130,8 @@ + return; + + pbm->unread = 1; +- pbm->revdata = malloc ((pbm->width+7)/8); ++ overflow_add(pbm->width, 7); ++ pbm->revdata = malloc((pbm->width+7)/8); + memcpy (pbm->revdata, data, (pbm->width+7)/8); + pbm->current_line--; + } +--- netpbm-10.23/converter/pbm/pbmtoppa/pbmtoppa.c.security 2002-07-30 17:48:16.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtoppa/pbmtoppa.c 2004-08-04 13:39:34.408571368 +0200 +@@ -471,6 +471,7 @@ + } + } + ++ overflow_add(Width, 7); + Pwidth=(Width+7)/8; + printer.fptr=out; + +--- netpbm-10.23/converter/pbm/pbmtox10bm.c.security 2002-07-30 17:47:46.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtox10bm.c 2004-08-04 13:39:34.409571216 +0200 +@@ -57,6 +57,7 @@ + bitrow = pbm_allocrow( cols ); + + /* Compute padding to round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 15); + padright = ( ( cols + 15 ) / 16 ) * 16 - cols; + + printf( "#define %s_width %d\n", name, cols ); +--- netpbm-10.23/converter/pbm/pbmtogem.c.security 2000-06-09 09:07:05.000000000 +0200 ++++ netpbm-10.23/converter/pbm/pbmtogem.c 2004-08-04 13:39:34.411570912 +0200 +@@ -123,6 +123,7 @@ + bitsperitem = 0; + bitshift = 7; + outcol = 0; ++ overflow_add(cols, 7); + outmax = (cols + 7) / 8; + outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); + lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); +--- netpbm-10.23/converter/pbm/mgrtopbm.c.security 2003-01-08 20:20:10.000000000 +0100 ++++ netpbm-10.23/converter/pbm/mgrtopbm.c 2004-08-04 13:39:34.413570608 +0200 +@@ -68,6 +68,8 @@ + if (head.h_high < ' ' || head.l_high < ' ') + pm_error("Invalid width field in MGR header"); + ++ overflow_add(*colsP, pad); ++ + *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); + *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); + *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; +--- netpbm-10.23/converter/other/sirtopnm.c.security 2002-01-04 18:22:45.000000000 +0100 ++++ netpbm-10.23/converter/other/sirtopnm.c 2004-08-04 13:39:34.414570456 +0200 +@@ -69,6 +69,7 @@ + } + break; + case PPM_TYPE: ++ overflow3(cols, rows, 3); + picsize = cols * rows * 3; + planesize = cols * rows; + if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) +--- netpbm-10.23/converter/other/pnmtosgi.c.security 2003-07-10 06:04:07.000000000 +0200 ++++ netpbm-10.23/converter/other/pnmtosgi.c 2004-08-04 13:39:34.416570152 +0200 +@@ -213,6 +213,22 @@ + } + } + ++static void * ++xmalloc2(int x, int y) ++{ ++ void *mem; ++ ++ overflow2(x,y); ++ if( x * y == 0 ) ++ return NULL; ++ ++ mem = malloc2(x, y); ++ if( mem == NULL ) ++ pm_error("out of memory allocating %d bytes", x * y); ++ return mem; ++} ++ ++ + static void + put_big_short(short s) + { +@@ -250,6 +266,7 @@ + #endif + + if( storage != STORAGE_VERBATIM ) { ++ overflow2(channels, rows); + MALLOCARRAY_NOFAIL(table, channels * rows); + MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); + } +@@ -303,6 +320,8 @@ + break; + case STORAGE_RLE: + tabrow = chan_no * rows + row; ++ overflow2(chan_no, rows); ++ overflow_add(chan_no* rows, row); + len = rle_compress(temp, cols); /* writes result into rletemp */ + channel[chan_no][row].length = len; + MALLOCARRAY(p, len); +--- netpbm-10.23/converter/other/xwdtopnm.c.security 2004-03-13 20:33:22.000000000 +0100 ++++ netpbm-10.23/converter/other/xwdtopnm.c 2004-08-04 13:39:34.419569696 +0200 +@@ -241,6 +241,9 @@ + *colorsP = pnm_allocrow( 2 ); + PNM_ASSIGN1( (*colorsP)[0], 0 ); + PNM_ASSIGN1( (*colorsP)[1], *maxvalP ); ++ overflow_add(h10P->pixmap_width, 15); ++ if(h10P->pixmap_width < 0) ++ pm_error("assert: negative width"); + *padrightP = + ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width; + *bits_per_itemP = 16; +@@ -250,9 +253,13 @@ + *formatP = PGM_TYPE; + *visualclassP = StaticGray; + *maxvalP = ( 1 << h10P->display_planes ) - 1; ++ overflow_add(*maxvalP, 1); + *colorsP = pnm_allocrow( *maxvalP + 1 ); + for ( i = 0; i <= *maxvalP; ++i ) + PNM_ASSIGN1( (*colorsP)[i], i ); ++ overflow_add(h10P->pixmap_width, 15); ++ if(h10P->pixmap_width < 0) ++ pm_error("assert: negative width"); + *padrightP = + ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width; + *bits_per_itemP = 16; +@@ -486,6 +493,7 @@ + + *colsP = h11P->pixmap_width; + *rowsP = h11P->pixmap_height; ++ overflow2(h11P->bytes_per_line, 8); + *padrightP = + h11P->bytes_per_line * 8 / h11P->bits_per_pixel - + h11P->pixmap_width; +--- netpbm-10.23/converter/other/rletopnm.c.security 2004-03-13 20:33:38.000000000 +0100 ++++ netpbm-10.23/converter/other/rletopnm.c 2004-08-04 13:39:34.421569392 +0200 +@@ -19,6 +19,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rletopnm - A conversion program to convert from Utah's "rle" image format +--- netpbm-10.23/converter/other/pbmtopgm.c.security 2003-02-05 23:36:39.000000000 +0100 ++++ netpbm-10.23/converter/other/pbmtopgm.c 2004-08-04 13:39:34.422569240 +0200 +@@ -45,6 +45,7 @@ + "than the image height (%u rows)", height, rows); + + outrow = pgm_allocrow(cols) ; ++ overflow2(width, height); + maxval = MIN(PGM_OVERALLMAXVAL, width*height); + pgm_writepgminit(stdout, cols, rows, maxval, 0) ; + +--- netpbm-10.23/converter/other/sgitopnm.c.security 2003-07-10 05:42:28.000000000 +0200 ++++ netpbm-10.23/converter/other/sgitopnm.c 2004-08-04 13:39:34.423569088 +0200 +@@ -252,13 +252,17 @@ + + if (ochan < 0) { + maxchannel = (head->zsize < 3) ? head->zsize : 3; ++ overflow2(head->ysize, maxchannel); + MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); + } else { + maxchannel = ochan + 1; + MALLOCARRAY_NOFAIL(image, head->ysize); + } +- if ( table ) ++ if ( table ) { ++ overflow2(head->xsize, 2); ++ overflow_add(head->xsize*2, 2); + MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); ++ } + + for( channel = 0; channel < maxchannel; channel++ ) { + #ifdef DEBUG +--- netpbm-10.23/converter/other/pnmtorle.c.security 2003-07-10 06:04:49.000000000 +0200 ++++ netpbm-10.23/converter/other/pnmtorle.c 2004-08-04 13:39:34.424568936 +0200 +@@ -19,6 +19,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * pnmtorle - A program which will convert pbmplus (ppm or pgm) images +--- netpbm-10.23/converter/other/pnmtops.c.security 2004-05-29 20:13:26.000000000 +0200 ++++ netpbm-10.23/converter/other/pnmtops.c 2004-08-04 13:39:34.425568784 +0200 +@@ -147,16 +147,24 @@ + + cmdlineP->center = !nocenter; + cmdlineP->canturn = !noturn; +- ++ ++ overflow2(width, 72); ++ overflow2(height, 72); + cmdlineP->width = width * 72; + cmdlineP->height = height * 72; +- ++ + if (imagewidth_spec) ++ { + cmdlineP->imagewidth = imagewidth * 72; ++ overflow2(imagewidth, 72); ++ } + else + cmdlineP->imagewidth = 0; + if (imageheight_spec) ++ { ++ overflow2(imageheight, 72); + cmdlineP->imageheight = imageheight * 72; ++ } + else + cmdlineP->imageheight = 0; + +--- netpbm-10.23/converter/other/pngtopnm.c.security 2004-04-04 02:18:34.000000000 +0200 ++++ netpbm-10.23/converter/other/pngtopnm.c 2004-08-04 13:39:34.427568480 +0200 +@@ -612,18 +612,30 @@ + } + + if (info_ptr->bit_depth == 16) ++ { ++ overflow2(2, info_ptr->width); + linesize = 2 * info_ptr->width; ++ } + else + linesize = info_ptr->width; + + if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) ++ { + linesize *= 2; ++ overflow2(2, linesize); ++ } + else + if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) ++ { ++ overflow2(3, linesize); + linesize *= 3; ++ } + else + if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) ++ { ++ overflow2(4, linesize); + linesize *= 4; ++ } + + for (y = 0 ; y < info_ptr->height ; y++) { + png_image[y] = malloc (linesize); +--- netpbm-10.23/converter/other/pnmtoddif.c.security 2002-07-30 19:09:13.000000000 +0200 ++++ netpbm-10.23/converter/other/pnmtoddif.c 2004-08-04 13:39:34.428568328 +0200 +@@ -484,6 +484,7 @@ + switch (PNM_FORMAT_TYPE(format)) { + case PBM_TYPE: + ip.bits_per_pixel = 1; ++ overflow_add(cols, 7); + ip.bytes_per_line = (cols + 7) / 8; + ip.spectral = 2; + ip.components = 1; +@@ -499,6 +500,7 @@ + ip.polarity = 2; + break; + case PPM_TYPE: ++ overflow2(cols, 3); + ip.bytes_per_line = 3 * cols; + ip.bits_per_pixel = 24; + ip.spectral = 5; +--- netpbm-10.23/converter/other/tifftopnm.c.security 2004-03-13 20:33:29.000000000 +0100 ++++ netpbm-10.23/converter/other/tifftopnm.c 2004-08-04 13:39:34.429568176 +0200 +@@ -736,7 +736,7 @@ + if (scanbuf == NULL) + pm_error("can't allocate memory for scanline buffer"); + +- MALLOCARRAY(samplebuf, cols * spp); ++ samplebuf = (unsigned short *) malloc3(cols , sizeof(unsigned short) , spp); + if (samplebuf == NULL) + pm_error ("can't allocate memory for row buffer"); + +--- netpbm-10.23/converter/other/jpegtopnm.c.security 2004-05-16 19:04:47.000000000 +0200 ++++ netpbm-10.23/converter/other/jpegtopnm.c 2004-08-04 13:39:34.431567872 +0200 +@@ -819,6 +819,7 @@ + /* Calculate output image dimensions so we can allocate space */ + jpeg_calc_output_dimensions(cinfoP); + ++ overflow2(cinfoP->output_width, cinfoP->output_components); + jpegbuffer = ((*cinfoP->mem->alloc_sarray) + ((j_common_ptr) cinfoP, JPOOL_IMAGE, + cinfoP->output_width * cinfoP->output_components, +--- netpbm-10.23/converter/other/pnmtotiff.c.security 2003-05-19 18:39:10.000000000 +0200 ++++ netpbm-10.23/converter/other/pnmtotiff.c 2004-08-04 13:39:34.432567720 +0200 +@@ -611,11 +611,14 @@ + if (*bitspersampleP < 8) { + int samplesperbyte; + samplesperbyte = 8 / *bitspersampleP; ++ overflow2(cols, *samplesperpixelP); ++ overflow_add(cols * *samplesperpixelP, samplesperbyte); + *bytesperrowP = + (cols * *samplesperpixelP + samplesperbyte-1) / samplesperbyte; +- } else ++ } else { ++ overflow3( *samplesperpixelP, cols, *bitspersampleP); + *bytesperrowP = (cols * *samplesperpixelP * *bitspersampleP) / 8; +- ++ } + if (requested_rowsperstrip == -1 ) + *rowsperstripP = (8 * 1024) / *bytesperrowP; + else +--- netpbm-10.23/converter/other/pnmtopalm/palmcolormap.c.security 2003-02-04 04:44:00.000000000 +0100 ++++ netpbm-10.23/converter/other/pnmtopalm/palmcolormap.c 2004-08-04 13:39:34.433567568 +0200 +@@ -232,7 +232,7 @@ + return 0; + + colormap = malloc(sizeof(Colormap_s)); +- colormap->color_entries = malloc(sizeof(Color_s) * ncolors); ++ colormap->color_entries = malloc2(sizeof(Color_s), ncolors); + colormap->nentries = ncolors; + colormap->ncolors = ncolors; + +--- netpbm-10.23/converter/other/gemtopnm.c.security 2002-07-30 19:09:16.000000000 +0200 ++++ netpbm-10.23/converter/other/gemtopnm.c 2004-08-04 13:39:34.434567416 +0200 +@@ -106,6 +106,7 @@ + + pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); + ++ overflow_add(cols, padright); + { + /* allocate input row data structure */ + int plane; +--- netpbm-10.23/converter/other/pnmtojpeg.c.security 2004-08-04 13:39:34.325583984 +0200 ++++ netpbm-10.23/converter/other/pnmtojpeg.c 2004-08-04 13:41:41.079314488 +0200 +@@ -588,6 +588,8 @@ + const long half_maxval = maxval / 2; + long val; + ++ overflow_add(maxval, 1); ++ overflow2(maxval+1, sizeof(JSAMPLE)); + *rescale_p = (JSAMPLE *) + (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, + (size_t) (((long) maxval + 1L) * +@@ -664,6 +666,7 @@ + */ + + /* Allocate the libpnm output and compressor input buffers */ ++ overflow2(cinfo_p->image_width, cinfo_p->input_components); + buffer = (*cinfo_p->mem->alloc_sarray) + ((j_common_ptr) cinfo_p, JPOOL_IMAGE, + (unsigned int) cinfo_p->image_width * cinfo_p->input_components, +@@ -931,7 +934,11 @@ + * want JPOOL_PERMANENT. + */ + const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); +- const jpeg_scan_info * scan_info = ++ const jpeg_scan_info * scan_info; ++ ++ overflow2(nscans, sizeof(jpeg_scan_info)); ++ ++ scan_info = + (jpeg_scan_info *) + (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, + scan_info_size); +--- netpbm-10.23/urt/rle.h.security 2002-03-13 16:32:34.000000000 +0100 ++++ netpbm-10.23/urt/rle.h 2004-08-04 13:39:34.438566808 +0200 +@@ -14,6 +14,9 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox ++ * Header declarations needed + */ + /* + * rle.h - Global declarations for Utah Raster Toolkit RLE programs. +@@ -169,6 +172,16 @@ + */ + extern rle_hdr rle_dflt_hdr; + ++/* ++ * Provided by pm library ++ */ ++ ++extern void overflow_add(int, int); ++extern void overflow2(int, int); ++extern void overflow3(int, int, int); ++extern void *malloc2(int, int); ++extern void *malloc3(int, int, int); ++extern void *realloc2(void *, int, int); + + /* Declare RLE library routines. */ + +--- netpbm-10.23/urt/rle_hdr.c.security 2000-06-09 09:49:51.000000000 +0200 ++++ netpbm-10.23/urt/rle_hdr.c 2004-08-04 13:39:34.439566656 +0200 +@@ -14,6 +14,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rle_hdr.c - Functions to manipulate rle_hdr structures. +@@ -77,7 +79,10 @@ + /* Fill in with copies of the strings. */ + if ( the_hdr->cmd != pgmname ) + { +- char *tmp = (char *)malloc( strlen( pgmname ) + 1 ); ++ char *tmp ; ++ ++ overflow_add(strlen(pgmname), 1); ++ tmp = malloc( strlen( pgmname ) + 1 ); + RLE_CHECK_ALLOC( pgmname, tmp, 0 ); + strcpy( tmp, pgmname ); + the_hdr->cmd = tmp; +@@ -85,7 +90,9 @@ + + if ( the_hdr->file_name != fname ) + { +- char *tmp = (char *)malloc( strlen( fname ) + 1 ); ++ char *tmp; ++ overflow_add(strlen(fname), 1); ++ tmp = malloc( strlen( fname ) + 1 ); + RLE_CHECK_ALLOC( pgmname, tmp, 0 ); + strcpy( tmp, fname ); + the_hdr->file_name = tmp; +@@ -150,6 +157,7 @@ + if ( to_hdr->bg_color ) + { + int size = to_hdr->ncolors * sizeof(int); ++ overflow2(to_hdr->ncolors, sizeof(int)); + to_hdr->bg_color = (int *)malloc( size ); + RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); + memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); +@@ -158,7 +166,7 @@ + if ( to_hdr->cmap ) + { + int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); +- to_hdr->cmap = (rle_map *)malloc( size ); ++ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<cmaplen, sizeof(rle_map)); + RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); + memcpy( to_hdr->cmap, from_hdr->cmap, size ); + } +@@ -171,11 +179,16 @@ + int size = 0; + CONST_DECL char **cp; + for ( cp=to_hdr->comments; *cp; cp++ ) ++ { ++ overflow_add(size, 1); + size++; /* Count the comments. */ ++ } + /* Check if there are really any comments. */ + if ( size ) + { ++ overflow_add(size, 1); + size++; /* Copy the NULL pointer, too. */ ++ overflow2(size, sizeof(char *)); + size *= sizeof(char *); + to_hdr->comments = (CONST_DECL char **)malloc( size ); + RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); +--- netpbm-10.23/urt/Runput.c.security 2002-03-13 05:24:43.000000000 +0100 ++++ netpbm-10.23/urt/Runput.c 2004-08-04 13:39:34.440566504 +0200 +@@ -17,6 +17,8 @@ + * + * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire + * to have all "void" functions so declared. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * Runput.c - General purpose Run Length Encoding. +@@ -200,9 +202,11 @@ + if ( the_hdr->background != 0 ) + { + register int i; +- register rle_pixel *background = +- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); ++ register rle_pixel *background; + register int *bg_color; ++ ++ overflow_add(the_hdr->ncolors,1); ++ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) ); + /* + * If even number of bg color bytes, put out one more to get to + * 16 bit boundary. +@@ -222,7 +226,7 @@ + /* Big-endian machines are harder */ + register int i, nmap = (1 << the_hdr->cmaplen) * + the_hdr->ncmap; +- register char *h_cmap = (char *)malloc( nmap * 2 ); ++ register char *h_cmap = (char *)malloc2( nmap, 2 ); + if ( h_cmap == NULL ) + { + fprintf( stderr, +--- netpbm-10.23/urt/README.security 2000-06-02 22:53:04.000000000 +0200 ++++ netpbm-10.23/urt/README 2004-08-04 13:39:34.441566352 +0200 +@@ -18,3 +18,8 @@ + defines stdout as a variable, so that wouldn't compile. So I changed + it to NULL and added a line to rle_hdr_init to set that field to + 'stdout' dynamically. 2000.06.02 BJH. ++ ++Redid the code to check for maths overflows and other crawly horrors. ++Removed pipe through and compress support (unsafe) ++ ++Alan Cox +--- netpbm-10.23/urt/rle_putcom.c.security 2000-05-19 01:12:22.000000000 +0200 ++++ netpbm-10.23/urt/rle_putcom.c 2004-08-04 13:39:34.442566200 +0200 +@@ -14,6 +14,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rle_putcom.c - Add a picture comment to the header struct. +@@ -89,19 +91,22 @@ + + if ( the_hdr->comments == NULL ) + { +- the_hdr->comments = (CONST_DECL char **)malloc( 2 * sizeof(char *) ); ++ the_hdr->comments = (CONST_DECL char **)malloc2( 2, sizeof(char *) ); + the_hdr->comments[0] = value; + the_hdr->comments[1] = NULL; + } + else + { + for ( i = 2, cp = the_hdr->comments; *cp != NULL; i++, cp++ ) ++ { ++ overflow_add(i, 1); + if ( match( value, *cp ) != NULL ) + { + v = *cp; + *cp = value; + return v; + } ++ } + /* Not found */ + /* Can't realloc because somebody else might be pointing to this + * comments block. Of course, if this were true, then the +@@ -111,7 +116,7 @@ + * could copy the pointers, too. + */ + old_comments = the_hdr->comments; +- the_hdr->comments = (CONST_DECL char **)malloc(i * sizeof(char *) ); ++ the_hdr->comments = (CONST_DECL char **)malloc2(i , sizeof(char *) ); + the_hdr->comments[--i] = NULL; + the_hdr->comments[--i] = value; + for ( i--; i >= 0; i-- ) +--- netpbm-10.23/urt/rle_addhist.c.security 2003-01-08 20:35:44.000000000 +0100 ++++ netpbm-10.23/urt/rle_addhist.c 2004-08-04 13:39:34.443566048 +0200 +@@ -14,6 +14,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rle_addhist.c - Add to the HISTORY comment in header +@@ -69,19 +71,29 @@ + + length=0; + for(i=0;argv[i];i++) ++ { ++ overflow_add(length, strlen(argv[i])); ++ overflow_add(length+1, strlen(argv[i])); + length+= strlen(argv[i]) +1; /* length of each arg plus space. */ +- ++ } + (void)time (&temp); + timedate=ctime(&temp); + length+= strlen(timedate); /* length of date and time in ASCII. */ + ++ overflow_add(strlen(padding), 4); ++ overflow_add(strlen(histoire), strlen(padding) + 4); ++ overflow_add(length, strlen(histoire) + strlen(padding) + 4); + length+= strlen(padding) + 3 + strlen(histoire) + 1; /* length of padding, "on " and length of history name plus "="*/ + if(in_hdr) /* if we are interested in the old comments... */ + old=rle_getcom(histoire,in_hdr); /* get old comment. */ + +- if((old) && (*old)) length+= strlen(old); /* add length if there. */ ++ if((old) && (*old)) ++ { ++ overflow_add(length, strlen(old)); ++ length+= strlen(old); /* add length if there. */ ++ } + +- length++; /*Cater for the null. */ ++ overflow_add(length, 1); + + if((newc=(char *)malloc((unsigned int) length)) == NULL)return; + +@@ -95,5 +107,4 @@ + (void)strcat(newc,padding); /* to line up multiple histories.*/ + + (void)rle_putcom(newc,out_hdr); +- + } +--- netpbm-10.23/urt/scanargs.c.security 2003-01-08 20:38:25.000000000 +0100 ++++ netpbm-10.23/urt/scanargs.c 2004-08-04 13:39:34.444565896 +0200 +@@ -38,6 +38,8 @@ + * + * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire + * to have all "void" functions so declared. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + + #include "rle.h" +@@ -65,8 +67,8 @@ + /* + * Storage allocation macros + */ +-#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) +-#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) ++#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) ++#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) + + #if defined(c_plusplus) && !defined(USE_PROTOTYPES) + #define USE_PROTOTYPES +--- netpbm-10.23/urt/rle_open_f.c.security 2002-06-18 04:16:32.000000000 +0200 ++++ netpbm-10.23/urt/rle_open_f.c 2004-08-04 13:39:34.445565744 +0200 +@@ -6,6 +6,9 @@ + * University of Michigan + * Date: 11/14/89 + * Copyright (c) 1990, University of Michigan ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox ++ * Killed of crazy unsafe pipe/compress stuff + */ + + #include "rle.h" +@@ -118,7 +121,7 @@ + + cp = file_name + strlen( (char*) file_name ) - 2; + /* Pipe case. */ +- if ( *file_name == '|' ) ++ if ( *file_name == '|' && 0 /* BOLLOCKS ARE WE DOING THIS ANY MORE */) + { + int thepid; /* PID from my_popen */ + if ( (fp = my_popen( file_name + 1, mode, &thepid )) == NULL ) +@@ -138,9 +141,10 @@ + } + + /* Compress case. */ +- else if ( cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) ++ else if ( /* SMOKING SOMETHING */ 0 && cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) + { + int thepid; /* PID from my_popen. */ ++ overflow_add(20, strlen(file_name)); + combuf = (char *)malloc( 20 + strlen( file_name ) ); + if ( combuf == NULL ) + { +--- netpbm-10.23/urt/rle_getrow.c.security 2002-03-13 05:24:04.000000000 +0100 ++++ netpbm-10.23/urt/rle_getrow.c 2004-08-04 13:39:34.446565592 +0200 +@@ -17,6 +17,8 @@ + * + * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire + * to have all "void" functions so declared. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rle_getrow.c - Read an RLE file in. +@@ -100,10 +102,8 @@ + + if ( !(setup.h_flags & H_NO_BACKGROUND) && setup.h_ncolors > 0 ) + { +- the_hdr->bg_color = (int *)malloc( +- (unsigned)(sizeof(int) * setup.h_ncolors) ); +- bg_color = (rle_pixel *)malloc( +- (unsigned)(1 + (setup.h_ncolors / 2) * 2) ); ++ the_hdr->bg_color = (int *)malloc2(sizeof(int), setup.h_ncolors); ++ bg_color = (rle_pixel *)malloc2(1 + (setup.h_ncolors / 2),2); + RLE_CHECK_ALLOC( the_hdr->cmd, the_hdr->bg_color && bg_color, + "background color" ); + fread( (char *)bg_color, 1, 1 + (setup.h_ncolors / 2) * 2, infile ); +@@ -145,9 +145,8 @@ + register int i; + register char *maptemp; + +- the_hdr->cmap = (rle_map *)malloc( +- (unsigned)(sizeof(rle_map) * maplen) ); +- maptemp = (char *)malloc( 2 * maplen ); ++ the_hdr->cmap = (rle_map *)malloc2(sizeof(rle_map), maplen); ++ maptemp = (char *)malloc2(2, maplen); + if ( the_hdr->cmap == NULL || maptemp == NULL ) + { + fprintf( stderr, +@@ -170,6 +169,8 @@ + register char * cp; + + VAXSHORT( comlen, infile ); /* get comment length */ ++ ++ overflow_add(comlen, 1); + evenlen = (comlen + 1) & ~1; /* make it even */ + if ( evenlen ) + { +@@ -190,7 +191,7 @@ + i++; /* extra for NULL pointer at end */ + /* Get space to put pointers to comments */ + the_hdr->comments = +- (CONST_DECL char **)malloc( (unsigned)(i * sizeof(char *)) ); ++ (CONST_DECL char **)malloc2(i, sizeof(char *)); + if ( the_hdr->comments == NULL ) + { + fprintf( stderr, +--- netpbm-10.23/analyzer/pgmtexture.c.security 2003-08-07 18:18:16.000000000 +0200 ++++ netpbm-10.23/analyzer/pgmtexture.c 2004-08-04 13:39:34.447565440 +0200 +@@ -75,7 +75,10 @@ + { + float *v; + +- MALLOCARRAY(v, (unsigned) (nh - nl + 1)); ++ overflow_add(nh, 1); ++ if(nh < nl) ++ pm_error("assert: h < l"); ++ v = (float *) malloc2 ((nh - nl + 1), sizeof (float)); + if (v == NULL) + pm_error("Unable to allocate memory for a vector."); + return v - nl; +@@ -91,16 +94,22 @@ + float **m; + + /* allocate pointers to rows */ +- MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); ++ overflow_add(nrh, 1); ++ if(nrh < nrl) ++ pm_error("assert: nrh < nrl"); ++ m = (float **) malloc2(nrh - nrl + 1, sizeof (float *)); + if (m == NULL) + pm_error("Unable to allocate memory for a matrix."); + + m -= ncl; + ++ if(nch < ncl) ++ pm_error("assert: nch < ncl"); ++ overflow_add(nch, 1); + /* allocate rows and set pointers to them */ + for (i = nrl; i <= nrh; i++) + { +- MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); ++ m[i] = (float *) malloc2(nch - ncl + 1, sizeof (float)); + if (m[i] == NULL) + pm_error("Unable to allocate memory for a matrix row."); + m[i] -= ncl; +--- netpbm-10.23/analyzer/pgmhist.c.security 2003-07-06 21:23:19.000000000 +0200 ++++ netpbm-10.23/analyzer/pgmhist.c 2004-08-04 13:39:34.448565288 +0200 +@@ -45,6 +45,7 @@ + grayrow = pgm_allocrow( cols ); + + /* Build histogram. */ ++ overflow_add(maxval, 1); + MALLOCARRAY(hist, maxval + 1); + MALLOCARRAY(rcount, maxval + 1); + if ( hist == NULL || rcount == NULL ) +--- netpbm-10.23/lib/libpam.c.security 2004-06-12 21:31:17.000000000 +0200 ++++ netpbm-10.23/lib/libpam.c 2004-08-04 13:39:34.449565136 +0200 +@@ -257,7 +257,8 @@ + themselves. Each tuple consists of 'depth' samples. + */ + +- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytes_per_tuple)); ++ overflow_add(sizeof(tuple *), bytes_per_tuple); ++ tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytes_per_tuple); + if (tuplerow == NULL) + pm_error("Out of memory allocating space for a tuple row of\n" + "%d tuples by %d samples per tuple by %d bytes per sample.", +--- netpbm-10.23/lib/libpm.c.security 2004-06-16 04:33:57.000000000 +0200 ++++ netpbm-10.23/lib/libpm.c 2004-08-04 13:39:34.451564832 +0200 +@@ -31,6 +31,7 @@ + /* This makes the the x64() functions available on AIX */ + + #include ++#include + #include "version.h" + #include "compile.h" + #include "nstring.h" +@@ -115,7 +116,7 @@ + pm_allocrow(int const cols, int const size) { + char * itrow; + +- itrow = malloc( cols * size ); ++ itrow = (char*) malloc2( cols , size ); + if ( itrow == NULL ) + pm_error( "out of memory allocating a row" ); + return itrow; +@@ -155,7 +156,7 @@ + if ( rowIndex == NULL ) + pm_error("out of memory allocating row index (%u rows) for an array", + rows); +- rowheap = malloc( rows * cols * size ); ++ rowheap = (char*) malloc3( rows, cols, size ); + if ( rowheap == NULL ) { + /* We couldn't get the whole heap in one block, so try fragmented + format. +@@ -1164,4 +1165,53 @@ + } + + ++/* ++ * Maths wrapping ++ */ ++ ++void overflow2(int a, int b) ++{ ++ if(a < 0 || b < 0) ++ pm_error("object too large"); ++ if(b == 0) ++ return; ++ if(a > INT_MAX / b) ++ pm_error("object too large"); ++} ++ ++void overflow3(int a, int b, int c) ++{ ++ overflow2(a,b); ++ overflow2(a*b, c); ++} ++ ++void overflow_add(int a, int b) ++{ ++ if( a > INT_MAX - b) ++ pm_error("object too large"); ++} ++ ++void *malloc2(int a, int b) ++{ ++ overflow2(a, b); ++ if(a*b == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b); ++} ++ ++void *malloc3(int a, int b, int c) ++{ ++ overflow3(a, b, c); ++ if(a*b*c == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b*c); ++} ++ ++void *realloc2(void * a, int b, int c) ++{ ++ overflow2(b, c); ++ if(b*c == 0) ++ pm_error("Zero byte allocation"); ++ return realloc(a, b*c); ++} + +--- netpbm-10.23/lib/pm.h.security 