Several math overflow errors were found in NetPBM by Al Viro and Alan

Cox.  While these programs are not installed suid root, they are often
used to prepare data for processing.  These errors may permit remote
attackers to cause a denial of service or execute arbitrary code in
any programs or scripts that use these graphics conversion tools.

http://marc.theaimsgroup.com/?l=bugtraq&m=104644687816522&w=2

graphics/netpbm/Makefile

@@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.27 2002/10/27 00:03:16 naddy Exp $
+# $OpenBSD: Makefile,v 1.28 2003/03/29 04:13:54 brad Exp $
 # $NetBSD: Makefile,v 1.25 1999/03/04 14:18:54 tron Exp $
 
 COMMENT=	"toolkit for converting images between different formats"
 
 DISTNAME=	netpbm-9.24
+PKGNAME=	${DISTNAME}p1
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=netpbm/}
 EXTRACT_SUFX=	.tgz

graphics/netpbm/patches/patch-pbm_atktopbm_c

@@ -0,0 +1,13 @@
+$OpenBSD: patch-pbm_atktopbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/atktopbm.c.orig	Sat Mar 18 23:33:36 2000
++++ pbm/atktopbm.c	Fri Mar 28 20:22:06 2003
+@@ -322,8 +322,7 @@ ReadATKRaster(file, rwidth, rheight, des
+ 	*rwidth = width;
+ 	*rheight = height;
+ 	rowlen = (width + 7) / 8;
+-	*destaddr = (unsigned char *) malloc (sizeof(unsigned char) * height *
+-rowlen);
++	*destaddr = (unsigned char *) malloc3 (sizeof(unsigned char), height, rowlen);
+ 	for (row = 0;   row < height;   row++)
+ 	  {
+ 	    long c;

graphics/netpbm/patches/patch-pbm_icontopbm_c

@@ -0,0 +1,24 @@
+$OpenBSD: patch-pbm_icontopbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/icontopbm.c.orig	Mon Oct  4 05:10:28 1993
++++ pbm/icontopbm.c	Fri Mar 28 20:22:06 2003
+@@ -10,6 +10,8 @@
+ ** implied warranty.
+ */
+ 
++#include <string.h>
++#include <limits.h>
+ #include "pbm.h"
+ 
+ static void ReadIconFile ARGS(( FILE* file, int* width, int* height, short** data ));
+@@ -137,6 +139,11 @@ ReadIconFile( file, width, height, data 
+     if ( *height <= 0 )
+ 	pm_error( "invalid height: %d", *height );
+ 
++    if ( *width > INT_MAX - 16 || *width < 0)
++    	pm_error( "invalid width: %d", *width);
++    
++    overflow2(*width + 16, *height);
++    
+     data_length = BitmapSize( *width, *height );
+     *data = (short*) malloc( data_length );
+     if ( *data == NULL )

graphics/netpbm/patches/patch-pbm_libpbm1_c

@@ -0,0 +1,22 @@
+$OpenBSD: patch-pbm_libpbm1_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/libpbm1.c.orig	Thu Jan  3 15:09:23 2002
++++ pbm/libpbm1.c	Fri Mar 28 20:22:06 2003
+@@ -36,13 +36,18 @@ pbm_check(FILE * file, const enum pm_che
+           const int format, const int cols, const int rows,
+           enum pm_check_code * const retval_p) {
+ 
++    if (rows < 0 || cols < 0)
++    	pm_error("invalid image");
+     if (check_type != PM_CHECK_BASIC) {
+         if (retval_p) *retval_p = PM_CHECK_UNKNOWN_TYPE;
+     } else if (format != RPBM_FORMAT) {
+         if (retval_p) *retval_p = PM_CHECK_UNCHECKABLE;
+     } else {        
++    	/* signed to unsigned so wont wrap */
+         const unsigned int bytes_per_row = (cols+7)/8;
+         const unsigned int need_raster_size = rows * bytes_per_row;
++        
++        overflow2(bytes_per_row, rows);
+         
+         pm_check(file, check_type, need_raster_size, retval_p);
+     }

