diff --git a/.cvsignore b/.cvsignore index 61774c5..d63d682 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -netpbm-10.35.45.tar.bz2 +netpbm-10.35.48.tar.bz2 diff --git a/netpbm-10.22-security2.patch b/netpbm-10.22-security2.patch index a54ca41..68a02d0 100644 --- a/netpbm-10.22-security2.patch +++ b/netpbm-10.22-security2.patch @@ -1,6 +1,7 @@ ---- netpbm-10.28/converter/other/anytopnm.security2 2005-05-27 00:10:39.000000000 +0200 -+++ netpbm-10.28/converter/other/anytopnm 2005-06-10 09:42:48.609492080 +0200 -@@ -522,11 +522,7 @@ else +diff -up netpbm-10.35.48/converter/other/anytopnm.security2 netpbm-10.35.48/converter/other/anytopnm +--- netpbm-10.35.48/converter/other/anytopnm.security2 2008-08-03 22:07:04.000000000 +0200 ++++ netpbm-10.35.48/converter/other/anytopnm 2008-08-04 07:11:46.000000000 +0200 +@@ -506,11 +506,7 @@ else inputFile="-" fi @@ -11,9 +12,9 @@ -trap 'rm -rf $tempdir' 0 +tempdir=$(mktemp -d -t anytopnm.XXXXXXXXXX) || exit 1 - findAwk; - -@@ -549,9 +545,17 @@ if [ "$filetype" = "unknown" ]; then + # Take out all spaces + # Find the filename extension for last-ditch efforts later +@@ -536,9 +532,17 @@ if [ "$filetype" = "unknown" ]; then echo "$progname: unknown file type. " \ "'file' says mime type is '$mimeType', " 1>&2 echo "type description is '$typeDescription'" 1>&2 @@ -31,8 +32,97 @@ +fi + exit 0 ---- netpbm-10.28/editor/ppmfade.security2 2005-03-16 22:10:39.000000000 +0100 -+++ netpbm-10.28/editor/ppmfade 2005-06-10 09:02:04.545046352 +0200 +diff -up netpbm-10.35.48/editor/pamstretch-gen.security2 netpbm-10.35.48/editor/pamstretch-gen +--- netpbm-10.35.48/editor/pamstretch-gen.security2 2008-08-03 22:06:45.000000000 +0200 ++++ netpbm-10.35.48/editor/pamstretch-gen 2008-08-04 07:11:46.000000000 +0200 +@@ -31,10 +31,7 @@ if [ "$1" = "" ]; then + exit 1 + fi + +-tempdir="${TMPDIR-/tmp}/pamstretch-gen.$$" +-mkdir $tempdir || { echo "Could not create temporary file. Exiting."; exit 1;} +-chmod 700 $tempdir +-tempfile=$tempdir/pnmig ++tempfile=$(mktemp /tmp/pnmig.XXXXXXXXXX) || exit 1 + + trap 'rm -rf $tempdir' 0 1 3 15 + +diff -up netpbm-10.35.48/editor/pnmmargin.security2 netpbm-10.35.48/editor/pnmmargin +--- netpbm-10.35.48/editor/pnmmargin.security2 2008-08-03 22:06:45.000000000 +0200 ++++ netpbm-10.35.48/editor/pnmmargin 2008-08-04 07:11:46.000000000 +0200 +@@ -11,16 +11,11 @@ + # documentation. This software is provided "as is" without express or + # implied warranty. + +-tempdir="${TMPDIR-/tmp}/pnmmargin.$$" +-mkdir $tempdir || { echo "Could not create temporary file. Exiting."; exit 1;} +-chmod 700 $tempdir +- +-trap 'rm -rf $tempdir' 0 1 3 15 +- +-tmp1=$tempdir/pnmm1 +-tmp2=$tempdir/pnmm2 +-tmp3=$tempdir/pnmm3 +-tmp4=$tempdir/pnmm4 ++tmpdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 ++tmp1="$tmpdir/tmp1" ++tmp2="$tmpdir/tmp2" ++tmp3="$tmpdir/tmp3" ++tmp4="$tmpdir/tmp4" + + color="-gofigure" + +@@ -39,6 +34,9 @@ while true ; do + shift + if [ ! ${1-""} ] ; then + echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 ++ if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir" ++ fi + exit 1 + fi + color="$1" +@@ -46,6 +44,9 @@ while true ; do + ;; + -* ) + echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 ++ if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir" ++ fi + exit 1 + ;; + * ) +@@ -56,6 +57,9 @@ done + + if [ ! ${1-""} ] ; then + echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 ++ if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir" ++ fi + exit 1 + fi + size="$1" +@@ -63,6 +67,9 @@ shift + + if [ ${2-""} ] ; then + echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 ++ if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir" ++ fi + exit 1 + fi + +@@ -86,3 +93,7 @@ pamflip -rotate90 $tmp2 > $tmp3 + # Cat things together. + pnmcat -lr $tmp2 $tmp1 $tmp2 > $tmp4 + pnmcat -tb $tmp3 $tmp4 $tmp3 ++ ++if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir" ++fi +diff -up netpbm-10.35.48/editor/ppmfade.security2 netpbm-10.35.48/editor/ppmfade +--- netpbm-10.35.48/editor/ppmfade.security2 2008-08-03 22:06:45.000000000 +0200 ++++ netpbm-10.35.48/editor/ppmfade 2008-08-04 07:11:46.000000000 +0200 @@ -14,6 +14,7 @@ # #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- @@ -297,9 +387,10 @@ exit(0); ---- netpbm-10.28/editor/ppmquantall.security2 2005-03-17 00:44:03.000000000 +0100 -+++ netpbm-10.28/editor/ppmquantall 2005-06-10 09:02:04.547046048 +0200 -@@ -63,13 +63,8 @@ for i in ${files[@]}; do +diff -up netpbm-10.35.48/editor/ppmquantall.security2 netpbm-10.35.48/editor/ppmquantall +--- netpbm-10.35.48/editor/ppmquantall.security2 2008-08-03 22:06:45.000000000 +0200 ++++ netpbm-10.35.48/editor/ppmquantall 2008-08-04 07:11:46.000000000 +0200 +@@ -70,13 +70,8 @@ for i in ${files[@]}; do heights=(${heights[*]} `grep -v '^#' $i | sed '1d; s/.* //; 2q'`) done @@ -315,94 +406,9 @@ pnmcat -topbottom -jleft -white ${files[@]} | pnmquant $newcolors > $all if [ $? != 0 ]; then ---- netpbm-10.28/editor/pnmmargin.security2 2003-12-31 05:01:26.000000000 +0100 -+++ netpbm-10.28/editor/pnmmargin 2005-06-10 09:02:04.549045744 +0200 -@@ -11,16 +11,11 @@ - # documentation. This software is provided "as is" without express or - # implied warranty. - --tempdir="${TMPDIR-/tmp}/pnmmargin.$$" --mkdir $tempdir || { echo "Could not create temporary file. Exiting."; exit 1;} --chmod 700 $tempdir -- --trap 'rm -rf $tempdir' 0 1 3 15 -- --tmp1=$tempdir/pnmm1 --tmp2=$tempdir/pnmm2 --tmp3=$tempdir/pnmm3 --tmp4=$tempdir/pnmm4 -+tmpdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 -+tmp1="$tmpdir/tmp1" -+tmp2="$tmpdir/tmp2" -+tmp3="$tmpdir/tmp3" -+tmp4="$tmpdir/tmp4" - - color="-gofigure" - -@@ -39,6 +34,9 @@ while true ; do - shift - if [ ! ${1-""} ] ; then - echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 -+ if [ -d "$tmpdir" ]; then -+ rm -rf "$tmpdir" -+ fi - exit 1 - fi - color="$1" -@@ -46,6 +44,9 @@ while true ; do - ;; - -* ) - echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 -+ if [ -d "$tmpdir" ]; then -+ rm -rf "$tmpdir" -+ fi - exit 1 - ;; - * ) -@@ -56,6 +57,9 @@ done - - if [ ! ${1-""} ] ; then - echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 -+ if [ -d "$tmpdir" ]; then -+ rm -rf "$tmpdir" -+ fi - exit 1 - fi - size="$1" -@@ -63,6 +67,9 @@ shift - - if [ ${2-""} ] ; then - echo "usage: $0 [-white|-black|-color ] [pnmfile]" 1>&2 -+ if [ -d "$tmpdir" ]; then -+ rm -rf "$tmpdir" -+ fi - exit 1 - fi - -@@ -86,3 +93,7 @@ pamflip -rotate90 $tmp2 > $tmp3 - # Cat things together. - pnmcat -lr $tmp2 $tmp1 $tmp2 > $tmp4 - pnmcat -tb $tmp3 $tmp4 $tmp3 -+ -+if [ -d "$tmpdir" ]; then -+ rm -rf "$tmpdir" -+fi ---- netpbm-10.28/editor/pamstretch-gen.security2 2004-07-25 02:01:24.000000000 +0200 -+++ netpbm-10.28/editor/pamstretch-gen 2005-06-10 09:02:04.550045592 +0200 -@@ -31,10 +31,7 @@ if [ "$1" = "" ]; then - exit 1 - fi - --tempdir="${TMPDIR-/tmp}/pamstretch-gen.$$" --mkdir $tempdir || { echo "Could not create temporary file. Exiting."; exit 1;} --chmod 700 $tempdir --tempfile=$tempdir/pnmig -+tempfile=$(mktemp /tmp/pnmig.XXXXXXXXXX) || exit 1 - - trap 'rm -rf $tempdir' 0 1 3 15 - ---- netpbm-10.28/editor/ppmshadow.security2 2005-04-23 23:16:16.000000000 +0200 -+++ netpbm-10.28/editor/ppmshadow 2005-06-10 09:37:19.253561792 +0200 +diff -up netpbm-10.35.48/editor/ppmshadow.security2 netpbm-10.35.48/editor/ppmshadow +--- netpbm-10.35.48/editor/ppmshadow.security2 2008-08-03 22:06:45.000000000 +0200 ++++ netpbm-10.35.48/editor/ppmshadow 2008-08-04 07:11:46.000000000 +0200 @@ -72,9 +72,10 @@ sub makeConvolutionKernel($$) { diff --git a/netpbm-10.23-security.patch b/netpbm-10.23-security.patch index da10363..4c151cc 100644 --- a/netpbm-10.23-security.patch +++ b/netpbm-10.23-security.patch @@ -1,515 +1,216 @@ ---- netpbm-10.34/generator/pbmtext.c.security 2005-07-18 03:14:10.000000000 +0200 -+++ netpbm-10.34/generator/pbmtext.c 2006-06-22 12:45:18.000000000 +0200 -@@ -89,12 +89,14 @@ - - for (i = 1; i < argc; i++) { - if (i > 1) { -+ overflow_add(totaltextsize, 1); - totaltextsize += 1; - text = realloc(text, totaltextsize); - if (text == NULL) - pm_error("out of memory allocating space for input text"); - strcat(text, " "); - } -+ overflow_add(totaltextsize, strlen(argv[i])); - totaltextsize += strlen(argv[i]); - text = realloc(text, totaltextsize); - if (text == NULL) -@@ -581,6 +583,7 @@ - struct text input_text; - - if (cmdline_text) { -+ overflow_add(strlen(cmdline_text), 1); - allocTextArray(&input_text, 1, strlen(cmdline_text)); - strcpy(input_text.textArray[0], cmdline_text); - fix_control_chars(input_text.textArray[0], fn); -@@ -603,7 +606,9 @@ - while (fgets(buf, sizeof(buf), stdin) != NULL) { - fix_control_chars(buf, fn); - if (lineCount >= maxlines) { -+ overflow2(maxlines, 2); - maxlines *= 2; -+ overflow2(maxlines, sizeof(char *)); - text_array = (char**) realloc((char*) text_array, - maxlines * sizeof(char*)); - if (text_array == NULL) -@@ -689,6 +694,7 @@ - hmargin = fontP->maxwidth; - } else { - vmargin = fontP->maxheight; -+ overflow2(2, fontP->maxwidth); - hmargin = 2 * fontP->maxwidth; - } - } -@@ -705,6 +711,12 @@ - } else - formattedText = inputText; - -+ overflow2(2, vmargin); -+ overflow2(formattedText.lineCount, fontP->maxheight); -+ overflow2(formattedText.lineCount-1, cmdline.lspace); -+ overflow_add(vmargin * 2, formattedText.lineCount * fontP->maxheight); -+ overflow_add(vmargin * 2 + formattedText.lineCount * fontP->maxheight, (formattedText.lineCount-1) * cmdline.lspace); -+ - rows = 2 * vmargin + - formattedText.lineCount * fontP->maxheight + - (formattedText.lineCount-1) * cmdline.lspace; -@@ -712,6 +724,9 @@ - compute_image_width(formattedText, fontP, cmdline.space, - &maxwidth, &maxleftb); - -+ overflow2(2, hmargin); -+ overflow_add(2*hmargin, maxwidth); -+ - cols = 2 * hmargin + maxwidth; - bits = pbm_allocarray(cols, rows); +diff -up netpbm-10.35.46/analyzer/pgmhist.c.security netpbm-10.35.46/analyzer/pgmhist.c +--- netpbm-10.35.46/analyzer/pgmhist.c.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/analyzer/pgmhist.c 2008-06-24 09:04:21.000000000 +0200 +@@ -45,6 +45,7 @@ main( argc, argv ) + grayrow = pgm_allocrow( cols ); ---- netpbm-10.34/generator/pgmkernel.c.security 2003-07-06 22:03:29.000000000 +0200 -+++ netpbm-10.34/generator/pgmkernel.c 2006-06-22 12:45:18.000000000 +0200 -@@ -68,7 +68,7 @@ - kycenter = (fysize - 1) / 2.0; - ixsize = fxsize + 0.999; - iysize = fysize + 0.999; -- MALLOCARRAY(fkernel, ixsize * iysize); -+ fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double)); - for (i = 0; i < iysize; i++) - for (j = 0; j < ixsize; j++) { - fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double) ---- netpbm-10.34/generator/pgmcrater.c.security 2005-12-22 10:28:49.000000000 +0100 -+++ netpbm-10.34/generator/pgmcrater.c 2006-06-22 12:45:18.000000000 +0200 -@@ -131,7 +131,7 @@ - /* Acquire the elevation array and initialize it to mean - surface elevation. */ + /* Build histogram. */ ++ overflow_add(maxval, 1); + MALLOCARRAY(hist, maxval + 1); + MALLOCARRAY(rcount, maxval + 1); + if ( hist == NULL || rcount == NULL ) +diff -up netpbm-10.35.46/analyzer/pgmtexture.c.security netpbm-10.35.46/analyzer/pgmtexture.c +--- netpbm-10.35.46/analyzer/pgmtexture.c.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/analyzer/pgmtexture.c 2008-06-24 09:04:21.000000000 +0200 +@@ -79,6 +79,9 @@ vector (int nl, int nh) + { + float *v; -- MALLOCARRAY(aux, SCRX * SCRY); -+ aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short)); - if (aux == NULL) - pm_error("out of memory allocating elevation array"); ++ if(nh < nl) ++ pm_error("assert: h < l"); ++ overflow_add(nh - nl, 1); + MALLOCARRAY(v, (unsigned) (nh - nl + 1)); + if (v == NULL) + pm_error("Unable to allocate memory for a vector."); +@@ -95,6 +98,9 @@ matrix (int nrl, int nrh, int ncl, int n + float **m; ---- netpbm-10.34/generator/pbmpage.c.security 2005-08-27 19:27:19.000000000 +0200 -+++ netpbm-10.34/generator/pbmpage.c 2006-06-22 12:45:18.000000000 +0200 -@@ -170,6 +170,9 @@ - /* We round the allocated row space up to a multiple of 8 so the ugly - fast code below can work. - */ -+ -+ overflow_add(bitmap.Width, 7); -+ - pbmrow = pbm_allocrow(((bitmap.Width+7)/8)*8); - - bitmap_cursor = 0; ---- netpbm-10.34/generator/ppmrainbow.security 2003-01-04 01:40:56.000000000 +0100 -+++ netpbm-10.34/generator/ppmrainbow 2006-06-22 12:45:18.000000000 +0200 -@@ -11,7 +11,7 @@ - # set defaults - $Twid = 600; - $Thgt = 8; --$tmpdir = $ENV{"TMPDIR"} || "/tmp"; -+$tmpdir = $ENV{"TMPDIR"} || ".tmp"; - $norepeat = $FALSE; - $verbose = $FALSE; + /* allocate pointers to rows */ ++ if(nrh < nrl) ++ pm_error("assert: h < l"); ++ overflow_add(nrh - nrl, 1); + MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); + if (m == NULL) + pm_error("Unable to allocate memory for a matrix."); +@@ -102,6 +108,9 @@ matrix (int nrl, int nrh, int ncl, int n + m -= ncl; ---- netpbm-10.34/other/pnmcolormap.c.security 2005-12-21 05:35:06.000000000 +0100 -+++ netpbm-10.34/other/pnmcolormap.c 2006-06-22 12:45:18.000000000 +0200 -@@ -836,6 +836,7 @@ - pamP->width = intsqrt; - else - pamP->width = intsqrt + 1; -+ overflow_add(intsqrt, 1); - } + /* allocate rows and set pointers to them */ ++ if(nch < ncl) ++ pm_error("assert: h < l"); ++ overflow_add(nch - ncl, 1); + for (i = nrl; i <= nrh; i++) { - unsigned int const intQuotient = colormap.size / pamP->width; ---- netpbm-10.34/converter/pgm/psidtopgm.c.security 2005-08-27 20:38:40.000000000 +0200 -+++ netpbm-10.34/converter/pgm/psidtopgm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -78,6 +78,7 @@ - pm_error("bits/sample (%d) is too large.", bitspersample); - - pgm_writepgminit(stdout, cols, rows, maxval, 0); -+ overflow_add(cols, 7); - grayrow = pgm_allocrow((cols + 7) / 8 * 8); - for (row = 0; row < rows; ++row) { - unsigned int col; ---- netpbm-10.34/converter/pgm/lispmtopgm.c.security 2005-10-07 09:03:29.000000000 +0200 -+++ netpbm-10.34/converter/pgm/lispmtopgm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -58,6 +58,7 @@ - pm_error( "depth (%d bits) is too large", depth); - - pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 ); -+ overflow_add(cols, 7); - grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 ); - - for ( row = 0; row < rows; ++row ) -@@ -102,7 +103,9 @@ - - if ( *depthP == 0 ) - *depthP = 1; /* very old file */ -- -+ -+ overflow_add((int)colsP, 31); -+ - *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP; - - if ( *colsP != (cols_32 - *padrightP) ) { ---- netpbm-10.34/converter/ppm/pjtoppm.c.security 2003-07-06 23:45:36.000000000 +0200 -+++ netpbm-10.34/converter/ppm/pjtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -127,19 +127,21 @@ - case 'V': /* send plane */ - case 'W': /* send last plane */ - if (rows == -1 || r >= rows || image == NULL) { -- if (rows == -1 || r >= rows) -+ if (rows == -1 || r >= rows) { -+ overflow_add(rows, 100); - rows += 100; -+ } - if (image == NULL) { -- MALLOCARRAY(image, rows * planes); -- MALLOCARRAY(imlen, rows * planes); -+ image = (unsigned char **) -+ malloc3(rows , planes , sizeof(unsigned char *)); -+ imlen = (int *) malloc3(rows , planes, sizeof(int)); - } - else { -+ overflow2(rows,planes); - image = (unsigned char **) -- realloc(image, -- rows * planes * -+ realloc2(image, rows * planes, - sizeof(unsigned char *)); -- imlen = (int *) -- realloc(imlen, rows * planes * sizeof(int)); -+ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); - } - } - if (image == NULL || imlen == NULL) -@@ -212,8 +214,10 @@ - for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) - for (cmd = image[p + r * planes][c], - val = image[p + r * planes][c+1]; -- cmd >= 0 && i < newcols; cmd--, i++) -+ cmd >= 0 && i < newcols; cmd--, i++) { - buf[i] = val; -+ overflow_add(i, 1); -+ } - cols = cols > i ? cols : i; - free(image[p + r * planes]); - /* -@@ -224,6 +228,7 @@ - image[p + r * planes] = (unsigned char *) realloc(buf, i); - } - } -+ overflow2(cols, 8); - cols *= 8; - } - ---- netpbm-10.34/converter/ppm/ppmtoicr.c.security 2003-02-22 23:05:03.