From 055bdcea05ec69ce144e95cb4275c9c168f5ee50 Mon Sep 17 00:00:00 2001 From: giraffedata Date: Fri, 19 Nov 2021 00:39:39 +0000 Subject: Release 10.86.26 git-svn-id: http://svn.code.sf.net/p/netpbm/code/stable@4180 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- converter/other/sunicontopnm.c | 20 ++++++++++++++--- converter/pbm/escp2topbm.c | 19 +++++++++++++--- converter/pbm/mgrtopbm.c | 50 +++++++++++++++++++++++++++++++++++++----- converter/pbm/ybmtopbm.c | 31 ++++++++++++++------------ doc/HISTORY | 11 ++++++++++ editor/pamcut.c | 4 ++-- editor/pamrubber.c | 8 +++---- editor/pbmpscale.c | 6 ++--- editor/pnmcat.c | 3 ++- editor/pnmpad.c | 2 +- lib/libpbm2.c | 7 +++++- version.mk | 2 +- 12 files changed, 124 insertions(+), 39 deletions(-) diff --git a/converter/other/sunicontopnm.c b/converter/other/sunicontopnm.c index eff1be58..db26663e 100644 --- a/converter/other/sunicontopnm.c +++ b/converter/other/sunicontopnm.c @@ -12,10 +12,12 @@ /* Most icon images are monochrome: Depth=1 + Depth=8 images are extremely rare. At least some of these are color - images but we can't tell the palette color order. + images but we haven't found information on the palette color order. Output will be in pgm. Convert to ppm with pgmtoppm or pamlookup - if necessary. + if necessary. It is up to the user to provide the color palette in + a form acceptable by the above conversion utilities. */ #include @@ -93,12 +95,19 @@ ReadIconFileHeader(FILE * const file, if (*widthP <= 0) pm_error("invalid width (must be positive): %d", *widthP); + else if (*widthP % 8 > 0) + pm_message("warning: width not a multiple of 8: %d", *widthP); + /* We don't know whether widths which are not a multiple of 8 + are allowed. The program must gracefully handle this case + because sun icon files are easy to edit by hand. + */ if (*heightP <= 0) pm_error("invalid height (must be positive): %d", *heightP); } + int main(int argc, const char ** argv) { @@ -125,7 +134,7 @@ main(int argc, const char ** argv) { maxval = 1; pbm_writepbminit(stdout, cols, rows, 0); bitrow = pbm_allocrow_packed(cols); - colChars = cols / 8; + colChars = pbm_packed_bytes(cols); } else { assert(depth == 8); format = PGM_TYPE; @@ -166,6 +175,11 @@ main(int argc, const char ** argv) { pgm_writepgmrow(stdout, grayrow, cols, maxval, 0); } + if (format == PBM_TYPE) + pbm_freerow_packed(bitrow); + else + pgm_freerow(grayrow); + pm_close(ifP); pm_close(stdout); return 0; diff --git a/converter/pbm/escp2topbm.c b/converter/pbm/escp2topbm.c index 632e6345..8acd13d6 100644 --- a/converter/pbm/escp2topbm.c +++ b/converter/pbm/escp2topbm.c @@ -47,10 +47,17 @@ #include +#include #include "mallocvar.h" #include "pbm.h" +static unsigned int widthMax = 127 * 256 + 255; + /* Limit in official Epson manual */ + +static unsigned int const heightMax = 5120 * 200; + /* 5120 rows is sufficient for US legal at 360 DPI */ + #define ESC 033 @@ -120,6 +127,10 @@ readStripeHeader(unsigned int * const widthThisStripeP, pm_error("Error: Abnormal value in data block header: " "Says stripe has zero width or height"); + if (widthThisStripe > widthMax) + pm_error("Error: Abnormal width value in data block header: %u", + widthThisStripe); + if (compression != 0 && compression != 1) pm_error("Error: Unknown compression mode %u", compression); @@ -221,12 +232,10 @@ expandBitarray(unsigned char *** const bitarrayP, unsigned