diff options
author | nectar <nectar@FreeBSD.org> | 2005-01-19 01:26:56 +0800 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2005-01-19 01:26:56 +0800 |
commit | cf4808af8786d57e66a773a6c1d87d97cc13040c (patch) | |
tree | 6ffaf6bf7e9ffc3290b4844dd1d492de846ce5c5 /graphics | |
parent | acb9e84c28c514fe2a0a872b9fd11654f8ee72ea (diff) | |
download | freebsd-ports-gnome-cf4808af8786d57e66a773a6c1d87d97cc13040c.tar.gz freebsd-ports-gnome-cf4808af8786d57e66a773a6c1d87d97cc13040c.tar.zst freebsd-ports-gnome-cf4808af8786d57e66a773a6c1d87d97cc13040c.zip |
Correct exploitable vulnerabilities documented in
http://vuxml.freebsd.org/249a8c42-6973-11d9-ae49-000c41e2cdad.html .
Diffstat (limited to 'graphics')
-rw-r--r-- | graphics/xzgv/Makefile | 2 | ||||
-rw-r--r-- | graphics/xzgv/files/patch-security-1 | 197 | ||||
-rw-r--r-- | graphics/zgv/files/patch-security-1 | 316 |
3 files changed, 514 insertions, 1 deletions
diff --git a/graphics/xzgv/Makefile b/graphics/xzgv/Makefile index f29525db3c01..525ca680a308 100644 --- a/graphics/xzgv/Makefile +++ b/graphics/xzgv/Makefile @@ -7,7 +7,7 @@ PORTNAME= xzgv PORTVERSION= 0.8 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= http://xzgv.browser.org/ \ ${MASTER_SITE_SUNSITE} diff --git a/graphics/xzgv/files/patch-security-1 b/graphics/xzgv/files/patch-security-1 new file mode 100644 index 000000000000..4beba6fadc89 --- /dev/null +++ b/graphics/xzgv/files/patch-security-1 @@ -0,0 +1,197 @@ +diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog +--- xzgv-0.8/ChangeLog Tue Sep 16 15:08:42 2003 ++++ ChangeLog Wed Dec 15 03:30:46 2004 +@@ -1,3 +1,13 @@ ++2004-11-03 Russell Marks <russell.marks@ntlworld.com> ++ ++ * Added width/height limits to all native picture readers. This is ++ a crude (albeit effective) fix for heap overflow bugs - there may ++ yet be more subtle problems, but I can't really fix them until I ++ know they're there. :-) Thanks to Luke Macken for letting me know ++ about the heap overflow problems (in zgv). I suppose I should also ++ thank "infamous41md" for publishing the original advisory/exploit ++ (again for zgv), even if he didn't bother emailing me or anything. ++ + 2003-09-16 Russell Marks <russell.marks@ntlworld.com> + + * Version 0.8. +diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile +--- xzgv-0.8/src/Makefile Tue Jan 1 05:37:45 2002 ++++ src/Makefile Wed Dec 15 03:30:46 2004 +@@ -84,18 +84,19 @@ + logo.o: logo.c logodata.h + logoconv.o: logoconv.c + main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \ +- readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \ +- confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \ ++ readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \ ++ updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \ + dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \ + icon-48.xpm main.h + misc.o: misc.c misc.h + rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \ + rcfile_short.h +-readgif.o: readgif.c readgif.h +-readjpeg.o: readjpeg.c rcfile.h readjpeg.h +-readmrf.o: readmrf.c readmrf.h ++readgif.o: readgif.c reader.h readgif.h ++readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h ++readmrf.o: readmrf.c reader.h readmrf.h + readpng.o: readpng.c readpng.h +-readtiff.o: readtiff.c readtiff.h ++readprf.o: readprf.c reader.h readprf.h ++readtiff.o: readtiff.c reader.h readtiff.h + rename.o: rename.c backend.h main.h rename.h + resizepic.o: resizepic.c resizepic.h + updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \ +diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h +--- xzgv-0.8/src/reader.h Thu Jan 1 01:00:00 1970 ++++ src/reader.h Wed Dec 15 03:30:46 2004 +@@ -0,0 +1,15 @@ ++/* xzgv 0.8 - picture viewer for X, with file selector. ++ * Copyright (C) 1999-2004 Russell Marks. See main.c for license details. ++ * ++ * reader.h ++ */ ++ ++/* range check on width and height as a crude way of avoiding overflows ++ * when calling malloc/calloc. 32767 is the obvious limit to use given that ++ * xzgv effectively imposes such a limit anyway. ++ * Adds an extra 2 to height for max-height check, partly to reflect what ++ * the check in zgv does but also to allow for readtiff.c allocating an ++ * extra line (so at least an extra 1 would have been needed in any case). ++ */ ++#define WH_MAX 32767 ++#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX) +diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c +--- xzgv-0.8/src/readgif.c Sun Mar 3 04:34:32 2002 ++++ src/readgif.c Wed Dec 15 03:30:46 2004 +@@ -8,6 +8,7 @@ + #include <string.h> + #include <unistd.h> + #include <stdlib.h> ++#include "reader.h" + #include "readgif.h" + + +@@ -103,7 +104,7 @@ + + if(local_colour_map) readcolmap(in); + +- if((image=malloc(width*height*3))==NULL) ++ if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL) + { + fclose(in); + return(0); +diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c +--- xzgv-0.8/src/readjpeg.c Tue Sep 16 12:52:04 2003 ++++ src/readjpeg.c Wed Dec 15 03:30:46 2004 +@@ -13,6 +13,7 @@ + #include <jpeglib.h> + + #include "rcfile.h" ++#include "reader.h" + + #include "readjpeg.h" + +@@ -265,7 +266,7 @@ + /* this one shouldn't hurt */ + cinfo.do_block_smoothing=FALSE; + +-if((*imagep=image=malloc(width*height*3))==NULL) ++if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL) + longjmp(jerr.setjmp_buffer,1); + + jpeg_start_decompress(&cinfo); +diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c +--- xzgv-0.8/src/readmrf.c Sat Oct 7 14:26:55 2000 ++++ src/readmrf.c Wed Dec 15 03:30:46 2004 +@@ -7,6 +7,7 @@ + #include <stdio.h> + #include <string.h> + #include <stdlib.h> ++#include "reader.h" + #include "readmrf.h" + + +@@ -91,7 +92,8 @@ + w64=(w+63)/64; + h64=(h+63)/64; + +-if((*bmap=malloc(w*h*3))==NULL || ++if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) || ++ (*bmap=malloc(w*h*3))==NULL || + (image=calloc(w64*h64*64*64,1))==NULL) + { + if(*bmap) free(*bmap),*bmap=NULL; +diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c +--- xzgv-0.8/src/readpng.c Thu Jul 10 16:13:43 2003 ++++ src/readpng.c Wed Dec 15 03:32:46 2004 +@@ -16,6 +16,7 @@ + #include <stdlib.h> + #include <png.h> + #include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */ ++#include "reader.h" + #include "readpng.h" + + +@@ -129,7 +130,8 @@ + } + + /* allocate image memory */ +-if((*theimageptr=theimage=malloc(width*height*3))==NULL) ++if(WH_BAD(width,height) || ++ (*theimageptr=theimage=malloc(width*height*3))==NULL) + { + png_read_end(png_ptr,info_ptr); + png_destroy_read_struct(&png_ptr,&info_ptr,NULL); +diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c +--- xzgv-0.8/src/readprf.c Mon Apr 9 19:08:19 2001 ++++ src/readprf.c Wed Dec 15 03:30:46 2004 +@@ -7,6 +7,7 @@ + #include <stdio.h> + #include <string.h> + #include <stdlib.h> ++#include "reader.h" + #include "readprf.h" + + #define squaresize 64 +@@ -164,7 +165,7 @@ + bytepp=1; + + n=width*squaresize; +-if((planebuf[0]=calloc(n,planes))==NULL) ++if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL) + { + fclose(in); + return(0); +@@ -173,6 +174,7 @@ + for(f=1;f<planes;f++) + planebuf[f]=planebuf[f-1]+n; + ++/* width/height already checked above */ + if((*theimageptr=malloc(width*height*3))==NULL) + { + free(planebuf[0]); +diff -urN xzgv-0.8/src/readtiff.c xzgv/src/readtiff.c +--- xzgv-0.8/src/readtiff.c Thu Dec 28 03:20:55 2000 ++++ src/readtiff.c Wed Dec 15 03:30:46 2004 +@@ -11,7 +11,7 @@ + #include <setjmp.h> + #include <sys/file.h> /* for open et al */ + #include <tiffio.h> +- ++#include "reader.h" + #include "readtiff.h" + + +@@ -36,7 +36,8 @@ + * spare for the flip afterwards. + */ + numpix=width*height; +-if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL) ++if(WH_BAD(width,height) || ++ (image=malloc(numpix*sizeof(uint32)+width*3))==NULL) + { + TIFFClose(in); + return(0); diff --git a/graphics/zgv/files/patch-security-1 b/graphics/zgv/files/patch-security-1 new file mode 100644 index 000000000000..d134f14d5085 --- /dev/null +++ b/graphics/zgv/files/patch-security-1 @@ -0,0 +1,316 @@ +diff -urN zgv-5.8/ChangeLog zgv/ChangeLog +--- zgv-5.8/ChangeLog Mon Mar 29 05:34:03 2004 ++++ ChangeLog Sun Oct 31 15:23:27 2004 +@@ -1,3 +1,27 @@ ++2004-10-31 Russell Marks <russell.marks@ntlworld.com> ++ ++ * Added width/height limits to all picture readers, 32767x32767 is ++ now the maximum image size supported (consistent with xzgv). This ++ is a crude (albeit effective) fix for heap overflow bugs - there ++ may yet be more subtle problems, but I can't really fix them until ++ I know they're there. :-) Thanks to Luke Macken for letting me ++ know about the heap overflow problems. I suppose I should also ++ thank "infamous41md" for publishing the original exploit (for the ++ XPM colours bug), even if he didn't bother emailing me or ++ anything. ++ ++ * src/readxpm.c (read_xpm_file): fix for exploitable malloc() arg ++ overflow. There are several more of these in zgv, but this is the ++ easiest to fix. ++ ++2004-07-08 Russell Marks <russell.marks@ntlworld.com> ++ ++ * src/readgif.c (read_gif_file): added more multiple-image (e.g. ++ animated) GIF brokenness checks than before. Previously it was ++ possible to get a segfault with the `right' file, despite there ++ already being various range checks. Thanks to Mikulas Patocka for ++ spotting this. ++ + 2004-03-29 Russell Marks <russell.marks@ntlworld.com> + + * Version 5.8. +diff -urN zgv-5.8/src/readbmp.c