summaryrefslogtreecommitdiffstats
path: root/abs/extra/netpbm/netpbm-security-code.patch
diff options
context:
space:
mode:
authorMichael Hanson <hansonorders@verizon.net>2010-11-30 23:35:41 (GMT)
committerMichael Hanson <hansonorders@verizon.net>2010-11-30 23:35:41 (GMT)
commit7329cbbfcc175fd295e9713e866259f4b7bd4fdf (patch)
treeb4bd0c8e633a4e66d4d5213c8063054f56fc3d09 /abs/extra/netpbm/netpbm-security-code.patch
parentccb9daefd021288219c88d451a31dc2ff1511e32 (diff)
downloadlinhes_pkgbuild-7329cbbfcc175fd295e9713e866259f4b7bd4fdf.zip
linhes_pkgbuild-7329cbbfcc175fd295e9713e866259f4b7bd4fdf.tar.gz
linhes_pkgbuild-7329cbbfcc175fd295e9713e866259f4b7bd4fdf.tar.bz2
netpbm: initial include as dep for groff
Diffstat (limited to 'abs/extra/netpbm/netpbm-security-code.patch')
-rw-r--r--abs/extra/netpbm/netpbm-security-code.patch1817
1 files changed, 1817 insertions, 0 deletions
diff --git a/abs/extra/netpbm/netpbm-security-code.patch b/abs/extra/netpbm/netpbm-security-code.patch
new file mode 100644
index 0000000..e8fbc29
--- /dev/null
+++ b/abs/extra/netpbm/netpbm-security-code.patch
@@ -0,0 +1,1817 @@
+diff -up netpbm-10.47.04/analyzer/pgmtexture.c.security netpbm-10.47.04/analyzer/pgmtexture.c
+--- netpbm-10.47.04/analyzer/pgmtexture.c.security 2009-10-21 13:38:55.000000000 +0200
++++ netpbm-10.47.04/analyzer/pgmtexture.c 2009-10-21 15:09:33.000000000 +0200
+@@ -79,6 +79,9 @@ vector (int nl, int nh)
+ {
+ float *v;
+
++ if(nh < nl)
++ pm_error("assert: h < l");
++ overflow_add(nh - nl, 1);
+ MALLOCARRAY(v, (unsigned) (nh - nl + 1));
+ if (v == NULL)
+ pm_error("Unable to allocate memory for a vector.");
+@@ -95,6 +98,9 @@ matrix (int nrl, int nrh, int ncl, int n
+ float **m;
+
+ /* allocate pointers to rows */
++ if(nrh < nrl)
++ pm_error("assert: h < l");
++ overflow_add(nrh - nrl, 1);
+ MALLOCARRAY(m, (unsigned) (nrh - nrl + 1));
+ if (m == NULL)
+ pm_error("Unable to allocate memory for a matrix.");
+@@ -102,6 +108,9 @@ matrix (int nrl, int nrh, int ncl, int n
+ m -= ncl;
+
+ /* allocate rows and set pointers to them */
++ if(nch < ncl)
++ pm_error("assert: h < l");
++ overflow_add(nch - ncl, 1);
+ for (i = nrl; i <= nrh; i++)
+ {
+ MALLOCARRAY(m[i], (unsigned) (nch - ncl + 1));
+diff -up netpbm-10.47.04/converter/other/gemtopnm.c.security netpbm-10.47.04/converter/other/gemtopnm.c
+--- netpbm-10.47.04/converter/other/gemtopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/gemtopnm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -106,6 +106,7 @@ main(argc, argv)
+
+ pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 );
+
++ overflow_add(cols, padright);
+ {
+ /* allocate input row data structure */
+ int plane;
+diff -up netpbm-10.47.04/converter/other/jpegtopnm.c.security netpbm-10.47.04/converter/other/jpegtopnm.c
+--- netpbm-10.47.04/converter/other/jpegtopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/jpegtopnm.c 2009-10-21 15:54:30.000000000 +0200
+@@ -861,6 +861,8 @@ convertImage(FILE *
+ /* Calculate output image dimensions so we can allocate space */
+ jpeg_calc_output_dimensions(cinfoP);
+
++ overflow2(cinfoP->output_width, cinfoP->output_components);
++
+ /* Start decompressor */
+ jpeg_start_decompress(cinfoP);
+
+diff -up netpbm-10.47.04/converter/other/pbmtopgm.c.security netpbm-10.47.04/converter/other/pbmtopgm.c
+--- netpbm-10.47.04/converter/other/pbmtopgm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/pbmtopgm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -47,6 +47,7 @@ main(int argc, char *argv[]) {
+ "than the image height (%u rows)", height, rows);
+
+ outrow = pgm_allocrow(cols) ;
++ overflow2(width, height);
+ maxval = MIN(PGM_OVERALLMAXVAL, width*height);
+ pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
+
+diff -up netpbm-10.47.04/converter/other/pngtopnm.c.security netpbm-10.47.04/converter/other/pngtopnm.c
+diff -up netpbm-10.47.04/converter/other/pnmtoddif.c.security netpbm-10.47.04/converter/other/pnmtoddif.c
+--- netpbm-10.47.04/converter/other/pnmtoddif.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/pnmtoddif.c 2009-10-21 15:09:33.000000000 +0200
+@@ -632,6 +632,7 @@ main(int argc, char *argv[]) {
+ switch (PNM_FORMAT_TYPE(format)) {
+ case PBM_TYPE:
+ ip.bits_per_pixel = 1;
++ overflow_add(cols, 7);
+ ip.bytes_per_line = (cols + 7) / 8;
+ ip.spectral = 2;
+ ip.components = 1;
+@@ -647,6 +648,7 @@ main(int argc, char *argv[]) {
+ ip.polarity = 2;
+ break;
+ case PPM_TYPE:
++ overflow2(cols, 3);
+ ip.bytes_per_line = 3 * cols;
+ ip.bits_per_pixel = 24;
+ ip.spectral = 5;
+diff -up netpbm-10.47.04/converter/other/pnmtojpeg.c.security netpbm-10.47.04/converter/other/pnmtojpeg.c
+--- netpbm-10.47.04/converter/other/pnmtojpeg.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/pnmtojpeg.c 2009-10-21 15:56:32.000000000 +0200
+@@ -605,7 +605,11 @@ read_scan_script(j_compress_ptr const ci
+ want JPOOL_PERMANENT.
+ */
+ const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info);
+- jpeg_scan_info * const scan_info =
++ const jpeg_scan_info * scan_info;
++
++ overflow2(nscans, sizeof(jpeg_scan_info));
++
++ scan_info =
+ (jpeg_scan_info *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ scan_info_size);
+@@ -936,6 +940,8 @@ compute_rescaling_array(JSAMPLE ** const
+ const long half_maxval = maxval / 2;
+ long val;
+
++ overflow_add(maxval, 1);
++ overflow2(maxval+1, sizeof(JSAMPLE));
+ *rescale_p = (JSAMPLE *)
+ (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE,
+ (size_t) (((long) maxval + 1L) *
+@@ -1014,6 +1020,7 @@ convert_scanlines(struct jpeg_compress_s
+ */
+
+ /* Allocate the libpnm output and compressor input buffers */
++ overflow2(cinfo_p->image_width, cinfo_p->input_components);
+ buffer = (*cinfo_p->mem->alloc_sarray)
+ ((j_common_ptr) cinfo_p, JPOOL_IMAGE,
+ (unsigned int) cinfo_p->image_width * cinfo_p->input_components,
+diff -up netpbm-10.47.04/converter/other/pnmtops.c.security netpbm-10.47.04/converter/other/pnmtops.c
+--- netpbm-10.47.04/converter/other/pnmtops.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/pnmtops.c 2009-10-21 15:09:33.000000000 +0200
+@@ -186,16 +186,20 @@ parseCommandLine(int argc, char ** argv,
+ cmdlineP->canturn = !noturn;
+ cmdlineP->showpage = !noshowpage;
+
++ overflow2(width, 72);
+ cmdlineP->width = width * 72;
++ overflow2(height, 72);
+ cmdlineP->height = height * 72;
+
+- if (imagewidthSpec)
++ if (imagewidthSpec) {
++ overflow2(imagewidth, 72);
+ cmdlineP->imagewidth = imagewidth * 72;
+- else
++ } else
+ cmdlineP->imagewidth = 0;
+- if (imageheightSpec)
++ if (imageheightSpec) {
++ overflow2(imageheight, 72);
+ cmdlineP->imageheight = imageheight * 72;
+- else
++ } else
+ cmdlineP->imageheight = 0;
+
+ if (!cmdlineP->psfilter &&
+diff -up netpbm-10.47.04/converter/other/pnmtorle.c.security netpbm-10.47.04/converter/other/pnmtorle.c
+--- netpbm-10.47.04/converter/other/pnmtorle.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/pnmtorle.c 2009-10-21 15:09:33.000000000 +0200
+@@ -19,6 +19,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * pnmtorle - A program which will convert pbmplus (ppm or pgm) images
+diff -up netpbm-10.47.04/converter/other/pnmtosgi.c.security netpbm-10.47.04/converter/other/pnmtosgi.c
+--- netpbm-10.47.04/converter/other/pnmtosgi.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/pnmtosgi.c 2009-10-21 15:09:33.000000000 +0200
+@@ -213,6 +213,22 @@ write_channels(cols, rows, channels, put
+ }
+ }
+
++static void *
++xmalloc2(int x, int y)
++{
++ void *mem;
++
++ overflow2(x,y);
++ if( x * y == 0 )
++ return NULL;
++
++ mem = malloc2(x, y);
++ if( mem == NULL )
++ pm_error("out of memory allocating %d bytes", x * y);
++ return mem;
++}
++
++
+ static void
+ put_big_short(short s)
+ {
+@@ -250,6 +266,7 @@ build_channels(FILE *ifp, int cols, int
+ #endif
+
+ if( storage != STORAGE_VERBATIM ) {
++ overflow2(channels, rows);
+ MALLOCARRAY_NOFAIL(table, channels * rows);
+ MALLOCARRAY_NOFAIL(rletemp, WORSTCOMPR(cols));
+ }
+@@ -303,6 +320,8 @@ compress(temp, row, rows, cols, chan_no,
+ break;
+ case STORAGE_RLE:
+ tabrow = chan_no * rows + row;
++ overflow2(chan_no, rows);
++ overflow_add(chan_no* rows, row);
+ len = rle_compress(temp, cols); /* writes result into rletemp */
+ channel[chan_no][row].length = len;
+ MALLOCARRAY(p, len);
+diff -up netpbm-10.47.04/converter/other/rletopnm.c.security netpbm-10.47.04/converter/other/rletopnm.c
+--- netpbm-10.47.04/converter/other/rletopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/rletopnm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -19,6 +19,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rletopnm - A conversion program to convert from Utah's "rle" image format