graphics/netpbm/patches/patch-pbm_libpbm5_c

@@ -0,0 +1,33 @@
+$OpenBSD: patch-pbm_libpbm5_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/libpbm5.c.orig	Sat May  6 02:30:12 2000
++++ pbm/libpbm5.c	Fri Mar 28 20:22:06 2003
+@@ -767,15 +767,18 @@ gotblankcol:
+     fn->frows = frows;
+     fn->fcols = fcols;
+     
+-    glyph = (struct glyph*) malloc( sizeof(struct glyph) * 95 );
++    glyph = (struct glyph*) malloc2( sizeof(struct glyph), 95 );
+     if ( glyph == (struct glyph*) 0 )
+ 	pm_error( "out of memory allocating glyphs" );
+     
+-    bmap = (char*) malloc( fn->maxwidth * fn->maxheight * 95 );
++    bmap = (char*) malloc3( fn->maxwidth, fn->maxheight, 95 );
+     if ( bmap == (char*) 0)
+ 	pm_error( "out of memory allocating glyph data" );
+ 
+     /* Now fill in the 0,0 coords. */
++    overflow2(char_height, 2);
++    overflow2(char_width, 2);
++    
+     row = char_height * 2;
+     col = char_width * 2;
+     for ( ch = 0; ch < 95; ++ch )
+@@ -1022,7 +1025,7 @@ char* name;
+ 				glyph->x = atoi(arg[3]);
+ 				glyph->y = atoi(arg[4]);
+ 
+-				if (!(glyph->bmap = (char*)malloc(glyph->width * glyph->height)))
++				if (!(glyph->bmap = (char*)malloc2(glyph->width, glyph->height)))
+ 					pm_error("no memory for font glyph byte map");
+ 
+ 				if (readline(fp, line, arg) < 0) { fclose(fp); return 0; }

graphics/netpbm/patches/patch-pbm_libpbmvms_c

@@ -0,0 +1,9 @@
+$OpenBSD: patch-pbm_libpbmvms_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/libpbmvms.c.orig	Fri May 26 14:34:55 2000
++++ pbm/libpbmvms.c	Fri Mar 28 20:22:06 2003
+@@ -1,3 +1,5 @@
++#warning "NOT AUDITED"
++
+ /***************************************************************************
+   This file contains library routines needed to build Netpbm for VMS.
+   However, as of 2000.05.26, when these were split out of libpbm1.c

graphics/netpbm/patches/patch-pbm_libpm_c

@@ -0,0 +1,102 @@
+$OpenBSD: patch-pbm_libpm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/libpm.c.orig	Fri Jan 25 19:18:05 2002
++++ pbm/libpm.c	Fri Mar 28 20:22:07 2003
+@@ -14,6 +14,7 @@
+ **************************************************************************/
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #include "version.h"
+ #include "compile.h"
+ #include "shhopt.h"
+@@ -38,7 +39,7 @@ char*
+ pm_allocrow(int const cols, int const size) {
+     register char* itrow;
+ 
+-    itrow = (char*) malloc( cols * size );
++    itrow = (char*) malloc2( cols , size );
+     if ( itrow == (char*) 0 )
+         pm_error( "out of memory allocating a row" );
+     return itrow;
+@@ -56,10 +57,10 @@ pm_allocarray(int const cols, int const 
+     char** its;
+     int i;
+ 
+-    its = (char**) malloc( rows * sizeof(char*) );
++    its = (char**) malloc2( rows, sizeof(char*) );
+     if ( its == (char**) 0 )
+         pm_error( "out of memory allocating an array" );
+-    its[0] = (char*) malloc( rows * cols * size );
++    its[0] = (char*) malloc3( rows, cols, size );
+     if ( its[0] == (char*) 0 )
+         pm_error( "out of memory allocating an array" );
+     for ( i = 1; i < rows; ++i )
+@@ -77,10 +78,12 @@ char**
+ pm_allocarray(int const cols, int const rows, int const size) {
+     char** its;
+     int i;
+-    its = (char**) malloc( (rows + 1) * sizeof(char*) );
++    
++    overflow_add(rows, 1);
++    its = (char**) malloc2( (rows + 1),  sizeof(char*) );
+     if ( its == (char**) 0 )
+         pm_error( "out of memory allocating an array" );
+-    its[rows] = its[0] = (char*) malloc( rows * cols * size );
++    its[rows] = its[0] = (char*) malloc3( rows. cols, size );
+     if ( its[0] != (char*) 0 )
+         for ( i = 1; i < rows; ++i )
+             its[i] = &(its[0][i * cols * size]);
+@@ -878,4 +881,52 @@ pm_check(FILE * const file, const enum p
+ }
+ 
+ 
+-
++/*
++ *	Maths wrapping
++ */
++ 
++void overflow2(int a, int b)
++{
++	if(a < 0 || b < 0)
++		pm_error("object too large");
++	if(b == 0)
++		return;
++	if(a > INT_MAX / b)
++		pm_error("object too large");
++}
++
++void overflow3(int a, int b, int c)
++{
++	overflow2(a,b);
++	overflow2(a*b, c);
++}
++
++void overflow_add(int a, int b)
++{
++	if( a > INT_MAX - b)
++		pm_error("object too large");
++}
++
++void *malloc2(int a, int b)
++{
++	overflow2(a, b);
++	if(a*b == 0)
++		pm_error("Zero byte allocation");
++	return malloc(a*b);
++}
++
++void *malloc3(int a, int b, int c)
++{
++	overflow3(a, b, c);
++	if(a*b*c == 0)
++		pm_error("Zero byte allocation");
++	return malloc(a*b*c);
++}
++
++void *realloc2(void * a, int b, int c)
++{
++	overflow2(b, c);
++	if(b*c == 0)
++		pm_error("Zero byte allocation");
++	return realloc(a, b*c);
++}