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtoicr.c 2006-06-22 12:45:18.000000000 +0200 -@@ -169,7 +169,7 @@ - - if (rleflag) { - pm_message("sending run-length encoded picture data ..." ); -- testimage = (char*) malloc(rows*cols); -+ testimage = (char*) malloc2(rows, cols); - p = testimage; - for (i=0; i>3) * sizeof(int32 *); - int xsz = (Fsize_x>>3); -- -+ -+ overflow2((Fsize_y>>3), sizeof(int32 *)); - needs_init = FALSE; - for (y=0; y<3; y++) { - varDiff[y] = ratio[y] = total[y] = 0.0; -@@ -787,6 +788,7 @@ - fprintf(stderr, "Out of memory in BlockComputeSNR\n"); - exit(-1); - } -+ overflow2(xsz,4); - for (y = 0; y < ySize[0]>>3; y++) { - SignalY[y] = (int32 *) calloc(xsz,4); - SignalCr[y] = (int32 *) calloc(xsz,4); -@@ -945,27 +947,27 @@ - dctx = Fsize_x / DCTSIZE; - dcty = Fsize_y / DCTSIZE; + MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); +diff -up netpbm-10.35.46/converter/other/gemtopnm.c.security netpbm-10.35.46/converter/other/gemtopnm.c +--- netpbm-10.35.46/converter/other/gemtopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/gemtopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -106,6 +106,7 @@ main(argc, argv) -- dct = (Block **) malloc(sizeof(Block *) * dcty); -+ dct = (Block **) malloc2(sizeof(Block *), dcty); - ERRCHK(dct, "malloc"); - for (i = 0; i < dcty; i++) { -- dct[i] = (Block *) malloc(sizeof(Block) * dctx); -+ dct[i] = (Block *) malloc2(sizeof(Block), dctx); - ERRCHK(dct[i], "malloc"); - } + pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); -- dct_data = (dct_data_type **) malloc(sizeof(dct_data_type *) * dcty); -+ dct_data = (dct_data_type **) malloc2(sizeof(dct_data_type *), dcty); - ERRCHK(dct_data, "malloc"); - for (i = 0; i < dcty; i++) { -- dct_data[i] = (dct_data_type *) malloc(sizeof(dct_data_type) * dctx); -+ dct_data[i] = (dct_data_type *) malloc2(sizeof(dct_data_type), dctx); - ERRCHK(dct[i], "malloc"); - } ++ overflow_add(cols, padright); + { + /* allocate input row data structure */ + int plane; +diff -up netpbm-10.35.46/converter/other/jpegtopnm.c.security netpbm-10.35.46/converter/other/jpegtopnm.c +--- netpbm-10.35.46/converter/other/jpegtopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/jpegtopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -828,6 +828,7 @@ convertImage(FILE * + /* Calculate output image dimensions so we can allocate space */ + jpeg_calc_output_dimensions(cinfoP); -- dctr = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); -- dctb = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); -+ dctr = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); -+ dctb = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); - ERRCHK(dctr, "malloc"); - ERRCHK(dctb, "malloc"); - for (i = 0; i < (dcty >> 1); i++) { -- dctr[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); -- dctb[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); -+ dctr[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); -+ dctb[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); - ERRCHK(dctr[i], "malloc"); - ERRCHK(dctb[i], "malloc"); - } ---- netpbm-10.34/converter/ppm/ppmtopj.c.security 2005-10-07 09:01:27.000000000 +0200 -+++ netpbm-10.34/converter/ppm/ppmtopj.c 2006-06-22 12:45:18.000000000 +0200 -@@ -179,6 +179,7 @@ - pixels = ppm_readppm( ifp, &cols, &rows, &maxval ); ++ overflow2(cinfoP->output_width, cinfoP->output_components); + jpegbuffer = ((*cinfoP->mem->alloc_sarray) + ((j_common_ptr) cinfoP, JPOOL_IMAGE, + cinfoP->output_width * cinfoP->output_components, +diff -up netpbm-10.35.46/converter/other/pbmtopgm.c.security netpbm-10.35.46/converter/other/pbmtopgm.c +--- netpbm-10.35.46/converter/other/pbmtopgm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pbmtopgm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -47,6 +47,7 @@ main(int argc, char *argv[]) { + "than the image height (%u rows)", height, rows); - pm_close( ifp ); -+ overflow2(cols,2); - obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char)); - cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char)); + outrow = pgm_allocrow(cols) ; ++ overflow2(width, height); + maxval = MIN(PGM_OVERALLMAXVAL, width*height); + pgm_writepgminit(stdout, cols, rows, maxval, 0) ; ---- netpbm-10.34/converter/ppm/imgtoppm.c.security 2002-09-06 18:30:03.000000000 +0200 -+++ netpbm-10.34/converter/ppm/imgtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -84,6 +84,7 @@ - len = atoi((char*) buf ); - if ( fread( buf, len, 1, ifp ) != 1 ) - pm_error( "bad colormap buf" ); -+ overflow2(cmaplen, 3); - if ( cmaplen * 3 != len ) - { - pm_message( -@@ -105,6 +106,7 @@ - pm_error( "bad pixel data header" ); - buf[8] = '\0'; - len = atoi((char*) buf ); -+ overflow2(cols, rows); - if ( len != cols * rows ) - pm_message( - "pixel data length (%d) does not match image size (%d)", ---- netpbm-10.34/converter/ppm/ximtoppm.c.security 2005-10-07 08:59:40.000000000 +0200 -+++ netpbm-10.34/converter/ppm/ximtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -111,6 +111,7 @@ - header->bits_channel = atoi(a_head.bits_per_channel); - header->alpha_flag = atoi(a_head.alpha_channel); - if (strlen(a_head.author)) { -+ overflow_add(strlen(a_head.author),1); - if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, - 1))) { - pm_message("ReadXimHeader: can't calloc author string" ); -@@ -120,6 +121,7 @@ - strncpy(header->author, a_head.author, strlen(a_head.author)); - } - if (strlen(a_head.date)) { -+ overflow_add(strlen(a_head.date),1); - if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){ - pm_message("ReadXimHeader: can't calloc date string" ); - return(0); -@@ -128,6 +130,7 @@ - strncpy(header->date, a_head.date, strlen(a_head.date)); - } - if (strlen(a_head.program)) { -+ overflow_add(strlen(a_head.program),1); - if (!(header->program = calloc( - (unsigned int)strlen(a_head.program) + 1, 1))) { - pm_message("ReadXimHeader: can't calloc program string" ); -@@ -154,6 +157,7 @@ - if (header->nchannels == 3 && header->bits_channel == 8) - header->ncolors = 0; - else if (header->nchannels == 1 && header->bits_channel == 8) { -+ overflow2(header->ncolors, sizeof(Color)); - header->colors = (Color *)calloc((unsigned int)header->ncolors, - sizeof(Color)); - if (header->colors == NULL) { ---- netpbm-10.34/converter/ppm/pcxtoppm.c.security 2006-05-19 22:38:39.000000000 +0200 -+++ netpbm-10.34/converter/ppm/pcxtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -408,6 +408,7 @@ - /* - * clear the pixel buffer - */ -+ overflow2(bytesperline, 8); - npixels = (bytesperline * 8) / bitsperpixel; - p = pixels; - while (--npixels >= 0) -@@ -469,6 +470,7 @@ +diff -up netpbm-10.35.46/converter/other/pngtopnm.c.security netpbm-10.35.46/converter/other/pngtopnm.c +--- netpbm-10.35.46/converter/other/pngtopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pngtopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -985,19 +985,24 @@ convertpng(FILE * const ifp, + pm_error ("couldn't allocate space for image"); } - /* BytesPerLine should be >= BitsPerPixel * cols / 8 */ -+ overflow2(BytesPerLine, 8); - rawcols = BytesPerLine * 8 / BitsPerPixel; - if (headerCols > rawcols) { - pm_message("warning - BytesPerLine = %d, " ---- netpbm-10.34/converter/ppm/ppmtopict.c.security 2003-02-22 23:04:40.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtopict.c 2006-06-22 12:45:18.000000000 +0200 -@@ -245,6 +245,8 @@ - putShort(stdout, 0); /* mode */ - - /* Finally, write out the data. */ -+ overflow_add(cols/MAX_COUNT, 1); -+ overflow_add(cols, cols/MAX_COUNT+1); - packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1)); - oc = 0; - for (row = 0; row < rows; row++) ---- netpbm-10.34/converter/ppm/ppmtomitsu.c.security 2005-12-22 09:54:51.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtomitsu.c 2006-06-22 12:45:18.000000000 +0200 -@@ -166,6 +166,8 @@ - medias = MSize_User; +- if (info_ptr->bit_depth == 16) ++ if (info_ptr->bit_depth == 16) { ++ overflow2(2, info_ptr->width); + linesize = 2 * info_ptr->width; +- else ++ } else + linesize = info_ptr->width; - if (dpi300) { -+ overflow2(medias.maxcols, 2); -+ overflow2(medias.maxrows, 2); - medias.maxcols *= 2; - medias.maxrows *= 2; - } ---- netpbm-10.34/converter/ppm/ppmtoilbm.c.security 2006-05-27 04:58:42.000000000 +0200 -+++ netpbm-10.34/converter/ppm/ppmtoilbm.c 2006-06-22 12:56:24.000000000 +0200 -@@ -1251,6 +1251,7 @@ +- if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) ++ if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { ++ overflow2(2, linesize); + linesize *= 2; +- else +- if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) ++ } else ++ if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) { ++ overflow2(3, linesize); + linesize *= 3; +- else +- if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) ++ } else ++ if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) { ++ overflow2(4, linesize); + linesize *= 4; ++ } - maskmethod = 0; /* no masking - RGB8 uses genlock bits */ - compmethod = 4; /* RGB8 files are always compressed */ -+ overflow2(cols, 4); - MALLOCARRAY_NOFAIL(compr_row, cols * 4); + for (y = 0 ; y < info_ptr->height ; y++) { + png_image[y] = malloc (linesize); +diff -up netpbm-10.35.46/converter/other/pnmtoddif.c.security netpbm-10.35.46/converter/other/pnmtoddif.c +--- netpbm-10.35.46/converter/other/pnmtoddif.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pnmtoddif.c 2008-06-24 09:04:21.000000000 +0200 +@@ -484,6 +484,7 @@ int main(int argc, char *argv[]) + switch (PNM_FORMAT_TYPE(format)) { + case PBM_TYPE: + ip.bits_per_pixel = 1; ++ overflow_add(cols, 7); + ip.bytes_per_line = (cols + 7) / 8; + ip.spectral = 2; + ip.components = 1; +@@ -499,6 +500,7 @@ int main(int argc, char *argv[]) + ip.polarity = 2; + break; + case PPM_TYPE: ++ overflow2(cols, 3); + ip.bytes_per_line = 3 * cols; + ip.bits_per_pixel = 24; + ip.spectral = 5; +diff -up netpbm-10.35.46/converter/other/pnmtojpeg.c.security netpbm-10.35.46/converter/other/pnmtojpeg.c +--- netpbm-10.35.46/converter/other/pnmtojpeg.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pnmtojpeg.c 2008-06-24 09:04:21.000000000 +0200 +@@ -587,6 +587,8 @@ compute_rescaling_array(JSAMPLE ** const + const long half_maxval = maxval / 2; + long val; - if( maxval != 255 ) { -@@ -1339,6 +1340,7 @@ ++ overflow_add(maxval, 1); ++ overflow2(maxval+1, sizeof(JSAMPLE)); + *rescale_p = (JSAMPLE *) + (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, + (size_t) (((long) maxval + 1L) * +@@ -665,6 +667,7 @@ convert_scanlines(struct jpeg_compress_s + */ - maskmethod = 0; /* no masking - RGBN uses genlock bits */ - compmethod = 4; /* RGBN files are always compressed */ -+ overflow2(cols, 2); - MALLOCARRAY_NOFAIL(compr_row, cols * 2); + /* Allocate the libpnm output and compressor input buffers */ ++ overflow2(cinfo_p->image_width, cinfo_p->input_components); + buffer = (*cinfo_p->mem->alloc_sarray) + ((j_common_ptr) cinfo_p, JPOOL_IMAGE, + (unsigned int) cinfo_p->image_width * cinfo_p->input_components, +@@ -932,7 +935,11 @@ read_scan_script (j_compress_ptr cinfo, + * want JPOOL_PERMANENT. + */ + const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); +- jpeg_scan_info * const scan_info = ++ const jpeg_scan_info * scan_info; ++ ++ overflow2(nscans, sizeof(jpeg_scan_info)); ++ ++ scan_info = + (jpeg_scan_info *) + (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, + scan_info_size); +diff -up netpbm-10.35.46/converter/other/pnmtops.c.security netpbm-10.35.46/converter/other/pnmtops.c +--- netpbm-10.35.46/converter/other/pnmtops.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pnmtops.c 2008-06-24 09:04:21.000000000 +0200 +@@ -184,16 +184,20 @@ parseCommandLine(int argc, char ** argv, + cmdlineP->canturn = !noturn; + cmdlineP->showpage = !noshowpage; + ++ overflow2(width, 72); + cmdlineP->width = width * 72; ++ overflow2(height, 72); + cmdlineP->height = height * 72; - if( maxval != 15 ) { -@@ -1821,6 +1823,7 @@ - int i; - int *table; +- if (imagewidthSpec) ++ if (imagewidthSpec) { ++ overflow2(imagewidth, 72); + cmdlineP->imagewidth = imagewidth * 72; +- else ++ } else + cmdlineP->imagewidth = 0; +- if (imageheightSpec) ++ if (imageheightSpec) { ++ overflow2(imageheight, 72); + cmdlineP->imageheight = imageheight * 72; +- else ++ } else + cmdlineP->imageheight = 0; -+ overflow_add(oldmaxval, 1); - MALLOCARRAY_NOFAIL(table, oldmaxval + 1); - for(i = 0; i <= oldmaxval; i++ ) - table[i] = (i * newmaxval + oldmaxval/2) / oldmaxval; -@@ -2325,8 +2328,11 @@ - MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols)); - for (i = 0; i < RowBytes(cols); ++i) - coded_rowbuf[i] = 0; -- if (DO_COMPRESS) -+ if (DO_COMPRESS) { -+ overflow2(cols,2); -+ overflow_add(cols*2,2); - MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols))); -+ } + if (!cmdlineP->psfilter && +diff -up netpbm-10.35.46/converter/other/pnmtorle.c.security netpbm-10.35.46/converter/other/pnmtorle.c +--- netpbm-10.35.46/converter/other/pnmtorle.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pnmtorle.c 2008-06-24 09:04:21.000000000 +0200 +@@ -19,6 +19,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * pnmtorle - A program which will convert pbmplus (ppm or pgm) images +diff -up netpbm-10.35.46/converter/other/pnmtosgi.c.security netpbm-10.35.46/converter/other/pnmtosgi.c +--- netpbm-10.35.46/converter/other/pnmtosgi.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/pnmtosgi.c 2008-06-24 09:04:21.000000000 +0200 +@@ -213,6 +213,22 @@ write_channels(cols, rows, channels, put } - - switch (mode) { ---- netpbm-10.34/converter/ppm/ilbmtoppm.c.security 2005-12-22 09:51:05.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ilbmtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -595,6 +595,7 @@ - rawtype *chp; - - cols = bmhdP->w; -+ overflow_add(cols, 15); - bytes = RowBytes(cols); - for( plane = 0; plane < nPlanes; plane++ ) { - int mask; -@@ -682,6 +683,23 @@ - Multipalette handling - ****************************************************************************/ + } +static void * -+xmalloc2(x, y) -+ int x; -+ int y; ++xmalloc2(int x, int y) +{ + void *mem; + @@ -517,246 +218,157 @@ + if( x * y == 0 ) + return NULL; + -+ mem = malloc2(x,y); ++ mem = malloc2(x, y); + if( mem == NULL ) + pm_error("out of memory allocating %d bytes", x * y); + return mem; +} + - ++ static void - multi_adjust(cmap, row, palchange) -@@ -1294,6 +1312,9 @@ - if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) - pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); - -+ overflow_add(redmaxval, 1); -+ overflow_add(greenmaxval, 1); -+ overflow_add(bluemaxval, 1); - MALLOCARRAY_NOFAIL(redtable, redmaxval +1); - MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); - MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); -@@ -1725,7 +1746,9 @@ - ChangeCount32 = *data++; - datasize -= 2; - -+ overflow_add(ChangeCount16, ChangeCount32); - changes = ChangeCount16 + ChangeCount32; -+ overflow_add(changes, 1); - for( i = 0; i < changes; i++ ) { - if( totalchanges >= PCHG->TotalChanges ) goto fail; - if( datasize < 2 ) goto fail; -@@ -1852,6 +1875,7 @@ - if( datasize < 2 ) goto fail; - changes = BIG_WORD(data); data += 2; datasize -= 2; - -+ overflow_add(changes, 1); - MALLOCARRAY_NOFAIL(cmap->mp_change[row], changes + 1); - for( i = 0; i < changes; i++ ) { - if( totalchanges >= PCHG->TotalChanges ) goto fail; -@@ -1965,6 +1989,9 @@ - cmap->mp_change[i] = NULL; - if( PCHG.StartLine < 0 ) { - int nch; -+ if(PCHG.MaxReg < PCHG.MinReg) -+ pm_error("assert: MinReg > MaxReg"); -+ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2); - nch = PCHG.MaxReg - PCHG.MinReg +1; - MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); - for( i = 0; i < nch; i++ ) -@@ -2041,6 +2068,7 @@ - if( typeid == ID_ILBM ) { - int isdeep; - -+ overflow_add(bmhdP->w, 15); - MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w)); - *viewportmodesP |= fakeviewport; /* -isham/-isehb */ + put_big_short(short s) + { +@@ -250,6 +266,7 @@ build_channels(FILE *ifp, int cols, int + #endif ---- netpbm-10.34/converter/ppm/sldtoppm.c.security 2006-06-18 04:53:22.000000000 +0200 -+++ netpbm-10.34/converter/ppm/sldtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -306,7 +306,9 @@ + if( storage != STORAGE_VERBATIM ) { ++ overflow2(channels, rows); + MALLOCARRAY_NOFAIL(table, channels * rows); + MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); } +@@ -303,6 +320,8 @@ compress(temp, row, rows, cols, chan_no, + break; + case STORAGE_RLE: + tabrow = chan_no * rows + row; ++ overflow2(chan_no, rows); ++ overflow_add(chan_no* rows, row); + len = rle_compress(temp, cols); /* writes result into rletemp */ + channel[chan_no][row].length = len; + MALLOCARRAY(p, len); +diff -up netpbm-10.35.46/converter/other/rletopnm.c.security netpbm-10.35.46/converter/other/rletopnm.c +--- netpbm-10.35.46/converter/other/rletopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/rletopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -19,6 +19,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rletopnm - A conversion program to convert from Utah's "rle" image format +diff -up netpbm-10.35.46/converter/other/sgitopnm.c.security netpbm-10.35.46/converter/other/sgitopnm.c +--- netpbm-10.35.46/converter/other/sgitopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/sgitopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -252,13 +252,17 @@ read_channels(ifp, head, table, func, oc - /* Allocate image buffer and clear it to black. */ -- -+ -+ overflow_add(ixdots,1); -+ overflow_add(iydots,1); - pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1); - PPM_ASSIGN(rgbcolor, 0, 0, 0); - ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0, ---- netpbm-10.34/converter/ppm/ppmtolj.c.security 2005-11-27 07:59:21.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtolj.c 2006-06-22 12:45:18.000000000 +0200 -@@ -181,7 +181,8 @@ - - ppm_readppminit( ifp, &cols, &rows, &maxval, &format ); - pixelrow = ppm_allocrow( cols ); -- -+ -+ overflow2(cols, 6); - obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char)); - cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char)); - if (mode == C_TRANS_MODE_DELTA) ---- netpbm-10.34/converter/ppm/ppmtopcx.c.security 2005-08-27 20:25:49.000000000 +0200 -+++ netpbm-10.34/converter/ppm/ppmtopcx.c 2006-06-22 12:45:18.000000000 +0200 -@@ -418,6 +418,8 @@ - else Planes = 1; - } + if (ochan < 0) { + maxchannel = (head->zsize < 3) ? head->zsize : 3; ++ overflow2(head->ysize, maxchannel); + MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); + } else { + maxchannel = ochan + 1; + MALLOCARRAY_NOFAIL(image, head->ysize); } -+ overflow2(BitsPerPixel, cols); -+ overflow_add(BitsPerPixel * cols, 7); - BytesPerLine = ((cols * BitsPerPixel) + 7) / 8; - MALLOCARRAY_NOFAIL(indexRow, cols); - MALLOCARRAY_NOFAIL(planesrow, BytesPerLine); ---- netpbm-10.34/converter/ppm/Makefile.security 2006-06-22 12:45:17.000000000 +0200 -+++ netpbm-10.34/converter/ppm/Makefile 2006-06-22 12:45:18.000000000 +0200 -@@ -11,7 +11,7 @@ - - PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ - leaftoppm mtvtoppm neotoppm \ -- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ -+ pcxtoppm pc1toppm pi1toppm pjtoppm \ - ppmtoacad ppmtoarbtxt \ - ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ - ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ ---- netpbm-10.34/converter/ppm/ppmtoxpm.c.security 2005-12-21 17:50:01.