+diff -up netpbm-10.47.04/converter/other/sgitopnm.c.security netpbm-10.47.04/converter/other/sgitopnm.c
+--- netpbm-10.47.04/converter/other/sgitopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/sgitopnm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -252,13 +252,17 @@ read_channels(ifp, head, table, func, oc
+
+ if (ochan < 0) {
+ maxchannel = (head->zsize < 3) ? head->zsize : 3;
++ overflow2(head->ysize, maxchannel);
+ MALLOCARRAY_NOFAIL(image, head->ysize * maxchannel);
+ } else {
+ maxchannel = ochan + 1;
+ MALLOCARRAY_NOFAIL(image, head->ysize);
+ }
+- if ( table )
++ if ( table ) {
++ overflow2(head->xsize, 2);
++ overflow_add(head->xsize*2, 2);
+ MALLOCARRAY_NOFAIL(temp, WORSTCOMPR(head->xsize));
++ }
+
+ for( channel = 0; channel < maxchannel; channel++ ) {
+ #ifdef DEBUG
+diff -up netpbm-10.47.04/converter/other/sirtopnm.c.security netpbm-10.47.04/converter/other/sirtopnm.c
+--- netpbm-10.47.04/converter/other/sirtopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/sirtopnm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -69,6 +69,7 @@ char* argv[];
+ }
+ break;
+ case PPM_TYPE:
++ overflow3(cols, rows, 3);
+ picsize = cols * rows * 3;
+ planesize = cols * rows;
+ if ( !( sirarray = (unsigned char*) malloc( picsize ) ) )
+diff -up netpbm-10.47.04/converter/other/tifftopnm.c.security netpbm-10.47.04/converter/other/tifftopnm.c
+--- netpbm-10.47.04/converter/other/tifftopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/tifftopnm.c 2009-10-21 15:49:29.000000000 +0200
+@@ -1291,7 +1291,9 @@ convertRasterByRows(pnmOut * const
+ if (scanbuf == NULL)
+ pm_error("can't allocate memory for scanline buffer");
+
+- MALLOCARRAY(samplebuf, cols * spp);
++ /* samplebuf is unsigned int * !!! */
++ samplebuf = (unsigned int *) malloc3(cols , sizeof(unsigned int) , spp);
++
+ if (samplebuf == NULL)
+ pm_error("can't allocate memory for row buffer");
+
+diff -up netpbm-10.47.04/converter/other/xwdtopnm.c.security netpbm-10.47.04/converter/other/xwdtopnm.c
+--- netpbm-10.47.04/converter/other/xwdtopnm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/other/xwdtopnm.c 2009-10-21 15:53:27.000000000 +0200
+@@ -209,6 +209,10 @@ processX10Header(X10WDFileHeader * cons
+ *colorsP = pnm_allocrow(2);
+ PNM_ASSIGN1((*colorsP)[0], 0);
+ PNM_ASSIGN1((*colorsP)[1], *maxvalP);
++ overflow_add(h10P->pixmap_width, 15);
++ if(h10P->pixmap_width < 0)
++ pm_error("assert: negative width");
++ overflow2((((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width), 8);
+ *padrightP =
+ (((h10P->pixmap_width + 15) / 16) * 16 - h10P->pixmap_width) * 8;
+ *bits_per_itemP = 16;
+@@ -634,6 +638,7 @@ processX11Header(X11WDFileHeader * cons
+
+ *colsP = h11FixedP->pixmap_width;
+ *rowsP = h11FixedP->pixmap_height;
++ overflow2(h11FixedP->bytes_per_line, 8);
+ *padrightP =
+ h11FixedP->bytes_per_line * 8 -
+ h11FixedP->pixmap_width * h11FixedP->bits_per_pixel;
+diff -up netpbm-10.47.04/converter/pbm/icontopbm.c.security netpbm-10.47.04/converter/pbm/icontopbm.c
+--- netpbm-10.47.04/converter/pbm/icontopbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/icontopbm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -11,6 +11,7 @@
+ */
+
+ #include <string.h>
++#include <limits.h>
+
+ #include "nstring.h"
+ #include "pbm.h"
+@@ -87,6 +88,11 @@ ReadIconFile(FILE * const
+ if ( *heightP <= 0 )
+ pm_error( "invalid height (must be positive): %d", *heightP );
+
++ if ( *widthP > INT_MAX - 16 || *widthP < 0)
++ pm_error( "invalid width: %d", *widthP);
++
++ overflow2(*widthP + 16, *heightP);
++
+ data_length = BitmapSize( *widthP, *heightP );
+ *dataP = (short unsigned int *) malloc( data_length );
+ if ( *dataP == NULL )
+diff -up netpbm-10.47.04/converter/pbm/mdatopbm.c.security netpbm-10.47.04/converter/pbm/mdatopbm.c
+--- netpbm-10.47.04/converter/pbm/mdatopbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/mdatopbm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -245,10 +245,13 @@ main(int argc, char **argv) {
+ pm_readlittleshort(infile, &yy); nInCols = yy;
+ }
+
++ overflow2(nOutCols, 8);
+ nOutCols = 8 * nInCols;
+ nOutRows = nInRows;
+- if (bScale)
++ if (bScale) {
++ overflow2(nOutRows, 2);
+ nOutRows *= 2;
++ }
+
+ data = pbm_allocarray(nOutCols, nOutRows);
+
+diff -up netpbm-10.47.04/converter/pbm/mgrtopbm.c.security netpbm-10.47.04/converter/pbm/mgrtopbm.c
+--- netpbm-10.47.04/converter/pbm/mgrtopbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/mgrtopbm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -65,6 +65,8 @@ readMgrHeader(FILE * const ifP,
+ if (head.h_high < ' ' || head.l_high < ' ')
+ pm_error("Invalid width field in MGR header");
+
++ overflow_add(*colsP, pad);
++
+ *colsP = (((int)head.h_wide - ' ') << 6) + ((int)head.l_wide - ' ');
+ *rowsP = (((int)head.h_high - ' ') << 6) + ((int) head.l_high - ' ');
+ *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;
+diff -up netpbm-10.47.04/converter/pbm/pbmto10x.c.security netpbm-10.47.04/converter/pbm/pbmto10x.c
+--- netpbm-10.47.04/converter/pbm/pbmto10x.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmto10x.c 2009-10-21 15:09:33.000000000 +0200
+@@ -162,7 +162,7 @@ main(int argc, char * argv[]) {
+ res_60x72();
+
+ pm_close(ifp);
+- exit(0);
++ return 0;
+ }
+
+
+diff -up netpbm-10.47.04/converter/pbm/pbmto4425.c.security netpbm-10.47.04/converter/pbm/pbmto4425.c
+--- netpbm-10.47.04/converter/pbm/pbmto4425.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmto4425.c 2009-10-21 15:09:33.000000000 +0200
+@@ -2,6 +2,7 @@
+
+ #include "nstring.h"
+ #include "pbm.h"
++#include <string.h>
+
+ static char bit_table[2][3] = {
+ {1, 4, 0x10},
+@@ -160,7 +161,7 @@ main(int argc, char * argv[]) {
+ xres = vmap_width * 2;
+ yres = vmap_height * 3;
+
+- vmap = malloc(vmap_width * vmap_height * sizeof(char));
++ vmap = malloc3(vmap_width, vmap_height, sizeof(char));
+ if(vmap == NULL)
+ {
+ pm_error( "Cannot allocate memory" );
+diff -up netpbm-10.47.04/converter/pbm/pbmtoascii.c.security netpbm-10.47.04/converter/pbm/pbmtoascii.c
+--- netpbm-10.47.04/converter/pbm/pbmtoascii.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtoascii.c 2009-10-21 15:09:33.000000000 +0200
+@@ -115,9 +115,11 @@ char* argv[];
+ pm_usage( usage );
+
+ pbm_readpbminit( ifp, &cols, &rows, &format );
++ overflow_add(cols, gridx);
+ ccols = ( cols + gridx - 1 ) / gridx;
+ bitrow = pbm_allocrow( cols );
+ sig = (int*) pm_allocrow( ccols, sizeof(int) );
++ overflow_add(ccols, 1);
+ line = (char*) pm_allocrow( ccols + 1, sizeof(char) );
+
+ for ( row = 0; row < rows; row += gridy )
+diff -up netpbm-10.47.04/converter/pbm/pbmtocmuwm.c.security netpbm-10.47.04/converter/pbm/pbmtocmuwm.c
+diff -up netpbm-10.47.04/converter/pbm/pbmtogem.c.security netpbm-10.47.04/converter/pbm/pbmtogem.c
+--- netpbm-10.47.04/converter/pbm/pbmtogem.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtogem.c 2009-10-21 15:09:33.000000000 +0200
+@@ -123,6 +123,7 @@ putinit (rows, cols)
+ bitsperitem = 0;
+ bitshift = 7;
+ outcol = 0;
++ overflow_add(cols, 7);
+ outmax = (cols + 7) / 8;
+ outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
+ lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
+diff -up netpbm-10.47.04/converter/pbm/pbmtogo.c.security netpbm-10.47.04/converter/pbm/pbmtogo.c
+--- netpbm-10.47.04/converter/pbm/pbmtogo.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtogo.c 2009-10-21 15:09:33.000000000 +0200
+@@ -158,6 +158,7 @@ main(int argc,
+ bitrow = pbm_allocrow(cols);
+
+ /* Round cols up to the nearest multiple of 8. */
++ overflow_add(cols, 7);
+ rucols = ( cols + 7 ) / 8;
+ bytesperrow = rucols; /* GraphOn uses bytes */
+ rucols = rucols * 8;
+diff -up netpbm-10.47.04/converter/pbm/pbmtoicon.c.security netpbm-10.47.04/converter/pbm/pbmtoicon.c
+--- netpbm-10.47.04/converter/pbm/pbmtoicon.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtoicon.c 2009-10-21 15:38:55.000000000 +0200
+@@ -114,6 +114,7 @@ writeIcon(FILE * const ifP,
+ unsigned char * bitrow;
+ unsigned int row;
+
++ overflow_add(cols, 15);
+ bitbuffer = pbm_allocrow_packed(cols + wordintSize);
+ bitrow = &bitbuffer[1];
+ bitbuffer[0] = 0;
+diff -up netpbm-10.47.04/converter/pbm/pbmtolj.c.security netpbm-10.47.04/converter/pbm/pbmtolj.c
+--- netpbm-10.47.04/converter/pbm/pbmtolj.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtolj.c 2009-10-21 15:09:33.000000000 +0200
+@@ -120,7 +120,11 @@ parseCommandLine(int argc, char ** argv,
+ static void
