Attachment #183782 for bug #261087

Lines 152-157 Link Here

(-)ghostscript-8.64/icclib/icc.c.CVE-2009-0583 (-34 / +319 lines)
152	* Various bug fixes and enhancements.	152	* Various bug fixes and enhancements.
153	*/	153	*/
154		154
		155	#include <limits.h>
		156	#include <stdint.h>
155	#include <stdio.h>	157	#include <stdio.h>
156	#include <stdlib.h>	158	#include <stdlib.h>
157	#include <stdarg.h>	159	#include <stdarg.h>
Lines 313-320 size_t count Link Here
313	icmFileMem p = (icmFileMem )pp;	315	icmFileMem p = (icmFileMem )pp;
314	size_t len;	316	size_t len;
315		317
		318	if (size > SIZE_MAX / count)
		319	return 0;
		320
316	len = size * count;	321	len = size * count;
317	if ((p->cur + len) >= p->end) { /* Too much */	322	if (len > (p->end - p->cur)) { /* Too much */
318	if (size > 0)	323	if (size > 0)
319	count = (p->end - p->cur)/size;	324	count = (p->end - p->cur)/size;
320	else	325	else
Lines 1634-1639 static int icmUInt8Array_write( Link Here
1634		1639
1635	/* Allocate a file write buffer */	1640	/* Allocate a file write buffer */
1636	len = p->get_size((icmBase *)p);	1641	len = p->get_size((icmBase *)p);
		1642	if (icp->errc)
		1643	return icp->errc;
1637	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	1644	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
1638	sprintf(icp->err,"icmUInt8Array_write malloc() failed");	1645	sprintf(icp->err,"icmUInt8Array_write malloc() failed");
1639	return icp->errc = 2;	1646	return icp->errc = 2;
Lines 1698-1704 static int icmUInt8Array_allocate( Link Here
1698	if (p->size != p->_size) {	1705	if (p->size != p->_size) {
1699	if (p->data != NULL)	1706	if (p->data != NULL)
1700	icp->al->free(icp->al, p->data);	1707	icp->al->free(icp->al, p->data);
1701	if ((p->data = (unsigned int ) icp->al->malloc(icp->al, p->size sizeof(unsigned int))) == NULL) {	1708	if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
1702	sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");	1709	sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");
1703	return icp->errc = 2;	1710	return icp->errc = 2;
1704	}	1711	}
Lines 1749-1754 static unsigned int icmUInt16Array_get_s Link Here
1749	icmUInt16Array p = (icmUInt16Array )pp;	1756	icmUInt16Array p = (icmUInt16Array )pp;
1750	unsigned int len = 0;	1757	unsigned int len = 0;
1751	len += 8; /* 8 bytes for tag and padding */	1758	len += 8; /* 8 bytes for tag and padding */
		1759	if (p->size > (UINT_MAX - len) / 2) {
		1760	p->icp->errc = 1;
		1761	return (unsigned int) -1;
		1762	}
1752	len += p->size * 2; /* 2 bytes for each UInt16 */	1763	len += p->size * 2; /* 2 bytes for each UInt16 */
1753	return len;	1764	return len;
1754	}	1765	}
Lines 1821-1826 static int icmUInt16Array_write( Link Here
1821		1832
1822	/* Allocate a file write buffer */	1833	/* Allocate a file write buffer */
1823	len = p->get_size((icmBase *)p);	1834	len = p->get_size((icmBase *)p);
		1835	if (icp->errc)
		1836	return icp->errc;
1824	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	1837	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
1825	sprintf(icp->err,"icmUInt16Array_write malloc() failed");	1838	sprintf(icp->err,"icmUInt16Array_write malloc() failed");
1826	return icp->errc = 2;	1839	return icp->errc = 2;
Lines 1885-1891 static int icmUInt16Array_allocate( Link Here
1885	if (p->size != p->_size) {	1898	if (p->size != p->_size) {
1886	if (p->data != NULL)	1899	if (p->data != NULL)
1887	icp->al->free(icp->al, p->data);	1900	icp->al->free(icp->al, p->data);
1888	if ((p->data = (unsigned int ) icp->al->malloc(icp->al, p->size sizeof(unsigned int))) == NULL) {	1901	if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
1889	sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");	1902	sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");
1890	return icp->errc = 2;	1903	return icp->errc = 2;
1891	}	1904	}
Lines 1936-1941 static unsigned int icmUInt32Array_get_s Link Here
1936	icmUInt32Array p = (icmUInt32Array )pp;	1949	icmUInt32Array p = (icmUInt32Array )pp;
1937	unsigned int len = 0;	1950	unsigned int len = 0;
1938	len += 8; /* 8 bytes for tag and padding */	1951	len += 8; /* 8 bytes for tag and padding */
		1952	if (p->size > (UINT_MAX - len) / 4) {
		1953	p->icp->errc = 1;
		1954	return (unsigned int) -1;
		1955	}
1939	len += p->size * 4; /* 4 bytes for each UInt32 */	1956	len += p->size * 4; /* 4 bytes for each UInt32 */
1940	return len;	1957	return len;
1941	}	1958	}
Lines 2008-2013 static int icmUInt32Array_write( Link Here
2008		2025
2009	/* Allocate a file write buffer */	2026	/* Allocate a file write buffer */
2010	len = p->get_size((icmBase *)p);	2027	len = p->get_size((icmBase *)p);
		2028	if (icp->errc)
		2029	return icp->errc;
2011	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2030	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2012	sprintf(icp->err,"icmUInt32Array_write malloc() failed");	2031	sprintf(icp->err,"icmUInt32Array_write malloc() failed");
2013	return icp->errc = 2;	2032	return icp->errc = 2;
Lines 2072-2078 static int icmUInt32Array_allocate( Link Here
2072	if (p->size != p->_size) {	2091	if (p->size != p->_size) {
2073	if (p->data != NULL)	2092	if (p->data != NULL)
2074	icp->al->free(icp->al, p->data);	2093	icp->al->free(icp->al, p->data);
2075	if ((p->data = (unsigned int ) icp->al->malloc(icp->al, p->size sizeof(unsigned int))) == NULL) {	2094	if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
2076	sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");	2095	sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");
2077	return icp->errc = 2;	2096	return icp->errc = 2;
2078	}	2097	}
Lines 2123-2128 static unsigned int icmUInt64Array_get_s Link Here
2123	icmUInt64Array p = (icmUInt64Array )pp;	2142	icmUInt64Array p = (icmUInt64Array )pp;
2124	unsigned int len = 0;	2143	unsigned int len = 0;
2125	len += 8; /* 8 bytes for tag and padding */	2144	len += 8; /* 8 bytes for tag and padding */
		2145	if (p->size > (UINT_MAX - len) / 8) {
		2146	p->icp->errc = 1;
		2147	return (unsigned int) -1;
		2148	}
2126	len += p->size * 8; /* 8 bytes for each UInt64 */	2149	len += p->size * 8; /* 8 bytes for each UInt64 */
2127	return len;	2150	return len;
2128	}	2151	}
Lines 2195-2200 static int icmUInt64Array_write( Link Here
2195		2218
2196	/* Allocate a file write buffer */	2219	/* Allocate a file write buffer */
2197	len = p->get_size((icmBase *)p);	2220	len = p->get_size((icmBase *)p);
		2221	if (icp->errc)
		2222	return icp->errc;
2198	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2223	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2199	sprintf(icp->err,"icmUInt64Array_write malloc() failed");	2224	sprintf(icp->err,"icmUInt64Array_write malloc() failed");
