Bug 157757 - Bug in netpbm-10.23-security.patch
Product: Fedora
Classification: Fedora
Component: netpbm
All Linux
medium Severity medium
Assigned To: Jindrich Novy
Ben Levenson
Reported: 2005-05-14 11:47 EDT by Alexey Tourbin
Modified: 2013-07-02 19:07 EDT
Fixed In Version: 10.27-3
Doc Type: Bug Fix
Last Closed: 2005-05-16 06:14:59 EDT

Description Alexey Tourbin 2005-05-14 11:47:28 EDT
As of netpbm-10.27-2, netpbm-10.23-security.patch supposedly has a bug
in the following chunk:

--- netpbm-10.27/editor/ppmdither.c.security	2005-03-29 14:31:42.975577464 +0200
+++ netpbm-10.27/editor/ppmdither.c	2005-03-29 14:31:43.093559528 +0200
@@ -165,7 +168,8 @@ dith_setup(const unsigned int dith_power
     if (dith_nb < 2) 
         pm_error("too few shades for blue, minimum of 2");
-    MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb);
+    overflow2(dith_nr, dith_ng);
+    colormapP = malloc3(dith_nr * dith_ng, dith_nb,  sizeof(pixel));
     if (*colormapP == NULL) 
         pm_error("Unable to allocate space for the color lookup table "
                  "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb);
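
Review bot: the added line `colormapP = malloc3(dith_nr * dith_ng, dith_nb,  sizeof(pixel));` assigns to the parameter itself instead of through it, so the unchanged `if (*colormapP == NULL)` check that follows dereferences the new allocation (or a null pointer, if `malloc3` returned NULL) rather than testing the result, and the caller's pointer is never set. Store the result with `*colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel));` so that both the existing check and the caller see it.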

Here *colormapP should be assigned, not colormapP.  Note that colormapP is used
to return the allocated buffer from dith_setup() in netpbm-10.27/editor/ppmdither.c:

static void
dith_setup(const unsigned int dith_power,
           const unsigned int dith_nr,
           const unsigned int dith_ng,
           const unsigned int dith_nb,
           const pixval output_maxval,
           pixel ** const colormapP) {

Actually with the above change this code will not even compile with any recent
gcc release.  However, netpbm-10.23-gcc34.patch has the following chunk:

--- netpbm-10.23/editor/ppmdither.c.gcc34       2003-07-06 21:54:02.000000000 +0200
+++ netpbm-10.23/editor/ppmdither.c     2004-08-04 13:36:37.674439040 +0200
@@ -148,7 +148,7 @@
            const unsigned int dith_ng,
            const unsigned int dith_nb,
            const pixval output_maxval,
-           pixel ** const colormapP) {
+           pixel ** colormapP) {
    Set up the dithering parameters, color map (lookup table) and
    dithering matrix.
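
Review bot: removing `const` from `pixel ** const colormapP` silences the compiler instead of addressing what it flags; with the qualifier in place, any assignment to `colormapP` itself is rejected, which is the check that catches a missing `*` on an out-parameter. Keep the `const` and change any statement that assigns to `colormapP` so that it writes `*colormapP`.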

So it simply downgrades the prototype of dith_setup() in order to calm down gcc,
but gcc has found a real bug here.
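
The out-parameter mistake described above, reduced to a stand-alone C program (an added example, not part of the original report and not netpbm code). `pixel_t`, `alloc3_checked`, `setup_buggy` and `setup_fixed` are hypothetical stand-ins for `pixel`, `malloc3` and `dith_setup`, and the overflow checks reflect the assumed behaviour of `overflow2`/`malloc3`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct { unsigned char r, g, b; } pixel_t; /* stand-in for netpbm's pixel */

/* Hypothetical analogue of malloc3(): a*b*c bytes, NULL if the product overflows. */
static void *alloc3_checked(size_t a, size_t b, size_t c) {
    if (a != 0 && b > SIZE_MAX / a) return NULL;
    if (a * b != 0 && c > SIZE_MAX / (a * b)) return NULL;
    return malloc(a * b * c);
}

/* Patched shape: compiles only without const. The assignment rebinds the local
   copy; the buffer is returned solely so this demo can free it. */
static void *setup_buggy(size_t nr, size_t ng, size_t nb, pixel_t **mapP) {
    mapP = alloc3_checked(nr * ng, nb, sizeof(pixel_t));
    return mapP;
}

/* Corrected shape: const stays (so "mapP = ..." cannot compile) and the result
   is stored through the pointer. */
static int setup_fixed(size_t nr, size_t ng, size_t nb, pixel_t ** const mapP) {
    *mapP = NULL;
    if (nr != 0 && ng > SIZE_MAX / nr) return -1; /* assumed role of overflow2() */
    *mapP = alloc3_checked(nr * ng, nb, sizeof(pixel_t));
    return *mapP ? 0 : -1;
}

int buggy_fills_caller(void) { /* 1 if the caller's pointer was set */
    pixel_t *map = NULL;
    free(setup_buggy(4, 4, 4, &map)); /* release the orphaned buffer */
    return map != NULL;
}
int fixed_fills_caller(void) {
    pixel_t *map = NULL;
    int seen = (setup_fixed(4, 4, 4, &map) == 0 && map != NULL);
    free(map);
    return seen;
}
int fixed_rejects_overflow(void) {
    pixel_t *map = NULL;
    return setup_fixed(SIZE_MAX, 2, 2, &map) == -1 && map == NULL;
}

int main(void) {
    printf("buggy: %d, fixed: %d, overflow rejected: %d\n",
           buggy_fills_caller(), fixed_fills_caller(), fixed_rejects_overflow());
    return 0;
}
```
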
Comment 1 Jindrich Novy 2005-05-16 02:56:26 EDT
Yes, this needs to be fixed. Thanks.
