diff options
author | wiz <wiz> | 2009-08-31 20:12:20 +0000 |
---|---|---|
committer | wiz <wiz> | 2009-08-31 20:12:20 +0000 |
commit | e74d9b63e706f38241b7c2a970d1f97457a72c6d (patch) | |
tree | 947489bf1f8d96802843ca3490f88b876ba5bec8 /print/ghostscript | |
parent | 0f6df7c19e9f89b751310cf6814ed2bd9da3b8b8 (diff) | |
download | pkgsrc-e74d9b63e706f38241b7c2a970d1f97457a72c6d.tar.gz |
Update to 8.70:
The license is now GPLv3 or later. A large number of issues with
transparency were fixed. Several significant fixes to font handling,
especially when generating PDF, were made. Numerous robustness,
correctness, and performance improvements were made. Security fixes
addressing CVE-2009-0583 and CVE-2009-0792 were made. New generic
Esc/Page devices, eplmono and eplcolor, were added, as well as the
cdnj500 device to support the HP DesignJet 500. The size of PostScript
integers was limited to 32 bits, as recommended in the specification.
XXX: does not fix build with cups option and jpeg7.
Diffstat (limited to 'print/ghostscript')
-rw-r--r-- | print/ghostscript/Makefile | 5 | ||||
-rw-r--r-- | print/ghostscript/distinfo | 12 | ||||
-rw-r--r-- | print/ghostscript/patches/patch-aa | 24 | ||||
-rw-r--r-- | print/ghostscript/patches/patch-ag | 14 | ||||
-rw-r--r-- | print/ghostscript/patches/patch-aj | 1153 |
5 files changed, 14 insertions, 1194 deletions
diff --git a/print/ghostscript/Makefile b/print/ghostscript/Makefile index 6d94c84c0e2..e9ce21e75ab 100644 --- a/print/ghostscript/Makefile +++ b/print/ghostscript/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.63 2009/08/26 19:56:52 sno Exp $ +# $NetBSD: Makefile,v 1.64 2009/08/31 20:12:20 wiz Exp $ -DISTNAME= ghostscript-8.64 -PKGREVISION= 4 +DISTNAME= ghostscript-8.70 CATEGORIES= print MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ghostscript/} EXTRACT_SUFX= .tar.bz2 diff --git a/print/ghostscript/distinfo b/print/ghostscript/distinfo index f5f7c52dce5..bc70ede43c4 100644 --- a/print/ghostscript/distinfo +++ b/print/ghostscript/distinfo @@ -1,14 +1,12 @@ -$NetBSD: distinfo,v 1.24 2009/04/17 15:05:31 drochner Exp $ +$NetBSD: distinfo,v 1.25 2009/08/31 20:12:20 wiz Exp $ -SHA1 (ghostscript-8.64.tar.bz2) = 4c2a6e04145428d35da73fbc4db9c66a75e336e0 -RMD160 (ghostscript-8.64.tar.bz2) = 565134dcfe1e823b435c3761461c5eb394bd633c -Size (ghostscript-8.64.tar.bz2) = 16921504 bytes -SHA1 (patch-aa) = 31d077502dba343c5834e5ee9fdb42102ef47668 +SHA1 (ghostscript-8.70.tar.bz2) = 4e4132713258c680a4fbec577e6dfc82b980ec01 +RMD160 (ghostscript-8.70.tar.bz2) = 88f7d380d1075c57829aa7f34334542fd2bbd6ce +Size (ghostscript-8.70.tar.bz2) = 17019673 bytes SHA1 (patch-ab) = 7a98cad37f94394f172bdac23f5dd73fb1f08006 SHA1 (patch-ad) = 8b3b743b2d6405ea35bfb16970942ecd55702401 SHA1 (patch-ae) = 50335e72adebe95ab0cb5873d1c6dd00e971579a SHA1 (patch-af) = e4d56f13f5eb595a3929aac6c257012961f59c2b -SHA1 (patch-ag) = dd452d29253e20bb8fa453a1e4f139a40b2ab3e3 +SHA1 (patch-ag) = bdfbe40c849537d84ac2b3def4a0a3a87ecc152f SHA1 (patch-ah) = efc85dead838505ee462714167f196db2deeb0aa SHA1 (patch-ai) = ad69ddd4a4bd50cf2263ac6c6d17a59798ef3124 -SHA1 (patch-aj) = 83403be55c9fa8d22fbf3809190c381a06fa2657 diff --git a/print/ghostscript/patches/patch-aa b/print/ghostscript/patches/patch-aa deleted file mode 100644 index 1a7e7489722..00000000000 --- a/print/ghostscript/patches/patch-aa +++ /dev/null @@ -1,24 +0,0 @@ -$NetBSD: patch-aa,v 1.4 2009/04/14 19:32:54 tron Exp $ - -Patch for CVE-2009-0196 taken from Redhat's Bugzilla: - -https://bugzilla.redhat.com/attachment.cgi?id=337747 - ---- jbig2dec/jbig2_symbol_dict.c.orig 2007-12-11 08:29:58.000000000 +0000 -+++ jbig2dec/jbig2_symbol_dict.c 2009-04-14 20:19:01.000000000 +0100 -@@ -699,6 +699,15 @@ - exrunlength = params->SDNUMEXSYMS; - else - code = jbig2_arith_int_decode(IAEX, as, &exrunlength); -+ if (exrunlength > params->SDNUMEXSYMS - j) { -+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, -+ "runlength too large in export symbol table (%d > %d - %d)\n", -+ exrunlength, params->SDNUMEXSYMS, j); -+ jbig2_sd_release(ctx, SDEXSYMS); -+ /* skip to the cleanup code and return SDEXSYMS = NULL */ -+ SDEXSYMS = NULL; -+ break; -+ } - for(k = 0; k < exrunlength; k++) - if (exflag) { - SDEXSYMS->glyphs[j++] = (i < m) ? diff --git a/print/ghostscript/patches/patch-ag b/print/ghostscript/patches/patch-ag index 4f798749a20..2896d330417 100644 --- a/print/ghostscript/patches/patch-ag +++ b/print/ghostscript/patches/patch-ag @@ -1,13 +1,13 @@ -$NetBSD: patch-ag,v 1.3 2009/02/12 19:51:08 drochner Exp $ +$NetBSD: patch-ag,v 1.4 2009/08/31 20:12:20 wiz Exp $ ---- cups/cups.mak.orig 2009-02-06 18:58:54.000000000 +0100 +--- cups/cups.mak.orig 2009-03-07 21:46:16.000000000 +0000 +++ cups/cups.mak -@@ -49,7 +49,7 @@ pdftoraster: $(PDFTORASTER_XE) - pdftoraster_=cups/pdftoraster.c +@@ -51,7 +51,7 @@ pdftoraster_=cups/pdftoraster.c $(PDFTORASTER_XE): $(pdftoraster_) -- $(GLCC) `cups-config --image --libs` -DBINDIR='"$(bindir)"' -DGS='"$(GS)"' -o $@ $(pdftoraster_) -+ $(GLCC) `cups-config --ldflags --image --libs` -DBINDIR='"$(bindir)"' -DGS='"$(GS)"' -o $@ $(pdftoraster_) + if [ "$(CUPSPDFTORASTER)" = "1" ]; then \ +- $(GLCC) $(LDFLAGS) -DBINDIR='"$(bindir)"' -DGS='"$(GS)"' -o $@ $(pdftoraster_) `cups-config --image --libs`; \ ++ $(GLCC) $(LDFLAGS) -DBINDIR='"$(bindir)"' -DGS='"$(GS)"' -o $@ $(pdftoraster_) `cups-config --ldflags --image --libs`; \ + fi install: install-cups - diff --git a/print/ghostscript/patches/patch-aj b/print/ghostscript/patches/patch-aj deleted file mode 100644 index 0626660c1a1..00000000000 --- a/print/ghostscript/patches/patch-aj +++ /dev/null @@ -1,1153 +0,0 @@ -$NetBSD: patch-aj,v 1.4 2009/04/17 15:05:31 drochner Exp $ - ---- icclib/icc.c.orig 2008-05-09 06:12:01.000000000 +0200 -+++ icclib/icc.c -@@ -152,6 +152,8 @@ - * Various bug fixes and enhancements. - */ - -+#include <limits.h> -+#include <stdint.h> - #include <stdio.h> - #include <stdlib.h> - #include <stdarg.h> -@@ -313,8 +315,11 @@ size_t count - icmFileMem *p = (icmFileMem *)pp; - size_t len; - -+ if (count > 0 && size > SIZE_MAX / count) -+ return 0; -+ - len = size * count; -- if ((p->cur + len) >= p->end) { /* Too much */ -+ if (len > (p->end - p->cur)) { /* Too much */ - if (size > 0) - count = (p->end - p->cur)/size; - else -@@ -1634,6 +1639,8 @@ static int icmUInt8Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt8Array_write malloc() failed"); - return icp->errc = 2; -@@ -1698,7 +1705,7 @@ static int icmUInt8Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { -+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { - sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed"); - return icp->errc = 2; - } -@@ -1749,6 +1756,10 @@ static unsigned int icmUInt16Array_get_s - icmUInt16Array *p = (icmUInt16Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 2) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 2; /* 2 bytes for each UInt16 */ - return len; - } -@@ -1821,6 +1832,8 @@ static int icmUInt16Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt16Array_write malloc() failed"); - return icp->errc = 2; -@@ -1885,7 +1898,7 @@ static int icmUInt16Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { -+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { - sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed"); - return icp->errc = 2; - } -@@ -1936,6 +1949,10 @@ static unsigned int icmUInt32Array_get_s - icmUInt32Array *p = (icmUInt32Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 4) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 4; /* 4 bytes for each UInt32 */ - return len; - } -@@ -2008,6 +2025,8 @@ static int icmUInt32Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt32Array_write malloc() failed"); - return icp->errc = 2; -@@ -2072,7 +2091,7 @@ static int icmUInt32Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { -+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { - sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed"); - return icp->errc = 2; - } -@@ -2123,6 +2142,10 @@ static unsigned int icmUInt64Array_get_s - icmUInt64Array *p = (icmUInt64Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 8) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 8; /* 8 bytes for each UInt64 */ - return len; - } -@@ -2195,6 +2218,8 @@ static int icmUInt64Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUInt64Array_write malloc() failed"); - return icp->errc = 2; -@@ -2259,7 +2284,7 @@ static int icmUInt64Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) { -+ if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) { - sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed"); - return icp->errc = 2; - } -@@ -2310,6 +2335,10 @@ static unsigned int icmU16Fixed16Array_g - icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 4) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->size * 4; /* 4 byte for each U16Fixed16 */ - return len; - } -@@ -2382,6 +2411,8 @@ static int icmU16Fixed16Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed"); - return icp->errc = 2; -@@ -2446,7 +2477,7 @@ static int icmU16Fixed16Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { -+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { - sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed"); - return icp->errc = 2; - } -@@ -2497,6 +2528,10 @@ static unsigned int icmS15Fixed16Array_g - icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 4) { -+ p->icp->errc = 1; -+ return (unsigned int) - 1; -+ } - len += p->size * 4; /* 4 byte for each S15Fixed16 */ - return len; - } -@@ -2569,6 +2604,8 @@ static int icmS15Fixed16Array_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed"); - return