From fed74115faf1c899c1621768a5db09527c667fae Mon Sep 17 00:00:00 2001 From: giraffedata Date: Sun, 28 Jun 2015 14:33:23 +0000 Subject: Release 10.47.57 git-svn-id: http://svn.code.sf.net/p/netpbm/code/stable@2575 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- buildtools/makepointerman | 10 ++++----- converter/other/pnmtopalm/palmtopnm.c | 11 +++++----- converter/other/pnmtopalm/pnmtopalm.c | 23 ++++++++++++++++++--- converter/pbm/escp2topbm.c | 14 +++++++++++-- converter/pbm/pbmtoepson.c | 2 +- converter/pbm/pbmtoescp2.c | 5 +++++ converter/pbm/pbmtogo.c | 6 +++--- converter/pbm/pbmtomatrixorbital.c | 2 +- converter/pbm/pbmtoppa/cutswath.c | 28 ++++++++++++++------------ converter/pbm/pbmtoppa/pbm.c | 1 + converter/pbm/pbmtoppa/pbmtoppa.c | 15 ++++++++++++-- converter/pbm/pbmtoppa/ppa.c | 13 ++++++------ converter/pgm/sbigtopgm.c | 3 ++- doc/HISTORY | 38 +++++++++++++++++++++++++++++++++++ version.mk | 2 +- 15 files changed, 130 insertions(+), 43 deletions(-) diff --git a/buildtools/makepointerman b/buildtools/makepointerman index 8fbb0f49..58d3a64c 100755 --- a/buildtools/makepointerman +++ b/buildtools/makepointerman @@ -74,11 +74,11 @@ print(MANPAGE "If that doesn't work, also try " . print(MANPAGE "emailing Bryan Henderson, bryanh\@giraffe-data.com.\n"); print(MANPAGE "\n"); -print(MANPAGE "Note that making the documentation available this way was\n"); -print(MANPAGE "a choice of the person who installed Netpbm on this system.\n"); -print(MANPAGE "It is also possible to install Netpbm such that you would\n"); -print(MANPAGE "simply see the documentation instead of the message you are\n"); -print(MANPAGE "reading now.\n"); +print(MANPAGE "Note that it is possible to install Netpbm with the\n"); +print(MANPAGE "documentation available differently. For example, you\n"); +print(MANPAGE "could simply see the documentation instead of the message\n"); +print(MANPAGE "you are reading now. The file 'doc/USERDOC' in the Netpbm\n"); +print(MANPAGE "source tree contains details."); print(MANPAGE "\n"); if ($format eq "nroff") { diff --git a/converter/other/pnmtopalm/palmtopnm.c b/converter/other/pnmtopalm/palmtopnm.c index 7e4ca453..88088817 100644 --- a/converter/other/pnmtopalm/palmtopnm.c +++ b/converter/other/pnmtopalm/palmtopnm.c @@ -820,15 +820,16 @@ readPackBitsRow16(FILE * const ifP, unsigned int k; unsigned short inval; pm_readlittleshortu(ifP, &inval); - for (k = 0; (k < runlength) && (j + k + 1 < bytesPerRow); k += 2) { - memcpy(palmrow + j + k, &inval, 2); + if (j + runlength <= bytesPerRow) { + for (k = 0; k < runlength; k += 2) + memcpy(palmrow + j + k, &inval, 2); } j += runlength; } else { /* We just read the stream of shorts as a stream of chars */ unsigned int const nonrunlength = (incount + 1) * 2; unsigned int k; - for (k = 0; (k < nonrunlength) && (j + k < bytesPerRow); ++k) { + for (k = 0; (k < nonrunlength) && (j + k <= bytesPerRow); ++k) { unsigned char inval; pm_readcharu(ifP, &inval); palmrow[j + k] = inval; @@ -860,13 +861,13 @@ readPackBitsRow(FILE * const ifP, unsigned int const runlength = -incount + 1; unsigned char inval; pm_readcharu(ifP, &inval); - if (j + runlength < bytesPerRow) + if (j + runlength <= bytesPerRow) memset(palmrow + j, inval, runlength); j += runlength; } else { unsigned int const nonrunlength = incount + 1; unsigned