2200	return icp->errc = 2;	2225	return icp->errc = 2;
Lines 2259-2265 static int icmUInt64Array_allocate( Link Here
2259	if (p->size != p->_size) {	2284	if (p->size != p->_size) {
2260	if (p->data != NULL)	2285	if (p->data != NULL)
2261	icp->al->free(icp->al, p->data);	2286	icp->al->free(icp->al, p->data);
2262	if ((p->data = (icmUint64 ) icp->al->malloc(icp->al, p->size sizeof(icmUint64))) == NULL) {	2287	if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) {
2263	sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");	2288	sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");
2264	return icp->errc = 2;	2289	return icp->errc = 2;
2265	}	2290	}
Lines 2310-2315 static unsigned int icmU16Fixed16Array_g Link Here
2310	icmU16Fixed16Array p = (icmU16Fixed16Array )pp;	2335	icmU16Fixed16Array p = (icmU16Fixed16Array )pp;
2311	unsigned int len = 0;	2336	unsigned int len = 0;
2312	len += 8; /* 8 bytes for tag and padding */	2337	len += 8; /* 8 bytes for tag and padding */
		2338	if (p->size > (UINT_MAX - len) / 4) {
		2339	p->icp->errc = 1;
		2340	return (unsigned int) -1;
		2341	}
2313	len += p->size * 4; /* 4 byte for each U16Fixed16 */	2342	len += p->size * 4; /* 4 byte for each U16Fixed16 */
2314	return len;	2343	return len;
2315	}	2344	}
Lines 2382-2387 static int icmU16Fixed16Array_write( Link Here
2382		2411
2383	/* Allocate a file write buffer */	2412	/* Allocate a file write buffer */
2384	len = p->get_size((icmBase *)p);	2413	len = p->get_size((icmBase *)p);
		2414	if (icp->errc)
		2415	return icp->errc;
2385	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2416	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2386	sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");	2417	sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");
2387	return icp->errc = 2;	2418	return icp->errc = 2;
Lines 2446-2452 static int icmU16Fixed16Array_allocate( Link Here
2446	if (p->size != p->_size) {	2477	if (p->size != p->_size) {
2447	if (p->data != NULL)	2478	if (p->data != NULL)
2448	icp->al->free(icp->al, p->data);	2479	icp->al->free(icp->al, p->data);
2449	if ((p->data = (double ) icp->al->malloc(icp->al, p->size sizeof(double))) == NULL) {	2480	if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
2450	sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");	2481	sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");
2451	return icp->errc = 2;	2482	return icp->errc = 2;
2452	}	2483	}
Lines 2497-2502 static unsigned int icmS15Fixed16Array_g Link Here
2497	icmS15Fixed16Array p = (icmS15Fixed16Array )pp;	2528	icmS15Fixed16Array p = (icmS15Fixed16Array )pp;
2498	unsigned int len = 0;	2529	unsigned int len = 0;
2499	len += 8; /* 8 bytes for tag and padding */	2530	len += 8; /* 8 bytes for tag and padding */
		2531	if (p->size > (UINT_MAX - len) / 4) {
		2532	p->icp->errc = 1;
		2533	return (unsigned int) - 1;
		2534	}
2500	len += p->size * 4; /* 4 byte for each S15Fixed16 */	2535	len += p->size * 4; /* 4 byte for each S15Fixed16 */
2501	return len;	2536	return len;
2502	}	2537	}
Lines 2569-2574 static int icmS15Fixed16Array_write( Link Here
2569		2604
2570	/* Allocate a file write buffer */	2605	/* Allocate a file write buffer */
2571	len = p->get_size((icmBase *)p);	2606	len = p->get_size((icmBase *)p);
		2607	if (icp->errc)
		2608	return icp->errc;
2572	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2609	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2573	sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");	2610	sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");
2574	return icp->errc = 2;	2611	return icp->errc = 2;
Lines 2633-2639 static int icmS15Fixed16Array_allocate( Link Here
2633	if (p->size != p->_size) {	2670	if (p->size != p->_size) {
2634	if (p->data != NULL)	2671	if (p->data != NULL)
2635	icp->al->free(icp->al, p->data);	2672	icp->al->free(icp->al, p->data);
2636	if ((p->data = (double ) icp->al->malloc(icp->al, p->size sizeof(double))) == NULL) {	2673	if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
2637	sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");	2674	sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");
2638	return icp->errc = 2;	2675	return icp->errc = 2;
2639	}	2676	}
Lines 2726-2731 static unsigned int icmXYZArray_get_size Link Here
2726	icmXYZArray p = (icmXYZArray )pp;	2763	icmXYZArray p = (icmXYZArray )pp;
2727	unsigned int len = 0;	2764	unsigned int len = 0;
2728	len += 8; /* 8 bytes for tag and padding */	2765	len += 8; /* 8 bytes for tag and padding */
		2766	if (p->size > (UINT_MAX - len) / 12) {
		2767	p->icp->errc = 1;
		2768	return (unsigned int) - 1;
		2769	}
2729	len += p->size * 12; /* 12 bytes for each XYZ */	2770	len += p->size * 12; /* 12 bytes for each XYZ */
2730	return len;	2771	return len;
2731	}	2772	}
Lines 2798-2803 static int icmXYZArray_write( Link Here
2798		2839
2799	/* Allocate a file write buffer */	2840	/* Allocate a file write buffer */
2800	len = p->get_size((icmBase *)p);	2841	len = p->get_size((icmBase *)p);
		2842	if (icp->errc)
		2843	return icp->errc;
2801	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2844	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2802	sprintf(icp->err,"icmXYZArray_write malloc() failed");	2845	sprintf(icp->err,"icmXYZArray_write malloc() failed");
2803	return icp->errc = 2;	2846	return icp->errc = 2;
Lines 2865-2871 static int icmXYZArray_allocate( Link Here
2865	if (p->size != p->_size) {	2908	if (p->size != p->_size) {
2866	if (p->data != NULL)	2909	if (p->data != NULL)
2867	icp->al->free(icp->al, p->data);	2910	icp->al->free(icp->al, p->data);
2868	if ((p->data = (icmXYZNumber ) icp->al->malloc(icp->al, p->size sizeof(icmXYZNumber))) == NULL) {	2911	if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) {
2869	sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");	2912	sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");
2870	return icp->errc = 2;	2913	return icp->errc = 2;
2871	}	2914	}
Lines 3001-3007 static int icmTable_setup_bwd( Link Here
3001	int nf; /* Next free slot */	3044	int nf; /* Next free slot */
3002	if (rt->rlists[j] == NULL) { /* No allocation */	3045	if (rt->rlists[j] == NULL) { /* No allocation */
3003	as = 5; /* Start with space for 5 */	3046	as = 5; /* Start with space for 5 */
3004	if ((rt->rlists[j] = (int ) icp->al->malloc(icp->al, sizeof(int) as)) == NULL) {	3047	if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) {
3005	return 2;	3048	return 2;
3006	}	3049	}
3007	rt->rlists[j][0] = as;	3050	rt->rlists[j][0] = as;
Lines 3141-3146 static unsigned int icmCurve_get_size( Link Here
