Attachment #184187 for bug #261087

Lines 152-157 Link Here

(-)ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 (-34 / +333 lines)
152	* Various bug fixes and enhancements.	152	* Various bug fixes and enhancements.
153	*/	153	*/
154		154
		155	#include <limits.h>
		156	#include <stdint.h>
155	#include <stdio.h>	157	#include <stdio.h>
156	#include <stdlib.h>	158	#include <stdlib.h>
157	#include <stdarg.h>	159	#include <stdarg.h>
Lines 313-320 size_t count Link Here
313	icmFileMem p = (icmFileMem )pp;	315	icmFileMem p = (icmFileMem )pp;
314	size_t len;	316	size_t len;
315		317
		318	if (count > 0 && size > SIZE_MAX / count)
		319	return 0;
		320
316	len = size * count;	321	len = size * count;
317	if ((p->cur + len) >= p->end) { /* Too much */	322	if (len > (p->end - p->cur)) { /* Too much */
318	if (size > 0)	323	if (size > 0)
319	count = (p->end - p->cur)/size;	324	count = (p->end - p->cur)/size;
320	else	325	else
Lines 1634-1639 static int icmUInt8Array_write( Link Here
1634		1639
1635	/* Allocate a file write buffer */	1640	/* Allocate a file write buffer */
1636	len = p->get_size((icmBase *)p);	1641	len = p->get_size((icmBase *)p);
		1642	if (icp->errc)
		1643	return icp->errc;
1637	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	1644	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
1638	sprintf(icp->err,"icmUInt8Array_write malloc() failed");	1645	sprintf(icp->err,"icmUInt8Array_write malloc() failed");
1639	return icp->errc = 2;	1646	return icp->errc = 2;
Lines 1698-1704 static int icmUInt8Array_allocate( Link Here
1698	if (p->size != p->_size) {	1705	if (p->size != p->_size) {
1699	if (p->data != NULL)	1706	if (p->data != NULL)
1700	icp->al->free(icp->al, p->data);	1707	icp->al->free(icp->al, p->data);
1701	if ((p->data = (unsigned int ) icp->al->malloc(icp->al, p->size sizeof(unsigned int))) == NULL) {	1708	if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
1702	sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");	1709	sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");
1703	return icp->errc = 2;	1710	return icp->errc = 2;
1704	}	1711	}
Lines 1749-1754 static unsigned int icmUInt16Array_get_s Link Here
1749	icmUInt16Array p = (icmUInt16Array )pp;	1756	icmUInt16Array p = (icmUInt16Array )pp;
1750	unsigned int len = 0;	1757	unsigned int len = 0;
1751	len += 8; /* 8 bytes for tag and padding */	1758	len += 8; /* 8 bytes for tag and padding */
		1759	if (p->size > (UINT_MAX - len) / 2) {
		1760	p->icp->errc = 1;
		1761	return (unsigned int) -1;
		1762	}
1752	len += p->size * 2; /* 2 bytes for each UInt16 */	1763	len += p->size * 2; /* 2 bytes for each UInt16 */
1753	return len;	1764	return len;
1754	}	1765	}
Lines 1821-1826 static int icmUInt16Array_write( Link Here
1821		1832
1822	/* Allocate a file write buffer */	1833	/* Allocate a file write buffer */
1823	len = p->get_size((icmBase *)p);	1834	len = p->get_size((icmBase *)p);
		1835	if (icp->errc)
		1836	return icp->errc;
1824	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	1837	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
1825	sprintf(icp->err,"icmUInt16Array_write malloc() failed");	1838	sprintf(icp->err,"icmUInt16Array_write malloc() failed");
1826	return icp->errc = 2;	1839	return icp->errc = 2;
Lines 1885-1891 static int icmUInt16Array_allocate( Link Here
1885	if (p->size != p->_size) {	1898	if (p->size != p->_size) {
1886	if (p->data != NULL)	1899	if (p->data != NULL)
1887	icp->al->free(icp->al, p->data);	1900	icp->al->free(icp->al, p->data);
1888	if ((p->data = (unsigned int ) icp->al->malloc(icp->al, p->size sizeof(unsigned int))) == NULL) {	1901	if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
1889	sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");	1902	sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");
1890	return icp->errc = 2;	1903	return icp->errc = 2;
1891	}	1904	}
Lines 1936-1941 static unsigned int icmUInt32Array_get_s Link Here
1936	icmUInt32Array p = (icmUInt32Array )pp;	1949	icmUInt32Array p = (icmUInt32Array )pp;
1937	unsigned int len = 0;	1950	unsigned int len = 0;
1938	len += 8; /* 8 bytes for tag and padding */	1951	len += 8; /* 8 bytes for tag and padding */
		1952	if (p->size > (UINT_MAX - len) / 4) {
		1953	p->icp->errc = 1;
		1954	return (unsigned int) -1;
		1955	}
1939	len += p->size * 4; /* 4 bytes for each UInt32 */	1956	len += p->size * 4; /* 4 bytes for each UInt32 */
1940	return len;	1957	return len;
1941	}	1958	}
Lines 2008-2013 static int icmUInt32Array_write( Link Here
2008		2025
2009	/* Allocate a file write buffer */	2026	/* Allocate a file write buffer */
2010	len = p->get_size((icmBase *)p);	2027	len = p->get_size((icmBase *)p);
		2028	if (icp->errc)
		2029	return icp->errc;
2011	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2030	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2012	sprintf(icp->err,"icmUInt32Array_write malloc() failed");	2031	sprintf(icp->err,"icmUInt32Array_write malloc() failed");
2013	return icp->errc = 2;	2032	return icp->errc = 2;
Lines 2072-2078 static int icmUInt32Array_allocate( Link Here
2072	if (p->size != p->_size) {	2091	if (p->size != p->_size) {
2073	if (p->data != NULL)	2092	if (p->data != NULL)
2074	icp->al->free(icp->al, p->data);	2093	icp->al->free(icp->al, p->data);
2075	if ((p->data = (unsigned int ) icp->al->malloc(icp->al, p->size sizeof(unsigned int))) == NULL) {	2094	if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
2076	sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");	2095	sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");
2077	return icp->errc = 2;	2096	return icp->errc = 2;
2078	}	2097	}
Lines 2123-2128 static unsigned int icmUInt64Array_get_s Link Here
2123	icmUInt64Array p = (icmUInt64Array )pp;	2142	icmUInt64Array p = (icmUInt64Array )pp;
2124	unsigned int len = 0;	2143	unsigned int len = 0;
2125	len += 8; /* 8 bytes for tag and padding */	2144	len += 8; /* 8 bytes for tag and padding */
		2145	if (p->size > (UINT_MAX - len) / 8) {
		2146	p->icp->errc = 1;
		2147	return (unsigned int) -1;
		2148	}
2126	len += p->size * 8; /* 8 bytes for each UInt64 */	2149	len += p->size * 8; /* 8 bytes for each UInt64 */
2127	return len;	2150	return len;
2128	}	2151	}
Lines 2195-2200 static int icmUInt64Array_write( Link Here
2195		2218
2196	/* Allocate a file write buffer */	2219	/* Allocate a file write buffer */
2197	len = p->get_size((icmBase *)p);	2220	len = p->get_size((icmBase *)p);
		2221	if (icp->errc)
		2222	return icp->errc;
2198	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2223	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2199	sprintf(icp->err,"icmUInt64Array_write malloc() failed");	2224	sprintf(icp->err,"icmUInt64Array_write malloc() failed");