icp->errc = 2; -@@ -2633,7 +2670,7 @@ static int icmS15Fixed16Array_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { -+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { - sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed"); - return icp->errc = 2; - } -@@ -2726,6 +2763,10 @@ static unsigned int icmXYZArray_get_size - icmXYZArray *p = (icmXYZArray *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->size > (UINT_MAX - len) / 12) { -+ p->icp->errc = 1; -+ return (unsigned int) - 1; -+ } - len += p->size * 12; /* 12 bytes for each XYZ */ - return len; - } -@@ -2798,6 +2839,8 @@ static int icmXYZArray_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmXYZArray_write malloc() failed"); - return icp->errc = 2; -@@ -2865,7 +2908,7 @@ static int icmXYZArray_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) { -+ if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) { - sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed"); - return icp->errc = 2; - } -@@ -2939,7 +2982,7 @@ static int icmCurve_lookup_fwd( - rv |= 1; - } - ix = (int)floor(val); /* Coordinate */ -- if (ix > (p->size-2)) -+ if (ix < 0 || ix > (p->size-2)) - ix = (p->size-2); - w = val - (double)ix; /* weight */ - val = p->data[ix]; -@@ -2961,6 +3004,11 @@ static int icmTable_setup_bwd( - ) { - int i; - -+ if (size > INT_MAX - 2) -+ /* Although rt->size is unsigned long, the rt data -+ * structure uses int data types to store indices. */ -+ return 2; -+ - rt->size = size; /* Stash pointers to these away */ - rt->data = data; - -@@ -2979,7 +3027,7 @@ static int icmTable_setup_bwd( - rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */ - - /* Initialize the reverse lookup structures, and get overall min/max */ -- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) { -+ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) { - return 2; - } - -@@ -2992,6 +3040,15 @@ static int icmTable_setup_bwd( - int t; - t = s; s = e; e = t; - } -+ /* s and e should both be in the range [0,rt->rsize] -+ * now, but let's not rely on floating point -+ * calculations -- double-check. */ -+ if (s < 0) -+ s = 0; -+ if (e < 0) -+ e = 0; -+ if (s >= rt->rsize) -+ s = rt->rsize-1; - if (e >= rt->rsize) - e = rt->rsize-1; - -@@ -3001,7 +3058,7 @@ static int icmTable_setup_bwd( - int nf; /* Next free slot */ - if (rt->rlists[j] == NULL) { /* No allocation */ - as = 5; /* Start with space for 5 */ -- if ((rt->rlists[j] = (int *) icp->al->malloc(icp->al, sizeof(int) * as)) == NULL) { -+ if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) { - return 2; - } - rt->rlists[j][0] = as; -@@ -3010,6 +3067,9 @@ static int icmTable_setup_bwd( - as = rt->rlists[j][0]; /* Allocate space for this list */ - nf = rt->rlists[j][1]; /* Next free location in list */ - if (nf >= as) { /* need to expand space */ -+ if (as > INT_MAX / 2 / sizeof (int)) -+ return 2; -+ - as *= 2; - rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as); - if (rt->rlists[j] == NULL) { -@@ -3061,7 +3121,7 @@ static int icmTable_lookup_bwd( - val = rsize_1; - ix = (int)floor(val); /* Coordinate */ - -- if (ix > (rt->size-2)) -+ if (ix < 0 || ix > (rt->size-2)) - ix = (rt->size-2); - if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */ - /* For each candidate forward range */ -@@ -3088,6 +3148,7 @@ static int icmTable_lookup_bwd( - /* We have failed to find an exact value, so return the nearest value */ - /* (This is slow !) */ - val = fabs(ival - rt->data[0]); -+ /* rt->size is known to be < INT_MAX */ - for (k = 0, i = 1; i < rt->size; i++) { - double er; - er = fabs(ival - rt->data[i]); -@@ -3141,6 +3202,10 @@ static unsigned int icmCurve_get_size( - icmCurve *p = (icmCurve *)pp; - unsigned int len = 0; - len += 12; /* 12 bytes for tag, padding and count */ -+ if (p->size > (UINT_MAX - len) / 2) { -+ p->icp->errc = 1; -+ return (unsigned int) - 1; -+ } - len += p->size * 2; /* 2 bytes for each UInt16 */ - return len; - } -@@ -3238,6 +3303,8 @@ static int icmCurve_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmCurve_write malloc() failed"); - return icp->errc = 2; -@@ -3347,7 +3414,7 @@ static int icmCurve_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { -+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { - sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed"); - return icp->errc = 2; - } -@@ -3493,6 +3560,8 @@ static int icmData_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmData_write malloc() failed"); - return icp->errc = 2; -@@ -3620,7 +3689,7 @@ static int icmData_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) { -+ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) { - sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed"); - return icp->errc = 2; - } -@@ -3745,6 +3814,8 @@ static int