graphics/netpbm/patches/patch-pbm_mdatopbm_c

@@ -0,0 +1,19 @@
+$OpenBSD: patch-pbm_mdatopbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/mdatopbm.c.orig	Sat May  6 05:28:53 2000
++++ pbm/mdatopbm.c	Fri Mar 28 20:22:06 2003
+@@ -235,9 +235,14 @@ int main(int argc, char **argv)
+ 	pm_readlittleshort(infile, &yy); nInRows = yy;
+ 	pm_readlittleshort(infile, &yy); nInCols = yy;
+ 
++	overflow2(nOutCols, 8);
+ 	nOutCols = 8*nInCols;
+ 	nOutRows = nInRows;
+-	if (bScale) nOutRows *= 2;
++	if (bScale) 
++	{
++		overflow2(nOutRows, 2);
++		nOutRows *= 2;
++	}
+ 
+ 	data = pbm_allocarray(nOutCols, nOutRows);
+ 	mdrow = malloc(nInCols);

graphics/netpbm/patches/patch-pbm_mgrtopbm_c

@@ -0,0 +1,16 @@
+$OpenBSD: patch-pbm_mgrtopbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/mgrtopbm.c.orig	Thu Mar  2 20:02:09 2000
++++ pbm/mgrtopbm.c	Fri Mar 28 20:22:06 2003
+@@ -108,6 +108,12 @@ getinit( file, colsP, rowsP, depthP, pad
+                  head.magic[0], head.magic[1] );
+         pad = -1;  /* should never reach here */
+     }
++    
++    if(head.h_wide < ' ' || head.l_wide < ' ')
++    	pm_error("bad width/height chars in MGR file");
++    
++    overflow_add(*colsP, pad);
++    
+     *colsP = ( ( (int) head.h_wide - ' ' ) << 6 ) + ( (int) head.l_wide - ' ' );
+     *rowsP = ( ( (int) head.h_high - ' ' ) << 6 ) + ( (int) head.l_high - ' ' );
+     *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;

graphics/netpbm/patches/patch-pbm_pbmclean_c

@@ -0,0 +1,12 @@
+$OpenBSD: patch-pbm_pbmclean_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmclean.c.orig	Mon Nov 26 13:39:43 2001
++++ pbm/pbmclean.c	Fri Mar 28 20:22:06 2003
+@@ -147,7 +147,7 @@ nextrow(FILE * const ifd, int const row,
+     inrow[0] = inrow[1];
+     inrow[1] = inrow[2];
+     inrow[2] = shuffle ;
+-    if (row+1 < rows) {
++    if (row <= rows) {
+         /* Read the "next" row in from the file.  Allocate buffer if neeeded */
+         if (inrow[2] == NULL)
+             inrow[2] = pbm_allocrow(cols);

graphics/netpbm/patches/patch-pbm_pbmlife_c

@@ -0,0 +1,12 @@
+$OpenBSD: patch-pbm_pbmlife_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmlife.c.orig	Mon Oct  4 05:10:37 1993
++++ pbm/pbmlife.c	Fri Mar 28 20:22:06 2003
+@@ -54,7 +54,7 @@ char* argv[];
+ 	prevrow = thisrow;
+ 	thisrow = nextrow;
+ 	nextrow = temprow;
+-	if ( row < rows - 1 )
++	if ( row <= rows )
+ 	    pbm_readpbmrow( ifp, nextrow, cols, format );
+ 
+         for ( col = 0; col < cols; ++col )