2200	return icp->errc = 2;	2225	return icp->errc = 2;
Lines 2259-2265 static int icmUInt64Array_allocate( Link Here
2259	if (p->size != p->_size) {	2284	if (p->size != p->_size) {
2260	if (p->data != NULL)	2285	if (p->data != NULL)
2261	icp->al->free(icp->al, p->data);	2286	icp->al->free(icp->al, p->data);
2262	if ((p->data = (icmUint64 ) icp->al->malloc(icp->al, p->size sizeof(icmUint64))) == NULL) {	2287	if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) {
2263	sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");	2288	sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");
2264	return icp->errc = 2;	2289	return icp->errc = 2;
2265	}	2290	}
Lines 2310-2315 static unsigned int icmU16Fixed16Array_g Link Here
2310	icmU16Fixed16Array p = (icmU16Fixed16Array )pp;	2335	icmU16Fixed16Array p = (icmU16Fixed16Array )pp;
2311	unsigned int len = 0;	2336	unsigned int len = 0;
2312	len += 8; /* 8 bytes for tag and padding */	2337	len += 8; /* 8 bytes for tag and padding */
		2338	if (p->size > (UINT_MAX - len) / 4) {
		2339	p->icp->errc = 1;
		2340	return (unsigned int) -1;
		2341	}
2313	len += p->size * 4; /* 4 byte for each U16Fixed16 */	2342	len += p->size * 4; /* 4 byte for each U16Fixed16 */
2314	return len;	2343	return len;
2315	}	2344	}
Lines 2382-2387 static int icmU16Fixed16Array_write( Link Here
2382		2411
2383	/* Allocate a file write buffer */	2412	/* Allocate a file write buffer */
2384	len = p->get_size((icmBase *)p);	2413	len = p->get_size((icmBase *)p);
		2414	if (icp->errc)
		2415	return icp->errc;
2385	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2416	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2386	sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");	2417	sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");
2387	return icp->errc = 2;	2418	return icp->errc = 2;
Lines 2446-2452 static int icmU16Fixed16Array_allocate( Link Here
2446	if (p->size != p->_size) {	2477	if (p->size != p->_size) {
2447	if (p->data != NULL)	2478	if (p->data != NULL)
2448	icp->al->free(icp->al, p->data);	2479	icp->al->free(icp->al, p->data);
2449	if ((p->data = (double ) icp->al->malloc(icp->al, p->size sizeof(double))) == NULL) {	2480	if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
2450	sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");	2481	sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");
2451	return icp->errc = 2;	2482	return icp->errc = 2;
2452	}	2483	}
Lines 2497-2502 static unsigned int icmS15Fixed16Array_g Link Here
2497	icmS15Fixed16Array p = (icmS15Fixed16Array )pp;	2528	icmS15Fixed16Array p = (icmS15Fixed16Array )pp;
2498	unsigned int len = 0;	2529	unsigned int len = 0;
2499	len += 8; /* 8 bytes for tag and padding */	2530	len += 8; /* 8 bytes for tag and padding */
		2531	if (p->size > (UINT_MAX - len) / 4) {
		2532	p->icp->errc = 1;
		2533	return (unsigned int) - 1;
		2534	}
2500	len += p->size * 4; /* 4 byte for each S15Fixed16 */	2535	len += p->size * 4; /* 4 byte for each S15Fixed16 */
2501	return len;	2536	return len;
2502	}	2537	}
Lines 2569-2574 static int icmS15Fixed16Array_write( Link Here
2569		2604
2570	/* Allocate a file write buffer */	2605	/* Allocate a file write buffer */
2571	len = p->get_size((icmBase *)p);	2606	len = p->get_size((icmBase *)p);
		2607	if (icp->errc)
		2608	return icp->errc;
2572	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2609	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2573	sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");	2610	sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");
2574	return icp->errc = 2;	2611	return icp->errc = 2;
Lines 2633-2639 static int icmS15Fixed16Array_allocate( Link Here
2633	if (p->size != p->_size) {	2670	if (p->size != p->_size) {
2634	if (p->data != NULL)	2671	if (p->data != NULL)
2635	icp->al->free(icp->al, p->data);	2672	icp->al->free(icp->al, p->data);
2636	if ((p->data = (double ) icp->al->malloc(icp->al, p->size sizeof(double))) == NULL) {	2673	if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
2637	sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");	2674	sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");
2638	return icp->errc = 2;	2675	return icp->errc = 2;
2639	}	2676	}
Lines 2726-2731 static unsigned int icmXYZArray_get_size Link Here
2726	icmXYZArray p = (icmXYZArray )pp;	2763	icmXYZArray p = (icmXYZArray )pp;
2727	unsigned int len = 0;	2764	unsigned int len = 0;
2728	len += 8; /* 8 bytes for tag and padding */	2765	len += 8; /* 8 bytes for tag and padding */
		2766	if (p->size > (UINT_MAX - len) / 12) {
		2767	p->icp->errc = 1;
		2768	return (unsigned int) - 1;
		2769	}
2729	len += p->size * 12; /* 12 bytes for each XYZ */	2770	len += p->size * 12; /* 12 bytes for each XYZ */
2730	return len;	2771	return len;
2731	}	2772	}
Lines 2798-2803 static int icmXYZArray_write( Link Here
2798		2839
2799	/* Allocate a file write buffer */	2840	/* Allocate a file write buffer */
2800	len = p->get_size((icmBase *)p);	2841	len = p->get_size((icmBase *)p);
		2842	if (icp->errc)
		2843	return icp->errc;
2801	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	2844	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
2802	sprintf(icp->err,"icmXYZArray_write malloc() failed");	2845	sprintf(icp->err,"icmXYZArray_write malloc() failed");
2803	return icp->errc = 2;	2846	return icp->errc = 2;
Lines 2865-2871 static int icmXYZArray_allocate( Link Here
2865	if (p->size != p->_size) {	2908	if (p->size != p->_size) {
2866	if (p->data != NULL)	2909	if (p->data != NULL)
2867	icp->al->free(icp->al, p->data);	2910	icp->al->free(icp->al, p->data);
2868	if ((p->data = (icmXYZNumber ) icp->al->malloc(icp->al, p->size sizeof(icmXYZNumber))) == NULL) {	2911	if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) {
2869	sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");	2912	sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");
2870	return icp->errc = 2;	2913	return icp->errc = 2;
2871	}	2914	}
Lines 3001-3007 static int icmTable_setup_bwd( Link Here
3001	int nf; /* Next free slot */	3044	int nf; /* Next free slot */
3002	if (rt->rlists[j] == NULL) { /* No allocation */	3045	if (rt->rlists[j] == NULL) { /* No allocation */
3003	as = 5; /* Start with space for 5 */	3046	as = 5; /* Start with space for 5 */
3004	if ((rt->rlists[j] = (int ) icp->al->malloc(icp->al, sizeof(int) as)) == NULL) {	3047	if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) {
3005	return 2;	3048	return 2;
3006	}	3049	}
3007	rt->rlists[j][0] = as;	3050	rt->rlists[j][0] = as;
Lines 3141-3146 static unsigned int icmCurve_get_size( Link Here
3141	icmCurve p = (icmCurve )pp;	3184	icmCurve p = (icmCurve )pp;
3142	unsigned int len = 0;	3185	unsigned int len = 0;