+ allocateBuffers(unsigned int const cols) {
+
++ overflow_add(cols, 8);
+ rowBufferSize = (cols + 7) / 8;
++ overflow_add(rowBufferSize, 128);
++ overflow_add(rowBufferSize, rowBufferSize+128);
++ overflow_add(rowBufferSize+10, rowBufferSize/8);
+ packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
+ deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
+
+diff -up netpbm-10.47.04/converter/pbm/pbmtomacp.c.security netpbm-10.47.04/converter/pbm/pbmtomacp.c
+--- netpbm-10.47.04/converter/pbm/pbmtomacp.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtomacp.c 2009-10-21 15:09:33.000000000 +0200
+@@ -101,6 +101,7 @@ char *argv[];
+ if( !lflg )
+ left = 0;
+
++ overflow_add(left, MAX_COLS - 1);
+ if( rflg )
+ { if( right - left >= MAX_COLS )
+ right = left + MAX_COLS - 1;
+@@ -111,6 +112,8 @@ char *argv[];
+ if( !tflg )
+ top = 0;
+
++ overflow_add(top, MAX_LINES - 1);
++
+ if( bflg )
+ { if( bottom - top >= MAX_LINES )
+ bottom = top + MAX_LINES - 1;
+diff -up netpbm-10.47.04/converter/pbm/pbmtomda.c.security netpbm-10.47.04/converter/pbm/pbmtomda.c
+--- netpbm-10.47.04/converter/pbm/pbmtomda.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtomda.c 2009-10-21 15:09:33.000000000 +0200
+@@ -179,6 +179,7 @@ int main(int argc, char **argv)
+
+ nOutRowsUnrounded = bScale ? nInRows/2 : nInRows;
+
++ overflow_add(nOutRowsUnrounded, 3);
+ nOutRows = ((nOutRowsUnrounded + 3) / 4) * 4;
+ /* MDA wants rows a multiple of 4 */
+ nOutCols = nInCols / 8;
+diff -up netpbm-10.47.04/converter/pbm/pbmtomgr.c.security netpbm-10.47.04/converter/pbm/pbmtomgr.c
+diff -up netpbm-10.47.04/converter/pbm/pbmtoppa/pbm.c.security netpbm-10.47.04/converter/pbm/pbmtoppa/pbm.c
+--- netpbm-10.47.04/converter/pbm/pbmtoppa/pbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtoppa/pbm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -105,6 +105,7 @@ int pbm_readline(pbm_stat* pbm,unsigned
+ return 0;
+
+ case P4:
++ overflow_add(pbm->width, 7);
+ tmp=(pbm->width+7)/8;
+ tmp2=fread(data,1,tmp,pbm->fptr);
+ if(tmp2 == tmp)
+@@ -129,7 +130,8 @@ void pbm_unreadline (pbm_stat *pbm, void
+ return;
+
+ pbm->unread = 1;
+- pbm->revdata = malloc ((pbm->width+7)/8);
++ overflow_add(pbm->width, 7);
++ pbm->revdata = malloc((pbm->width+7)/8);
+ memcpy (pbm->revdata, data, (pbm->width+7)/8);
+ pbm->current_line--;
+ }
+diff -up netpbm-10.47.04/converter/pbm/pbmtoppa/pbmtoppa.c.security netpbm-10.47.04/converter/pbm/pbmtoppa/pbmtoppa.c
+--- netpbm-10.47.04/converter/pbm/pbmtoppa/pbmtoppa.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtoppa/pbmtoppa.c 2009-10-21 15:09:33.000000000 +0200
+@@ -441,6 +441,7 @@ main(int argc, char *argv[]) {
+ pm_error("main(): unrecognized parameter '%s'", argv[argn]);
+ }
+
++ overflow_add(Width, 7);
+ Pwidth=(Width+7)/8;
+ printer.fptr=out;
+
+diff -up netpbm-10.47.04/converter/pbm/pbmtoxbm.c.security netpbm-10.47.04/converter/pbm/pbmtoxbm.c
+--- netpbm-10.47.04/converter/pbm/pbmtoxbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtoxbm.c 2009-10-21 15:36:54.000000000 +0200
+@@ -335,6 +335,8 @@ convertRaster(FILE * const ifP,
+
+ unsigned char * bitrow;
+ unsigned int row;
++
++ overflow_add(cols, padright);
+
+ putinit(xbmVersion);
+
+diff -up netpbm-10.47.04/converter/pbm/pbmtoybm.c.security netpbm-10.47.04/converter/pbm/pbmtoybm.c
+--- netpbm-10.47.04/converter/pbm/pbmtoybm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtoybm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -45,6 +45,7 @@ main( argc, argv )
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 16);
+ padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+
+ putinit( cols, rows );
+diff -up netpbm-10.47.04/converter/pbm/pbmtozinc.c.security netpbm-10.47.04/converter/pbm/pbmtozinc.c
+--- netpbm-10.47.04/converter/pbm/pbmtozinc.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pbmtozinc.c 2009-10-21 15:09:33.000000000 +0200
+@@ -65,6 +65,7 @@ main(int argc, char * argv[]) {
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 16);
+ padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+
+ printf( "USHORT %s[] = {\n",name);
+diff -up netpbm-10.47.04/converter/pbm/pktopbm.c.security netpbm-10.47.04/converter/pbm/pktopbm.c
+--- netpbm-10.47.04/converter/pbm/pktopbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/pktopbm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -277,6 +277,7 @@ main(int argc, char *argv[]) {
+ if (flagbyte == 7) { /* long form preamble */
+ integer packetlength = get32() ; /* character packet length */
+ car = get32() ; /* character number */
++ overflow_add(packetlength, pktopbm_pkloc);
+ endofpacket = packetlength + pktopbm_pkloc;
+ /* calculate end of packet */
+ if ((car >= MAXPKCHAR) || !filename[car]) {
+diff -up netpbm-10.47.04/converter/pbm/thinkjettopbm.l.security netpbm-10.47.04/converter/pbm/thinkjettopbm.l
+--- netpbm-10.47.04/converter/pbm/thinkjettopbm.l.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/thinkjettopbm.l 2009-10-21 15:09:33.000000000 +0200
+@@ -107,7 +107,9 @@ DIG [0-9]
+ <RASTERMODE>\033\*b{DIG}+W {
+ int l;
+ if (rowCount >= rowCapacity) {
++ overflow_add(rowCapacity, 100);
+ rowCapacity += 100;
++ overflow2(rowCapacity, sizeof *rows);
+ rows = realloc (rows, rowCapacity * sizeof *rows);
+ if (rows == NULL)
+ pm_error ("Out of memory.");
+@@ -217,6 +219,8 @@ yywrap (void)
+ /*
+ * Quite simple since ThinkJet bit arrangement matches PBM
+ */
++
++ overflow2(maxRowLength, 8);
+ pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
+
+ packed_bitrow = malloc(maxRowLength);
+diff -up netpbm-10.47.04/converter/pbm/ybmtopbm.c.security netpbm-10.47.04/converter/pbm/ybmtopbm.c
+--- netpbm-10.47.04/converter/pbm/ybmtopbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/pbm/ybmtopbm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -88,6 +88,7 @@ getinit( file, colsP, rowsP, depthP, pad
+ pm_error( "EOF / read error" );
+
+ *depthP = 1;
++ overflow_add(*colsP, 15);
+ *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP;
+ bitsperitem = 0;
+ }
+diff -up netpbm-10.47.04/converter/pgm/lispmtopgm.c.security netpbm-10.47.04/converter/pgm/lispmtopgm.c
+--- netpbm-10.47.04/converter/pgm/lispmtopgm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/pgm/lispmtopgm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -58,6 +58,7 @@ main( argc, argv )
+ pm_error( "depth (%d bits) is too large", depth);
+
+ pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
++ overflow_add(cols, 7);
+ grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
+
+ for ( row = 0; row < rows; ++row )
+@@ -102,7 +103,9 @@ getinit( file, colsP, rowsP, depthP, pad
+
+ if ( *depthP == 0 )
+ *depthP = 1; /* very old file */
+-
++
++ overflow_add((int)colsP, 31);
++
+ *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
+
+ if ( *colsP != (cols_32 - *padrightP) ) {
+diff -up netpbm-10.47.04/converter/pgm/psidtopgm.c.security netpbm-10.47.04/converter/pgm/psidtopgm.c
+--- netpbm-10.47.04/converter/pgm/psidtopgm.c.security 2009-10-21 13:39:06.000000000 +0200
++++ netpbm-10.47.04/converter/pgm/psidtopgm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -78,6 +78,7 @@ main(int argc,
+ pm_error("bits/sample (%d) is too large.", bitspersample);
+
+ pgm_writepgminit(stdout, cols, rows, maxval, 0);
++ overflow_add(cols, 7);
+ grayrow = pgm_allocrow((cols + 7) / 8 * 8);
+ for (row = 0; row < rows; ++row) {
+ unsigned int col;
+diff -up netpbm-10.47.04/converter/ppm/ilbmtoppm.c.security netpbm-10.47.04/converter/ppm/ilbmtoppm.c
+--- netpbm-10.47.04/converter/ppm/ilbmtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ilbmtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -594,6 +594,7 @@ decode_row(FILE * const ifP,
+ rawtype *chp;
+
+ cols = bmhdP->w;
++ overflow_add(cols, 15);
+ bytes = RowBytes(cols);
+ for( plane = 0; plane < nPlanes; plane++ ) {
+ int mask;
+@@ -681,6 +682,23 @@ decode_mask(FILE * const ifP,
+ Multipalette handling
+ ****************************************************************************/
+
++static void *
++xmalloc2(x, y)
++ int x;
++ int y;
++{
++ void *mem;
++
++ overflow2(x,y);
++ if( x * y == 0 )
++ return NULL;
++
++ mem = malloc2(x,y);
++ if( mem == NULL )
++ pm_error("out of memory allocating %d bytes", x * y);
++ return mem;
++}
++
+
+ static void
+ multi_adjust(cmap, row, palchange)
+@@ -1300,6 +1318,9 @@ dcol_to_ppm(FILE * const ifP,
+ if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval )
+ pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval));
+
++ overflow_add(redmaxval, 1);
++ overflow_add(greenmaxval, 1);