graphics/netpbm/patches/patch-pbm_pbmpage_c

@@ -0,0 +1,21 @@
+$OpenBSD: patch-pbm_pbmpage_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmpage.c.orig	Sat Mar 31 01:58:23 2001
++++ pbm/pbmpage.c	Fri Mar 28 20:22:06 2003
+@@ -15,6 +15,7 @@
+ #include <math.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
+ #include "pbm.h"
+ 
+ /* Support both US and A4. */
+@@ -143,6 +144,9 @@ output_pbm(FILE *file, const int Width, 
+     /* We round the allocated row space up to a multiple of 8 so the ugly
+        fast code below can work.
+        */
++       
++    overflow_add(Width, 7);
++    
+     pbmrow = pbm_allocrow(((Width+7)/8)*8);
+     
+     bitmap_cursor = 0;

graphics/netpbm/patches/patch-pbm_pbmpscale_c

@@ -0,0 +1,14 @@
+$OpenBSD: patch-pbm_pbmpscale_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmpscale.c.orig	Thu Mar  2 20:14:24 2000
++++ pbm/pbmpscale.c	Fri Mar 28 20:22:06 2003
+@@ -108,8 +108,9 @@ main(argc, argv)
+    inrow[0] = inrow[1] = inrow[2] = NULL;
+    pbm_readpbminit(ifd, &columns, &rows, &format) ;
+ 
++   overflow2(columns, scale);
+    outrow = pbm_allocrow(columns*scale) ;
+-   flags = (unsigned char *)malloc(sizeof(unsigned char)*columns) ;
++   flags = (unsigned char *)malloc2(sizeof(unsigned char), columns) ;
+    if (flags == NULL) pm_perror("out of memory") ;
+ 
+    pbm_writepbminit(stdout, columns*scale, rows*scale, 0) ;

graphics/netpbm/patches/patch-pbm_pbmreduce_c

@@ -0,0 +1,15 @@
+$OpenBSD: patch-pbm_pbmreduce_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmreduce.c.orig	Wed Apr 26 15:24:02 2000
++++ pbm/pbmreduce.c	Fri Mar 28 20:22:06 2003
+@@ -92,8 +92,9 @@ main( argc, argv )
+ 
+     if ( halftone == QT_FS ) {
+         /* Initialize Floyd-Steinberg. */
+-        thiserr = (long*) malloc( ( newcols + 2 ) * sizeof(long) );
+-        nexterr = (long*) malloc( ( newcols + 2 ) * sizeof(long) );
++        overflow_add(newcols, 2);
++        thiserr = (long*) malloc2( ( newcols + 2 ), sizeof(long) );
++        nexterr = (long*) malloc2( ( newcols + 2 ), sizeof(long) );
+         if ( thiserr == 0 || nexterr == 0 )
+           pm_error( "out of memory" );
+ 