int k; - for (k = 0; k < nonrunlength && j + k < bytesPerRow; ++k) { + for (k = 0; k < nonrunlength && j + k <= bytesPerRow; ++k) { unsigned char inval; pm_readcharu(ifP, &inval); palmrow[j + k] = inval; diff --git a/converter/other/pnmtopalm/pnmtopalm.c b/converter/other/pnmtopalm/pnmtopalm.c index 3d20788c..90737b78 100644 --- a/converter/other/pnmtopalm/pnmtopalm.c +++ b/converter/other/pnmtopalm/pnmtopalm.c @@ -689,15 +689,32 @@ destroyBuffer(struct seqBuffer * const bufferP) { static void addByteToBuffer(struct seqBuffer * const bufferP, unsigned char const newByte) { +/*----------------------------------------------------------------------------- + Append one byte to buffer, expanding with realloc() whenever necessary. + + Buffer is initially 4096 bytes. It is doubled with each expansion. + A combination of large image size (maximum 65535 x 65535), high + resolution (each pixel can occupy more than one byte) and poor + compression can lead to an arithmetic overflow. + Abort with error if an arithmetic overflow is detected during doubling. +-----------------------------------------------------------------------------*/ assert(bufferP->allocatedSize >= bufferP->occupiedSize); if (bufferP->allocatedSize == bufferP->occupiedSize) { - bufferP->allocatedSize *= 2; - REALLOCARRAY(bufferP->buffer, bufferP->allocatedSize); + unsigned int const newSize = bufferP->allocatedSize * 2; + + if (newSize <= bufferP->allocatedSize) + pm_error("Image too large. Arithmetic overflow trying to " + "expand buffer beyond %u bytes.", + bufferP->allocatedSize); + + REALLOCARRAY(bufferP->buffer, newSize); if (bufferP->buffer == NULL) pm_error("Couldn't (re)allocate %u bytes of memory " - "for buffer.", bufferP->allocatedSize); + "for buffer.", newSize); + + bufferP->allocatedSize = newSize; } bufferP->buffer[bufferP->occupiedSize++] = newByte; } diff --git a/converter/pbm/escp2topbm.c b/converter/pbm/escp2topbm.c index 049ed23c..28296da9 100644 --- a/converter/pbm/escp2topbm.c +++ b/converter/pbm/escp2topbm.c @@ -48,6 +48,8 @@ dec_epson_rle(unsigned const int k, } dpos += i; } + if(dpos > k) + pm_error("Corrupt compressed block"); return pos; /* return number of treated input bytes */ } @@ -96,6 +98,7 @@ main(int argc, /* filter out raster data */ height = 0; /* initial value */ + width = 0; /* initial value */ pos = 0; /* initial value */ opos = 0; /* initial value */ @@ -104,9 +107,16 @@ main(int argc, if (input[pos] == '\x1b' && input[pos+1] == '.') { unsigned int const k = input[pos+5] * ((input[pos+7] * 256 + input[pos+6] + 7) / 8); + unsigned int const margin = 256; + if(input[pos+5] == 0) + pm_error("Abnormal height value in escape sequence"); height += input[pos+5]; - width = input[pos+7] * 256 + input[pos+6]; - REALLOCARRAY(output, opos + k); + if(width == 0) /* initialize */ + width = input[pos+7] * 256 + input[pos+6]; + else if(width != input[pos+7] * 256 + input[pos+6]) + pm_error("Abnormal width value in escape sequence"); + + REALLOCARRAY(output, opos + k + margin); if (output == NULL) pm_error("Cannot allocate memory"); diff --git a/converter/pbm/pbmtoepson.c b/converter/pbm/pbmtoepson.c index b485d888..86185d15 100644 --- a/converter/pbm/pbmtoepson.c +++ b/converter/pbm/pbmtoepson.c @@ -69,7 +69,7 @@ parseCommandLine(int argc, MALLOCARRAY_NOFAIL(option_def, 100); option_def_index = 0; /* incremented by OPTENT3 */ - OPTENT3(0, "protocol", OPT_UINT, &protocol, + OPTENT3(0, "protocol", OPT_STRING, &protocol, &protocolSpec, 0); OPTENT3(0, "dpi", OPT_UINT, &cmdlineP->dpi, &dpiSpec, 0); diff --git a/converter/pbm/pbmtoescp2.c b/converter/pbm/pbmtoescp2.c index 973c8781..e280b3df 100644 --- a/converter/pbm/pbmtoescp2.c +++ b/converter/pbm/pbmtoescp2.c @@ -165,6 +165,11 @@ main(int argc, char* argv[]) { for (idx = 0; idx < 24 && row+idx < rows; ++idx) pbm_readpbmrow_packed(ifP,bytes+idx*pbm_packed_bytes(cols), cols,format); + /* Add delimiter to end of rows, using inverse of final + data byte to prevent match. */ + *(bytes+idx*pbm_packed_bytes(cols)) = + ~ *(bytes+idx*pbm_packed_bytes(cols)-1); + /* Write raster data. */ if (cmdline.compress != 0) { /* compressed */ diff --git a/converter/pbm/pbmtogo.c b/converter/pbm/pbmtogo.c index b4f3f372..23b2ee9a 100644 --- a/converter/pbm/pbmtogo.c +++ b/converter/pbm/pbmtogo.c @@ -164,7 +164,7 @@ main(int argc, padright = rucols - cols; for (i = 0; i < GRAPHON_WIDTH_BYTES; ++i ) - buffer[i] = 0; + buffer[i] = oldscanline[i] = 0; putinit(); /* Start donwloading screen raster */ @@ -215,7 +215,7 @@ main(int argc, { olditem = buffer[nbyte++]; ucount++; - } while ((olditem != buffer[nbyte]) + } while (nbyte < bytesperrow && (olditem != buffer[nbyte]) && (ucount < MIN(bytesperrow, MAX_REPEAT))); if ((ucount != MAX_REPEAT) && (nbyte != bytesperrow)) { @@ -246,7 +246,7 @@ main(int argc, { olditem = buffer[nbyte++]; ecount++; - } while ((olditem == buffer[nbyte]) + } while (nbyte < bytesperrow && (olditem == buffer[nbyte]) && (ecount < MIN(bytesperrow, MAX_REPEAT))); if (ecount > 1) { diff --git a/converter/pbm/pbmtomatrixorbital.c b/converter/pbm/pbmtomatrixorbital.c index 79347978..96e1406a 100644 --- a/converter/pbm/pbmtomatrixorbital.c +++ b/converter/pbm/pbmtomatrixorbital.c @@ -60,7 +60,7 @@ main(int argc, char * argv[]) { pbm_init(&argc, argv); - if (argc-1 > 0) + if (argc-1 > 1) pm_error("Too many arguments (%d). The only valid argument is an " "input file name.", argc-1); else if (argc-1 == 1) diff --git a/converter/pbm/pbmtoppa/cutswath.c b/converter/pbm/pbmtoppa/cutswath.c index 0d44ce45..d3f15c03 100644 --- a/converter/pbm/pbmtoppa/cutswath.c +++ b/converter/pbm/pbmtoppa/cutswath.c @@ -39,13 +39,15 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat int shift; ppa_nozzle_data nozzles[2]; + ppa = NULL; + /* shift = 6 if DPI==300 */ /* shift = 12 if DPI==600 */ shift = ( prn->DPI == 300 ? 6:12 ) ; /* safeguard against the user freeing these */ - sweep_data->image_data=NULL; - sweep_data->nozzle_data=NULL; + sweep_data->image_data = NULL; + sweep_data->nozzle_data = NULL; /* read the data from the input file */ width8 = (pbm->width + 7) / 8; @@ -66,7 +68,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data)) { fprintf(stderr,"cutswath(): A-could not read top margin\n"); - free(data); + free (data); data=NULL; return 0; } @@ -77,10 +79,10 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data)) { fprintf(stderr,"cutswath(): could not clear bottom margin\n"); - free(data); + free (data); data=NULL; return 0; } - free(data); + free (data); data=NULL; return 1; } @@ -95,7 +97,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data+width8*numlines)) { fprintf(stderr,"cutswath(): B-could not read