3141	icmCurve p = (icmCurve )pp;	3184	icmCurve p = (icmCurve )pp;
3142	unsigned int len = 0;	3185	unsigned int len = 0;
3143	len += 12; /* 12 bytes for tag, padding and count */	3186	len += 12; /* 12 bytes for tag, padding and count */
		3187	if (p->size > (UINT_MAX - len) / 2) {
		3188	p->icp->errc = 1;
		3189	return (unsigned int) - 1;
		3190	}
3144	len += p->size * 2; /* 2 bytes for each UInt16 */	3191	len += p->size * 2; /* 2 bytes for each UInt16 */
3145	return len;	3192	return len;
3146	}	3193	}
Lines 3238-3243 static int icmCurve_write( Link Here
3238		3285
3239	/* Allocate a file write buffer */	3286	/* Allocate a file write buffer */
3240	len = p->get_size((icmBase *)p);	3287	len = p->get_size((icmBase *)p);
		3288	if (icp->errc)
		3289	return icp->errc;
3241	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	3290	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
3242	sprintf(icp->err,"icmCurve_write malloc() failed");	3291	sprintf(icp->err,"icmCurve_write malloc() failed");
3243	return icp->errc = 2;	3292	return icp->errc = 2;
Lines 3347-3353 static int icmCurve_allocate( Link Here
3347	if (p->size != p->_size) {	3396	if (p->size != p->_size) {
3348	if (p->data != NULL)	3397	if (p->data != NULL)
3349	icp->al->free(icp->al, p->data);	3398	icp->al->free(icp->al, p->data);
3350	if ((p->data = (double ) icp->al->malloc(icp->al, p->size sizeof(double))) == NULL) {	3399	if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
3351	sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");	3400	sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");
3352	return icp->errc = 2;	3401	return icp->errc = 2;
3353	}	3402	}
Lines 3493-3498 static int icmData_write( Link Here
3493		3542
3494	/* Allocate a file write buffer */	3543	/* Allocate a file write buffer */
3495	len = p->get_size((icmBase *)p);	3544	len = p->get_size((icmBase *)p);
		3545	if (icp->errc)
		3546	return icp->errc;
3496	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	3547	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
3497	sprintf(icp->err,"icmData_write malloc() failed");	3548	sprintf(icp->err,"icmData_write malloc() failed");
3498	return icp->errc = 2;	3549	return icp->errc = 2;
Lines 3745-3750 static int icmText_write( Link Here
3745		3796
3746	/* Allocate a file write buffer */	3797	/* Allocate a file write buffer */
3747	len = p->get_size((icmBase *)p);	3798	len = p->get_size((icmBase *)p);
		3799	if (icp->errc)
		3800	return icp->errc;
3748	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	3801	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
3749	sprintf(icp->err,"icmText_write malloc() failed");	3802	sprintf(icp->err,"icmText_write malloc() failed");
3750	return icp->errc = 2;	3803	return icp->errc = 2;
Lines 4038-4043 static int icmDateTimeNumber_write( Link Here
4038		4091
4039	/* Allocate a file write buffer */	4092	/* Allocate a file write buffer */
4040	len = p->get_size((icmBase *)p);	4093	len = p->get_size((icmBase *)p);
		4094	if (icp->errc)
		4095	return icp->errc;
4041	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	4096	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
4042	sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");	4097	sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");
4043	return icp->errc = 2;	4098	return icp->errc = 2;
Lines 4128-4138 static icmBase *new_icmDateTimeNumber( Link Here
4128	/* icmLut object */	4183	/* icmLut object */
4129		4184
4130	/* Utility function - raise one integer to an integer power */	4185	/* Utility function - raise one integer to an integer power */
4131	static unsigned int uipow(unsigned int a, unsigned int b) {	4186	static int uipow(unsigned int a, unsigned int b, unsigned int *ret) {
4132	unsigned int rv = 1;	4187	unsigned int rv = 1;
4133	for (; b > 0; b--)	4188	for (; b > 0; b--) {
		4189	if (rv > UINT_MAX / a)
		4190	return 1;
4134	rv *= a;	4191	rv *= a;
4135	return rv;	4192	}
		4193	*ret = rv;
		4194	return 0;
4136	}	4195	}
4137		4196
4138	/* - - - - - - - - - - - - - - - - */	4197	/* - - - - - - - - - - - - - - - - */
Lines 4268-4274 double in / Input array[outputChan] * Link Here
4268	if (p->inputChan <= 8) {	4327	if (p->inputChan <= 8) {
4269	gw = GW; /* Use stack allocation */	4328	gw = GW; /* Use stack allocation */
4270	} else {	4329	} else {
4271	if ((gw = (double ) icp->al->malloc(icp->al, (1 << p->inputChan) sizeof(double))) == NULL) {	4330	if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) {
4272	sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");	4331	sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");
4273	return icp->errc = 2;	4332	return icp->errc = 2;
4274	}	4333	}
Lines 4819-4837 static unsigned int icmLut_get_size( Link Here
4819	) {	4878	) {
4820	icmLut p = (icmLut )pp;	4879	icmLut p = (icmLut )pp;
4821	unsigned int len = 0;	4880	unsigned int len = 0;
		4881	unsigned int pw;
4822		4882
4823	if (p->ttype == icSigLut8Type) {	4883	if (p->ttype == icSigLut8Type) {
4824	len += 48; /* tag and header */	4884	len += 48; /* tag and header */
		4885	if (p->inputEnt > (UINT_MAX - len) / p->inputChan / 1)
		4886	goto overflow;
		4887
4825	len += 1 * (p->inputChan * p->inputEnt);	4888	len += 1 * (p->inputChan * p->inputEnt);
4826	len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan));	4889	if (uipow(p->clutPoints,p->inputChan, &pw) \|\|
		4890	pw > (UINT_MAX - len) / p->outputChan / 1)
		4891	goto overflow;
		4892
		4893	len += 1 * (p->outputChan * pw);
		4894	if (p->outputEnt > (UINT_MAX - len) / p->outputChan / 1)
		4895	goto overflow;
		4896
4827	len += 1 * (p->outputChan * p->outputEnt);	4897	len += 1 * (p->outputChan * p->outputEnt);
4828	} else {	4898	} else {
4829	len += 52; /* tag and header */	4899	len += 52; /* tag and header */
		4900	if (p->inputEnt > (UINT_MAX - len) / p->inputChan / 2)
		4901	goto overflow;
		4902
4830	len += 2 * (p->inputChan * p->inputEnt);	4903	len += 2 * (p->inputChan * p->inputEnt);
4831	len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan));	4904	if (uipow(p->clutPoints,p->inputChan, &pw) \|\|
		4905	pw > (UINT_MAX - len) / p->outputChan / 2)
		4906	goto overflow;
		4907
		4908	len += 2 * (p->outputChan * pw);
		4909	if (p->outputEnt > (UINT_MAX - len) / p->outputChan / 2)
		4910	goto overflow;
		4911
4832	len += 2 * (p->outputChan * p->outputEnt);	4912	len += 2 * (p->outputChan * p->outputEnt);
4833	}	4913	}
4834	return len;	4914	return len;
		4915
		4916	overflow:
		4917	p->icp->errc = 1;
		4918	return (unsigned int) -1;
4835	}	4919	}
4836		4920
4837	/* read the object, return 0 on success, error code on fail */	4921	/* read the object, return 0 on success, error code on fail */
