Attachment #25749 for bug #62677

View | Details | Raw Unified | Return to bug 62677
Collapse All | Expand All




#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "sizetmax.h"
#include "readgif.h"



    }
  
  if(local_colour_map) readcolmap(in);

  if ((width <= 0) || (height <=0 ) || 
      (width > (SIZE_T_MAX/height)) ||
      ((width * height) > SIZE_T_MAX/3))
    {
    fclose(in);
    return(0);
    }

  if((image=malloc(width*height*3))==NULL)
    {
    fclose(in);

Lines 13-19 Link Here

(-)../xzgv-0.8/src/readjpeg.c (-1 / +10 lines)
13	#include <jpeglib.h>	13	#include <jpeglib.h>
14		14
15	#include "rcfile.h"	15	#include "rcfile.h"
16		16	#include "sizetmax.h"
17	#include "readjpeg.h"	17	#include "readjpeg.h"
18		18
19		19
Lines 265-276 Link Here
265	/* this one shouldn't hurt */	265	/* this one shouldn't hurt */
266	cinfo.do_block_smoothing=FALSE;	266	cinfo.do_block_smoothing=FALSE;
267		267
		268	if ((width <= 0) \|\| (height <=0 ) \|\|
		269	(width > (SIZE_T_MAX/height)) \|\|
		270	((width * height) > SIZE_T_MAX/3))
		271	longjmp(jerr.setjmp_buffer,1);
		272
268	if((imagep=image=malloc(widthheight*3))==NULL)	273	if((imagep=image=malloc(widthheight*3))==NULL)
269	longjmp(jerr.setjmp_buffer,1);	274	longjmp(jerr.setjmp_buffer,1);
270		275
271	jpeg_start_decompress(&cinfo);	276	jpeg_start_decompress(&cinfo);
272		277
273	/* read the image */	278	/* read the image */
		279	if ((height <= 0) \|\|
		280	(height > (SIZE_T_MAX/sizeof(unsigned char *))))
		281	longjmp(jerr.setjmp_buffer,1);
		282
274	if((lineptrs=malloc(heightsizeof(unsigned char )))==NULL)	283	if((lineptrs=malloc(heightsizeof(unsigned char )))==NULL)
275	longjmp(jerr.setjmp_buffer,1);	284	longjmp(jerr.setjmp_buffer,1);
276		285




#include <string.h>
#include <stdlib.h>
#include "readmrf.h"
#include "sizetmax.h"

static int bitbox,bitsleft;


w64=(w+63)/64;
h64=(h+63)/64;

if ((w <= 0) || (h <=0 ) || 
    (w > (SIZE_T_MAX/h)) || ((w * h) > SIZE_T_MAX/3) ||
    (w64<=0) || (h64<=0) || (w64>(SIZE_T_MAX/h64)) ||
    (w64*h64) > SIZE_T_MAX/(64*64))
    {
    return(0);
    }


if((*bmap=malloc(w*h*3))==NULL ||
   (image=calloc(w64*h64*64*64,1))==NULL)
  {

Lines 17-22 Link Here

(-)../xzgv-0.8/src/readpng.c (+9 lines)
17	#include <png.h>	17	#include <png.h>
18	#include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */	18	#include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */
19	#include "readpng.h"	19	#include "readpng.h"
		20	#include "sizetmax.h"
20		21
21		22
22	/* must be global to allow aborting in mid-read */	23	/* must be global to allow aborting in mid-read */
Lines 129-134 Link Here
129	}	130	}
130		131
131	/* allocate image memory */	132	/* allocate image memory */
		133	if((width <= 0) \|\| (height <=0 ) \|\|
		134	(width > (SIZE_T_MAX/height)) \|\|
		135	((width * height) > SIZE_T_MAX/3))
		136	{
		137	fclose(in);
		138	return(0);
		139	}
		140
132	if((theimageptr=theimage=malloc(widthheight*3))==NULL)	141	if((theimageptr=theimage=malloc(widthheight*3))==NULL)
133	{	142	{
134	png_read_end(png_ptr,info_ptr);	143	png_read_end(png_ptr,info_ptr);

Lines 8-13 Link Here

(-)../xzgv-0.8/src/readprf.c (+14 lines)
8	#include <string.h>	8	#include <string.h>
9	#include <stdlib.h>	9	#include <stdlib.h>
10	#include "readprf.h"	10	#include "readprf.h"
		11	#include "sizetmax.h"
11		12
12	#define squaresize 64	13	#define squaresize 64
13		14
Lines 163-168 Link Here
163	if(planes==1)	164	if(planes==1)
164	bytepp=1;	165	bytepp=1;
165		166
		167	if((width <= 0) \|\| (width > (SIZE_T_MAX/squaresize)))
		168	{
		169	fclose(in);
		170	return(0);
		171	}
		172
166	n=width*squaresize;	173	n=width*squaresize;
167	if((planebuf[0]=calloc(n,planes))==NULL)	174	if((planebuf[0]=calloc(n,planes))==NULL)
168	{	175	{
Lines 173-178 Link Here
173	for(f=1;f<planes;f++)	180	for(f=1;f<planes;f++)
174	planebuf[f]=planebuf[f-1]+n;	181	planebuf[f]=planebuf[f-1]+n;
175		182
		183	if((height <= 0 ) \|\|
		184	(width > (SIZE_T_MAX/height)) \|\| ((width * height) > SIZE_T_MAX/3))
		185	{
		186	fclose(in);
		187	return(0);
		188	}
		189
176	if((theimageptr=malloc(widthheight*3))==NULL)	190	if((theimageptr=malloc(widthheight*3))==NULL)
177	{	191	{
178	free(planebuf[0]);	192	free(planebuf[0]);