icmText_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmText_write malloc() failed"); - return icp->errc = 2; -@@ -3834,7 +3905,7 @@ static int icmText_allocate( - if (p->size != p->_size) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { -+ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { - sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed"); - return icp->errc = 2; - } -@@ -4038,6 +4109,8 @@ static int icmDateTimeNumber_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmDateTimeNumber_write malloc() failed"); - return icp->errc = 2; -@@ -4128,11 +4201,15 @@ static icmBase *new_icmDateTimeNumber( - /* icmLut object */ - - /* Utility function - raise one integer to an integer power */ --static unsigned int uipow(unsigned int a, unsigned int b) { -+static int uipow(unsigned int a, unsigned int b, unsigned int *ret) { - unsigned int rv = 1; -- for (; b > 0; b--) -+ for (; b > 0; b--) { -+ if (a > 0 && rv > UINT_MAX / a) -+ return 1; - rv *= a; -- return rv; -+ } -+ *ret = rv; -+ return 0; - } - - /* - - - - - - - - - - - - - - - - */ -@@ -4242,7 +4319,7 @@ double *in /* Input array[inputChan] */ - rv |= 1; - } - ix = (int)floor(val); /* Grid coordinate */ -- if (ix > (p->inputEnt-2)) -+ if (ix < 0 || ix > (p->inputEnt-2)) - ix = (p->inputEnt-2); - w = val - (double)ix; /* weight */ - val = table[ix]; -@@ -4268,7 +4345,7 @@ double *in /* Input array[outputChan] * - if (p->inputChan <= 8) { - gw = GW; /* Use stack allocation */ - } else { -- if ((gw = (double *) icp->al->malloc(icp->al, (1 << p->inputChan) * sizeof(double))) == NULL) { -+ if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) { - sprintf(icp->err,"icmLut_lookup_clut: malloc() failed"); - return icp->errc = 2; - } -@@ -4301,7 +4378,7 @@ double *in /* Input array[outputChan] * - rv |= 1; - } - x = (int)floor(val); /* Grid coordinate */ -- if (x > clutPoints_2) -+ if (x < 0 || x > clutPoints_2) - x = clutPoints_2; - co[e] = val - (double)x; /* 1.0 - weight */ - gp += x * p->dinc[e]; /* Add index offset for base of cube */ -@@ -4374,7 +4451,7 @@ double *in /* Input array[outputChan] * - rv |= 1; - } - x = (int)floor(val); /* Grid coordinate */ -- if (x > clutPoints_2) -+ if (x < 0 || x > clutPoints_2) - x = clutPoints_2; - co[e] = val - (double)x; /* 1.0 - weight */ - gp += x * p->dinc[e]; /* Add index offset for base of cube */ -@@ -4447,7 +4524,7 @@ double *in /* Input array[outputChan] * - rv |= 1; - } - ix = (int)floor(val); /* Grid coordinate */ -- if (ix > (p->outputEnt-2)) -+ if (ix < 0 || ix > (p->outputEnt-2)) - ix = (p->outputEnt-2); - w = val - (double)ix; /* weight */ - val = table[ix]; -@@ -4819,19 +4896,50 @@ static unsigned int icmLut_get_size( - ) { - icmLut *p = (icmLut *)pp; - unsigned int len = 0; -+ unsigned int pw; - - if (p->ttype == icSigLut8Type) { - len += 48; /* tag and header */ -+ if (p->inputChan > 0 && -+ p->inputEnt > (UINT_MAX - len) / p->inputChan / 1) -+ goto overflow; -+ - len += 1 * (p->inputChan * p->inputEnt); -- len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan, &pw) || -+ (p->outputChan > 0 && -+ pw > (UINT_MAX - len) / p->outputChan / 1)) -+ goto overflow; -+ -+ len += 1 * (p->outputChan * pw); -+ if (p->outputChan > 0 && -+ p->outputEnt > (UINT_MAX - len) / p->outputChan / 1) -+ goto overflow; -+ - len += 1 * (p->outputChan * p->outputEnt); - } else { - len += 52; /* tag and header */ -+ if (p->inputChan > 0 && -+ p->inputEnt > (UINT_MAX - len) / p->inputChan / 2) -+ goto overflow; -+ - len += 2 * (p->inputChan * p->inputEnt); -- len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan, &pw) || -+ (p->outputChan > 0 && -+ pw > (UINT_MAX - len) / p->outputChan / 2)) -+ goto overflow; -+ -+ len += 2 * (p->outputChan * pw); -+ if (p->outputChan > 0 && -+ p->outputEnt > (UINT_MAX - len) / p->outputChan / 2) -+ goto overflow; -+ - len += 2 * (p->outputChan * p->outputEnt); - } - return len; -+ -+ overflow: -+ p->icp->errc = 1; -+ return (unsigned int) -1; - } - - /* read the object, return 0 on success, error code on fail */ -@@ -4844,6 +4952,7 @@ static int icmLut_read( - icc *icp = p->icp; - int rv = 0; - unsigned long i, j, g, size; -+ unsigned int pw; - char *bp, *buf; - - if (len < 4) { -@@ -4904,6 +5013,11 @@ static int icmLut_read( - return icp->errc = 1; - } - -+ if (p->clutPoints > 100) { -+ sprintf(icp->err,"icmLut_read: too many clutPoints"); -+ return icp->errc = 1; -+ } -+ - /* Read 3x3 transform matrix */ - for (j = 0; j < 3; j++) { /* Rows */ - for (i = 0; i < 3; i++) { /* Columns */ -@@ -4921,13 +5035,18 @@ static int icmLut_read( - bp = buf+52; - } - -- if (len < icmLut_get_size((icmBase *)p)) { -+ if (len < icmLut_get_size((icmBase *)p) || icp->errc) { - sprintf(icp->err,"icmLut_read: Tag too small for contents"); - icp->al->free(icp->al, buf); - return icp->errc = 