Lines 4844-4849 static int icmLut_read( Link Here
4844	icc *icp = p->icp;	4928	icc *icp = p->icp;
4845	int rv = 0;	4929	int rv = 0;
4846	unsigned long i, j, g, size;	4930	unsigned long i, j, g, size;
		4931	unsigned int pw;
4847	char bp, buf;	4932	char bp, buf;
4848		4933
4849	if (len < 4) {	4934	if (len < 4) {
Lines 4904-4909 static int icmLut_read( Link Here
4904	return icp->errc = 1;	4989	return icp->errc = 1;
4905	}	4990	}
4906		4991
		4992	if (p->clutPoints > 100) {
		4993	sprintf(icp->err,"icmLut_read: too many clutPoints");
		4994	return icp->errc = 1;
		4995	}
		4996
4907	/* Read 3x3 transform matrix */	4997	/* Read 3x3 transform matrix */
4908	for (j = 0; j < 3; j++) { /* Rows */	4998	for (j = 0; j < 3; j++) { /* Rows */
4909	for (i = 0; i < 3; i++) { /* Columns */	4999	for (i = 0; i < 3; i++) { /* Columns */
Lines 4921-4933 static int icmLut_read( Link Here
4921	bp = buf+52;	5011	bp = buf+52;
4922	}	5012	}
4923		5013
4924	if (len < icmLut_get_size((icmBase *)p)) {	5014	if (len < icmLut_get_size((icmBase *)p) \|\| icp->errc) {
4925	sprintf(icp->err,"icmLut_read: Tag too small for contents");	5015	sprintf(icp->err,"icmLut_read: Tag too small for contents");
4926	icp->al->free(icp->al, buf);	5016	icp->al->free(icp->al, buf);
4927	return icp->errc = 1;	5017	return icp->errc = 1;
4928	}	5018	}
4929		5019
4930	/* Read the input tables */	5020	/* Read the input tables */
		5021	if (p->inputChan > UINT_MAX / p->inputEnt) {
		5022	sprintf(icp->err,"icmLut_read: overflow");
		5023	icp->al->free(icp->al, buf);
		5024	return icp->errc = 1;
		5025	}
4931	size = (p->inputChan * p->inputEnt);	5026	size = (p->inputChan * p->inputEnt);
4932	if ((rv = p->allocate((icmBase *)p)) != 0) {	5027	if ((rv = p->allocate((icmBase *)p)) != 0) {
4933	icp->al->free(icp->al, buf);	5028	icp->al->free(icp->al, buf);
Lines 4942-4948 static int icmLut_read( Link Here
4942	}	5037	}
4943		5038
4944	/* Read the clut table */	5039	/* Read the clut table */
4945	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5040	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5041	pw > UINT_MAX / p->outputChan) {
		5042	sprintf(icp->err,"icmLut_read: overflow");
		5043	icp->al->free(icp->al, buf);
		5044	return icp->errc = 1;
		5045	}
		5046	size = (p->outputChan * pw);
4946	if ((rv = p->allocate((icmBase *)p)) != 0) {	5047	if ((rv = p->allocate((icmBase *)p)) != 0) {
4947	icp->al->free(icp->al, buf);	5048	icp->al->free(icp->al, buf);
4948	return rv;	5049	return rv;
Lines 4956-4961 static int icmLut_read( Link Here
4956	}	5057	}
4957		5058
4958	/* Read the output tables */	5059	/* Read the output tables */
		5060	if (p->outputEnt > UINT_MAX / p->outputChan) {
		5061	sprintf(icp->err,"icmLut_read: overflow");
		5062	icp->al->free(icp->al, buf);
		5063	return icp->errc = 1;
		5064	}
4959	size = (p->outputChan * p->outputEnt);	5065	size = (p->outputChan * p->outputEnt);
4960	if ((rv = p->allocate((icmBase *)p)) != 0) {	5066	if ((rv = p->allocate((icmBase *)p)) != 0) {
4961	icp->al->free(icp->al, buf);	5067	icp->al->free(icp->al, buf);
Lines 4995-5006 static int icmLut_write( Link Here
4995	icmLut p = (icmLut )pp;	5101	icmLut p = (icmLut )pp;
4996	icc *icp = p->icp;	5102	icc *icp = p->icp;
4997	unsigned long i,j;	5103	unsigned long i,j;
4998	unsigned int len, size;	5104	unsigned int len, size, pw;
4999	char bp, buf; /* Buffer to write from */	5105	char bp, buf; /* Buffer to write from */
5000	int rv = 0;	5106	int rv = 0;
5001		5107
5002	/* Allocate a file write buffer */	5108	/* Allocate a file write buffer */
5003	len = p->get_size((icmBase *)p);	5109	len = p->get_size((icmBase *)p);
		5110	if (icp->errc)
		5111	return icp->errc;
5004	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	5112	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
5005	sprintf(icp->err,"icmLut_write malloc() failed");	5113	sprintf(icp->err,"icmLut_write malloc() failed");
5006	return icp->errc = 2;	5114	return icp->errc = 2;
Lines 5066-5071 static int icmLut_write( Link Here
5066	}	5174	}
5067		5175
5068	/* Write the input tables */	5176	/* Write the input tables */
		5177	if (p->inputChan > UINT_MAX / p->inputEnt) {
		5178	sprintf(icp->err,"icmLut_write: overflow");
		5179	icp->al->free(icp->al, buf);
		5180	return icp->errc = 1;
		5181	}
5069	size = (p->inputChan * p->inputEnt);	5182	size = (p->inputChan * p->inputEnt);
5070	if (p->ttype == icSigLut8Type) {	5183	if (p->ttype == icSigLut8Type) {
5071	for (i = 0; i < size; i++, bp += 1) {	5184	for (i = 0; i < size; i++, bp += 1) {
Lines 5086-5092 static int icmLut_write( Link Here
5086	}	5199	}
5087		5200
5088	/* Write the clut table */	5201	/* Write the clut table */
5089	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5202	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5203	pw > UINT_MAX / p->outputChan) {
		5204	sprintf(icp->err,"icmLut_write: overflow");
		5205	icp->al->free(icp->al, buf);
		5206	return icp->errc = 1;
		5207	}
		5208	size = (p->outputChan * pw);
5090	if (p->ttype == icSigLut8Type) {	5209	if (p->ttype == icSigLut8Type) {
5091	for (i = 0; i < size; i++, bp += 1) {	5210	for (i = 0; i < size; i++, bp += 1) {
5092	if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) {	5211	if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) {
Lines 5106-5111 static int icmLut_write( Link Here
5106	}	5225	}
5107		5226
5108	/* Write the output tables */	5227	/* Write the output tables */
		5228	if (p->outputEnt > UINT_MAX / p->outputChan) {
		5229	sprintf(icp->err,"icmLut_write: overflow");
		5230	icp->al->free(icp->al, buf);
		5231	return icp->errc = 1;
		5232	}
5109	size = (p->outputChan * p->outputEnt);	5233	size = (p->outputChan * p->outputEnt);
5110	if (p->ttype == icSigLut8Type) {	5234	if (p->ttype == icSigLut8Type) {
5111	for (i = 0; i < size; i++, bp += 1) {	5235	for (i = 0; i < size; i++, bp += 1) {
Lines 5177-5183 static void icmLut_dump( Link Here
5177	if (p->inputChan > MAX_CHAN) {	5301	if (p->inputChan > MAX_CHAN) {
5178	fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN);	5302	fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN);
5179	} else {	5303	} else {
5180	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5304	unsigned int pw;
		5305	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5306	pw > UINT_MAX / p->outputChan) {
		5307	fprintf(op,"Would overflow.\n");
		5308	return;
		5309	}
		5310	size = (p->outputChan * pw);
5181	for (j = 0; j < p->inputChan; j++)	5311	for (j = 0; j < p->inputChan; j++)
5182	ii[j] = 0;	5312	ii[j] = 0;
5183	for (i = 0; i < size;) {	5313	for (i = 0; i < size;) {
Lines 5216-5222 static void icmLut_dump( Link Here
5216	static int icmLut_allocate(	5346	static int icmLut_allocate(