int * const bitarraySizeP) { unsigned int const heightIncrement = 5120; - unsigned int const heightMax = 5120 * 200; - /* 5120 rows is sufficient for US legal at 360 DPI */ *bitarraySizeP += heightIncrement; if (*bitarraySizeP > heightMax) - pm_error("Image too tall"); + pm_error("Error: Image too tall"); else REALLOCARRAY_NOFAIL(*bitarrayP, *bitarraySizeP); } @@ -326,6 +335,10 @@ main(int argc, width, widthThisStripe); } height += rowsThisStripe; + assert(height <= INT_MAX - 10); + /* Becuse image height is tested in expandBitarray() + with a more stringent condition. + */ if (height > bitarraySize) expandBitarray(&bitarray, &bitarraySize); diff --git a/converter/pbm/mgrtopbm.c b/converter/pbm/mgrtopbm.c index 9f7004a1..712e3be9 100644 --- a/converter/pbm/mgrtopbm.c +++ b/converter/pbm/mgrtopbm.c @@ -15,6 +15,48 @@ +static void +interpHdrWidth(struct b_header const head, + unsigned int * const colsP) { + + if (head.h_wide < ' ' || head.l_wide < ' ') + pm_error("Invalid width field in MGR header"); + else { + unsigned int const maxDimension = 4095; + + unsigned int const cols = + (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); + + if (cols == 0 || cols > maxDimension) + pm_error("Invalid width value (%u) in MGR header", cols); + else + *colsP = cols; + } +} + + + +static void +interpHdrHeight(struct b_header const head, + unsigned int * const rowsP) { + + if (head.h_high < ' ' || head.l_high < ' ') + pm_error("Invalid height field in MGR header"); + else { + unsigned int const maxDimension = 4095; + + unsigned int const rows = + (((int)head.h_high - ' ') << 6) + ((int)head.l_high - ' '); + + if (rows == 0 || rows > maxDimension) + pm_error("Invalid height value (%u) in MGR header", rows); + else + *rowsP = rows; + } +} + + + static void readMgrHeader(FILE * const ifP, unsigned int * const colsP, @@ -60,13 +102,9 @@ readMgrHeader(FILE * const ifP, pad = 0; /* should never reach here */ } - if (head.h_wide < ' ' || head.l_wide < ' ') - pm_error("Invalid width field in MGR header"); - if (head.h_high < ' ' || head.l_high < ' ') - pm_error("Invalid width field in MGR header"); + interpHdrWidth (head, colsP); + interpHdrHeight(head, rowsP); - *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' '); - *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' '); *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP; } diff --git a/converter/pbm/ybmtopbm.c b/converter/pbm/ybmtopbm.c index 2a429086..ea7e66a7 100644 --- a/converter/pbm/ybmtopbm.c +++ b/converter/pbm/ybmtopbm.c @@ -20,44 +20,47 @@ static short const ybmMagic = ( ( '!' << 8 ) | '!' ); static void getinit(FILE * const ifP, - short * const colsP, - short * const rowsP, - short * const depthP) { + unsigned int * const colsP, + unsigned int * const rowsP, + int * const depthP) { - short magic; + short int magic; + short int cols, rows; int rc; rc = pm_readbigshort(ifP, &magic); if (rc == -1) pm_error("EOF / read error"); - - if (magic != ybmMagic) + else if (magic != ybmMagic) pm_error("bad magic number in YBM file"); - rc = pm_readbigshort(ifP, colsP); + rc = pm_readbigshort(ifP, &cols); if (rc == -1 ) pm_error("EOF / read error"); + else if (cols <= 0) + pm_error("invalid width value in YBM file"); - rc = pm_readbigshort(ifP, rowsP); + rc = pm_readbigshort(ifP, &rows); if (rc == -1) pm_error("EOF / read error"); + else if (rows <= 0) + pm_error("invalid