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtoxpm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -195,6 +195,7 @@ - unsigned int i; - - /* Allocate memory for printed number. Abort if error. */ -+ overflow_add(digits, 1); - if (!(str = (char *) malloc(digits + 1))) - pm_error("out of memory"); +- if ( table ) ++ if ( table ) { ++ overflow2(head->xsize, 2); ++ overflow_add(head->xsize*2, 2); + MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); ++ } -@@ -312,6 +313,7 @@ - unsigned int charsPerPixel; - unsigned int xpmMaxval; - -+ if (includeTransparent) overflow_add(ncolors, 1); - MALLOCARRAY(cmap, cmapSize); - if (cmapP == NULL) - pm_error("Out of memory allocating %u bytes for a color map.", ---- netpbm-10.34/converter/ppm/ppmtopjxl.c.security 2005-12-22 09:54:12.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtopjxl.c 2006-06-22 12:45:18.000000000 +0200 -@@ -274,6 +274,8 @@ - pm_error("image too large; reduce with ppmscale"); - if (maxval > PCL_MAXVAL) - pm_error("color range too large; reduce with ppmcscale"); -+ if (cols < 0 || rows < 0) -+ pm_error("negative size is not possible"); + for( channel = 0; channel < maxchannel; channel++ ) { + #ifdef DEBUG +diff -up netpbm-10.35.46/converter/other/sirtopnm.c.security netpbm-10.35.46/converter/other/sirtopnm.c +--- netpbm-10.35.46/converter/other/sirtopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/sirtopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -69,6 +69,7 @@ char* argv[]; + } + break; + case PPM_TYPE: ++ overflow3(cols, rows, 3); + picsize = cols * rows * 3; + planesize = cols * rows; + if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) +diff -up netpbm-10.35.46/converter/other/tifftopnm.c.security netpbm-10.35.46/converter/other/tifftopnm.c +--- netpbm-10.35.46/converter/other/tifftopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/tifftopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -748,7 +748,8 @@ convertRasterByRows(FILE * const + if (scanbuf == NULL) + pm_error("can't allocate memory for scanline buffer"); - /* Figure out the colormap. */ - fprintf( stderr, "(Computing colormap..." ); fflush( stderr ); -@@ -294,6 +296,8 @@ - case 0: /* direct mode (no palette) */ - bpp = bitsperpixel(maxval); /* bits per pixel */ - bpg = bpp; bpb = bpp; -+ overflow2(bpp, 3); -+ overflow_add(bpp*3, 7); - bpp = (bpp*3+7)>>3; /* bytes per pixel now */ - bpr = (bpp<<3)-bpg-bpb; - bpp *= cols; /* bytes per row now */ -@@ -303,9 +307,13 @@ - case 3: case 7: pclindex++; - default: - bpp = 8/pclindex; -+ overflow_add(cols, bpp); -+ if(bpp == 0) -+ pm_error("assert: no bpp"); - bpp = (cols+bpp-1)/bpp; /* bytes per row */ - } +- MALLOCARRAY(samplebuf, cols * spp); ++ /* samplebuf is unsigned int * !!! */ ++ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp); + if (samplebuf == NULL) + pm_error ("can't allocate memory for row buffer"); -+ overflow2(bpp,2); - if ((inrow = (char *)malloc((unsigned)bpp)) == NULL || - (outrow = (char *)malloc((unsigned)bpp*2)) == NULL || - (runcnt = (signed char *)malloc((unsigned)bpp)) == NULL) ---- netpbm-10.34/converter/ppm/yuvtoppm.c.security 2003-07-06 22:32:09.000000000 +0200 -+++ netpbm-10.34/converter/ppm/yuvtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -72,6 +72,7 @@ +diff -up netpbm-10.35.46/converter/other/xwdtopnm.c.security netpbm-10.35.46/converter/other/xwdtopnm.c +--- netpbm-10.35.46/converter/other/xwdtopnm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/other/xwdtopnm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -214,6 +214,9 @@ processX10Header(X10WDFileHeader * cons + *colorsP = pnm_allocrow( 2 ); + PNM_ASSIGN1( (*colorsP)[0], 0 ); + PNM_ASSIGN1( (*colorsP)[1], *maxvalP ); ++ overflow_add(h10P->pixmap_width, 15); ++ if(h10P->pixmap_width < 0) ++ pm_error("assert: negative width"); + *padrightP = + ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width; + *bits_per_itemP = 16; +@@ -560,6 +563,7 @@ processX11Header(X11WDFileHeader * cons - ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0); - pixrow = ppm_allocrow(cols); -+ overflow_add(cols, 1); - MALLOCARRAY(yuvbuf, (cols+1)/2); - if (yuvbuf == NULL) - pm_error("Unable to allocate YUV buffer for %d columns.", cols); ---- netpbm-10.34/converter/ppm/picttoppm.c.security 2006-06-17 21:11:56.000000000 +0200 -+++ netpbm-10.34/converter/ppm/picttoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -1,3 +1,5 @@ -+#error "Unfixable. Don't ship me" -+ - /* - * picttoppm.c -- convert a MacIntosh PICT file to PPM format. - * ---- netpbm-10.34/converter/ppm/ppmtowinicon.c.security 2005-10-07 08:14:24.000000000 +0200 -+++ netpbm-10.34/converter/ppm/ppmtowinicon.c 2006-06-22 12:45:18.000000000 +0200 -@@ -12,6 +12,7 @@ + *colsP = h11FixedP->pixmap_width; + *rowsP = h11FixedP->pixmap_height; ++ overflow2(h11FixedP->bytes_per_line, 8); + *padrightP = + h11FixedP->bytes_per_line * 8 / h11FixedP->bits_per_pixel - + h11FixedP->pixmap_width; +diff -up netpbm-10.35.46/converter/pbm/icontopbm.c.security netpbm-10.35.46/converter/pbm/icontopbm.c +--- netpbm-10.35.46/converter/pbm/icontopbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/icontopbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -11,6 +11,7 @@ + */ - #include #include -+#include - - #include "winico.h" - #include "ppm.h" -@@ -218,6 +219,7 @@ - MALLOCARRAY_NOFAIL(rowData, rows); - icBitmap->xBytes = xBytes; - icBitmap->data = rowData; -+ overflow2(xBytes, rows); - icBitmap->size = xBytes * rows; - for (y=0;yxBytes = xBytes; - icBitmap->data = rowData; -+ overflow2(xBytes, rows); - icBitmap->size = xBytes * rows; ++#include - for (y=0;yxBytes = xBytes; - icBitmap->data = rowData; -+ overflow2(xBytes, rows); - icBitmap->size = xBytes * rows; + #include "nstring.h" + #include "pbm.h" +@@ -87,6 +88,11 @@ ReadIconFile(FILE * const + if ( *heightP <= 0 ) + pm_error( "invalid height (must be positive): %d", *heightP ); - for (y=0;ybitcount = bpp; - entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); - entry->colors = palette->colors; -+ overflow2(4, entry->color_count); -+ overflow_add(xorBitmap->size, andBitmap->size); -+ overflow_add(xorBitmap->size + andBitmap->size, 40); -+ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); - entry->size_in_bytes = - xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); - if (verbose) ---- netpbm-10.34/converter/ppm/xpmtoppm.c.security 2005-10-07 08:59:22.000000000 +0200 -+++ netpbm-10.34/converter/ppm/xpmtoppm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -700,6 +700,7 @@ - &ncolors, colorsP, &ptab); - *transparentP = -1; /* No transparency in version 1 */ ++ if ( *widthP > INT_MAX - 16 || *widthP < 0) ++ pm_error( "invalid width: %d", *widthP); ++ ++ overflow2(*widthP + 16, *heightP); ++ + data_length = BitmapSize( *widthP, *heightP ); + *dataP = (short unsigned int *) malloc( data_length ); + if ( *dataP == NULL ) +diff -up netpbm-10.35.46/converter/pbm/mdatopbm.c.security netpbm-10.35.46/converter/pbm/mdatopbm.c +--- netpbm-10.35.46/converter/pbm/mdatopbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/mdatopbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -245,10 +245,13 @@ main(int argc, char **argv) { + pm_readlittleshort(infile, &yy); nInCols = yy; } -+ overflow2(*widthP, *heightP); - totalpixels = *widthP * *heightP; - MALLOCARRAY(*dataP, totalpixels); - if (*dataP == NULL) ---- netpbm-10.34/converter/ppm/ppmtoeyuv.c.security 2005-12-22 09:53:14.000000000 +0100 -+++ netpbm-10.34/converter/ppm/ppmtoeyuv.c 2006-06-22 12:45:18.000000000 +0200 -@@ -114,6 +114,7 @@ - - int index; + ++ overflow2(nOutCols, 8); + nOutCols = 8 * nInCols; + nOutRows = nInRows; +- if (bScale) ++ if (bScale) { ++ overflow2(nOutRows, 2); + nOutRows *= 2; ++ } -+ overflow_add(maxval, 1); - MALLOCARRAY_NOFAIL(mult299 , maxval+1); - MALLOCARRAY_NOFAIL(mult587 , maxval+1); - MALLOCARRAY_NOFAIL(mult114 , maxval+1); ---- netpbm-10.34/converter/pbm/mgrtopbm.c.security 2005-02-20 20:58:25.000000000 +0100 -+++ netpbm-10.34/converter/pbm/mgrtopbm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -68,6 +68,8 @@ + data = pbm_allocarray(nOutCols, nOutRows); + +diff -up netpbm-10.35.46/converter/pbm/mgrtopbm.c.security netpbm-10.35.46/converter/pbm/mgrtopbm.c +--- netpbm-10.35.46/converter/pbm/mgrtopbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/mgrtopbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -68,6 +68,8 @@ getinit(FILE * const file, if (head.h_high < ' ' || head.l_high < ' ') pm_error("Invalid width field in MGR header"); @@ -765,9 +377,42 @@ *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; ---- netpbm-10.34/converter/pbm/pbmtoascii.c.security 2002-07-30 17:42:53.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtoascii.c 2006-06-22 12:45:18.000000000 +0200 -@@ -115,9 +115,11 @@ +diff -up netpbm-10.35.46/converter/pbm/pbmto10x.c.security netpbm-10.35.46/converter/pbm/pbmto10x.c +--- netpbm-10.35.46/converter/pbm/pbmto10x.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmto10x.c 2008-06-24 09:04:21.000000000 +0200 +@@ -162,7 +162,7 @@ main(int argc, char * argv[]) { + res_60x72(); + + pm_close(ifp); +- exit(0); ++ return 0; + } + + +diff -up netpbm-10.35.46/converter/pbm/pbmto4425.c.security netpbm-10.35.46/converter/pbm/pbmto4425.c +--- netpbm-10.35.46/converter/pbm/pbmto4425.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmto4425.c 2008-06-24 09:04:21.000000000 +0200 +@@ -2,6 +2,7 @@ + + #include "nstring.h" + #include "pbm.h" ++#include + + static char bit_table[2][3] = { + {1, 4, 0x10}, +@@ -160,7 +161,7 @@ main(int argc, char * argv[]) { + xres = vmap_width * 2; + yres = vmap_height * 3; + +- vmap = malloc(vmap_width * vmap_height * sizeof(char)); ++ vmap = malloc3(vmap_width, vmap_height, sizeof(char)); + if(vmap == NULL) + { + pm_error( "Cannot allocate memory" ); +diff -up netpbm-10.35.46/converter/pbm/pbmtoascii.c.security netpbm-10.35.46/converter/pbm/pbmtoascii.c +--- netpbm-10.35.46/converter/pbm/pbmtoascii.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtoascii.c 2008-06-24 09:04:21.000000000 +0200 +@@ -115,9 +115,11 @@ char* argv[]; pm_usage( usage ); pbm_readpbminit( ifp, &cols, &rows, &format ); @@ -779,29 +424,111 @@ line = (char*) pm_allocrow( ccols + 1, sizeof(char) ); for ( row = 0; row < rows; row += gridy ) ---- netpbm-10.34/converter/pbm/pbmtox10bm.c.security 2005-10-07 09:10:10.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtox10bm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -57,6 +57,7 @@ +diff -up netpbm-10.35.46/converter/pbm/pbmtocmuwm.c.security netpbm-10.35.46/converter/pbm/pbmtocmuwm.c +--- netpbm-10.35.46/converter/pbm/pbmtocmuwm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtocmuwm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -43,6 +43,7 @@ main( argc, argv ) bitrow = pbm_allocrow( cols ); + + /* Round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 7); + padright = ( ( cols + 7 ) / 8 ) * 8 - cols; - /* Compute padding to round cols up to the nearest multiple of 16. */ + putinit( rows, cols ); +diff -up netpbm-10.35.46/converter/pbm/pbmtogem.c.security netpbm-10.35.46/converter/pbm/pbmtogem.c +--- netpbm-10.35.46/converter/pbm/pbmtogem.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtogem.c 2008-06-24 09:04:21.000000000 +0200 +@@ -123,6 +123,7 @@ putinit (rows, cols) + bitsperitem = 0; + bitshift = 7; + outcol = 0; ++ overflow_add(cols, 7); + outmax = (cols + 7) / 8; + outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); + lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); +diff -up netpbm-10.35.46/converter/pbm/pbmtogo.c.security netpbm-10.35.46/converter/pbm/pbmtogo.c +--- netpbm-10.35.46/converter/pbm/pbmtogo.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtogo.c 2008-06-24 09:04:21.000000000 +0200 +@@ -96,6 +96,7 @@ main( argc, argv ) + bitrow = pbm_allocrow(cols); + + /* Round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 7); + rucols = ( cols + 7 ) / 8; + bytesperrow = rucols; /* GraphOn uses bytes */ + rucols = rucols * 8; +diff -up netpbm-10.35.46/converter/pbm/pbmtoicon.c.security netpbm-10.35.46/converter/pbm/pbmtoicon.c +--- netpbm-10.35.46/converter/pbm/pbmtoicon.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtoicon.c 2008-06-24 09:04:21.000000000 +0200 +@@ -42,6 +42,7 @@ main( argc, argv ) + bitrow = pbm_allocrow( cols ); + + /* Round cols up to the nearest multiple of 16. */ + overflow_add(cols, 15); - padright = ( ( cols + 15 ) / 16 ) * 16 - cols; + pad = ( ( cols + 15 ) / 16 ) * 16 - cols; + padleft = pad / 2; + padright = pad - padleft; +diff -up netpbm-10.35.46/converter/pbm/pbmtolj.c.security netpbm-10.35.46/converter/pbm/pbmtolj.c +--- netpbm-10.35.46/converter/pbm/pbmtolj.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtolj.c 2008-06-24 09:04:21.000000000 +0200 +@@ -119,7 +119,11 @@ parseCommandLine(int argc, char ** argv, + static void + allocateBuffers(unsigned int const cols) { - printf( "#define %s_width %d\n", name, cols ); ---- netpbm-10.34/converter/pbm/pbmtoppa/pbmtoppa.c.security 2005-04-30 18:45:07.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtoppa/pbmtoppa.c 2006-06-22 12:45:18.000000000 +0200 -@@ -441,6 +441,7 @@ - pm_error("main(): unrecognized parameter '%s'", argv[argn]); - } ++ overflow_add(cols, 8); + rowBufferSize = (cols + 7) / 8; ++ overflow_add(rowBufferSize, 128); ++ overflow_add(rowBufferSize, rowBufferSize+128); ++ overflow_add(rowBufferSize+10, rowBufferSize/8); + packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; + deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; -+ overflow_add(Width, 7); - Pwidth=(Width+7)/8; - printer.fptr=out; +diff -up netpbm-10.35.46/converter/pbm/pbmtomacp.c.security netpbm-10.35.46/converter/pbm/pbmtomacp.c +--- netpbm-10.35.46/converter/pbm/pbmtomacp.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtomacp.c 2008-06-24 09:04:21.000000000 +0200 +@@ -104,6 +104,7 @@ char *argv[]; + if( !lflg ) + left = 0; + ++ overflow_add(left, MAX_COLS - 1); + if( rflg ) + { if( right - left >= MAX_COLS ) + right = left + MAX_COLS - 1; +@@ -114,6 +115,8 @@ char *argv[]; + if( !tflg ) + top = 0; + ++ overflow_add(top, MAX_LINES - 1); ++ + if( bflg ) + { if( bottom - top >= MAX_LINES ) + bottom = top + MAX_LINES - 1; +diff -up netpbm-10.35.46/converter/pbm/pbmtomda.c.security netpbm-10.35.46/converter/pbm/pbmtomda.c +--- netpbm-10.35.46/converter/pbm/pbmtomda.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtomda.c 2008-06-24 09:04:21.000000000 +0200 +@@ -179,6 +179,7 @@ int main(int argc, char **argv) + + nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; + ++ overflow_add(nOutRowsUnrounded, 3); + nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; + /* MDA wants rows a multiple of 4 */ + nOutCols = nInCols / 8; +diff -up netpbm-10.35.46/converter/pbm/pbmtomgr.c.security netpbm-10.35.46/converter/pbm/pbmtomgr.c +--- netpbm-10.35.46/converter/pbm/pbmtomgr.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtomgr.c 2008-06-24 09:04:21.000000000 +0200 +@@ -43,6 +43,7 @@ main( argc, argv ) + bitrow = pbm_allocrow( cols ); + + /* Round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 7); + padright = ( ( cols + 7 ) / 8 ) * 8 - cols; ---- netpbm-10.34/converter/pbm/pbmtoppa/pbm.c.security 2000-06-01 19:20:30.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtoppa/pbm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -105,6 +105,7 @@ + putinit( rows, cols ); +diff -up netpbm-10.35.46/converter/pbm/pbmtoppa/pbm.c.security netpbm-10.35.46/converter/pbm/pbmtoppa/pbm.c +--- netpbm-10.35.46/converter/pbm/pbmtoppa/pbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtoppa/pbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned return 0; case P4: @@ -809,7 +536,7 @@ tmp=(pbm->width+7)/8; tmp2=fread(data,1,tmp,pbm->fptr); if(tmp2 == tmp) -@@ -129,7 +130,8 @@ +@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void return; pbm->unread = 1; @@ -819,94 +546,76 @@ memcpy (pbm->revdata, data, (pbm->width+7)/8); pbm->current_line--; } ---- netpbm-10.34/converter/pbm/ybmtopbm.c.security 1993-10-04 10:10:35.000000000 +0100 -+++ netpbm-10.34/converter/pbm/ybmtopbm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -88,6 +88,7 @@ - pm_error( "EOF / read error" ); - - *depthP = 1; -+ overflow_add(*colsP, 15); - *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP; - bitsperitem = 0; +diff -up netpbm-10.35.46/converter/pbm/pbmtoppa/pbmtoppa.c.security netpbm-10.35.46/converter/pbm/pbmtoppa/pbmtoppa.c +--- netpbm-10.35.46/converter/pbm/pbmtoppa/pbmtoppa.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtoppa/pbmtoppa.c 2008-06-24 09:04:21.000000000 +0200 +@@ -441,6 +441,7 @@ main(int argc, char *argv[]) { + pm_error("main(): unrecognized parameter '%s'", argv[argn]); } ---- netpbm-10.34/converter/pbm/pbmtolj.c.security 2005-07-21 18:04:48.