diff options
author | Hiroki Sato <hrs@FreeBSD.org> | 2009-04-20 08:08:50 +0000 |
---|---|---|
committer | Hiroki Sato <hrs@FreeBSD.org> | 2009-04-20 08:08:50 +0000 |
commit | 6fefb478d66b561cb60fedeea1ad0ada99326400 (patch) | |
tree | ad5895c16d60dcc79f7ac616067a13a38577ac8f /print/ghostscript8/files | |
parent | 64d1edd4b49d867fa5f2b7efb8e453065fe7209e (diff) |
Fix multiple integer overflows and lack of boundary check found
and marked as CVE-2009-583 and CVE-2009-584:
CVE-2009-583:
Multiple integer overflows in icc.c in the International Color
Consortium (ICC) Format library (aka icclib), as used in
Ghostscript 8.64 and earlier and Argyll Color Management
System (CMS) 1.0.3 and earlier, allow context-dependent
attackers to cause a denial of service (heap-based buffer
overflow and application crash) or possibly execute arbitrary
code by using a device file for a translation request that
operates on a crafted image file and targets a certain "native
color space," related to an ICC profile in a (1) PostScript
or (2) PDF file with embedded images.
CVE-2009-584:
icc.c in the International Color Consortium (ICC) Format
library (aka icclib), as used in Ghostscript 8.64 and earlier
and Argyll Color Management System (CMS) 1.0.3 and earlier,
allows context-dependent attackers to cause a denial of
service (application crash) or possibly execute arbitrary code
by using a device file for processing a crafted image file
associated with large integer values for certain sizes, related
to an ICC profile in a (1) PostScript or (2) PDF file with
embedded images.
Security: CVE-2009-583
Security: CVE-2009-584
Approved by: portmgr (pav)
Notes
Notes:
svn path=/head/; revision=232378
Diffstat (limited to 'print/ghostscript8/files')
-rw-r--r-- | print/ghostscript8/files/patch-CVE-2009-0583,0584 | 989 |
1 files changed, 989 insertions, 0 deletions
diff --git a/print/ghostscript8/files/patch-CVE-2009-0583,0584 b/print/ghostscript8/files/patch-CVE-2009-0583,0584 new file mode 100644 index 000000000000..71505e257c72 --- /dev/null +++ b/print/ghostscript8/files/patch-CVE-2009-0583,0584 @@ -0,0 +1,989 @@ +--- icclib/icc.c.CVE-2009-0583,0584 2008-05-09 05:12:01.000000000 +0100 ++++ icclib/icc.c 2009-03-06 15:24:33.000000000 +0000 +@@ -152,6 +152,8 @@ + * Various bug fixes and enhancements. + */ + ++#include <limits.h> ++#include <stdint.h> + #include <stdio.h> + #include <stdlib.h> + #include <stdarg.h> +@@ -313,8 +315,11 @@ size_t count + icmFileMem *p = (icmFileMem *)pp; + size_t len; + ++ if (count > 0 && size > SIZE_MAX / count) ++ return 0; ++ + len = size * count; +- if ((p->cur + len) >= p->end) { /* Too much */ ++ if (len > (p->end - p->cur)) { /* Too much */ + if (size > 0) + count = (p->end - p->cur)/size; + else +@@ -1634,6 +1639,8 @@ static int icmUInt8Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt8Array_write malloc() failed"); + return icp->errc = 2; +@@ -1698,7 +1705,7 @@ static int icmUInt8Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { ++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { + sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed"); + return icp->errc = 2; + } +@@ -1749,6 +1756,10 @@ static unsigned int icmUInt16Array_get_s + icmUInt16Array *p = (icmUInt16Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 2) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 2; /* 2 bytes for each UInt16 */ + return len; + } +@@ -1821,6 +1832,8 @@ static int icmUInt16Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt16Array_write malloc() failed"); + return icp->errc = 2; +@@ -1885,7 +1898,7 @@ static int icmUInt16Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { ++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { + sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed"); + return icp->errc = 2; + } +@@ -1936,6 +1949,10 @@ static unsigned int icmUInt32Array_get_s + icmUInt32Array *p = (icmUInt32Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 4) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 4; /* 4 bytes for each UInt32 */ + return len; + } +@@ -2008,6 +2025,8 @@ static int icmUInt32Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt32Array_write malloc() failed"); + return icp->errc = 2; +@@ -2072,7 +2091,7 @@ static int icmUInt32Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) { ++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) { + sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed"); + return icp->errc = 2; + } +@@ -2123,6 +2142,10 @@ static unsigned int icmUInt64Array_get_s + icmUInt64Array *p = (icmUInt64Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 8) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 8; /* 8 bytes for each UInt64 */ + return len; + } +@@ -2195,6 +2218,8 @@ static int icmUInt64Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUInt64Array_write malloc() failed"); + return icp->errc = 2; +@@ -2259,7 +2284,7 @@ static int icmUInt64Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) { ++ if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) { + sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed"); + return icp->errc = 2; + } +@@ -2310,6 +2335,10 @@ static unsigned int icmU16Fixed16Array_g + icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 4) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->size * 4; /* 4 byte for each U16Fixed16 */ + return len; + } +@@ -2382,6 +2411,8 @@ static int icmU16Fixed16Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed"); + return icp->errc = 2; +@@ -2446,7 +2477,7 @@ static int icmU16Fixed16Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { ++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { + sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed"); + return icp->errc = 2; + } +@@ -2497,6 +2528,10 @@ static unsigned int icmS15Fixed16Array_g + icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 4) { ++ p->icp->errc = 1; ++ return (unsigned int) - 1; ++ } + len += p->size * 4; /* 4 byte for each S15Fixed16 */ + return len; + } +@@ -2569,6 +2604,8 @@ static int icmS15Fixed16Array_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed"); + return icp->errc = 2; +@@ -2633,7 +2670,7 @@ static int icmS15Fixed16Array_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { ++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { + sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed"); + return icp->errc = 2; + } +@@ -2726,6 +2763,10 @@ static unsigned int icmXYZArray_get_size + icmXYZArray *p = (icmXYZArray *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->size > (UINT_MAX - len) / 12) { ++ p->icp->errc = 1; ++ return (unsigned int) - 1; ++ } + len += p->size * 12; /* 12 bytes for each XYZ */ + return len; + } +@@ -2798,6 +2839,8 @@ static int icmXYZArray_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmXYZArray_write malloc() failed"); + return icp->errc = 2; +@@ -2865,7 +2908,7 @@ static int icmXYZArray_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) { ++ if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) { + sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed"); + return icp->errc = 2; + } +@@ -3001,7 +3044,7 @@ static int icmTable_setup_bwd( + int nf; /* Next free slot */ + if (rt->rlists[j] == NULL) { /* No allocation */ + as = 5; /* Start with space for 5 */ +- if ((rt->rlists[j] = (int *) icp->al->malloc(icp->al, sizeof(int) * as)) == NULL) { ++ if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) { + return 2; + } + rt->rlists[j][0] = as; +@@ -3141,6 +3184,10 @@ static unsigned int icmCurve_get_size( + icmCurve *p = (icmCurve *)pp; + unsigned int len = 0; + len += 12; /* 12 bytes for tag, padding and count */ ++ if (p->size > (UINT_MAX - len) / 2) { ++ p->icp->errc = 1; ++ return (unsigned int) - 1; ++ } + len += p->size * 2; /* 2 bytes for each UInt16 */ + return len; + } +@@ -3238,6 +3285,8 @@ static int icmCurve_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmCurve_write malloc() failed"); + return icp->errc = 2; +@@ -3347,7 +3396,7 @@ static int icmCurve_allocate( + if (p->size != p->_size) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) { ++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) { + sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed"); + return icp->errc = 2; + } +@@ -3493,6 +3542,8 @@ static int icmData_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmData_write malloc() failed"); + return icp->errc = 2; +@@ -3745,6 +3796,8 @@ static int