2004-05-01 05:19:41.000000000 +0200 ++++ netpbm-10.23/lib/pm.h 2004-08-04 13:39:34.451564832 +0200 +@@ -287,6 +287,12 @@ + + + ++void *malloc2(int, int); ++void *malloc3(int, int, int); ++void overflow2(int, int); ++void overflow3(int, int, int); ++void overflow_add(int, int); ++ + #endif + + +--- netpbm-10.23/lib/libpbm1.c.security 2003-11-14 09:25:55.000000000 +0100 ++++ netpbm-10.23/lib/libpbm1.c 2004-08-04 13:39:34.452564680 +0200 +@@ -58,6 +58,7 @@ + pm_message("pm_filepos passed to pm_check() is %u bytes", + sizeof(pm_filepos)); + #endif ++ overflow2(bytes_per_row, rows); + pm_check(file, check_type, need_raster_size, retval_p); + } + } +--- netpbm-10.23/lib/libpbm5.c.security 2004-03-18 04:47:05.000000000 +0100 ++++ netpbm-10.23/lib/libpbm5.c 2004-08-04 13:39:34.453564528 +0200 +@@ -788,11 +788,13 @@ + if ( glyph == NULL ) + pm_error( "out of memory allocating glyphs" ); + +- bmap = (char*) malloc( fn->maxwidth * fn->maxheight * nCharsInFont ); ++ bmap = (char*) malloc3( fn->maxwidth, fn->maxheight, nCharsInFont ); + if ( bmap == (char*) 0) + pm_error( "out of memory allocating glyph data" ); + + /* Now fill in the 0,0 coords. */ ++ overflow2(char_height, 2); ++ overflow2(char_width, 2); + row = cell_height * 2; + col = cell_width * 2; + for (i = 0; i < firstCodePoint; ++i) +--- netpbm-10.23/lib/libpbmvms.c.security 2000-05-26 20:34:55.000000000 +0200 ++++ netpbm-10.23/lib/libpbmvms.c 2004-08-04 13:39:34.455564224 +0200 +@@ -1,3 +1,5 @@ ++#warning "NOT AUDITED" ++ + /*************************************************************************** + This file contains library routines needed to build Netpbm for VMS. + However, as of 2000.05.26, when these were split out of libpbm1.c +--- netpbm-10.23/lib/libpammap.c.security 2004-04-12 00:21:27.000000000 +0200 ++++ netpbm-10.23/lib/libpammap.c 2004-08-04 13:39:34.456564072 +0200 +@@ -98,6 +98,8 @@ + */ + struct tupleint_list_item * retval; + ++ overflow2(pamP->depth, sizeof(sample)); ++ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); + unsigned int const size = + sizeof(*retval) - sizeof(retval->tupleint.tuple) + + pamP->depth * sizeof(sample); +@@ -315,7 +317,11 @@ + as a single malloc block and suballocate internally. + */ + +- pool = malloc(mainTableSize + size * tupleIntSize); ++ overflow2(pamP->depth, sizeof(sample)); ++ overflow_add(pamP->depth*sizeof(sample), ++ sizeof(struct tupleint) - sizeof(sample)); ++ overflow_add(mainTableSize, size); ++ pool = malloc2(mainTableSize + size, tupleIntSize); + + retval = (tupletable) pool; + +--- netpbm-10.23/editor/pnmcut.c.security 2002-07-30 19:47:37.000000000 +0200 ++++ netpbm-10.23/editor/pnmcut.c 2004-08-04 13:39:34.457563920 +0200 +@@ -373,6 +373,7 @@ + toprow, leftcol, bottomrow, rightcol); + } + ++ overflow_add(rightcol, 1); + output_cols = rightcol-leftcol+1; + output_row = pnm_allocrow(output_cols); + +--- netpbm-10.23/editor/pnmscalefixed.c.security 2002-07-30 19:52:49.000000000 +0200 ++++ netpbm-10.23/editor/pnmscalefixed.c 2004-08-04 13:39:34.458563768 +0200 +@@ -209,6 +209,8 @@ + const int rows, const int cols, + int * newrowsP, int * newcolsP) { + ++ overflow2(rows, cols); ++ + if (cmdline.pixels) { + if (rows * cols <= cmdline.pixels) { + *newrowsP = rows; +@@ -260,6 +262,8 @@ + + if (*newcolsP < 1) *newcolsP = 1; + if (*newrowsP < 1) *newrowsP = 1; ++ ++ overflow2(*newcolsP, *newrowsP); + } + + +@@ -441,6 +445,9 @@ + unfilled. We can address that by stretching, whereas the other + case would require throwing away some of the input. + */ ++ ++ overflow2(newcols, SCALE); ++ overflow2(newrows, SCALE); + sxscale = SCALE * newcols / cols; + syscale = SCALE * newrows / rows; + +--- netpbm-10.23/editor/pnmshear.c.security 2002-12-11 21:00:02.000000000 +0100 ++++ netpbm-10.23/editor/pnmshear.c 2004-08-04 13:39:34.459563616 +0200 +@@ -12,6 +12,7 @@ + + #include + #include ++#include + + #include "pnm.h" + #include "shhopt.h" +@@ -198,6 +199,11 @@ + if ( shearfac < 0.0 ) + shearfac = -shearfac; + ++ if(rows * shearfac >= INT_MAX-1) ++ pm_error("image too large"); ++ ++ overflow_add(rows * shearfac, cols+1); ++ + newcols = rows * shearfac + cols + 0.999999; + + pnm_writepnminit( stdout, newcols, rows, newmaxval, newformat, 0 ); +--- netpbm-10.23/editor/pamoil.c.security 2004-05-29 20:01:02.000000000 +0200 ++++ netpbm-10.23/editor/pamoil.c 2004-08-04 13:39:34.460563464 +0200 +@@ -112,6 +112,7 @@ + tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); + pm_close(ifp); + ++ overflow_add(inpam.maxval, 1); + MALLOCARRAY(hist, inpam.maxval + 1); + if (hist == NULL) + pm_error("Unable to allocate memory for histogram."); +--- netpbm-10.23/editor/pnmhisteq.c.security 2002-07-30 19:47:36.000000000 +0200 ++++ netpbm-10.23/editor/pnmhisteq.c 2004-08-04 13:39:34.461563312 +0200 +@@ -210,6 +210,7 @@ + user has specified an input map file, read it in at + this point. */ + ++ overflow_add(maxval, 1); + lumahist = (long *) pm_allocrow(maxval + 1, sizeof(long)); + memset((char *) lumahist, 0, (maxval + 1) * sizeof(long)); + +--- netpbm-10.23/editor/pnmpaste.c.security 2002-07-30 19:47:35.000000000 +0200 ++++ netpbm-10.23/editor/pnmpaste.c 2004-08-04 13:39:34.462563160 +0200 +@@ -100,11 +100,16 @@ + "y is too large -- the second anymap has only %d rows", + rows2 ); + ++ overflow_add(x, cols2); ++ overflow_add(y, rows2); + if ( x < 0 ) + x += cols2; + if ( y < 0 ) + y += rows2; + ++ overflow_add(x, cols1); ++ overflow_add(y, rows1); ++ + if ( x + cols1 > cols2 ) + pm_error( "x + width is too large by %d pixels", x + cols1 - cols2 ); + if ( y + rows1 > rows2 ) +--- netpbm-10.23/editor/pnmgamma.c.security 2004-06-16 04:28:06.000000000 +0200 ++++ netpbm-10.23/editor/pnmgamma.c 2004-08-04 13:39:34.463563008 +0200 +@@ -274,6 +274,7 @@ + xelval **rtableP, xelval **gtableP, xelval **btableP) { + + /* Allocate space for the tables. */ ++ overflow_add(maxval, 1); + MALLOCARRAY(*rtableP, maxval+1); + MALLOCARRAY(*gtableP, maxval+1); + MALLOCARRAY(*btableP, maxval+1); +--- netpbm-10.23/editor/ppmdither.c.security 2004-08-04 13:39:34.326583832 +0200 ++++ netpbm-10.23/editor/ppmdither.c 2004-08-04 13:39:34.465562704 +0200 +@@ -111,6 +111,9 @@ + (dith_dim * sizeof(int *)) + /* pointers */ + (dith_dim * dith_dim * sizeof(int)); /* data */ + ++ overflow2(dith_dim, sizeof(int *)); ++ overflow3(dith_dim, dith_dim, sizeof(int)); ++ overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int)); + dith_mat = (unsigned int **) malloc(dith_mat_sz); + + if (dith_mat == NULL) +@@ -165,7 +168,8 @@ + if (dith_nb < 2) + pm_error("too few