zgv/src/readbmp.c +--- zgv-5.8/src/readbmp.c Thu Oct 4 16:48:36 2001 ++++ src/readbmp.c Sun Oct 31 14:32:44 2004 +@@ -177,7 +177,8 @@ + bytepp=1; + if ((pp->bpp == 24) && (*output_type == 3)) + bytepp = 3; +- if ((work_bmap = *bmap = calloc (w * (h + 2) * bytepp,1)) == NULL) ++ if (WH_BAD(w,h) || ++ (work_bmap = *bmap = calloc (w * (h + 2) * bytepp,1)) == NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + bytes_in_image=w*h*bytepp; +diff -urN zgv-5.8/src/readgif.c zgv/src/readgif.c +--- zgv-5.8/src/readgif.c Sat Mar 15 02:39:42 2003 ++++ src/readgif.c Sun Oct 31 14:31:48 2004 +@@ -491,7 +491,7 @@ + readcolmap(in,im->cmap,lnumcols); + } + +- if((im->image=(byte *)malloc(width*height))==NULL) ++ if(WH_BAD(width,height) || (im->image=(byte *)malloc(width*height))==NULL) + { + fclose(in); + return(_PICERR_NOMEM); +@@ -599,7 +599,8 @@ + + /* allocate main image and palette */ + +-if((*theimageptr=(byte *)malloc(ginfo->width*ginfo->height))==NULL) ++if(WH_BAD(ginfo->width,ginfo->height) || ++ (*theimageptr=(byte *)malloc(ginfo->width*ginfo->height))==NULL) + { + images_cleanup(); + return(_PICERR_NOMEM); +@@ -668,7 +669,11 @@ + for(i=0;i<imagecount;i++) + { + int x,y,left,w; +- unsigned char *ptr1,*ptr2; ++ unsigned char *ptr1,*ptr2,*oldptr1; ++ ++ /* basic width/height vs. "screen" checks, left/top handled elsewhere */ ++ if(images[i]->width>swidth) images[i]->width=swidth; ++ if(images[i]->height>sheight) images[i]->height=sheight; + + /* for images after the first, we need to set the initial contents + * (as far as GIF is concerned, the `screen' contents) as directed +@@ -708,20 +713,28 @@ + */ + } + } +- +- ptr1=ptr+images[i]->left+images[i]->top*swidth; +- ptr2=images[i]->image; +- +- for(y=0;y<images[i]->height;y++) ++ ++ /* an image with left or top offscreen is broken, but relying ++ * unknowingly on the image not appearing at all. So skip it. ++ */ ++ if(images[i]->left<swidth && images[i]->top<sheight) + { +- for(x=0;x<images[i]->width;x++) +- if(!(images[i]->gcb_control&1) || /* if no transparent col defined */ +- images[i]->transparent_col!=*ptr2) +- *ptr1++=*ptr2++; +- else +- ptr1++,ptr2++; ++ ptr1=ptr+images[i]->left+images[i]->top*swidth; + +- ptr1+=swidth-images[i]->width; ++ for(y=0;y<images[i]->height && images[i]->top+y<sheight;y++) ++ { ++ oldptr1=ptr1; ++ ptr2=images[i]->image+y*images[i]->width; ++ ++ for(x=0;x<images[i]->width && images[i]->left+x<swidth;x++) ++ if(!(images[i]->gcb_control&1) || /* if no transparent col defined */ ++ images[i]->transparent_col!=*ptr2) ++ *ptr1++=*ptr2++; ++ else ++ ptr1++,ptr2++; ++ ++ ptr1=oldptr1+swidth; ++ } + } + + ptr+=swidth*sheight; +diff -urN zgv-5.8/src/readjpeg.c zgv/src/readjpeg.c +--- zgv-5.8/src/readjpeg.c Wed Sep 27 17:28:30 2000 ++++ src/readjpeg.c Sun Oct 31 14:54:26 2004 +@@ -190,10 +190,10 @@ + height=cinfo.output_height; + } + +-theimage=(byte *)malloc(pixelsize*width*height); +-if(theimage==NULL) ++if(WH_BAD(width,height) || ++ (theimage=(byte *)malloc(pixelsize*width*height))==NULL) + { +- jpegerr("Out of memory"); ++ jpegerr("Out of memory"); /* XXX misleading if width/height are bad */ + longjmp(jerr.setjmp_buffer,1); + } + +diff -urN zgv-5.8/src/readmrf.c zgv/src/readmrf.c +--- zgv-5.8/src/readmrf.c Wed Oct 21 07:28:23 1998 ++++ src/readmrf.c Sun Oct 31 14:56:33 2004 +@@ -103,7 +103,8 @@ + w64=(w+63)/64; + h64=(h+63)/64; + +-if((*bmap=malloc(w*h))==NULL || ++if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) || ++ (*bmap=malloc(w*h))==NULL || + (image=calloc(w64*h64*64*64,1))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + +diff -urN zgv-5.8/src/readpcd.c zgv/src/readpcd.c +--- zgv-5.8/src/readpcd.c Thu Sep 30 01:56:59 1999 ++++ src/readpcd.c Sun Oct 31 14:57:37 2004 +@@ -39,7 +39,7 @@ + + if((*output_type)!=1)*output_type=3; + +-if((*bmap=malloc(w*(h+3-*output_type)*(*output_type)))==NULL) ++if(WH_BAD(w,h) || (*bmap=malloc(w*(h+3-*output_type)*(*output_type)))==NULL) + return(_PICERR_NOMEM); + + if((*pal=malloc(768))==NULL) +diff -urN zgv-5.8/src/readpcx.c zgv/src/readpcx.c +--- zgv-5.8/src/readpcx.c Wed Mar 31 00:11:36 1999 ++++ src/readpcx.c Sun Oct 31 14:59:30 2004 +@@ -127,7 +127,7 @@ + bytemax=(1<<30); /* we use a 'y<h' test instead for these files */ + + /* the normal +2 lines in case we're dithering a 24-bit file */ +-if((*bmap=malloc(w*(h+2)*bytepp))==NULL) ++if(WH_BAD(w,h) || (*bmap=malloc(w*(h+2)*bytepp))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + /* need this if more than one bitplane */ +diff -urN zgv-5.8/src/readpng.c zgv/src/readpng.c +--- zgv-5.8/src/readpng.c Mon Jul 7 19:59:18 2003 ++++ src/readpng.c Sun Oct 31 15:00:23 2004 +@@ -223,8 +223,9 @@ + + + /* allocate image memory (with two extra lines for dithering) */ +-theimage=(byte *)malloc(pixelsize*width*(height+2)); +-if(theimage==NULL) return(_PICERR_NOMEM); ++if(WH_BAD(width,height) || ++ (theimage=(byte *)malloc(pixelsize*width*(height+2)))==NULL) ++ return(_PICERR_NOMEM); + + + ilheight=height*number_passes; +diff -urN zgv-5.8/src/readpnm.c zgv/src/readpnm.c +--- zgv-5.8/src/readpnm.c Thu Jun 1 15:45:53 2000 ++++ src/readpnm.c Sun Oct 31 15:02:58 2004 +@@ -144,7 +144,7 @@ + * 3 times as much for each line, which works out only meaning + * 3x as much for the last line. If you see what I mean. (!?) + */ +-if((*bmap=malloc(w*(h+2)*bytepp))==NULL) ++if(WH_BAD(w,h) || (*bmap=malloc(w*(h+2)*bytepp))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + +@@ -294,6 +294,8 @@ + + int ditherinit(int w) + { ++if(WH_BAD(w+10,sizeof(int))) return(0); ++ + ditherfinish(); /* make sure any previous mem is unallocated */ + if((evenerr=calloc(3*(w+10),sizeof(int)))==NULL || + (odderr =calloc(3*(w+10),sizeof(int)))==NULL || +@@ -418,7 +420,7 @@ + if((maxval=read_next_number(in))!=255) + return(_PICERR_CORRUPT); + +-if((*bmap=malloc(w*h))==NULL) ++if(WH_BAD(w,h) || (*bmap=malloc(w*h))==NULL) + return(_PICERR_NOMEM); + + count=fread(*bmap,1,w*h,in); +diff -urN zgv-5.8/src/readprf.c zgv/src/readprf.c +--- zgv-5.8/src/readprf.c Mon Jan 15 20:31:51 2001 ++++ src/readprf.c Sun Oct 31 15:05:24 2004 +@@ -184,7 +184,7 @@ + } + + n=width*squaresize; +-if((planebuf[0]=work_planebuf=calloc(n,planes))==NULL) ++if(WH_BAD(width,height) || (planebuf[0]=work_planebuf=calloc(n,planes))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + for(f=1;f<planes;f++) + planebuf[f]=planebuf[f-1]+n; +@@ -202,7 +202,9 @@ + } + + /* add the usual extra 2 lines in case of dithering */ +-if((*bmap=work_bmap=malloc(width*(height+2)*planes))==NULL) ++/* width/height check already done, but WTF :-) */ ++if(WH_BAD(width,height) || ++ (*bmap=work_bmap=malloc(width*(height+2)*planes))==NULL) + { + free(planebuf[0]); + CLOSE_AND_RET(_PICERR_NOMEM); +diff -urN zgv-5.8/src/readtga.c zgv/src/readtga.c +--- zgv-5.8/src/readtga.c Wed Oct 24 17:02:24 2001 ++++ src/readtga.c Sun Oct 31 15:05:54 2004 +@@ -179,7 +179,7 @@ + * 3 times as much for each line, which works out only meaning + * 3x as much for the last line. If you see what I mean. (!?) + */ +-if((*bmap=malloc(w*(h+2)*bytepp))==NULL) ++if(WH_BAD(w,h) || (*bmap=malloc(w*(h+2)*bytepp))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + +diff -urN zgv-5.8/src/readtiff.c zgv/src/readtiff.c +--- zgv-5.8/src/readtiff.c Thu Jan 18 23:45:59 2001 ++++ src/readtiff.c Sun Oct 31 15:06:15 2004 +@@ -86,7 +86,8 @@ + * certain the dithering has room. + */ + numpix=width*height; +-if((image=*bmap=work_bmap=malloc(numpix*sizeof(uint32)+width*3*2))==NULL) ++if(WH_BAD(width,height) || ++ (image=*bmap=work_bmap=malloc(numpix*sizeof(uint32)+width*3*2))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + /* XXX what about hffunc!? */ +diff -urN zgv-5.8/src/readxbm.c zgv/src/readxbm.c +--- zgv-5.8/src/readxbm.c Wed Oct 21 07:28:23 1998 ++++ src/readxbm.c Sun Oct 31 15:08:14 2004 +@@ -97,7 +97,7 @@ + + w8=(w+7)/8; + +-if((*bmap=image=malloc(w*h))==NULL) ++if(WH_BAD(w,h) || (*bmap=image=malloc(w*h))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + /* save stuff in case of abort */ +diff -urN zgv-5.8/src/readxpm.c zgv/src/readxpm.c +--- zgv-5.8/src/readxpm.c Sat Jan 22 11:32:28 2000 ++++ src/readxpm.c Sun Oct 31 15:08:48 2004 +@@ -180,7 +180,7 @@ + if(colchars!=NULL) free(colchars); + + /* alloc colchars array */ +-if((colchars=malloc(ncols*sizeof(struct colchars_tag)))==NULL) ++if(ncols>(1<<24) || (colchars=malloc(ncols*sizeof(struct colchars_tag)))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + +@@ -369,7 +369,7 @@ + */ + + /* extra lines are in case we're dithering. */ +-if((*bmap=malloc(w*(h+2)*bytepp))==NULL) ++if(WH_BAD(w,h) || (*bmap=malloc(w*(h+2)*bytepp))==NULL) + CLOSE_AND_RET(_PICERR_NOMEM); + + ptr=*bmap; +diff -urN zgv-5.8/src/zgv.h zgv/src/zgv.h +--- zgv-5.8/src/zgv.h Sat Feb 21 16:31:29 2004 ++++ src/zgv.h Sun Oct 31 14:58:34 2004 +@@ -66,3 +66,12 @@ + /* make 15/16-bit colours, used in a few different places */ + #define GET15BITCOLOUR(r,g,b) ((((r)&0xf8)<<7)|(((g)&0xf8)<<2)|((b)>>3)) + #define GET16BITCOLOUR(r,g,b) ((((r)&0xf8)<<8)|(((g)&0xfc)<<3)|((b)>>3)) ++ ++/* range check on width and height as a crude way of avoiding overflows ++ * when calling malloc/calloc. The maximum we can allow is around 37000, ++ * but 32767 at least makes it consistent with xzgv. :-) ++ * Adds an extra 2 to height for max-height check, as we usually allocate ++ * 2 more lines to allow for dithering. ++ */ ++#define WH_MAX 32767 ++#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX) |