3143	len += 12; /* 12 bytes for tag, padding and count */	3186	len += 12; /* 12 bytes for tag, padding and count */
		3187	if (p->size > (UINT_MAX - len) / 2) {
		3188	p->icp->errc = 1;
		3189	return (unsigned int) - 1;
		3190	}
3144	len += p->size * 2; /* 2 bytes for each UInt16 */	3191	len += p->size * 2; /* 2 bytes for each UInt16 */
3145	return len;	3192	return len;
3146	}	3193	}
Lines 3238-3243 static int icmCurve_write( Link Here
3238		3285
3239	/* Allocate a file write buffer */	3286	/* Allocate a file write buffer */
3240	len = p->get_size((icmBase *)p);	3287	len = p->get_size((icmBase *)p);
		3288	if (icp->errc)
		3289	return icp->errc;
3241	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	3290	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
3242	sprintf(icp->err,"icmCurve_write malloc() failed");	3291	sprintf(icp->err,"icmCurve_write malloc() failed");
3243	return icp->errc = 2;	3292	return icp->errc = 2;
Lines 3347-3353 static int icmCurve_allocate( Link Here
3347	if (p->size != p->_size) {	3396	if (p->size != p->_size) {
3348	if (p->data != NULL)	3397	if (p->data != NULL)
3349	icp->al->free(icp->al, p->data);	3398	icp->al->free(icp->al, p->data);
3350	if ((p->data = (double ) icp->al->malloc(icp->al, p->size sizeof(double))) == NULL) {	3399	if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
3351	sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");	3400	sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");
3352	return icp->errc = 2;	3401	return icp->errc = 2;
3353	}	3402	}
Lines 3493-3498 static int icmData_write( Link Here
3493		3542
3494	/* Allocate a file write buffer */	3543	/* Allocate a file write buffer */
3495	len = p->get_size((icmBase *)p);	3544	len = p->get_size((icmBase *)p);
		3545	if (icp->errc)
		3546	return icp->errc;
3496	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	3547	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
3497	sprintf(icp->err,"icmData_write malloc() failed");	3548	sprintf(icp->err,"icmData_write malloc() failed");
3498	return icp->errc = 2;	3549	return icp->errc = 2;
Lines 3745-3750 static int icmText_write( Link Here
3745		3796
3746	/* Allocate a file write buffer */	3797	/* Allocate a file write buffer */
3747	len = p->get_size((icmBase *)p);	3798	len = p->get_size((icmBase *)p);
		3799	if (icp->errc)
		3800	return icp->errc;
3748	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	3801	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
3749	sprintf(icp->err,"icmText_write malloc() failed");	3802	sprintf(icp->err,"icmText_write malloc() failed");
3750	return icp->errc = 2;	3803	return icp->errc = 2;
Lines 4038-4043 static int icmDateTimeNumber_write( Link Here
4038		4091
4039	/* Allocate a file write buffer */	4092	/* Allocate a file write buffer */
4040	len = p->get_size((icmBase *)p);	4093	len = p->get_size((icmBase *)p);
		4094	if (icp->errc)
		4095	return icp->errc;
4041	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	4096	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
4042	sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");	4097	sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");
4043	return icp->errc = 2;	4098	return icp->errc = 2;
Lines 4128-4138 static icmBase *new_icmDateTimeNumber( Link Here
4128	/* icmLut object */	4183	/* icmLut object */
4129		4184
4130	/* Utility function - raise one integer to an integer power */	4185	/* Utility function - raise one integer to an integer power */
4131	static unsigned int uipow(unsigned int a, unsigned int b) {	4186	static int uipow(unsigned int a, unsigned int b, unsigned int *ret) {
4132	unsigned int rv = 1;	4187	unsigned int rv = 1;
4133	for (; b > 0; b--)	4188	for (; b > 0; b--) {
		4189	if (a > 0 && rv > UINT_MAX / a)
		4190	return 1;
4134	rv *= a;	4191	rv *= a;
4135	return rv;	4192	}
		4193	*ret = rv;
		4194	return 0;
4136	}	4195	}
4137		4196
4138	/* - - - - - - - - - - - - - - - - */	4197	/* - - - - - - - - - - - - - - - - */
Lines 4268-4274 double in / Input array[outputChan] * Link Here
4268	if (p->inputChan <= 8) {	4327	if (p->inputChan <= 8) {
4269	gw = GW; /* Use stack allocation */	4328	gw = GW; /* Use stack allocation */
4270	} else {	4329	} else {
4271	if ((gw = (double ) icp->al->malloc(icp->al, (1 << p->inputChan) sizeof(double))) == NULL) {	4330	if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) {
4272	sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");	4331	sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");
4273	return icp->errc = 2;	4332	return icp->errc = 2;
4274	}	4333	}
Lines 4819-4837 static unsigned int icmLut_get_size( Link Here
4819	) {	4878	) {
4820	icmLut p = (icmLut )pp;	4879	icmLut p = (icmLut )pp;
4821	unsigned int len = 0;	4880	unsigned int len = 0;
		4881	unsigned int pw;
4822		4882
4823	if (p->ttype == icSigLut8Type) {	4883	if (p->ttype == icSigLut8Type) {
4824	len += 48; /* tag and header */	4884	len += 48; /* tag and header */
		4885	if (p->inputChan > 0 &&
		4886	p->inputEnt > (UINT_MAX - len) / p->inputChan / 1)
		4887	goto overflow;
		4888
4825	len += 1 * (p->inputChan * p->inputEnt);	4889	len += 1 * (p->inputChan * p->inputEnt);
4826	len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan));	4890	if (uipow(p->clutPoints,p->inputChan, &pw) \|\|
		4891	(p->outputChan > 0 &&
		4892	pw > (UINT_MAX - len) / p->outputChan / 1))
		4893	goto overflow;
		4894
		4895	len += 1 * (p->outputChan * pw);
		4896	if (p->outputChan > 0 &&
		4897	p->outputEnt > (UINT_MAX - len) / p->outputChan / 1)
		4898	goto overflow;
		4899
4827	len += 1 * (p->outputChan * p->outputEnt);	4900	len += 1 * (p->outputChan * p->outputEnt);
4828	} else {	4901	} else {
4829	len += 52; /* tag and header */	4902	len += 52; /* tag and header */
		4903	if (p->inputChan > 0 &&
		4904	p->inputEnt > (UINT_MAX - len) / p->inputChan / 2)
		4905	goto overflow;
		4906
4830	len += 2 * (p->inputChan * p->inputEnt);	4907	len += 2 * (p->inputChan * p->inputEnt);
4831	len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan));	4908	if (uipow(p->clutPoints,p->inputChan, &pw) \|\|
		4909	(p->outputChan > 0 &&
		4910	pw > (UINT_MAX - len) / p->outputChan / 2))
		4911	goto overflow;
		4912
		4913	len += 2 * (p->outputChan * pw);
		4914	if (p->outputChan > 0 &&
		4915	p->outputEnt > (UINT_MAX - len) / p->outputChan / 2)
		4916	goto overflow;
		4917
4832	len += 2 * (p->outputChan * p->outputEnt);	4918	len += 2 * (p->outputChan * p->outputEnt);
4833	}	4919	}
4834	return len;	4920	return len;
		4921
		4922	overflow:
		4923	p->icp->errc = 1;
		4924	return (unsigned int) -1;
4835	}	4925	}
4836		4926
4837	/* read the object, return 0 on success, error code on fail */	4927	/* read the object, return 0 on success, error code on fail */
Lines 4844-4849 static int icmLut_read( Link Here