++ overflow_add(bluemaxval, 1);
+ MALLOCARRAY_NOFAIL(redtable, redmaxval +1);
+ MALLOCARRAY_NOFAIL(greentable, greenmaxval +1);
+ MALLOCARRAY_NOFAIL(bluetable, bluemaxval +1);
+@@ -1729,7 +1750,9 @@ PCHG_ConvertSmall(PCHG, cmap, mask, data
+ ChangeCount32 = *data++;
+ datasize -= 2;
+
++ overflow_add(ChangeCount16, ChangeCount32);
+ changes = ChangeCount16 + ChangeCount32;
++ overflow_add(changes, 1);
+ for( i = 0; i < changes; i++ ) {
+ if( totalchanges >= PCHG->TotalChanges ) goto fail;
+ if( datasize < 2 ) goto fail;
+@@ -1994,6 +2017,9 @@ read_pchg(FILE * const ifp,
+ cmap->mp_change[i] = NULL;
+ if( PCHG.StartLine < 0 ) {
+ int nch;
++ if(PCHG.MaxReg < PCHG.MinReg)
++ pm_error("assert: MinReg > MaxReg");
++ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2);
+ nch = PCHG.MaxReg - PCHG.MinReg +1;
+ MALLOCARRAY_NOFAIL(cmap->mp_init, nch + 1);
+ for( i = 0; i < nch; i++ )
+@@ -2070,6 +2096,7 @@ process_body( FILE * const ifp,
+ if( typeid == ID_ILBM ) {
+ int isdeep;
+
++ overflow_add(bmhdP->w, 15);
+ MALLOCARRAY_NOFAIL(ilbmrow, RowBytes(bmhdP->w));
+ *viewportmodesP |= fakeviewport; /* -isham/-isehb */
+
+diff -up netpbm-10.47.04/converter/ppm/imgtoppm.c.security netpbm-10.47.04/converter/ppm/imgtoppm.c
+--- netpbm-10.47.04/converter/ppm/imgtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/imgtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -84,6 +84,7 @@ main(int argc, char ** argv) {
+ len = atoi((char*) buf );
+ if ( fread( buf, len, 1, ifp ) != 1 )
+ pm_error( "bad colormap buf" );
++ overflow2(cmaplen, 3);
+ if ( cmaplen * 3 != len )
+ {
+ pm_message(
+@@ -105,6 +106,7 @@ main(int argc, char ** argv) {
+ pm_error( "bad pixel data header" );
+ buf[8] = '\0';
+ len = atoi((char*) buf );
++ overflow2(cols, rows);
+ if ( len != cols * rows )
+ pm_message(
+ "pixel data length (%d) does not match image size (%d)",
+diff -up netpbm-10.47.04/converter/ppm/Makefile.security netpbm-10.47.04/converter/ppm/Makefile
+--- netpbm-10.47.04/converter/ppm/Makefile.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/Makefile 2009-10-21 15:09:33.000000000 +0200
+@@ -11,7 +11,7 @@ SUBDIRS = hpcdtoppm ppmtompeg
+
+ PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
+ leaftoppm mtvtoppm neotoppm \
+- pcxtoppm pc1toppm pi1toppm picttoppm pjtoppm \
++ pcxtoppm pc1toppm pi1toppm pjtoppm \
+ ppmtoacad ppmtoarbtxt \
+ ppmtobmp ppmtoeyuv ppmtogif ppmtoicr ppmtoilbm \
+ ppmtoleaf ppmtolj ppmtomitsu ppmtoneo \
+diff -up netpbm-10.47.04/converter/ppm/pcxtoppm.c.security netpbm-10.47.04/converter/ppm/pcxtoppm.c
+--- netpbm-10.47.04/converter/ppm/pcxtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/pcxtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -409,6 +409,7 @@ pcx_planes_to_pixels(pixels, bitplanes,
+ /*
+ * clear the pixel buffer
+ */
++ overflow2(bytesperline, 8);
+ npixels = (bytesperline * 8) / bitsperpixel;
+ p = pixels;
+ while (--npixels >= 0)
+@@ -470,6 +471,7 @@ pcx_16col_to_ppm(FILE * const ifP,
+ }
+
+ /* BytesPerLine should be >= BitsPerPixel * cols / 8 */
++ overflow2(BytesPerLine, 8);
+ rawcols = BytesPerLine * 8 / BitsPerPixel;
+ if (headerCols > rawcols) {
+ pm_message("warning - BytesPerLine = %d, "
+diff -up netpbm-10.47.04/converter/ppm/picttoppm.c.security netpbm-10.47.04/converter/ppm/picttoppm.c
+--- netpbm-10.47.04/converter/ppm/picttoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/picttoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -1,3 +1,5 @@
++#error "Unfixable. Don't ship me"
++
+ /*
+ * picttoppm.c -- convert a MacIntosh PICT file to PPM format.
+ *
+diff -up netpbm-10.47.04/converter/ppm/pjtoppm.c.security netpbm-10.47.04/converter/ppm/pjtoppm.c
+--- netpbm-10.47.04/converter/ppm/pjtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/pjtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -127,19 +127,21 @@ main(argc, argv)
+ case 'V': /* send plane */
+ case 'W': /* send last plane */
+ if (rows == -1 || r >= rows || image == NULL) {
+- if (rows == -1 || r >= rows)
++ if (rows == -1 || r >= rows) {
++ overflow_add(rows, 100);
+ rows += 100;
++ }
+ if (image == NULL) {
+- MALLOCARRAY(image, rows * planes);
+- MALLOCARRAY(imlen, rows * planes);
++ image = (unsigned char **)
++ malloc3(rows , planes , sizeof(unsigned char *));
++ imlen = (int *) malloc3(rows , planes, sizeof(int));
+ }
+ else {
++ overflow2(rows,planes);
+ image = (unsigned char **)
+- realloc(image,
+- rows * planes *
++ realloc2(image, rows * planes,
+ sizeof(unsigned char *));
+- imlen = (int *)
+- realloc(imlen, rows * planes * sizeof(int));
++ imlen = (int *) realloc2(imlen, rows * planes, sizeof(int));
+ }
+ }
+ if (image == NULL || imlen == NULL)
+@@ -212,8 +214,10 @@ main(argc, argv)
+ for (i = 0, c = 0; c < imlen[p + r * planes]; c += 2)
+ for (cmd = image[p + r * planes][c],
+ val = image[p + r * planes][c+1];
+- cmd >= 0 && i < newcols; cmd--, i++)
++ cmd >= 0 && i < newcols; cmd--, i++) {
+ buf[i] = val;
++ overflow_add(i, 1);
++ }
+ cols = cols > i ? cols : i;
+ free(image[p + r * planes]);
+ /*
+@@ -224,6 +228,7 @@ main(argc, argv)
+ image[p + r * planes] = (unsigned char *) realloc(buf, i);
+ }
+ }
++ overflow2(cols, 8);
+ cols *= 8;
+ }
+
+diff -up netpbm-10.47.04/converter/ppm/ppmtoeyuv.c.security netpbm-10.47.04/converter/ppm/ppmtoeyuv.c
+--- netpbm-10.47.04/converter/ppm/ppmtoeyuv.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtoeyuv.c 2009-10-21 15:09:33.000000000 +0200
+@@ -114,6 +114,7 @@ create_multiplication_tables(const pixva
+
+ int index;
+
++ overflow_add(maxval, 1);
+ MALLOCARRAY_NOFAIL(mult299 , maxval+1);
+ MALLOCARRAY_NOFAIL(mult587 , maxval+1);
+ MALLOCARRAY_NOFAIL(mult114 , maxval+1);
+diff -up netpbm-10.47.04/converter/ppm/ppmtoicr.c.security netpbm-10.47.04/converter/ppm/ppmtoicr.c
+--- netpbm-10.47.04/converter/ppm/ppmtoicr.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtoicr.c 2009-10-21 15:09:33.000000000 +0200
+@@ -169,7 +169,7 @@ char* argv[];
+
+ if (rleflag) {
+ pm_message("sending run-length encoded picture data ..." );
+- testimage = (char*) malloc(rows*cols);
++ testimage = (char*) malloc2(rows, cols);
+ p = testimage;
+ for (i=0; i<rows; i++)
+ for (j=0; j<cols; j++)
+diff -up netpbm-10.47.04/converter/ppm/ppmtoilbm.c.security netpbm-10.47.04/converter/ppm/ppmtoilbm.c
+--- netpbm-10.47.04/converter/ppm/ppmtoilbm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtoilbm.c 2009-10-21 15:47:50.000000000 +0200
+@@ -1214,6 +1214,7 @@ ppm_to_rgb8(ifP, cols, rows, maxval)
+
+ maskmethod = 0; /* no masking - RGB8 uses genlock bits */
+ compmethod = 4; /* RGB8 files are always compressed */
++ overflow2(cols, 4);
+ MALLOCARRAY_NOFAIL(compr_row, cols * 4);
+
+ if( maxval != 255 ) {
+@@ -1302,6 +1303,7 @@ ppm_to_rgbn(ifP, cols, rows, maxval)
+
+ maskmethod = 0; /* no masking - RGBN uses genlock bits */
+ compmethod = 4; /* RGBN files are always compressed */
++ overflow2(cols, 2);
+ MALLOCARRAY_NOFAIL(compr_row, cols * 2);
+
+ if( maxval != 15 ) {
+@@ -1779,6 +1781,7 @@ make_val_table(oldmaxval, newmaxval)
+ unsigned int i;
+ int * table;
+
++ overflow_add(oldmaxval, 1);
+ MALLOCARRAY_NOFAIL(table, oldmaxval + 1);
+ for (i = 0; i <= oldmaxval; ++i)
+ table[i] = ROUNDDIV(i * newmaxval, oldmaxval);
+@@ -2283,8 +2286,11 @@ main(int argc, char ** argv) {
+ MALLOCARRAY_NOFAIL(coded_rowbuf, RowBytes(cols));
+ for (i = 0; i < RowBytes(cols); ++i)
+ coded_rowbuf[i] = 0;
+- if (DO_COMPRESS)
++ if (DO_COMPRESS) {
++ overflow2(cols,2);
++ overflow_add(cols*2,2);
+ MALLOCARRAY_NOFAIL(compr_rowbuf, WORSTCOMPR(RowBytes(cols)));
++ }
+ }
+
+ switch (mode) {
+diff -up netpbm-10.47.04/converter/ppm/ppmtolj.c.security netpbm-10.47.04/converter/ppm/ppmtolj.c
+--- netpbm-10.47.04/converter/ppm/ppmtolj.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtolj.c 2009-10-21 15:09:33.000000000 +0200
+@@ -181,7 +181,8 @@ int main(int argc, char *argv[]) {
+
+ ppm_readppminit( ifp, &cols, &rows, &maxval, &format );
+ pixelrow = ppm_allocrow( cols );
+-
++
++ overflow2(cols, 6);
+ obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
+ cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
+ if (mode == C_TRANS_MODE_DELTA)
+diff -up netpbm-10.47.04/converter/ppm/ppmtomitsu.c.security netpbm-10.47.04/converter/ppm/ppmtomitsu.c
+--- netpbm-10.47.04/converter/ppm/ppmtomitsu.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtomitsu.c 2009-10-21 15:48:30.000000000 +0200
+@@ -685,6 +685,8 @@ main(int argc, char * argv[]) {
+ medias = MSize_User;
+
+ if (dpi300) {
++ overflow2(medias.maxcols, 2);
++ overflow2(medias.maxrows, 2);
