<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[49959] trunk/dports/print/ghostscript</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.macports.org/changeset/49959">49959</a></dd>
<dt>Author</dt> <dd>takanori@macports.org</dd>
<dt>Date</dt> <dd>2009-04-21 02:10:36 -0700 (Tue, 21 Apr 2009)</dd>
</dl>

<h3>Log Message</h3>
<pre>ghostscript: add security fixes for CVE-2009-0196, CVE-2009-0583, 0584, and CVE-2009-0792</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkdportsprintghostscriptPortfile">trunk/dports/print/ghostscript/Portfile</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkdportsprintghostscriptfilesCVE20090196diff">trunk/dports/print/ghostscript/files/CVE-2009-0196.diff</a></li>
<li><a href="#trunkdportsprintghostscriptfilesCVE2009058305840792diff">trunk/dports/print/ghostscript/files/CVE-2009-0583,0584,0792.diff</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkdportsprintghostscriptPortfile"></a>
<div class="modfile"><h4>Modified: trunk/dports/print/ghostscript/Portfile (49958 => 49959)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/print/ghostscript/Portfile        2009-04-21 04:53:05 UTC (rev 49958)
+++ trunk/dports/print/ghostscript/Portfile        2009-04-21 09:10:36 UTC (rev 49959)
</span><span class="lines">@@ -4,7 +4,7 @@
</span><span class="cx"> 
</span><span class="cx"> name            ghostscript
</span><span class="cx"> version         8.64
</span><del>-revision        2
</del><ins>+revision        3
</ins><span class="cx"> categories      print
</span><span class="cx"> maintainers     takanori openmaintainer
</span><span class="cx"> description     GPL Ghostscript, An interpreter for PostScript and PDF
</span><span class="lines">@@ -20,7 +20,9 @@
</span><span class="cx">                 ghostscript-fonts-other-6.0.tar.gz:fonts
</span><span class="cx"> patchfiles      patch-base_macos-fw.mak.diff \
</span><span class="cx">                 patch-base_macosx.mak.diff \
</span><del>-                patch-base_gdevbit.c.diff
</del><ins>+                patch-base_gdevbit.c.diff \
+                CVE-2009-0196.diff \
+                CVE-2009-0583,0584,0792.diff
</ins><span class="cx"> checksums       ${distname}.tar.gz rmd160 c0d5ab9a35cbc7311708ab91f0a4c47e332db121 \
</span><span class="cx">                 ghostscript-fonts-other-6.0.tar.gz rmd160 ab60dbf71e7d91283a106c3df381cadfe173082f
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkdportsprintghostscriptfilesCVE20090196diff"></a>
<div class="addfile"><h4>Added: trunk/dports/print/ghostscript/files/CVE-2009-0196.diff (0 => 49959)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/print/ghostscript/files/CVE-2009-0196.diff                                (rev 0)
+++ trunk/dports/print/ghostscript/files/CVE-2009-0196.diff        2009-04-21 09:10:36 UTC (rev 49959)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+--- jbig2dec/jbig2_symbol_dict.c.orig        2009-04-21 07:14:54.000000000 +0900
++++ jbig2dec/jbig2_symbol_dict.c        2009-04-21 07:17:17.000000000 +0900
+@@ -699,6 +699,15 @@
+         exrunlength = params-&gt;SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &amp;exrunlength);
++      if (exrunlength &gt; params-&gt;SDNUMEXSYMS - j) {
++        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment-&gt;number,
++          &quot;runlength too large in export symbol table (%d &gt; %d - %d)\n&quot;,
++          exrunlength, params-&gt;SDNUMEXSYMS, j);
++        jbig2_sd_release(ctx, SDEXSYMS);
++        /* skip to the cleanup code and return SDEXSYMS = NULL */
++        SDEXSYMS = NULL;
++        break;
++      }
+       for(k = 0; k &lt; exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS-&gt;glyphs[j++] = (i &lt; m) ? 
</ins></span></pre></div>
<a id="trunkdportsprintghostscriptfilesCVE2009058305840792diff"></a>
<div class="addfile"><h4>Added: trunk/dports/print/ghostscript/files/CVE-2009-0583,0584,0792.diff (0 => 49959)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/print/ghostscript/files/CVE-2009-0583,0584,0792.diff                                (rev 0)
+++ trunk/dports/print/ghostscript/files/CVE-2009-0583,0584,0792.diff        2009-04-21 09:10:36 UTC (rev 49959)
</span><span class="lines">@@ -0,0 +1,1151 @@
</span><ins>+--- icclib/icc.c.orig        2008-05-09 13:12:01.000000000 +0900
++++ icclib/icc.c        2009-04-21 07:55:52.000000000 +0900
+@@ -152,6 +152,8 @@
+  *      Various bug fixes and enhancements.
+  */