4844	icc *icp = p->icp;	4934	icc *icp = p->icp;
4845	int rv = 0;	4935	int rv = 0;
4846	unsigned long i, j, g, size;	4936	unsigned long i, j, g, size;
		4937	unsigned int pw;
4847	char bp, buf;	4938	char bp, buf;
4848		4939
4849	if (len < 4) {	4940	if (len < 4) {
Lines 4904-4909 static int icmLut_read( Link Here
4904	return icp->errc = 1;	4995	return icp->errc = 1;
4905	}	4996	}
4906		4997
		4998	if (p->clutPoints > 100) {
		4999	sprintf(icp->err,"icmLut_read: too many clutPoints");
		5000	return icp->errc = 1;
		5001	}
		5002
4907	/* Read 3x3 transform matrix */	5003	/* Read 3x3 transform matrix */
4908	for (j = 0; j < 3; j++) { /* Rows */	5004	for (j = 0; j < 3; j++) { /* Rows */
4909	for (i = 0; i < 3; i++) { /* Columns */	5005	for (i = 0; i < 3; i++) { /* Columns */
Lines 4921-4933 static int icmLut_read( Link Here
4921	bp = buf+52;	5017	bp = buf+52;
4922	}	5018	}
4923		5019
4924	if (len < icmLut_get_size((icmBase *)p)) {	5020	if (len < icmLut_get_size((icmBase *)p) \|\| icp->errc) {
4925	sprintf(icp->err,"icmLut_read: Tag too small for contents");	5021	sprintf(icp->err,"icmLut_read: Tag too small for contents");
4926	icp->al->free(icp->al, buf);	5022	icp->al->free(icp->al, buf);
4927	return icp->errc = 1;	5023	return icp->errc = 1;
4928	}	5024	}
4929		5025
4930	/* Read the input tables */	5026	/* Read the input tables */
		5027	if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
		5028	sprintf(icp->err,"icmLut_read: overflow");
		5029	icp->al->free(icp->al, buf);
		5030	return icp->errc = 1;
		5031	}
4931	size = (p->inputChan * p->inputEnt);	5032	size = (p->inputChan * p->inputEnt);
4932	if ((rv = p->allocate((icmBase *)p)) != 0) {	5033	if ((rv = p->allocate((icmBase *)p)) != 0) {
4933	icp->al->free(icp->al, buf);	5034	icp->al->free(icp->al, buf);
Lines 4942-4948 static int icmLut_read( Link Here
4942	}	5043	}
4943		5044
4944	/* Read the clut table */	5045	/* Read the clut table */
4945	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5046	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5047	(p->outputChan > 0 &&
		5048	pw > UINT_MAX / p->outputChan)) {
		5049	sprintf(icp->err,"icmLut_read: overflow");
		5050	icp->al->free(icp->al, buf);
		5051	return icp->errc = 1;
		5052	}
		5053	size = (p->outputChan * pw);
4946	if ((rv = p->allocate((icmBase *)p)) != 0) {	5054	if ((rv = p->allocate((icmBase *)p)) != 0) {
4947	icp->al->free(icp->al, buf);	5055	icp->al->free(icp->al, buf);
4948	return rv;	5056	return rv;
Lines 4956-4961 static int icmLut_read( Link Here
4956	}	5064	}
4957		5065
4958	/* Read the output tables */	5066	/* Read the output tables */
		5067	if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
		5068	sprintf(icp->err,"icmLut_read: overflow");
		5069	icp->al->free(icp->al, buf);
		5070	return icp->errc = 1;
		5071	}
4959	size = (p->outputChan * p->outputEnt);	5072	size = (p->outputChan * p->outputEnt);
4960	if ((rv = p->allocate((icmBase *)p)) != 0) {	5073	if ((rv = p->allocate((icmBase *)p)) != 0) {
4961	icp->al->free(icp->al, buf);	5074	icp->al->free(icp->al, buf);
Lines 4995-5006 static int icmLut_write( Link Here
4995	icmLut p = (icmLut )pp;	5108	icmLut p = (icmLut )pp;
4996	icc *icp = p->icp;	5109	icc *icp = p->icp;
4997	unsigned long i,j;	5110	unsigned long i,j;
4998	unsigned int len, size;	5111	unsigned int len, size, pw;
4999	char bp, buf; /* Buffer to write from */	5112	char bp, buf; /* Buffer to write from */
5000	int rv = 0;	5113	int rv = 0;
5001		5114
5002	/* Allocate a file write buffer */	5115	/* Allocate a file write buffer */
5003	len = p->get_size((icmBase *)p);	5116	len = p->get_size((icmBase *)p);
		5117	if (icp->errc)
		5118	return icp->errc;
5004	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	5119	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
5005	sprintf(icp->err,"icmLut_write malloc() failed");	5120	sprintf(icp->err,"icmLut_write malloc() failed");
5006	return icp->errc = 2;	5121	return icp->errc = 2;
Lines 5066-5071 static int icmLut_write( Link Here
5066	}	5181	}
5067		5182
5068	/* Write the input tables */	5183	/* Write the input tables */
		5184	if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
		5185	sprintf(icp->err,"icmLut_write: overflow");
		5186	icp->al->free(icp->al, buf);
		5187	return icp->errc = 1;
		5188	}
5069	size = (p->inputChan * p->inputEnt);	5189	size = (p->inputChan * p->inputEnt);
5070	if (p->ttype == icSigLut8Type) {	5190	if (p->ttype == icSigLut8Type) {
5071	for (i = 0; i < size; i++, bp += 1) {	5191	for (i = 0; i < size; i++, bp += 1) {
Lines 5086-5092 static int icmLut_write( Link Here
5086	}	5206	}
5087		5207
5088	/* Write the clut table */	5208	/* Write the clut table */
5089	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5209	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5210	(p->outputChan > 0 &&
		5211	pw > UINT_MAX / p->outputChan)) {
		5212	sprintf(icp->err,"icmLut_write: overflow");
		5213	icp->al->free(icp->al, buf);
		5214	return icp->errc = 1;
		5215	}
		5216	size = (p->outputChan * pw);
5090	if (p->ttype == icSigLut8Type) {	5217	if (p->ttype == icSigLut8Type) {
5091	for (i = 0; i < size; i++, bp += 1) {	5218	for (i = 0; i < size; i++, bp += 1) {
5092	if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) {	5219	if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) {
Lines 5106-5111 static int icmLut_write( Link Here
5106	}	5233	}
5107		5234
5108	/* Write the output tables */	5235	/* Write the output tables */
		5236	if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
		5237	sprintf(icp->err,"icmLut_write: overflow");
		5238	icp->al->free(icp->al, buf);
		5239	return icp->errc = 1;
		5240	}
5109	size = (p->outputChan * p->outputEnt);	5241	size = (p->outputChan * p->outputEnt);
5110	if (p->ttype == icSigLut8Type) {	5242	if (p->ttype == icSigLut8Type) {
5111	for (i = 0; i < size; i++, bp += 1) {	5243	for (i = 0; i < size; i++, bp += 1) {
Lines 5177-5183 static void icmLut_dump( Link Here
5177	if (p->inputChan > MAX_CHAN) {	5309	if (p->inputChan > MAX_CHAN) {
5178	fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN);	5310	fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN);
5179	} else {	5311	} else {
5180	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5312	unsigned int pw;
		5313	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5314	(p->outputChan > 0 &&
		5315	pw > UINT_MAX / p->outputChan)) {
		5316	fprintf(op,"Would overflow.\n");
		5317	return;
		5318	}
		5319	size = (p->outputChan * pw);
5181	for (j = 0; j < p->inputChan; j++)	5320	for (j = 0; j < p->inputChan; j++)
5182	ii[j] = 0;	5321	ii[j] = 0;
5183	for (i = 0; i < size;) {	5322	for (i = 0; i < size;) {
Lines 5216-5222 static void icmLut_dump( Link Here
