author | giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8> | 2015-06-01 03:01:44 +0000 |
---|---|---|
committer | giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8> | 2015-06-01 03:01:44 +0000 |
commit | 4e879f6f72bd8eeea85a7dcaf96d378fe8dec387 (patch) | |
tree | 7b4b40da80d6bee460fea9bec4d48f6d3907bc7d | |
parent | 540f24f52ffff3a5c48f97222a309fd5a35cbf2c (diff) | |
Fix buffer overrun, double free
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@2539 9d0c8265-081b-0410-96cb-a4ca84ce46f8
-rw-r--r-- | converter/pbm/pbmtoppa/cutswath.c | 28 | ||||
-rw-r--r-- | converter/pbm/pbmtoppa/pbm.c | 1 | ||||
-rw-r--r-- | converter/pbm/pbmtoppa/pbmtoppa.c | 15 | ||||
-rw-r--r-- | converter/pbm/pbmtoppa/ppa.c | 13 | ||||
-rw-r--r-- | doc/HISTORY | 3 |
5 files changed, 39 insertions, 21 deletions
diff --git a/converter/pbm/pbmtoppa/cutswath.c b/converter/pbm/pbmtoppa/cutswath.c index 0d44ce45..d3f15c03 100644 --- a/converter/pbm/pbmtoppa/cutswath.c +++ b/converter/pbm/pbmtoppa/cutswath.c @@ -39,13 +39,15 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat int shift; ppa_nozzle_data nozzles[2]; + ppa = NULL; + /* shift = 6 if DPI==300 */ /* shift = 12 if DPI==600 */ shift = ( prn->DPI == 300 ? 6:12 ) ; /* safeguard against the user freeing these */ - sweep_data->image_data=NULL; - sweep_data->nozzle_data=NULL; + sweep_data->image_data = NULL; + sweep_data->nozzle_data = NULL; /* read the data from the input file */ width8 = (pbm->width + 7) / 8; @@ -66,7 +68,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data)) { fprintf(stderr,"cutswath(): A-could not read top margin\n"); - free(data); + free (data); data=NULL; return 0; } @@ -77,10 +79,10 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data)) { fprintf(stderr,"cutswath(): could not clear bottom margin\n"); - free(data); + free (data); data=NULL; return 0; } - free(data); + free (data); data=NULL; return 1; } @@ -95,7 +97,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data+width8*numlines)) { fprintf(stderr,"cutswath(): B-could not read next line\n"); - free(data); + free (data); data=NULL; return 0; } if(!got_nonblank) @@ -130,7 +132,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat { fprintf (stderr, "Ack! newleft=%d, newright=%d, left=%d, right=%d\n", newleft, newright, left, right); - free (data); + free (data); data=NULL; return 0; } 
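Review bot: The `free (data); data=NULL; return 0;` sequence introduced in the hunk at -66,7 is repeated by hand on every early exit of cut_pbm_swath (also in the hunks at -77, -95, -130, -177, -197 and -225). Clearing `data` immediately before a `return` protects nothing if `data` is a local, which its use suggests, though its declaration is outside the hunks. A single exit label, for example `fail: free (data); return 0;` reached by `goto fail;`, would keep the release in one place so a later exit path cannot miss it or run it twice. The function also now sets `ppa = NULL` at entry, so the same label could release `ppa` for any failure exit after its allocation; whether such exits exist is not visible in these hunks.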
@@ -177,13 +179,13 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data)) { fprintf(stderr,"cutswath(): could not clear bottom margin\n"); - free(data); + free (data); data=NULL; return 0; } - free(data); + free (data); data=NULL; return 1; } - free(data); + free (data); data=NULL; return 0; /* error, since didn't get to lower margin, yet blank */ } @@ -197,7 +199,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data+width8*numlines)) { fprintf(stderr,"cutswath(): C-could not read next line\n"); - free(data); + free (data); data=NULL; return 0; } numlines++; @@ -225,7 +227,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if ((ppa = malloc ((p_width8+2*shift) * numlines)) == NULL) { fprintf(stderr,"cutswath(): could not malloc ppa storage\n"); - free (data); + free (data); data=NULL; return 0; } @@ -292,7 +294,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat } /* done with data */ - free(data); + free (data); data=NULL; /* place 0's in the last 12 columns */ memset (place, 0, numlines/2 * shift); diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c index 5c9798f2..2f8a42b1 100644 --- a/converter/pbm/pbmtoppa/pbm.c +++ b/converter/pbm/pbmtoppa/pbm.c @@ -91,6 +91,7 @@ int pbm_readline(pbm_stat* pbm,unsigned char* data) pbm->current_line++; pbm->unread = 0; free (pbm->revdata); + pbm->revdata = NULL; return 1; } diff --git a/converter/pbm/pbmtoppa/pbmtoppa.c b/converter/pbm/pbmtoppa/pbmtoppa.c index 85a98529..f43c08a8 100644 --- a/converter/pbm/pbmtoppa/pbmtoppa.c +++ b/converter/pbm/pbmtoppa/pbmtoppa.c 
@@ -63,9 +63,14 @@ print_pbm(FILE * const in) { ppa_init_page(&printer); ppa_load_page(&printer); - sweeps[0].direction = right_to_left; + sweeps[0].direction = right_to_left; + sweeps[0].image_data = NULL; + sweeps[0].nozzle_data = NULL; sweeps[0].next=&sweeps[1]; - sweeps[1].direction = left_to_right; + + sweeps[1].direction = left_to_right; + sweeps[1].image_data = NULL; + sweeps[1].nozzle_data = NULL; sweeps[1].next=&sweeps[0]; current_sweep=0; @@ -88,6 +93,8 @@ print_pbm(FILE * const in) { ppa_print_sweep(&printer, &sweeps[previous_sweep]); free(sweeps[previous_sweep].image_data); free(sweeps[previous_sweep].nozzle_data); + sweeps[previous_sweep].image_data = NULL; + sweeps[previous_sweep].nozzle_data = NULL; } previous_sweep=current_sweep; current_sweep= current_sweep==0 ? 1 : 0; @@ -106,6 +113,10 @@ print_pbm(FILE * const in) { free(sweeps[0].nozzle_data); free(sweeps[1].image_data); free(sweeps[1].nozzle_data); + sweeps[0].image_data = NULL; + sweeps[0].nozzle_data = NULL; + sweeps[1].image_data = NULL; + sweeps[1].nozzle_data = NULL; ppa_eject_page(&printer); diff --git a/converter/pbm/pbmtoppa/ppa.c b/converter/pbm/pbmtoppa/ppa.c index 8363d927..aa30d684 100644 --- a/converter/pbm/pbmtoppa/ppa.c +++ b/converter/pbm/pbmtoppa/ppa.c @@ -389,7 +389,9 @@ static void __inline__ place_2bytes(int x,unsigned char* y) static void __inline__ place_4bytes(int x,unsigned char* y) { place_2bytes(x>>16,y); place_2bytes(x,y+2); } -#define do_compress_data (1) +#define do_compress_data (1) /* Compress. */ +/* The no-compression case has not been well tested 2015.05.31 */ + void ppa_print_sweep(ppa_stat* prn,ppa_sweep_data* data) { unsigned char* pc, *tpc; 
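Review bot: The free-then-clear pairs for `image_data` and `nozzle_data` are written out by hand in the hunk at -88,6 and again for both sweeps in the hunk at -106,6, so the double-free protection holds only while every copy stays in step. A small static helper that frees both members of a `ppa_sweep_data` and resets them to NULL would state that invariant once and make a missed reset much harder to introduce. The helper name below is only a suggestion, and print_pbm itself starts and ends outside these hunks.

```c
static void
free_sweep_data(ppa_sweep_data * const sweepP) {
    free(sweepP->image_data);
    free(sweepP->nozzle_data);
    sweepP->image_data  = NULL;
    sweepP->nozzle_data = NULL;
}

/* … unchanged: sweep setup and print loop in print_pbm … */
        ppa_print_sweep(&printer, &sweeps[previous_sweep]);
        free_sweep_data(&sweeps[previous_sweep]);
```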
@@ -403,11 +405,9 @@ void ppa_print_sweep(ppa_stat* prn,ppa_sweep_data* data) int nozzle_data_size; int MF; /* Multiplicative Factor -- quick hack */ - pc=data->image_data; - if(do_compress_data) { - if(!(pc=malloc((datasize/64+1)*65))) + if( !( pc = malloc( datasize * 2 + 1 )) ) /* Worst case + margin */ { fprintf(stderr,"ppa_print_sweep(): could not malloc storage for compressed data\n"); exit(-1); @@ -416,12 +416,13 @@ void ppa_print_sweep(ppa_stat* prn,ppa_sweep_data* data) } /* send image data 16k at a time */ - for(i=0, tpc=pc; i<datasize; tpc+=16384, i+=16384) + for(i=0, tpc= do_compress_data ? pc : data->image_data; + i<datasize; tpc+=16384, i+=16384) vlink_put(prn->fptr, 0, datasize-i > 16384 ? 16384 : datasize-i, tpc); /* memory leak fix courtesy of John McKown */ if (do_compress_data) - free (pc); + free (pc); /* construct sweep packet */ switch(prn->version) diff --git a/doc/HISTORY b/doc/HISTORY index 58df18ab..82ecfd04 100644 --- a/doc/HISTORY +++ b/doc/HISTORY @@ -10,6 +10,9 @@ not yet BJH Release 10.71.00 crashes program. Always broken (-protocol was new in Netpbm 10.23 (July 2004). + pbmtoppa: fix buffer overruns, double-free crashes. Always + broken (pbmtoppa was new in Netpbm 9.1 (March 2000). + pbmtomatrixorbital: fix bug: fails if you specify the input file name argument. Always broken. (pbmtomatrixorbital was new in Netpbm 10.18 (Setpember 2003). |
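Review bot: The new size expression `datasize * 2 + 1` in the hunk at -403,11 is computed with no range check. If `datasize` is an `int` like the declarations next to it (its own declaration is outside the hunk), a large enough value overflows the multiplication and can produce a buffer smaller than what the compressor writes. A guard ahead of the malloc, such as `if (datasize < 0 || datasize > (INT_MAX - 1) / 2)` with `<limits.h>` included, handled the same way as the allocation failure, would close that gap. The `/* Worst case + margin */` comment would be easier to trust if it said how the 2x bound follows from the encoding, because the compression call that fills `pc` lies between this hunk and the next and cannot be checked from here.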