Lines 11-17 Link Here

(-)../xzgv-0.8/src/readtiff.c (-1 / +17 lines)
11	#include <setjmp.h>	11	#include <setjmp.h>
12	#include <sys/file.h> /* for open et al */	12	#include <sys/file.h> /* for open et al */
13	#include <tiffio.h>	13	#include <tiffio.h>
14		14	#include "sizetmax.h"
15	#include "readtiff.h"	15	#include "readtiff.h"
16		16
17		17
Lines 32-41 Link Here
32	TIFFGetField(in,TIFFTAG_IMAGEWIDTH,&width);	32	TIFFGetField(in,TIFFTAG_IMAGEWIDTH,&width);
33	TIFFGetField(in,TIFFTAG_IMAGELENGTH,&height);	33	TIFFGetField(in,TIFFTAG_IMAGELENGTH,&height);
34		34
		35	if((width <= 0) \|\| (height <=0 ) \|\|
		36	(width > (SIZE_T_MAX/height)) \|\|
		37	((width * height) > SIZE_T_MAX/sizeof(uint32)))
		38	{
		39	TIFFClose(in);
		40	return(0);
		41	}
		42
		43
35	/* the width*3 guarantees there'll be at least one line	44	/* the width*3 guarantees there'll be at least one line
36	* spare for the flip afterwards.	45	* spare for the flip afterwards.
37	*/	46	*/
38	numpix=width*height;	47	numpix=width*height;
		48
		49	if((width > (SIZE_T_MAX/3)) \|\| (numpixsizeof(uint32) > SIZE_T_MAX-width3))
		50	{
		51	TIFFClose(in);
		52	return(0);
		53	}
		54
39	if((image=malloc(numpixsizeof(uint32)+width3))==NULL)	55	if((image=malloc(numpixsizeof(uint32)+width3))==NULL)
40	{	56	{
41	TIFFClose(in);	57	TIFFClose(in);

Line 0 Link Here

(-)../xzgv-0.8/src/sizetmax.h (+8 lines)
	1	/* unfortunately, there is no ANSI-C constant that holds the size of
	2	* size_t. The only thing we know is that it is "the largest unsigned
	3	* integer type on the platform" (usually unsigned long int, but not
	4	* always, cf. 31-bit mode S/390.) At least we can rely on it being
	5	* unsigned, hence the following should always work.
	6	*/
	7
	8	#define SIZE_T_MAX (~((size_t) 0))

Return to bug 62677

Lines 8-13 Link Here

(-)../xzgv-0.8/src/readgif.c (-1 / +10 lines)
8	#include <string.h>	8	#include <string.h>
9	#include <unistd.h>	9	#include <unistd.h>
10	#include <stdlib.h>	10	#include <stdlib.h>
		11	#include "sizetmax.h"
11	#include "readgif.h"	12	#include "readgif.h"
12		13
13		14
Lines 102-108 Link Here
102	}	103	}
103		104
104	if(local_colour_map) readcolmap(in);	105	if(local_colour_map) readcolmap(in);
105		106
		107	if ((width <= 0) \|\| (height <=0 ) \|\|
		108	(width > (SIZE_T_MAX/height)) \|\|
		109	((width * height) > SIZE_T_MAX/3))
		110	{
		111	fclose(in);
		112	return(0);
		113	}
		114
106	if((image=malloc(widthheight3))==NULL)	115	if((image=malloc(widthheight3))==NULL)
107	{	116	{
108	fclose(in);	117	fclose(in);

Lines 8-14 Link Here

(-)../xzgv-0.8/src/readmrf.c (-1 / +10 lines)
8	#include <string.h>	8	#include <string.h>
9	#include <stdlib.h>	9	#include <stdlib.h>
10	#include "readmrf.h"	10	#include "readmrf.h"
11		11	#include "sizetmax.h"
12		12
13	static int bitbox,bitsleft;	13	static int bitbox,bitsleft;
14		14
Lines 91-96 Link Here
91	w64=(w+63)/64;	91	w64=(w+63)/64;
92	h64=(h+63)/64;	92	h64=(h+63)/64;
93		93
		94	if ((w <= 0) \|\| (h <=0 ) \|\|
		95	(w > (SIZE_T_MAX/h)) \|\| ((w * h) > SIZE_T_MAX/3) \|\|
		96	(w64<=0) \|\| (h64<=0) \|\| (w64>(SIZE_T_MAX/h64)) \|\|
		97	(w64h64) > SIZE_T_MAX/(6464))
		98	{
		99	return(0);
		100	}
		101
		102
94	if((bmap=malloc(wh*3))==NULL \|\|	103	if((bmap=malloc(wh*3))==NULL \|\|
95	(image=calloc(w64h6464*64,1))==NULL)	104	(image=calloc(w64h6464*64,1))==NULL)
96	{	105	{