diff -up netpbm-10.58.01/converter/other/jpegtopnm.c.security-code netpbm-10.58.01/converter/other/jpegtopnm.c --- netpbm-10.58.01/converter/other/jpegtopnm.c.security-code 2012-04-09 15:31:40.000000000 +0200 +++ netpbm-10.58.01/converter/other/jpegtopnm.c 2012-04-09 15:40:03.184620028 +0200 @@ -861,6 +861,8 @@ convertImage(FILE * /* Calculate output image dimensions so we can allocate space */ jpeg_calc_output_dimensions(cinfoP); + overflow2(cinfoP->output_width, cinfoP->output_components); + /* Start decompressor */ jpeg_start_decompress(cinfoP); diff -up netpbm-10.58.01/converter/other/pnmtoddif.c.security-code netpbm-10.58.01/converter/other/pnmtoddif.c --- netpbm-10.58.01/converter/other/pnmtoddif.c.security-code 2012-04-09 15:31:42.000000000 +0200 +++ netpbm-10.58.01/converter/other/pnmtoddif.c 2012-04-09 15:40:03.185620015 +0200 @@ -632,6 +632,7 @@ main(int argc, char *argv[]) { switch (PNM_FORMAT_TYPE(format)) { case PBM_TYPE: ip.bits_per_pixel = 1; + overflow_add(cols, 7); ip.bytes_per_line = (cols + 7) / 8; ip.spectral = 2; ip.components = 1; @@ -647,6 +648,7 @@ main(int argc, char *argv[]) { ip.polarity = 2; break; case PPM_TYPE: + overflow2(cols, 3); ip.bytes_per_line = 3 * cols; ip.bits_per_pixel = 24; ip.spectral = 5; diff -up netpbm-10.58.01/converter/other/pnmtorle.c.security-code netpbm-10.58.01/converter/other/pnmtorle.c --- netpbm-10.58.01/converter/other/pnmtorle.c.security-code 2012-04-09 15:31:42.000000000 +0200 +++ netpbm-10.58.01/converter/other/pnmtorle.c 2012-04-09 15:40:03.188619976 +0200 @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * pnmtorle - A program which will convert pbmplus (ppm or pgm) images diff -up netpbm-10.58.01/converter/other/rletopnm.c.security-code netpbm-10.58.01/converter/other/rletopnm.c --- netpbm-10.58.01/converter/other/rletopnm.c.security-code 2012-04-09 15:31:42.000000000 +0200 +++ netpbm-10.58.01/converter/other/rletopnm.c 2012-04-09 15:40:03.189619963 +0200 @@ -19,6 +19,8 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox */ /* * rletopnm - A conversion program to convert from Utah's "rle" image format diff -up netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code netpbm-10.58.01/converter/pbm/pbmtogem.c --- netpbm-10.58.01/converter/pbm/pbmtogem.c.security-code 2012-04-09 15:31:45.000000000 +0200 +++ netpbm-10.58.01/converter/pbm/pbmtogem.c 2012-04-09 15:40:03.193619915 +0200 @@ -79,6 +79,7 @@ putinit (int const rows, int const cols) bitsperitem = 0; bitshift = 7; outcol = 0; + overflow_add(cols, 7); outmax = (cols + 7) / 8; outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char)); diff -up netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code netpbm-10.58.01/converter/pbm/pbmtogo.c --- netpbm-10.58.01/converter/pbm/pbmtogo.c.security-code 2012-04-09 15:31:45.000000000 +0200 +++ netpbm-10.58.01/converter/pbm/pbmtogo.c 2012-04-09 15:40:03.193619915 +0200 @@ -158,6 +158,7 @@ main(int argc, bitrow = pbm_allocrow(cols); /* Round cols up to the nearest multiple of 8. */ + overflow_add(cols, 7); rucols = ( cols + 7 ) / 8; bytesperrow = rucols; /* GraphOn uses bytes */ rucols = rucols * 8; diff -up netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code netpbm-10.58.01/converter/pbm/pbmtolj.c --- netpbm-10.58.01/converter/pbm/pbmtolj.c.security-code 2012-04-09 15:31:45.000000000 +0200 +++ netpbm-10.58.01/converter/pbm/pbmtolj.c 2012-04-09 15:40:03.194619902 +0200 @@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv, static void allocateBuffers(unsigned int const cols) { + overflow_add(cols, 8); rowBufferSize = (cols + 7) / 8; + overflow_add(rowBufferSize, 