1; - } - - /* Read the input tables */ -+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { -+ sprintf(icp->err,"icmLut_read: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->inputChan * p->inputEnt); - if ((rv = p->allocate((icmBase *)p)) != 0) { - icp->al->free(icp->al, buf); -@@ -4942,7 +5061,14 @@ static int icmLut_read( - } - - /* Read the clut table */ -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ sprintf(icp->err,"icmLut_read: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } -+ size = (p->outputChan * pw); - if ((rv = p->allocate((icmBase *)p)) != 0) { - icp->al->free(icp->al, buf); - return rv; -@@ -4956,6 +5082,11 @@ static int icmLut_read( - } - - /* Read the output tables */ -+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { -+ sprintf(icp->err,"icmLut_read: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->outputChan * p->outputEnt); - if ((rv = p->allocate((icmBase *)p)) != 0) { - icp->al->free(icp->al, buf); -@@ -4995,12 +5126,14 @@ static int icmLut_write( - icmLut *p = (icmLut *)pp; - icc *icp = p->icp; - unsigned long i,j; -- unsigned int len, size; -+ unsigned int len, size, pw; - char *bp, *buf; /* Buffer to write from */ - int rv = 0; - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmLut_write malloc() failed"); - return icp->errc = 2; -@@ -5066,6 +5199,11 @@ static int icmLut_write( - } - - /* Write the input tables */ -+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { -+ sprintf(icp->err,"icmLut_write: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->inputChan * p->inputEnt); - if (p->ttype == icSigLut8Type) { - for (i = 0; i < size; i++, bp += 1) { -@@ -5086,7 +5224,14 @@ static int icmLut_write( - } - - /* Write the clut table */ -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ sprintf(icp->err,"icmLut_write: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } -+ size = (p->outputChan * pw); - if (p->ttype == icSigLut8Type) { - for (i = 0; i < size; i++, bp += 1) { - if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) { -@@ -5106,6 +5251,11 @@ static int icmLut_write( - } - - /* Write the output tables */ -+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { -+ sprintf(icp->err,"icmLut_write: overflow"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } - size = (p->outputChan * p->outputEnt); - if (p->ttype == icSigLut8Type) { - for (i = 0; i < size; i++, bp += 1) { -@@ -5177,7 +5327,14 @@ static void icmLut_dump( - if (p->inputChan > MAX_CHAN) { - fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN); - } else { -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ unsigned int pw; -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ fprintf(op,"Would overflow.\n"); -+ return; -+ } -+ size = (p->outputChan * pw); - for (j = 0; j < p->inputChan; j++) - ii[j] = 0; - for (i = 0; i < size;) { -@@ -5216,7 +5373,7 @@ static void icmLut_dump( - static int icmLut_allocate( - icmBase *pp - ) { -- unsigned int i, j, g, size; -+ unsigned int i, j, g, size, pw; - icmLut *p = (icmLut *)pp; - icc *icp = p->icp; - -@@ -5231,6 +5388,10 @@ static int icmLut_allocate( - return icp->errc = 1; - } - -+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { -+ sprintf(icp->err,"icmLut_alloc: too many entries"); -+ return icp->errc = 1; -+ } - size = (p->inputChan * p->inputEnt); - if (size != p->inputTable_size) { - if (p->inputTable != NULL) -@@ -5241,7 +5402,13 @@ static int icmLut_allocate( - } - p->inputTable_size = size; - } -- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); -+ if (uipow(p->clutPoints,p->inputChan,&pw) || -+ (p->outputChan > 0 && -+ pw > UINT_MAX / p->outputChan)) { -+ sprintf(icp->err,"icmLut_alloc: overflow"); -+ return icp->errc = 1; -+ } -+ size = (p->outputChan * pw); - if (size != p->clutTable_size) { - if (p->clutTable != NULL) - icp->al->free(icp->al, p->clutTable); -@@ -5251,6 +5418,10 @@ static int icmLut_allocate( - } - p->clutTable_size = size; - } -+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { -+ sprintf(icp->err,"icmLut_alloc: overflow"); -+ return icp->errc = 1; -+ } - size = (p->outputChan * p->outputEnt); - if (size != p->outputTable_size) { - if (p->outputTable != NULL) -@@ -5441,6 +5612,8 @@ static int icmMeasurement_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmMeasurement_write malloc() failed"); - return icp->errc = 2; -@@ -5712,13 +5885,20 @@ static unsigned int icmNamedColor_get_si - len += p->nDeviceCoords * 1; /* bytes for each named color */ - } - } else { /* Named Color 2 */ -+ unsigned int col; - len += 8; /* 8 bytes for tag and padding */ - len += 4; /* 4 for vendor specific flags */ - len += 4; /* 4 for count of named colors */ - len += 4; /* 4 for number of device coords */ - len += 32; /* 32 for prefix of color names */ - len += 32; /* 32 for suffix of color names */ -- len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */ -+ col = 32 + 6 + p->nDeviceCoords * 2; -+ if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 || -+ (p->count > 0 && col > (UINT_MAX - len) / p->count)) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } -+ len += p->count * col; /* bytes for each named color */ - } - return len; - } -@@ -5882,6 +6062,8 @@ static int icmNamedColor_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmNamedColor_write malloc() failed"); - return icp->errc = 2; -@@ -6109,9 +6291,22 @@ static unsigned int icmTextDescription_g - ) { - icmTextDescription *p = (icmTextDescription *)pp; - unsigned int len = 0; -+ if (p->size > UINT_MAX - (8 + 4 + 8)) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += 8; /* 8 bytes for tag and padding */ - len += 4 + p->size; /* Ascii string length + ascii string */ -- len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */ -+ len += 8; /* Unicode language code + length */ -+ if (p->ucSize > (UINT_MAX - len) / 2) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } -+ len += 2 * p->ucSize; /* Unicode string */ -+ if (len > (UINT_MAX - (3 + 67))) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += 3 + 67; /* ScriptCode code, length string */ - return len; - } -@@ -6294,6 +6489,8 @@ static int icmTextDescription_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmTextDescription_write malloc() failed"); - return icp->errc = 2; -@@ -6535,7 +6732,7 @@ static int icmTextDescription_allocate( - if (p->size != p->_size) { - if (p->desc != NULL) - icp->al->free(icp->al, p->desc); -- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { -+ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { - sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed"); - return icp->errc = 2; - } -@@ -6544,7 +6741,7 @@ static int icmTextDescription_allocate( - if (p->ucSize != p->uc_size) { - if (p->ucDesc != NULL) - icp->al->free(icp->al, p->ucDesc); -- if ((p->ucDesc = (ORD16 *) icp->al->malloc(icp->al, p->ucSize * sizeof(ORD16))) == NULL) { -+ if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) { - sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed"); - return icp->errc = 2; - } -@@ -6820,6 +7017,12 @@ static int icmProfileSequenceDesc_read( - bp += 8; /* Skip padding */ - - p->count = read_UInt32Number(bp); /* Number of sequence descriptions */ -+ if (p->count > 1000) { -+ sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions"); -+ icp->al->free(icp->al, buf); -+ return icp->errc = 1; -+ } -+ - bp += 4; - - /* Read all the sequence descriptions */ -@@ -6852,6 +7055,8 @@ static int icmProfileSequenceDesc_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed"); - return icp->errc = 2; -@@ -6922,7 +7127,7 @@ static int icmProfileSequenceDesc_alloca - if (p->count != p->_count) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmDescStruct *) icp->al->malloc(icp->al, p->count * sizeof(icmDescStruct))) == NULL) { -+ if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) { - sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed"); - return icp->errc = 2; - } -@@ -7041,6 +7246,8 @@ static int icmSignature_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmSignature_write malloc() failed"); - return icp->errc = 2; -@@ -7156,6 +7363,10 @@ static unsigned int icmScreening_get_siz - icmScreening *p = (icmScreening *)pp; - unsigned int len = 0; - len += 16; /* 16 bytes for tag, padding, flag & channeles */ -+ if (p->channels > (UINT_MAX - len) / 12) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += p->channels * 12; /* 12 bytes for each channel */ - return len; - } -@@ -7235,6 +7446,8 @@ static int icmScreening_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmScreening_write malloc() failed"); - return icp->errc = 2; -@@ -7315,7 +7528,7 @@ static int icmScreening_allocate( - if (p->channels != p->_channels) { - if (p->data != NULL) - icp->al->free(icp->al, p->data); -- if ((p->data = (icmScreeningData *) icp->al->malloc(icp->al, p->channels * sizeof(icmScreeningData))) == NULL) { -+ if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) { - sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed"); - return icp->errc = 2; - } -@@ -7366,10 +7579,20 @@ static unsigned int icmUcrBg_get_size( - icmUcrBg *p = (icmUcrBg *)pp; - unsigned int len = 0; - len += 8; /* 8 bytes for tag and padding */ -+ if (p->UCRcount > (UINT_MAX - len - 4) / 2) -+ goto overflow; -+ - len += 4 + p->UCRcount * 2; /* Undercolor Removal */ -+ if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2) -+ goto overflow; -+ - len += 4 + p->BGcount * 2; /* Black Generation */ - len += p->size; /* Description string */ - return len; -+ -+ overflow: -+ p->icp->errc = 1; -+ return (unsigned int) -1; - } - - /* read the object, return 0 on success, error code