#! /bin/sh -e ## 16_CAN-2005-0639.dpatch ## ## DP: Description: Fix integer overflows in new.c. ## DP: Author: Debian security team ## DP: Upstream status: Not submitted ## DP: Date: 2005-03-18 if [ $# -ne 1 ]; then echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" exit 1 fi case "$1" in -patch) patch -f --no-backup-if-mismatch -p1 < $0;; -unpatch) patch -f --no-backup-if-mismatch -R -p1 < $0;; *) echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" exit 1;; esac exit 0 @DPATCH@ diff -urNad --exclude=CVS --exclude=.svn ./new.c /tmp/dpep-work.Yefw4q/xloadimage-4.1/new.c --- ./new.c 1993-10-28 17:24:14.000000000 +0000 +++ /tmp/dpep-work.Yefw4q/xloadimage-4.1/new.c 2005-10-08 04:12:37.000000000 +0100 @@ -63,6 +63,18 @@ } +static unsigned int ovmul(unsigned int a, unsigned int b) +{ + unsigned int r; + + r = a * b; + if (r / a != b) { + memoryExhausted(); + } + + return r; +} + void goodImage(image, func) Image *image; char *func; @@ -128,7 +140,7 @@ image->height= height; image->depth= 1; linelen= (width / 8) + (width % 8 ? 1 : 0); /* thanx johnh@amcc.com */ - image->data= (unsigned char *)lcalloc(linelen * height); + image->data= (unsigned char *)lcalloc(ovmul(linelen, height)); return(image); } @@ -149,7 +161,7 @@ image->height= height; image->depth= depth; image->pixlen= pixlen; - image->data= (unsigned char *)lmalloc(width * height * pixlen); + image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), pixlen)); return(image); } @@ -165,6 +177,7 @@ image->height= height; image->depth= 24; image->pixlen= 3; + image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), 3)); image->data= (unsigned char *)lmalloc(width * height * 3); return(image); }