128); + overflow_add(rowBufferSize, rowBufferSize+128); + overflow_add(rowBufferSize+10, rowBufferSize/8); packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1; deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10; diff -up netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code netpbm-10.58.01/converter/pbm/pbmtomda.c --- netpbm-10.58.01/converter/pbm/pbmtomda.c.security-code 2012-04-09 15:31:45.000000000 +0200 +++ netpbm-10.58.01/converter/pbm/pbmtomda.c 2012-04-09 15:40:03.195619889 +0200 @@ -179,6 +179,7 @@ int main(int argc, char **argv) nOutRowsUnrounded = bScale ? nInRows/2 : nInRows; + overflow_add(nOutRowsUnrounded, 3); nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4; /* MDA wants rows a multiple of 4 */ nOutCols = nInCols / 8; diff -up netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code netpbm-10.58.01/converter/pbm/pbmtoxbm.c --- netpbm-10.58.01/converter/pbm/pbmtoxbm.c.security-code 2012-04-09 15:31:45.000000000 +0200 +++ netpbm-10.58.01/converter/pbm/pbmtoxbm.c 2012-04-09 15:40:03.196619876 +0200 @@ -335,6 +335,8 @@ convertRaster(FILE * const ifP, unsigned char * bitrow; unsigned int row; + + overflow_add(cols, padright); putinit(xbmVersion); diff -up netpbm-10.58.01/converter/ppm/Makefile.security-code netpbm-10.58.01/converter/ppm/Makefile --- netpbm-10.58.01/converter/ppm/Makefile.security-code 2012-04-09 15:31:44.000000000 +0200 +++ netpbm-10.58.01/converter/ppm/Makefile 2012-04-09 15:40:03.202619802 +0200 @@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \ leaftoppm mtvtoppm neotoppm \ - pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \ + pcxtoppm pc1toppm pi1toppm pjtoppm \ ppmtoacad ppmtoapplevol ppmtoarbtxt ppmtoascii \ ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \ ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \ diff -up netpbm-10.58.01/converter/ppm/picttoppm.c.security-code netpbm-10.58.01/converter/ppm/picttoppm.c --- netpbm-10.58.01/converter/ppm/picttoppm.c.security-code 2012-04-09 15:31:44.000000000 +0200 +++ netpbm-10.58.01/converter/ppm/picttoppm.c 2012-04-09 15:40:03.205619763 +0200 @@ -1,3 +1,5 @@ +#error "Unfixable. Don't ship me" + /* * picttoppm.c -- convert a MacIntosh PICT file to PPM format. * diff -up netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code netpbm-10.58.01/converter/ppm/ppmtoeyuv.c --- netpbm-10.58.01/converter/ppm/ppmtoeyuv.c.security-code 2012-04-09 15:31:42.000000000 +0200 +++ netpbm-10.58.01/converter/ppm/ppmtoeyuv.c 2012-04-09 15:40:03.206619751 +0200 @@ -114,6 +114,7 @@ create_multiplication_tables(const pixva int index; + overflow_add(maxval, 1); MALLOCARRAY_NOFAIL(mult299 , maxval+1); MALLOCARRAY_NOFAIL(mult587 , maxval+1); MALLOCARRAY_NOFAIL(mult114 , maxval+1); diff -up netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code netpbm-10.58.01/converter/ppm/ppmtoilbm.c --- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.security-code 2012-04-09 15:31:42.000000000 +0200 +++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2012-04-09 15:40:03.208619727 +0200 @@ -1220,6 +1220,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval) maskmethod = 0; /* no masking - RGB8 uses genlock bits */ compmethod = 4; /* RGB8 files are always compressed */ + overflow2(cols, 4); MALLOCARRAY_NOFAIL(compr_row, cols * 4); if( maxval != 255 ) { @@ -1308,6 +1309,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval) maskmethod = 0; /* no masking - RGBN uses genlock bits */ compmethod = 4; /* RGBN files are always compressed */ + overflow2(cols, 2); MALLOCARRAY_NOFAIL(compr_row, cols * 2); if( maxval != 15 ) { diff -up netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code netpbm-10.58.01/converter/ppm/ppmtomitsu.c --- netpbm-10.58.01/converter/ppm/ppmtomitsu.c.security-code 2012-04-09 15:31:44.000000000 +0200 +++ netpbm-10.58.01/converter/ppm/ppmtomitsu.c 2012-04-09 15:40:03.210619702 +0200 @@ -685,6 +685,8 @@ main(int argc, char * argv[]) { medias = MSize_User; if (dpi300) { + overflow2(medias.maxcols, 2); + overflow2(medias.maxrows, 2); medias.maxcols *= 2; medias.maxrows *= 2; } diff -up netpbm-10.58.01/editor/pamcut.c.security-code netpbm-10.58.01/editor/pamcut.c --- netpbm-10.58.01/editor/pamcut.c.security-code 2012-04-09 15:31:33.000000000 +0200 +++ netpbm-10.58.01/editor/pamcut.c 2012-04-09 15:40:03.218619602 +0200 @@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP outpam = inpam; /* Initial value -- most fields should be same */ outpam.file = ofP; + overflow_add(rightcol, 1); + overflow_add(bottomrow, 1); outpam.width = rightcol - leftcol + 1; outpam.height = bottomrow - toprow + 1; diff -up netpbm-10.58.01/editor/pnmgamma.c.security-code netpbm-10.58.01/editor/pnmgamma.c --- netpbm-10.58.01/editor/pnmgamma.c.security-code 2012-04-09 15:31:34.000000000 +0200 +++ netpbm-10.58.01/editor/pnmgamma.c 2012-04-09 15:40:03.220619577 +0200 @@ -586,6 +586,7 @@ createGammaTables(enum transferFunction xelval ** const btableP) { /* Allocate space for the tables. */ + overflow_add(maxval, 1); MALLOCARRAY(*rtableP, maxval+1); MALLOCARRAY(*gtableP, maxval+1); MALLOCARRAY(*btableP, maxval+1); diff -up netpbm-10.58.01/editor/pnmhisteq.c.security-code netpbm-10.58.01/editor/pnmhisteq.c --- netpbm-10.58.01/editor/pnmhisteq.c.security-code 2012-04-09 15:31:33.000000000 +0200 +++ netpbm-10.58.01/editor/pnmhisteq.c 2012-04-09 15:40:03.220619577 +0200 @@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const * unsigned int pixelCount; unsigned int * lumahist; + overflow_add(maxval, 1); MALLOCARRAY(lumahist, maxval + 1); if (lumahist == NULL) pm_error("Out of storage allocating array for %u histogram elements", diff -up netpbm-10.58.01/editor/pnmpad.c.security-code netpbm-10.58.01/editor/pnmpad.c --- netpbm-10.58.01/editor/pnmpad.c.security-code 2012-04-09 15:31:34.000000000 +0200 +++ netpbm-10.58.01/editor/pnmpad.c 2012-04-09 15:40:03.221619564 +0200 @@ -527,6 +527,8 @@ main(int argc, const char ** argv) { computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad); + overflow_add(cols, lpad); + overflow_add(cols + lpad, rpad); newcols = cols + lpad + rpad; if (PNM_FORMAT_TYPE(format) == PBM_TYPE) diff -up netpbm-10.58.01/editor/specialty/pamoil.c.security-code netpbm-10.58.01/editor/specialty/pamoil.c --- netpbm-10.58.01/editor/specialty/pamoil.c.security-code 2012-04-09 15:31:33.000000000 +0200 +++ netpbm-10.58.01/editor/specialty/pamoil.c 2012-04-09 15:40:03.224619526 +0200 @@ -112,6 +112,7 @@ main(int argc, char *argv[] ) { tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type)); pm_close(ifp); + overflow_add(inpam.maxval, 1); MALLOCARRAY(hist, inpam.maxval + 1); if (hist == NULL) pm_error("Unable to allocate memory for histogram."); diff -up netpbm-10.58.01/lib/libpm.c.security-code netpbm-10.58.01/lib/libpm.c --- netpbm-10.58.01/lib/libpm.c.security-code 2012-04-09 15:31:38.000000000 +0200 +++ netpbm-10.58.01/lib/libpm.c 2012-04-09 15:40:03.229619464 +0200 @@ -808,4 +808,53 @@ pm_parse_height(const char * const arg) } +/* + * Maths wrapping + */ + +void __overflow2(int a, int b) +{ + if(a < 0 || b < 0) + pm_error("object too large"); + if(b == 0) + return; + if(a > INT_MAX / b) + pm_error("object too large"); +} + +void overflow3(int a, int b, int c) +{ + overflow2(a,b); + overflow2(a*b, c); +} + +void overflow_add(int a, int b) +{ + if( a > INT_MAX - b) + pm_error("object too large"); +} + +void *malloc2(int