Bug 157757 - Bug in netpbm-10.23-security.patch
Summary: Bug in netpbm-10.23-security.patch
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: netpbm
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-14 15:47 UTC by Alexey Tourbin
Modified: 2013-07-02 23:07 UTC

Fixed In Version: 10.27-3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-16 10:14:59 UTC


Description Alexey Tourbin 2005-05-14 15:47:28 UTC
As of netpbm-10.27-2, netpbm-10.23-security.patch supposedly has a bug
in the following chunk:

--- netpbm-10.27/editor/ppmdither.c.security	2005-03-29 14:31:42.975577464 +0200
+++ netpbm-10.27/editor/ppmdither.c	2005-03-29 14:31:43.093559528 +0200
@@ -165,7 +168,8 @@ dith_setup(const unsigned int dith_power
     if (dith_nb < 2) 
         pm_error("too few shades for blue, minimum of 2");
 
-    MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb);
+    overflow2(dith_nr, dith_ng);
+    colormapP = malloc3(dith_nr * dith_ng, dith_nb,  sizeof(pixel));
     if (*colormapP == NULL) 
         pm_error("Unable to allocate space for the color lookup table "
                  "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb);

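Review bot: the added line `colormapP = malloc3(dith_nr * dith_ng, dith_nb,  sizeof(pixel));` assigns to the parameter itself rather than to `*colormapP`, so the check on the next line, `if (*colormapP == NULL)`, dereferences the new allocation (or a null pointer if the allocation failed) instead of testing it, and the caller's pointer is never set. Write the result through the out-parameter, `*colormapP = malloc3(...)`, so the existing NULL check and the pm_error() path apply to the value the caller receives.
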
Here *colormapP should be assigned, not colormapP.  Note that colormapP is used
to return allocated buffer from dith_setup() in netpbm-10.27/editor/ppmdither.c:

static void
dith_setup(const unsigned int dith_power,
           const unsigned int dith_nr,
           const unsigned int dith_ng,
           const unsigned int dith_nb,
           const pixval output_maxval,
           pixel ** const colormapP) {

Actually with the above change this code will not even compile with any recent
gcc release.  However, netpbm-10.23-gcc34.patch has the following chunk:

--- netpbm-10.23/editor/ppmdither.c.gcc34       2003-07-06 21:54:02.000000000 +0200
+++ netpbm-10.23/editor/ppmdither.c     2004-08-04 13:36:37.674439040 +0200
@@ -148,7 +148,7 @@
            const unsigned int dith_ng,
            const unsigned int dith_nb,
            const pixval output_maxval,
-           pixel ** const colormapP) {
+           pixel ** colormapP) {
 /*----------------------------------------------------------------------------
    Set up the dithering parameters, color map (lookup table) and
    dithering matrix.
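
Review bot: removing `const` from `pixel ** const colormapP` in the parameter list drops the only compile-time guard against reassigning the parameter. That qualifier forbids `colormapP = ...` but still allows `*colormapP = ...`, which is all an out-parameter needs, so keep it and change the statement that needs the parameter to be writable instead.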


So it simply downgrades the prototype of dith_setup() in order to calm down gcc,
but gcc has found a real bug here.
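
The out-parameter mistake described above, as an added example that is not part of the original report and is not netpbm code. The `pixel` struct, `mul_ok`, `alloc_colormap`, `setup_buggy` and `setup_fixed` are hypothetical stand-ins; they do not reproduce netpbm's `malloc3` or `overflow2`.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { unsigned r, g, b; } pixel;  /* stand-in, not netpbm's type */

/* Hypothetical helper: store a*b in *out, or return 0 if it would overflow. */
static int mul_ok(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical stand-in for an overflow-checked three-factor allocation. */
static void *alloc_colormap(unsigned nr, unsigned ng, unsigned nb) {
    size_t n;
    if (!mul_ok(nr, ng, &n) || !mul_ok(n, nb, &n) || !mul_ok(n, sizeof(pixel), &n))
        return NULL;
    return malloc(n);
}

/* Shape of the bug: with no const on the parameter this compiles cleanly. */
static int setup_buggy(unsigned nr, unsigned ng, unsigned nb, pixel **colormapP) {
    colormapP = alloc_colormap(nr, ng, nb);  /* rebinds the local copy only */
    int ok = (colormapP != NULL);
    free(colormapP);  /* the caller can never reach it; freed to avoid a leak */
    return ok;
}

/* Fixed shape: the const makes "colormapP = ..." a compile error, while
   writing through the pointer is still allowed. */
static int setup_fixed(unsigned nr, unsigned ng, unsigned nb, pixel ** const colormapP) {
    *colormapP = alloc_colormap(nr, ng, nb);
    return *colormapP != NULL;
}

int main(void) {
    pixel *map = NULL;
    setup_buggy(4, 4, 4, &map);
    printf("buggy: caller's pointer is %s\n", map ? "set" : "still NULL");
    setup_fixed(4, 4, 4, &map);
    printf("fixed: caller's pointer is %s\n", map ? "set" : "still NULL");
    free(map);
    return 0;
}
```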

Comment 1 Jindrich Novy 2005-05-16 06:56:26 UTC
Yes, this needs to be fixed. Thanks.