5216	static int icmLut_allocate(	5355	static int icmLut_allocate(
5217	icmBase *pp	5356	icmBase *pp
5218	) {	5357	) {
5219	unsigned int i, j, g, size;	5358	unsigned int i, j, g, size, pw;
5220	icmLut p = (icmLut )pp;	5359	icmLut p = (icmLut )pp;
5221	icc *icp = p->icp;	5360	icc *icp = p->icp;
5222		5361
Lines 5231-5236 static int icmLut_allocate( Link Here
5231	return icp->errc = 1;	5370	return icp->errc = 1;
5232	}	5371	}
5233		5372
		5373	if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
		5374	sprintf(icp->err,"icmLut_alloc: too many entries");
		5375	return icp->errc = 1;
		5376	}
5234	size = (p->inputChan * p->inputEnt);	5377	size = (p->inputChan * p->inputEnt);
5235	if (size != p->inputTable_size) {	5378	if (size != p->inputTable_size) {
5236	if (p->inputTable != NULL)	5379	if (p->inputTable != NULL)
Lines 5241-5247 static int icmLut_allocate( Link Here
5241	}	5384	}
5242	p->inputTable_size = size;	5385	p->inputTable_size = size;
5243	}	5386	}
5244	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));	5387	if (uipow(p->clutPoints,p->inputChan,&pw) \|\|
		5388	(p->outputChan > 0 &&
		5389	pw > UINT_MAX / p->outputChan)) {
		5390	sprintf(icp->err,"icmLut_alloc: overflow");
		5391	return icp->errc = 1;
		5392	}
		5393	size = (p->outputChan * pw);
5245	if (size != p->clutTable_size) {	5394	if (size != p->clutTable_size) {
5246	if (p->clutTable != NULL)	5395	if (p->clutTable != NULL)
5247	icp->al->free(icp->al, p->clutTable);	5396	icp->al->free(icp->al, p->clutTable);
Lines 5251-5256 static int icmLut_allocate( Link Here
5251	}	5400	}
5252	p->clutTable_size = size;	5401	p->clutTable_size = size;
5253	}	5402	}
		5403	if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
		5404	sprintf(icp->err,"icmLut_alloc: overflow");
		5405	return icp->errc = 1;
		5406	}
5254	size = (p->outputChan * p->outputEnt);	5407	size = (p->outputChan * p->outputEnt);
5255	if (size != p->outputTable_size) {	5408	if (size != p->outputTable_size) {
5256	if (p->outputTable != NULL)	5409	if (p->outputTable != NULL)
Lines 5441-5446 static int icmMeasurement_write( Link Here
5441		5594
5442	/* Allocate a file write buffer */	5595	/* Allocate a file write buffer */
5443	len = p->get_size((icmBase *)p);	5596	len = p->get_size((icmBase *)p);
		5597	if (icp->errc)
		5598	return icp->errc;
5444	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	5599	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
5445	sprintf(icp->err,"icmMeasurement_write malloc() failed");	5600	sprintf(icp->err,"icmMeasurement_write malloc() failed");
5446	return icp->errc = 2;	5601	return icp->errc = 2;
Lines 5712-5724 static unsigned int icmNamedColor_get_si Link Here
5712	len += p->nDeviceCoords * 1; /* bytes for each named color */	5867	len += p->nDeviceCoords * 1; /* bytes for each named color */
5713	}	5868	}
5714	} else { /* Named Color 2 */	5869	} else { /* Named Color 2 */
		5870	unsigned int col;
5715	len += 8; /* 8 bytes for tag and padding */	5871	len += 8; /* 8 bytes for tag and padding */
5716	len += 4; /* 4 for vendor specific flags */	5872	len += 4; /* 4 for vendor specific flags */
5717	len += 4; /* 4 for count of named colors */	5873	len += 4; /* 4 for count of named colors */
5718	len += 4; /* 4 for number of device coords */	5874	len += 4; /* 4 for number of device coords */
5719	len += 32; /* 32 for prefix of color names */	5875	len += 32; /* 32 for prefix of color names */
5720	len += 32; /* 32 for suffix of color names */	5876	len += 32; /* 32 for suffix of color names */
5721	len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */	5877	col = 32 + 6 + p->nDeviceCoords * 2;
		5878	if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 \|\|
		5879	(p->count > 0 && col > (UINT_MAX - len) / p->count)) {
		5880	p->icp->errc = 1;
		5881	return (unsigned int) -1;
		5882	}
		5883	len += p->count * col; /* bytes for each named color */
5722	}	5884	}
5723	return len;	5885	return len;
5724	}	5886	}
Lines 5882-5887 static int icmNamedColor_write( Link Here
5882		6044
5883	/* Allocate a file write buffer */	6045	/* Allocate a file write buffer */
5884	len = p->get_size((icmBase *)p);	6046	len = p->get_size((icmBase *)p);
		6047	if (icp->errc)
		6048	return icp->errc;
5885	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	6049	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
5886	sprintf(icp->err,"icmNamedColor_write malloc() failed");	6050	sprintf(icp->err,"icmNamedColor_write malloc() failed");
5887	return icp->errc = 2;	6051	return icp->errc = 2;
Lines 6109-6117 static unsigned int icmTextDescription_g Link Here
6109	) {	6273	) {
6110	icmTextDescription p = (icmTextDescription )pp;	6274	icmTextDescription p = (icmTextDescription )pp;
6111	unsigned int len = 0;	6275	unsigned int len = 0;
		6276	if (p->size > UINT_MAX - (8 + 4 + 8)) {
		6277	p->icp->errc = 1;
		6278	return (unsigned int) -1;
		6279	}
6112	len += 8; /* 8 bytes for tag and padding */	6280	len += 8; /* 8 bytes for tag and padding */
6113	len += 4 + p->size; /* Ascii string length + ascii string */	6281	len += 4 + p->size; /* Ascii string length + ascii string */
6114	len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */	6282	len += 8; /* Unicode language code + length */
		6283	if (p->ucSize > (UINT_MAX - len) / 2) {
		6284	p->icp->errc = 1;
		6285	return (unsigned int) -1;
		6286	}
		6287	len += 2 * p->ucSize; /* Unicode string */
		6288	if (len > (UINT_MAX - (3 + 67))) {
		6289	p->icp->errc = 1;
		6290	return (unsigned int) -1;
		6291	}
6115	len += 3 + 67; /* ScriptCode code, length string */	6292	len += 3 + 67; /* ScriptCode code, length string */
6116	return len;	6293	return len;
6117	}	6294	}
Lines 6294-6299 static int icmTextDescription_write( Link Here
6294		6471
6295	/* Allocate a file write buffer */	6472	/* Allocate a file write buffer */
6296	len = p->get_size((icmBase *)p);	6473	len = p->get_size((icmBase *)p);
		6474	if (icp->errc)
		6475	return icp->errc;
6297	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	6476	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
6298	sprintf(icp->err,"icmTextDescription_write malloc() failed");	6477	sprintf(icp->err,"icmTextDescription_write malloc() failed");
6299	return icp->errc = 2;	6478	return icp->errc = 2;
Lines 6544-6550 static int icmTextDescription_allocate( Link Here
6544	if (p->ucSize != p->uc_size) {	6723	if (p->ucSize != p->uc_size) {
6545	if (p->ucDesc != NULL)	6724	if (p->ucDesc != NULL)
6546	icp->al->free(icp->al, p->ucDesc);	6725	icp->al->free(icp->al, p->ucDesc);
6547	if ((p->ucDesc = (ORD16 ) icp->al->malloc(icp->al, p->ucSize sizeof(ORD16))) == NULL) {	6726	if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) {
6548	sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed");	6727	sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed");