+ medias.maxcols *= 2;
+ medias.maxrows *= 2;
+ }
+diff -up netpbm-10.47.04/converter/ppm/ppmtopcx.c.security netpbm-10.47.04/converter/ppm/ppmtopcx.c
+--- netpbm-10.47.04/converter/ppm/ppmtopcx.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtopcx.c 2009-10-21 15:09:33.000000000 +0200
+@@ -419,6 +419,8 @@ ppmTo16ColorPcx(pixel ** cons
+ else Planes = 1;
+ }
+ }
++ overflow2(BitsPerPixel, cols);
++ overflow_add(BitsPerPixel * cols, 7);
+ BytesPerLine = ((cols * BitsPerPixel) + 7) / 8;
+ MALLOCARRAY_NOFAIL(indexRow, cols);
+ MALLOCARRAY_NOFAIL(planesrow, BytesPerLine);
+diff -up netpbm-10.47.04/converter/ppm/ppmtopict.c.security netpbm-10.47.04/converter/ppm/ppmtopict.c
+--- netpbm-10.47.04/converter/ppm/ppmtopict.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtopict.c 2009-10-21 15:09:33.000000000 +0200
+@@ -245,6 +245,8 @@ char *argv[];
+ putShort(stdout, 0); /* mode */
+
+ /* Finally, write out the data. */
++ overflow_add(cols/MAX_COUNT, 1);
++ overflow_add(cols, cols/MAX_COUNT+1);
+ packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1));
+ oc = 0;
+ for (row = 0; row < rows; row++)
+diff -up netpbm-10.47.04/converter/ppm/ppmtopj.c.security netpbm-10.47.04/converter/ppm/ppmtopj.c
+--- netpbm-10.47.04/converter/ppm/ppmtopj.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtopj.c 2009-10-21 15:09:33.000000000 +0200
+@@ -179,6 +179,7 @@ char *argv[];
+ pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
+
+ pm_close( ifp );
++ overflow2(cols,2);
+ obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
+ cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
+
+diff -up netpbm-10.47.04/converter/ppm/ppmtopjxl.c.security netpbm-10.47.04/converter/ppm/ppmtopjxl.c
+--- netpbm-10.47.04/converter/ppm/ppmtopjxl.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtopjxl.c 2009-10-21 15:43:31.000000000 +0200
+@@ -276,6 +276,8 @@ main(int argc, const char * argv[]) {
+ pm_error("image too large; reduce with ppmscale");
+ if (maxval > PCL_MAXVAL)
+ pm_error("color range too large; reduce with ppmcscale");
++ if (cols < 0 || rows < 0)
++ pm_error("negative size is not possible");
+
+ /* Figure out the colormap. */
+ pm_message("Computing colormap...");
+@@ -296,6 +298,8 @@ main(int argc, const char * argv[]) {
+ case 0: /* direct mode (no palette) */
+ bpp = bitsperpixel(maxval); /* bits per pixel */
+ bpg = bpp; bpb = bpp;
++ overflow2(bpp, 3);
++ overflow_add(bpp*3, 7);
+ bpp = (bpp*3+7)>>3; /* bytes per pixel now */
+ bpr = (bpp<<3)-bpg-bpb;
+ bpp *= cols; /* bytes per row now */
+@@ -305,9 +309,13 @@ main(int argc, const char * argv[]) {
+ case 3: case 7: pclindex++;
+ default:
+ bpp = 8/pclindex;
++ overflow_add(cols, bpp);
++ if(bpp == 0)
++ pm_error("assert: no bpp");
+ bpp = (cols+bpp-1)/bpp; /* bytes per row */
+ }
+ }
++ overflow2(bpp,2);
+ inrow = (char *)malloc((unsigned)bpp);
+ outrow = (char *)malloc((unsigned)bpp*2);
+ runcnt = (signed char *)malloc((unsigned)bpp);
+diff -up netpbm-10.47.04/converter/ppm/ppmtowinicon.c.security netpbm-10.47.04/converter/ppm/ppmtowinicon.c
+--- netpbm-10.47.04/converter/ppm/ppmtowinicon.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtowinicon.c 2009-10-21 15:44:54.000000000 +0200
+@@ -12,6 +12,7 @@
+
+ #include <math.h>
+ #include <string.h>
++#include <stdlib.h>
+
+ #include "pm_c_util.h"
+ #include "winico.h"
+@@ -219,6 +220,7 @@ createAndBitmap (gray ** const ba, int c
+ MALLOCARRAY_NOFAIL(rowData, rows);
+ icBitmap->xBytes = xBytes;
+ icBitmap->data = rowData;
++ overflow2(xBytes, rows);
+ icBitmap->size = xBytes * rows;
+ for (y=0;y<rows;y++) {
+ u1 * row;
+@@ -347,6 +349,7 @@ create4Bitmap (pixel ** const pa, int co
+ MALLOCARRAY_NOFAIL(rowData, rows);
+ icBitmap->xBytes = xBytes;
+ icBitmap->data = rowData;
++ overflow2(xBytes, rows);
+ icBitmap->size = xBytes * rows;
+
+ for (y=0;y<rows;y++) {
+@@ -407,6 +410,7 @@ create8Bitmap (pixel ** const pa, int co
+ MALLOCARRAY_NOFAIL(rowData, rows);
+ icBitmap->xBytes = xBytes;
+ icBitmap->data = rowData;
++ overflow2(xBytes, rows);
+ icBitmap->size = xBytes * rows;
+
+ for (y=0;y<rows;y++) {
+@@ -714,6 +718,10 @@ addEntryToIcon(MS_Ico const MSIcon
+ entry->bitcount = bpp;
+ entry->ih = createInfoHeader(entry, xorBitmap, andBitmap);
+ entry->colors = palette->colors;
++ overflow2(4, entry->color_count);
++ overflow_add(xorBitmap->size, andBitmap->size);
++ overflow_add(xorBitmap->size + andBitmap->size, 40);
++ overflow_add(xorBitmap->size + andBitmap->size + 40, 4 * entry->color_count);
+ entry->size_in_bytes =
+ xorBitmap->size + andBitmap->size + 40 + (4 * entry->color_count);
+ if (verbose)
+diff -up netpbm-10.47.04/converter/ppm/ppmtoxpm.c.security netpbm-10.47.04/converter/ppm/ppmtoxpm.c
+--- netpbm-10.47.04/converter/ppm/ppmtoxpm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ppmtoxpm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -197,6 +197,7 @@ genNumstr(unsigned int const input, int
+ unsigned int i;
+
+ /* Allocate memory for printed number. Abort if error. */
++ overflow_add(digits, 1);
+ if (!(str = (char *) malloc(digits + 1)))
+ pm_error("out of memory");
+
+@@ -314,6 +315,7 @@ genCmap(colorhist_vector const chv,
+ unsigned int charsPerPixel;
+ unsigned int xpmMaxval;
+
++ if (includeTransparent) overflow_add(ncolors, 1);
+ MALLOCARRAY(cmap, cmapSize);
+ if (cmapP == NULL)
+ pm_error("Out of memory allocating %u bytes for a color map.",
+diff -up netpbm-10.47.04/converter/ppm/qrttoppm.c.security netpbm-10.47.04/converter/ppm/qrttoppm.c
+--- netpbm-10.47.04/converter/ppm/qrttoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/qrttoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -46,7 +46,7 @@ main( argc, argv )
+
+ ppm_writeppminit( stdout, cols, rows, maxval, 0 );
+ pixelrow = ppm_allocrow( cols );
+- buf = (unsigned char *) malloc( 3 * cols );
++ buf = (unsigned char *) malloc2( 3 , cols );
+ if ( buf == (unsigned char *) 0 )
+ pm_error( "out of memory" );
+
+diff -up netpbm-10.47.04/converter/ppm/sldtoppm.c.security netpbm-10.47.04/converter/ppm/sldtoppm.c
+--- netpbm-10.47.04/converter/ppm/sldtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/sldtoppm.c 2009-10-21 15:44:11.000000000 +0200
+@@ -455,6 +455,8 @@ slider(slvecfn slvec,
+
+ /* Allocate image buffer and clear it to black. */
+
++ overflow_add(ixdots,1);
++ overflow_add(iydots,1);
+ pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1);
+ PPM_ASSIGN(rgbcolor, 0, 0, 0);
+ ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0,
+diff -up netpbm-10.47.04/converter/ppm/ximtoppm.c.security netpbm-10.47.04/converter/ppm/ximtoppm.c
+--- netpbm-10.47.04/converter/ppm/ximtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/ximtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -117,6 +117,7 @@ ReadXimHeader(FILE * const in_fp,
+ header->bits_channel = atoi(a_head.bits_per_channel);
+ header->alpha_flag = atoi(a_head.alpha_channel);
+ if (strlen(a_head.author)) {
++ overflow_add(strlen(a_head.author),1);
+ if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1,
+ 1))) {
+ pm_message("ReadXimHeader: can't calloc author string" );
+@@ -126,6 +127,7 @@ ReadXimHeader(FILE * const in_fp,
+ strncpy(header->author, a_head.author, strlen(a_head.author));
+ }
+ if (strlen(a_head.date)) {
++ overflow_add(strlen(a_head.date),1);
+ if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){
+ pm_message("ReadXimHeader: can't calloc date string" );
+ return(0);
+@@ -134,6 +136,7 @@ ReadXimHeader(FILE * const in_fp,
+ strncpy(header->date, a_head.date, strlen(a_head.date));
+ }
+ if (strlen(a_head.program)) {
++ overflow_add(strlen(a_head.program),1);
+ if (!(header->program = calloc(
+ (unsigned int)strlen(a_head.program) + 1, 1))) {
+ pm_message("ReadXimHeader: can't calloc program string" );
+@@ -160,6 +163,7 @@ ReadXimHeader(FILE * const in_fp,
+ if (header->nchannels == 3 && header->bits_channel == 8)
+ header->ncolors = 0;
+ else if (header->nchannels == 1 && header->bits_channel == 8) {
++ overflow2(header->ncolors, sizeof(Color));
+ header->colors = (Color *)calloc((unsigned int)header->ncolors,
+ sizeof(Color));
+ if (header->colors == NULL) {
+diff -up netpbm-10.47.04/converter/ppm/xpmtoppm.c.security netpbm-10.47.04/converter/ppm/xpmtoppm.c
+--- netpbm-10.47.04/converter/ppm/xpmtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/xpmtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -701,6 +701,7 @@ ReadXPMFile(FILE * const stream, int * c
+ &ncolors, colorsP, &ptab);
+ *transparentP = -1; /* No transparency in version 1 */
+ }
++ overflow2(*widthP, *heightP);