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtolj.c 2006-06-22 12:45:18.000000000 +0200 -@@ -119,7 +119,11 @@ - static void - allocateBuffers(unsigned int const cols) { - -+ overflow_add(cols, 8); - rowBufferSize = (cols + 7) / 8; -+ overflow_add(rowBufferSize, 128); -+ overflow_add(rowBufferSize, rowBufferSize+128); -+ overflow_add(rowBufferSize+10, rowBufferSize/8); - packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; - deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; ---- netpbm-10.34/converter/pbm/pbmto4425.c.security 2005-10-07 09:13:08.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmto4425.c 2006-06-22 12:45:18.000000000 +0200 -@@ -2,6 +2,7 @@ ++ overflow_add(Width, 7); + Pwidth=(Width+7)/8; + printer.fptr=out; - #include "nstring.h" - #include "pbm.h" -+#include +diff -up netpbm-10.35.46/converter/pbm/pbmtox10bm.c.security netpbm-10.35.46/converter/pbm/pbmtox10bm.c +--- netpbm-10.35.46/converter/pbm/pbmtox10bm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtox10bm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -57,6 +57,7 @@ main(int argc, char * argv[]) { + bitrow = pbm_allocrow( cols ); - static char bit_table[2][3] = { - {1, 4, 0x10}, -@@ -160,7 +161,7 @@ - xres = vmap_width * 2; - yres = vmap_height * 3; + /* Compute padding to round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 15); + padright = ( ( cols + 15 ) / 16 ) * 16 - cols; -- vmap = malloc(vmap_width * vmap_height * sizeof(char)); -+ vmap = malloc3(vmap_width, vmap_height, sizeof(char)); - if(vmap == NULL) - { - pm_error( "Cannot allocate memory" ); ---- netpbm-10.34/converter/pbm/icontopbm.c.security 2005-10-07 09:14:45.000000000 +0200 -+++ netpbm-10.34/converter/pbm/icontopbm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -11,6 +11,7 @@ - */ + printf( "#define %s_width %d\n", name, cols ); +diff -up netpbm-10.35.46/converter/pbm/pbmtoxbm.c.security netpbm-10.35.46/converter/pbm/pbmtoxbm.c +--- netpbm-10.35.46/converter/pbm/pbmtoxbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtoxbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -100,6 +100,7 @@ main(int argc, char * argv[]) { + bitrow = pbm_allocrow(cols); + + /* Compute padding to round cols up to the nearest multiple of 8. */ ++ overflow_add(cols, 8); + padright = ((cols + 7)/8) * 8 - cols; - #include -+#include + printf("#define %s_width %d\n", name, cols); +diff -up netpbm-10.35.46/converter/pbm/pbmtoybm.c.security netpbm-10.35.46/converter/pbm/pbmtoybm.c +--- netpbm-10.35.46/converter/pbm/pbmtoybm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtoybm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -45,6 +45,7 @@ main( argc, argv ) + bitrow = pbm_allocrow( cols ); + + /* Compute padding to round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 16); + padright = ( ( cols + 15 ) / 16 ) * 16 - cols; - #include "nstring.h" - #include "pbm.h" -@@ -87,6 +88,11 @@ - if ( *heightP <= 0 ) - pm_error( "invalid height (must be positive): %d", *heightP ); + putinit( cols, rows ); +diff -up netpbm-10.35.46/converter/pbm/pbmtozinc.c.security netpbm-10.35.46/converter/pbm/pbmtozinc.c +--- netpbm-10.35.46/converter/pbm/pbmtozinc.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pbmtozinc.c 2008-06-24 09:04:21.000000000 +0200 +@@ -65,6 +65,7 @@ main(int argc, char * argv[]) { + bitrow = pbm_allocrow( cols ); -+ if ( *widthP > INT_MAX - 16 || *widthP < 0) -+ pm_error( "invalid width: %d", *widthP); -+ -+ overflow2(*widthP + 16, *heightP); -+ - data_length = BitmapSize( *widthP, *heightP ); - *dataP = (short unsigned int *) malloc( data_length ); - if ( *dataP == NULL ) ---- netpbm-10.34/converter/pbm/pbmtogem.c.security 2000-06-09 09:07:05.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtogem.c 2006-06-22 12:45:18.000000000 +0200 -@@ -123,6 +123,7 @@ - bitsperitem = 0; - bitshift = 7; - outcol = 0; -+ overflow_add(cols, 7); - outmax = (cols + 7) / 8; - outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); - lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); ---- netpbm-10.34/converter/pbm/pbmtogo.c.security 2005-12-22 09:45:07.000000000 +0100 -+++ netpbm-10.34/converter/pbm/pbmtogo.c 2006-06-22 12:45:18.000000000 +0200 -@@ -91,6 +91,7 @@ - bitrow = pbm_allocrow(cols); + /* Compute padding to round cols up to the nearest multiple of 16. */ ++ overflow_add(cols, 16); + padright = ( ( cols + 15 ) / 16 ) * 16 - cols; - /* Round cols up to the nearest multiple of 8. */ -+ overflow_add(cols, 7); - rucols = ( cols + 7 ) / 8; - bytesperrow = rucols; /* GraphOn uses bytes */ - rucols = rucols * 8; ---- netpbm-10.34/converter/pbm/thinkjettopbm.l.security 2006-04-03 22:38:13.000000000 +0200 -+++ netpbm-10.34/converter/pbm/thinkjettopbm.l 2006-06-22 12:45:18.000000000 +0200 -@@ -106,7 +106,9 @@ + printf( "USHORT %s[] = {\n",name); +diff -up netpbm-10.35.46/converter/pbm/pktopbm.c.security netpbm-10.35.46/converter/pbm/pktopbm.c +--- netpbm-10.35.46/converter/pbm/pktopbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/pktopbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -277,6 +277,7 @@ main(int argc, char *argv[]) { + if (flagbyte == 7) { /* long form preamble */ + integer packetlength = get32() ; /* character packet length */ + car = get32() ; /* character number */ ++ overflow_add(packetlength, pktopbm_pkloc); + endofpacket = packetlength + pktopbm_pkloc; + /* calculate end of packet */ + if ((car >= MAXPKCHAR) || !filename[car]) { +diff -up netpbm-10.35.46/converter/pbm/thinkjettopbm.l.security netpbm-10.35.46/converter/pbm/thinkjettopbm.l +--- netpbm-10.35.46/converter/pbm/thinkjettopbm.l.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/thinkjettopbm.l 2008-06-24 09:04:21.000000000 +0200 +@@ -106,7 +106,9 @@ DIG [0-9] \033\*b{DIG}+W { int l; if (rowCount >= rowCapacity) { @@ -916,7 +625,7 @@ rows = realloc (rows, rowCapacity * sizeof *rows); if (rows == NULL) pm_error ("Out of memory."); -@@ -216,6 +218,8 @@ +@@ -216,6 +218,8 @@ yywrap (void) /* * Quite simple since ThinkJet bit arrangement matches PBM */ @@ -925,574 +634,742 @@ pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0); packed_bitrow = malloc(maxRowLength); ---- netpbm-10.34/converter/pbm/pbmtoxbm.c.security 2005-10-07 09:08:17.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtoxbm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -100,6 +100,7 @@ - bitrow = pbm_allocrow(cols); - - /* Compute padding to round cols up to the nearest multiple of 8. */ -+ overflow_add(cols, 8); - padright = ((cols + 7)/8) * 8 - cols; +diff -up netpbm-10.35.46/converter/pbm/ybmtopbm.c.security netpbm-10.35.46/converter/pbm/ybmtopbm.c +--- netpbm-10.35.46/converter/pbm/ybmtopbm.c.security 2008-06-24 08:59:23.000000000 +0200 ++++ netpbm-10.35.46/converter/pbm/ybmtopbm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -88,6 +88,7 @@ getinit( file, colsP, rowsP, depthP, pad + pm_error( "EOF / read error" ); - printf("#define %s_width %d\n", name, cols); ---- netpbm-10.34/converter/pbm/mdatopbm.c.security 2005-08-15 09:01:25.000000000 +0200 -+++ netpbm-10.34/converter/pbm/mdatopbm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -245,10 +245,13 @@ - pm_readlittleshort(infile, &yy); nInCols = yy; + *depthP = 1; ++ overflow_add(*colsP, 15); + *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP; + bitsperitem = 0; } - -+ overflow2(nOutCols, 8); - nOutCols = 8 * nInCols; - nOutRows = nInRows; -- if (bScale) -+ if (bScale) { -+ overflow2(nOutRows, 2); - nOutRows *= 2; -+ } +diff -up netpbm-10.35.46/converter/pgm/lispmtopgm.c.security netpbm-10.35.46/converter/pgm/lispmtopgm.c +--- netpbm-10.35.46/converter/pgm/lispmtopgm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/pgm/lispmtopgm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -58,6 +58,7 @@ main( argc, argv ) + pm_error( "depth (%d bits) is too large", depth); - data = pbm_allocarray(nOutCols, nOutRows); + pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 ); ++ overflow_add(cols, 7); + grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 ); + + for ( row = 0; row < rows; ++row ) +@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad ---- netpbm-10.34/converter/pbm/pbmtocmuwm.c.security 1993-10-04 10:10:46.000000000 +0100 -+++ netpbm-10.34/converter/pbm/pbmtocmuwm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -43,6 +43,7 @@ - bitrow = pbm_allocrow( cols ); + if ( *depthP == 0 ) + *depthP = 1; /* very old file */ +- ++ ++ overflow_add((int)colsP, 31); ++ + *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP; - /* Round cols up to the nearest multiple of 8. */ + if ( *colsP != (cols_32 - *padrightP) ) { +diff -up netpbm-10.35.46/converter/pgm/psidtopgm.c.security netpbm-10.35.46/converter/pgm/psidtopgm.c +--- netpbm-10.35.46/converter/pgm/psidtopgm.c.security 2008-06-24 08:59:13.000000000 +0200 ++++ netpbm-10.35.46/converter/pgm/psidtopgm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -78,6 +78,7 @@ main(int argc, + pm_error("bits/sample (%d) is too large.", bitspersample); + + pgm_writepgminit(stdout, cols, rows, maxval, 0); + overflow_add(cols, 7); - padright = ( ( cols + 7 ) / 8 ) * 8 - cols; + grayrow = pgm_allocrow((cols + 7) / 8 * 8); + for (row = 0; row < rows; ++row) { + unsigned int col; +diff -up netpbm-10.35.46/converter/ppm/ilbmtoppm.c.security netpbm-10.35.46/converter/ppm/ilbmtoppm.c +--- netpbm-10.35.46/converter/ppm/ilbmtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ilbmtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -595,6 +595,7 @@ decode_row(FILE * const ifP, + rawtype *chp; - putinit( rows, cols ); ---- netpbm-10.34/converter/pbm/pbmtomda.c.security 2005-08-15 09:01:50.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtomda.c 2006-06-22 12:45:18.000000000 +0200 -@@ -179,6 +179,7 @@ + cols = bmhdP->w; ++ overflow_add(cols, 15); + bytes = RowBytes(cols); + for( plane = 0; plane < nPlanes; plane++ ) { + int mask; +@@ -682,6 +683,23 @@ decode_mask(FILE * const ifP, + Multipalette handling + ****************************************************************************/ + ++static void * ++xmalloc2(x, y) ++ int x; ++ int y; ++{ ++ void *mem; ++ ++ overflow2(x,y); ++ if( x * y == 0 ) ++ return NULL; ++ ++ mem = malloc2(x,y); ++ if( mem == NULL ) ++ pm_error("out of memory allocating %d bytes", x * y); ++ return mem; ++} ++ + + static void + multi_adjust(cmap, row, palchange) +@@ -1294,6 +1312,9 @@ dcol_to_ppm(FILE * const ifP, + if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval ) + pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval)); - nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; ++ overflow_add(redmaxval, 1); ++ overflow_add(greenmaxval, 1); ++ overflow_add(bluemaxval, 1); + MALLOCARRAY_NOFAIL(redtable, redmaxval +1); + MALLOCARRAY_NOFAIL(greentable, greenmaxval +1); + MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1); +@@ -1725,7 +1746,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data + ChangeCount32 = *data++; + datasize -= 2; -+ overflow_add(nOutRowsUnrounded, 3); - nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; - /* MDA wants rows a multiple of 4 */ - nOutCols = nInCols / 8; ---- netpbm-10.34/converter/pbm/pbmtozinc.c.security 2005-10-07 09:08:07.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtozinc.c 2006-06-22 12:45:18.000000000 +0200 -@@ -65,6 +65,7 @@ - bitrow = pbm_allocrow( cols ); ++ overflow_add(ChangeCount16, ChangeCount32); + changes = ChangeCount16 + ChangeCount32; ++ overflow_add(changes, 1); + for( i = 0; i < changes; i++ ) { + if( totalchanges >= PCHG->TotalChanges ) goto fail; + if( datasize < 2 ) goto fail; +@@ -1852,6 +1875,7 @@ PCHG_ConvertBig(PCHG, cmap, mask, datasi + if( datasize < 2 ) goto fail; + changes = BIG_WORD(data); data += 2; datasize -= 2; - /* Compute padding to round cols up to the nearest multiple of 16. */ -+ overflow_add(cols, 16); - padright = ( ( cols + 15 ) / 16 ) * 16 - cols; ++ overflow_add(changes, 1); + MALLOCARRAY_NOFAIL(cmap->mp_change[row], changes + 1); + for( i = 0; i < changes; i++ ) { + if( totalchanges >= PCHG->TotalChanges ) goto fail; +@@ -1965,6 +1989,9 @@ read_pchg(FILE * const ifp, + cmap->mp_change[i] = NULL; + if( PCHG.StartLine < 0 ) { + int nch; ++ if(PCHG.MaxReg < PCHG.MinReg) ++ pm_error("assert: MinReg > MaxReg"); ++ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2); + nch = PCHG.MaxReg - PCHG.MinReg +1; + MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1); + for( i = 0; i < nch; i++ ) +@@ -2041,6 +2068,7 @@ process_body( FILE * const ifp, + if( typeid == ID_ILBM ) { + int isdeep; - printf( "USHORT %s[] = {\n",name); ---- netpbm-10.34/converter/pbm/pbmtoicon.c.security 2002-07-30 17:47:48.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtoicon.c 2006-06-22 12:45:18.000000000 +0200 -@@ -42,6 +42,7 @@ - bitrow = pbm_allocrow( cols ); - - /* Round cols up to the nearest multiple of 16. */ -+ overflow_add(cols, 15); - pad = ( ( cols + 15 ) / 16 ) * 16 - cols; - padleft = pad / 2; - padright = pad - padleft; ---- netpbm-10.34/converter/pbm/pbmtomacp.c.security 2002-09-06 18:04:22.000000000 +0200 -+++ netpbm-10.34/converter/pbm/pbmtomacp.c 2006-06-22 12:45:18.000000000 +0200 -@@ -104,6 +104,7 @@ - if( !lflg ) - left = 0; ++ overflow_add(bmhdP->w, 15); + MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w)); + *viewportmodesP |= fakeviewport; /* -isham/-isehb */ -+ overflow_add(left, MAX_COLS - 1); - if( rflg ) - { if( right - left >= MAX_COLS ) - right = left + MAX_COLS - 1; -@@ -114,6 +115,8 @@ - if( !tflg ) - top = 0; +diff -up netpbm-10.35.46/converter/ppm/imgtoppm.c.security netpbm-10.35.46/converter/ppm/imgtoppm.c +--- netpbm-10.35.46/converter/ppm/imgtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/imgtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -84,6 +84,7 @@ main(int argc, char ** argv) { + len = atoi((char*) buf ); + if ( fread( buf, len, 1, ifp ) != 1 ) + pm_error( "bad colormap buf" ); ++ overflow2(cmaplen, 3); + if ( cmaplen * 3 != len ) + { + pm_message( +@@ -105,6 +106,7 @@ main(int argc, char ** argv) { + pm_error( "bad pixel data header" ); + buf[8] = '\0'; + len = atoi((char*) buf ); ++ overflow2(cols, rows); + if ( len != cols * rows ) + pm_message( + "pixel data length (%d) does not match image size (%d)", +diff -up netpbm-10.35.46/converter/ppm/Makefile.security netpbm-10.35.46/converter/ppm/Makefile +--- netpbm-10.35.46/converter/ppm/Makefile.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/Makefile 2008-06-24 09:04:21.000000000 +0200 +@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg -+ overflow_add(top, MAX_LINES - 1); + PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ + leaftoppm mtvtoppm neotoppm \ +- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ ++ pcxtoppm pc1toppm pi1toppm pjtoppm \ + ppmtoacad ppmtoarbtxt \ + ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ + ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ +diff -up netpbm-10.35.46/converter/ppm/pcxtoppm.c.security netpbm-10.35.46/converter/ppm/pcxtoppm.c +--- netpbm-10.35.46/converter/ppm/pcxtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/pcxtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -408,6 +408,7 @@ pcx_planes_to_pixels(pixels, bitplanes, + /* + * clear the pixel buffer + */ ++ overflow2(bytesperline, 8); + npixels = (bytesperline * 8) / bitsperpixel; + p = pixels; + while (--npixels >= 0) +@@ -469,6 +470,7 @@ pcx_16col_to_ppm(FILE * const ifP, + } + + /* BytesPerLine should be >= BitsPerPixel * cols / 8 */ ++ overflow2(BytesPerLine, 8); + rawcols = BytesPerLine * 8 / BitsPerPixel; + if (headerCols > rawcols) { + pm_message("warning - BytesPerLine = %d, " +diff -up netpbm-10.35.46/converter/ppm/picttoppm.c.security netpbm-10.35.46/converter/ppm/picttoppm.c +--- netpbm-10.35.46/converter/ppm/picttoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/picttoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -1,3 +1,5 @@ ++#error "Unfixable. Don't ship me" + - if( bflg ) - { if( bottom - top >= MAX_LINES ) - bottom = top + MAX_LINES - 1; ---- netpbm-10.34/converter/pbm/pbmtomgr.c.security 1993-10-04 10:10:50.000000000 +0100 -+++ netpbm-10.34/converter/pbm/pbmtomgr.c 2006-06-22 12:45:18.000000000 +0200 -@@ -43,6 +43,7 @@ - bitrow = pbm_allocrow( cols ); - - /* Round cols up to the nearest multiple of 8. */ -+ overflow_add(cols, 7); - padright = ( ( cols + 7 ) / 8 ) * 8 - cols; + /* + * picttoppm.c -- convert a MacIntosh PICT file to PPM format. + * +diff -up netpbm-10.35.46/converter/ppm/pjtoppm.c.security netpbm-10.35.46/converter/ppm/pjtoppm.c +--- netpbm-10.35.46/converter/ppm/pjtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/pjtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -127,19 +127,21 @@ main(argc, argv) + case 'V': /* send plane */ + case 'W': /* send last plane */ + if (rows == -1 || r >= rows || image == NULL) { +- if (rows == -1 || r >= rows) ++ if (rows == -1 || r >= rows) { ++ overflow_add(rows, 100); + rows += 100; ++ } + if (image == NULL) { +- MALLOCARRAY(image, rows * planes); +- MALLOCARRAY(imlen, rows * planes); ++ image = (unsigned char **) ++ malloc3(rows , planes , sizeof(unsigned char *)); ++ imlen = (int *) malloc3(rows , planes, sizeof(int)); + } + else { ++ overflow2(rows,planes); + image = (unsigned char **) +- realloc(image, +- rows * planes * ++ realloc2(image, rows * planes, + sizeof(unsigned char *)); +- imlen = (int *) +- realloc(imlen, rows * planes * sizeof(int)); ++ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int)); + } + } + if (image == NULL || imlen == NULL) +@@ -212,8 +214,10 @@ main(argc, argv) + for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2) + for (cmd = image[p + r * planes][c], + val = image[p + r * planes][c+1]; +- cmd >= 0 && i < newcols; cmd--, i++) ++ cmd >= 0 && i < newcols; cmd--, i++) { + buf[i] = val; ++ overflow_add(i, 1); ++ } + cols = cols > i ? cols : i; + free(image[p + r * planes]); + /* +@@ -224,6 +228,7 @@ main(argc, argv) + image[p + r * planes] = (unsigned char *) realloc(buf, i); + } + } ++ overflow2(cols, 8); + cols *= 8; + } + +diff -up netpbm-10.35.46/converter/ppm/ppmtoeyuv.c.security netpbm-10.35.46/converter/ppm/ppmtoeyuv.c +--- netpbm-10.35.46/converter/ppm/ppmtoeyuv.