6549	return icp->errc = 2;	6728	return icp->errc = 2;
6550	}	6729	}
Lines 6820-6825 static int icmProfileSequenceDesc_read( Link Here
6820	bp += 8; /* Skip padding */	6999	bp += 8; /* Skip padding */
6821		7000
6822	p->count = read_UInt32Number(bp); /* Number of sequence descriptions */	7001	p->count = read_UInt32Number(bp); /* Number of sequence descriptions */
		7002	if (p->count > 1000) {
		7003	sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions");
		7004	icp->al->free(icp->al, buf);
		7005	return icp->errc = 1;
		7006	}
		7007
6823	bp += 4;	7008	bp += 4;
6824		7009
6825	/* Read all the sequence descriptions */	7010	/* Read all the sequence descriptions */
Lines 6852-6857 static int icmProfileSequenceDesc_write( Link Here
6852		7037
6853	/* Allocate a file write buffer */	7038	/* Allocate a file write buffer */
6854	len = p->get_size((icmBase *)p);	7039	len = p->get_size((icmBase *)p);
		7040	if (icp->errc)
		7041	return icp->errc;
6855	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7042	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
6856	sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed");	7043	sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed");
6857	return icp->errc = 2;	7044	return icp->errc = 2;
Lines 6922-6928 static int icmProfileSequenceDesc_alloca Link Here
6922	if (p->count != p->_count) {	7109	if (p->count != p->_count) {
6923	if (p->data != NULL)	7110	if (p->data != NULL)
6924	icp->al->free(icp->al, p->data);	7111	icp->al->free(icp->al, p->data);
6925	if ((p->data = (icmDescStruct ) icp->al->malloc(icp->al, p->count sizeof(icmDescStruct))) == NULL) {	7112	if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) {
6926	sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed");	7113	sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed");
6927	return icp->errc = 2;	7114	return icp->errc = 2;
6928	}	7115	}
Lines 7041-7046 static int icmSignature_write( Link Here
7041		7228
7042	/* Allocate a file write buffer */	7229	/* Allocate a file write buffer */
7043	len = p->get_size((icmBase *)p);	7230	len = p->get_size((icmBase *)p);
		7231	if (icp->errc)
		7232	return icp->errc;
7044	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7233	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7045	sprintf(icp->err,"icmSignature_write malloc() failed");	7234	sprintf(icp->err,"icmSignature_write malloc() failed");
7046	return icp->errc = 2;	7235	return icp->errc = 2;
Lines 7156-7161 static unsigned int icmScreening_get_siz Link Here
7156	icmScreening p = (icmScreening )pp;	7345	icmScreening p = (icmScreening )pp;
7157	unsigned int len = 0;	7346	unsigned int len = 0;
7158	len += 16; /* 16 bytes for tag, padding, flag & channeles */	7347	len += 16; /* 16 bytes for tag, padding, flag & channeles */
		7348	if (p->channels > (UINT_MAX - len) / 12) {
		7349	p->icp->errc = 1;
		7350	return (unsigned int) -1;
		7351	}
7159	len += p->channels * 12; /* 12 bytes for each channel */	7352	len += p->channels * 12; /* 12 bytes for each channel */
7160	return len;	7353	return len;
7161	}	7354	}
Lines 7235-7240 static int icmScreening_write( Link Here
7235		7428
7236	/* Allocate a file write buffer */	7429	/* Allocate a file write buffer */
7237	len = p->get_size((icmBase *)p);	7430	len = p->get_size((icmBase *)p);
		7431	if (icp->errc)
		7432	return icp->errc;
7238	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7433	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7239	sprintf(icp->err,"icmScreening_write malloc() failed");	7434	sprintf(icp->err,"icmScreening_write malloc() failed");
7240	return icp->errc = 2;	7435	return icp->errc = 2;
Lines 7315-7321 static int icmScreening_allocate( Link Here
7315	if (p->channels != p->_channels) {	7510	if (p->channels != p->_channels) {
7316	if (p->data != NULL)	7511	if (p->data != NULL)
7317	icp->al->free(icp->al, p->data);	7512	icp->al->free(icp->al, p->data);
7318	if ((p->data = (icmScreeningData ) icp->al->malloc(icp->al, p->channels sizeof(icmScreeningData))) == NULL) {	7513	if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) {
7319	sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed");	7514	sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed");
7320	return icp->errc = 2;	7515	return icp->errc = 2;
7321	}	7516	}
Lines 7366-7375 static unsigned int icmUcrBg_get_size( Link Here
7366	icmUcrBg p = (icmUcrBg )pp;	7561	icmUcrBg p = (icmUcrBg )pp;
7367	unsigned int len = 0;	7562	unsigned int len = 0;
7368	len += 8; /* 8 bytes for tag and padding */	7563	len += 8; /* 8 bytes for tag and padding */
		7564	if (p->UCRcount > (UINT_MAX - len - 4) / 2)
		7565	goto overflow;
		7566
7369	len += 4 + p->UCRcount * 2; /* Undercolor Removal */	7567	len += 4 + p->UCRcount * 2; /* Undercolor Removal */
		7568	if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2)
		7569	goto overflow;
		7570
7370	len += 4 + p->BGcount * 2; /* Black Generation */	7571	len += 4 + p->BGcount * 2; /* Black Generation */
7371	len += p->size; /* Description string */	7572	len += p->size; /* Description string */
7372	return len;	7573	return len;
		7574
		7575	overflow:
		7576	p->icp->errc = 1;
		7577	return (unsigned int) -1;
7373	}	7578	}
7374		7579
7375	/* read the object, return 0 on success, error code on fail */	7580	/* read the object, return 0 on success, error code on fail */
Lines 7498-7503 static int icmUcrBg_write( Link Here
7498		7703
7499	/* Allocate a file write buffer */	7704	/* Allocate a file write buffer */
7500	len = p->get_size((icmBase *)p);	7705	len = p->get_size((icmBase *)p);
		7706	if (icp->errc)
		7707	return icp->errc;
7501	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	7708	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7502	sprintf(icp->err,"icmUcrBg_write malloc() failed");	7709	sprintf(icp->err,"icmUcrBg_write malloc() failed");
7503	return icp->errc = 2;	7710	return icp->errc = 2;
Lines 7663-7669 static int icmUcrBg_allocate( Link Here
7663	if (p->UCRcount != p->UCR_count) {	7870	if (p->UCRcount != p->UCR_count) {
7664	if (p->UCRcurve != NULL)	7871	if (p->UCRcurve != NULL)
7665	icp->al->free(icp->al, p->UCRcurve);	7872	icp->al->free(icp->al, p->UCRcurve);
7666	if ((p->UCRcurve = (double ) icp->al->malloc(icp->al, p->UCRcount sizeof(double))) == NULL) {	7873	if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) {
7667	sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed");	7874	sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed");
7668	return icp->errc = 2;	7875	return icp->errc = 2;
7669	}	7876	}
Lines 7672-7678 static int icmUcrBg_allocate( Link Here
7672	if (p->BGcount != p->BG_count) {	7879	if (p->BGcount != p->BG_count) {
7673	if (p->BGcurve != NULL)	7880	if (p->BGcurve != NULL)
