From 678a09f9062469cdcdfd5bdb8eeb189ecaaf9691 Mon Sep 17 00:00:00 2001 From: giraffedata Date: Sat, 6 Oct 2018 17:04:27 +0000 Subject: Fix arithmetic overflow git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@3383 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- converter/ppm/pjtoppm.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) (limited to 'converter/ppm') diff --git a/converter/ppm/pjtoppm.c b/converter/ppm/pjtoppm.c index 3f180267..b8b94f74 100644 --- a/converter/ppm/pjtoppm.c +++ b/converter/ppm/pjtoppm.c @@ -16,6 +16,20 @@ static char usage[] = "[paintjetfile]"; + + +static unsigned int +uintProduct(unsigned int const multiplicand, + unsigned int const multiplier) { + + if (UINT_MAX / multiplier < multiplicand) + pm_error("Airthmetic overflow"); + + return multiplicand * multiplier; +} + + + static int egetc(FILE * const ifP) { int c; @@ -138,21 +152,16 @@ main(int argc, const char ** argv) { if (rows == -1 || row >= rows) rows += 100; if (image == NULL) { - MALLOCARRAY(image, rows * planes); - MALLOCARRAY(imlen, rows * planes); - } - else { - image = (unsigned char **) - realloc(image, - rows * planes * - sizeof(unsigned char *)); - imlen = (int *) - realloc(imlen, rows * planes * sizeof(int)); + MALLOCARRAY(image, uintProduct(rows, planes)); + MALLOCARRAY(imlen, uintProduct(rows, planes)); + } else { + REALLOCARRAY(image, uintProduct(rows, planes)); + REALLOCARRAY(imlen, uintProduct(rows, planes)); } } if (image == NULL || imlen == NULL) pm_error("out of memory"); - if (plane == planes) + if (plane >= planes) pm_error("too many planes"); cols = MAX(cols, val); imlen[row * planes + plane] = val; -- cgit 1.4.1