on fail */ -@@ -7498,6 +7721,8 @@ static int icmUcrBg_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmUcrBg_write malloc() failed"); - return icp->errc = 2; -@@ -7663,7 +7888,7 @@ static int icmUcrBg_allocate( - if (p->UCRcount != p->UCR_count) { - if (p->UCRcurve != NULL) - icp->al->free(icp->al, p->UCRcurve); -- if ((p->UCRcurve = (double *) icp->al->malloc(icp->al, p->UCRcount * sizeof(double))) == NULL) { -+ if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) { - sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed"); - return icp->errc = 2; - } -@@ -7672,7 +7897,7 @@ static int icmUcrBg_allocate( - if (p->BGcount != p->BG_count) { - if (p->BGcurve != NULL) - icp->al->free(icp->al, p->BGcurve); -- if ((p->BGcurve = (double *) icp->al->malloc(icp->al, p->BGcount * sizeof(double))) == NULL) { -+ if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) { - sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed"); - return icp->errc = 2; - } -@@ -7681,7 +7906,7 @@ static int icmUcrBg_allocate( - if (p->size != p->_size) { - if (p->string != NULL) - icp->al->free(icp->al, p->string); -- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { -+ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { - sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed"); - return icp->errc = 2; - } -@@ -7743,6 +7968,15 @@ static unsigned int icmVideoCardGamma_ge - len += 2; /* 2 bytes for channels */ - len += 2; /* 2 for entry count */ - len += 2; /* 2 for entry size */ -+ if (p->u.table.entryCount > 0 && -+ p->u.table.entrySize > 0 && -+ p->u.table.channels > -+ (UINT_MAX - len) / -+ p->u.table.entryCount / -+ p->u.table.entrySize) { -+ p->icp->errc = 1; -+ return (unsigned int) -1; -+ } - len += ( p->u.table.channels * /* compute table size */ - p->u.table.entryCount * - p->u.table.entrySize ); -@@ -7762,10 +7996,11 @@ static int icmVideoCardGamma_read( - ) { - icmVideoCardGamma *p = (icmVideoCardGamma *)pp; - icc *icp = p->icp; -- int rv, c; -+ int rv; - char *bp, *buf; - unsigned char *pchar; - unsigned short *pshort; -+ unsigned long c; - - if (len < 18) { - sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); -@@ -7803,6 +8038,16 @@ static int icmVideoCardGamma_read( - p->u.table.channels = read_UInt16Number(bp+12); - p->u.table.entryCount = read_UInt16Number(bp+14); - p->u.table.entrySize = read_UInt16Number(bp+16); -+ if (p->u.table.entrySize > 65530 || p->u.table.entrySize == 0) { -+ sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)"); -+ return icp->errc = 1; -+ } -+ if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 && -+ p->u.table.channels > -+ UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) { -+ sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag"); -+ return icp->errc = 1; -+ } - if (len-18 < p->u.table.channels*p->u.table.entryCount*p->u.table.entrySize) { - sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); - return icp->errc = 1; -@@ -7871,6 +8116,8 @@ static int icmVideoCardGamma_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmViewingConditions_write malloc() failed"); - return icp->errc = 2; -@@ -8049,7 +8296,7 @@ static int icmVideoCardGamma_allocate( - ) { - icmVideoCardGamma *p = (icmVideoCardGamma *)pp; - icc *icp = p->icp; -- int size; -+ unsigned int size; - - /* note: allocation is only relevant for table type - * and in that case the channels, entryCount, and entrySize -@@ -8059,6 +8306,11 @@ static int icmVideoCardGamma_allocate( - if (p->tagType == icmVideoCardGammaTableType) { - if (p->u.table.data != NULL) - icp->al->free(icp->al, p->u.table.data); -+ if (p->u.table.entryCount > 0 && -+ p->u.table.channels > UINT_MAX / p->u.table.entryCount) { -+ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); -+ return icp->errc = 1; -+ } - size = (p->u.table.channels * - p->u.table.entryCount); - switch (p->u.table.entrySize) { -@@ -8066,6 +8318,10 @@ static int icmVideoCardGamma_allocate( - size *= sizeof(unsigned char); - break; - case 2: -+ if (size > UINT_MAX / sizeof(unsigned short)) { -+ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); -+ return icp->errc = 1; -+ } - size *= sizeof(unsigned short); - break; - default: -@@ -8201,6 +8457,8 @@ static int icmViewingConditions_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmViewingConditions_write malloc() failed"); - return icp->errc = 2; -@@ -8433,6 +8691,8 @@ static int icmCrdInfo_write( - - /* Allocate a file write buffer */ - len = p->get_size((icmBase *)p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { - sprintf(icp->err,"icmCrdInfo_write malloc() failed"); - return icp->errc = 2; -@@ -8585,7 +8845,7 @@ static int icmCrdInfo_allocate( - if (p->ppsize != p->_ppsize) { - if (p->ppname != NULL) - icp->al->free(icp->al, p->ppname); -- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) { -+ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) { - sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed"); - return icp->errc = 2; - } -@@ -8595,7 +8855,7 @@ static int icmCrdInfo_allocate( - if (p->crdsize[t] != p->_crdsize[t]) { - if (p->crdname[t] != NULL) - icp->al->free(icp->al, p->crdname[t]); -- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) { -+ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) { - sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t); - return icp->errc = 2; - } -@@ -8736,6 +8996,8 @@ static int icmHeader_write( - int rv = 0; - - len = p->get_size(p); -+ if (icp->errc) -+ return icp->errc; - if ((buf = (char *) icp->al->calloc(icp->al,1,len)) == NULL) { /* Zero it - some CMS are fussy */ - sprintf(icp->err,"icmHeader_write calloc() failed"); - return icp->errc = 2; -@@ -9245,13 +9507,23 @@ static int icc_read( - } - - p->count = read_UInt32Number(tcbuf); /* Tag count */ -+ if (p->count > 100) { -+ sprintf(p->err,"icc_read: too many table tags"); -+ return p->errc = 1; -+ } - if (p->count > 0) { - char *bp, *buf; -- if ((p->data = (icmTag *) p->al->malloc(p->al, p->count * sizeof(icmTag))) == NULL) { -+ if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) { - sprintf(p->err,"icc_read: Tag table malloc() failed"); - return p->errc = 2; - } - -+ if (p->count > (UINT_MAX - 4) / 12) { -+ sprintf(p->err,"icc_read: overflow"); -+ p->al->free(p->al, p->data); -+ p->data = NULL; -+ return p->errc = 1; -+ } - len = 4 + p->count * 12; - if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) { - sprintf(p->err,"icc_read: Tag table read buffer malloc() failed"); -@@ -9281,6 +9553,14 @@ static int icc_read( - return p->errc = 1; - } - p->data[i].size = read_UInt32Number(bp + 8); -+ if (p->data[i].offset + p->data[i].size > -+ p->header->size) { -+ sprintf(p->err,"icc_read: tag out of bounds"); -+ p->al->free(p->al, p->data); -+ p->data = NULL; -+ p->al->free(p->al, buf); -+ return p->errc = 1; -+ } - if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0 - || p->fp->read(p->fp, tcbuf, 1, 4) != 4) { - sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers"); -@@ -9321,8 +9601,14 @@ static unsigned int icc_get_size( - } - - size += p->header->get_size(p->header); -+ if (p->errc) -+ return (unsigned int) -1; - - size = DO_ALIGN(size); -+ if (size == 0 || p->count > (UINT_MAX - 4 - size) / 12) { -+ p->errc = 1; -+ return (unsigned int) -1; -+ } - size += 4 + p->count * 12; /* Tag table length */ - - /* Reset touched flag for each tag type */ -@@ -9337,8 +9623,13 @@ static unsigned int icc_get_size( - /* Get size for each tag type, skipping links */ - for (i = 0; i < p->count; i++) { - if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */ -+ unsigned int obj_size; - size = DO_ALIGN(size); -- size += p->data[i].objp->get_size(p->data[i].objp); -+ obj_size = p->data[i].objp->get_size(p->data[i].objp); -+ if (size == 0 || p->errc || -+ obj_size > UINT_MAX - size) -+ return (unsigned int) -1; -+ size += obj_size; - p->data[i].objp->touched = 1; /* Don't account for this again */ - } - } -@@ -9373,9 +9664,19 @@ static int icc_write( - } - - size += p->header->get_size(p->header); -+ if (p->errc) -+ return p->errc; - -+ if (p->count > (UINT_MAX - 4 - len) / 12) { -+ sprintf(p->err,"icc_write: too many tags"); -+ return p->errc = 1; -+ } - len = 4 + p->count * 12; /* Tag table length */ - size = DO_ALIGN(size); -+ if (size == 0 || size > UINT_MAX - len) { -+ sprintf(p->err,"icc_write: overflow writing tag table"); -+ return p->errc = 1; -+ } - size += len; - - /* Allocate memory buffer for tag table */ -@@ -9406,6 +9707,12 @@ static int icc_write( - size = DO_ALIGN(size); - p->data[i].offset = size; /* Profile relative target */ - p->data[i].size = p->data[i].objp->get_size(p->data[i].objp); -+ if (size == 0 || -+ p->errc || p->data[i].size > UINT_MAX - size) { -+ sprintf(p->err,"icc_write: internal error - overflow?"); -+ p->al->free(p->al, buf); -+ return p->errc; -+ } - size += p->data[i].size; - p->data[i].objp->touched = 1; /* Allocated space for it */ - } else { /* must be linked - copy allocation */ -@@ -9529,6 +9836,11 @@ static icmBase *icc_add_tag( - } - - /* Make space in tag table for new tag item */ -+ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { -+ sprintf(p->err,"icc_add_tag: overflow"); -+ p->errc = 1; -+ return NULL; -+ } - if (p->data == NULL) - tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); - else -@@ -9612,6 +9924,11 @@ static icmBase *icc_link_tag( - } - - /* Make space in tag table for new tag item */ -+ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { -+ sprintf(p->err,"icc_link_tag: overflow"); -+ p->errc = 1; -+ return NULL; -+ } - if (p->data == NULL) - tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); - else |