7674	icp->al->free(icp->al, p->BGcurve);	7881	icp->al->free(icp->al, p->BGcurve);
7675	if ((p->BGcurve = (double ) icp->al->malloc(icp->al, p->BGcount sizeof(double))) == NULL) {	7882	if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) {
7676	sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed");	7883	sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed");
7677	return icp->errc = 2;	7884	return icp->errc = 2;
7678	}	7885	}
Lines 7743-7748 static unsigned int icmVideoCardGamma_ge Link Here
7743	len += 2; /* 2 bytes for channels */	7950	len += 2; /* 2 bytes for channels */
7744	len += 2; /* 2 for entry count */	7951	len += 2; /* 2 for entry count */
7745	len += 2; /* 2 for entry size */	7952	len += 2; /* 2 for entry size */
		7953	if (p->u.table.entryCount > 0 &&
		7954	p->u.table.entrySize > 0 &&
		7955	p->u.table.channels >
		7956	(UINT_MAX - len) /
		7957	p->u.table.entryCount /
		7958	p->u.table.entrySize) {
		7959	p->icp->errc = 1;
		7960	return (unsigned int) -1;
		7961	}
7746	len += ( p->u.table.channels * /* compute table size */	7962	len += ( p->u.table.channels * /* compute table size */
7747	p->u.table.entryCount *	7963	p->u.table.entryCount *
7748	p->u.table.entrySize );	7964	p->u.table.entrySize );
Lines 7762-7771 static int icmVideoCardGamma_read( Link Here
7762	) {	7978	) {
7763	icmVideoCardGamma p = (icmVideoCardGamma )pp;	7979	icmVideoCardGamma p = (icmVideoCardGamma )pp;
7764	icc *icp = p->icp;	7980	icc *icp = p->icp;
7765	int rv, c;	7981	int rv;
7766	char bp, buf;	7982	char bp, buf;
7767	unsigned char *pchar;	7983	unsigned char *pchar;
7768	unsigned short *pshort;	7984	unsigned short *pshort;
		7985	unsigned long c;
7769		7986
7770	if (len < 18) {	7987	if (len < 18) {
7771	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");	7988	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
Lines 7803-7808 static int icmVideoCardGamma_read( Link Here
7803	p->u.table.channels = read_UInt16Number(bp+12);	8020	p->u.table.channels = read_UInt16Number(bp+12);
7804	p->u.table.entryCount = read_UInt16Number(bp+14);	8021	p->u.table.entryCount = read_UInt16Number(bp+14);
7805	p->u.table.entrySize = read_UInt16Number(bp+16);	8022	p->u.table.entrySize = read_UInt16Number(bp+16);
		8023	if (p->u.table.entrySize > 65530 \|\| p->u.table.entrySize == 0) {
		8024	sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)");
		8025	return icp->errc = 1;
		8026	}
		8027	if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 &&
		8028	p->u.table.channels >
		8029	UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) {
		8030	sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag");
		8031	return icp->errc = 1;
		8032	}
7806	if (len-18 < p->u.table.channelsp->u.table.entryCountp->u.table.entrySize) {	8033	if (len-18 < p->u.table.channelsp->u.table.entryCountp->u.table.entrySize) {
7807	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");	8034	sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
7808	return icp->errc = 1;	8035	return icp->errc = 1;
Lines 7871-7876 static int icmVideoCardGamma_write( Link Here
7871		8098
7872	/* Allocate a file write buffer */	8099	/* Allocate a file write buffer */
7873	len = p->get_size((icmBase *)p);	8100	len = p->get_size((icmBase *)p);
		8101	if (icp->errc)
		8102	return icp->errc;
7874	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	8103	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
7875	sprintf(icp->err,"icmViewingConditions_write malloc() failed");	8104	sprintf(icp->err,"icmViewingConditions_write malloc() failed");
7876	return icp->errc = 2;	8105	return icp->errc = 2;
Lines 8049-8055 static int icmVideoCardGamma_allocate( Link Here
8049	) {	8278	) {
8050	icmVideoCardGamma p = (icmVideoCardGamma )pp;	8279	icmVideoCardGamma p = (icmVideoCardGamma )pp;
8051	icc *icp = p->icp;	8280	icc *icp = p->icp;
8052	int size;	8281	unsigned int size;
8053		8282
8054	/* note: allocation is only relevant for table type	8283	/* note: allocation is only relevant for table type
8055	* and in that case the channels, entryCount, and entrySize	8284	* and in that case the channels, entryCount, and entrySize
Lines 8059-8064 static int icmVideoCardGamma_allocate( Link Here
8059	if (p->tagType == icmVideoCardGammaTableType) {	8288	if (p->tagType == icmVideoCardGammaTableType) {
8060	if (p->u.table.data != NULL)	8289	if (p->u.table.data != NULL)
8061	icp->al->free(icp->al, p->u.table.data);	8290	icp->al->free(icp->al, p->u.table.data);
		8291	if (p->u.table.entryCount > 0 &&
		8292	p->u.table.channels > UINT_MAX / p->u.table.entryCount) {
		8293	sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
		8294	return icp->errc = 1;
		8295	}
8062	size = (p->u.table.channels *	8296	size = (p->u.table.channels *
8063	p->u.table.entryCount);	8297	p->u.table.entryCount);
8064	switch (p->u.table.entrySize) {	8298	switch (p->u.table.entrySize) {
Lines 8066-8071 static int icmVideoCardGamma_allocate( Link Here
8066	size *= sizeof(unsigned char);	8300	size *= sizeof(unsigned char);
8067	break;	8301	break;
8068	case 2:	8302	case 2:
		8303	if (size > UINT_MAX / sizeof(unsigned short)) {
		8304	sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
		8305	return icp->errc = 1;
		8306	}
8069	size *= sizeof(unsigned short);	8307	size *= sizeof(unsigned short);
8070	break;	8308	break;
8071	default:	8309	default:
Lines 8201-8206 static int icmViewingConditions_write( Link Here
8201		8439
8202	/* Allocate a file write buffer */	8440	/* Allocate a file write buffer */
8203	len = p->get_size((icmBase *)p);	8441	len = p->get_size((icmBase *)p);
		8442	if (icp->errc)
		8443	return icp->errc;
8204	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	8444	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
8205	sprintf(icp->err,"icmViewingConditions_write malloc() failed");	8445	sprintf(icp->err,"icmViewingConditions_write malloc() failed");
8206	return icp->errc = 2;	8446	return icp->errc = 2;
Lines 8433-8438 static int icmCrdInfo_write( Link Here
8433		8673
8434	/* Allocate a file write buffer */	8674	/* Allocate a file write buffer */
8435	len = p->get_size((icmBase *)p);	8675	len = p->get_size((icmBase *)p);
		8676	if (icp->errc)
		8677	return icp->errc;
8436	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {	8678	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
8437	sprintf(icp->err,"icmCrdInfo_write malloc() failed");	8679	sprintf(icp->err,"icmCrdInfo_write malloc() failed");
8438	return icp->errc = 2;	8680	return icp->errc = 2;
Lines 8736-8741 static int icmHeader_write( Link Here
8736	int rv = 0;	8978	int rv = 0;
8737		8979
8738	len = p->get_size(p);	8980	len = p->get_size(p);
		8981	if (icp->errc)
		8982	return icp->errc;