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtoeyuv.c 2008-06-24 09:04:21.000000000 +0200 +@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva - putinit( rows, cols ); ---- netpbm-10.34/converter/pbm/pbmto10x.c.security 2004-03-20 05:23:36.000000000 +0100 -+++ netpbm-10.34/converter/pbm/pbmto10x.c 2006-06-22 12:45:18.000000000 +0200 -@@ -162,7 +162,7 @@ - res_60x72(); + int index; + ++ overflow_add(maxval, 1); + MALLOCARRAY_NOFAIL(mult299 , maxval+1); + MALLOCARRAY_NOFAIL(mult587 , maxval+1); + MALLOCARRAY_NOFAIL(mult114 , maxval+1); +diff -up netpbm-10.35.46/converter/ppm/ppmtoicr.c.security netpbm-10.35.46/converter/ppm/ppmtoicr.c +--- netpbm-10.35.46/converter/ppm/ppmtoicr.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtoicr.c 2008-06-24 09:04:21.000000000 +0200 +@@ -169,7 +169,7 @@ char* argv[]; + + if (rleflag) { + pm_message("sending run-length encoded picture data ..." ); +- testimage = (char*) malloc(rows*cols); ++ testimage = (char*) malloc2(rows, cols); + p = testimage; + for (i=0; i= MAXPKCHAR) || !filename[car]) { ---- netpbm-10.34/converter/other/pngtopnm.c.security 2005-10-29 19:40:03.000000000 +0200 -+++ netpbm-10.34/converter/other/pngtopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -985,19 +985,24 @@ - pm_error ("couldn't allocate space for image"); ++ overflow_add(oldmaxval, 1); + MALLOCARRAY_NOFAIL(table, oldmaxval + 1); + for(i = 0; i <= oldmaxval; i++ ) + table[i] = (i * newmaxval + oldmaxval/2) / oldmaxval; +@@ -2325,8 +2328,11 @@ main(int argc, char ** argv) { + MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols)); + for (i = 0; i < RowBytes(cols); ++i) + coded_rowbuf[i] = 0; +- if (DO_COMPRESS) ++ if (DO_COMPRESS) { ++ overflow2(cols,2); ++ overflow_add(cols*2,2); + MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols))); ++ } } + + switch (mode) { +diff -up netpbm-10.35.46/converter/ppm/ppmtolj.c.security netpbm-10.35.46/converter/ppm/ppmtolj.c +--- netpbm-10.35.46/converter/ppm/ppmtolj.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtolj.c 2008-06-24 09:04:21.000000000 +0200 +@@ -181,7 +181,8 @@ int main(int argc, char *argv[]) { -- if (info_ptr->bit_depth == 16) -+ if (info_ptr->bit_depth == 16) { -+ overflow2(2, info_ptr->width); - linesize = 2 * info_ptr->width; -- else -+ } else - linesize = info_ptr->width; - -- if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) -+ if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { -+ overflow2(2, linesize); - linesize *= 2; -- else -- if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) -+ } else -+ if (info_ptr->color_type == PNG_COLOR_TYPE_RGB) { -+ overflow2(3, linesize); - linesize *= 3; -- else -- if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) -+ } else -+ if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) { -+ overflow2(4, linesize); - linesize *= 4; -+ } + ppm_readppminit( ifp, &cols, &rows, &maxval, &format ); + pixelrow = ppm_allocrow( cols ); +- ++ ++ overflow2(cols, 6); + obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char)); + cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char)); + if (mode == C_TRANS_MODE_DELTA) +diff -up netpbm-10.35.46/converter/ppm/ppmtomitsu.c.security netpbm-10.35.46/converter/ppm/ppmtomitsu.c +--- netpbm-10.35.46/converter/ppm/ppmtomitsu.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtomitsu.c 2008-06-24 09:04:21.000000000 +0200 +@@ -166,6 +166,8 @@ int main( argc, argv ) + medias = MSize_User; - for (y = 0 ; y < info_ptr->height ; y++) { - png_image[y] = malloc (linesize); ---- netpbm-10.34/converter/other/tifftopnm.c.security 2006-01-05 18:05:31.000000000 +0100 -+++ netpbm-10.34/converter/other/tifftopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -748,7 +748,8 @@ - if (scanbuf == NULL) - pm_error("can't allocate memory for scanline buffer"); + if (dpi300) { ++ overflow2(medias.maxcols, 2); ++ overflow2(medias.maxrows, 2); + medias.maxcols *= 2; + medias.maxrows *= 2; + } +diff -up netpbm-10.35.46/converter/ppm/ppmtompeg/iframe.c.security netpbm-10.35.46/converter/ppm/ppmtompeg/iframe.c +--- netpbm-10.35.46/converter/ppm/ppmtompeg/iframe.c.security 2008-06-24 08:59:19.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtompeg/iframe.c 2008-06-24 09:04:21.000000000 +0200 +@@ -768,7 +768,8 @@ BlockComputeSNR(MpegFrame * const curren + if (needs_init) { + int ysz = (Fsize_y>>3) * sizeof(int32 *); + int xsz = (Fsize_x>>3); +- ++ ++ overflow2((Fsize_y>>3), sizeof(int32 *)); + needs_init = FALSE; + for (y=0; y<3; y++) { + varDiff[y] = ratio[y] = total[y] = 0.0; +@@ -787,6 +788,7 @@ BlockComputeSNR(MpegFrame * const curren + fprintf(stderr, "Out of memory in BlockComputeSNR\n"); + exit(-1); + } ++ overflow2(xsz,4); + for (y = 0; y < ySize[0]>>3; y++) { + SignalY[y] = (int32 *) calloc(xsz,4); + SignalCr[y] = (int32 *) calloc(xsz,4); +@@ -945,27 +947,27 @@ AllocDctBlocks(void) { + dctx = Fsize_x / DCTSIZE; + dcty = Fsize_y / DCTSIZE; -- MALLOCARRAY(samplebuf, cols * spp); -+ /* samplebuf is unsigned int * !!! */ -+ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp); - if (samplebuf == NULL) - pm_error ("can't allocate memory for row buffer"); +- dct = (Block **) malloc(sizeof(Block *) * dcty); ++ dct = (Block **) malloc2(sizeof(Block *), dcty); + ERRCHK(dct, "malloc"); + for (i = 0; i < dcty; i++) { +- dct[i] = (Block *) malloc(sizeof(Block) * dctx); ++ dct[i] = (Block *) malloc2(sizeof(Block), dctx); + ERRCHK(dct[i], "malloc"); + } ---- netpbm-10.34/converter/other/pnmtoddif.c.security 2002-07-30 19:09:13.000000000 +0200 -+++ netpbm-10.34/converter/other/pnmtoddif.c 2006-06-22 12:45:18.000000000 +0200 -@@ -484,6 +484,7 @@ - switch (PNM_FORMAT_TYPE(format)) { - case PBM_TYPE: - ip.bits_per_pixel = 1; -+ overflow_add(cols, 7); - ip.bytes_per_line = (cols + 7) / 8; - ip.spectral = 2; - ip.components = 1; -@@ -499,6 +500,7 @@ - ip.polarity = 2; - break; - case PPM_TYPE: -+ overflow2(cols, 3); - ip.bytes_per_line = 3 * cols; - ip.bits_per_pixel = 24; - ip.spectral = 5; ---- netpbm-10.34/converter/other/xwdtopnm.c.security 2006-02-22 01:28:19.000000000 +0100 -+++ netpbm-10.34/converter/other/xwdtopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -214,6 +214,9 @@ - *colorsP = pnm_allocrow( 2 ); - PNM_ASSIGN1( (*colorsP)[0], 0 ); - PNM_ASSIGN1( (*colorsP)[1], *maxvalP ); -+ overflow_add(h10P->pixmap_width, 15); -+ if(h10P->pixmap_width < 0) -+ pm_error("assert: negative width"); - *padrightP = - ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width; - *bits_per_itemP = 16; -@@ -544,6 +551,7 @@ +- dct_data = (dct_data_type **) malloc(sizeof(dct_data_type *) * dcty); ++ dct_data = (dct_data_type **) malloc2(sizeof(dct_data_type *), dcty); + ERRCHK(dct_data, "malloc"); + for (i = 0; i < dcty; i++) { +- dct_data[i] = (dct_data_type *) malloc(sizeof(dct_data_type) * dctx); ++ dct_data[i] = (dct_data_type *) malloc2(sizeof(dct_data_type), dctx); + ERRCHK(dct[i], "malloc"); + } - *colsP = h11FixedP->pixmap_width; - *rowsP = h11FixedP->pixmap_height; -+ overflow2(h11FixedP->bytes_per_line, 8); - *padrightP = - h11FixedP->bytes_per_line * 8 / h11FixedP->bits_per_pixel - - h11FixedP->pixmap_width; ---- netpbm-10.34/converter/other/pnmtorle.c.security 2005-05-22 19:01:43.000000000 +0200 -+++ netpbm-10.34/converter/other/pnmtorle.c 2006-06-22 12:45:18.000000000 +0200 -@@ -19,6 +19,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * pnmtorle - A program which will convert pbmplus (ppm or pgm) images ---- netpbm-10.34/converter/other/pnmtops.c.security 2006-02-25 18:37:25.000000000 +0100 -+++ netpbm-10.34/converter/other/pnmtops.c 2006-06-22 12:45:18.000000000 +0200 -@@ -184,16 +184,20 @@ - cmdlineP->canturn = !noturn; - cmdlineP->showpage = !noshowpage; - -+ overflow2(width, 72); - cmdlineP->width = width * 72; -+ overflow2(height, 72); - cmdlineP->height = height * 72; +- dctr = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); +- dctb = (Block **) malloc(sizeof(Block *) * (dcty >> 1)); ++ dctr = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); ++ dctb = (Block **) malloc2(sizeof(Block *), (dcty >> 1)); + ERRCHK(dctr, "malloc"); + ERRCHK(dctb, "malloc"); + for (i = 0; i < (dcty >> 1); i++) { +- dctr[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); +- dctb[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1)); ++ dctr[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); ++ dctb[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1)); + ERRCHK(dctr[i], "malloc"); + ERRCHK(dctb[i], "malloc"); + } +diff -up netpbm-10.35.46/converter/ppm/ppmtompeg/parallel.c.security netpbm-10.35.46/converter/ppm/ppmtompeg/parallel.c +--- netpbm-10.35.46/converter/ppm/ppmtompeg/parallel.c.security 2008-06-24 08:59:19.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtompeg/parallel.c 2008-06-24 09:04:21.000000000 +0200 +@@ -2161,7 +2161,9 @@ DecodeServer(int const numInput + const char * error; -- if (imagewidthSpec) -+ if (imagewidthSpec) { -+ overflow2(imagewidth, 72); - cmdlineP->imagewidth = imagewidth * 72; -- else -+ } else - cmdlineP->imagewidth = 0; -- if (imageheightSpec) -+ if (imageheightSpec) { -+ overflow2(imageheight, 72); - cmdlineP->imageheight = imageheight * 72; -- else -+ } else - cmdlineP->imageheight = 0; + /* should keep list of port numbers to notify when frames become ready */ +- ++ ++ overflow2(numInputFiles, sizeof(int)); ++ overflow2(numInputFiles, sizeof(boolean)); + ready = (boolean *) calloc(numInputFiles, sizeof(boolean)); + waitMachine = (int *) calloc(numInputFiles, sizeof(int)); + waitPort = (int *) malloc(numMachines*sizeof(int)); +diff -up netpbm-10.35.46/converter/ppm/ppmtompeg/psearch.c.security netpbm-10.35.46/converter/ppm/ppmtompeg/psearch.c +--- netpbm-10.35.46/converter/ppm/ppmtompeg/psearch.c.security 2008-06-24 08:59:19.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtompeg/psearch.c 2008-06-24 09:04:21.000000000 +0200 +@@ -214,7 +214,14 @@ SetSearchRange(int const pixelsP, int co + int const max_search = max(searchRangeP, searchRangeB); - if (!cmdlineP->psfilter && ---- netpbm-10.34/converter/other/pnmtojpeg.c.security 2006-06-18 20:35:52.000000000 +0200 -+++ netpbm-10.34/converter/other/pnmtojpeg.c 2006-06-22 12:45:18.000000000 +0200 -@@ -587,6 +587,8 @@ - const long half_maxval = maxval / 2; - long val; + int index; +- ++ ++ overflow2(searchRangeP, 2); ++ overflow2(searchRangeB, 2); ++ overflow_add(searchRangeP*2, 3); ++ overflow_add(searchRangeB*2, 3); ++ overflow2(2*searchRangeB+3, sizeof(int)); ++ overflow2(2*searchRangeP+3, sizeof(int)); ++ + pmvHistogram = (int **) malloc((2*searchRangeP+3)*sizeof(int *)); + bbmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *)); + bfmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *)); +@@ -798,6 +805,9 @@ ShowPMVHistogram(fpointer) + int *columnTotals; + int rowTotal; -+ overflow_add(maxval, 1); -+ overflow2(maxval+1, sizeof(JSAMPLE)); - *rescale_p = (JSAMPLE *) - (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE, - (size_t) (((long) maxval + 1L) * -@@ -665,6 +667,7 @@ - */ ++ overflow2(searchRangeP, 2); ++ overflow_add(searchRangeP*2, 3); ++ overflow2(searchRangeP*2+3, sizeof(int)); + columnTotals = (int *) calloc(2*searchRangeP+3, sizeof(int)); - /* Allocate the libpnm output and compressor input buffers */ -+ overflow2(cinfo_p->image_width, cinfo_p->input_components); - buffer = (*cinfo_p->mem->alloc_sarray) - ((j_common_ptr) cinfo_p, JPOOL_IMAGE, - (unsigned int) cinfo_p->image_width * cinfo_p->input_components, -@@ -932,7 +935,11 @@ - * want JPOOL_PERMANENT. - */ - const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info); -- jpeg_scan_info * const scan_info = -+ const jpeg_scan_info * scan_info; -+ -+ overflow2(nscans, sizeof(jpeg_scan_info)); -+ -+ scan_info = - (jpeg_scan_info *) - (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE, - scan_info_size); ---- netpbm-10.34/converter/other/jpegtopnm.c.security 2005-10-07 08:57:11.000000000 +0200 -+++ netpbm-10.34/converter/other/jpegtopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -828,6 +828,7 @@ - /* Calculate output image dimensions so we can allocate space */ - jpeg_calc_output_dimensions(cinfoP); + #ifdef COMPLETE_DISPLAY +@@ -845,6 +855,9 @@ ShowBBMVHistogram(fpointer) -+ overflow2(cinfoP->output_width, cinfoP->output_components); - jpegbuffer = ((*cinfoP->mem->alloc_sarray) - ((j_common_ptr) cinfoP, JPOOL_IMAGE, - cinfoP->output_width * cinfoP->output_components, ---- netpbm-10.34/converter/other/pbmtopgm.c.security 2005-12-03 18:42:41.000000000 +0100 -+++ netpbm-10.34/converter/other/pbmtopgm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -47,6 +47,7 @@ - "than the image height (%u rows)", height, rows); + fprintf(fpointer, "B-frame Backwards:\n"); - outrow = pgm_allocrow(cols) ; -+ overflow2(width, height); - maxval = MIN(PGM_OVERALLMAXVAL, width*height); - pgm_writepgminit(stdout, cols, rows, maxval, 0) ; ++ overflow2(searchRangeB, 2); ++ overflow_add(searchRangeB*2, 3); ++ overflow2(searchRangeB*2+3, sizeof(int)); + columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int)); ---- netpbm-10.34/converter/other/pnmtosgi.c.security 2003-07-10 06:04:07.000000000 +0200 -+++ netpbm-10.34/converter/other/pnmtosgi.c 2006-06-22 12:45:18.000000000 +0200 -@@ -213,6 +213,22 @@ - } - } + #ifdef COMPLETE_DISPLAY +@@ -892,6 +905,9 @@ ShowBFMVHistogram(fpointer) -+static void * -+xmalloc2(int x, int y) -+{ -+ void *mem; -+ -+ overflow2(x,y); -+ if( x * y == 0 ) -+ return NULL; -+ -+ mem = malloc2(x, y); -+ if( mem == NULL ) -+ pm_error("out of memory allocating %d bytes", x * y); -+ return mem; -+} -+ -+ - static void - put_big_short(short s) - { -@@ -250,6 +266,7 @@ - #endif + fprintf(fpointer, "B-frame Forwards:\n"); - if( storage != STORAGE_VERBATIM ) { -+ overflow2(channels, rows); - MALLOCARRAY_NOFAIL(table, channels * rows); - MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols)); ++ overflow2(searchRangeB, 2); ++ overflow_add(searchRangeB*2, 3); ++ overflow2(searchRangeB*2+3, sizeof(int)); + columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int)); + + #ifdef COMPLETE_DISPLAY +diff -up netpbm-10.35.46/converter/ppm/ppmtompeg/rgbtoycc.c.security netpbm-10.35.46/converter/ppm/ppmtompeg/rgbtoycc.c +--- netpbm-10.35.46/converter/ppm/ppmtompeg/rgbtoycc.c.security 2008-06-24 08:59:19.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtompeg/rgbtoycc.c 2008-06-24 09:04:21.000000000 +0200 +@@ -72,6 +72,8 @@ compute_mult_tables(const pixval maxval) + } + table_maxval = maxval; + ++ overflow_add(table_maxval, 1); ++ overflow2(table_maxval+1, sizeof(float)); + mult299 = malloc((table_maxval+1)*sizeof(float)); + mult587 = malloc((table_maxval+1)*sizeof(float)); + mult114 = malloc((table_maxval+1)*sizeof(float)); +diff -up netpbm-10.35.46/converter/ppm/ppmtopcx.c.security netpbm-10.35.46/converter/ppm/ppmtopcx.c +--- netpbm-10.35.46/converter/ppm/ppmtopcx.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtopcx.c 2008-06-24 09:04:21.000000000 +0200 +@@ -418,6 +418,8 @@ ppmTo16ColorPcx(pixel ** cons + else Planes = 1; + } } -@@ -303,6 +320,8 @@ - break; - case STORAGE_RLE: - tabrow = chan_no * rows + row; -+ overflow2(chan_no, rows); -+ overflow_add(chan_no* rows, row); - len = rle_compress(temp, cols); /* writes result into rletemp */ - channel[chan_no][row].length = len; - MALLOCARRAY(p, len); ---- netpbm-10.34/converter/other/rletopnm.c.security 2005-11-13 22:40:02.000000000 +0100 -+++ netpbm-10.34/converter/other/rletopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -19,6 +19,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ - /* - * rletopnm - A conversion program to convert from Utah's "rle" image format ---- netpbm-10.34/converter/other/sirtopnm.c.security 2002-01-04 18:22:45.000000000 +0100 -+++ netpbm-10.34/converter/other/sirtopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -69,6 +69,7 @@ - } - break; - case PPM_TYPE: -+ overflow3(cols, rows, 3); - picsize = cols * rows * 3; - planesize = cols * rows; - if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) ---- netpbm-10.34/converter/other/gemtopnm.c.security 2005-08-27 19:30:45.000000000 +0200 -+++ netpbm-10.34/converter/other/gemtopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -106,6 +106,7 @@ ++ overflow2(BitsPerPixel, cols); ++ overflow_add(BitsPerPixel * cols, 7); + BytesPerLine = ((cols * BitsPerPixel) + 7) / 8; + MALLOCARRAY_NOFAIL(indexRow, cols); + MALLOCARRAY_NOFAIL(planesrow, BytesPerLine); +diff -up netpbm-10.35.46/converter/ppm/ppmtopict.c.security netpbm-10.35.46/converter/ppm/ppmtopict.c +--- netpbm-10.35.46/converter/ppm/ppmtopict.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtopict.c 2008-06-24 09:04:21.000000000 +0200 +@@ -245,6 +245,8 @@ char *argv[]; + putShort(stdout, 0); /* mode */ - pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 ); + /* Finally, write out the data. */ ++ overflow_add(cols/MAX_COUNT, 1); ++ overflow_add(cols, cols/MAX_COUNT+1); + packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1)); + oc = 0; + for (row = 0; row < rows; row++) +diff -up netpbm-10.35.46/converter/ppm/ppmtopj.c.security netpbm-10.35.46/converter/ppm/ppmtopj.c +--- netpbm-10.35.46/converter/ppm/ppmtopj.