+ totalpixels = *widthP * *heightP;
+ MALLOCARRAY(*dataP, totalpixels);
+ if (*dataP == NULL)
+diff -up netpbm-10.47.04/converter/ppm/yuvtoppm.c.security netpbm-10.47.04/converter/ppm/yuvtoppm.c
+--- netpbm-10.47.04/converter/ppm/yuvtoppm.c.security 2009-10-21 13:39:10.000000000 +0200
++++ netpbm-10.47.04/converter/ppm/yuvtoppm.c 2009-10-21 15:09:33.000000000 +0200
+@@ -72,6 +72,7 @@ main(argc, argv)
+
+ ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0);
+ pixrow = ppm_allocrow(cols);
++ overflow_add(cols, 1);
+ MALLOCARRAY(yuvbuf, (cols+1)/2);
+ if (yuvbuf == NULL)
+ pm_error("Unable to allocate YUV buffer for %d columns.", cols);
+diff -up netpbm-10.47.04/editor/pamcut.c.security netpbm-10.47.04/editor/pamcut.c
+--- netpbm-10.47.04/editor/pamcut.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pamcut.c 2009-10-21 15:29:36.000000000 +0200
+@@ -655,6 +655,8 @@ cutOneImage(FILE * const ifP
+
+ outpam = inpam; /* Initial value -- most fields should be same */
+ outpam.file = ofP;
++ overflow_add(rightcol, 1);
++ overflow_add(bottomrow, 1);
+ outpam.width = rightcol - leftcol + 1;
+ outpam.height = bottomrow - toprow + 1;
+
+diff -up netpbm-10.47.04/editor/pbmpscale.c.security netpbm-10.47.04/editor/pbmpscale.c
+--- netpbm-10.47.04/editor/pbmpscale.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pbmpscale.c 2009-10-21 15:27:21.000000000 +0200
+@@ -110,6 +110,7 @@ main(int argc, char ** argv) {
+ inrow[0] = inrow[1] = inrow[2] = NULL;
+ pbm_readpbminit(ifP, &columns, &rows, &format) ;
+
++ overflow2(columns, scale);
+ outrow = pbm_allocrow(columns*scale) ;
+ MALLOCARRAY(flags, columns);
+ if (flags == NULL)
+diff -up netpbm-10.47.04/editor/pbmreduce.c.security netpbm-10.47.04/editor/pbmreduce.c
+--- netpbm-10.47.04/editor/pbmreduce.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pbmreduce.c 2009-10-21 15:26:13.000000000 +0200
+@@ -94,6 +94,7 @@ main( argc, argv )
+ if (halftone == QT_FS) {
+ unsigned int col;
+ /* Initialize Floyd-Steinberg. */
++ overflow_add(newcols, 2);
+ MALLOCARRAY(thiserr, newcols + 2);
+ MALLOCARRAY(nexterr, newcols + 2);
+ if (thiserr == NULL || nexterr == NULL)
+diff -up netpbm-10.47.04/editor/pnmgamma.c.security netpbm-10.47.04/editor/pnmgamma.c
+--- netpbm-10.47.04/editor/pnmgamma.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmgamma.c 2009-10-21 15:09:34.000000000 +0200
+@@ -586,6 +586,7 @@ createGammaTables(enum transferFunction
+ xelval ** const btableP) {
+
+ /* Allocate space for the tables. */
++ overflow_add(maxval, 1);
+ MALLOCARRAY(*rtableP, maxval+1);
+ MALLOCARRAY(*gtableP, maxval+1);
+ MALLOCARRAY(*btableP, maxval+1);
+diff -up netpbm-10.47.04/editor/pnmhisteq.c.security netpbm-10.47.04/editor/pnmhisteq.c
+--- netpbm-10.47.04/editor/pnmhisteq.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmhisteq.c 2009-10-21 15:09:34.000000000 +0200
+@@ -103,6 +103,7 @@ computeLuminosityHistogram(xel * const *
+ unsigned int pixelCount;
+ unsigned int * lumahist;
+
++ overflow_add(maxval, 1);
+ MALLOCARRAY(lumahist, maxval + 1);
+ if (lumahist == NULL)
+ pm_error("Out of storage allocating array for %u histogram elements",
+diff -up netpbm-10.47.04/editor/pnmindex.csh.security netpbm-10.47.04/editor/pnmindex.csh
+--- netpbm-10.47.04/editor/pnmindex.csh.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmindex.csh 2009-10-21 15:09:34.000000000 +0200
+@@ -1,5 +1,8 @@
+ #!/bin/csh -f
+ #
++echo "Unsafe code, needs debugging, do not ship"
++exit 1
++#
+ # pnmindex - build a visual index of a bunch of anymaps
+ #
+ # Copyright (C) 1991 by Jef Poskanzer.
+diff -up netpbm-10.47.04/editor/pnmpad.c.security netpbm-10.47.04/editor/pnmpad.c
+--- netpbm-10.47.04/editor/pnmpad.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmpad.c 2009-10-21 15:33:51.000000000 +0200
+@@ -527,6 +527,8 @@ main(int argc, const char ** argv) {
+
+ computePadSizes(cmdline, cols, rows, &lpad, &rpad, &tpad, &bpad);
+
++ overflow_add(cols, lpad);
++ overflow_add(cols + lpad, rpad);
+ newcols = cols + lpad + rpad;
+
+ if (PNM_FORMAT_TYPE(format) == PBM_TYPE)
+diff -up netpbm-10.47.04/editor/pnmpaste.c.security netpbm-10.47.04/editor/pnmpaste.c
+diff -up netpbm-10.47.04/editor/pnmremap.c.security netpbm-10.47.04/editor/pnmremap.c
+--- netpbm-10.47.04/editor/pnmremap.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmremap.c 2009-10-21 15:28:20.000000000 +0200
+@@ -408,7 +408,7 @@ initFserr(struct pam * const pamP,
+ unsigned int plane;
+
+ unsigned int const fserrSize = pamP->width + 2;
+-
++ overflow_add(pamP->width, 2);
+ fserrP->width = pamP->width;
+
+ MALLOCARRAY(fserrP->thiserr, pamP->depth);
+@@ -444,6 +444,7 @@ floydInitRow(struct pam * const pamP, st
+
+ int col;
+
++ overflow_add(pamP->width, 2);
+ for (col = 0; col < pamP->width + 2; ++col) {
+ unsigned int plane;
+ for (plane = 0; plane < pamP->depth; ++plane)
+diff -up netpbm-10.47.04/editor/pnmscalefixed.c.security netpbm-10.47.04/editor/pnmscalefixed.c
+--- netpbm-10.47.04/editor/pnmscalefixed.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmscalefixed.c 2009-10-21 15:09:34.000000000 +0200
+@@ -211,6 +211,8 @@ compute_output_dimensions(const struct c
+ const int rows, const int cols,
+ int * newrowsP, int * newcolsP) {
+
++ overflow2(rows, cols);
++
+ if (cmdline.pixels) {
+ if (rows * cols <= cmdline.pixels) {
+ *newrowsP = rows;
+@@ -262,6 +264,8 @@ compute_output_dimensions(const struct c
+
+ if (*newcolsP < 1) *newcolsP = 1;
+ if (*newrowsP < 1) *newrowsP = 1;
++
++ overflow2(*newcolsP, *newrowsP);
+ }
+
+
+@@ -443,6 +447,9 @@ main(int argc, char **argv ) {
+ unfilled. We can address that by stretching, whereas the other
+ case would require throwing away some of the input.
+ */
++
++ overflow2(newcols, SCALE);
++ overflow2(newrows, SCALE);
+ sxscale = SCALE * newcols / cols;
+ syscale = SCALE * newrows / rows;
+
+diff -up netpbm-10.47.04/editor/pnmshear.c.security netpbm-10.47.04/editor/pnmshear.c
+--- netpbm-10.47.04/editor/pnmshear.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/pnmshear.c 2009-10-21 15:31:26.000000000 +0200
+@@ -15,6 +15,7 @@
+ #include <assert.h>
+ #include <math.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include "pm_c_util.h"
+ #include "ppm.h"
+@@ -236,6 +237,11 @@ main(int argc, char * argv[]) {
+
+ shearfac = fabs(tan(cmdline.angle));
+
++ if(rows * shearfac >= INT_MAX-1)
++ pm_error("image too large");
++
++ overflow_add(rows * shearfac, cols+1);
++
+ newcols = rows * shearfac + cols + 0.999999;
+
+ pnm_writepnminit(stdout, newcols, rows, newmaxval, newformat, 0);
+diff -up netpbm-10.47.04/editor/ppmdither.c.security netpbm-10.47.04/editor/ppmdither.c
+--- netpbm-10.47.04/editor/ppmdither.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/editor/ppmdither.c 2009-10-21 15:09:34.000000000 +0200
+@@ -111,6 +111,9 @@ dith_matrix(unsigned int const dith_dim)
+ (dith_dim * sizeof(int *)) + /* pointers */
+ (dith_dim * dith_dim * sizeof(int)); /* data */
+
++ overflow2(dith_dim, sizeof(int *));
++ overflow3(dith_dim, dith_dim, sizeof(int));
++ overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int));
+ dith_mat = (unsigned int **) malloc(dith_mat_sz);
+
+ if (dith_mat == NULL)
+@@ -165,7 +168,8 @@ dith_setup(const unsigned int dith_power
+ if (dith_nb < 2)
+ pm_error("too few shades for blue, minimum of 2");
+
+- MALLOCARRAY(*colormapP, dith_nr * dith_ng * dith_nb);
++ overflow2(dith_nr, dith_ng);
++ *colormapP = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel));
+ if (*colormapP == NULL)
+ pm_error("Unable to allocate space for the color lookup table "
+ "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb);
+diff -up netpbm-10.47.04/editor/specialty/pamoil.c.security netpbm-10.47.04/editor/specialty/pamoil.c
+--- netpbm-10.47.04/editor/specialty/pamoil.c.security 2009-10-21 13:38:56.000000000 +0200
++++ netpbm-10.47.04/editor/specialty/pamoil.c 2009-10-21 15:09:33.000000000 +0200
+@@ -112,6 +112,7 @@ main(int argc, char *argv[] ) {
+ tuples = pnm_readpam(ifp, &inpam, PAM_STRUCT_SIZE(tuple_type));
+ pm_close(ifp);
+
++ overflow_add(inpam.maxval, 1);
+ MALLOCARRAY(hist, inpam.maxval + 1);
+ if (hist == NULL)
+ pm_error("Unable to allocate memory for histogram.");
+diff -up netpbm-10.47.04/generator/pbmpage.c.security netpbm-10.47.04/generator/pbmpage.c
+--- netpbm-10.47.04/generator/pbmpage.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/generator/pbmpage.c 2009-10-21 15:09:34.000000000 +0200
+@@ -170,6 +170,9 @@ outputPbm(FILE * const file,
+ /* We round the allocated row space up to a multiple of 8 so the ugly
+ fast code below can work.