++#include &lt;limits.h&gt;
++#include &lt;stdint.h&gt;
+ #include &lt;stdio.h&gt;
+ #include &lt;stdlib.h&gt;
+ #include &lt;stdarg.h&gt;
+@@ -313,8 +315,11 @@
+         icmFileMem *p = (icmFileMem *)pp;
+         size_t len;

++        if (count &gt; 0 &amp;&amp; size &gt; SIZE_MAX / count)
++                return 0;
++
+         len = size * count;
+-        if ((p-&gt;cur + len) &gt;= p-&gt;end) {                /* Too much */
++        if (len &gt; (p-&gt;end - p-&gt;cur)) { /* Too much */
+                 if (size &gt; 0)
+                         count = (p-&gt;end - p-&gt;cur)/size;
+                 else
+@@ -1634,6 +1639,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmUInt8Array_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -1698,7 +1705,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (unsigned int *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(unsigned int))) == NULL) {
++                if ((p-&gt;data = (unsigned int *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(unsigned int))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUInt8Array_alloc: malloc() of icmUInt8Array data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -1749,6 +1756,10 @@
+         icmUInt16Array *p = (icmUInt16Array *)pp;
+         unsigned int len = 0;
+         len += 8;                        /* 8 bytes for tag and padding */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 2) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += p-&gt;size * 2;        /* 2 bytes for each UInt16 */
+         return len;
+ }
+@@ -1821,6 +1832,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmUInt16Array_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -1885,7 +1898,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (unsigned int *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(unsigned int))) == NULL) {
++                if ((p-&gt;data = (unsigned int *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(unsigned int))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUInt16Array_alloc: malloc() of icmUInt16Array data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -1936,6 +1949,10 @@
+         icmUInt32Array *p = (icmUInt32Array *)pp;
+         unsigned int len = 0;
+         len += 8;                        /* 8 bytes for tag and padding */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 4) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += p-&gt;size * 4;        /* 4 bytes for each UInt32 */
+         return len;
+ }
+@@ -2008,6 +2025,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmUInt32Array_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -2072,7 +2091,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (unsigned int *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(unsigned int))) == NULL) {
++                if ((p-&gt;data = (unsigned int *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(unsigned int))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUInt32Array_alloc: malloc() of icmUInt32Array data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -2123,6 +2142,10 @@
+         icmUInt64Array *p = (icmUInt64Array *)pp;
+         unsigned int len = 0;
+         len += 8;                        /* 8 bytes for tag and padding */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 8) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += p-&gt;size * 8;        /* 8 bytes for each UInt64 */
+         return len;
+ }
+@@ -2195,6 +2218,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmUInt64Array_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -2259,7 +2284,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (icmUint64 *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(icmUint64))) == NULL) {
++                if ((p-&gt;data = (icmUint64 *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(icmUint64))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUInt64Array_alloc: malloc() of icmUInt64Array data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -2310,6 +2335,10 @@
+         icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp;
+         unsigned int len = 0;
+         len += 8;                        /* 8 bytes for tag and padding */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 4) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += p-&gt;size * 4;        /* 4 byte for each U16Fixed16 */
+         return len;
+ }
+@@ -2382,6 +2411,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmU16Fixed16Array_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -2446,7 +2477,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (double *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(double))) == NULL) {
++                if ((p-&gt;data = (double *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(double))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -2497,6 +2528,10 @@
+         icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp;
+         unsigned int len = 0;
+         len += 8;                        /* 8 bytes for tag and padding */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 4) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) - 1;
++        }
+         len += p-&gt;size * 4;        /* 4 byte for each S15Fixed16 */
+         return len;
+ }
+@@ -2569,6 +2604,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmS15Fixed16Array_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -2633,7 +2670,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (double *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(double))) == NULL) {
++                if ((p-&gt;data = (double *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(double))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -2726,6 +2763,10 @@
+         icmXYZArray *p = (icmXYZArray *)pp;
+         unsigned int len = 0;
+         len += 8;                                /* 8 bytes for tag and padding */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 12) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) - 1;
++        }
+         len += p-&gt;size * 12;        /* 12 bytes for each XYZ */
+         return len;
+ }
+@@ -2798,6 +2839,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmXYZArray_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -2865,7 +2908,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (icmXYZNumber *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(icmXYZNumber))) == NULL) {
++                if ((p-&gt;data = (icmXYZNumber *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(icmXYZNumber))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmXYZArray_alloc: malloc() of icmXYZArray data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -2939,7 +2982,7 @@
+                         rv |= 1;
+                 }
+                 ix = (int)floor(val);                /* Coordinate */
+-                if (ix &gt; (p-&gt;size-2))
++                if (ix &lt; 0 || ix &gt; (p-&gt;size-2))
+                         ix = (p-&gt;size-2);
+                 w = val - (double)ix;                /* weight */
+                 val = p-&gt;data[ix];
+@@ -2961,6 +3004,11 @@
+ ) {
+         int i;

