diff options
| -rw-r--r-- | doc/HISTORY | 3 | ||||
| -rw-r--r-- | editor/pnmpaste.c | 6 |
2 files changed, 6 insertions, 3 deletions
diff --git a/doc/HISTORY b/doc/HISTORY index 91e0e073..57b7d400 100644 --- a/doc/HISTORY +++ b/doc/HISTORY @@ -17,6 +17,9 @@ not yet BJH Release 10.75.00 pbmreduce: add -randomseed. + pnmpaste: fix possible invalid memory access. Introduced in + Netpbm 1.44 (September 2008). + pbmreduce: fix undefined behavior when scale factor argument is too big. Always present (pbmreduce was new in September 1989). diff --git a/editor/pnmpaste.c b/editor/pnmpaste.c index 1e29d933..c27e288c 100644 --- a/editor/pnmpaste.c +++ b/editor/pnmpaste.c @@ -201,8 +201,8 @@ insertShift(FILE * const ifP, Same as insertDirect(), but start merging 'offset' bits from the left end of 'destrow'. 'offset' is less than 8. - buffer[] is wide enough to hold a packed PBM row of *ifP plus one - byte of margin. + buffer[] is wide enough to hold a packed PBM row of *ifP plus two + bytes of margin. -----------------------------------------------------------------------------*/ unsigned int const shiftByteCt = pbm_packed_bytes(cols + offset); unsigned int const last = shiftByteCt - 1; @@ -268,7 +268,7 @@ pastePbm(FILE * const fpInset, Fast paste for PBM -----------------------------------------------------------------------------*/ unsigned char * const baserow = pbm_allocrow_packed(baseCols); - unsigned char * const buffer = pbm_allocrow_packed(insetCols+8); + unsigned char * const buffer = pbm_allocrow_packed(insetCols+16); unsigned int const shiftByteCt = insertCol / 8; unsigned int const shiftOffset = insertCol % 8; unsigned int const baseColByteCt = pbm_packed_bytes(baseCols); |