shades for blue, minimum of 2"); + +- MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb); ++ overflow2(dith_nr, dith_ng); ++ colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel)); + if (*colormapP == NULL) + pm_error("Unable to allocate space for the color lookup table " + "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb); +--- netpbm-10.23/editor/pbmreduce.c.security 2003-07-06 21:41:49.000000000 +0200 ++++ netpbm-10.23/editor/pbmreduce.c 2004-08-04 13:39:34.466562552 +0200 +@@ -93,6 +93,7 @@ + + if ( halftone == QT_FS ) { + /* Initialize Floyd-Steinberg. */ ++ overflow_add(newcols, 2); + MALLOCARRAY(thiserr, newcols + 2); + MALLOCARRAY(nexterr, newcols + 2); + if ( thiserr == NULL || nexterr == NULL ) +--- netpbm-10.23/editor/pnmremap.c.security 2004-05-29 20:00:54.000000000 +0200 ++++ netpbm-10.23/editor/pnmremap.c 2004-08-04 13:39:34.469562096 +0200 +@@ -228,6 +228,7 @@ + + unsigned int const fserrSize = pamP->width + 2; + ++ overflow_add(pamP->width, 2); + MALLOCARRAY(fserrP->thiserr, pamP->depth); + if (fserrP->thiserr == NULL) + pm_error("Out of memory allocating Floyd-Steinberg structures"); +@@ -267,6 +268,7 @@ + + int col; + ++ overflow_add(pamP->width, 2); + for (col = 0; col < pamP->width + 2; ++col) { + unsigned int plane; + for (plane = 0; plane < pamP->depth; ++plane) +--- netpbm-10.23/editor/pbmpscale.c.security 2003-07-06 21:41:04.000000000 +0200 ++++ netpbm-10.23/editor/pbmpscale.c 2004-08-04 13:39:34.470561944 +0200 +@@ -109,6 +109,7 @@ + inrow[0] = inrow[1] = inrow[2] = NULL; + pbm_readpbminit(ifd, &columns, &rows, &format) ; + ++ overflow2(columns, scale); + outrow = pbm_allocrow(columns*scale) ; + MALLOCARRAY(flags, columns); + if (flags == NULL) +--- netpbm-10.23/editor/pnmcrop.c.security 2002-07-30 19:47:37.000000000 +0200 ++++ netpbm-10.23/editor/pnmcrop.c 2004-08-04 13:39:34.471561792 +0200 +@@ -379,6 +379,8 @@ + + xelrow = pnm_allocrow(cols); + ++ overflow_add(right, 1); ++ overflow_add(bottom, 1); + newcols = right - left + 1; + newrows = bottom - top + 1; + pnm_writepnminit(stdout, newcols, newrows, maxval, format, 0); +--- netpbm-10.23/editor/pbmlife.c.security 1993-10-04 10:10:37.000000000 +0100 ++++ netpbm-10.23/editor/pbmlife.c 2004-08-04 13:39:34.474561336 +0200 +@@ -54,7 +54,7 @@ + prevrow = thisrow; + thisrow = nextrow; + nextrow = temprow; +- if ( row < rows - 1 ) ++ if ( row <= rows ) + pbm_readpbmrow( ifp, nextrow, cols, format ); + + for ( col = 0; col < cols; ++col ) +--- netpbm-10.23/editor/pnmenlarge.c.security 2004-07-12 19:23:23.000000000 +0200 ++++ netpbm-10.23/editor/pnmenlarge.c 2004-08-04 13:39:34.477560880 +0200 +@@ -51,6 +51,9 @@ + + pnm_readpnminit(ifP, &cols, &rows, &maxval, &format); + xelrow = pnm_allocrow(cols); ++ ++ overflow2(cols, n); ++ overflow2(rows, n); + pnm_writepnminit(stdout, cols * n, rows * n, maxval, format, 0); + newxelrow = pnm_allocrow(cols * n); + +--- netpbm-10.23/editor/pamcut.c.security 2004-07-12 17:33:40.000000000 +0200 ++++ netpbm-10.23/editor/pamcut.c 2004-08-04 13:39:34.480560424 +0200 +@@ -379,6 +379,8 @@ + outpam.width = rightcol-leftcol+1; + outpam.height = bottomrow-toprow+1; + ++ overflow_add(rightcol, 1); ++ overflow_add(toprow, 1); + pnm_writepaminit(&outpam); + + outputRow = pnm_allocpamrow(&outpam); +--- netpbm-10.23/editor/pnmpad.c.security 2004-05-16 00:02:15.000000000 +0200 ++++ netpbm-10.23/editor/pnmpad.c 2004-08-04 13:39:34.482560120 +0200 +@@ -356,6 +356,8 @@ + + computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); + ++ overflow_add(cols, lpad); ++ overflow_add(cols + lpad, rpad); + newcols = cols + lpad + rpad; + xelrow = pnm_allocrow(newcols); + bgrow = pnm_allocrow(newcols); +--- netpbm-10.23/editor/pbmclean.c.security 2002-07-30 19:47:41.000000000 +0200 ++++ netpbm-10.23/editor/pbmclean.c 2004-08-04 13:39:34.484559816 +0200 +@@ -147,7 +147,7 @@ + inrow[0] = inrow[1]; + inrow[1] = inrow[2]; + inrow[2] = shuffle ; +- if (row+1 < rows) { ++ if (row <= rows) { + /* Read the "next" row in from the file. Allocate buffer if neeeded */ + if (inrow[2] == NULL) + inrow[2] = pbm_allocrow(cols); +--- netpbm-10.23/editor/pnmindex.csh.security 2000-09-14 07:37:35.000000000 +0200 ++++ netpbm-10.23/editor/pnmindex.csh 2004-08-04 13:39:34.486559512 +0200 +@@ -1,5 +1,8 @@ + #!/bin/csh -f + # ++echo "Unsafe code, needs debugging, do not ship" ++exit 1 ++# + # pnmindex - build a visual index of a bunch of anymaps + # + # Copyright (C) 1991 by Jef Poskanzer. +--- netpbm-10.23/editor/pnmrotate.c.security 2004-02-02 20:19:52.000000000 +0100 ++++ netpbm-10.23/editor/pnmrotate.c 2004-08-04 13:39:34.488559208 +0200 +@@ -11,6 +11,7 @@ + */ + + #include ++#include + + #include "pnm.h" + #include "shhopt.h" +@@ -572,11 +573,18 @@ + yshearfac = sin(cmdline.angle); + if (yshearfac < 0.0) + yshearfac = -yshearfac; ++ overflow2(rows, xshearfac); ++ overflow_add(cols, 1); ++ overflow_add(rows * xshearfac, cols); + tempcols = rows * xshearfac + cols + 0.999999; + yshearjunk = (tempcols - cols) * yshearfac; + newrows = tempcols * yshearfac + rows + 0.999999; + x2shearjunk = (newrows - rows - yshearjunk) * xshearfac; + newrows -= 2 * yshearjunk; ++ ++ if(newrows * xshearfac + tempcols + 0.999999 - 2 * x2shearjunk > INT_MAX) ++ pm_error("image too large"); ++ + newcols = newrows * xshearfac + tempcols + 0.999999 - 2 * x2shearjunk; + direction = cmdline.angle > 0 ? COUNTERCLOCKWISE : CLOCKWISE; + +--- netpbm-10.23/doc/COPYRIGHT.PATENT.security 2004-05-01 01:54:22.000000000 +0200 ++++ netpbm-10.23/doc/COPYRIGHT.PATENT 2004-08-04 13:39:34.489559056 +0200 +@@ -33,6 +33,11 @@ + all the above to be modified by "to the best of the Netpbm + maintainer's knowledge." + ++These security fixes for netpbm are (c) Copyright 2002 Red Hat Inc. ++Red Hat has not fixed those items with patent claims or commercial ++use restrictions. These changes include NO WARRANTY and are provided ++under the Open Software License v.1 (see file OPENLICENSE). ++ + + + PATENTS +--- netpbm-10.23/other/pnmcolormap.c.security 2004-05-29 20:14:20.000000000 +0200 ++++ netpbm-10.23/other/pnmcolormap.c 2004-08-04 13:39:34.490558904 +0200 +@@ -786,6 +786,7 @@ + pamP->width = intsqrt; + else + pamP->width = intsqrt + 1; ++ overflow_add(intsqrt, 1); + } + { + unsigned int const intQuotient = colormapSize / pamP->width; +--- /dev/null 2004-02-23 22:02:56.000000000 +0100 ++++ netpbm-10.23/OPENLICENSE 2004-08-04 13:39:34.491558752 +0200 +@@ -0,0 +1,163 @@ ++ The Open Software License ++ v. 1.1 ++ ++This Open Software License (the "License") applies to any original work of ++authorship (the "Original Work") whose owner (the "Licensor") has placed the ++following notice immediately following the copyright notice for the Original ++Work: ++ ++Licensed under the Open Software License version 1.1 ++ ++1) Grant of Copyright License. Licensor hereby grants You a world-wide, ++royalty-free, non-exclusive, perpetual, non-sublicenseable license to do the ++following: ++ ++a) to reproduce the Original Work in copies; ++ ++b) to prepare derivative works ("Derivative Works") based upon the Original ++Work; ++ ++c) to distribute copies of the Original Work and Derivative Works to the ++public, with the proviso that copies of Original Work or Derivative Works that ++You distribute shall be licensed under the Open Software License; ++ ++d) to perform the Original Work publicly; and ++ ++e) to display the Original Work publicly. ++ ++2) Grant of Patent License. Licensor hereby grants You a world-wide, ++royalty-free, non-exclusive, perpetual, non-sublicenseable license, under ++patent claims owned or controlled by the Licensor that are embodied in the ++Original Work as furnished by the Licensor ("Licensed Claims") to make, use, ++sell and offer for sale the Original Work. Licensor hereby grants You a ++world-wide, royalty-free, non-exclusive, perpetual, non-sublicenseable license ++under the Licensed Claims to make, use, sell and offer for sale Derivative Works. ++ ++3) Grant of Source Code License. The term "Source Code" means the preferred ++form of the Original Work for making modifications to it and all available ++documentation describing how to modify the Original Work. Licensor hereby ++agrees to provide a machine-readable copy of the Source Code of the Original ++Work along with each copy of the Original Work that Licensor distributes. ++Licensor reserves the right to satisfy this obligation by placing a ++machine-readable copy of the Source Code in an information repository reasonably ++calculated to permit inexpensive and convenient access by You for as long as ++ Licensor continues to distribute the Original Work, and by publishing the ++address of that information repository in a notice immediately following the ++copyright notice that applies to the Original Work. ++ ++ ++4) Exclusions From License Grant. Nothing in this License shall be deemed to ++grant any rights to trademarks, copyrights, patents, trade secrets or any ++other intellectual property of Licensor except as expressly stated herein. No ++patent license is granted to make, use, sell or offer to sell embodiments of ++any patent claims other than the Licensed Claims defined in Section 2. No ++right is granted to the trademarks of Licensor even if such marks are included ++in the Original Work. Nothing in this License shall be interpreted to prohibit ++Licensor from licensing under different terms from this License any Original ++Work that Licensor otherwise would have a right to license. ++ ++5) External Deployment. The term "External Deployment" means the use or ++distribution of the Original Work or Derivative Works in any way such that the ++Original Work or Derivative Works may be used by anyone other than You, ++whether the Original Work or Derivative Works are distributed to those persons ++or made available as an application intended for use over a computer network. ++As an express condition for the grants of license hereunder, You agree that ++any External Deployment by You of a Derivative Work shall be deemed a ++distribution and shall be licensed to all under the terms of this License, as ++prescribed in section 1(c) herein. ++ ++6) Attribution Rights. You must retain, in the Source Code of any Derivative ++Works that You create, all copyright, patent or trademark notices from the ++Source Code of the Original Work, as well as any notices of licensing and any ++descriptive text identified therein as an "Attribution Notice." You must cause ++the Source Code for any Derivative Works that You create to carry a prominent ++Attribution Notice reasonably calculated to inform recipients that You have ++modified the Original Work. ++ ++7) Warranty and Disclaimer of Warranty. Licensor warrants that the copyright ++in and to the Original Work is owned by the Licensor or that the Original Work ++is distributed by Licensor under a valid current license from the copyright ++owner. Except as expressly stated in the immediately proceeding sentence, the ++Original Work is provided under this License on an "AS IS" BASIS and WITHOUT ++WARRANTY, either express or implied, including, without limitation, the ++warranties of NON-INFRINGEMENT, MERCHANTABILITY or FITNESS FOR A PARTICULAR ++PURPOSE. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK IS WITH YOU. ++This DISCLAIMER OF WARRANTY constitutes an essential part of this License. No ++license to Original Work is granted hereunder except under this disclaimer. ++ ++8) Limitation of Liability. Under no circumstances and under no legal theory, ++whether in tort (including negligence), contract, or otherwise, shall the ++Licensor be liable to any person for any direct, indirect, special, incidental, ++or consequential damages of any character arising as a result of this License ++or the use of the Original Work including, without limitation, damages for ++loss of goodwill, work stoppage, computer failure or malfunction, or any and ++all other commercial damages or losses. This limitation of liability shall not ++apply to liability for death or personal injury resulting from Licensor's ++negligence to the extent applicable law prohibits such limitation. Some ++jurisdictions do not allow the exclusion or limitation of incidental or ++consequential damages, so this exclusion and limitation may not apply to You. ++ ++ ++9) Acceptance and Termination. If You distribute copies of the Original Work ++or a Derivative Work, You must make a reasonable effort under the circumstances ++to obtain the express and volitional assent of recipients to the terms of this ++License. Nothing else but this License (or another written agreement between ++Licensor and You) grants You permission to create Derivative Works based upon ++the Original Work or to exercise any of the rights granted in Sections 1 herein, ++and any attempt to do so except under the terms of this License (or another ++written agreement between Licensor and You) is expressly prohibited by U.S. ++copyright law, the equivalent laws of other countries, and by international ++treaty. Therefore, by exercising any of the rights granted to You in Sections ++1 