height value in YBM file"); + *colsP = (unsigned int) cols; + *rowsP = (unsigned int) rows; *depthP = 1; } - - - int main(int argc, const char * argv[]) { FILE * ifP; bit * bitrow; - short rows, cols; + unsigned int rows, cols; unsigned int row; - short depth; + int depth; const char * inputFile; pm_proginit(&argc, argv); @@ -76,7 +79,7 @@ main(int argc, const char * argv[]) { getinit(ifP, &cols, &rows, &depth); if (depth != 1) - pm_error("YBM file has depth of %u, must be 1", (unsigned)depth); + pm_error("YBM file has depth of %u, must be 1", (unsigned int) depth); pbm_writepbminit(stdout, cols, rows, 0); diff --git a/doc/HISTORY b/doc/HISTORY index f2a40e42..5632bbe4 100644 --- a/doc/HISTORY +++ b/doc/HISTORY @@ -4,6 +4,17 @@ Netpbm. CHANGE HISTORY -------------- +21.11.19 BJH Release 10.86.26 + + pamrubber: Fix bug: random behavior with -quad when you specify + both points for source or target and the second one is lower in + the image than the first. Always broken (Pamrubber was new in + Netpbm 10.54 (March 2011)). + + sunicontopnm, escp2topbm, mgrtopbm, ybmtopbm, pamcut, pbmpscale, + pnmcat, pnmpad: Fix arithmetic overrun with ridiculously large + image. + 21.10.17 BJH Release 10.86.25 pamtogif: Fix bug: doesn't ignore the input alpha mask when user diff --git a/editor/pamcut.c b/editor/pamcut.c index db5b5b3d..1c7cb4a7 100644 --- a/editor/pamcut.c +++ b/editor/pamcut.c @@ -686,7 +686,7 @@ extractRowsPBM(const struct pam * const inpamP, if (leftcol > 0) { totalWidth = MAX(rightcol+1, inpamP->width) + 7; - if (totalWidth > INT_MAX) + if (totalWidth > INT_MAX - 10) /* Prevent overflows in pbm_allocrow_packed() */ pm_error("Specified right edge is too far " "from the right end of input image"); @@ -695,7 +695,7 @@ extractRowsPBM(const struct pam * const inpamP, writeOffset = leftcol; } else { totalWidth = -leftcol + MAX(rightcol+1, inpamP->width); - if (totalWidth > INT_MAX) + if (totalWidth > INT_MAX - 10) pm_error("Specified left/right edge is too far " "from the left/right end of input image"); diff --git a/editor/pamrubber.c b/editor/pamrubber.c index a5748104..7169dbcf 100644 --- a/editor/pamrubber.c +++ b/editor/pamrubber.c @@ -1007,10 +1007,10 @@ prepQuad(void) { } else if ((oldCP[0].x > oldCP[1].x) && (oldCP[0].y < oldCP[1].y)) { /* top-right and bottom-left */ quad1 = quadRect(oldCP[1].x, oldCP[0].x, oldCP[0].y, oldCP[1].y); - } else if ((oldCP[0].x < oldCP[1].x) && (oldCP[0].y < oldCP[1].y)) { + } else if ((oldCP[0].x < oldCP[1].x) && (oldCP[0].y > oldCP[1].y)) { /* bottom-left and top-right */ quad1 = quadRect(oldCP[0].x, oldCP[1].x, oldCP[1].y, oldCP[0].y); - } else if ((oldCP[0].x > oldCP[1].x) && (oldCP[0].y < oldCP[1].y)) { + } else if ((oldCP[0].x > oldCP[1].x) && (oldCP[0].y > oldCP[1].y)) { /* bottom-right and top-left */ quad1 = quadRect(oldCP[1].x, oldCP[0].x, oldCP[1].y, oldCP[0].y); } @@ -1021,10 +1021,10 @@ prepQuad(void) { } else if ((newCP[0].x > newCP[1].x) && (newCP[0].y < newCP[1].y)) { /* top-right and bottom-left */ quad2 = quadRect(newCP[1].x, newCP[0].x, newCP[0].y, newCP[1].y); - } else if ((newCP[0].x < newCP[1].x) && (newCP[0].y < newCP[1].y)) { + } else if ((newCP[0].x < newCP[1].x) && (newCP[0].y > newCP[1].y)) { /* bottom-left and top-right */ quad2 = quadRect(newCP[0].x, newCP[1].x, newCP[1].y, newCP[0].y); - } else if ((newCP[0].x > newCP[1].x) && (newCP[0].y < newCP[1].y)) { + } else