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtopj.c 2008-06-24 09:04:21.000000000 +0200 +@@ -179,6 +179,7 @@ char *argv[]; + pixels = ppm_readppm( ifp, &cols, &rows, &maxval ); -+ overflow_add(cols, padright); - { - /* allocate input row data structure */ - int plane; ---- netpbm-10.34/converter/other/sgitopnm.c.security 2005-08-27 19:33:09.000000000 +0200 -+++ netpbm-10.34/converter/other/sgitopnm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -252,13 +252,17 @@ + pm_close( ifp ); ++ overflow2(cols,2); + obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char)); + cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char)); - if (ochan < 0) { - maxchannel = (head->zsize < 3) ? head->zsize : 3; -+ overflow2(head->ysize, maxchannel); - MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); - } else { - maxchannel = ochan + 1; - MALLOCARRAY_NOFAIL(image, head->ysize); - } -- if ( table ) -+ if ( table ) { -+ overflow2(head->xsize, 2); -+ overflow_add(head->xsize*2, 2); - MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); -+ } +diff -up netpbm-10.35.46/converter/ppm/ppmtopjxl.c.security netpbm-10.35.46/converter/ppm/ppmtopjxl.c +--- netpbm-10.35.46/converter/ppm/ppmtopjxl.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtopjxl.c 2008-06-24 09:04:21.000000000 +0200 +@@ -274,6 +274,8 @@ main(argc, argv) + pm_error("image too large; reduce with ppmscale"); + if (maxval > PCL_MAXVAL) + pm_error("color range too large; reduce with ppmcscale"); ++ if (cols < 0 || rows < 0) ++ pm_error("negative size is not possible"); - for( channel = 0; channel < maxchannel; channel++ ) { - #ifdef DEBUG ---- netpbm-10.34/analyzer/pgmhist.c.security 2003-07-06 21:23:19.000000000 +0200 -+++ netpbm-10.34/analyzer/pgmhist.c 2006-06-22 12:45:18.000000000 +0200 -@@ -45,6 +45,7 @@ - grayrow = pgm_allocrow( cols ); + /* Figure out the colormap. */ + fprintf( stderr, "(Computing colormap..." ); fflush( stderr ); +@@ -294,6 +296,8 @@ main(argc, argv) + case 0: /* direct mode (no palette) */ + bpp = bitsperpixel(maxval); /* bits per pixel */ + bpg = bpp; bpb = bpp; ++ overflow2(bpp, 3); ++ overflow_add(bpp*3, 7); + bpp = (bpp*3+7)>>3; /* bytes per pixel now */ + bpr = (bpp<<3)-bpg-bpb; + bpp *= cols; /* bytes per row now */ +@@ -303,9 +307,13 @@ main(argc, argv) + case 3: case 7: pclindex++; + default: + bpp = 8/pclindex; ++ overflow_add(cols, bpp); ++ if(bpp == 0) ++ pm_error("assert: no bpp"); + bpp = (cols+bpp-1)/bpp; /* bytes per row */ + } - /* Build histogram. */ -+ overflow_add(maxval, 1); - MALLOCARRAY(hist, maxval + 1); - MALLOCARRAY(rcount, maxval + 1); - if ( hist == NULL || rcount == NULL ) ---- netpbm-10.34/analyzer/pgmtexture.c.security 2005-12-22 10:17:08.000000000 +0100 -+++ netpbm-10.34/analyzer/pgmtexture.c 2006-06-22 12:45:18.000000000 +0200 -@@ -79,6 +79,9 @@ - { - float *v; ++ overflow2(bpp,2); + if ((inrow = (char *)malloc((unsigned)bpp)) == NULL || + (outrow = (char *)malloc((unsigned)bpp*2)) == NULL || + (runcnt = (signed char *)malloc((unsigned)bpp)) == NULL) +diff -up netpbm-10.35.46/converter/ppm/ppmtowinicon.c.security netpbm-10.35.46/converter/ppm/ppmtowinicon.c +--- netpbm-10.35.46/converter/ppm/ppmtowinicon.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtowinicon.c 2008-06-24 09:04:21.000000000 +0200 +@@ -12,6 +12,7 @@ -+ if(nh < nl) -+ pm_error("assert: h < l"); -+ overflow_add(nh - nl, 1); - MALLOCARRAY(v, (unsigned) (nh - nl + 1)); - if (v == NULL) - pm_error("Unable to allocate memory for a vector."); -@@ -95,6 +98,9 @@ - float **m; + #include + #include ++#include - /* allocate pointers to rows */ -+ if(nrh < nrl) -+ pm_error("assert: h < l"); -+ overflow_add(nrh - nrl, 1); - MALLOCARRAY(m, (unsigned) (nrh - nrl + 1)); - if (m == NULL) - pm_error("Unable to allocate memory for a matrix."); -@@ -102,6 +108,9 @@ - m -= ncl; + #include "winico.h" + #include "ppm.h" +@@ -218,6 +219,7 @@ createAndBitmap (gray ** const ba, int c + MALLOCARRAY_NOFAIL(rowData, rows); + icBitmap->xBytes = xBytes; + icBitmap->data = rowData; ++ overflow2(xBytes, rows); + icBitmap->size = xBytes * rows; + for (y=0;yxBytes = xBytes; + icBitmap->data = rowData; ++ overflow2(xBytes, rows); + icBitmap->size = xBytes * rows; - /* allocate rows and set pointers to them */ -+ if(nch < ncl) -+ pm_error("assert: h < l"); -+ overflow_add(nch - ncl, 1); - for (i = nrl; i <= nrh; i++) - { - MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1)); ---- netpbm-10.34/lib/libpbm1.c.security 2005-02-05 19:41:54.000000000 +0100 -+++ netpbm-10.34/lib/libpbm1.c 2006-06-22 12:45:18.000000000 +0200 -@@ -56,6 +56,7 @@ - pm_message("pm_filepos passed to pm_check() is %u bytes", - sizeof(pm_filepos)); - #endif -+ overflow2(bytes_per_row, rows); - pm_check(file, check_type, need_raster_size, retval_p); + for (y=0;yxBytes = xBytes; + icBitmap->data = rowData; ++ overflow2(xBytes, rows); + icBitmap->size = xBytes * rows; + + for (y=0;ybitcount = bpp; + entry->ih = createInfoHeader(entry, xorBitmap, andBitmap); + entry->colors = palette->colors; ++ overflow2(4, entry->color_count); ++ overflow_add(xorBitmap->size, andBitmap->size); ++ overflow_add(xorBitmap->size + andBitmap->size, 40); ++ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count); + entry->size_in_bytes = + xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count); + if (verbose) +diff -up netpbm-10.35.46/converter/ppm/ppmtoxpm.c.security netpbm-10.35.46/converter/ppm/ppmtoxpm.c +--- netpbm-10.35.46/converter/ppm/ppmtoxpm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ppmtoxpm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -195,6 +195,7 @@ genNumstr(unsigned int const input, int + unsigned int i; + + /* Allocate memory for printed number. Abort if error. */ ++ overflow_add(digits, 1); + if (!(str = (char *) malloc(digits + 1))) + pm_error("out of memory"); + +@@ -312,6 +313,7 @@ genCmap(colorhist_vector const chv, + unsigned int charsPerPixel; + unsigned int xpmMaxval; + ++ if (includeTransparent) overflow_add(ncolors, 1); + MALLOCARRAY(cmap, cmapSize); + if (cmapP == NULL) + pm_error("Out of memory allocating %u bytes for a color map.", +diff -up netpbm-10.35.46/converter/ppm/qrttoppm.c.security netpbm-10.35.46/converter/ppm/qrttoppm.c +--- netpbm-10.35.46/converter/ppm/qrttoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/qrttoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -46,7 +46,7 @@ main( argc, argv ) + + ppm_writeppminit( stdout, cols, rows, maxval, 0 ); + pixelrow = ppm_allocrow( cols ); +- buf = (unsigned char *) malloc( 3 * cols ); ++ buf = (unsigned char *) malloc2( 3 , cols ); + if ( buf == (unsigned char *) 0 ) + pm_error( "out of memory" ); + +diff -up netpbm-10.35.46/converter/ppm/sldtoppm.c.security netpbm-10.35.46/converter/ppm/sldtoppm.c +--- netpbm-10.35.46/converter/ppm/sldtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/sldtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -306,7 +306,9 @@ static void slider(slvec, slflood) + } + + /* Allocate image buffer and clear it to black. */ +- ++ ++ overflow_add(ixdots,1); ++ overflow_add(iydots,1); + pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1); + PPM_ASSIGN(rgbcolor, 0, 0, 0); + ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0, +diff -up netpbm-10.35.46/converter/ppm/ximtoppm.c.security netpbm-10.35.46/converter/ppm/ximtoppm.c +--- netpbm-10.35.46/converter/ppm/ximtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/ximtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -111,6 +111,7 @@ ReadXimHeader(FILE * const in_fp, + header->bits_channel = atoi(a_head.bits_per_channel); + header->alpha_flag = atoi(a_head.alpha_channel); + if (strlen(a_head.author)) { ++ overflow_add(strlen(a_head.author),1); + if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1, + 1))) { + pm_message("ReadXimHeader: can't calloc author string" ); +@@ -120,6 +121,7 @@ ReadXimHeader(FILE * const in_fp, + strncpy(header->author, a_head.author, strlen(a_head.author)); } - } ---- netpbm-10.34/lib/pm.h.security 2006-05-19 22:39:07.000000000 +0200 -+++ netpbm-10.34/lib/pm.h 2006-06-22 12:45:18.000000000 +0200 -@@ -340,4 +340,11 @@ - #endif - - -+void *malloc2(int, int); -+void *malloc3(int, int, int); -+#define overflow2(a,b) __overflow2(a,b) -+void __overflow2(int, int); -+void overflow3(int, int, int); -+void overflow_add(int, int); -+ - #endif ---- netpbm-10.34/lib/libpammap.c.security 2005-12-03 18:01:03.000000000 +0100 -+++ netpbm-10.34/lib/libpammap.c 2006-06-22 12:45:18.000000000 +0200 -@@ -102,6 +102,8 @@ - */ - struct tupleint_list_item * retval; + if (strlen(a_head.date)) { ++ overflow_add(strlen(a_head.date),1); + if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){ + pm_message("ReadXimHeader: can't calloc date string" ); + return(0); +@@ -128,6 +130,7 @@ ReadXimHeader(FILE * const in_fp, + strncpy(header->date, a_head.date, strlen(a_head.date)); + } + if (strlen(a_head.program)) { ++ overflow_add(strlen(a_head.program),1); + if (!(header->program = calloc( + (unsigned int)strlen(a_head.program) + 1, 1))) { + pm_message("ReadXimHeader: can't calloc program string" ); +@@ -154,6 +157,7 @@ ReadXimHeader(FILE * const in_fp, + if (header->nchannels == 3 && header->bits_channel == 8) + header->ncolors = 0; + else if (header->nchannels == 1 && header->bits_channel == 8) { ++ overflow2(header->ncolors, sizeof(Color)); + header->colors = (Color *)calloc((unsigned int)header->ncolors, + sizeof(Color)); + if (header->colors == NULL) { +diff -up netpbm-10.35.46/converter/ppm/xpmtoppm.c.security netpbm-10.35.46/converter/ppm/xpmtoppm.c +--- netpbm-10.35.46/converter/ppm/xpmtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/xpmtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -700,6 +700,7 @@ ReadXPMFile(FILE * const stream, int * c + &ncolors, colorsP, &ptab); + *transparentP = -1; /* No transparency in version 1 */ + } ++ overflow2(*widthP, *heightP); + totalpixels = *widthP * *heightP; + MALLOCARRAY(*dataP, totalpixels); + if (*dataP == NULL) +diff -up netpbm-10.35.46/converter/ppm/yuvtoppm.c.security netpbm-10.35.46/converter/ppm/yuvtoppm.c +--- netpbm-10.35.46/converter/ppm/yuvtoppm.c.security 2008-06-24 08:59:20.000000000 +0200 ++++ netpbm-10.35.46/converter/ppm/yuvtoppm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -72,6 +72,7 @@ main(argc, argv) -+ overflow2(pamP->depth, sizeof(sample)); -+ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); - unsigned int const size = - sizeof(*retval) - sizeof(retval->tupleint.tuple) - + pamP->depth * sizeof(sample); ---- netpbm-10.34/lib/libpam.c.security 2006-04-23 03:50:53.000000000 +0200 -+++ netpbm-10.34/lib/libpam.c 2006-06-22 12:45:18.000000000 +0200 -@@ -221,7 +221,8 @@ - int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample); - tuple * tuplerow; + ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0); + pixrow = ppm_allocrow(cols); ++ overflow_add(cols, 1); + MALLOCARRAY(yuvbuf, (cols+1)/2); + if (yuvbuf == NULL) + pm_error("Unable to allocate YUV buffer for %d columns.", cols); +diff -up netpbm-10.35.46/editor/pamcut.c.security netpbm-10.35.46/editor/pamcut.c +--- netpbm-10.35.46/editor/pamcut.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pamcut.c 2008-06-24 09:04:21.000000000 +0200 +@@ -514,6 +514,8 @@ cutOneImage(FILE * const ifP + outpam.width = rightcol-leftcol+1; + outpam.height = bottomrow-toprow+1; -- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple)); -+ overflow_add(sizeof(tuple *), bytesPerTuple); -+ tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytesPerTuple); - - if (tuplerow != NULL) { - /* Now we initialize the pointers to the individual tuples ---- netpbm-10.34/lib/libpm.c.security 2006-06-18 19:46:31.000000000 +0200 -+++ netpbm-10.34/lib/libpm.c 2006-06-22 12:45:18.000000000 +0200 -@@ -36,6 +36,7 @@ - /* This makes the the x64() functions available on AIX */ ++ overflow_add(rightcol, 1); ++ overflow_add(toprow, 1); + pnm_writepaminit(&outpam); - #include -+#include - #include - #include - #include -@@ -205,7 +206,7 @@ - if (rowIndex == NULL) - pm_error("out of memory allocating row index (%u rows) for an array", - rows); -- rowheap = malloc(rows * cols * size); -+ rowheap = malloc3(rows, cols, size); - if (rowheap == NULL) { - /* We couldn't get the whole heap in one block, so try fragmented - format. -@@ -1483,4 +1484,53 @@ - } + /* Write out top padding */ +diff -up netpbm-10.35.46/editor/pamoil.c.security netpbm-10.35.46/editor/pamoil.c +--- netpbm-10.35.46/editor/pamoil.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pamoil.c 2008-06-24 09:04:21.000000000 +0200 +@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) { + tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); + pm_close(ifp); ++ overflow_add(inpam.maxval, 1); + MALLOCARRAY(hist, inpam.maxval + 1); + if (hist == NULL) + pm_error("Unable to allocate memory for histogram."); +diff -up netpbm-10.35.46/editor/pbmclean.c.security netpbm-10.35.46/editor/pbmclean.c +--- netpbm-10.35.46/editor/pbmclean.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pbmclean.c 2008-06-24 09:04:21.000000000 +0200 +@@ -150,7 +150,7 @@ nextrow(FILE * const ifd, + inrow[0] = inrow[1]; + inrow[1] = inrow[2]; + inrow[2] = shuffle ; +- if (row+1 < rows) { ++ if (row <= rows) { + /* Read the "next" row in from the file. Allocate buffer if needed */ + if (inrow[2] == NULL) + inrow[2] = pbm_allocrow(cols); +diff -up netpbm-10.35.46/editor/pbmlife.c.security netpbm-10.35.46/editor/pbmlife.c +--- netpbm-10.35.46/editor/pbmlife.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pbmlife.c 2008-06-24 09:04:21.000000000 +0200 +@@ -54,7 +54,7 @@ char* argv[]; + prevrow = thisrow; + thisrow = nextrow; + nextrow = temprow; +- if ( row < rows - 1 ) ++ if ( row <= rows ) + pbm_readpbmrow( ifp, nextrow, cols, format ); -+/* -+ * Maths wrapping -+ */ -+ -+void __overflow2(int a, int b) -+{ -+ if(a < 0 || b < 0) -+ pm_error("object too large"); -+ if(b == 0) -+ return; -+ if(a > INT_MAX / b) -+ pm_error("object too large"); -+} -+ -+void overflow3(int a, int b, int c) -+{ -+ overflow2(a,b); -+ overflow2(a*b, c); -+} -+ -+void overflow_add(int a, int b) -+{ -+ if( a > INT_MAX - b) -+ pm_error("object too large"); -+} -+ -+void *malloc2(int a, int b) -+{ -+ overflow2(a, b); -+ if(a*b == 0) -+ pm_error("Zero byte allocation"); -+ return malloc(a*b); -+} -+ -+void *malloc3(int a, int b, int c) -+{ -+ overflow3(a, b, c); -+ if(a*b*c == 0) -+ pm_error("Zero byte allocation"); -+ return malloc(a*b*c); -+} -+ -+void *realloc2(void * a, int b, int c) -+{ -+ overflow2(b, c); -+ if(b*c == 0) -+ pm_error("Zero byte allocation"); -+ return realloc(a, b*c); -+} + for ( col = 0; col < cols; ++col ) +diff -up netpbm-10.35.46/editor/pbmpscale.c.security netpbm-10.35.46/editor/pbmpscale.c +--- netpbm-10.35.46/editor/pbmpscale.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pbmpscale.c 2008-06-24 09:04:21.000000000 +0200 +@@ -109,6 +109,7 @@ main(argc, argv) + inrow[0] = inrow[1] = inrow[2] = NULL; + pbm_readpbminit(ifd, &columns, &rows, &format) ; ---- netpbm-10.34/lib/libpbmvms.c.security 2005-08-27 19:24:54.000000000 +0200 -+++ netpbm-10.34/lib/libpbmvms.c 2006-06-22 12:45:18.000000000 +0200 -@@ -1,3 +1,5 @@ -+#warning "NOT AUDITED" -+ - /*************************************************************************** - This file contains library routines needed to build Netpbm for VMS. - However, as of 2000.05.26, when these were split out of libpbm1.c ---- netpbm-10.34/editor/pbmreduce.c.security 2003-07-06 21:41:49.000000000 +0200 -+++ netpbm-10.34/editor/pbmreduce.c 2006-06-22 12:45:18.000000000 +0200 -@@ -93,6 +93,7 @@ ++ overflow2(columns, scale); + outrow = pbm_allocrow(columns*scale) ; + MALLOCARRAY(flags, columns); + if (flags == NULL) +diff -up netpbm-10.35.46/editor/pbmreduce.c.security netpbm-10.35.46/editor/pbmreduce.c +--- netpbm-10.35.46/editor/pbmreduce.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pbmreduce.c 2008-06-24 09:04:21.000000000 +0200 +@@ -93,6 +93,7 @@ main( argc, argv ) if ( halftone == QT_FS ) { /* Initialize Floyd-Steinberg. */ @@ -1500,50 +1377,10 @@ MALLOCARRAY(thiserr, newcols + 2); MALLOCARRAY(nexterr, newcols + 2); if ( thiserr == NULL || nexterr == NULL ) ---- netpbm-10.34/editor/pnmindex.csh.security 2000-09-14 07:37:35.000000000 +0200 -+++ netpbm-10.34/editor/pnmindex.csh 2006-06-22 12:45:18.000000000 +0200 -@@ -1,5 +1,8 @@ - #!/bin/csh -f - # -+echo "Unsafe code, needs debugging, do not ship" -+exit 1 -+# - # pnmindex - build a visual index of a bunch of anymaps - # - # Copyright (C) 1991 by Jef Poskanzer. ---- netpbm-10.34/editor/pnmscalefixed.c.security 2002-07-30 19:52:49.000000000 +0200 -+++ netpbm-10.34/editor/pnmscalefixed.c 2006-06-22 12:45:18.000000000 +0200 -@@ -209,6 +209,8 @@ - const int rows, const int cols, - int * newrowsP, int * newcolsP) { - -+ overflow2(rows, cols); -+ - if (cmdline.pixels) { - if (rows * cols <= cmdline.pixels) { - *newrowsP = rows; -@@ -260,6 +262,8 @@ - - if (*newcolsP < 1) *newcolsP = 1; - if (*newrowsP < 1) *newrowsP = 1; -+ -+ overflow2(*newcolsP, *newrowsP); - } - - -@@ -441,6 +445,9 @@ - unfilled. We can address that by stretching, whereas the other - case would require throwing away some of the input. - */ -+ -+ overflow2(newcols, SCALE); -+ overflow2(newrows, SCALE); - sxscale = SCALE * newcols / cols; - syscale = SCALE * newrows / rows; - ---- netpbm-10.34/editor/pnmcut.c.security 2002-07-30 19:47:37.000000000 +0200 -+++ netpbm-10.34/editor/pnmcut.c 2006-06-22 12:45:18.000000000 +0200 -@@ -373,6 +373,7 @@ +diff -up netpbm-10.35.46/editor/pnmcut.c.security netpbm-10.35.46/editor/pnmcut.c +--- netpbm-10.35.46/editor/pnmcut.