graphics/netpbm/patches/patch-pbm_pbmtext_c

@@ -0,0 +1,66 @@
+$OpenBSD: patch-pbm_pbmtext_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtext.c.orig	Mon Mar 19 21:44:49 2001
++++ pbm/pbmtext.c	Fri Mar 28 20:22:06 2003
+@@ -82,12 +82,14 @@ parse_command_line(int argc, char ** arg
+         
+         for (i = 1; i < argc; i++) {
+             if (i > 1) {
++                overflow_add(totaltextsize, 1);
+                 totaltextsize += 1;
+                 cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
+                 if (cmdline_p->text == NULL)
+                     pm_error("out of memory");
+                 strcat(cmdline_p->text, " ");
+             } 
++            overflow_add(totaltextsize, strlen(argv[i]));
+             totaltextsize += strlen(argv[i]);
+             cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
+             if (cmdline_p->text == NULL)
+@@ -328,11 +330,12 @@ get_text(const char cmdline_text[], stru
+            */
+ 
+     maxlines = 50;  /* initial value */
+-    *input_textP = (char**) malloc(maxlines * sizeof(char*));
++    *input_textP = (char**) malloc2(maxlines, sizeof(char*));
+     if (*input_textP == NULL)
+         pm_error("out of memory");
+ 
+     if (cmdline_text) {
++        overflow_add(strlen(cmdline_text), 1);
+         (*input_textP)[0] = malloc(strlen(cmdline_text)+1);
+         if ((*input_textP)[0] == NULL)
+             pm_error("Out of memory.");
+@@ -347,7 +350,9 @@ get_text(const char cmdline_text[], stru
+         while (fgets(buf, sizeof(buf), stdin) != NULL) {
+             fix_control_chars(buf, fn);
+             if (*linesP >= maxlines) {
++                overflow2(maxlines, 2);
+                 maxlines *= 2;
++                overflow2(maxlines, sizeof(char *));
+                 *input_textP = (char**) realloc((char*) *input_textP, 
+                                                 maxlines * sizeof(char*));
+                 if(*input_textP == NULL)
+@@ -426,6 +431,7 @@ main(int argc, char *argv[]) {
+         hmargin = fn->maxwidth;
+ 	} else {
+         vmargin = fn->maxheight;
++        overflow2(2, fn->maxwidth);
+         hmargin = 2 * fn->maxwidth;
+ 	}
+ 
+@@ -441,10 +447,15 @@ main(int argc, char *argv[]) {
+     } else
+         lp = input_text;
+     
++    overflow2(2, vmargin);
++    overflow2(lines, fn->maxheight);
++    overflow_add(vmargin * 2, lines * fn->maxheight);
+     rows = 2 * vmargin + lines * fn->maxheight;
+ 
+     compute_image_width(lp, lines, fn, cmdline.space, &maxwidth, &maxleftb);
+ 
++    overflow2(2, hmargin);
++    overflow_add(2*hmargin, maxwidth);
+     cols = 2 * hmargin + maxwidth;
+     bits = pbm_allocarray(cols, rows);
+ 

graphics/netpbm/patches/patch-pbm_pbmto10x_c

@@ -0,0 +1,30 @@
+$OpenBSD: patch-pbm_pbmto10x_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmto10x.c.orig	Sat Aug 12 23:36:40 1995
++++ pbm/pbmto10x.c	Fri Mar 28 20:22:06 2003
+@@ -50,7 +50,7 @@ main(argc, argv)
+ 		res_60x72();
+ 
+ 	pm_close(ifp);
+-	exit(0);
++	return 0;
+ }
+ 
+ static void
+@@ -84,6 +84,8 @@ res_60x72()
+ 	char		*stripe, *sP;
+ 
+ 	stripe = malloc(cols);
++        if(stripe == NULL)
++        	pm_error("out of memory");
+ 	for (i = 0; i < LOW_RES_ROWS; ++i)
+ 		bitrows[i] = pbm_allocrow(cols);
+ 	printf("\033A\010");		/* '\n' = 8/72 */
+@@ -117,6 +119,8 @@ res_120x144()
+ 	char		*stripe, *sP;
+ 
+ 	stripe = malloc(cols);
++	if(stripe == NULL)
++		pm_error("out of memory");
+ 	for (i = 0; i < HIGH_RES_ROWS; ++i)
+ 		bitrows[i] = pbm_allocrow(cols);
+ 	printf("\0333\001");			/* \n = 1/144" */

graphics/netpbm/patches/patch-pbm_pbmto4425_c

@@ -0,0 +1,18 @@
+$OpenBSD: patch-pbm_pbmto4425_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmto4425.c.orig	Sat Mar 25 17:23:19 2000
++++ pbm/pbmto4425.c	Fri Mar 28 20:22:06 2003
+@@ -1,4 +1,5 @@
+ #include "pbm.h"
++#include <string.h>
+ 
+ /*extern char *sys_errlist[];
+ char *malloc();*/
+@@ -70,7 +71,7 @@ char *argv[];
+   xres = vmap_width * 2;
+   yres = vmap_height * 3;
+ 
+-  vmap = malloc(vmap_width * vmap_height * sizeof(char));
++  vmap = malloc3(vmap_width, vmap_height, sizeof(char));
+   if(vmap == NULL)
+ 	{
+ 	  pm_error( "Cannot allocate memory" );

graphics/netpbm/patches/patch-pbm_pbmtoascii_c

@@ -0,0 +1,15 @@
+$OpenBSD: patch-pbm_pbmtoascii_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoascii.c.orig	Sat Mar 25 17:23:05 2000
++++ pbm/pbmtoascii.c	Fri Mar 28 20:22:06 2003
+@@ -115,9 +115,11 @@ char* argv[];
+         pm_usage( usage );
+ 
+     pbm_readpbminit( ifp, &cols, &rows, &format );
++    overflow_add(cols, gridx);
+     ccols = ( cols + gridx - 1 ) / gridx;
+     bitrow = pbm_allocrow( cols );
+     sig = (int*) pm_allocrow( ccols, sizeof(int) );
++    overflow_add(ccols, 1);
+     line = (char*) pm_allocrow( ccols + 1, sizeof(char) );
+ 
+     for ( row = 0; row < rows; row += gridy )