icmText_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmText_write malloc() failed"); + return icp->errc = 2; +@@ -4038,6 +4091,8 @@ static int icmDateTimeNumber_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmDateTimeNumber_write malloc() failed"); + return icp->errc = 2; +@@ -4128,11 +4183,15 @@ static icmBase *new_icmDateTimeNumber( + /* icmLut object */ + + /* Utility function - raise one integer to an integer power */ +-static unsigned int uipow(unsigned int a, unsigned int b) { ++static int uipow(unsigned int a, unsigned int b, unsigned int *ret) { + unsigned int rv = 1; +- for (; b > 0; b--) ++ for (; b > 0; b--) { ++ if (a > 0 && rv > UINT_MAX / a) ++ return 1; + rv *= a; +- return rv; ++ } ++ *ret = rv; ++ return 0; + } + + /* - - - - - - - - - - - - - - - - */ +@@ -4268,7 +4327,7 @@ double *in /* Input array[outputChan] * + if (p->inputChan <= 8) { + gw = GW; /* Use stack allocation */ + } else { +- if ((gw = (double *) icp->al->malloc(icp->al, (1 << p->inputChan) * sizeof(double))) == NULL) { ++ if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) { + sprintf(icp->err,"icmLut_lookup_clut: malloc() failed"); + return icp->errc = 2; + } +@@ -4819,19 +4878,50 @@ static unsigned int icmLut_get_size( + ) { + icmLut *p = (icmLut *)pp; + unsigned int len = 0; ++ unsigned int pw; + + if (p->ttype == icSigLut8Type) { + len += 48; /* tag and header */ ++ if (p->inputChan > 0 && ++ p->inputEnt > (UINT_MAX - len) / p->inputChan / 1) ++ goto overflow; ++ + len += 1 * (p->inputChan * p->inputEnt); +- len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan, &pw) || ++ (p->outputChan > 0 && ++ pw > (UINT_MAX - len) / p->outputChan / 1)) ++ goto overflow; ++ ++ len += 1 * (p->outputChan * pw); ++ if (p->outputChan > 0 && ++ p->outputEnt > (UINT_MAX - len) / p->outputChan / 1) ++ goto overflow; ++ + len += 1 * (p->outputChan * p->outputEnt); + } else { + len += 52; /* tag and header */ ++ if (p->inputChan > 0 && ++ p->inputEnt > (UINT_MAX - len) / p->inputChan / 2) ++ goto overflow; ++ + len += 2 * (p->inputChan * p->inputEnt); +- len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan, &pw) || ++ (p->outputChan > 0 && ++ pw > (UINT_MAX - len) / p->outputChan / 2)) ++ goto overflow; ++ ++ len += 2 * (p->outputChan * pw); ++ if (p->outputChan > 0 && ++ p->outputEnt > (UINT_MAX - len) / p->outputChan / 2) ++ goto overflow; ++ + len += 2 * (p->outputChan * p->outputEnt); + } + return len; ++ ++ overflow: ++ p->icp->errc = 1; ++ return (unsigned int) -1; + } + + /* read the object, return 0 on success, error code on fail */ +@@ -4844,6 +4934,7 @@ static int icmLut_read( + icc *icp = p->icp; + int rv = 0; + unsigned long i, j, g, size; ++ unsigned int pw; + char *bp, *buf; + + if (len < 4) { +@@ -4904,6 +4995,11 @@ static int icmLut_read( + return icp->errc = 1; + } + ++ if (p->clutPoints > 100) { ++ sprintf(icp->err,"icmLut_read: too many clutPoints"); ++ return icp->errc = 1; ++ } ++ + /* Read 3x3 transform matrix */ + for (j = 0; j < 3; j++) { /* Rows */ + for (i = 0; i < 3; i++) { /* Columns */ +@@ -4921,13 +5017,18 @@ static int icmLut_read( + bp = buf+52; + } + +- if (len < icmLut_get_size((icmBase *)p)) { ++ if (len < icmLut_get_size((icmBase *)p) || icp->errc) { + sprintf(icp->err,"icmLut_read: Tag too small for contents"); + icp->al->free(icp->al, buf); + return icp->errc = 1; + } + + /* Read the input tables */ ++ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { ++ sprintf(icp->err,"icmLut_read: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->inputChan * p->inputEnt); + if ((rv = p->allocate((icmBase *)p)) != 0) { + icp->al->free(icp->al, buf); +@@ -4942,7 +5043,14 @@ static int icmLut_read( + } + + /* Read the clut table */ +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ sprintf(icp->err,"icmLut_read: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } ++ size = (p->outputChan * pw); + if ((rv = p->allocate((icmBase *)p)) != 0) { + icp->al->free(icp->al, buf); + return rv; +@@ -4956,6 +5064,11 @@ static int icmLut_read( + } + + /* Read the output tables */ ++ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { ++ sprintf(icp->err,"icmLut_read: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->outputChan * p->outputEnt); + if ((rv = p->allocate((icmBase *)p)) != 0) { + icp->al->free(icp->al, buf); +@@ -4995,12 +5108,14 @@ static int icmLut_write( + icmLut *p = (icmLut *)pp; + icc *icp = p->icp; + unsigned long i,j; +- unsigned int len, size; ++ unsigned int len, size, pw; + char *bp, *buf; /* Buffer to write from */ + int rv = 0; + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmLut_write malloc() failed"); + return icp->errc = 2; +@@ -5066,6 +5181,11 @@ static int icmLut_write( + } + + /* Write the input tables */ ++ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { ++ sprintf(icp->err,"icmLut_write: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->inputChan * p->inputEnt); + if (p->ttype == icSigLut8Type) { + for (i = 0; i < size; i++, bp += 1) { +@@ -5086,7 +5206,14 @@ static int icmLut_write( + } + + /* Write the clut table */ +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ sprintf(icp->err,"icmLut_write: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } ++ size = (p->outputChan * pw); + if (p->ttype == icSigLut8Type) { + for (i = 0; i < size; i++, bp += 1) { + if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) { +@@ -5106,6 +5233,11 @@ static int icmLut_write( + } + + /* Write the output tables */ ++ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { ++ sprintf(icp->err,"icmLut_write: overflow"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } + size = (p->outputChan * p->outputEnt); + if (p->ttype == icSigLut8Type) { + for (i = 0; i < size; i++, bp += 1) { +@@ -5177,7 +5309,14 @@ static void icmLut_dump( + if (p->inputChan > MAX_CHAN) { + fprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN); + } else { +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ unsigned int pw; ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ fprintf(op,"Would overflow.\n"); ++ return; ++ } ++ size = (p->outputChan * pw); + for (j = 0; j < p->inputChan; j++) + ii[j] = 0; + for (i = 0; i < size;) { +@@ -5216,7 +5355,7 @@ static void icmLut_dump( + static int icmLut_allocate( + icmBase *pp + ) { +- unsigned int i, j, g, size; ++ unsigned int i, j, g, size, pw; + icmLut *p = (icmLut *)pp; + icc *icp = p->icp; + +@@ -5231,6 +5370,10 @@ static int icmLut_allocate( + return icp->errc = 1; + } + ++ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) { ++ sprintf(icp->err,"icmLut_alloc: too many entries"); ++ return icp->errc = 1; ++ } + size = (p->inputChan * p->inputEnt); + if (size != p->inputTable_size) { + if (p->inputTable != NULL) +@@ -5241,7 +5384,13 @@ static int icmLut_allocate( + } + p->inputTable_size = size; + } +- size = (p->outputChan * uipow(p->clutPoints,p->inputChan)); ++ if (uipow(p->clutPoints,p->inputChan,&pw) || ++ (p->outputChan > 0 && ++ pw > UINT_MAX / p->outputChan)) { ++ sprintf(icp->err,"icmLut_alloc: overflow"); ++ return icp->errc = 1; ++ } ++ size = (p->outputChan * pw); + if (size != p->clutTable_size) { + if (p->clutTable != NULL) + icp->al->free(icp->al, p->clutTable); +@@ -5251,6 +5400,10 @@ static int icmLut_allocate( + } + p->clutTable_size = size; + } ++ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) { ++ sprintf(icp->err,"icmLut_alloc: overflow"); ++ return icp->errc = 1; ++ } + size = (p->outputChan * p->outputEnt); + if (size != p->outputTable_size) { + if (p->outputTable != NULL) +@@ -5441,6 +5594,8 @@ static int icmMeasurement_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmMeasurement_write malloc() failed"); + return icp->errc = 2; +@@ -5712,13 +5867,20 @@ static unsigned int icmNamedColor_get_si + len += p->nDeviceCoords * 1; /* bytes for each named color */ + } + } else { /* Named Color 2 */ ++ unsigned int col; + len += 8; /* 8 bytes for tag and padding */ + len += 4; /* 4 for vendor specific flags */ + len += 4; /* 4 for count of named colors */ + len += 4; /* 4 for number of device coords */ + len += 32; /* 32 for prefix of color names */ + len += 32; /* 32 for suffix of color names */ +- len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */ ++ col = 32 + 6 + p->nDeviceCoords * 2; ++ if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 || ++ (p->count > 0 && col > (UINT_MAX - len) / p->count)) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } ++ len += p->count * col; /* bytes