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmcut.c 2008-06-24 09:04:21.000000000 +0200 +@@ -373,6 +373,7 @@ main(int argc, char *argv[]) { toprow, leftcol, bottomrow, rightcol); } @@ -1551,37 +1388,44 @@ output_cols = rightcol-leftcol+1; output_row = pnm_allocrow(output_cols); ---- netpbm-10.34/editor/pamoil.c.security 2005-08-15 09:05:44.000000000 +0200 -+++ netpbm-10.34/editor/pamoil.c 2006-06-22 12:45:18.000000000 +0200 -@@ -112,6 +112,7 @@ - tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); - pm_close(ifp); - -+ overflow_add(inpam.maxval, 1); - MALLOCARRAY(hist, inpam.maxval + 1); - if (hist == NULL) - pm_error("Unable to allocate memory for histogram."); ---- netpbm-10.34/editor/pnmremap.c.security 2006-02-25 19:18:47.000000000 +0100 -+++ netpbm-10.34/editor/pnmremap.c 2006-06-22 12:45:18.000000000 +0200 -@@ -284,6 +284,7 @@ - - unsigned int const fserrSize = pamP->width + 2; +diff -up netpbm-10.35.46/editor/pnmgamma.c.security netpbm-10.35.46/editor/pnmgamma.c +--- netpbm-10.35.46/editor/pnmgamma.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmgamma.c 2008-06-24 09:04:21.000000000 +0200 +@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction + xelval ** const btableP) { -+ overflow_add(pamP->width, 2); - MALLOCARRAY(fserrP->thiserr, pamP->depth); - if (fserrP->thiserr == NULL) - pm_error("Out of memory allocating Floyd-Steinberg structures " -@@ -327,6 +328,7 @@ + /* Allocate space for the tables. */ ++ overflow_add(maxval, 1); + MALLOCARRAY(*rtableP, maxval+1); + MALLOCARRAY(*gtableP, maxval+1); + MALLOCARRAY(*btableP, maxval+1); +diff -up netpbm-10.35.46/editor/pnmhisteq.c.security netpbm-10.35.46/editor/pnmhisteq.c +--- netpbm-10.35.46/editor/pnmhisteq.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmhisteq.c 2008-06-24 09:04:21.000000000 +0200 +@@ -102,6 +102,7 @@ computeLuminosityHistogram(xel * const * + unsigned int pixelCount; + unsigned int * lumahist; - int col; - -+ overflow_add(pamP->width, 2); - for (col = 0; col < pamP->width + 2; ++col) { - unsigned int plane; - for (plane = 0; plane < pamP->depth; ++plane) ---- netpbm-10.34/editor/pnmpad.c.security 2005-05-22 20:30:30.000000000 +0200 -+++ netpbm-10.34/editor/pnmpad.c 2006-06-22 12:45:18.000000000 +0200 -@@ -358,6 +358,8 @@ ++ overflow_add(maxval, 1); + MALLOCARRAY(lumahist, maxval + 1); + if (lumahist == NULL) + pm_error("Out of storage allocating array for %u histogram elements", +diff -up netpbm-10.35.46/editor/pnmindex.csh.security netpbm-10.35.46/editor/pnmindex.csh +--- netpbm-10.35.46/editor/pnmindex.csh.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmindex.csh 2008-06-24 09:04:21.000000000 +0200 +@@ -1,5 +1,8 @@ + #!/bin/csh -f + # ++echo "Unsafe code, needs debugging, do not ship" ++exit 1 ++# + # pnmindex - build a visual index of a bunch of anymaps + # + # Copyright (C) 1991 by Jef Poskanzer. +diff -up netpbm-10.35.46/editor/pnmpad.c.security netpbm-10.35.46/editor/pnmpad.c +--- netpbm-10.35.46/editor/pnmpad.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmpad.c 2008-06-24 09:04:21.000000000 +0200 +@@ -358,6 +358,8 @@ main(int argc, char ** argv) { computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); @@ -1589,32 +1433,11 @@ + overflow_add(cols + lpad, rpad); newcols = cols + lpad + rpad; xelrow = pnm_allocrow(newcols); - bgrow = pnm_allocrow(newcols); ---- netpbm-10.34/editor/pamcut.c.security 2006-01-30 18:22:43.000000000 +0100 -+++ netpbm-10.34/editor/pamcut.c 2006-06-22 12:45:18.000000000 +0200 -@@ -514,6 +514,8 @@ - outpam.width = rightcol-leftcol+1; - outpam.height = bottomrow-toprow+1; - -+ overflow_add(rightcol, 1); -+ overflow_add(toprow, 1); - pnm_writepaminit(&outpam); - - /* Write out top padding */ ---- netpbm-10.34/editor/pbmlife.c.security 1993-10-04 10:10:37.000000000 +0100 -+++ netpbm-10.34/editor/pbmlife.c 2006-06-22 12:45:18.000000000 +0200 -@@ -54,7 +54,7 @@ - prevrow = thisrow; - thisrow = nextrow; - nextrow = temprow; -- if ( row < rows - 1 ) -+ if ( row <= rows ) - pbm_readpbmrow( ifp, nextrow, cols, format ); - - for ( col = 0; col < cols; ++col ) ---- netpbm-10.34/editor/pnmpaste.c.security 2005-12-22 10:24:24.000000000 +0100 -+++ netpbm-10.34/editor/pnmpaste.c 2006-06-22 12:45:18.000000000 +0200 -@@ -101,11 +101,16 @@ + bgrow = pnm_allocrow(newcols); +diff -up netpbm-10.35.46/editor/pnmpaste.c.security netpbm-10.35.46/editor/pnmpaste.c +--- netpbm-10.35.46/editor/pnmpaste.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmpaste.c 2008-06-24 09:04:21.000000000 +0200 +@@ -101,11 +101,16 @@ main( argc, argv ) "y is too large -- the second anymap has only %d rows", rows2 ); @@ -1631,61 +1454,59 @@ if ( x + cols1 > cols2 ) pm_error( "x + width is too large by %d pixels", x + cols1 - cols2 ); if ( y + rows1 > rows2 ) ---- netpbm-10.34/editor/pbmclean.c.security 2006-02-02 01:13:33.000000000 +0100 -+++ netpbm-10.34/editor/pbmclean.c 2006-06-22 12:45:18.000000000 +0200 -@@ -150,7 +150,7 @@ - inrow[0] = inrow[1]; - inrow[1] = inrow[2]; - inrow[2] = shuffle ; -- if (row+1 < rows) { -+ if (row <= rows) { - /* Read the "next" row in from the file. Allocate buffer if needed */ - if (inrow[2] == NULL) - inrow[2] = pbm_allocrow(cols); ---- netpbm-10.34/editor/ppmdither.c.security 2003-07-06 21:54:02.000000000 +0200 -+++ netpbm-10.34/editor/ppmdither.c 2006-06-22 12:45:18.000000000 +0200 -@@ -111,6 +111,9 @@ - (dith_dim * sizeof(int *)) + /* pointers */ - (dith_dim * dith_dim * sizeof(int)); /* data */ +diff -up netpbm-10.35.46/editor/pnmremap.c.security netpbm-10.35.46/editor/pnmremap.c +--- netpbm-10.35.46/editor/pnmremap.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmremap.c 2008-06-24 09:04:21.000000000 +0200 +@@ -279,6 +279,7 @@ initFserr(struct pam * const pamP, -+ overflow2(dith_dim, sizeof(int *)); -+ overflow3(dith_dim, dith_dim, sizeof(int)); -+ overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int)); - dith_mat = (unsigned int **) malloc(dith_mat_sz); + unsigned int const fserrSize = pamP->width + 2; - if (dith_mat == NULL) -@@ -165,7 +168,8 @@ - if (dith_nb < 2) - pm_error("too few shades for blue, minimum of 2"); ++ overflow_add(pamP->width, 2); + MALLOCARRAY(fserrP->thiserr, pamP->depth); + if (fserrP->thiserr == NULL) + pm_error("Out of memory allocating Floyd-Steinberg structures " +@@ -322,6 +323,7 @@ floydInitRow(struct pam * const pamP, st -- MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb); -+ overflow2(dith_nr, dith_ng); -+ *colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel)); - if (*colormapP == NULL) - pm_error("Unable to allocate space for the color lookup table " - "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb); ---- netpbm-10.34/editor/pnmgamma.c.security 2006-02-18 23:34:16.000000000 +0100 -+++ netpbm-10.34/editor/pnmgamma.c 2006-06-22 12:45:18.000000000 +0200 -@@ -586,6 +586,7 @@ - xelval ** const btableP) { + int col; + ++ overflow_add(pamP->width, 2); + for (col = 0; col < pamP->width + 2; ++col) { + unsigned int plane; + for (plane = 0; plane < pamP->depth; ++plane) +diff -up netpbm-10.35.46/editor/pnmscalefixed.c.security netpbm-10.35.46/editor/pnmscalefixed.c +--- netpbm-10.35.46/editor/pnmscalefixed.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmscalefixed.c 2008-06-24 09:04:21.000000000 +0200 +@@ -209,6 +209,8 @@ compute_output_dimensions(const struct c + const int rows, const int cols, + int * newrowsP, int * newcolsP) { - /* Allocate space for the tables. */ -+ overflow_add(maxval, 1); - MALLOCARRAY(*rtableP, maxval+1); - MALLOCARRAY(*gtableP, maxval+1); - MALLOCARRAY(*btableP, maxval+1); ---- netpbm-10.34/editor/pnmhisteq.c.security 2005-09-11 00:59:13.000000000 +0200 -+++ netpbm-10.34/editor/pnmhisteq.c 2006-06-22 12:45:18.000000000 +0200 -@@ -102,6 +102,7 @@ - unsigned int pixelCount; - unsigned int * lumahist; ++ overflow2(rows, cols); ++ + if (cmdline.pixels) { + if (rows * cols <= cmdline.pixels) { + *newrowsP = rows; +@@ -260,6 +262,8 @@ compute_output_dimensions(const struct c -+ overflow_add(maxval, 1); - MALLOCARRAY(lumahist, maxval + 1); - if (lumahist == NULL) - pm_error("Out of storage allocating array for %u histogram elements", ---- netpbm-10.34/editor/pnmshear.c.security 2005-08-15 08:17:16.000000000 +0200 -+++ netpbm-10.34/editor/pnmshear.c 2006-06-22 12:45:18.000000000 +0200 + if (*newcolsP < 1) *newcolsP = 1; + if (*newrowsP < 1) *newrowsP = 1; ++ ++ overflow2(*newcolsP, *newrowsP); + } + + +@@ -441,6 +445,9 @@ main(int argc, char **argv ) { + unfilled. We can address that by stretching, whereas the other + case would require throwing away some of the input. + */ ++ ++ overflow2(newcols, SCALE); ++ overflow2(newrows, SCALE); + sxscale = SCALE * newcols / cols; + syscale = SCALE * newrows / rows; + +diff -up netpbm-10.35.46/editor/pnmshear.c.security netpbm-10.35.46/editor/pnmshear.c +--- netpbm-10.35.46/editor/pnmshear.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/pnmshear.c 2008-06-24 09:04:21.000000000 +0200 @@ -14,6 +14,7 @@ #include @@ -1694,7 +1515,7 @@ #include "pnm.h" #include "shhopt.h" -@@ -196,6 +197,11 @@ +@@ -196,6 +197,11 @@ main(int argc, char * argv[]) { if ( shearfac < 0.0 ) shearfac = -shearfac; @@ -1706,103 +1527,305 @@ newcols = rows * shearfac + cols + 0.999999; pnm_writepnminit( stdout, newcols, rows, newmaxval, newformat, 0 ); ---- netpbm-10.34/editor/pbmpscale.c.security 2005-08-15 09:06:55.000000000 +0200 -+++ netpbm-10.34/editor/pbmpscale.c 2006-06-22 12:45:18.000000000 +0200 -@@ -109,6 +109,7 @@ - inrow[0] = inrow[1] = inrow[2] = NULL; - pbm_readpbminit(ifd, &columns, &rows, &format) ; +diff -up netpbm-10.35.46/editor/ppmdither.c.security netpbm-10.35.46/editor/ppmdither.c +--- netpbm-10.35.46/editor/ppmdither.c.security 2008-06-24 08:58:59.000000000 +0200 ++++ netpbm-10.35.46/editor/ppmdither.c 2008-06-24 09:04:21.000000000 +0200 +@@ -111,6 +111,9 @@ dith_matrix(unsigned int const dith_dim) + (dith_dim * sizeof(int *)) + /* pointers */ + (dith_dim * dith_dim * sizeof(int)); /* data */ -+ overflow2(columns, scale); - outrow = pbm_allocrow(columns*scale) ; - MALLOCARRAY(flags, columns); - if (flags == NULL) ---- netpbm-10.34/urt/scanargs.c.security 2003-01-08 20:38:25.000000000 +0100 -+++ netpbm-10.34/urt/scanargs.c 2006-06-22 12:45:18.000000000 +0200 -@@ -38,6 +38,8 @@ - * - * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire - * to have all "void" functions so declared. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ ++ overflow2(dith_dim, sizeof(int *)); ++ overflow3(dith_dim, dith_dim, sizeof(int)); ++ overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int)); + dith_mat = (unsigned int **) malloc(dith_mat_sz); - #include "rle.h" -@@ -65,8 +67,8 @@ - /* - * Storage allocation macros - */ --#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) --#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) -+#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) -+#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) + if (dith_mat == NULL) +@@ -165,7 +168,8 @@ dith_setup(const unsigned int dith_power + if (dith_nb < 2) + pm_error("too few shades for blue, minimum of 2"); + +- MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb); ++ overflow2(dith_nr, dith_ng); ++ *colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel)); + if (*colormapP == NULL) + pm_error("Unable to allocate space for the color lookup table " + "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb); +diff -up netpbm-10.35.46/generator/pbmpage.c.security netpbm-10.35.46/generator/pbmpage.c +--- netpbm-10.35.46/generator/pbmpage.c.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/generator/pbmpage.c 2008-06-24 09:04:21.000000000 +0200 +@@ -170,6 +170,9 @@ outputPbm(FILE * const file, + /* We round the allocated row space up to a multiple of 8 so the ugly + fast code below can work. + */ ++ ++ overflow_add(bitmap.Width, 7); ++ + pbmrow = pbm_allocrow(((bitmap.Width+7)/8)*8); + + bitmap_cursor = 0; +diff -up netpbm-10.35.46/generator/pbmtext.c.security netpbm-10.35.46/generator/pbmtext.c +--- netpbm-10.35.46/generator/pbmtext.c.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/generator/pbmtext.c 2008-06-24 09:05:49.000000000 +0200 +@@ -89,12 +89,14 @@ parse_command_line(int argc, char ** arg + + for (i = 1; i < argc; i++) { + if (i > 1) { ++ overflow_add(totaltextsize, 1); + totaltextsize += 1; + text = realloc(text, totaltextsize); + if (text == NULL) + pm_error("out of memory allocating space for input text"); + strcat(text, " "); + } ++ overflow_add(totaltextsize, strlen(argv[i])); + totaltextsize += strlen(argv[i]); + text = realloc(text, totaltextsize); + if (text == NULL) +@@ -575,6 +577,7 @@ getText(const char cmdline_text + struct text input_text; + + if (cmdline_text) { ++ overflow_add(strlen(cmdline_text), 1); + allocTextArray(&input_text, 1, strlen(cmdline_text)*8); + strcpy(input_text.textArray[0], cmdline_text); + fix_control_chars(input_text.textArray[0], fn); +@@ -600,7 +603,9 @@ getText(const char cmdline_text + "Cannot process.", (sizeof(buf)-1)/8); + fix_control_chars(buf, fn); + if (lineCount >= maxlines) { ++ overflow2(maxlines, 2); + maxlines *= 2; ++ overflow2(maxlines, sizeof(char *)); + text_array = (char**) realloc((char*) text_array, + maxlines * sizeof(char*)); + if (text_array == NULL) +@@ -686,6 +691,7 @@ main(int argc, char *argv[]) { + hmargin = fontP->maxwidth; + } else { + vmargin = fontP->maxheight; ++ overflow2(2, fontP->maxwidth); + hmargin = 2 * fontP->maxwidth; + } + } +@@ -702,6 +708,12 @@ main(int argc, char *argv[]) { + } else + formattedText = inputText; + ++ overflow2(2, vmargin); ++ overflow2(formattedText.lineCount, fontP->maxheight); ++ overflow2(formattedText.lineCount-1, cmdline.lspace); ++ overflow_add(vmargin * 2, formattedText.lineCount * fontP->maxheight); ++ overflow_add(vmargin * 2 + formattedText.lineCount * fontP->maxheight, (formattedText.lineCount-1) * cmdline.lspace); ++ + rows = 2 * vmargin + + formattedText.lineCount * fontP->maxheight + + (formattedText.lineCount-1) * cmdline.lspace; +@@ -709,6 +721,9 @@ main(int argc, char *argv[]) { + compute_image_width(formattedText, fontP, cmdline.space, + &maxwidth, &maxleftb); + ++ overflow2(2, hmargin); ++ overflow_add(2*hmargin, maxwidth); ++ + cols = 2 * hmargin + maxwidth; + + if (cols == 0 || rows == 0) +diff -up netpbm-10.35.46/generator/pgmcrater.c.security netpbm-10.35.46/generator/pgmcrater.c +--- netpbm-10.35.46/generator/pgmcrater.c.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/generator/pgmcrater.c 2008-06-24 09:04:21.000000000 +0200 +@@ -131,7 +131,7 @@ static void gencraters() + /* Acquire the elevation array and initialize it to mean + surface elevation. */ + +- MALLOCARRAY(aux, SCRX * SCRY); ++ aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short)); + if (aux == NULL) + pm_error("out of memory allocating elevation array"); + +diff -up netpbm-10.35.46/generator/pgmkernel.c.security netpbm-10.35.46/generator/pgmkernel.c +--- netpbm-10.35.46/generator/pgmkernel.c.