From 18f7275cb7726939aacbffd59ee23ea5aa7929b3 Mon Sep 17 00:00:00 2001
From: giraffedata
Date: Sun, 28 Jun 2015 15:12:40 +0000
Subject: Release 10.35.96

git-svn-id: http://svn.code.sf.net/p/netpbm/code/super_stable@2582 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 converter/other/pnmtopalm/palmtopnm.c | 11 ++++++-----
 converter/other/pnmtopalm/pnmtopalm.c | 23 ++++++++++++++++++++---
 2 files changed, 26 insertions(+), 8 deletions(-)
(limited to 'converter/other/pnmtopalm')
diff --git a/converter/other/pnmtopalm/palmtopnm.c b/converter/other/pnmtopalm/palmtopnm.c
index 82d1f6fb..ee43be7a 100644
--- a/converter/other/pnmtopalm/palmtopnm.c
+++ b/converter/other/pnmtopalm/palmtopnm.c
@@ -819,15 +819,16 @@ readPackBitsRow16(FILE * const ifP,
 unsigned int k;
 unsigned short inval;
 pm_readlittleshortu(ifP, &inval);
- for (k = 0; (k < runlength) && (j + k + 1 < bytesPerRow); k += 2) {
- memcpy(palmrow + j + k, &inval, 2);
+ if (j + runlength <= bytesPerRow) {
+ for (k = 0; k < runlength; k += 2)
+ memcpy(palmrow + j + k, &inval, 2);
 }
 j += runlength;
 } else {
 /* We just read the stream of shorts as a stream of chars */
 unsigned int const nonrunlength = (incount + 1) * 2;
 unsigned int k;
- for (k = 0; (k < nonrunlength) && (j + k < bytesPerRow); ++k) {
+ for (k = 0; (k < nonrunlength) && (j + k <= bytesPerRow); ++k) {
 unsigned char inval;
 pm_readcharu(ifP, &inval);
 palmrow[j + k] = inval;
@@ -859,13 +860,13 @@ readPackBitsRow(FILE * const ifP,
 unsigned int const runlength = -incount + 1;
 unsigned char inval;
 pm_readcharu(ifP, &inval);
- if (j + runlength < bytesPerRow)
+ if (j + runlength <= bytesPerRow)
 memset(palmrow + j, inval, runlength);
 j += runlength;
 } else {
 unsigned int const nonrunlength = incount + 1;
 unsigned int k;
- for (k = 0; k < nonrunlength && j + k < bytesPerRow; ++k) {
+ for (k = 0; k < nonrunlength && j + k <= bytesPerRow; ++k) {
 unsigned char inval;
 pm_readcharu(ifP, &inval);
 palmrow[j + k] = inval;
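Review bot: The literal (non-run) loops in both hunks now test `j + k <= bytesPerRow`, so `palmrow[j + k]` can be written at index `bytesPerRow`. If `palmrow` holds exactly `bytesPerRow` bytes (its allocation is outside the hunks), that is a one-byte write past the end of the row buffer, controlled by the input file. The `<=` is correct in the run branches, where `j + runlength` is an end offset, but in these loops `j + k` is the index itself and the previous `<` was the right bound: keep `(j + k < bytesPerRow)` in readPackBitsRow16 and `j + k < bytesPerRow` in readPackBitsRow. Both function bodies start and end outside the hunks.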
diff --git a/converter/other/pnmtopalm/pnmtopalm.c b/converter/other/pnmtopalm/pnmtopalm.c index f5f6e44a..d5f79619 100644 --- a/converter/other/pnmtopalm/pnmtopalm.c +++ b/converter/other/pnmtopalm/pnmtopalm.c @@ -688,15 +688,32 @@ destroyBuffer(struct seqBuffer * const bufferP) { static void addByteToBuffer(struct seqBuffer * const bufferP, unsigned char const newByte) { +/*----------------------------------------------------------------------------- + Append one byte to buffer, expanding with realloc() whenever necessary. + + Buffer is initially 4096 bytes. It is doubled with each expansion. + A combination of large image size (maximum 65535 x 65535), high + resolution (each pixel can occupy more than one byte) and poor + compression can lead to an arithmetic overflow. + Abort with error if an arithmetic overflow is detected during doubling. +-----------------------------------------------------------------------------*/ assert(bufferP->allocatedSize >= bufferP->occupiedSize); if (bufferP->allocatedSize == bufferP->occupiedSize) { - bufferP->allocatedSize *= 2; - REALLOCARRAY(bufferP->buffer, bufferP->allocatedSize); + unsigned int const newSize = bufferP->allocatedSize * 2; + + if (newSize <= bufferP->allocatedSize) + pm_error("Image too large. Arithmetic overflow trying to " + "expand buffer beyond %u bytes.", + bufferP->allocatedSize); + + REALLOCARRAY(bufferP->buffer, newSize); if (bufferP->buffer == NULL) pm_error("Couldn't (re)allocate %u bytes of memory " - "for buffer.", bufferP->allocatedSize); + "for buffer.", newSize); + + bufferP->allocatedSize = newSize; } bufferP->buffer[bufferP->occupiedSize++] = newByte; } -- cgit 1.4.1
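Review bot: The overflow test in addByteToBuffer, `if (newSize <= bufferP->allocatedSize)`, runs after the multiplication and is only reliable if `allocatedSize` is an unsigned type no wider than `unsigned int`; the field's declaration is outside the hunk. Checking before doubling states the limit directly and does not lean on wraparound: `if (bufferP->allocatedSize > UINT_MAX / 2)` followed by the existing pm_error call. As written, the test also fires when `allocatedSize` is 0, where the "Image too large" message would be misleading; the new header comment says the buffer starts at 4096 bytes, so an `assert(bufferP->allocatedSize > 0);` would document that assumption.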