-rw-r--r--converter/pbm/escp2topbm.c14
-rw-r--r--doc/HISTORY3
2 files changed, 15 insertions, 2 deletions
diff --git a/converter/pbm/escp2topbm.c b/converter/pbm/escp2topbm.c
index 049ed23c..28296da9 100644
--- a/converter/pbm/escp2topbm.c
+++ b/converter/pbm/escp2topbm.c
@@ -48,6 +48,8 @@ dec_epson_rle(unsigned        const int k,
         }
         dpos += i;
     }
+    if(dpos > k)
+      pm_error("Corrupt compressed block"); 
     return pos;        /* return number of treated input bytes */
 }
 
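Review bot: The `dpos > k` test sits after the decode loop, so when it fires the run that pushed `dpos` past `k` has presumably already been written to the output buffer. It reports the overrun rather than preventing it. The loop body begins outside this hunk, so this is inferred from `dpos += i` being the last statement of each iteration. Memory safety therefore depends on the 256-byte `margin` that the third hunk adds to the allocation in main being at least as large as the longest single run. Either compare the run length against `k - dpos` before the copy inside the loop, or document the dependency here with a comment such as `/* caller must allocate slack beyond k: the final run is written before this check */`.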
@@ -96,6 +98,7 @@ main(int    argc,
 
     /* filter out raster data */
     height = 0;  /* initial value */
+    width  = 0;  /* initial value */
     pos = 0;     /* initial value */
     opos = 0;    /* initial value */
 
@@ -104,9 +107,16 @@ main(int    argc,
         if (input[pos] == '\x1b' && input[pos+1] == '.') {
             unsigned int const k =
                 input[pos+5] * ((input[pos+7] * 256 + input[pos+6] + 7) / 8);
+            unsigned int const margin = 256;
+            if(input[pos+5] == 0)
+                pm_error("Abnormal height value in escape sequence");
             height += input[pos+5];
-            width = input[pos+7] * 256 + input[pos+6];
-            REALLOCARRAY(output, opos + k);
+            if(width == 0) /* initialize */
+                width = input[pos+7] * 256 + input[pos+6];
+            else if(width != input[pos+7] * 256 + input[pos+6])
+                pm_error("Abnormal width value in escape sequence");
+
+            REALLOCARRAY(output, opos + k + margin);
             if (output == NULL)
                 pm_error("Cannot allocate memory");
 
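Review bot: The header bytes `input[pos+1]` and `input[pos+5]` through `input[pos+7]` are read with no visible check that `pos + 7` is still inside the input buffer, so an escape sequence truncated at the end of the file could be read past the end of the buffer. The loop condition and the rest of main's body are outside this hunk, so confirm they guarantee eight readable bytes. If they do not, add a length test before `k` is computed, along the lines of `if (pos + 7 >= INPUT_LEN) pm_error("Truncated escape sequence");`, where INPUT_LEN is a placeholder for whatever main calls the input byte count. Separately, `margin = 256` should carry a comment tying it to the largest overshoot one run can produce in dec_epson_rle, for example `/* slack for the final RLE run, which dec_epson_rle validates only after writing */`.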
diff --git a/doc/HISTORY b/doc/HISTORY
index 5b5eccf7..00143e06 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -21,6 +21,9 @@ not yet  BJH  Release 10.71.00
               pbmtoescp2: Fix bug: overrun on certain input.  Always broken
               (pbmtoescp2 was new in Netpbm 10.18 (September 2003).
 
+              escp2topbm: Fix buffer overrun on certain input.  Always broken
+              (escp2topbm was new in Netpbm 10.18 (September 2003).
+
               libnetpbm: pm_stripeq: fix bug: wild pointer access when
               comparator is shorter than comparand.  Doesn't affect function,
               but could cause crash or privacy exposure.  Affects reading of a