next line\n"); - free(data); + free (data); data=NULL; return 0; } if(!got_nonblank) @@ -130,7 +132,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat { fprintf (stderr, "Ack! newleft=%d, newright=%d, left=%d, right=%d\n", newleft, newright, left, right); - free (data); + free (data); data=NULL; return 0; } @@ -177,13 +179,13 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data)) { fprintf(stderr,"cutswath(): could not clear bottom margin\n"); - free(data); + free (data); data=NULL; return 0; } - free(data); + free (data); data=NULL; return 1; } - free(data); + free (data); data=NULL; return 0; /* error, since didn't get to lower margin, yet blank */ } @@ -197,7 +199,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if(!pbm_readline(pbm,data+width8*numlines)) { fprintf(stderr,"cutswath(): C-could not read next line\n"); - free(data); + free (data); data=NULL; return 0; } numlines++; @@ -225,7 +227,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat if ((ppa = malloc ((p_width8+2*shift) * numlines)) == NULL) { fprintf(stderr,"cutswath(): could not malloc ppa storage\n"); - free (data); + free (data); data=NULL; return 0; } @@ -292,7 +294,7 @@ cut_pbm_swath(pbm_stat* pbm,ppa_stat* prn,int maxlines,ppa_sweep_data* sweep_dat } /* done with data */ - free(data); + free (data); data=NULL; /* place 0's in the last 12 columns */ memset (place, 0, numlines/2 * shift); diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c index 5c9798f2..2f8a42b1 100644 --- a/converter/pbm/pbmtoppa/pbm.c +++ b/converter/pbm/pbmtoppa/pbm.c @@ -91,6 +91,7 @@ int pbm_readline(pbm_stat* pbm,unsigned char* data) pbm->current_line++; pbm->unread = 0; free (pbm->revdata); + pbm->revdata = NULL; return 1; } diff --git a/converter/pbm/pbmtoppa/pbmtoppa.c b/converter/pbm/pbmtoppa/pbmtoppa.c index 85a98529..f43c08a8 100644 --- a/converter/pbm/pbmtoppa/pbmtoppa.c +++ b/converter/pbm/pbmtoppa/pbmtoppa.c @@ -63,9 +63,14 @@ print_pbm(FILE * const in) { ppa_init_page(&printer); ppa_load_page(&printer); - sweeps[0].direction = right_to_left; + sweeps[0].direction = right_to_left; + sweeps[0].image_data = NULL; + sweeps[0].nozzle_data = NULL; sweeps[0].next=&sweeps[1]; - sweeps[1].direction = left_to_right; + + sweeps[1].direction = left_to_right; + sweeps[1].image_data = NULL; + sweeps[1].nozzle_data = NULL; sweeps[1].next=&sweeps[0]; current_sweep=0; @@ -88,6 +93,8 @@ print_pbm(FILE * const in) { ppa_print_sweep(&printer, &sweeps[previous_sweep]); free(sweeps[previous_sweep].image_data); free(sweeps[previous_sweep].nozzle_data); + sweeps[previous_sweep].image_data = NULL; + sweeps[previous_sweep].nozzle_data = NULL; } previous_sweep=current_sweep; current_sweep= current_sweep==0 ? 1 : 0; @@ -106,6 +113,10 @@ print_pbm(FILE * const in) { free(sweeps[0].nozzle_data); free(sweeps[1].image_data); free(sweeps[1].nozzle_data); + sweeps[0].image_data = NULL; + sweeps[0].nozzle_data = NULL; + sweeps[1].image_data = NULL; + sweeps[1].nozzle_data = NULL; ppa_eject_page(&printer); diff --git a/converter/pbm/pbmtoppa/ppa.c b/converter/pbm/pbmtoppa/ppa.c index 8363d927..aa30d684 100644 --- a/converter/pbm/pbmtoppa/ppa.c +++ b/converter/pbm/pbmtoppa/ppa.c @@ -389,7 +389,9 @@ static void __inline__ place_2bytes(int x,unsigned char* y) static void __inline__ place_4bytes(int x,unsigned char* y) { place_2bytes(x>>16,y); place_2bytes(x,y+2); } -#define do_compress_data (1) +#define do_compress_data (1) /* Compress. */ +/* The no-compression case has not been well tested 2015.05.31 */ + void ppa_print_sweep(ppa_stat* prn,ppa_sweep_data* data) { unsigned char* pc, *tpc; @@ -403,11 +405,9 @@ void ppa_print_sweep(ppa_stat* prn,ppa_sweep_data* data) int nozzle_data_size; int MF; /* Multiplicative Factor -- quick hack */ - pc=data->image_data; - if(do_compress_data) { - if(!