-rw-r--r--converter/other/tifftopnm.c7
-rw-r--r--doc/HISTORY6
-rw-r--r--version.mk2
3 files changed, 14 insertions, 1 deletions
diff --git a/converter/other/tifftopnm.c b/converter/other/tifftopnm.c
index fb0a7739..5c0797fc 100644
--- a/converter/other/tifftopnm.c
+++ b/converter/other/tifftopnm.c
@@ -1508,6 +1508,13 @@ convertRasterInMemory(pnmOut *           const pnmOutP,
             /* Note that TIFFRGBAImageGet() converts any bits per sample
                to 8.  Maxval of the raster it returns is always 255.
             */
+            if (cols > UINT_MAX/rows) {
+                pm_message("%u rows of %u columns is too large to compute",
+                           rows, cols);
+                *statusP = CONV_OOM;
+                return;
+            }
+
             MALLOCARRAY(raster, cols * rows);
             if (raster == NULL) {
                 pm_message("Unable to allocate space for a raster of %u "
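Review bot: The new guard `cols > UINT_MAX/rows` divides by `rows`, and nothing visible in this hunk establishes that `rows` is nonzero. If a zero-height image can reach this point, the overflow check itself would fault with an integer division by zero before the allocation is attempted. Unless the dimensions are already validated earlier in convertRasterInMemory (its body starts and ends outside the hunk), I would write the condition as `if (rows > 0 && cols > UINT_MAX/rows) {`. A one-line comment such as `/* cols * rows must fit in unsigned int: it sizes the raster handed to TIFFRGBAImageGet() */` would also record why the bound is UINT_MAX and not the allocator's own byte limit. The hunk does not show whether `<limits.h>` is included for UINT_MAX, so that is worth confirming.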
diff --git a/doc/HISTORY b/doc/HISTORY
index b4379b3c..2c300b42 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -4,6 +4,12 @@ Netpbm.
 CHANGE HISTORY 
 --------------
 
+17.01.24      Release 10.77.02
+
+              tifftopnm: Fix memory corruption when image is more pixels
+              than can be represented as a C unsigned integer.  Broken in
+              Netpbm 10.11 (October 2002).
+
 17.01.11 BJH  Release 10.77.01
 
               svgtopam: Fix crash when out of memory.  Always broken
diff --git a/version.mk b/version.mk
index 214296c5..5bb55213 100644
--- a/version.mk
+++ b/version.mk
@@ -1,3 +1,3 @@
 NETPBM_MAJOR_RELEASE = 10
 NETPBM_MINOR_RELEASE = 77
-NETPBM_POINT_RELEASE = 1
+NETPBM_POINT_RELEASE = 2