cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8b4c64130a
openbsd-ports/graphics/netpbm/patches/patch-pbm_pbmtext_c
brad 73a9fe0066 Several math overflow errors were found in NetPBM by Al Viro and Alan 
Cox.  While these programs are not installed suid root, they are often
used to prepare data for processing.  These errors may permit remote
attackers to cause a denial of service or execute arbitrary code in
any programs or scripts that use these graphics conversion tools.

http://marc.theaimsgroup.com/?l=bugtraq&m=104644687816522&w=2
2003-03-29 04:13:54 +00:00

67 lines
2.5 KiB
Plaintext
Raw Blame History

$OpenBSD: patch-pbm_pbmtext_c,v 1.1 2003/03/29 04:13:54 brad Exp $
--- pbm/pbmtext.c.orig Mon Mar 19 21:44:49 2001
+++ pbm/pbmtext.c Fri Mar 28 20:22:06 2003
@@ -82,12 +82,14 @@ parse_command_line(int argc, char ** arg
for (i = 1; i < argc; i++) {
if (i > 1) {
+ overflow_add(totaltextsize, 1);
totaltextsize += 1;
cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
if (cmdline_p->text == NULL)
pm_error("out of memory");
strcat(cmdline_p->text, " ");
}
+ overflow_add(totaltextsize, strlen(argv[i]));
totaltextsize += strlen(argv[i]);
cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
if (cmdline_p->text == NULL)
@@ -328,11 +330,12 @@ get_text(const char cmdline_text[], stru
*/
maxlines = 50; /* initial value */
- *input_textP = (char**) malloc(maxlines * sizeof(char*));
+ *input_textP = (char**) malloc2(maxlines, sizeof(char*));
if (*input_textP == NULL)
pm_error("out of memory");
if (cmdline_text) {
+ overflow_add(strlen(cmdline_text), 1);
(*input_textP)[0] = malloc(strlen(cmdline_text)+1);
if ((*input_textP)[0] == NULL)
pm_error("Out of memory.");
@@ -347,7 +350,9 @@ get_text(const char cmdline_text[], stru
while (fgets(buf, sizeof(buf), stdin) != NULL) {
fix_control_chars(buf, fn);
if (*linesP >= maxlines) {
+ overflow2(maxlines, 2);
maxlines *= 2;
+ overflow2(maxlines, sizeof(char *));
*input_textP = (char**) realloc((char*) *input_textP,
maxlines * sizeof(char*));
if(*input_textP == NULL)
@@ -426,6 +431,7 @@ main(int argc, char *argv[]) {
hmargin = fn->maxwidth;
} else {
vmargin = fn->maxheight;
+ overflow2(2, fn->maxwidth);
hmargin = 2 * fn->maxwidth;
}
@@ -441,10 +447,15 @@ main(int argc, char *argv[]) {
} else
lp = input_text;
+ overflow2(2, vmargin);
+ overflow2(lines, fn->maxheight);
+ overflow_add(vmargin * 2, lines * fn->maxheight);
rows = 2 * vmargin + lines * fn->maxheight;
compute_image_width(lp, lines, fn, cmdline.space, &maxwidth, &maxleftb);
+ overflow2(2, hmargin);
+ overflow_add(2*hmargin, maxwidth);
cols = 2 * hmargin + maxwidth;
bits = pbm_allocarray(cols, rows);
Reference in New Issue View Git Blame Copy Permalink