graphics/netpbm/patches/patch-pbm_pbmtoatk_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtoatk_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoatk.c.orig	Fri Jun  9 03:05:24 2000
++++ pbm/pbmtoatk.c	Fri Mar 28 20:22:06 2003
+@@ -65,6 +65,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+ 
+     /* Compute padding to round cols up to the nearest multiple of 16. */
++    overflow_add(cols, 15);
+     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+ 
+     printf ("\\begindata{raster,%d}\n", 1);

graphics/netpbm/patches/patch-pbm_pbmtocmuwm_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtocmuwm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtocmuwm.c.orig	Mon Oct  4 05:10:46 1993
++++ pbm/pbmtocmuwm.c	Fri Mar 28 20:22:06 2003
+@@ -43,6 +43,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+     
+     /* Round cols up to the nearest multiple of 8. */
++    overflow_add(cols, 7);
+     padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
+ 
+     putinit( rows, cols );

graphics/netpbm/patches/patch-pbm_pbmtogem_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtogem_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtogem.c.orig	Fri Jun  9 03:07:05 2000
++++ pbm/pbmtogem.c	Fri Mar 28 20:22:06 2003
+@@ -123,6 +123,7 @@ putinit (rows, cols)
+   bitsperitem = 0;
+   bitshift = 7;
+   outcol = 0;
++  overflow_add(cols, 7);
+   outmax = (cols + 7) / 8;
+   outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
+   lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));

graphics/netpbm/patches/patch-pbm_pbmtogo_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtogo_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtogo.c.orig	Fri Jun  9 03:07:04 2000
++++ pbm/pbmtogo.c	Fri Mar 28 20:22:06 2003
+@@ -90,6 +90,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow(cols);
+ 
+     /* Round cols up to the nearest multiple of 8. */
++    overflow_add(cols, 7);
+     rucols = ( cols + 7 ) / 8;
+     bytesperrow = rucols;       /* GraphOn uses bytes */
+     rucols = rucols * 8;

graphics/netpbm/patches/patch-pbm_pbmtoicon_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtoicon_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoicon.c.orig	Mon Oct  4 05:10:50 1993
++++ pbm/pbmtoicon.c	Fri Mar 28 20:22:06 2003
+@@ -42,6 +42,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+     
+     /* Round cols up to the nearest multiple of 16. */
++    overflow_add(cols, 15);
+     pad = ( ( cols + 15 ) / 16 ) * 16 - cols;
+     padleft = pad / 2;
+     padright = pad - padleft;

graphics/netpbm/patches/patch-pbm_pbmtolj_c

@@ -0,0 +1,23 @@
+$OpenBSD: patch-pbm_pbmtolj_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtolj.c.orig	Sun Oct  7 14:14:15 2001
++++ pbm/pbmtolj.c	Fri Mar 28 20:22:06 2003
+@@ -29,6 +29,7 @@
+ 
+ #include "pbm.h"
+ #include <assert.h>
++#include <string.h>
+ 
+ static int dpi = 75;
+ static int floating = 0;  /* suppress the ``ESC & l 0 E'' ? */
+@@ -122,7 +123,11 @@ main( argc, argv )
+     pbm_readpbminit( ifp, &cols, &rows, &format );
+     bitrow = pbm_allocrow( cols );
+ 
++    overflow_add(cols, 8);
+     rowBufferSize = (cols + 7) / 8;
++    overflow_add(rowBufferSize, 128);
++    overflow_add(rowBufferSize, rowBufferSize+128);
++    overflow_add(rowBufferSize+10, rowBufferSize/8);
+     packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
+     deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
+ 