(pc=malloc((datasize/64+1)*65))) + if( !( pc = malloc( datasize * 2 + 1 )) ) /* Worst case + margin */ { fprintf(stderr,"ppa_print_sweep(): could not malloc storage for compressed data\n"); exit(-1); @@ -416,12 +416,13 @@ void ppa_print_sweep(ppa_stat* prn,ppa_sweep_data* data) } /* send image data 16k at a time */ - for(i=0, tpc=pc; iimage_data; + ifptr, 0, datasize-i > 16384 ? 16384 : datasize-i, tpc); /* memory leak fix courtesy of John McKown */ if (do_compress_data) - free (pc); + free (pc); /* construct sweep packet */ switch(prn->version) diff --git a/converter/pgm/sbigtopgm.c b/converter/pgm/sbigtopgm.c index 8e933752..ef8b8202 100644 --- a/converter/pgm/sbigtopgm.c +++ b/converter/pgm/sbigtopgm.c @@ -123,7 +123,8 @@ int main(argc, argv) pm_error("malformed SBIG file header at character %d", hdr - header); } *cp = 0; - if (strncmp(hdr, "ST-", 3) == 0) { + if (strncmp(hdr, "ST-", 3) == 0) || + (hdr == &hdr[0] && strstr(hdr,"Image") != NULL)) { char *ep = strchr(hdr + 3, ' '); if (ep != NULL) { diff --git a/doc/HISTORY b/doc/HISTORY index a45cdb69..27df344d 100644 --- a/doc/HISTORY +++ b/doc/HISTORY @@ -4,6 +4,44 @@ Netpbm. CHANGE HISTORY -------------- +15.06.28 BJH Release 10.47.57 + + palmtopnm: Fix distorted output with PackBits compressed input. + Always broken (Ability to convert PackBits input was new in + Netpbm 10.27 (March 2005). + + pnmtopalm: Fix arithmetic overflow with ridiculously large + image. Introduced after Netpbm 10.26 (January 2005) but before + Netpbm 10.35 (August 2006). + + pbmtoepson: fix -protocol option - never works and sometimes + crashes program. Always broken (-protocol was new in Netpbm + 10.23 (July 2004). + + pbmtoppa: fix buffer overruns, double-free crashes. Always + broken (pbmtoppa was new in Netpbm 9.1 (March 2000). + + pbmtomatrixorbital: fix bug: fails if you specify the input + file name argument. Always broken. (pbmtomatrixorbital was + new in Netpbm 10.18 (Setpember 2003). + + sbigtopgm: fix detection of camera type. Always broken + (sbigtopgm was new in Netpbm 8.3 (March 2000)). + + pbmtogo: Fix bug: garbage first row. Broken at least since + November 1989. + + pbmtogo: Fix bug: buffer overrun with certain input. Broken + at least since November 1989. + + pbmtoescp2: Fix bug: overrun on certain input. Always broken + (pbmtoescp2 was new in Netpbm 10.18 (September 2003)). + + Build: improve text of pointer man pages. + + escp2topbm: Fix buffer overrun on certain input. Always broken + (escp2topbm was new in Netpbm 10.18 (September 2003)). + 15.05.24 BJH Release 10.47.56 libnetpbm: pm_stripeq: fix bug: wild pointer access when diff --git a/version.mk b/version.mk index a687c653..fbf4ea4d 100644 --- a/version.mk +++ b/version.mk @@ -1,3 +1,3 @@ NETPBM_MAJOR_RELEASE = 10 NETPBM_MINOR_RELEASE = 47 -NETPBM_POINT_RELEASE = 56 +NETPBM_POINT_RELEASE = 57 -- cgit 1.4.1