authorgiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2015-06-28 15:12:40 +0000
committergiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2015-06-28 15:12:40 +0000
commit18f7275cb7726939aacbffd59ee23ea5aa7929b3 (patch)
tree79f137ea529245652830831a4f13f3eb3f2062c2 /converter/other/pnmtopalm
parent8db29e17c89162f47555f9d3a9ea15e25f338fa7 (diff)
Release 10.35.96
git-svn-id: http://svn.code.sf.net/p/netpbm/code/super_stable@2582 9d0c8265-081b-0410-96cb-a4ca84ce46f8
Diffstat (limited to 'converter/other/pnmtopalm')
-rw-r--r--converter/other/pnmtopalm/palmtopnm.c11
-rw-r--r--converter/other/pnmtopalm/pnmtopalm.c23
2 files changed, 26 insertions, 8 deletions
diff --git a/converter/other/pnmtopalm/palmtopnm.c b/converter/other/pnmtopalm/palmtopnm.c
index 82d1f6fb..ee43be7a 100644
--- a/converter/other/pnmtopalm/palmtopnm.c
+++ b/converter/other/pnmtopalm/palmtopnm.c
@@ -819,15 +819,16 @@ readPackBitsRow16(FILE *          const ifP,
             unsigned int k;
             unsigned short inval;
             pm_readlittleshortu(ifP, &inval);
-            for (k = 0; (k < runlength) && (j + k + 1 < bytesPerRow); k += 2) {
-                memcpy(palmrow + j + k, &inval, 2);
+            if (j + runlength <= bytesPerRow) {
+                for (k = 0; k < runlength; k += 2)
+                    memcpy(palmrow + j + k, &inval, 2);
             }
             j += runlength;
         } else {
             /* We just read the stream of shorts as a stream of chars */
             unsigned int const nonrunlength = (incount + 1) * 2;
             unsigned int k;
-            for (k = 0; (k < nonrunlength) && (j + k < bytesPerRow); ++k) {
+            for (k = 0; (k < nonrunlength) && (j + k <= bytesPerRow); ++k) {
                 unsigned char inval;
                 pm_readcharu(ifP, &inval);
                 palmrow[j + k] = inval;
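Review bot: The literal-copy loop now tests `j + k <= bytesPerRow` before `palmrow[j + k] = inval;`, so it can store at index bytesPerRow. If palmrow holds bytesPerRow bytes (its allocation is outside this hunk), that is a one-byte write past the end of the row buffer, controlled by the input file. `<=` is correct in the run branch, where `j + runlength` is an exclusive end offset, but here `j + k` is the index itself, so the bound should stay `(k < nonrunlength) && (j + k < bytesPerRow)`. The same condition is introduced in the literal loop of readPackBitsRow in the next hunk; both function bodies start and end outside their hunks.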
@@ -859,13 +860,13 @@ readPackBitsRow(FILE *          const ifP,
             unsigned int const runlength = -incount + 1;
             unsigned char inval;
             pm_readcharu(ifP, &inval);
-            if (j + runlength < bytesPerRow) 
+            if (j + runlength <= bytesPerRow)
                 memset(palmrow + j, inval, runlength);
             j += runlength;
         } else {
             unsigned int const nonrunlength = incount + 1;
             unsigned int k;
-            for (k = 0; k < nonrunlength && j + k < bytesPerRow; ++k) {
+            for (k = 0; k < nonrunlength && j + k <= bytesPerRow; ++k) {
                 unsigned char inval;
                 pm_readcharu(ifP, &inval);
                 palmrow[j + k] = inval;
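Review bot: When `j + runlength <= bytesPerRow` is false, the run is dropped with no diagnostic and `j += runlength` still steps past the end of the row. A malformed row is therefore accepted, and the bytes from j onward keep whatever palmrow held before. If tolerating such files is intended, a comment such as `/* Run overruns the row; ignore it rather than fail */` would make that explicit. Otherwise consider rejecting the input at that point, e.g. `else pm_error("PackBits run extends past end of row");`. The run branch of readPackBitsRow16 in the previous hunk behaves the same way, and the function body continues outside this hunk.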
diff --git a/converter/other/pnmtopalm/pnmtopalm.c b/converter/other/pnmtopalm/pnmtopalm.c
index f5f6e44a..d5f79619 100644
--- a/converter/other/pnmtopalm/pnmtopalm.c
+++ b/converter/other/pnmtopalm/pnmtopalm.c
@@ -688,15 +688,32 @@ destroyBuffer(struct seqBuffer * const bufferP) {
 static void
 addByteToBuffer(struct seqBuffer * const bufferP,
                 unsigned char      const newByte) {
+/*-----------------------------------------------------------------------------
+  Append one byte to buffer, expanding with realloc() whenever necessary.
+
+  Buffer is initially 4096 bytes.  It is doubled with each expansion.
+  A combination of large image size (maximum 65535 x 65535), high
+  resolution (each pixel can occupy more than one byte) and poor
+  compression can lead to an arithmetic overflow.
+  Abort with error if an arithmetic overflow is detected during doubling.
+-----------------------------------------------------------------------------*/
 
     assert(bufferP->allocatedSize >= bufferP->occupiedSize);
 
     if (bufferP->allocatedSize == bufferP->occupiedSize) {
-        bufferP->allocatedSize *= 2;
-        REALLOCARRAY(bufferP->buffer, bufferP->allocatedSize);
+        unsigned int const newSize = bufferP->allocatedSize * 2;
+
+        if (newSize <= bufferP->allocatedSize)
+            pm_error("Image too large.  Arithmetic overflow trying to "
+                     "expand buffer beyond %u bytes.",
+                     bufferP->allocatedSize);
+
+        REALLOCARRAY(bufferP->buffer, newSize);
         if (bufferP->buffer == NULL)
             pm_error("Couldn't (re)allocate %u bytes of memory "
-                     "for buffer.", bufferP->allocatedSize);
+                     "for buffer.", newSize);
+
+        bufferP->allocatedSize = newSize;
     }
     bufferP->buffer[bufferP->occupiedSize++] = newByte;
 }
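Review bot: The overflow test `newSize <= bufferP->allocatedSize` runs after the multiplication, so it is only sound because unsigned arithmetic wraps. The declaration of allocatedSize is outside this hunk, so the header comment should state that it relies on the field being `unsigned int`. A check before doubling, `if (bufferP->allocatedSize > UINT_MAX / 2)` (needs `<limits.h>`), would make the intent explicit and not depend on wraparound. The current test also fires when allocatedSize is 0, in which case the message reports an arithmetic overflow that did not occur.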