if ((newCP[0].x > newCP[1].x) && (newCP[0].y > newCP[1].y)) { /* bottom-right and top-left */ quad2 = quadRect(newCP[1].x, newCP[0].x, newCP[1].y, newCP[0].y); } diff --git a/editor/pbmpscale.c b/editor/pbmpscale.c index 9ab89350..3b6935b2 100644 --- a/editor/pbmpscale.c +++ b/editor/pbmpscale.c @@ -141,7 +141,7 @@ validateComputableDimensions(unsigned int const width, See validateComputetableSize() in libpam.c and pbm_readpbminitrest() in libpbm2.c -----------------------------------------------------------------------------*/ - unsigned int const maxWidthHeight = INT_MAX - 2; + unsigned int const maxWidthHeight = INT_MAX - 10; unsigned int const maxScaleFactor = maxWidthHeight / MAX(height, width); if (scaleFactor > maxScaleFactor) @@ -154,8 +154,8 @@ validateComputableDimensions(unsigned int const width, static void writeBitSpan(unsigned char * const packedBitrow, - int const cols, - int const offset, + unsigned int const cols, + unsigned int const offset, int const color) { /*---------------------------------------------------------------------------- Write white (color="0") or black (="1") bits into packedBitrow[], diff --git a/editor/pnmcat.c b/editor/pnmcat.c index a26dcf3e..217f6b57 100644 --- a/editor/pnmcat.c +++ b/editor/pnmcat.c @@ -367,7 +367,8 @@ getPbmImageInfo(struct imgInfo const img[], switch (backcolor) { case BACK_AUTO: { bit bgBit; - img2[i].proberow = pbm_allocrow_packed(img[i].cols+7); + img2[i].proberow = + pbm_allocrow_packed((unsigned int)img[i].cols + 7); pbm_readpbmrow_bitoffset( img[i].ifP, img2[i].proberow, img[i].cols, img[i].format, img2[i].offset % 8); diff --git a/editor/pnmpad.c b/editor/pnmpad.c index 9c7a77e5..7cc53b69 100644 --- a/editor/pnmpad.c +++ b/editor/pnmpad.c @@ -11,7 +11,7 @@ #include "shhopt.h" #include "pnm.h" -#define MAX_WIDTHHEIGHT INT_MAX-10 +#define MAX_WIDTHHEIGHT ((INT_MAX)-10) /* The maximum width or height value we can handle without risking arithmetic overflow */ diff --git a/lib/libpbm2.c b/lib/libpbm2.c index 2fec4788..a611bec5 100644 --- a/lib/libpbm2.c +++ b/lib/libpbm2.c @@ -216,6 +216,9 @@ pbm_readpbmrow_bitoffset(FILE * const ifP, Read it into packedBits[], preserving surrounding image data. Logic not tested for negative offsets. + + Because we are reading in packed mode large cols and offset values are + acceptable; dividing by 8 prevents overflows. -----------------------------------------------------------------------------*/ unsigned int const rsh = offset % 8; unsigned int const lsh = (8 - rsh) % 8; @@ -224,13 +227,15 @@ pbm_readpbmrow_bitoffset(FILE * const ifP, Aligned to nearest byte boundary to the left, so the first few bits might contain original data, not output. */ - unsigned int const last = pbm_packed_bytes(cols+rsh) - 1; + unsigned int const last = pbm_packed_bytes((unsigned int)cols + rsh) - 1; /* Position within window of rightmost byte after shift */ /* The original leftmost and rightmost chars. */ unsigned char const origHead = window[0]; unsigned char const origEnd = window[last]; + assert(cols > 0 && pbm_packed_bytes(cols) > 0); + pbm_readpbmrow_packed(ifP, window, cols, format); if (rsh > 0) { diff --git a/version.mk b/version.mk index 968ef50f..f863d233 100644 --- a/version.mk +++ b/version.mk @@ -1,3 +1,3 @@ NETPBM_MAJOR_RELEASE = 10 NETPBM_MINOR_RELEASE = 86 -NETPBM_POINT_RELEASE = 25 +NETPBM_POINT_RELEASE = 26 -- cgit 1.4.1