#! /bin/sh -e
## 16_CAN-2005-0639.dpatch
##
## DP: Description: Fix integer overflows in new.c.
## DP: Author: Debian security team
## DP: Upstream status: Not submitted
## DP: Date: 2005-03-18
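# dpatch wrapper: apply or revert the diff embedded further down in this file.
# Exactly one argument is required: -patch or -unpatch.
if [ $# -ne 1 ]; then
    echo >&2 "$(basename "$0"): script expects -patch|-unpatch as argument"
    exit 1
fi
# patch(1) reads this very file on stdin and skips the shell preamble as
# leading text; "$0" is quoted so a script path containing whitespace is
# not word-split into several redirection targets.
case "$1" in
    -patch) patch -f --no-backup-if-mismatch -p1 < "$0";;
    -unpatch) patch -f --no-backup-if-mismatch -R -p1 < "$0";;
    *)
        echo >&2 "$(basename "$0"): script expects -patch|-unpatch as argument"
        exit 1;;
esac
# Stop here so the shell never tries to execute the diff text that follows.
exit 0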
@DPATCH@
diff -urNad --exclude=CVS --exclude=.svn ./new.c /tmp/dpep-work.Yefw4q/xloadimage-4.1/new.c
--- ./new.c 1993-10-28 17:24:14.000000000 +0000
+++ /tmp/dpep-work.Yefw4q/xloadimage-4.1/new.c 2005-10-08 04:12:37.000000000 +0100
@@ -63,6 +63,18 @@
}
+static unsigned int ovmul(unsigned int a, unsigned int b)
+{
+ unsigned int r;
+
+ r = a * b;
+ if (r / a != b) {
+ memoryExhausted();
+ }
+
+ return r;
+}
+
void goodImage(image, func)
Image *image;
char *func;
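Review bot: ovmul divides by `a` without checking for zero, so `r / a` is undefined behaviour (typically a SIGFPE) whenever the first factor is 0. The nested calls in the later hunks can reach this: `ovmul(ovmul(width, height), pixlen)` and `ovmul(ovmul(width, height), 3)` pass 0 as `a` to the outer call as soon as width or height is 0, and `ovmul(linelen, height)` does so for a zero width. Whether callers reject zero dimensions earlier is not visible here, so the guard belongs in the helper: `if (a != 0 && r / a != b) {`. The helper also returns the wrapped `r` if memoryExhausted() ever returns, so a comment such as `/* multiply two sizes; relies on memoryExhausted() not returning on overflow */` would make that dependency explicit. goodImage's body continues outside the hunk.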
@@ -128,7 +140,7 @@
image->height= height;
image->depth= 1;
linelen= (width / 8) + (width % 8 ? 1 : 0); /* thanx johnh@amcc.com */
- image->data= (unsigned char *)lcalloc(linelen * height);
+ image->data= (unsigned char *)lcalloc(ovmul(linelen, height));
return(image);
}
@@ -149,7 +161,7 @@
image->height= height;
image->depth= depth;
image->pixlen= pixlen;
- image->data= (unsigned char *)lmalloc(width * height * pixlen);
+ image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), pixlen));
return(image);
}
@@ -165,6 +177,7 @@
image->height= height;
image->depth= 24;
image->pixlen= 3;
+ image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), 3));
image->data= (unsigned char *)lmalloc(width * height * 3);
return(image);
}
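Review bot: The unchecked `image->data= (unsigned char *)lmalloc(width * height * 3);` directly after the added line is kept as context rather than removed (the header counts 6 old and 7 new lines), so the checked allocation is immediately overwritten. The first buffer is leaked on every call, and image->data ends up sized by the unchecked product. The overflow is only stopped if memoryExhausted() inside ovmul never returns, which cannot be confirmed from this patch. The old assignment should be deleted so that only `image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), 3));` remains. The enclosing function starts outside the hunk.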