5217	icmBase *pp	5347	icmBase *pp
5218	) {	5348	) {
5219	unsigned int i, j, g, size;	5349	unsigned int i, j, g, size, pw;
5220	icmLut p = (icmLut )pp;	5350	icmLut p = (icmLut )pp;
5221	icc *icp = p->icp;	5351	icc *icp = p->icp;
5222		5352
Lines 5231-5236 static int icmLut_allocate( Link Here
5231	return icp->errc = 1;	5361	return icp->errc = 1;
5232	}	5362	}
5233		5363
		5364	if (p->inputChan > UINT_MAX / p->inputEnt) {
		5365	sprintf(icp->err,"icmLut_alloc: too many entries");
		5366	return icp->errc = 1;
		5367	}
5234	size = (p->inputChan * p->inputEnt);	5368	size = (p->inputChan * p->inputEnt);
5235	if (size != p->inputTable_size) {	5369	if (size != p->inputTable_size) {
5236	if (p->inputTable != NULL)	5370	if (p->inputTable != NULL)
Lines 5241-5247 static int icmLut_allocate( Link Here
5241	}	5375	}
5242	p->inputTable_size = size;	5376	p->inputTable_size = size;
5243	}	5377	}
5244	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5378	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5379	pw > UINT_MAX / p->outputChan) {
		5380	sprintf(icp->err,"icmLut_alloc: overflow");
		5381	return icp->errc = 1;
		5382	}
		5383	size = (p->outputChan * pw);
5245	if (size != p->clutTable_size) {	5384	if (size != p->clutTable_size) {
5246	if (p->clutTable != NULL)	5385	if (p->clutTable != NULL)
5247	icp->al->free(icp->al, p->clutTable);	5386	icp->al->free(icp->al, p->clutTable);
Lines 5251-5256 static int icmLut_allocate( Link Here
5251	}	5390	}
5252	p->clutTable_size = size;	5391	p->clutTable_size = size;
5253	}	5392	}
		5393	if (p->outputEnt > UINT_MAX / p->outputChan) {
		5394	sprintf(icp->err,"icmLut_alloc: overflow");
		5395	return icp->errc = 1;
		5396	}
5254	size = (p->outputChan * p->outputEnt);	5397	size = (p->outputChan * p->outputEnt);
5255	if (size != p->outputTable_size) {	5398	if (size != p->outputTable_size) {
5256	if (p->outputTable != NULL)	5399	if (p->outputTable != NULL)
Lines 5441-5446 static int icmMeasurement_write( Link Here
5441		5584
5442	/* Allocate a file write buffer */	5585	/* Allocate a file write buffer */
5443	len = p->get_size((icmBase *)p);	5586	len = p->get_size((icmBase *)p);
		5587	if (icp->errc)
		5588	return icp->errc;
5444	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	5589	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
5445	sprintf(icp->err,"icmMeasurement_write malloc() failed");	5590	sprintf(icp->err,"icmMeasurement_write malloc() failed");
5446	return icp->errc = 2;	5591	return icp->errc = 2;
Lines 5712-5724 static unsigned int icmNamedColor_get_si Link Here
5712	len += p->nDeviceCoords * 1; /* bytes for each named color */	5857	len += p->nDeviceCoords * 1; /* bytes for each named color */
5713	}	5858	}
5714	} else { /* Named Color 2 */	5859	} else { /* Named Color 2 */
		5860	unsigned int col;
5715	len += 8; /* 8 bytes for tag and padding */	5861	len += 8; /* 8 bytes for tag and padding */
5716	len += 4; /* 4 for vendor specific flags */	5862	len += 4; /* 4 for vendor specific flags */
5717	len += 4; /* 4 for count of named colors */	5863	len += 4; /* 4 for count of named colors */
5718	len += 4; /* 4 for number of device coords */	5864	len += 4; /* 4 for number of device coords */
5719	len += 32; /* 32 for prefix of color names */	5865	len += 32; /* 32 for prefix of color names */
5720	len += 32; /* 32 for suffix of color names */	5866	len += 32; /* 32 for suffix of color names */
5721	len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */	5867	col = 32 + 6 + p->nDeviceCoords * 2;
		5868	if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 \|\|
		5869	col > (UINT_MAX - len) / p->count) {
		5870	p->icp->errc = 1;
		5871	return (unsigned int) -1;
		5872	}
		5873	len += p->count * col; /* bytes for each named color */
5722	}	5874	}
5723	return len;	5875	return len;
5724	}	5876	}
Lines 5882-5887 static int icmNamedColor_write( Link Here
5882		6034
5883	/* Allocate a file write buffer */	6035	/* Allocate a file write buffer */
5884	len = p->get_size((icmBase *)p);	6036	len = p->get_size((icmBase *)p);
		6037	if (icp->errc)
		6038	return icp->errc;
5885	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	6039	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
5886	sprintf(icp->err,"icmNamedColor_write malloc() failed");	6040	sprintf(icp->err,"icmNamedColor_write malloc() failed");
5887	return icp->errc = 2;	6041	return icp->errc = 2;
Lines 6109-6117 static unsigned int icmTextDescription_g Link Here
6109	) {	6263	) {
6110	icmTextDescription p = (icmTextDescription )pp;	6264	icmTextDescription p = (icmTextDescription )pp;
6111	unsigned int len = 0;	6265	unsigned int len = 0;
		6266	if (p->size > UINT_MAX - (8 + 4 + 8)) {
		6267	p->icp->errc = 1;
		6268	return (unsigned int) -1;
		6269	}
6112	len += 8; /* 8 bytes for tag and padding */	6270	len += 8; /* 8 bytes for tag and padding */
6113	len += 4 + p->size; /* Ascii string length + ascii string */	6271	len += 4 + p->size; /* Ascii string length + ascii string */
6114	len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */	6272	len += 8; /* Unicode language code + length */
		6273	if (p->ucSize > (UINT_MAX - len) / 2) {
		6274	p->icp->errc = 1;
		6275	return (unsigned int) -1;
		6276	}
		6277	len += 2 * p->ucSize; /* Unicode string */
		6278	if (len > (UINT_MAX - (3 + 67))) {
		6279	p->icp->errc = 1;
		6280	return (unsigned int) -1;
		6281	}
6115	len += 3 + 67; /* ScriptCode code, length string */	6282	len += 3 + 67; /* ScriptCode code, length string */
6116	return len;	6283	return len;
6117	}	6284	}
Lines 6294-6299 static int icmTextDescription_write( Link Here
6294		6461
6295	/* Allocate a file write buffer */	6462	/* Allocate a file write buffer */
6296	len = p->get_size((icmBase *)p);	6463	len = p->get_size((icmBase *)p);
		6464	if (icp->errc)
		6465	return icp->errc;
6297	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	6466	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
6298	sprintf(icp->err,"icmTextDescription_write malloc() failed");	6467	sprintf(icp->err,"icmTextDescription_write malloc() failed");
6299	return icp->errc = 2;	6468	return icp->errc = 2;
Lines 6544-6550 static int icmTextDescription_allocate( Link Here
6544	if (p->ucSize != p->uc_size) {	6713	if (p->ucSize != p->uc_size) {
6545	if (p->ucDesc != NULL)	6714	if (p->ucDesc != NULL)
6546	icp->al->free(icp->al, p->ucDesc);	6715	icp->al->free(icp->al, p->ucDesc);
6547	if ((p->ucDesc = (ORD16 ) icp->al->malloc(icp->al, p->ucSize sizeof(ORD16))) == NULL) {	6716	if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) {
6548	sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed");	6717	sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed");