a, int b) +{ + overflow2(a, b); + if(a*b == 0) + pm_error("Zero byte allocation"); + return malloc(a*b); +} + +void *malloc3(int a, int b, int c) +{ + overflow3(a, b, c); + if(a*b*c == 0) + pm_error("Zero byte allocation"); + return malloc(a*b*c); +} + +void *realloc2(void * a, int b, int c) +{ + overflow2(b, c); + if(b*c == 0) + pm_error("Zero byte allocation"); + return realloc(a, b*c); +} diff -up netpbm-10.58.01/lib/pm.h.security-code netpbm-10.58.01/lib/pm.h --- netpbm-10.58.01/lib/pm.h.security-code 2012-04-09 15:31:38.000000000 +0200 +++ netpbm-10.58.01/lib/pm.h 2012-04-09 15:40:03.229619464 +0200 @@ -432,4 +432,11 @@ pm_parse_height(const char * const arg); #endif +void *malloc2(int, int); +void *malloc3(int, int, int); +#define overflow2(a,b) __overflow2(a,b) +void __overflow2(int, int); +void overflow3(int, int, int); +void overflow_add(int, int); + #endif diff -up netpbm-10.58.01/other/pnmcolormap.c.security-code netpbm-10.58.01/other/pnmcolormap.c --- netpbm-10.58.01/other/pnmcolormap.c.security-code 2012-04-09 15:31:32.000000000 +0200 +++ netpbm-10.58.01/other/pnmcolormap.c 2012-04-09 15:40:03.230619451 +0200 @@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP pamP->width = intsqrt; else pamP->width = intsqrt + 1; + overflow_add(intsqrt, 1); } { unsigned int const intQuotient = colormap.size / pamP->width; diff -up netpbm-10.58.01/urt/rle.h.security-code netpbm-10.58.01/urt/rle.h --- netpbm-10.58.01/urt/rle.h.security-code 2012-04-09 15:31:45.000000000 +0200 +++ netpbm-10.58.01/urt/rle.h 2012-04-09 15:40:03.233619414 +0200 @@ -14,6 +14,9 @@ * If you modify this software, you should include a notice giving the * name of the person performing the modification, the date of modification, * and the reason for such modification. + * + * 2002-12-19: Fix maths wrapping bugs. Alan Cox + * Header declarations needed */ /* * rle.h - Global declarations for Utah Raster Toolkit RLE programs. @@ -160,6 +163,17 @@ rle_hdr /* End of typedef. * */ extern rle_hdr rle_dflt_hdr; +/* + * Provided by pm library + */ + +extern void overflow_add(int, int); +#define overflow2(a,b) __overflow2(a,b) +extern void __overflow2(int, int); +extern void overflow3(int, int, int); +extern void *malloc2(int, int); +extern void *malloc3(int, int, int); +extern void *realloc2(void *, int, int); /* Declare RLE library routines. */ --- netpbm-10.58.01/lib/libpbm1.c.orig 2014-06-16 21:12:28.499230631 -0400 +++ netpbm-10.58.01/lib/libpbm1.c 2014-06-16 21:12:55.932519324 -0400 @@ -78,6 +78,7 @@ } else { pm_filepos const bytesPerRow = (cols+7)/8; pm_filepos const needRasterSize = rows * bytesPerRow; + overflow2(bytesPerRow, rows); pm_check(fileP, checkType, needRasterSize, retvalP); } } --- netpbm-10.58.01/converter/ppm/ppmtoilbm.c.orig 2014-06-16 21:23:40.061473868 -0400 +++ netpbm-10.58.01/converter/ppm/ppmtoilbm.c 2014-06-16 21:23:44.701466379 -0400 @@ -185,6 +185,7 @@ unsigned int i; int * table; + overflow_add(oldmaxval, 1); MALLOCARRAY_NOFAIL(table, oldmaxval + 1); for (i = 0; i <= oldmaxval; ++i) table[i] = ROUNDDIV(i * newmaxval, oldmaxval); --- netpbm-10.58.01/converter/other/sgitopnm.c.orig 2014-07-08 16:57:30.878754976 -0400 +++ netpbm-10.58.01/converter/other/sgitopnm.c 2014-07-08 17:07:52.727745725 -0400 @@ -372,10 +372,14 @@ MALLOCARRAY_NOFAIL(image, head->ysize); } else { maxchannel = 3; + overflow2(head->ysize, maxchannel); MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel); } - if (table) + if (table) { + overflow2(head->xsize, 2); + overflow_add(head->xsize*2, 2); MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize)); + } for (channel = 0; channel < maxchannel; ++channel) { unsigned int row;