for each named color */ + } + return len; + } +@@ -5882,6 +6044,8 @@ static int icmNamedColor_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmNamedColor_write malloc() failed"); + return icp->errc = 2; +@@ -6109,9 +6273,22 @@ static unsigned int icmTextDescription_g + ) { + icmTextDescription *p = (icmTextDescription *)pp; + unsigned int len = 0; ++ if (p->size > UINT_MAX - (8 + 4 + 8)) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += 8; /* 8 bytes for tag and padding */ + len += 4 + p->size; /* Ascii string length + ascii string */ +- len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */ ++ len += 8; /* Unicode language code + length */ ++ if (p->ucSize > (UINT_MAX - len) / 2) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } ++ len += 2 * p->ucSize; /* Unicode string */ ++ if (len > (UINT_MAX - (3 + 67))) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += 3 + 67; /* ScriptCode code, length string */ + return len; + } +@@ -6294,6 +6471,8 @@ static int icmTextDescription_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmTextDescription_write malloc() failed"); + return icp->errc = 2; +@@ -6544,7 +6723,7 @@ static int icmTextDescription_allocate( + if (p->ucSize != p->uc_size) { + if (p->ucDesc != NULL) + icp->al->free(icp->al, p->ucDesc); +- if ((p->ucDesc = (ORD16 *) icp->al->malloc(icp->al, p->ucSize * sizeof(ORD16))) == NULL) { ++ if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) { + sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed"); + return icp->errc = 2; + } +@@ -6820,6 +6999,12 @@ static int icmProfileSequenceDesc_read( + bp += 8; /* Skip padding */ + + p->count = read_UInt32Number(bp); /* Number of sequence descriptions */ ++ if (p->count > 1000) { ++ sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions"); ++ icp->al->free(icp->al, buf); ++ return icp->errc = 1; ++ } ++ + bp += 4; + + /* Read all the sequence descriptions */ +@@ -6852,6 +7037,8 @@ static int icmProfileSequenceDesc_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed"); + return icp->errc = 2; +@@ -6922,7 +7109,7 @@ static int icmProfileSequenceDesc_alloca + if (p->count != p->_count) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmDescStruct *) icp->al->malloc(icp->al, p->count * sizeof(icmDescStruct))) == NULL) { ++ if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) { + sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed"); + return icp->errc = 2; + } +@@ -7041,6 +7228,8 @@ static int icmSignature_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmSignature_write malloc() failed"); + return icp->errc = 2; +@@ -7156,6 +7345,10 @@ static unsigned int icmScreening_get_siz + icmScreening *p = (icmScreening *)pp; + unsigned int len = 0; + len += 16; /* 16 bytes for tag, padding, flag & channeles */ ++ if (p->channels > (UINT_MAX - len) / 12) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += p->channels * 12; /* 12 bytes for each channel */ + return len; + } +@@ -7235,6 +7428,8 @@ static int icmScreening_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmScreening_write malloc() failed"); + return icp->errc = 2; +@@ -7315,7 +7510,7 @@ static int icmScreening_allocate( + if (p->channels != p->_channels) { + if (p->data != NULL) + icp->al->free(icp->al, p->data); +- if ((p->data = (icmScreeningData *) icp->al->malloc(icp->al, p->channels * sizeof(icmScreeningData))) == NULL) { ++ if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) { + sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed"); + return icp->errc = 2; + } +@@ -7366,10 +7561,20 @@ static unsigned int icmUcrBg_get_size( + icmUcrBg *p = (icmUcrBg *)pp; + unsigned int len = 0; + len += 8; /* 8 bytes for tag and padding */ ++ if (p->UCRcount > (UINT_MAX - len - 4) / 2) ++ goto overflow; ++ + len += 4 + p->UCRcount * 2; /* Undercolor Removal */ ++ if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2) ++ goto overflow; ++ + len += 4 + p->BGcount * 2; /* Black Generation */ + len += p->size; /* Description string */ + return len; ++ ++ overflow: ++ p->icp->errc = 1; ++ return (unsigned int) -1; + } + + /* read the object, return 0 on success, error code on fail */ +@@ -7498,6 +7703,8 @@ static int icmUcrBg_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmUcrBg_write