+ */
++
++ overflow_add(bitmap.Width, 7);
++
+ pbmrow = pbm_allocrow(((bitmap.Width+7)/8)*8);
+
+ bitmap_cursor = 0;
+diff -up netpbm-10.47.04/generator/pbmtext.c.security netpbm-10.47.04/generator/pbmtext.c
+--- netpbm-10.47.04/generator/pbmtext.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/generator/pbmtext.c 2009-10-21 15:23:15.000000000 +0200
+@@ -96,12 +96,14 @@ parseCommandLine(int argc, const char **
+
+ for (i = 1; i < argc; ++i) {
+ if (i > 1) {
++ overflow_add(totaltextsize, 1);
+ totaltextsize += 1;
+ text = realloc(text, totaltextsize);
+ if (text == NULL)
+ pm_error("out of memory allocating space for input text");
+ strcat(text, " ");
+ }
++ overflow_add(totaltextsize, strlen(argv[i]));
+ totaltextsize += strlen(argv[i]);
+ text = realloc(text, totaltextsize);
+ if (text == NULL)
+@@ -711,6 +713,7 @@ getText(const char cmdline_text
+ pm_error("A line of input text is longer than %u characters."
+ "Cannot process.", sizeof(buf)-1);
+ if (lineCount >= maxlines) {
++ overflow2(maxlines, 2);
+ maxlines *= 2;
+ REALLOCARRAY(text_array, maxlines);
+ if (text_array == NULL)
+@@ -831,6 +834,7 @@ main(int argc, const char *argv[]) {
+ hmargin = fontP->maxwidth;
+ } else {
+ vmargin = fontP->maxheight;
++ overflow2(2, fontP->maxwidth);
+ hmargin = 2 * fontP->maxwidth;
+ }
+ }
+diff -up netpbm-10.47.04/generator/pgmcrater.c.security netpbm-10.47.04/generator/pgmcrater.c
+--- netpbm-10.47.04/generator/pgmcrater.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/generator/pgmcrater.c 2009-10-21 15:09:34.000000000 +0200
+@@ -130,7 +130,7 @@ static void gencraters()
+ /* Acquire the elevation array and initialize it to mean
+ surface elevation. */
+
+- MALLOCARRAY(aux, SCRX * SCRY);
++ aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short));
+ if (aux == NULL)
+ pm_error("out of memory allocating elevation array");
+
+diff -up netpbm-10.47.04/generator/pgmkernel.c.security netpbm-10.47.04/generator/pgmkernel.c
+--- netpbm-10.47.04/generator/pgmkernel.c.security 2009-10-21 13:38:57.000000000 +0200
++++ netpbm-10.47.04/generator/pgmkernel.c 2009-10-21 15:09:34.000000000 +0200
+@@ -68,7 +68,7 @@ main ( argc, argv )
+ kycenter = (fysize - 1) / 2.0;
+ ixsize = fxsize + 0.999;
+ iysize = fysize + 0.999;
+- MALLOCARRAY(fkernel, ixsize * iysize);
++ fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double));
+ for (i = 0; i < iysize; i++)
+ for (j = 0; j < ixsize; j++) {
+ fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double)
+diff -up netpbm-10.47.04/lib/libpam.c.security netpbm-10.47.04/lib/libpam.c
+--- netpbm-10.47.04/lib/libpam.c.security 2009-10-21 13:39:00.000000000 +0200
++++ netpbm-10.47.04/lib/libpam.c 2009-10-21 15:09:34.000000000 +0200
+@@ -235,7 +235,8 @@ allocPamRow(const struct pam * const pam
+ int const bytesPerTuple = allocationDepth(pamP) * sizeof(sample);
+ tuple * tuplerow;
+
+- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytesPerTuple));
++ overflow_add(sizeof(tuple *), bytesPerTuple);
++ tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytesPerTuple);
+
+ if (tuplerow != NULL) {
+ /* Now we initialize the pointers to the individual tuples
+diff -up netpbm-10.47.04/lib/libpammap.c.security netpbm-10.47.04/lib/libpammap.c
+--- netpbm-10.47.04/lib/libpammap.c.security 2009-10-21 13:39:00.000000000 +0200
++++ netpbm-10.47.04/lib/libpammap.c 2009-10-21 15:09:34.000000000 +0200
+@@ -104,6 +104,8 @@ allocTupleIntListItem(struct pam * const
+ */
+ struct tupleint_list_item * retval;
+
++ overflow2(pamP->depth, sizeof(sample));
++ overflow_add(sizeof(*retval)-sizeof(retval->tupleint.tuple), pamP->depth*sizeof(sample));
+ unsigned int const size =
+ sizeof(*retval) - sizeof(retval->tupleint.tuple)
+ + pamP->depth * sizeof(sample);
+diff -up netpbm-10.47.04/lib/libpbm1.c.security netpbm-10.47.04/lib/libpbm1.c
+--- netpbm-10.47.04/lib/libpbm1.c.security 2009-10-21 13:39:00.000000000 +0200
++++ netpbm-10.47.04/lib/libpbm1.c 2009-10-21 15:09:34.000000000 +0200
+@@ -77,6 +77,7 @@ pbm_check(FILE * file, const enum pm_che
+ pm_message("pm_filepos passed to pm_check() is %u bytes",
+ sizeof(pm_filepos));
+ #endif
++ overflow2(bytes_per_row, rows);
+ pm_check(file, check_type, need_raster_size, retval_p);
+ }
+ }
+diff -up netpbm-10.47.04/lib/libpbmvms.c.security netpbm-10.47.04/lib/libpbmvms.c
+--- netpbm-10.47.04/lib/libpbmvms.c.security 2009-10-21 13:39:00.000000000 +0200
++++ netpbm-10.47.04/lib/libpbmvms.c 2009-10-21 15:09:34.000000000 +0200
+@@ -1,3 +1,5 @@
++#warning "NOT AUDITED"
++
+ /***************************************************************************
+ This file contains library routines needed to build Netpbm for VMS.
+ However, as of 2000.05.26, when these were split out of libpbm1.c
+diff -up netpbm-10.47.04/lib/libpm.c.security netpbm-10.47.04/lib/libpm.c
+--- netpbm-10.47.04/lib/libpm.c.security 2009-10-21 13:39:00.000000000 +0200
++++ netpbm-10.47.04/lib/libpm.c 2009-10-21 15:09:34.000000000 +0200
+@@ -827,4 +827,53 @@ pm_parse_height(const char * const arg)
+ }
+
+
++/*
++ * Maths wrapping
++ */
++
++void __overflow2(int a, int b)
++{
++ if(a < 0 || b < 0)
++ pm_error("object too large");
++ if(b == 0)
++ return;
++ if(a > INT_MAX / b)
++ pm_error("object too large");
++}
++
++void overflow3(int a, int b, int c)
++{
++ overflow2(a,b);
++ overflow2(a*b, c);
++}
++
++void overflow_add(int a, int b)
++{
++ if( a > INT_MAX - b)
++ pm_error("object too large");
++}
++
++void *malloc2(int a, int b)
++{
++ overflow2(a, b);
++ if(a*b == 0)
++ pm_error("Zero byte allocation");
++ return malloc(a*b);
++}
++
++void *malloc3(int a, int b, int c)
++{
++ overflow3(a, b, c);
++ if(a*b*c == 0)
++ pm_error("Zero byte allocation");
++ return malloc(a*b*c);
++}
++
++void *realloc2(void * a, int b, int c)
++{
++ overflow2(b, c);
++ if(b*c == 0)
++ pm_error("Zero byte allocation");
++ return realloc(a, b*c);
++}
+
+diff -up netpbm-10.47.04/lib/pm.h.security netpbm-10.47.04/lib/pm.h
+--- netpbm-10.47.04/lib/pm.h.security 2009-10-21 13:39:00.000000000 +0200
++++ netpbm-10.47.04/lib/pm.h 2009-10-21 15:09:34.000000000 +0200
+@@ -377,4 +377,11 @@ pm_parse_height(const char * const arg);
+ #endif
+
+
++void *malloc2(int, int);
++void *malloc3(int, int, int);
++#define overflow2(a,b) __overflow2(a,b)
++void __overflow2(int, int);
++void overflow3(int, int, int);
++void overflow_add(int, int);
++
+ #endif
+diff -up netpbm-10.47.04/other/pnmcolormap.c.security netpbm-10.47.04/other/pnmcolormap.c
+--- netpbm-10.47.04/other/pnmcolormap.c.security 2009-10-21 13:38:54.000000000 +0200
++++ netpbm-10.47.04/other/pnmcolormap.c 2009-10-21 15:09:34.000000000 +0200
+@@ -840,6 +840,7 @@ colormapToSquare(struct pam * const pamP
+ pamP->width = intsqrt;
+ else
+ pamP->width = intsqrt + 1;
++ overflow_add(intsqrt, 1);
+ }
+ {
+ unsigned int const intQuotient = colormap.size / pamP->width;
+diff -up netpbm-10.47.04/urt/README.security netpbm-10.47.04/urt/README
+--- netpbm-10.47.04/urt/README.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/README 2009-10-21 15:09:34.000000000 +0200
+@@ -18,3 +18,8 @@ in its initializer in the original. But
+ defines stdout as a variable, so that wouldn't compile. So I changed
+ it to NULL and added a line to rle_hdr_init to set that field to
+ 'stdout' dynamically. 2000.06.02 BJH.
++
++Redid the code to check for maths overflows and other crawly horrors.