++        if (size &gt; INT_MAX - 2)
++                /* Although rt-&gt;size is unsigned long, the rt data
++                 * structure uses int data types to store indices. */
++                return 2;
++
+         rt-&gt;size = size;                /* Stash pointers to these away */
+         rt-&gt;data = data;
+         
+@@ -2979,7 +3027,7 @@
+         rt-&gt;qscale = (double)rt-&gt;rsize/(rt-&gt;rmax - rt-&gt;rmin);        /* Scale factor to quantize to */
+         
+         /* Initialize the reverse lookup structures, and get overall min/max */
+-        if ((rt-&gt;rlists = (int **) icp-&gt;al-&gt;calloc(icp-&gt;al, 1, rt-&gt;rsize * sizeof(int *))) == NULL) {
++        if ((rt-&gt;rlists = (int **) icp-&gt;al-&gt;calloc(icp-&gt;al, rt-&gt;rsize, sizeof(int *))) == NULL) {
+                 return 2;
+         }

+@@ -2992,6 +3040,15 @@
+                         int t;
+                         t = s; s = e; e = t;
+                 }
++                /* s and e should both be in the range [0,rt-&gt;rsize]
++                 * now, but let's not rely on floating point
++                 * calculations -- double-check. */
++                if (s &lt; 0)
++                        s = 0;
++                if (e &lt; 0)
++                        e = 0;
++                if (s &gt;= rt-&gt;rsize)
++                        s = rt-&gt;rsize-1;
+                 if (e &gt;= rt-&gt;rsize)
+                         e = rt-&gt;rsize-1;

+@@ -3001,7 +3058,7 @@
+                         int nf;                        /* Next free slot */
+                         if (rt-&gt;rlists[j] == NULL) {        /* No allocation */
+                                 as = 5;                                                /* Start with space for 5 */
+-                                if ((rt-&gt;rlists[j] = (int *) icp-&gt;al-&gt;malloc(icp-&gt;al, sizeof(int) * as)) == NULL) {
++                                if ((rt-&gt;rlists[j] = (int *) icp-&gt;al-&gt;calloc(icp-&gt;al, sizeof(int), as)) == NULL) {
+                                         return 2;
+                                 }
+                                 rt-&gt;rlists[j][0] = as;
+@@ -3010,6 +3067,9 @@
+                                 as = rt-&gt;rlists[j][0];        /* Allocate space for this list */
+                                 nf = rt-&gt;rlists[j][1];        /* Next free location in list */
+                                 if (nf &gt;= as) {                        /* need to expand space */
++                                        if (as &gt; INT_MAX / 2 / sizeof (int))
++                                                return 2;
++
+                                         as *= 2;
+                                         rt-&gt;rlists[j] = (int *) icp-&gt;al-&gt;realloc(icp-&gt;al,rt-&gt;rlists[j], sizeof(int) * as);
+                                         if (rt-&gt;rlists[j] == NULL) {
+@@ -3061,7 +3121,7 @@
+                 val = rsize_1;
+         ix = (int)floor(val);                /* Coordinate */

