authorgiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2015-06-19 02:27:11 +0000
committergiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2015-06-19 02:27:11 +0000
commit5603cd4a2191c72089235878f43185c0d06848aa (patch)
treee667e764670de6582cd750d89250c385d704e468 /converter/other/pnmtopalm/pnmtopalm.c
parent28e1c9957bcb17d99d19b968e847398a3530c463 (diff)
Fix arithmetic overflow with ridiculously large image
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@2554 9d0c8265-081b-0410-96cb-a4ca84ce46f8
Diffstat (limited to 'converter/other/pnmtopalm/pnmtopalm.c')
-rw-r--r--converter/other/pnmtopalm/pnmtopalm.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/converter/other/pnmtopalm/pnmtopalm.c b/converter/other/pnmtopalm/pnmtopalm.c
index 7740a3ac..6e290777 100644
--- a/converter/other/pnmtopalm/pnmtopalm.c
+++ b/converter/other/pnmtopalm/pnmtopalm.c
@@ -689,15 +689,32 @@ destroyBuffer(struct seqBuffer * const bufferP) {
 static void
 addByteToBuffer(struct seqBuffer * const bufferP,
                 unsigned char      const newByte) {
+/*-----------------------------------------------------------------------------
+  Append one byte to buffer, expanding with realloc() whenever necessary.
+
+  Buffer is initially 4096 bytes.  It is doubled with each expansion.
+  A combination of large image size (maximum 65535 x 65535), high
+  resolution (each pixel can occupy more than one byte) and poor
+  compression can lead to an arithmetic overflow.
+  Abort with error if an arithmetic overflow is detected during doubling.
+-----------------------------------------------------------------------------*/
 
     assert(bufferP->allocatedSize >= bufferP->occupiedSize);
 
     if (bufferP->allocatedSize == bufferP->occupiedSize) {
-        bufferP->allocatedSize *= 2;
-        REALLOCARRAY(bufferP->buffer, bufferP->allocatedSize);
+        unsigned int const newSize = bufferP->allocatedSize * 2;
+
+        if (newSize <= bufferP->allocatedSize)
+            pm_error("Image too large.  Arithmetic overflow trying to "
+                     "expand buffer beyond %u bytes.",
+                     bufferP->allocatedSize);
+
+        REALLOCARRAY(bufferP->buffer, newSize);
         if (bufferP->buffer == NULL)
             pm_error("Couldn't (re)allocate %u bytes of memory "
-                     "for buffer.", bufferP->allocatedSize);
+                     "for buffer.", newSize);
+
+        bufferP->allocatedSize = newSize;
     }
     bufferP->buffer[bufferP->occupiedSize++] = newByte;
 }
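Review bot: The overflow test in the `allocatedSize == occupiedSize` branch runs only after `bufferP->allocatedSize * 2` has been computed, so it depends on that multiplication wrapping rather than overflowing. That holds if `allocatedSize` is an unsigned type, but the declaration of `struct seqBuffer` is outside this hunk; if the field were a signed `int`, the multiplication would already be undefined behaviour before the comparison. Testing before doubling removes the dependence on the field's type: `if (bufferP->allocatedSize > UINT_MAX / 2) pm_error(...);` and then `unsigned int const newSize = bufferP->allocatedSize * 2;` (this presumably needs `<limits.h>` if the file does not already include it). The existing `newSize <= bufferP->allocatedSize` comparison also fires when `allocatedSize` is 0, which fails safely but reports an arithmetic overflow for what would really be an unallocated buffer.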