8739	if ((buf = (char ) icp->al->calloc(icp->al,1,len)) == NULL) { / Zero it - some CMS are fussy */	8983	if ((buf = (char ) icp->al->calloc(icp->al,1,len)) == NULL) { / Zero it - some CMS are fussy */
8740	sprintf(icp->err,"icmHeader_write calloc() failed");	8984	sprintf(icp->err,"icmHeader_write calloc() failed");
8741	return icp->errc = 2;	8985	return icp->errc = 2;
Lines 9245-9257 static int icc_read( Link Here
9245	}	9489	}
9246		9490
9247	p->count = read_UInt32Number(tcbuf); /* Tag count */	9491	p->count = read_UInt32Number(tcbuf); /* Tag count */
		9492	if (p->count > 100) {
		9493	sprintf(p->err,"icc_read: too many table tags");
		9494	return p->errc = 1;
		9495	}
9248	if (p->count > 0) {	9496	if (p->count > 0) {
9249	char bp, buf;	9497	char bp, buf;
9250	if ((p->data = (icmTag ) p->al->malloc(p->al, p->count sizeof(icmTag))) == NULL) {	9498	if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) {
9251	sprintf(p->err,"icc_read: Tag table malloc() failed");	9499	sprintf(p->err,"icc_read: Tag table malloc() failed");
9252	return p->errc = 2;	9500	return p->errc = 2;
9253	}	9501	}
9254		9502
		9503	if (p->count > (UINT_MAX - 4) / 12) {
		9504	sprintf(p->err,"icc_read: overflow");
		9505	p->al->free(p->al, p->data);
		9506	p->data = NULL;
		9507	return p->errc = 1;
		9508	}
9255	len = 4 + p->count * 12;	9509	len = 4 + p->count * 12;
9256	if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) {	9510	if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) {
9257	sprintf(p->err,"icc_read: Tag table read buffer malloc() failed");	9511	sprintf(p->err,"icc_read: Tag table read buffer malloc() failed");
Lines 9281-9286 static int icc_read( Link Here
9281	return p->errc = 1;	9535	return p->errc = 1;
9282	}	9536	}
9283	p->data[i].size = read_UInt32Number(bp + 8);	9537	p->data[i].size = read_UInt32Number(bp + 8);
		9538	if (p->data[i].offset + p->data[i].size >
		9539	p->header->size) {
		9540	sprintf(p->err,"icc_read: tag out of bounds");
		9541	p->al->free(p->al, p->data);
		9542	p->data = NULL;
		9543	p->al->free(p->al, buf);
		9544	return p->errc = 1;
		9545	}
9284	if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0	9546	if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0
9285	\|\| p->fp->read(p->fp, tcbuf, 1, 4) != 4) {	9547	\|\| p->fp->read(p->fp, tcbuf, 1, 4) != 4) {
9286	sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers");	9548	sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers");
Lines 9321-9328 static unsigned int icc_get_size( Link Here
9321	}	9583	}
9322		9584
9323	size += p->header->get_size(p->header);	9585	size += p->header->get_size(p->header);
		9586	if (p->errc)
		9587	return (unsigned int) -1;
9324		9588
9325	size = DO_ALIGN(size);	9589	size = DO_ALIGN(size);
		9590	if (size == 0 \|\| p->count > (UINT_MAX - 4 - size) / 12) {
		9591	p->errc = 1;
		9592	return (unsigned int) -1;
		9593	}
9326	size += 4 + p->count * 12; /* Tag table length */	9594	size += 4 + p->count * 12; /* Tag table length */
9327		9595
9328	/* Reset touched flag for each tag type */	9596	/* Reset touched flag for each tag type */
Lines 9337-9344 static unsigned int icc_get_size( Link Here
9337	/* Get size for each tag type, skipping links */	9605	/* Get size for each tag type, skipping links */
9338	for (i = 0; i < p->count; i++) {	9606	for (i = 0; i < p->count; i++) {
9339	if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */	9607	if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */
		9608	unsigned int obj_size;
9340	size = DO_ALIGN(size);	9609	size = DO_ALIGN(size);
9341	size += p->data[i].objp->get_size(p->data[i].objp);	9610	obj_size = p->data[i].objp->get_size(p->data[i].objp);
		9611	if (size == 0 \|\| p->errc \|\|
		9612	obj_size > UINT_MAX - size)
		9613	return (unsigned int) -1;
		9614	size += obj_size;
9342	p->data[i].objp->touched = 1; /* Don't account for this again */	9615	p->data[i].objp->touched = 1; /* Don't account for this again */
9343	}	9616	}
9344	}	9617	}
Lines 9373-9381 static int icc_write( Link Here
9373	}	9646	}
9374		9647
9375	size += p->header->get_size(p->header);	9648	size += p->header->get_size(p->header);
		9649	if (p->errc)
		9650	return p->errc;
9376		9651
		9652	if (p->count > (UINT_MAX - 4 - len) / 12) {
		9653	sprintf(p->err,"icc_write: too many tags");
		9654	return p->errc = 1;
		9655	}
9377	len = 4 + p->count * 12; /* Tag table length */	9656	len = 4 + p->count * 12; /* Tag table length */
9378	size = DO_ALIGN(size);	9657	size = DO_ALIGN(size);
		9658	if (size == 0 \|\| size > UINT_MAX - len) {
		9659	sprintf(p->err,"icc_write: overflow writing tag table");
		9660	return p->errc = 1;
		9661	}
9379	size += len;	9662	size += len;
9380		9663
9381	/* Allocate memory buffer for tag table */	9664	/* Allocate memory buffer for tag table */
Lines 9406-9411 static int icc_write( Link Here
9406	size = DO_ALIGN(size);	9689	size = DO_ALIGN(size);
9407	p->data[i].offset = size; /* Profile relative target */	9690	p->data[i].offset = size; /* Profile relative target */
9408	p->data[i].size = p->data[i].objp->get_size(p->data[i].objp);	9691	p->data[i].size = p->data[i].objp->get_size(p->data[i].objp);
		9692	if (size == 0 \|\|
		9693	p->errc \|\| p->data[i].size > UINT_MAX - size) {
		9694	sprintf(p->err,"icc_write: internal error - overflow?");
		9695	p->al->free(p->al, buf);
		9696	return p->errc;
		9697	}
9409	size += p->data[i].size;	9698	size += p->data[i].size;
9410	p->data[i].objp->touched = 1; /* Allocated space for it */	9699	p->data[i].objp->touched = 1; /* Allocated space for it */
9411	} else { /* must be linked - copy allocation */	9700	} else { /* must be linked - copy allocation */
Lines 9529-9534 static icmBase *icc_add_tag( Link Here
9529	}	9818	}
9530		9819
9531	/* Make space in tag table for new tag item */	9820	/* Make space in tag table for new tag item */
		9821	if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) {
		9822	sprintf(p->err,"icc_add_tag: overflow");
		9823	p->errc = 1;
		9824	return NULL;
		9825	}
9532	if (p->data == NULL)	9826	if (p->data == NULL)
9533	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));	9827	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
9534	else	9828	else
Lines 9612-9617 static icmBase *icc_link_tag( Link Here
9612	}	9906	}
9613		9907
9614	/* Make space in tag table for new tag item */	9908	/* Make space in tag table for new tag item */
		9909	if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) {
		9910	sprintf(p->err,"icc_link_tag: overflow");
		9911	p->errc = 1;
		9912	return NULL;
		9913	}
9615	if (p->data == NULL)	9914	if (p->data == NULL)
9616	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));	9915	tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
9617	else	9916	else

Return to bug 261087