From 248dc249bb616696380855714b2335079db32b9c Mon Sep 17 00:00:00 2001
From: giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>
Date: Sun, 29 Jan 2017 04:10:14 +0000
Subject: Release 10.73.07

git-svn-id: http://svn.code.sf.net/p/netpbm/code/stable@2885 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 converter/other/svgtopam.c  | 21 +++++++++++++++++----
 converter/other/tifftopnm.c |  7 +++++++
 doc/HISTORY                 |  9 +++++++++
 version.mk                  |  2 +-
 4 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/converter/other/svgtopam.c b/converter/other/svgtopam.c
index 137f4732..58e7928f 100644
--- a/converter/other/svgtopam.c
+++ b/converter/other/svgtopam.c
@@ -102,16 +102,23 @@ parseCommandLine(int argc,
 /*============================================================================
    Wrappers for libxml2 routines.
 
-   The difference is that these use conventional C data types and have
-   shorter names.
+   The difference is that these use conventional C data types, have shorter
+   names, and abort the program instead of returning a special value when they
+   fail.
 =============================================================================*/
 
 static const char *
 getAttribute(xmlTextReaderPtr const xmlReaderP,
              const char *     const attributeName) {
 
-    return (const char *)
+    const char * const rc = (const char *)
         xmlTextReaderGetAttribute(xmlReaderP, (const xmlChar *)attributeName);
+
+    if (rc == NULL)
+        pm_error("xmlTextReaderGetAttribute(\"%.256s\") failed.  ",
+                 attributeName);
+
+    return rc;
 }
 
 
@@ -119,7 +126,13 @@ getAttribute(xmlTextReaderPtr const xmlReaderP,
 static const char *
 currentNodeName(xmlTextReaderPtr const xmlReaderP) {
 
-    return (const char *)xmlTextReaderConstName(xmlReaderP);
+    const char * const rc = (const char *)
+        xmlTextReaderConstName(xmlReaderP);
+
+    if (rc == NULL)
+        pm_error("xmlTextReaderConstName() failed.  ");
+
+    return rc;
 }
 
 
diff --git a/converter/other/tifftopnm.c b/converter/other/tifftopnm.c
index 0d6494f9..b112aa82 100644
--- a/converter/other/tifftopnm.c
+++ b/converter/other/tifftopnm.c
@@ -1498,6 +1498,13 @@ convertRasterInMemory(pnmOut *           const pnmOutP,
             /* Note that TIFFRGBAImageGet() converts any bits per sample
                to 8.  Maxval of the raster it returns is always 255.
             */
+            if (cols > UINT_MAX/rows) {
+                pm_message("%u rows of %u columns is too large to compute",
+                           rows, cols);
+                *statusP = CONV_OOM;
+                return;
+            }
+
             MALLOCARRAY(raster, cols * rows);
             if (raster == NULL) {
                 pm_message("Unable to allocate space for a raster of %u "
diff --git a/doc/HISTORY b/doc/HISTORY
index c8128db2..7c1098dc 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -4,6 +4,15 @@ Netpbm.
 CHANGE HISTORY 
 --------------
 
+16.01.29 BJH  Release 10.73.07
+
+              tifftopnm: Fix memory corruption when image is more pixels
+              than can be represented as a C unsigned integer.  Broken in
+              Netpbm 10.11 (October 2002).
+
+              svgtopam: Fix crash when out of memory.  Always broken
+              (svgtopam was new in Netpbm 10.33 (March 2006)).
+
 16.12.25 BJH  Release 10.73.06
 
               pbmtoascii: fix bogus assertion failure.  Introduced in 
diff --git a/version.mk b/version.mk
index 07f813d8..772b2ceb 100644
--- a/version.mk
+++ b/version.mk
@@ -1,3 +1,3 @@
 NETPBM_MAJOR_RELEASE = 10
 NETPBM_MINOR_RELEASE = 73
-NETPBM_POINT_RELEASE = 6
+NETPBM_POINT_RELEASE = 7
-- 
cgit 1.4.1