++Removed pipe through and compress support (unsafe)
++
++Alan Cox <alan@redhat.com>
+diff -up netpbm-10.47.04/urt/rle_addhist.c.security netpbm-10.47.04/urt/rle_addhist.c
+--- netpbm-10.47.04/urt/rle_addhist.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/rle_addhist.c 2009-10-21 15:09:34.000000000 +0200
+@@ -14,6 +14,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_addhist.c - Add to the HISTORY comment in header
+@@ -76,13 +78,19 @@ rle_addhist(char * argv[],
+ return;
+
+ length = 0;
+- for (i = 0; argv[i]; ++i)
++ for (i = 0; argv[i]; ++i) {
++ overflow_add(length, strlen(argv[i]));
++ overflow_add(length+1, strlen(argv[i]));
+ length += strlen(argv[i]) +1; /* length of each arg plus space. */
++ }
+
+ time(&temp);
+ timedate = ctime(&temp);
+ length += strlen(timedate); /* length of date and time in ASCII. */
+
++ overflow_add(strlen(padding), 4);
++ overflow_add(strlen(histoire), strlen(padding) + 4);
++ overflow_add(length, strlen(histoire) + strlen(padding) + 4);
+ length += strlen(padding) + 3 + strlen(histoire) + 1;
+ /* length of padding, "on " and length of history name plus "="*/
+ if (in_hdr) /* if we are interested in the old comments... */
+@@ -90,9 +98,12 @@ rle_addhist(char * argv[],
+ else
+ old = NULL;
+
+- if (old && *old)
++ if (old && *old) {
++ overflow_add(length, strlen(old));
+ length += strlen(old); /* add length if there. */
++ }
+
++ overflow_add(length, 1);
+ ++length; /*Cater for the null. */
+
+ MALLOCARRAY(newc, length);
+diff -up netpbm-10.47.04/urt/rle_getrow.c.security netpbm-10.47.04/urt/rle_getrow.c
+--- netpbm-10.47.04/urt/rle_getrow.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/rle_getrow.c 2009-10-21 15:09:34.000000000 +0200
+@@ -17,6 +17,8 @@
+ *
+ * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
+ * to have all "void" functions so declared.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_getrow.c - Read an RLE file in.
+@@ -168,6 +170,7 @@ rle_get_setup(rle_hdr * const the_hdr) {
+ register char * cp;
+
+ VAXSHORT( comlen, infile ); /* get comment length */
++ overflow_add(comlen, 1);
+ evenlen = (comlen + 1) & ~1; /* make it even */
+ if ( evenlen )
+ {
+diff -up netpbm-10.47.04/urt/rle_hdr.c.security netpbm-10.47.04/urt/rle_hdr.c
+--- netpbm-10.47.04/urt/rle_hdr.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/rle_hdr.c 2009-10-21 15:09:34.000000000 +0200
+@@ -14,6 +14,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_hdr.c - Functions to manipulate rle_hdr structures.
+@@ -79,7 +81,10 @@ int img_num;
+ /* Fill in with copies of the strings. */
+ if ( the_hdr->cmd != pgmname )
+ {
+- char *tmp = (char *)malloc( strlen( pgmname ) + 1 );
++ char *tmp ;
++
++ overflow_add(strlen(pgmname), 1);
++ tmp = malloc( strlen( pgmname ) + 1 );
+ RLE_CHECK_ALLOC( pgmname, tmp, 0 );
+ strcpy( tmp, pgmname );
+ the_hdr->cmd = tmp;
+@@ -87,7 +92,9 @@ int img_num;
+
+ if ( the_hdr->file_name != fname )
+ {
+- char *tmp = (char *)malloc( strlen( fname ) + 1 );
++ char *tmp;
++ overflow_add(strlen(fname), 1);
++ tmp = malloc( strlen( fname ) + 1 );
+ RLE_CHECK_ALLOC( pgmname, tmp, 0 );
+ strcpy( tmp, fname );
+ the_hdr->file_name = tmp;
+@@ -152,6 +159,7 @@ rle_hdr *from_hdr, *to_hdr;
+ if ( to_hdr->bg_color )
+ {
+ int size = to_hdr->ncolors * sizeof(int);
++ overflow2(to_hdr->ncolors, sizeof(int));
+ to_hdr->bg_color = (int *)malloc( size );
+ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" );
+ memcpy( to_hdr->bg_color, from_hdr->bg_color, size );
+@@ -160,7 +168,7 @@ rle_hdr *from_hdr, *to_hdr;
+ if ( to_hdr->cmap )
+ {
+ int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map);
+- to_hdr->cmap = (rle_map *)malloc( size );
++ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map));
+ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" );
+ memcpy( to_hdr->cmap, from_hdr->cmap, size );
+ }
+@@ -173,11 +181,16 @@ rle_hdr *from_hdr, *to_hdr;
+ int size = 0;
+ CONST_DECL char **cp;
+ for ( cp=to_hdr->comments; *cp; cp++ )
++ {
++ overflow_add(size, 1);
+ size++; /* Count the comments. */
++ }
+ /* Check if there are really any comments. */
+ if ( size )
+ {
++ overflow_add(size, 1);
+ size++; /* Copy the NULL pointer, too. */
++ overflow2(size, sizeof(char *));
+ size *= sizeof(char *);
+ to_hdr->comments = (CONST_DECL char **)malloc( size );
+ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" );
+diff -up netpbm-10.47.04/urt/rle.h.security netpbm-10.47.04/urt/rle.h
+--- netpbm-10.47.04/urt/rle.h.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/rle.h 2009-10-21 15:09:34.000000000 +0200
+@@ -14,6 +14,9 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
++ * Header declarations needed
+ */
+ /*
+ * rle.h - Global declarations for Utah Raster Toolkit RLE programs.
+@@ -166,6 +169,17 @@ rle_hdr /* End of typedef. *
+ */
+ extern rle_hdr rle_dflt_hdr;
+
++/*
++ * Provided by pm library
++ */
++
++extern void overflow_add(int, int);
++#define overflow2(a,b) __overflow2(a,b)
++extern void __overflow2(int, int);
++extern void overflow3(int, int, int);
++extern void *malloc2(int, int);
++extern void *malloc3(int, int, int);
++extern void *realloc2(void *, int, int);
+
+ /* Declare RLE library routines. */
+
+diff -up netpbm-10.47.04/urt/rle_open_f.c.security netpbm-10.47.04/urt/rle_open_f.c
+--- netpbm-10.47.04/urt/rle_open_f.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/rle_open_f.c 2009-10-21 15:15:38.000000000 +0200
+@@ -163,64 +163,7 @@ dealWithSubprocess(const char * const f
+ bool * const noSubprocessP,
+ const char ** const errorP) {
+
+-#ifdef NO_OPEN_PIPES
+ *noSubprocessP = TRUE;
+-#else
+- const char *cp;
+-
+- reapChildren(catchingChildrenP, pids);
+-
+- /* Real file, not stdin or stdout. If name ends in ".Z",
+- * pipe from/to un/compress (depending on r/w mode).
+- *
+- * If it starts with "|", popen that command.
+- */
+-
+- cp = file_name + strlen(file_name) - 2;
+- /* Pipe case. */
+- if (file_name[0] == '|') {
+- pid_t thepid; /* PID from my_popen */
+-
+- *noSubprocessP = FALSE;
+-
+- *fpP = my_popen(file_name + 1, mode, &thepid);
+- if (*fpP == NULL)
+- *errorP = "%s: can't invoke <<%s>> for %s: ";
+- else {
+- /* One more child to catch, eventually. */
+- if (*catchingChildrenP < MAX_CHILDREN)
+- pids[(*catchingChildrenP)++] = thepid;
+- }
+- } else if (cp > file_name && *cp == '.' && *(cp + 1) == 'Z' ) {
+- /* Compress case. */
+- pid_t thepid; /* PID from my_popen. */
+- const char * command;
+-
+- *noSubprocessP = FALSE;
+-
+- if (*mode == 'w')
+- asprintfN(&command, "compress > %s", file_name);
+- else if (*mode == 'a')
+- asprintfN(&command, "compress >> %s", file_name);
+- else
+- asprintfN(&command, "compress -d < %s", file_name);
+-
+- *fpP = my_popen(command, mode, &thepid);
+-
+- if (*fpP == NULL)
+- *errorP = "%s: can't invoke 'compress' program, "
+- "trying to open %s for %s";
+- else {
+- /* One more child to catch, eventually. */
+- if (*catchingChildrenP < MAX_CHILDREN)
+- pids[(*catchingChildrenP)++] = thepid;
+- }
+- strfree(command);
+- } else {
+- *noSubprocessP = TRUE;
+- *errorP = NULL;
+- }
+-#endif
+ }
+
+
+diff -up netpbm-10.47.04/urt/rle_putcom.c.security netpbm-10.47.04/urt/rle_putcom.c
+--- netpbm-10.47.04/urt/rle_putcom.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/rle_putcom.c 2009-10-21 15:09:34.000000000 +0200
+@@ -14,6 +14,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_putcom.c - Add a picture comment to the header struct.
+@@ -98,12 +100,14 @@ rle_putcom(const char * const value,
+ const char * v;
+ const char ** old_comments;
+ int i;
+- for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp)
++ for (i = 2, cp = the_hdr->comments; *cp != NULL; ++i, ++cp) {
++ overflow_add(i, 1);
+ if (match(value, *cp) != NULL) {
+ v = *cp;
+ *cp = value;
+ return v;
+ }
++ }
+ /* Not found */
+ /* Can't realloc because somebody else might be pointing to this
+ * comments block. Of course, if this were true, then the
+diff -up netpbm-10.47.04/urt/Runput.c.security netpbm-10.47.04/urt/Runput.c
+--- netpbm-10.47.04/urt/Runput.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/Runput.c 2009-10-21 15:09:34.000000000 +0200
+@@ -17,6 +17,8 @@
+ *
+ * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
+ * to have all "void" functions so declared.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * Runput.c - General purpose Run Length Encoding.
+@@ -202,9 +204,11 @@ RunSetup(rle_hdr * the_hdr)
+ if ( the_hdr->background != 0 )
+ {
+ register int i;
+- register rle_pixel *background =
+- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
++ register rle_pixel *background;
+ register int *bg_color;
++
++ overflow_add(the_hdr->ncolors,1);
++ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
+ /*
+ * If even number of bg color bytes, put out one more to get to
+ * 16 bit boundary.
+@@ -224,7 +228,7 @@ RunSetup(rle_hdr * the_hdr)
+ /* Big-endian machines are harder */
+ register int i, nmap = (1 << the_hdr->cmaplen) *
+ the_hdr->ncmap;
+- register char *h_cmap = (char *)malloc( nmap * 2 );
++ register char *h_cmap = (char *)malloc2( nmap, 2 );
+ if ( h_cmap == NULL )
+ {
+ fprintf( stderr,
+diff -up netpbm-10.47.04/urt/scanargs.c.security netpbm-10.47.04/urt/scanargs.c
+--- netpbm-10.47.04/urt/scanargs.c.security 2009-10-21 13:39:11.000000000 +0200
++++ netpbm-10.47.04/urt/scanargs.c 2009-10-21 15:09:34.000000000 +0200
+@@ -38,6 +38,8 @@
+ *
+ * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
+ * to have all "void" functions so declared.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+
+ #include "rle.h"
+@@ -65,8 +67,8 @@ typedef int *ptr;
+ /*
+ * Storage allocation macros
+ */
+-#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) )
+-#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) )
++#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) )
++#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) )
+
+ #if defined(c_plusplus) && !defined(USE_PROTOTYPES)
+ #define USE_PROTOTYPES