graphics/netpbm/patches/patch-pbm_pbmtomacp_c

@@ -0,0 +1,20 @@
+$OpenBSD: patch-pbm_pbmtomacp_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtomacp.c.orig	Thu Mar  2 21:27:33 2000
++++ pbm/pbmtomacp.c	Fri Mar 28 20:22:06 2003
+@@ -102,6 +102,7 @@ char *argv[];
+   if( !lflg )
+     left = 0;
+ 
++  overflow_add(left, MAX_COLS - 1);
+   if( rflg )
+   { if( right - left >= MAX_COLS )
+       right = left + MAX_COLS - 1;
+@@ -111,6 +112,8 @@ char *argv[];
+ 
+   if( !tflg )
+     top = 0;
++
++  overflow_add(top, MAX_LINES - 1);
+ 
+   if( bflg )
+   { if( bottom - top >= MAX_LINES )

graphics/netpbm/patches/patch-pbm_pbmtomda_c

@@ -0,0 +1,12 @@
+$OpenBSD: patch-pbm_pbmtomda_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtomda.c.orig	Sat May  6 05:28:11 2000
++++ pbm/pbmtomda.c	Fri Mar 28 20:22:06 2003
+@@ -152,6 +152,8 @@ int main(int argc, char **argv)
+ 
+ 	if (bScale)	nOutRows = nInRows / 2;
+ 	else		nOutRows = nInRows;
++
++	overflow_add(nOutRows, 3);
+ 	nOutRows = ((nOutRows + 3) / 4) * 4;
+ 					 /* MDA wants rows a multiple of 4 */	
+ 	nOutCols = nInCols / 8;

graphics/netpbm/patches/patch-pbm_pbmtomgr_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtomgr_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtomgr.c.orig	Mon Oct  4 05:10:50 1993
++++ pbm/pbmtomgr.c	Fri Mar 28 20:22:06 2003
+@@ -43,6 +43,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+     
+     /* Round cols up to the nearest multiple of 8. */
++    overflow_add(cols, 7);
+     padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
+ 
+     putinit( rows, cols );

graphics/netpbm/patches/patch-pbm_pbmtoppa_pbm_c

@@ -0,0 +1,21 @@
+$OpenBSD: patch-pbm_pbmtoppa_pbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoppa/pbm.c.orig	Thu Jun  1 13:20:30 2000
++++ pbm/pbmtoppa/pbm.c	Fri Mar 28 20:22:06 2003
+@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned 
+     return 0;
+ 
+   case P4:
++    overflow_add(pbm->width, 7);
+     tmp=(pbm->width+7)/8;
+     tmp2=fread(data,1,tmp,pbm->fptr);
+     if(tmp2 == tmp)
+@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void
+     return;
+ 
+   pbm->unread = 1;
+-  pbm->revdata = malloc ((pbm->width+7)/8);
++  overflow_add(pbm->width, 7);
++  pbm->revdata = malloc((pbm->width+7)/8);
+   memcpy (pbm->revdata, data, (pbm->width+7)/8);
+   pbm->current_line--;
+ }

graphics/netpbm/patches/patch-pbm_pbmtoppa_pbmtoppa_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtoppa_pbmtoppa_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoppa/pbmtoppa.c.orig	Fri Jun  9 03:09:41 2000
++++ pbm/pbmtoppa/pbmtoppa.c	Fri Mar 28 20:22:06 2003
+@@ -447,6 +447,7 @@ int main (int argc, char *argv[])
+     }
+   }
+ 
++  overflow_add(Width, 7);
+   Pwidth=(Width+7)/8;
+   printer.fptr=out;
+ 

graphics/netpbm/patches/patch-pbm_pbmtox10bm_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtox10bm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtox10bm.c.orig	Fri Jun  9 03:07:01 2000
++++ pbm/pbmtox10bm.c	Fri Mar 28 20:22:06 2003
+@@ -57,6 +57,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+ 
+     /* Compute padding to round cols up to the nearest multiple of 16. */
++    overflow_add(cols, 15);
+     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+ 
+     printf( "#define %s_width %d\n", name, cols );

graphics/netpbm/patches/patch-pbm_pbmtoxbm_c

@@ -0,0 +1,12 @@
+$OpenBSD: patch-pbm_pbmtoxbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoxbm.c.orig	Sat Mar 18 21:45:05 2000
++++ pbm/pbmtoxbm.c	Fri Mar 28 20:22:06 2003
+@@ -93,6 +93,8 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+     
+     /* Compute padding to round cols up to the nearest multiple of 8. */
++    
++    overflow_add(cols, 8);
+     padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
+ 
+     printf( "#define %s_width %d\n", name, cols );