6549	return icp->errc = 2;	6718	return icp->errc = 2;
6550	}	6719	}
Lines 6820-6825 static int icmProfileSequenceDesc_read( Link Here
6820	bp += 8; /* Skip padding */	6989	bp += 8; /* Skip padding */
6821		6990
6822	p->count = read_UInt32Number(bp); /* Number of sequence descriptions */	6991	p->count = read_UInt32Number(bp); /* Number of sequence descriptions */
		6992	if (p->count > 1000) {
		6993	sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions");
		6994	icp->al->free(icp->al, buf);
		6995	return icp->errc = 1;
		6996	}
		6997
6823	bp += 4;	6998	bp += 4;
6824		6999
6825	/* Read all the sequence descriptions */	7000	/* Read all the sequence descriptions */
Lines 6852-6857 static int icmProfileSequenceDesc_write( Link Here
6852		7027
6853	/* Allocate a file write buffer */	7028	/* Allocate a file write buffer */
6854	len = p->get_size((icmBase *)p);	7029	len = p->get_size((icmBase *)p);
		7030	if (icp->errc)
		7031	return icp->errc;
6855	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7032	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
6856	sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed");	7033	sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed");
6857	return icp->errc = 2;	7034	return icp->errc = 2;
Lines 6922-6928 static int icmProfileSequenceDesc_alloca Link Here
6922	if (p->count != p->_count) {	7099	if (p->count != p->_count) {
6923	if (p->data != NULL)	7100	if (p->data != NULL)
6924	icp->al->free(icp->al, p->data);	7101	icp->al->free(icp->al, p->data);
6925	if ((p->data = (icmDescStruct ) icp->al->malloc(icp->al, p->count sizeof(icmDescStruct))) == NULL) {	7102	if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) {
6926	sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed");	7103	sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed");
6927	return icp->errc = 2;	7104	return icp->errc = 2;
6928	}	7105	}
Lines 7041-7046 static int icmSignature_write( Link Here
7041		7218
7042	/* Allocate a file write buffer */	7219	/* Allocate a file write buffer */
7043	len = p->get_size((icmBase *)p);	7220	len = p->get_size((icmBase *)p);
		7221	if (icp->errc)
		7222	return icp->errc;
7044	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7223	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7045	sprintf(icp->err,"icmSignature_write malloc() failed");	7224	sprintf(icp->err,"icmSignature_write malloc() failed");
7046	return icp->errc = 2;	7225	return icp->errc = 2;
Lines 7156-7161 static unsigned int icmScreening_get_siz Link Here
7156	icmScreening p = (icmScreening )pp;	7335	icmScreening p = (icmScreening )pp;
7157	unsigned int len = 0;	7336	unsigned int len = 0;
7158	len += 16; /* 16 bytes for tag, padding, flag & channeles */	7337	len += 16; /* 16 bytes for tag, padding, flag & channeles */
		7338	if (p->channels > (UINT_MAX - len) / 12) {
		7339	p->icp->errc = 1;
		7340	return (unsigned int) -1;
		7341	}
7159	len += p->channels * 12; /* 12 bytes for each channel */	7342	len += p->channels * 12; /* 12 bytes for each channel */
7160	return len;	7343	return len;
7161	}	7344	}
Lines 7235-7240 static int icmScreening_write( Link Here
7235		7418
7236	/* Allocate a file write buffer */	7419	/* Allocate a file write buffer */
7237	len = p->get_size((icmBase *)p);	7420	len = p->get_size((icmBase *)p);
		7421	if (icp->errc)
		7422	return icp->errc;
7238	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7423	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7239	sprintf(icp->err,"icmScreening_write malloc() failed");	7424	sprintf(icp->err,"icmScreening_write malloc() failed");
7240	return icp->errc = 2;	7425	return icp->errc = 2;
Lines 7315-7321 static int icmScreening_allocate( Link Here
7315	if (p->channels != p->_channels) {	7500	if (p->channels != p->_channels) {
7316	if (p->data != NULL)	7501	if (p->data != NULL)
7317	icp->al->free(icp->al, p->data);	7502	icp->al->free(icp->al, p->data);
7318	if ((p->data = (icmScreeningData ) icp->al->malloc(icp->al, p->channels sizeof(icmScreeningData))) == NULL) {	7503	if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) {
7319	sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed");	7504	sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed");
7320	return icp->errc = 2;	7505	return icp->errc = 2;
7321	}	7506	}
Lines 7366-7375 static unsigned int icmUcrBg_get_size( Link Here
7366	icmUcrBg p = (icmUcrBg )pp;	7551	icmUcrBg p = (icmUcrBg )pp;
7367	unsigned int len = 0;	7552	unsigned int len = 0;
7368	len += 8; /* 8 bytes for tag and padding */	7553	len += 8; /* 8 bytes for tag and padding */
		7554	if (p->UCRcount > (UINT_MAX - len - 4) / 2)
		7555	goto overflow;
		7556
7369	len += 4 + p->UCRcount * 2; /* Undercolor Removal */	7557	len += 4 + p->UCRcount * 2; /* Undercolor Removal */
		7558	if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2)
		7559	goto overflow;
		7560
7370	len += 4 + p->BGcount * 2; /* Black Generation */	7561	len += 4 + p->BGcount * 2; /* Black Generation */
7371	len += p->size; /* Description string */	7562	len += p->size; /* Description string */
7372	return len;	7563	return len;
		7564
		7565	overflow:
		7566	p->icp->errc = 1;
		7567	return (unsigned int) -1;
7373	}	7568	}
7374		7569
7375	/* read the object, return 0 on success, error code on fail */	7570	/* read the object, return 0 on success, error code on fail */
Lines 7498-7503 static int icmUcrBg_write( Link Here
7498		7693
7499	/* Allocate a file write buffer */	7694	/* Allocate a file write buffer */
7500	len = p->get_size((icmBase *)p);	7695	len = p->get_size((icmBase *)p);
		7696	if (icp->errc)
		7697	return icp->errc;
7501	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7698	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7502	sprintf(icp->err,"icmUcrBg_write malloc() failed");	7699	sprintf(icp->err,"icmUcrBg_write malloc() failed");
7503	return icp->errc = 2;	7700	return icp->errc = 2;
Lines 7663-7669 static int icmUcrBg_allocate( Link Here
7663	if (p->UCRcount != p->UCR_count) {	7860	if (p->UCRcount != p->UCR_count) {
7664	if (p->UCRcurve != NULL)	7861	if (p->UCRcurve != NULL)
7665	icp->al->free(icp->al, p->UCRcurve);	7862	icp->al->free(icp->al, p->UCRcurve);
7666	if ((p->UCRcurve = (double ) icp->al->malloc(icp->al, p->UCRcount sizeof(double))) == NULL) {	7863	if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) {
7667	sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed");	7864	sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed");
7668	return icp->errc = 2;	7865	return icp->errc = 2;
7669	}	7866	}
Lines 7672-7678 static int icmUcrBg_allocate( Link Here
7672	if (p->BGcount != p->BG_count) {	7869	if (p->BGcount != p->BG_count) {
