1 --- ghostscript-8.64/icclib/icc.c.CVE-2009-0792 2009-04-03 16:24:27.000000000 +0100 |
|
2 +++ ghostscript-8.64/icclib/icc.c 2009-04-03 16:24:45.000000000 +0100 |
|
3 @@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd( |
|
4 ) { |
|
5 int i; |
|
6 |
|
7 + if (size > INT_MAX - 2) |
|
8 + /* Although rt->size is unsigned long, the rt data |
|
9 + * structure uses int data types to store indices. */ |
|
10 + return 2; |
|
11 + |
|
12 rt->size = size; /* Stash pointers to these away */ |
|
13 rt->data = data; |
|
14 |
|
15 @@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd( |
|
16 rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */ |
|
17 |
|
18 /* Initialize the reverse lookup structures, and get overall min/max */ |
|
19 - if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) { |
|
20 + if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) { |
|
21 return 2; |
|
22 } |
|
23 |
|
24 @@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd( |
|
25 int t; |
|
26 t = s; s = e; e = t; |
|
27 } |
|
28 + /* s and e should both be in the range [0,rt->rsize] |
|
29 + * now, but let's not rely on floating point |
|
30 + * calculations -- double-check. */ |
|
31 + if (s < 0) |
|
32 + s = 0; |
|
33 + if (e < 0) |
|
34 + e = 0; |
|
35 + if (s >= rt->rsize) |
|
36 + s = rt->rsize-1; |
|
37 if (e >= rt->rsize) |
|
38 e = rt->rsize-1; |
|
39 |
|
40 @@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd( |
|
41 as = rt->rlists[j][0]; /* Allocate space for this list */ |
|
42 nf = rt->rlists[j][1]; /* Next free location in list */ |
|
43 if (nf >= as) { /* need to expand space */ |
|
44 + if (as > INT_MAX / 2 / sizeof (int)) |
|
45 + return 2; |
|
46 + |
|
47 as *= 2; |
|
48 rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as); |
|
49 if (rt->rlists[j] == NULL) { |
|
50 @@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd( |
|
51 val = rsize_1; |
|
52 ix = (int)floor(val); /* Coordinate */ |
|
53 |
|
54 - if (ix > (rt->size-2)) |
|
55 + if (ix < 0 || ix > (rt->size-2)) |
|
56 ix = (rt->size-2); |
|
57 if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */ |
|
58 /* For each candidate forward range */ |
|
59 @@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd( |
|
60 /* We have failed to find an exact value, so return the nearest value */ |
|
61 /* (This is slow !) */ |
|
62 val = fabs(ival - rt->data[0]); |
|
63 + /* rt->size is known to be < INT_MAX */ |
|
64 for (k = 0, i = 1; i < rt->size; i++) { |
|
65 double er; |
|
66 er = fabs(ival - rt->data[i]); |
|
67 @@ -3671,7 +3689,7 @@ static int icmData_allocate( |
|
68 if (p->size != p->_size) { |
|
69 if (p->data != NULL) |
|
70 icp->al->free(icp->al, p->data); |
|
71 - if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) { |
|
72 + if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) { |
|
73 sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed"); |
|
74 return icp->errc = 2; |
|
75 } |
|
76 @@ -3887,7 +3905,7 @@ static int icmText_allocate( |
|
77 if (p->size != p->_size) { |
|
78 if (p->data != NULL) |
|
79 icp->al->free(icp->al, p->data); |
|
80 - if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { |
|
81 + if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { |
|
82 sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed"); |
|
83 return icp->errc = 2; |
|
84 } |
|
85 @@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate( |
|
86 if (p->size != p->_size) { |
|
87 if (p->desc != NULL) |
|
88 icp->al->free(icp->al, p->desc); |
|
89 - if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { |
|
90 + if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { |
|
91 sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed"); |
|
92 return icp->errc = 2; |
|
93 } |
|
94 @@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate( |
|
95 if (p->size != p->_size) { |
|
96 if (p->string != NULL) |
|
97 icp->al->free(icp->al, p->string); |
|
98 - if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { |
|
99 + if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { |
|
100 sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed"); |
|
101 return icp->errc = 2; |
|
102 } |
|
103 @@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate( |
|
104 if (p->ppsize != p->_ppsize) { |
|
105 if (p->ppname != NULL) |
|
106 icp->al->free(icp->al, p->ppname); |
|
107 - if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) { |
|
108 + if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) { |
|
109 sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed"); |
|
110 return icp->errc = 2; |
|
111 } |
|
112 @@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate( |
|
113 if (p->crdsize[t] != p->_crdsize[t]) { |
|
114 if (p->crdname[t] != NULL) |
|
115 icp->al->free(icp->al, p->crdname[t]); |
|
116 - if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) { |
|
117 + if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) { |
|
118 sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t); |
|
119 return icp->errc = 2; |
|
120 } |
|
121 --- ghostscript-8.64/icclib/icc.c.orig 2009-04-08 07:40:43.000000000 -0400 |
|
122 +++ ghostscript-8.64/icclib/icc.c 2009-04-08 07:42:29.000000000 -0400 |
|
123 @@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd( |
|
124 rv |= 1; |
|
125 } |
|
126 ix = (int)floor(val); /* Coordinate */ |
|
127 - if (ix > (p->size-2)) |
|
128 + if (ix < 0 || ix > (p->size-2)) |
|
129 ix = (p->size-2); |
|
130 w = val - (double)ix; /* weight */ |
|
131 val = p->data[ix]; |
|
132 @@ -4319,7 +4319,7 @@ double *in /* Input array[inputChan] */ |
|
133 rv |= 1; |
|
134 } |
|
135 ix = (int)floor(val); /* Grid coordinate */ |
|
136 - if (ix > (p->inputEnt-2)) |
|
137 + if (ix < 0 || ix > (p->inputEnt-2)) |
|
138 ix = (p->inputEnt-2); |
|
139 w = val - (double)ix; /* weight */ |
|
140 val = table[ix]; |
|
141 @@ -4378,7 +4378,7 @@ double *in /* Input array[outputChan] * |
|
142 rv |= 1; |
|
143 } |
|
144 x = (int)floor(val); /* Grid coordinate */ |
|
145 - if (x > clutPoints_2) |
|
146 + if (x < 0 || x > clutPoints_2) |
|
147 x = clutPoints_2; |
|
148 co[e] = val - (double)x; /* 1.0 - weight */ |
|
149 gp += x * p->dinc[e]; /* Add index offset for base of cube */ |
|
150 @@ -4451,7 +4451,7 @@ double *in /* Input array[outputChan] * |
|
151 rv |= 1; |
|
152 } |
|
153 x = (int)floor(val); /* Grid coordinate */ |
|
154 - if (x > clutPoints_2) |
|
155 + if (x < 0 || x > clutPoints_2) |
|
156 x = clutPoints_2; |
|
157 co[e] = val - (double)x; /* 1.0 - weight */ |
|
158 gp += x * p->dinc[e]; /* Add index offset for base of cube */ |
|
159 @@ -4524,7 +4524,7 @@ double *in /* Input array[outputChan] * |
|
160 rv |= 1; |
|
161 } |
|
162 ix = (int)floor(val); /* Grid coordinate */ |
|
163 - if (ix > (p->outputEnt-2)) |
|
164 + if (ix < 0 || ix > (p->outputEnt-2)) |
|
165 ix = (p->outputEnt-2); |
|
166 w = val - (double)ix; /* weight */ |
|
167 val = table[ix]; |
|