graphics/netpbm/patches/patch-pbm_pbmtoybm_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtoybm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtoybm.c.orig	Mon Oct  4 05:10:43 1993
++++ pbm/pbmtoybm.c	Fri Mar 28 20:22:07 2003
+@@ -45,6 +45,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+     
+     /* Compute padding to round cols up to the nearest multiple of 16. */
++    overflow_add(cols, 16);
+     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+ 
+     putinit( cols, rows );

graphics/netpbm/patches/patch-pbm_pbmtozinc_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_pbmtozinc_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pbmtozinc.c.orig	Fri Jun  9 03:07:21 2000
++++ pbm/pbmtozinc.c	Fri Mar 28 20:22:07 2003
+@@ -66,6 +66,7 @@ main( argc, argv )
+     bitrow = pbm_allocrow( cols );
+ 
+     /* Compute padding to round cols up to the nearest multiple of 16. */
++    overflow_add(cols, 16);
+     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+ 
+     printf( "USHORT %s[] = {\n",name);

graphics/netpbm/patches/patch-pbm_pktopbm_c

@@ -0,0 +1,13 @@
+$OpenBSD: patch-pbm_pktopbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pktopbm.c.orig	Thu Jan 25 22:42:30 2001
++++ pbm/pktopbm.c	Fri Mar 28 20:22:07 2003
+@@ -255,7 +255,8 @@ main(argc, argv)
+       if (turnon) flagbyte &= 7 ;		/* long or short form */
+       if (flagbyte == 7) {			/* long form preamble */
+ 	 integer packetlength = get32() ;	/* character packet length */
+-	 car = get32() ;			/* character number */
++	 car = get32() ;			/* character number */	
++	 overflow_add(packetlength, pktopbm_pkloc);
+ 	 endofpacket = packetlength + pktopbm_pkloc ;	/* calculate end of packet */
+          if ((car >= MAXPKCHAR) || !filename[car]) {
+ 	    ignorechar(car, endofpacket);

graphics/netpbm/patches/patch-pbm_pm_h

@@ -0,0 +1,15 @@
+$OpenBSD: patch-pbm_pm_h,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/pm.h.orig	Thu Jan  3 15:35:23 2002
++++ pbm/pm.h	Fri Mar 28 20:22:07 2003
+@@ -217,6 +217,11 @@ pm_check(FILE * const file, const enum p
+          const unsigned int need_raster_size,
+          enum pm_check_code * const retval_p);
+ 
++void *malloc2(int, int);
++void *malloc3(int, int, int);
++void overflow2(int, int);
++void overflow3(int, int, int);
++void overflow_add(int, int);
+ 
+ /* By making this <> instead of "", we avoid making shhopt.h a dependency
+    of every program in the package when we do make dep.

graphics/netpbm/patches/patch-pbm_thinkjettopbm_l

@@ -0,0 +1,22 @@
+$OpenBSD: patch-pbm_thinkjettopbm_l,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/thinkjettopbm.l.orig	Fri Jan  4 10:12:53 2002
++++ pbm/thinkjettopbm.l	Fri Mar 28 20:22:07 2003
+@@ -71,7 +71,9 @@ DIG             [0-9]
+ <RASTERMODE>\033\*b{DIG}+W  {
+                             int l;
+                             if (rowCount >= rowCapacity) {
++				overflow_add(rowCapacity, 100);
+                                 rowCapacity += 100;
++				overflow2(rowCapacity, sizeof *rows);
+                                 rows = realloc (rows, rowCapacity * sizeof *rows);
+                                 if (rows == NULL)
+                                     pm_error ("Out of memory.");
+@@ -163,6 +165,8 @@ int yywrap (void)
+     /*
+      * Quite simple since ThinkJet bit arrangement matches PBM
+      */
++
++    overflow2(maxRowLength, 8);
+     pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
+ 
+     packed_bitrow = malloc(maxRowLength);

graphics/netpbm/patches/patch-pbm_ybmtopbm_c

@@ -0,0 +1,11 @@
+$OpenBSD: patch-pbm_ybmtopbm_c,v 1.1 2003/03/29 04:13:54 brad Exp $
+--- pbm/ybmtopbm.c.orig	Mon Oct  4 05:10:35 1993
++++ pbm/ybmtopbm.c	Fri Mar 28 20:22:07 2003
+@@ -88,6 +88,7 @@ getinit( file, colsP, rowsP, depthP, pad
+ 	pm_error( "EOF / read error" );
+ 
+     *depthP = 1;
++    overflow_add(*colsP, 15);
+     *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP;
+     bitsperitem = 0;
+     }