7673	if (p->BGcurve != NULL)	7870	if (p->BGcurve != NULL)
7674	icp->al->free(icp->al, p->BGcurve);	7871	icp->al->free(icp->al, p->BGcurve);
7675	if ((p->BGcurve = (double ) icp->al->malloc(icp->al, p->BGcount sizeof(double))) == NULL) {	7872	if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) {
7676	sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed");	7873	sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed");
7677	return icp->errc = 2;	7874	return icp->errc = 2;
7678	}	7875	}
Lines 7743-7748 static unsigned int icmVideoCardGamma_ge Link Here
7743	len += 2; /* 2 bytes for channels */	7940	len += 2; /* 2 bytes for channels */
7744	len += 2; /* 2 for entry count */	7941	len += 2; /* 2 for entry count */
7745	len += 2; /* 2 for entry size */	7942	len += 2; /* 2 for entry size */
		7943	if (p->u.table.channels >
		7944	(UINT_MAX - len) /
		7945	p->u.table.entryCount /
		7946	p->u.table.entrySize) {
		7947	p->icp->errc = 1;
		7948	return (unsigned int) -1;
		7949	}
7746	len += ( p->u.table.channels * /* compute table size */	7950	len += ( p->u.table.channels * /* compute table size */
7747	p->u.table.entryCount *	7951	p->u.table.entryCount *
7748	p->u.table.entrySize );	7952	p->u.table.entrySize );
Lines 7762-7771 static int icmVideoCardGamma_read( Link Here
7762	) {	7966	) {
7763	icmVideoCardGamma p = (icmVideoCardGamma )pp;	7967	icmVideoCardGamma p = (icmVideoCardGamma )pp;
7764	icc *icp = p->icp;	7968	icc *icp = p->icp;
7765	int rv, c;	7969	int rv;
7766	char bp, buf;	7970	char bp, buf;
7767	unsigned char *pchar;	7971	unsigned char *pchar;
7768	unsigned short *pshort;	7972	unsigned short *pshort;
		7973	unsigned long c;
7769		7974
7770	if (len < 18) {	7975	if (len < 18) {
7771	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");	7976	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
Lines 7803-7808 static int icmVideoCardGamma_read( Link Here
7803	p->u.table.channels = read_UInt16Number(bp+12);	8008	p->u.table.channels = read_UInt16Number(bp+12);
7804	p->u.table.entryCount = read_UInt16Number(bp+14);	8009	p->u.table.entryCount = read_UInt16Number(bp+14);
7805	p->u.table.entrySize = read_UInt16Number(bp+16);	8010	p->u.table.entrySize = read_UInt16Number(bp+16);
		8011	if (p->u.table.entrySize > 65530 \|\| p->u.table.entrySize == 0) {
		8012	sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)");
		8013	return icp->errc = 1;
		8014	}
		8015	if (p->u.table.channels >
		8016	UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) {
		8017	sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag");
		8018	return icp->errc = 1;
		8019	}
7806	if (len-18 < p->u.table.channelsp->u.table.entryCountp->u.table.entrySize) {	8020	if (len-18 < p->u.table.channelsp->u.table.entryCountp->u.table.entrySize) {
7807	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");	8021	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
7808	return icp->errc = 1;	8022	return icp->errc = 1;
Lines 7871-7876 static int icmVideoCardGamma_write( Link Here
7871		8085
7872	/* Allocate a file write buffer */	8086	/* Allocate a file write buffer */
7873	len = p->get_size((icmBase *)p);	8087	len = p->get_size((icmBase *)p);
		8088	if (icp->errc)
		8089	return icp->errc;
7874	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	8090	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7875	sprintf(icp->err,"icmViewingConditions_write malloc() failed");	8091	sprintf(icp->err,"icmViewingConditions_write malloc() failed");
7876	return icp->errc = 2;	8092	return icp->errc = 2;
Lines 8049-8055 static int icmVideoCardGamma_allocate( Link Here
8049	) {	8265	) {
8050	icmVideoCardGamma p = (icmVideoCardGamma )pp;	8266	icmVideoCardGamma p = (icmVideoCardGamma )pp;
8051	icc *icp = p->icp;	8267	icc *icp = p->icp;
8052	int size;	8268	unsigned int size;
8053		8269
8054	/* note: allocation is only relevant for table type	8270	/* note: allocation is only relevant for table type
8055	* and in that case the channels, entryCount, and entrySize	8271	* and in that case the channels, entryCount, and entrySize
Lines 8059-8064 static int icmVideoCardGamma_allocate( Link Here
8059	if (p->tagType == icmVideoCardGammaTableType) {	8275	if (p->tagType == icmVideoCardGammaTableType) {
8060	if (p->u.table.data != NULL)	8276	if (p->u.table.data != NULL)
8061	icp->al->free(icp->al, p->u.table.data);	8277	icp->al->free(icp->al, p->u.table.data);
		8278	if (p->u.table.channels > UINT_MAX / p->u.table.entryCount) {
		8279	sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
		8280	return icp->errc = 1;
		8281	}
8062	size = (p->u.table.channels *	8282	size = (p->u.table.channels *
8063	p->u.table.entryCount);	8283	p->u.table.entryCount);
8064	switch (p->u.table.entrySize) {	8284	switch (p->u.table.entrySize) {
Lines 8066-8071 static int icmVideoCardGamma_allocate( Link Here
8066	size *= sizeof(unsigned char);	8286	size *= sizeof(unsigned char);
8067	break;	8287	break;
8068	case 2:	8288	case 2:
		8289	if (size > UINT_MAX / sizeof(unsigned short)) {
		8290	sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
		8291	return icp->errc = 1;
		8292	}
8069	size *= sizeof(unsigned short);	8293	size *= sizeof(unsigned short);
8070	break;	8294	break;
8071	default:	8295	default:
Lines 8201-8206 static int icmViewingConditions_write( Link Here
8201		8425
8202	/* Allocate a file write buffer */	8426	/* Allocate a file write buffer */
8203	len = p->get_size((icmBase *)p);	8427	len = p->get_size((icmBase *)p);
		8428	if (icp->errc)
		8429	return icp->errc;
8204	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	8430	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
8205	sprintf(icp->err,"icmViewingConditions_write malloc() failed");	8431	sprintf(icp->err,"icmViewingConditions_write malloc() failed");
8206	return icp->errc = 2;	8432	return icp->errc = 2;
Lines 8433-8438 static int icmCrdInfo_write( Link Here
8433		8659
8434	/* Allocate a file write buffer */	8660	/* Allocate a file write buffer */
8435	len = p->get_size((icmBase *)p);	8661	len = p->get_size((icmBase *)p);
		8662	if (icp->errc)
		8663	return icp->errc;
8436	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	8664	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
8437	sprintf(icp->err,"icmCrdInfo_write malloc() failed");	8665	sprintf(icp->err,"icmCrdInfo_write malloc() failed");
8438	return icp->errc = 2;	8666	return icp->errc = 2;
Lines 8736-8741 static int icmHeader_write( Link Here
8736	int rv = 0;	8964	int rv = 0;
8737		8965
8738	len = p->get_size(p);	8966	len = p->get_size(p);
		8967	if (icp->errc)
		8968	return icp->errc;
