Bug 157757

Summary: Bug in netpbm-10.23-security.patch
Product: Fedora
Reporter: Alexey Tourbin <at>
Component: netpbm
Assignee: Jindrich Novy <jnovy>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: pknirsch
Hardware: All   
OS: Linux   
Fixed In Version: 10.27-3
Doc Type: Bug Fix
Last Closed: 2005-05-16 10:14:59 UTC

Description Alexey Tourbin 2005-05-14 15:47:28 UTC
As of netpbm-10.27-2, netpbm-10.23-security.patch supposedly has a bug
in the following chunk:

--- netpbm-10.27/editor/ppmdither.c.security	2005-03-29 14:31:42.975577464 +0200
+++ netpbm-10.27/editor/ppmdither.c	2005-03-29 14:31:43.093559528 +0200
@@ -165,7 +168,8 @@ dith_setup(const unsigned int dith_power
     if (dith_nb < 2) 
         pm_error("too few shades for blue, minimum of 2");
 
-    MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb);
+    overflow2(dith_nr, dith_ng);
+    colormapP = malloc3(dith_nr * dith_ng, dith_nb,  sizeof(pixel));
     if (*colormapP == NULL) 
         pm_error("Unable to allocate space for the color lookup table "
                  "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb);
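
Review bot: the added line `colormapP = malloc3(dith_nr * dith_ng, dith_nb,  sizeof(pixel));` assigns the allocation to the parameter itself instead of to the caller's pointer; since the prototype declares `pixel ** const colormapP`, that assignment to a const-qualified parameter is a compile error, and if the const were dropped it would silently leave the caller's pointer unset while the unchanged `if (*colormapP == NULL)` would dereference the freshly allocated buffer rather than test the allocation result. It should read `*colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel));`. The `overflow2(dith_nr, dith_ng)` guard on the first product before `malloc3` multiplies in `dith_nb` and `sizeof(pixel)` is the right shape; keep it, and keep the two checks adjacent so neither factor is multiplied unchecked.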

Here *colormapP should be assigned, not colormapP.  Note that colormapP is used
to return the allocated buffer from dith_setup() in netpbm-10.27/editor/ppmdither.c:

static void
dith_setup(const unsigned int dith_power,
           const unsigned int dith_nr,
           const unsigned int dith_ng,
           const unsigned int dith_nb,
           const pixval output_maxval,
           pixel ** const colormapP) {

Actually with the above change this code will not even compile with any recent
gcc release.  However, netpbm-10.23-gcc34.patch has the following chunk:

--- netpbm-10.23/editor/ppmdither.c.gcc34       2003-07-06 21:54:02.000000000 +0200
+++ netpbm-10.23/editor/ppmdither.c     2004-08-04 13:36:37.674439040 +0200
@@ -148,7 +148,7 @@
            const unsigned int dith_ng,
            const unsigned int dith_nb,
            const pixval output_maxval,
-           pixel ** const colormapP) {
+           pixel ** colormapP) {
 /*----------------------------------------------------------------------------
    Set up the dithering parameters, color map (lookup table) and
    dithering matrix.
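
Review bot: changing `pixel ** const colormapP` to `pixel ** colormapP` only removes the diagnostic that the security patch's `colormapP = malloc3(...)` assignment triggers; it does not make that assignment write through to the caller, so dith_setup() would still never hand back the colour map. Keep the `const` on the parameter and fix the assignment target in netpbm-10.23-security.patch instead, since the compiler error it produced was pointing at the real defect.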


So it simply downgrades the prototype of dith_setup() in order to calm down gcc,
but gcc has found a real bug here.
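
The overflow-checked allocation the security patch is reaching for, together with the out-parameter assignment the description says is wrong, as an added C example (this is not netpbm's code; `pixel`, `mul_checked`, `colormap_setup` and the demo functions are stand-ins for the real types and helpers):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for netpbm's pixel type (example only). */
typedef struct { unsigned char r, g, b; } pixel;

/* a * b with overflow detection: returns 1 and stores the product in *out,
 * or returns 0 (leaving *out untouched) if the product does not fit size_t. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Allocate a colour lookup table of dith_nr * dith_ng * dith_nb pixels and
 * hand it back through the out-parameter. Returns 1 on success, 0 if the size
 * computation overflows or malloc fails; *colormapP is NULL in both failure
 * cases. Every multiplication is checked before malloc sees the result, which
 * the unchecked MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb) did not do. */
static int colormap_setup(unsigned dith_nr, unsigned dith_ng, unsigned dith_nb,
                          pixel ** const colormapP) {
    size_t n;

    *colormapP = NULL;  /* write through the pointer, never to colormapP itself */
    if (!mul_checked(dith_nr, dith_ng, &n) ||
        !mul_checked(n, dith_nb, &n) ||
        !mul_checked(n, sizeof(pixel), &n))
        return 0;       /* size would wrap: refuse instead of under-allocating */
    *colormapP = malloc(n);
    return *colormapP != NULL;
}

/* Realistic dimensions (a 5x9x5 table) must allocate and reach the caller. */
int demo_small_table_allocates(void) {
    pixel *cm = NULL;
    int ok = colormap_setup(5, 9, 5, &cm);
    int result = ok && cm != NULL;
    free(cm);
    return result;
}

/* Dimensions whose product wraps size_t must be rejected before malloc is
 * called, and the caller's pointer must be left NULL rather than stale. */
int demo_overflowing_table_rejected(void) {
    pixel sentinel;
    pixel *cm = &sentinel;  /* deliberately non-NULL before the call */
    int ok = colormap_setup(0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, &cm);
    return !ok && cm == NULL;
}

int main(void) {
    printf("small table: %s\n", demo_small_table_allocates() ? "ok" : "FAIL");
    printf("overflowing table: %s\n",
           demo_overflowing_table_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

The second demo is the case that matters for this bug: with the patch as posted, the caller's pointer would never be written at all, so neither the NULL check nor the caller could tell whether the table exists.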

Comment 1 Jindrich Novy 2005-05-16 06:56:26 UTC
Yes, this needs to be fixed. Thanks.