+-        if (ix &gt; (rt-&gt;size-2))
++        if (ix &lt; 0 || ix &gt; (rt-&gt;size-2))
+                 ix = (rt-&gt;size-2);
+         if (rt-&gt;rlists[ix] != NULL)  {                /* There is a list of fwd candidates */
+                 /* For each candidate forward range */
+@@ -3088,6 +3148,7 @@
+         /* We have failed to find an exact value, so return the nearest value */
+         /* (This is slow !) */
+         val = fabs(ival - rt-&gt;data[0]);
++        /* rt-&gt;size is known to be &lt; INT_MAX */
+         for (k = 0, i = 1; i &lt; rt-&gt;size; i++) {
+                 double er;
+                 er = fabs(ival - rt-&gt;data[i]);
+@@ -3141,6 +3202,10 @@
+         icmCurve *p = (icmCurve *)pp;
+         unsigned int len = 0;
+         len += 12;                        /* 12 bytes for tag, padding and count */
++        if (p-&gt;size &gt; (UINT_MAX - len) / 2) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) - 1;
++        }
+         len += p-&gt;size * 2;        /* 2 bytes for each UInt16 */
+         return len;
+ }
+@@ -3238,6 +3303,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmCurve_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -3347,7 +3414,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (double *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(double))) == NULL) {
++                if ((p-&gt;data = (double *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(double))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmCurve_alloc: malloc() of icmCurve data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -3493,6 +3560,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmData_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -3620,7 +3689,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (unsigned char *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(unsigned char))) == NULL) {
++                if ((p-&gt;data = (unsigned char *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(unsigned char))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmData_alloc: malloc() of icmData data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -3745,6 +3814,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmText_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -3834,7 +3905,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(char))) == NULL) {
++                if ((p-&gt;data = (char *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(char))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmText_alloc: malloc() of icmText data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -4038,6 +4109,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmDateTimeNumber_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -4128,11 +4201,15 @@
+ /* icmLut object */

+ /* Utility function - raise one integer to an integer power */
+-static unsigned int uipow(unsigned int a, unsigned int b) {
++static int uipow(unsigned int a, unsigned int b, unsigned int *ret) {
+         unsigned int rv = 1;
+-        for (; b &gt; 0; b--)
++        for (; b &gt; 0; b--) {
++                if (a &gt; 0 &amp;&amp; rv &gt; UINT_MAX / a)
++                        return 1;
+                 rv *= a;
+-        return rv;
++        }
++        *ret = rv;
++        return 0;
+ }