8739	if ((buf = (char ) icp->al->calloc(icp->al,1,len)) == NULL) { / Zero it - some CMS are fussy */	8969	if ((buf = (char ) icp->al->calloc(icp->al,1,len)) == NULL) { / Zero it - some CMS are fussy */
8740	sprintf(icp->err,"icmHeader_write calloc() failed");	8970	sprintf(icp->err,"icmHeader_write calloc() failed");
8741	return icp->errc = 2;	8971	return icp->errc = 2;
Lines 9245-9257 static int icc_read( Link Here
9245	}	9475	}
9246		9476
9247	p->count = read_UInt32Number(tcbuf); /* Tag count */	9477	p->count = read_UInt32Number(tcbuf); /* Tag count */
		9478	if (p->count > 100) {
		9479	sprintf(p->err,"icc_read: too many table tags");
		9480	return p->errc = 1;
		9481	}
9248	if (p->count > 0) {	9482	if (p->count > 0) {
9249	char bp, buf;	9483	char bp, buf;
9250	if ((p->data = (icmTag ) p->al->malloc(p->al, p->count sizeof(icmTag))) == NULL) {	9484	if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) {
9251	sprintf(p->err,"icc_read: Tag table malloc() failed");	9485	sprintf(p->err,"icc_read: Tag table malloc() failed");
9252	return p->errc = 2;	9486	return p->errc = 2;
9253	}	9487	}
9254		9488
		9489	if (p->count > (UINT_MAX - 4) / 12) {
		9490	sprintf(p->err,"icc_read: overflow");
		9491	p->al->free(p->al, p->data);
		9492	p->data = NULL;
		9493	return p->errc = 1;
		9494	}
9255	len = 4 + p->count * 12;	9495	len = 4 + p->count * 12;
9256	if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) {	9496	if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) {
9257	sprintf(p->err,"icc_read: Tag table read buffer malloc() failed");	9497	sprintf(p->err,"icc_read: Tag table read buffer malloc() failed");
Lines 9281-9286 static int icc_read( Link Here
9281	return p->errc = 1;	9521	return p->errc = 1;
9282	}	9522	}
9283	p->data[i].size = read_UInt32Number(bp + 8);	9523	p->data[i].size = read_UInt32Number(bp + 8);
		9524	if (p->data[i].offset + p->data[i].size >
		9525	p->header->size) {
		9526	sprintf(p->err,"icc_read: tag out of bounds");
		9527	p->al->free(p->al, p->data);
		9528	p->data = NULL;
		9529	p->al->free(p->al, buf);
		9530	return p->errc = 1;
		9531	}
9284	if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0	9532	if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0
9285	\|\| p->fp->read(p->fp, tcbuf, 1, 4) != 4) {	9533	\|\| p->fp->read(p->fp, tcbuf, 1, 4) != 4) {
9286	sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers");	9534	sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers");
Lines 9321-9328 static unsigned int icc_get_size( Link Here
9321	}	9569	}
9322		9570
9323	size += p->header->get_size(p->header);	9571	size += p->header->get_size(p->header);
		9572	if (p->errc)
		9573	return (unsigned int) -1;
9324		9574
9325	size = DO_ALIGN(size);	9575	size = DO_ALIGN(size);
		9576	if (size == 0 \|\| p->count > (UINT_MAX - 4 - size) / 12) {
		9577	p->errc = 1;
		9578	return (unsigned int) -1;
		9579	}
9326	size += 4 + p->count * 12; /* Tag table length */	9580	size += 4 + p->count * 12; /* Tag table length */
9327		9581
9328	/* Reset touched flag for each tag type */	9582	/* Reset touched flag for each tag type */
Lines 9337-9344 static unsigned int icc_get_size( Link Here
9337	/* Get size for each tag type, skipping links */	9591	/* Get size for each tag type, skipping links */
9338	for (i = 0; i < p->count; i++) {	9592	for (i = 0; i < p->count; i++) {
9339	if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */	9593	if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */
		9594	unsigned int obj_size;
9340	size = DO_ALIGN(size);	9595	size = DO_ALIGN(size);
9341	size += p->data[i].objp->get_size(p->data[i].objp);	9596	obj_size = p->data[i].objp->get_size(p->data[i].objp);
		9597	if (size == 0 \|\| p->errc \|\|
		9598	obj_size > UINT_MAX - size)
		9599	return (unsigned int) -1;
		9600	size += obj_size;
9342	p->data[i].objp->touched = 1; /* Don't account for this again */	9601	p->data[i].objp->touched = 1; /* Don't account for this again */
9343	}	9602	}
9344	}	9603	}
Lines 9373-9381 static int icc_write( Link Here
9373	}	9632	}
9374		9633
9375	size += p->header->get_size(p->header);	9634	size += p->header->get_size(p->header);
		9635	if (p->errc)
		9636	return p->errc;
9376		9637
		9638	if (p->count > (UINT_MAX - 4 - len) / 12) {
		9639	sprintf(p->err,"icc_write: too many tags");
		9640	return p->errc = 1;
		9641	}
9377	len = 4 + p->count * 12; /* Tag table length */	9642	len = 4 + p->count * 12; /* Tag table length */
9378	size = DO_ALIGN(size);	9643	size = DO_ALIGN(size);
		9644	if (size == 0 \|\| size > UINT_MAX - len) {
		9645	sprintf(p->err,"icc_write: overflow writing tag table");
		9646	return p->errc = 1;
		9647	}
9379	size += len;	9648	size += len;
9380		9649
9381	/* Allocate memory buffer for tag table */	9650	/* Allocate memory buffer for tag table */
Lines 9406-9411 static int icc_write( Link Here
9406	size = DO_ALIGN(size);	9675	size = DO_ALIGN(size);
9407	p->data[i].offset = size; /* Profile relative target */	9676	p->data[i].offset = size; /* Profile relative target */
9408	p->data[i].size = p->data[i].objp->get_size(p->data[i].objp);	9677	p->data[i].size = p->data[i].objp->get_size(p->data[i].objp);
		9678	if (size == 0 \|\|
		9679	p->errc \|\| p->data[i].size > UINT_MAX - size) {
		9680	sprintf(p->err,"icc_write: internal error - overflow?");
		9681	p->al->free(p->al, buf);
		9682	return p->errc;
		9683	}
9409	size += p->data[i].size;	9684	size += p->data[i].size;
9410	p->data[i].objp->touched = 1; /* Allocated space for it */	9685	p->data[i].objp->touched = 1; /* Allocated space for it */
9411	} else { /* must be linked - copy allocation */	9686	} else { /* must be linked - copy allocation */
Lines 9529-9534 static icmBase *icc_add_tag( Link Here
9529	}	9804	}
9530		9805
9531	/* Make space in tag table for new tag item */	9806	/* Make space in tag table for new tag item */
		9807	if (p->count > SIZE_MAX / sizeof(icmTag) - 1) {
		9808	sprintf(p->err,"icc_add_tag: overflow");
		9809	p->errc = 1;
		9810	return NULL;
		9811	}
9532	if (p->data == NULL)	9812	if (p->data == NULL)
9533	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));	9813	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
9534	else	9814	else
Lines 9612-9617 static icmBase *icc_link_tag( Link Here
9612	}	9892	}
9613		9893
9614	/* Make space in tag table for new tag item */	9894	/* Make space in tag table for new tag item */
		9895	if (p->count > UINT_MAX / sizeof(icmTag) - 1) {
		9896	sprintf(p->err,"icc_link_tag: overflow");
		9897	p->errc = 1;
		9898	return NULL;
		9899	}
9615	if (p->data == NULL)	9900	if (p->data == NULL)
9616	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));	9901	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
9617	else	9902	else

Return to bug 261087