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/generator/pgmkernel.c 2008-06-24 09:04:21.000000000 +0200 +@@ -68,7 +68,7 @@ main ( argc, argv ) + kycenter = (fysize - 1) / 2.0; + ixsize = fxsize + 0.999; + iysize = fysize + 0.999; +- MALLOCARRAY(fkernel, ixsize * iysize); ++ fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double)); + for (i = 0; i < iysize; i++) + for (j = 0; j < ixsize; j++) { + fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double) +diff -up netpbm-10.35.46/generator/ppmrainbow.security netpbm-10.35.46/generator/ppmrainbow +--- netpbm-10.35.46/generator/ppmrainbow.security 2008-06-24 08:58:57.000000000 +0200 ++++ netpbm-10.35.46/generator/ppmrainbow 2008-06-24 09:04:21.000000000 +0200 +@@ -11,7 +11,7 @@ my ($Twid, $Thgt, $tmpdir, $norepeat, $v + # set defaults + $Twid = 600; + $Thgt = 8; +-$tmpdir = $ENV{"TMPDIR"} || "/tmp"; ++$tmpdir = $ENV{"TMPDIR"} || ".tmp"; + $norepeat = $FALSE; + $verbose = $FALSE; + +diff -up netpbm-10.35.46/lib/libpam.c.security netpbm-10.35.46/lib/libpam.c +--- netpbm-10.35.46/lib/libpam.c.security 2008-06-24 08:59:03.000000000 +0200 ++++ netpbm-10.35.46/lib/libpam.c 2008-06-24 09:04:21.000000000 +0200 +@@ -236,7 +236,8 @@ allocPamRow(const struct pam * const pam + int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample); + tuple * tuplerow; + +- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple)); ++ overflow_add(sizeof(tuple *), bytesPerTuple); ++ tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytesPerTuple); + + if (tuplerow != NULL) { + /* Now we initialize the pointers to the individual tuples +diff -up netpbm-10.35.46/lib/libpammap.c.security netpbm-10.35.46/lib/libpammap.c +--- netpbm-10.35.46/lib/libpammap.c.security 2008-06-24 08:59:03.000000000 +0200 ++++ netpbm-10.35.46/lib/libpammap.c 2008-06-24 09:04:21.000000000 +0200 +@@ -102,6 +102,8 @@ allocTupleIntListItem(struct pam * const + */ + struct tupleint_list_item * retval; + ++ overflow2(pamP->depth, sizeof(sample)); ++ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample)); + unsigned int const size = + sizeof(*retval) - sizeof(retval->tupleint.tuple) + + pamP->depth * sizeof(sample); +diff -up netpbm-10.35.46/lib/libpbm1.c.security netpbm-10.35.46/lib/libpbm1.c +--- netpbm-10.35.46/lib/libpbm1.c.security 2008-06-24 08:59:03.000000000 +0200 ++++ netpbm-10.35.46/lib/libpbm1.c 2008-06-24 09:04:21.000000000 +0200 +@@ -56,6 +56,7 @@ pbm_check(FILE * file, const enum pm_che + pm_message("pm_filepos passed to pm_check() is %u bytes", + sizeof(pm_filepos)); + #endif ++ overflow2(bytes_per_row, rows); + pm_check(file, check_type, need_raster_size, retval_p); + } + } +diff -up netpbm-10.35.46/lib/libpbmvms.c.security netpbm-10.35.46/lib/libpbmvms.c +--- netpbm-10.35.46/lib/libpbmvms.c.security 2008-06-24 08:59:03.000000000 +0200 ++++ netpbm-10.35.46/lib/libpbmvms.c 2008-06-24 09:04:21.000000000 +0200 +@@ -1,3 +1,5 @@ ++#warning "NOT AUDITED" ++ + /*************************************************************************** + This file contains library routines needed to build Netpbm for VMS. + However, as of 2000.05.26, when these were split out of libpbm1.c +diff -up netpbm-10.35.46/lib/libpm.c.security netpbm-10.35.46/lib/libpm.c +--- netpbm-10.35.46/lib/libpm.c.security 2008-06-24 08:59:03.000000000 +0200 ++++ netpbm-10.35.46/lib/libpm.c 2008-06-24 09:04:21.000000000 +0200 +@@ -36,6 +36,7 @@ + /* This makes the the x64() functions available on AIX */ + + #include ++#include + #include + #include + #include +@@ -213,7 +214,7 @@ pm_allocarray(int const cols, int const + if (rowIndex == NULL) + pm_error("out of memory allocating row index (%u rows) for an array", + rows); +- rowheap = malloc(rows * cols * size); ++ rowheap = malloc3(rows, cols, size); + if (rowheap == NULL) { + /* We couldn't get the whole heap in one block, so try fragmented + format. +@@ -1491,4 +1492,53 @@ pm_check(FILE * const file + } - #if defined(c_plusplus) && !defined(USE_PROTOTYPES) - #define USE_PROTOTYPES ---- netpbm-10.34/urt/rle.h.security 2005-12-24 05:46:05.000000000 +0100 -+++ netpbm-10.34/urt/rle.h 2006-06-22 12:45:18.000000000 +0200 -@@ -14,6 +14,9 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox -+ * Header declarations needed - */ - /* - * rle.h - Global declarations for Utah Raster Toolkit RLE programs. -@@ -166,6 +169,17 @@ - */ - extern rle_hdr rle_dflt_hdr; -+/* -+ * Provided by pm library ++/* ++ * Maths wrapping + */ + -+extern void overflow_add(int, int); -+#define overflow2(a,b) __overflow2(a,b) -+extern void __overflow2(int, int); -+extern void overflow3(int, int, int); -+extern void *malloc2(int, int); -+extern void *malloc3(int, int, int); -+extern void *realloc2(void *, int, int); - - /* Declare RLE library routines. */ ++void __overflow2(int a, int b) ++{ ++ if(a < 0 || b < 0) ++ pm_error("object too large"); ++ if(b == 0) ++ return; ++ if(a > INT_MAX / b) ++ pm_error("object too large"); ++} ++ ++void overflow3(int a, int b, int c) ++{ ++ overflow2(a,b); ++ overflow2(a*b, c); ++} ++ ++void overflow_add(int a, int b) ++{ ++ if( a > INT_MAX - b) ++ pm_error("object too large"); ++} ++ ++void *malloc2(int a, int b) ++{ ++ overflow2(a, b); ++ if(a*b == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b); ++} ++ ++void *malloc3(int a, int b, int c) ++{ ++ overflow3(a, b, c); ++ if(a*b*c == 0) ++ pm_error("Zero byte allocation"); ++ return malloc(a*b*c); ++} ++ ++void *realloc2(void * a, int b, int c) ++{ ++ overflow2(b, c); ++ if(b*c == 0) ++ pm_error("Zero byte allocation"); ++ return realloc(a, b*c); ++} ---- netpbm-10.34/urt/rle_open_f.c.security 2005-10-17 00:16:48.000000000 +0200 -+++ netpbm-10.34/urt/rle_open_f.c 2006-06-22 12:45:18.000000000 +0200 -@@ -6,6 +6,9 @@ - * University of Michigan - * Date: 11/14/89 - * Copyright (c) 1990, University of Michigan -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox -+ * Killed of crazy unsafe pipe/compress stuff - */ +diff -up netpbm-10.35.46/lib/pm.h.security netpbm-10.35.46/lib/pm.h +--- netpbm-10.35.46/lib/pm.h.security 2008-06-24 08:59:03.000000000 +0200 ++++ netpbm-10.35.46/lib/pm.h 2008-06-24 09:04:21.000000000 +0200 +@@ -343,4 +343,11 @@ pm_arg0toprogname(const char arg0[]); + #endif - #define _XOPEN_SOURCE /* Make sure fdopen() is in stdio.h */ -@@ -188,7 +191,7 @@ - - cp = file_name + strlen( (char*) file_name ) - 2; - /* Pipe case. */ -- if ( *file_name == '|' ) -+ if ( *file_name == '|' && 0 /* BOLLOCKS ARE WE DOING THIS ANY MORE */) - { - int thepid; /* PID from my_popen */ - if ( (fp = my_popen( file_name + 1, mode, &thepid )) == NULL ) -@@ -203,9 +206,10 @@ - } - /* Compress case. */ -- else if ( cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) -+ else if ( /* SMOKING SOMETHING */ 0 && cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) - { - int thepid; /* PID from my_popen. */ -+ overflow_add(20, strlen(file_name)); - combuf = (char *)malloc( 20 + strlen( file_name ) ); - if ( combuf == NULL ) - { ---- netpbm-10.34/urt/rle_addhist.c.security 2005-10-17 00:15:58.000000000 +0200 -+++ netpbm-10.34/urt/rle_addhist.c 2006-06-22 12:45:18.000000000 +0200 ++void *malloc2(int, int); ++void *malloc3(int, int, int); ++#define overflow2(a,b) __overflow2(a,b) ++void __overflow2(int, int); ++void overflow3(int, int, int); ++void overflow_add(int, int); ++ + #endif +diff -up netpbm-10.35.46/other/pnmcolormap.c.security netpbm-10.35.46/other/pnmcolormap.c +--- netpbm-10.35.46/other/pnmcolormap.c.security 2008-06-24 08:58:56.000000000 +0200 ++++ netpbm-10.35.46/other/pnmcolormap.c 2008-06-24 09:04:21.000000000 +0200 +@@ -839,6 +839,7 @@ colormapToSquare(struct pam * const pamP + pamP->width = intsqrt; + else + pamP->width = intsqrt + 1; ++ overflow_add(intsqrt, 1); + } + { + unsigned int const intQuotient = colormap.size / pamP->width; +diff -up netpbm-10.35.46/urt/README.security netpbm-10.35.46/urt/README +--- netpbm-10.35.46/urt/README.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/README 2008-06-24 09:04:21.000000000 +0200 +@@ -18,3 +18,8 @@ in its initializer in the original. But + defines stdout as a variable, so that wouldn't compile. So I changed + it to NULL and added a line to rle_hdr_init to set that field to + 'stdout' dynamically. 2000.06.02 BJH. ++ ++Redid the code to check for maths overflows and other crawly horrors. ++Removed pipe through and compress support (unsafe) ++ ++Alan Cox +diff -up netpbm-10.35.46/urt/rle_addhist.c.security netpbm-10.35.46/urt/rle_addhist.c +--- netpbm-10.35.46/urt/rle_addhist.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/rle_addhist.c 2008-06-24 09:04:21.000000000 +0200 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, @@ -1812,7 +1835,7 @@ */ /* * rle_addhist.c - Add to the HISTORY comment in header -@@ -76,13 +78,19 @@ +@@ -76,13 +78,19 @@ rle_addhist(char * argv[], return; length = 0; @@ -1833,7 +1856,7 @@ length += strlen(padding) + 3 + strlen(histoire) + 1; /* length of padding, "on " and length of history name plus "="*/ if (in_hdr) /* if we are interested in the old comments... */ -@@ -90,9 +98,12 @@ +@@ -90,9 +98,12 @@ rle_addhist(char * argv[], else old = NULL; @@ -1847,8 +1870,29 @@ ++length; /*Cater for the null. */ MALLOCARRAY(newc, length); ---- netpbm-10.34/urt/rle_hdr.c.security 2005-10-17 00:16:33.000000000 +0200 -+++ netpbm-10.34/urt/rle_hdr.c 2006-06-22 12:45:18.000000000 +0200 +diff -up netpbm-10.35.46/urt/rle_getrow.c.security netpbm-10.35.46/urt/rle_getrow.c +--- netpbm-10.35.46/urt/rle_getrow.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/rle_getrow.c 2008-06-24 09:04:21.000000000 +0200 +@@ -17,6 +17,8 @@ + * + * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire + * to have all "void" functions so declared. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rle_getrow.c - Read an RLE file in. +@@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) { + register char * cp; + + VAXSHORT( comlen, infile ); /* get comment length */ ++ overflow_add(comlen, 1); + evenlen = (comlen + 1) & ~1; /* make it even */ + if ( evenlen ) + { +diff -up netpbm-10.35.46/urt/rle_hdr.c.security netpbm-10.35.46/urt/rle_hdr.c +--- netpbm-10.35.46/urt/rle_hdr.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/rle_hdr.c 2008-06-24 09:04:21.000000000 +0200 @@ -14,6 +14,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, @@ -1858,7 +1902,7 @@ */ /* * rle_hdr.c - Functions to manipulate rle_hdr structures. -@@ -79,7 +81,10 @@ +@@ -79,7 +81,10 @@ int img_num; /* Fill in with copies of the strings. */ if ( the_hdr->cmd != pgmname ) { @@ -1870,7 +1914,7 @@ RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, pgmname ); the_hdr->cmd = tmp; -@@ -87,7 +92,9 @@ +@@ -87,7 +92,9 @@ int img_num; if ( the_hdr->file_name != fname ) { @@ -1881,7 +1925,7 @@ RLE_CHECK_ALLOC( pgmname, tmp, 0 ); strcpy( tmp, fname ); the_hdr->file_name = tmp; -@@ -152,6 +159,7 @@ +@@ -152,6 +159,7 @@ rle_hdr *from_hdr, *to_hdr; if ( to_hdr->bg_color ) { int size = to_hdr->ncolors * sizeof(int); @@ -1889,7 +1933,7 @@ to_hdr->bg_color = (int *)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" ); memcpy( to_hdr->bg_color, from_hdr->bg_color, size ); -@@ -160,7 +168,7 @@ +@@ -160,7 +168,7 @@ rle_hdr *from_hdr, *to_hdr; if ( to_hdr->cmap ) { int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map); @@ -1898,7 +1942,7 @@ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" ); memcpy( to_hdr->cmap, from_hdr->cmap, size ); } -@@ -173,11 +181,16 @@ +@@ -173,11 +181,16 @@ rle_hdr *from_hdr, *to_hdr; int size = 0; CONST_DECL char **cp; for ( cp=to_hdr->comments; *cp; cp++ ) @@ -1915,19 +1959,102 @@ size *= sizeof(char *); to_hdr->comments = (CONST_DECL char **)malloc( size ); RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" ); ---- netpbm-10.34/urt/README.security 2000-06-02 22:53:04.000000000 +0200 -+++ netpbm-10.34/urt/README 2006-06-22 12:45:18.000000000 +0200 -@@ -18,3 +18,8 @@ - defines stdout as a variable, so that wouldn't compile. So I changed - it to NULL and added a line to rle_hdr_init to set that field to - 'stdout' dynamically. 2000.06.02 BJH. -+ -+Redid the code to check for maths overflows and other crawly horrors. -+Removed pipe through and compress support (unsafe) -+ -+Alan Cox ---- netpbm-10.34/urt/Runput.c.security 2005-10-16 23:36:29.000000000 +0200 -+++ netpbm-10.34/urt/Runput.c 2006-06-22 12:45:18.000000000 +0200 +diff -up netpbm-10.35.46/urt/rle.h.security netpbm-10.35.46/urt/rle.h +--- netpbm-10.35.46/urt/rle.h.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/rle.h 2008-06-24 09:04:21.000000000 +0200 +@@ -14,6 +14,9 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox ++ * Header declarations needed + */ + /* + * rle.h - Global declarations for Utah Raster Toolkit RLE programs. +@@ -166,6 +169,17 @@ rle_hdr /* End of typedef. * + */ + extern rle_hdr rle_dflt_hdr; + ++/* ++ * Provided by pm library ++ */ ++ ++extern void overflow_add(int, int); ++#define overflow2(a,b) __overflow2(a,b) ++extern void __overflow2(int, int); ++extern void overflow3(int, int, int); ++extern void *malloc2(int, int); ++extern void *malloc3(int, int, int); ++extern void *realloc2(void *, int, int); + + /* Declare RLE library routines. */ + +diff -up netpbm-10.35.46/urt/rle_open_f.c.security netpbm-10.35.46/urt/rle_open_f.c +--- netpbm-10.35.46/urt/rle_open_f.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/rle_open_f.c 2008-06-24 09:04:21.000000000 +0200 +@@ -6,6 +6,9 @@ + * University of Michigan + * Date: 11/14/89 + * Copyright (c) 1990, University of Michigan ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox ++ * Killed of crazy unsafe pipe/compress stuff + */ + + #define _XOPEN_SOURCE /* Make sure fdopen() is in stdio.h */ +@@ -188,7 +191,7 @@ rle_open_f_noexit(const char * const pro + + cp = file_name + strlen( (char*) file_name ) - 2; + /* Pipe case. */ +- if ( *file_name == '|' ) ++ if ( *file_name == '|' && 0 /* BOLLOCKS ARE WE DOING THIS ANY MORE */) + { + int thepid; /* PID from my_popen */ + if ( (fp = my_popen( file_name + 1, mode, &thepid )) == NULL ) +@@ -203,9 +206,10 @@ rle_open_f_noexit(const char * const pro + } + + /* Compress case. */ +- else if ( cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) ++ else if ( /* SMOKING SOMETHING */ 0 && cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) + { + int thepid; /* PID from my_popen. */ ++ overflow_add(20, strlen(file_name)); + combuf = (char *)malloc( 20 + strlen( file_name ) ); + if ( combuf == NULL ) + { +diff -up netpbm-10.35.46/urt/rle_putcom.c.security netpbm-10.35.46/urt/rle_putcom.c +--- netpbm-10.35.46/urt/rle_putcom.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/rle_putcom.c 2008-06-24 09:04:21.000000000 +0200 +@@ -14,6 +14,8 @@ + * If you modify this software, you should include a notice giving the + * name of the person performing the modification, the date of modification, + * and the reason for such modification. ++ * ++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox + */ + /* + * rle_putcom.c - Add a picture comment to the header struct. +@@ -98,12 +100,14 @@ rle_putcom(const char * const value, + const char * v; + const char ** old_comments; + int i; +- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) ++ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) { ++ overflow_add(i, 1); + if (match(value, *cp) != NULL) { + v = *cp; + *cp = value; + return v; + } ++ } + /* Not found */ + /* Can't realloc because somebody else might be pointing to this + * comments block. Of course, if this were true, then the +diff -up netpbm-10.35.46/urt/Runput.c.security netpbm-10.35.46/urt/Runput.c +--- netpbm-10.35.46/urt/Runput.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/Runput.c 2008-06-24 09:04:21.000000000 +0200 @@ -17,6 +17,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire @@ -1937,7 +2064,7 @@ */ /* * Runput.c - General purpose Run Length Encoding. -@@ -202,9 +204,11 @@ +@@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr) if ( the_hdr->background != 0 ) { register int i; @@ -1951,7 +2078,7 @@ /* * If even number of bg color bytes, put out one more to get to * 16 bit boundary. -@@ -224,7 +228,7 @@ +@@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr) /* Big-endian machines are harder */ register int i, nmap = (1 << the_hdr->cmaplen) * the_hdr->ncmap; @@ -1960,49 +2087,26 @@ if ( h_cmap == NULL ) { fprintf( stderr, ---- netpbm-10.34/urt/rle_getrow.c.security 2005-10-16 23:47:53.000000000 +0200 -+++ netpbm-10.34/urt/rle_getrow.c 2006-06-22 12:45:18.000000000 +0200 -@@ -17,6 +17,8 @@ +diff -up netpbm-10.35.46/urt/scanargs.c.security netpbm-10.35.46/urt/scanargs.c +--- netpbm-10.35.46/urt/scanargs.c.security 2008-06-24 08:59:24.000000000 +0200 ++++ netpbm-10.35.46/urt/scanargs.c 2008-06-24 09:04:21.000000000 +0200 +@@ -38,6 +38,8 @@ * * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire * to have all "void" functions so declared. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ - /* - * rle_getrow.c - Read an RLE file in. -@@ -168,6 +170,7 @@ - register char * cp; - VAXSHORT( comlen, infile ); /* get comment length */ -+ overflow_add(comlen, 1); - evenlen = (comlen + 1) & ~1; /* make it even */ - if ( evenlen ) - { ---- netpbm-10.34/urt/rle_putcom.c.security 2005-10-07 18:01:42.000000000 +0200 -+++ netpbm-10.34/urt/rle_putcom.c 2006-06-22 12:45:18.000000000 +0200 -@@ -14,6 +14,8 @@ - * If you modify this software, you should include a notice giving the - * name of the person performing the modification, the date of modification, - * and the reason for such modification. -+ * -+ * 2002-12-19: Fix maths wrapping bugs. Alan Cox - */ + #include "rle.h" +@@ -65,8 +67,8 @@ typedef int *ptr; /* - * rle_putcom.c - Add a picture comment to the header struct. -@@ -98,12 +100,14 @@ - const char * v; - const char ** old_comments; - int i; -- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) -+ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) { -+ overflow_add(i, 1); - if (match(value, *cp) != NULL) { - v = *cp; - *cp = value; - return v; - } -+ } - /* Not found */ - /* Can't realloc because somebody else might be pointing to this - * comments block. Of course, if this were true, then the + * Storage allocation macros + */ +-#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) ) +-#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) ) ++#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) ) ++#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) ) + + #if defined(c_plusplus) && !defined(USE_PROTOTYPES) + #define USE_PROTOTYPES diff --git a/netpbm.spec b/netpbm.spec index ad32172..a4c974f 100644 --- a/netpbm.spec +++ b/netpbm.spec @@ -1,6 +1,6 @@ Summary: A library for handling different graphics file formats Name: netpbm -Version: 10.35.45 +Version: 10.35.48 Release: 1%{?dist} License: Assorted licenses, see %{_docdir}/%{name}-%{version}/copyright_summary Group: System Environment/Libraries @@ -214,6 +214,12 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/netpbm/ %changelog +* Mon Aug 4 2008 Jindrich Novy 10.35.48-1 +- update to 10.35.48 +- fixes buffer overrun in pamperspective and pngtopnm output format +- fixes pbmtext, pamtotga, pamtouil and pnmtopclxl +- update .security2 patch so that it applies with fuzz==0 + * Mon Jun 9 2008 Jindrich Novy 10.35.45-1 - update to 10.35.45 - fixes anytopnm, pamtohtmltbl, xvminitoppm, pbmtogo, tgatoppm, diff --git a/sources b/sources index 5664ee8..f9ae4fc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e4f3a911b8e4e90196aefe5209523cda netpbm-10.35.45.tar.bz2 +c49e34643a1d353e74877d4abe5fdb63 netpbm-10.35.48.tar.bz2