malloc() failed"); + return icp->errc = 2; +@@ -7663,7 +7870,7 @@ static int icmUcrBg_allocate( + if (p->UCRcount != p->UCR_count) { + if (p->UCRcurve != NULL) + icp->al->free(icp->al, p->UCRcurve); +- if ((p->UCRcurve = (double *) icp->al->malloc(icp->al, p->UCRcount * sizeof(double))) == NULL) { ++ if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) { + sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed"); + return icp->errc = 2; + } +@@ -7672,7 +7879,7 @@ static int icmUcrBg_allocate( + if (p->BGcount != p->BG_count) { + if (p->BGcurve != NULL) + icp->al->free(icp->al, p->BGcurve); +- if ((p->BGcurve = (double *) icp->al->malloc(icp->al, p->BGcount * sizeof(double))) == NULL) { ++ if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) { + sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed"); + return icp->errc = 2; + } +@@ -7743,6 +7950,15 @@ static unsigned int icmVideoCardGamma_ge + len += 2; /* 2 bytes for channels */ + len += 2; /* 2 for entry count */ + len += 2; /* 2 for entry size */ ++ if (p->u.table.entryCount > 0 && ++ p->u.table.entrySize > 0 && ++ p->u.table.channels > ++ (UINT_MAX - len) / ++ p->u.table.entryCount / ++ p->u.table.entrySize) { ++ p->icp->errc = 1; ++ return (unsigned int) -1; ++ } + len += ( p->u.table.channels * /* compute table size */ + p->u.table.entryCount * + p->u.table.entrySize ); +@@ -7762,10 +7978,11 @@ static int icmVideoCardGamma_read( + ) { + icmVideoCardGamma *p = (icmVideoCardGamma *)pp; + icc *icp = p->icp; +- int rv, c; ++ int rv; + char *bp, *buf; + unsigned char *pchar; + unsigned short *pshort; ++ unsigned long c; + + if (len < 18) { + sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); +@@ -7803,6 +8020,16 @@ static int icmVideoCardGamma_read( + p->u.table.channels = read_UInt16Number(bp+12); + p->u.table.entryCount = read_UInt16Number(bp+14); + p->u.table.entrySize = read_UInt16Number(bp+16); ++ if (p->u.table.entrySize > 65530 || p->u.table.entrySize == 0) { ++ sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)"); ++ return icp->errc = 1; ++ } ++ if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 && ++ p->u.table.channels > ++ UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) { ++ sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag"); ++ return icp->errc = 1; ++ } + if (len-18 < p->u.table.channels*p->u.table.entryCount*p->u.table.entrySize) { + sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal"); + return icp->errc = 1; +@@ -7871,6 +8098,8 @@ static int icmVideoCardGamma_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmViewingConditions_write malloc() failed"); + return icp->errc = 2; +@@ -8049,7 +8278,7 @@ static int icmVideoCardGamma_allocate( + ) { + icmVideoCardGamma *p = (icmVideoCardGamma *)pp; + icc *icp = p->icp; +- int size; ++ unsigned int size; + + /* note: allocation is only relevant for table type + * and in that case the channels, entryCount, and entrySize +@@ -8059,6 +8288,11 @@ static int icmVideoCardGamma_allocate( + if (p->tagType == icmVideoCardGammaTableType) { + if (p->u.table.data != NULL) + icp->al->free(icp->al, p->u.table.data); ++ if (p->u.table.entryCount > 0 && ++ p->u.table.channels > UINT_MAX / p->u.table.entryCount) { ++ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); ++ return icp->errc = 1; ++ } + size = (p->u.table.channels * + p->u.table.entryCount); + switch (p->u.table.entrySize) { +@@ -8066,6 +8300,10 @@ static int icmVideoCardGamma_allocate( + size *= sizeof(unsigned char); + break; + case 2: ++ if (size > UINT_MAX / sizeof(unsigned short)) { ++ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large"); ++ return icp->errc = 1; ++ } + size *= sizeof(unsigned short); + break; + default: +@@ -8201,6 +8439,8 @@ static int icmViewingConditions_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmViewingConditions_write malloc() failed"); + return icp->errc = 2; +@@ -8433,6 +8673,8 @@ static int icmCrdInfo_write( + + /* Allocate a file write buffer */ + len = p->get_size((icmBase *)p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) { + sprintf(icp->err,"icmCrdInfo_write malloc() failed"); + return icp->errc = 2; +@@ -8736,6 +8978,8 @@ static int icmHeader_write( + int