From 2ec45a90b13b406f4028963b7985f3070550e7cf Mon Sep 17 00:00:00 2001 From: giraffedata Date: Sun, 24 Apr 2016 01:51:34 +0000 Subject: Fix buffer overrun git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@2716 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- doc/HISTORY | 3 +++ editor/pnmpaste.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/HISTORY b/doc/HISTORY index 91e0e073..57b7d400 100644 --- a/doc/HISTORY +++ b/doc/HISTORY @@ -17,6 +17,9 @@ not yet BJH Release 10.75.00 pbmreduce: add -randomseed. + pnmpaste: fix possible invalid memory access. Introduced in + Netpbm 1.44 (September 2008). + pbmreduce: fix undefined behavior when scale factor argument is too big. Always present (pbmreduce was new in September 1989). diff --git a/editor/pnmpaste.c b/editor/pnmpaste.c index 1e29d933..c27e288c 100644 --- a/editor/pnmpaste.c +++ b/editor/pnmpaste.c @@ -201,8 +201,8 @@ insertShift(FILE * const ifP, Same as insertDirect(), but start merging 'offset' bits from the left end of 'destrow'. 'offset' is less than 8. - buffer[] is wide enough to hold a packed PBM row of *ifP plus one - byte of margin. + buffer[] is wide enough to hold a packed PBM row of *ifP plus two + bytes of margin. -----------------------------------------------------------------------------*/ unsigned int const shiftByteCt = pbm_packed_bytes(cols + offset); unsigned int const last = shiftByteCt - 1; @@ -268,7 +268,7 @@ pastePbm(FILE * const fpInset, Fast paste for PBM -----------------------------------------------------------------------------*/ unsigned char * const baserow = pbm_allocrow_packed(baseCols); - unsigned char * const buffer = pbm_allocrow_packed(insetCols+8); + unsigned char * const buffer = pbm_allocrow_packed(insetCols+16); unsigned int const shiftByteCt = insertCol / 8; unsigned int const shiftOffset = insertCol % 8; unsigned int const baseColByteCt = pbm_packed_bytes(baseCols); -- cgit 1.4.1