authorgiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2017-03-28 01:50:27 +0000
committergiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2017-03-28 01:50:27 +0000
commitc49d14be332e9939e7f9583b8f81fe9b977341f4 (patch)
tree17a8d237b3be47e880c00d27f5f282e1ec13dcb2
parent1e50cc0a1c2b29f06f451b220556990a1e4fc89a (diff)
Release 10.47.64
git-svn-id: http://svn.code.sf.net/p/netpbm/code/super_stable@2928 9d0c8265-081b-0410-96cb-a4ca84ce46f8
-rw-r--r--converter/other/bmptopnm.c27
-rw-r--r--converter/other/giftopnm.c19
-rw-r--r--converter/other/pnmtotiffcmyk.c9
-rw-r--r--converter/other/svgtopam.c21
-rw-r--r--converter/other/tifftopnm.c14
-rw-r--r--doc/HISTORY28
-rw-r--r--lib/path.c4
-rw-r--r--version.mk2
8 files changed, 95 insertions, 29 deletions
diff --git a/converter/other/bmptopnm.c b/converter/other/bmptopnm.c
index 577944b0..88f8ccce 100644
--- a/converter/other/bmptopnm.c
+++ b/converter/other/bmptopnm.c
@@ -84,8 +84,8 @@ struct pixelformat {
 
 struct bmpInfoHeader {
     enum rowOrder rowOrder;
-    int cols;
-    int rows;
+    unsigned int cols;
+    unsigned int rows;
     unsigned int cBitCount;
         /* Number of bits in the BMP file that each pixel occupies. */
     enum bmpClass class;
@@ -283,13 +283,28 @@ static void
 readOs2InfoHeader(FILE *                 const ifP,
                   struct bmpInfoHeader * const headerP) {
 
+    unsigned short colsField, rowsField;
+    unsigned short planesField, bitCountField;
+
     headerP->class = C_OS2;
 
-    headerP->cols = GetShort(ifP);
-    headerP->rows = GetShort(ifP);
+    pm_readlittleshortu(ifP, &colsField);
+    if (colsField == 0)
+        pm_error("Invalid BMP file: says width is zero");
+    else
+        headerP->cols = colsField;
+    
+    pm_readlittleshortu(ifP, &rowsField);
+    if (rowsField == 0)
+        pm_error("Invalid BMP file: says height is zero");
+    else
+        headerP->rows = rowsField;
+
     headerP->rowOrder = BOTTOMUP;
-    headerP->cPlanes = GetShort(ifP);
-    headerP->cBitCount = GetShort(ifP);
+    pm_readlittleshortu(ifP, &planesField);
+    headerP->cPlanes = planesField;
+    pm_readlittleshortu(ifP, &bitCountField);
+    headerP->cBitCount = bitCountField;
     /* I actually don't know if the OS/2 BMP format allows
        cBitCount > 8 or if it does, what it means, but ppmtobmp
        creates such BMPs, more or less as a byproduct of creating
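Review bot: The plane-count and bit-count fields read at the end of this hunk go into `headerP->cPlanes` and `headerP->cBitCount` with no range check; only width and height are validated. Both values come straight from the file, so a check such as `if (planesField != 1) pm_error("Invalid BMP file: says number of planes is %u", planesField);` belongs next to the zero-width test, along with a bound on `bitCountField`. readOs2InfoHeader continues past the end of the hunk, so that validation may already exist further down. As a style point, the `else` after each `pm_error()` is redundant if pm_error() does not return, which the other uses in this commit suggest.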
diff --git a/converter/other/giftopnm.c b/converter/other/giftopnm.c
index ce5c5b36..4cba5068 100644
--- a/converter/other/giftopnm.c
+++ b/converter/other/giftopnm.c
@@ -897,7 +897,21 @@ expandCodeOntoStack(struct decompressor * const decompP,
     if (incode < decompP->next_tableSlot) 
         code = incode;
     else {
-        /* It's a code that isn't in our translation table yet */
+        /* It's a code that isn't in our translation table yet
+        
+           The only thing it could legally be is one higher than the
+           highest one we've seen so far.
+        */
+        if (code > decompP->next_tableSlot) {
+            /* We just abort because we added this to stable code to fix
+               a bug and we don't want to disturb stable code more than we
+               have to.
+            */
+            pm_error("Error in GIF image: LZW string code %u "
+                     "is neither a previously defined one nor the "
+                     "next in sequence to define (%u)",
+                     code, decompP->next_tableSlot);
+        }
         pushStack(&decompP->stack, decompP->firstcode);
         code = decompP->prevcode;
     }
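Review bot: The new range check tests `code`, but within this hunk `code` is only assigned on the other branch (`code = incode;`), so in the `else` branch it looks like it is read before it has a value for this call. The value that came from the GIF stream is `incode`, so the guard should presumably be `if (incode > decompP->next_tableSlot) {` with `incode` also passed to the `pm_error()` format arguments. As written, the check may reject valid images or let an out-of-range code through to the table lookup it is meant to protect. expandCodeOntoStack starts above the hunk, so confirm `code` is not initialised there before relying on this.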
@@ -1560,6 +1574,9 @@ convertImage(FILE *           const ifP,
     if (verbose)
         reportImageInfo(cols, rows, useGlobalColormap, localColorMapSize,
                         interlaced);
+
+    if (cols == 0)
+        pm_error("Invalid GIF - width is zero");
         
     xels = pnm_allocarray(cols, rows);
     if (!xels)
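Review bot: Only the width is rejected before `pnm_allocarray(cols, rows)`; a zero `rows` taken from the same image descriptor still reaches the allocation and whatever raster loops follow. If a zero-height image is no more meaningful than a zero-width one, add the matching `if (rows == 0) pm_error("Invalid GIF - height is zero");` beside it. convertImage continues on both sides of the hunk, so check whether rows is validated elsewhere.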
diff --git a/converter/other/pnmtotiffcmyk.c b/converter/other/pnmtotiffcmyk.c
index 2e6ae935..b7e3228e 100644
--- a/converter/other/pnmtotiffcmyk.c
+++ b/converter/other/pnmtotiffcmyk.c
@@ -540,7 +540,6 @@ tiffOpen( Out* out, Root *r ) {
   short samplesperpixel = 4 ; /* cmyk has four values */
   uint16 bitspersample = MAXTIFFBITS ;
   short photometric = PHOTOMETRIC_SEPARATED ; /* ie cmyk */
-  int bytesperrow = r->nCols ;
 
   t->tiff = TIFFFdOpen( 1, "Standard Output", "w" ) ;
   if ( ! t->tiff ) {
@@ -548,11 +547,6 @@ tiffOpen( Out* out, Root *r ) {
     return ERR_TIFF ;
   }
 
-  /* from pnmtotiff - default is to have 8kb strips */
-  if ( ! t->rowsperstrip ) {
-    t->rowsperstrip = ( 8 * 1024 ) / bytesperrow ;
-  }
-
   TIFFSetField( t->tiff, TIFFTAG_DOTRANGE, t->lowdotrange, t->highdotrange ) ;
   TIFFSetField( t->tiff, TIFFTAG_IMAGEWIDTH, (uint32)r->nCols ) ;
   TIFFSetField( t->tiff, TIFFTAG_IMAGELENGTH, (uint32)r->nRows ) ;
@@ -567,6 +561,9 @@ tiffOpen( Out* out, Root *r ) {
   TIFFSetField( t->tiff, TIFFTAG_DOCUMENTNAME, r->name ) ;
   TIFFSetField( t->tiff, TIFFTAG_IMAGEDESCRIPTION, "PNM -> CMYK tiff" ) ;
   TIFFSetField( t->tiff, TIFFTAG_SAMPLESPERPIXEL, samplesperpixel ) ;
+  if ( t->rowsperstrip == 0) {
+    t->rowsperstrip = TIFFDefaultStripSize(t->tiff, 0) ;
+  }
   TIFFSetField( t->tiff, TIFFTAG_ROWSPERSTRIP, t->rowsperstrip ) ;
   TIFFSetField( t->tiff, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG ) ;
 
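Review bot: The default strip size is now computed at a position in tiffOpen that matters, and nothing in the code says so. `TIFFDefaultStripSize()` derives its answer from the scanline size, which depends on the width, bits-per-sample and samples-per-pixel tags already being set on `t->tiff`. A later reordering of the `TIFFSetField` calls would silently change the result. A comment above the `if` would pin this down, for example `/* Must come after IMAGEWIDTH, BITSPERSAMPLE and SAMPLESPERPIXEL are set: the library default is derived from the scanline size */`. As a style point, `( t->rowsperstrip == 0)` is missing the space before the closing parenthesis that the rest of the function uses.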
diff --git a/converter/other/svgtopam.c b/converter/other/svgtopam.c
index c7eac8e6..68deb3e0 100644
--- a/converter/other/svgtopam.c
+++ b/converter/other/svgtopam.c
@@ -100,16 +100,23 @@ parseCommandLine(int argc,
 /*============================================================================
    Wrappers for libxml2 routines.
 
-   The difference is that these use conventional C data types and have
-   shorter names.
+   The difference is that these use conventional C data types, have shorter
+   names, and abort the program instead of returning a special value when they
+   fail.
 =============================================================================*/
 
 static const char *
 getAttribute(xmlTextReaderPtr const xmlReaderP,
              const char *     const attributeName) {
 
-    return (const char *)
+    const char * const rc = (const char *)
         xmlTextReaderGetAttribute(xmlReaderP, (const xmlChar *)attributeName);
+
+    if (rc == NULL)
+        pm_error("xmlTextReaderGetAttribute(\"%.256s\") failed.  ",
+                 attributeName);
+
+    return rc;
 }
 
 
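Review bot: `xmlTextReaderGetAttribute()` returns NULL when the element simply does not carry the requested attribute, not only on allocation failure, so `getAttribute` now aborts on any SVG that omits an attribute a caller asks for. If any caller treats an attribute as optional, that is a behaviour change; the callers are outside this hunk. The message "xmlTextReaderGetAttribute(...) failed" will also mislead a user whose file merely lacks the attribute. Consider wording it as `pm_error("Element has no '%.256s' attribute, or libxml2 could not return it", attributeName);`. The same applies to the NULL check added to `currentNodeName` in the next hunk, and both messages end in two stray spaces.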
@@ -117,7 +124,13 @@ getAttribute(xmlTextReaderPtr const xmlReaderP,
 static const char *
 currentNodeName(xmlTextReaderPtr const xmlReaderP) {
 
-    return (const char *)xmlTextReaderConstName(xmlReaderP);
+    const char * const rc = (const char *)
+        xmlTextReaderConstName(xmlReaderP);
+
+    if (rc == NULL)
+        pm_error("xmlTextReaderConstName() failed.  ");
+
+    return rc;
 }
 
 
diff --git a/converter/other/tifftopnm.c b/converter/other/tifftopnm.c
index 6665c7fd..4d40d117 100644
--- a/converter/other/tifftopnm.c
+++ b/converter/other/tifftopnm.c
@@ -521,12 +521,6 @@ analyzeImageType(TIFF *             const tif,
 
     bool grayscale; 
 
-    if (bps == 1 && spp == 1) {
-        if (cmdline.headerdump)
-            pm_message("bilevel");
-        grayscale = TRUE;
-        *maxvalP = 1;
-    } else {
         /* How come we don't deal with the photometric for the monochrome 
            case (make sure it's one we know)?  -Bryan 00.03.04
         */
@@ -632,7 +626,6 @@ analyzeImageType(TIFF *             const tif,
         default:
             pm_error("unknown photometric: %d", photomet);
         }
-    }
     if (*maxvalP > PNM_OVERALLMAXVAL)
         pm_error("bits/sample (%d) in the input image is too large.",
                  bps);
@@ -1477,6 +1470,13 @@ convertRasterInMemory(pnmOut *       const pnmOutP,
             /* Note that TIFFRGBAImageGet() converts any bits per sample
                to 8.  Maxval of the raster it returns is always 255.
             */
+            if (cols > UINT_MAX/rows) {
+                pm_message("%u rows of %u columns is too large to compute",
+                           rows, cols);
+                *statusP = CONV_OOM;
+                return;
+            }
+
             MALLOCARRAY(raster, cols * rows);
             if (raster == NULL) {
                 pm_message("Unable to allocate space for a raster of %u "
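Review bot: The overflow guard divides by `rows`, so a TIFF that reports zero rows would turn `cols > UINT_MAX/rows` into a division by zero before the allocation is reached. Unless `rows` is known to be non-zero by this point, write the test as `if (rows > 0 && cols > UINT_MAX/rows) {`, or reject zero dimensions earlier. convertRasterInMemory starts above the hunk, so such a check may exist there. The guard covers the `cols * rows` product passed to `MALLOCARRAY`; the multiplication by element size is left to the macro, so it is worth confirming the macro checks that itself.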
diff --git a/doc/HISTORY b/doc/HISTORY
index 8775db62..40e81300 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -4,6 +4,34 @@ Netpbm.
 CHANGE HISTORY 
 --------------
 
+17.03.28 BJH  Release 10.47.64
+
+              tifftonm: Fix incorrect PBM output with two-color paletted TIFF
+              image.  Broken in primordial Netpbm, ca 1990.
+
+              giftopnm: Fix buffer overflow/crash with invalid GIF input.
+              Broken since primorial Netpbm.
+
+              bmptopnm: Fix buffer overflow/crash with negative height or
+              width in OS/2 BMP.  Broken since primordial Netpbm.
+
+              tifftopnm: Fix memory corruption when image is more pixels
+              than can be represented as a C unsigned integer.  Broken in
+              Netpbm 10.11 (October 2002).
+
+              tifftopnmcmyk: Default rows per strip to the TIFF library
+              default instead of whatever yields 8K strips.
+
+              tifftopnmcmyk: Fix bug: fails with very wide images and no
+              -rowsperstrip.  Always broken.  (Tifftopnmcmyk was new in Netpbm
+              8.2 (March 2000).
+
+              svgtopam: Fix crash when out of memory.  Always broken
+              (svgtopam was new in Netpbm 10.33 (March 2006)).
+
+              libnetpbm: ppmd_fill_path: remove debug trace.  Always broken
+              (ppmd_fill_path was new in Netpbm 10.34 (June 2006).
+
 16.09.26 BJH  Release 10.47.63
 
               Build: Add warning when libpng versions is later than 1.4, since
diff --git a/lib/path.c b/lib/path.c
index 79985109..5a1d4988 100644
--- a/lib/path.c
+++ b/lib/path.c
@@ -269,7 +269,6 @@ pushStack(fillStack * const stackP,
     assert(stackP->topOfStack < stackP->stackSize);
 
     stackP->stack[stackP->topOfStack++] = newPoint;
-pm_message("pushed (%u, %u) at %u", newPoint.x, newPoint.y, stackP->topOfStack-1);
 }
 
 
@@ -282,7 +281,6 @@ popStack(fillStack * const stackP) {
     assert(stackP->topOfStack < stackP->stackSize);
 
     retval = stackP->stack[--stackP->topOfStack];
-pm_message("popped (%u, %u) at %u", retval.x, retval.y, stackP->topOfStack);
     return retval;
 }
 
@@ -321,7 +319,6 @@ drawFillLine(ppmd_point const begPoint,
 
     assert(begPoint.y == endPoint.y);
 
-pm_message("filling from (%u, %u) to (%u, %u)", begPoint.x, begPoint.y, endPoint.x, endPoint.y);
     row = begPoint.y;
 
     if (begPoint.x <= endPoint.x) {
@@ -350,7 +347,6 @@ fillPoint(fillStack * const stackP,
    Fill the image in 'pixels' with color 'color' and update *stackP as
    required.
 -----------------------------------------------------------------------------*/
-pm_message("filling point (%u, %u)", point.x, point.y);
     if (inStackDirection(stackP, point)) {
         pushStack(stackP, point);
         pixels[point.y][point.x] = color;
diff --git a/version.mk b/version.mk
index 3f375b5e..d9504c0e 100644
--- a/version.mk
+++ b/version.mk
@@ -1,3 +1,3 @@
 NETPBM_MAJOR_RELEASE = 10
 NETPBM_MINOR_RELEASE = 47
-NETPBM_POINT_RELEASE = 63
+NETPBM_POINT_RELEASE = 64