rv = 0; + + len = p->get_size(p); ++ if (icp->errc) ++ return icp->errc; + if ((buf = (char *) icp->al->calloc(icp->al,1,len)) == NULL) { /* Zero it - some CMS are fussy */ + sprintf(icp->err,"icmHeader_write calloc() failed"); + return icp->errc = 2; +@@ -9245,13 +9489,23 @@ static int icc_read( + } + + p->count = read_UInt32Number(tcbuf); /* Tag count */ ++ if (p->count > 100) { ++ sprintf(p->err,"icc_read: too many table tags"); ++ return p->errc = 1; ++ } + if (p->count > 0) { + char *bp, *buf; +- if ((p->data = (icmTag *) p->al->malloc(p->al, p->count * sizeof(icmTag))) == NULL) { ++ if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) { + sprintf(p->err,"icc_read: Tag table malloc() failed"); + return p->errc = 2; + } + ++ if (p->count > (UINT_MAX - 4) / 12) { ++ sprintf(p->err,"icc_read: overflow"); ++ p->al->free(p->al, p->data); ++ p->data = NULL; ++ return p->errc = 1; ++ } + len = 4 + p->count * 12; + if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) { + sprintf(p->err,"icc_read: Tag table read buffer malloc() failed"); +@@ -9281,6 +9535,14 @@ static int icc_read( + return p->errc = 1; + } + p->data[i].size = read_UInt32Number(bp + 8); ++ if (p->data[i].offset + p->data[i].size > ++ p->header->size) { ++ sprintf(p->err,"icc_read: tag out of bounds"); ++ p->al->free(p->al, p->data); ++ p->data = NULL; ++ p->al->free(p->al, buf); ++ return p->errc = 1; ++ } + if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0 + || p->fp->read(p->fp, tcbuf, 1, 4) != 4) { + sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers"); +@@ -9321,8 +9583,14 @@ static unsigned int icc_get_size( + } + + size += p->header->get_size(p->header); ++ if (p->errc) ++ return (unsigned int) -1; + + size = DO_ALIGN(size); ++ if (size == 0 || p->count > (UINT_MAX - 4 - size) / 12) { ++ p->errc = 1; ++ return (unsigned int) -1; ++ } + size += 4 + p->count * 12; /* Tag table length */ + + /* Reset touched flag for each tag type */ +@@ -9337,8 +9605,13 @@ static unsigned int icc_get_size( + /* Get size for each tag type, skipping links */ + for (i = 0; i < p->count; i++) { + if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */ ++ unsigned int obj_size; + size = DO_ALIGN(size); +- size += p->data[i].objp->get_size(p->data[i].objp); ++ obj_size = p->data[i].objp->get_size(p->data[i].objp); ++ if (size == 0 || p->errc || ++ obj_size > UINT_MAX - size) ++ return (unsigned int) -1; ++ size += obj_size; + p->data[i].objp->touched = 1; /* Don't account for this again */ + } + } +@@ -9373,9 +9646,19 @@ static int icc_write( + } + + size += p->header->get_size(p->header); ++ if (p->errc) ++ return p->errc; + ++ if (p->count > (UINT_MAX - 4 - len) / 12) { ++ sprintf(p->err,"icc_write: too many tags"); ++ return p->errc = 1; ++ } + len = 4 + p->count * 12; /* Tag table length */ + size = DO_ALIGN(size); ++ if (size == 0 || size > UINT_MAX - len) { ++ sprintf(p->err,"icc_write: overflow writing tag table"); ++ return p->errc = 1; ++ } + size += len; + + /* Allocate memory buffer for tag table */ +@@ -9406,6 +9689,12 @@ static int icc_write( + size = DO_ALIGN(size); + p->data[i].offset = size; /* Profile relative target */ + p->data[i].size = p->data[i].objp->get_size(p->data[i].objp); ++ if (size == 0 || ++ p->errc || p->data[i].size > UINT_MAX - size) { ++ sprintf(p->err,"icc_write: internal error - overflow?"); ++ p->al->free(p->al, buf); ++ return p->errc; ++ } + size += p->data[i].size; + p->data[i].objp->touched = 1; /* Allocated space for it */ + } else { /* must be linked - copy allocation */ +@@ -9529,6 +9818,11 @@ static icmBase *icc_add_tag( + } + + /* Make space in tag table for new tag item */ ++ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { ++ sprintf(p->err,"icc_add_tag: overflow"); ++ p->errc = 1; ++ return NULL; ++ } + if (p->data == NULL) + tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); + else +@@ -9612,6 +9906,11 @@ static icmBase *icc_link_tag( + } + + /* Make space in tag table for new tag item */ ++ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) { ++ sprintf(p->err,"icc_link_tag: overflow"); ++ p->errc = 1; ++ return NULL; ++ } + if (p->data == NULL) + tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); + else + |