herein, You indicate Your acceptance of this License and all of its terms and ++conditions. This License shall terminate immediately and you may no longer ++exercise any of the rights granted to You by this License upon Your failure to ++honor the proviso in Section 1(c) herein. ++ ++10) Mutual Termination for Patent Action. This License shall terminate ++automatically and You may no longer exercise any of the rights granted to You ++by this License if You file a lawsuit in any court alleging that any OSI ++Certified open source software that is licensed under any license containing ++this "Mutual Termination for Patent Action" clause infringes any patent claims ++that are essential to use that software. ++ ++11) Jurisdiction, Venue and Governing Law. Any action or suit relating to this ++License may be brought only in the courts of a jurisdiction wherein the Licensor ++resides or in which Licensor conducts its primary business, and under the laws ++of that jurisdiction excluding its conflict-of-law provisions. The application ++of the United Nations Convention on Contracts for the International Sale of ++Goods is expressly excluded. Any use of the Original Work outside the scope of ++this License or after its termination shall be subject to the requirements and ++penalties of the U.S. Copyright Act, 17 U.S.C. � 101 et seq., the equivalent ++laws of other countries, and international treaty. This section shall survive ++the termination of this License. ++ ++12) Attorneys Fees. In any action to enforce the terms of this License or ++seeking damages relating thereto, the prevailing party shall be entitled to ++recover its costs and expenses, including, without limitation, reasonable ++attorneys' fees and costs incurred in connection with such action, including ++any appeal of such action. This section shall survive the termination of this ++License. ++ ++13) Miscellaneous. This License represents the complete agreement concerning ++the subject matter hereof. If any provision of this License is held to be ++unenforceable, such provision shall be reformed only to the extent necessary ++to make it enforceable. ++ ++14) Definition of "You" in This License. "You" throughout this License, ++whether in upper or lower case, means an individual or a legal entity exercising ++rights under, and complying with all of the terms of, this License. For legal ++entities, "You" includes any entity that controls, is controlled by, or is under ++common control with you. For purposes of this definition, "control" means (i) ++the power, direct or indirect, to cause the direction or management of such ++entity, whether by contract or otherwise, or (ii) ownership of fifty percent ++(50%) or more of the outstanding shares, or (iii) beneficial ownership of such ++entity. ++ ++15) Right to Use. You may use the Original Work in all ways not otherwise ++restricted or conditioned by this License or by law, and Licensor promises not ++to interfere with or be responsible for such uses by You. ++ ++This license is Copyright (C) 2002 Lawrence E. Rosen. All rights reserved. ++Permission is hereby granted to copy and distribute this license without ++modification. This license may not be modified without the express written ++permission of its copyright owner. diff --git a/netpbm.spec b/netpbm.spec index c480212..5d37686 100644 --- a/netpbm.spec +++ b/netpbm.spec @@ -1,22 +1,24 @@ Summary: A library for handling different graphics file formats. Name: netpbm -Version: 10.22 +Version: 10.24 Release: 2 License: freeware Group: System Environment/Libraries +URL: http://netpbm.sourceforge.net/ Source0: netpbm-nojbig-%{version}.tar.bz2 -Source1: netpbmdoc-%{version}.tar.bz2 +Source1: netpbmdoc-nojbig-%{version}.tar.bz2 Patch1: netpbm-10.17-time.patch Patch2: netpbm-9.24-strip.patch -Patch3: netpbm-10.22-security.patch -Patch4: netpbm-10.18-manpath.patch -Patch5: netpbm-10.19-message.patch -Patch6: netpbm-10.22-security2.patch -Patch7: netpbm-10.19-gcc34.patch -Patch8: netpbm-10.22-cmapsize.patch -Patch9: netpbm-10.22-tempdir.patch -Patch10: netpbm-10.22-nestedfunc.patch -Patch11: netpbm-10.22-initvar.patch +Patch3: netpbm-10.18-manpath.patch +Patch4: netpbm-10.19-message.patch +Patch5: netpbm-10.22-security2.patch +Patch6: netpbm-10.22-cmapsize.patch +Patch7: netpbm-10.22-initvar.patch +Patch8: netpbm-10.23-gcc34.patch +Patch9: netpbm-10.23-security.patch +Patch10: netpbm-10.23-pngtopnm.patch +Patch11: netpbm-10.23-malloc.patch +Patch12: netpbm-10.24-misc.patch Buildroot: %{_tmppath}/%{name}-root BuildPrereq: libjpeg-devel, libpng-devel, libtiff-devel, perl Obsoletes: libgr @@ -62,15 +64,16 @@ netpbm-progs. You'll also need to install the netpbm package. %setup -q %patch1 -p1 -b .time %patch2 -p1 -b .strip -%patch3 -p1 -b .security -%patch4 -p1 -b .manpath -%patch5 -p1 -b .message -%patch6 -p1 -b .security2 -%patch7 -p1 -b .gcc34 -%patch8 -p1 -b .cmapsize -%patch9 -p1 -b .tempdir -%patch10 -p1 -b .nestedfunc -%patch11 -p1 -b .initvar +%patch3 -p1 -b .manpath +%patch4 -p1 -b .message +%patch5 -p1 -b .security2 +%patch6 -p1 -b .cmapsize +%patch7 -p1 -b .initvar +%patch8 -p1 -b .gcc34 +%patch9 -p1 -b .security +%patch10 -p1 -b .pngtopnm +%patch11 -p1 -b .malloc +%patch12 -p1 -b .misc ##mv shhopt/shhopt.h shhopt/pbmshhopt.h ##perl -pi -e 's|shhopt.h|pbmshhopt.h|g' `find -name "*.c" -o -name "*.h"` ./GNUmakefile @@ -159,6 +162,25 @@ rm -rf $RPM_BUILD_ROOT/usr/pkginfo %{_mandir}/man5/* %changelog +* Wed Aug 18 2004 Jindrich Novy 10.24-2 +- added patch to fix compile crash for 64bit machines +- various hacks related to .security patch + +* Mon Aug 16 2004 Jindrich Novy 10.24-1 +- updated to 10.24 +- updated docs + +* Thu Aug 05 2004 Jindrich Novy 10.23-2 +- added pngtopnm patch +- added malloc patch + +* Tue Aug 03 2004 Jindrich Novy 10.23-1 +- updated to netpbm-10.23 upsteam (and removed jbig, hpcd) +- $TMPDIR patch removed, obsolete +- updated gcc34 patch +- removed nestedfunc patch, already applied in upstream version +- updated security patch to conform to 10.23 (mostly in ppmtompeg/frame.c) + * Fri Jul 02 2004 Phil Knirsch 10.22-2 - Fixed Zero byte allocation error in bmptopnm (#123169) - Honour the $TMPDIR in ppmfade (#117247) diff --git a/sources b/sources index 84e93da..5650d05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -93f8d101750ca74d5bde73a3b11208d4 netpbm-nojbig-10.22.tar.bz2 -28f43bf7c4b48697b849e21721c4e9c9 netpbmdoc-10.22.tar.bz2 +2e7da91018d07138dbb258c05c2c7172 netpbm-nojbig-10.24.tar.bz2 +a157f3e7729d2d40bcaa59d4a224a517 netpbmdoc-nojbig-10.24.tar.bz2