+ /* - - - - - - - - - - - - - - - - */
+@@ -4242,7 +4319,7 @@
+                         rv |= 1;
+                 }
+                 ix = (int)floor(val);                /* Grid coordinate */
+-                if (ix &gt; (p-&gt;inputEnt-2))
++                if (ix &lt; 0 || ix &gt; (p-&gt;inputEnt-2))
+                         ix = (p-&gt;inputEnt-2);
+                 w = val - (double)ix;                /* weight */
+                 val = table[ix];
+@@ -4268,7 +4345,7 @@
+         if (p-&gt;inputChan &lt;= 8) {
+                 gw = GW;                                /* Use stack allocation */
+         } else {
+-                if ((gw = (double *) icp-&gt;al-&gt;malloc(icp-&gt;al, (1 &lt;&lt; p-&gt;inputChan) * sizeof(double))) == NULL) {
++                if ((gw = (double *) icp-&gt;al-&gt;calloc(icp-&gt;al, (1 &lt;&lt; p-&gt;inputChan), sizeof(double))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmLut_lookup_clut: malloc() failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -4301,7 +4378,7 @@
+                                 rv |= 1;
+                         }
+                         x = (int)floor(val);                /* Grid coordinate */
+-                        if (x &gt; clutPoints_2)
++                        if (x &lt; 0 || x &gt; clutPoints_2)
+                                 x = clutPoints_2;
+                         co[e] = val - (double)x;        /* 1.0 - weight */
+                         gp += x * p-&gt;dinc[e];                /* Add index offset for base of cube */
+@@ -4374,7 +4451,7 @@
+                                 rv |= 1;
+                         }
+                         x = (int)floor(val);                /* Grid coordinate */
+-                        if (x &gt; clutPoints_2)
++                        if (x &lt; 0 || x &gt; clutPoints_2)
+                                 x = clutPoints_2;
+                         co[e] = val - (double)x;        /* 1.0 - weight */
+                         gp += x * p-&gt;dinc[e];                /* Add index offset for base of cube */
+@@ -4447,7 +4524,7 @@
+                         rv |= 1;
+                 }
+                 ix = (int)floor(val);                /* Grid coordinate */
+-                if (ix &gt; (p-&gt;outputEnt-2))
++                if (ix &lt; 0 || ix &gt; (p-&gt;outputEnt-2))
+                         ix = (p-&gt;outputEnt-2);
+                 w = val - (double)ix;                /* weight */
+                 val = table[ix];
+@@ -4819,19 +4896,50 @@
+ ) {
+         icmLut *p = (icmLut *)pp;
+         unsigned int len = 0;
++        unsigned int pw;

+         if (p-&gt;ttype == icSigLut8Type) {
+                 len += 48;                        /* tag and header */
++                if (p-&gt;inputChan &gt; 0 &amp;&amp;
++                    p-&gt;inputEnt &gt; (UINT_MAX - len) / p-&gt;inputChan / 1)
++                        goto overflow;
++
+                 len += 1 * (p-&gt;inputChan * p-&gt;inputEnt);
+-                len += 1 * (p-&gt;outputChan * uipow(p-&gt;clutPoints,p-&gt;inputChan));
++                if (uipow(p-&gt;clutPoints,p-&gt;inputChan, &amp;pw) ||
++                    (p-&gt;outputChan &gt; 0 &amp;&amp;
++                     pw &gt; (UINT_MAX - len) / p-&gt;outputChan / 1))
++                        goto overflow;
++
++                len += 1 * (p-&gt;outputChan * pw);
++                if (p-&gt;outputChan &gt; 0 &amp;&amp;
++                    p-&gt;outputEnt &gt; (UINT_MAX - len) / p-&gt;outputChan / 1)
++                        goto overflow;
++
+                 len += 1 * (p-&gt;outputChan * p-&gt;outputEnt);
+         } else {
+                 len += 52;                        /* tag and header */
++                if (p-&gt;inputChan &gt; 0 &amp;&amp;
++                    p-&gt;inputEnt &gt; (UINT_MAX - len) / p-&gt;inputChan / 2)
++                        goto overflow;
++
+                 len += 2 * (p-&gt;inputChan * p-&gt;inputEnt);
+-                len += 2 * (p-&gt;outputChan * uipow(p-&gt;clutPoints,p-&gt;inputChan));
++                if (uipow(p-&gt;clutPoints,p-&gt;inputChan, &amp;pw) ||
++                    (p-&gt;outputChan &gt; 0 &amp;&amp;
++                     pw &gt; (UINT_MAX - len) / p-&gt;outputChan / 2))
++                        goto overflow;
++
++                len += 2 * (p-&gt;outputChan * pw);
++                if (p-&gt;outputChan &gt; 0 &amp;&amp;
++                    p-&gt;outputEnt &gt; (UINT_MAX - len) / p-&gt;outputChan / 2)
++                        goto overflow;
++
+                 len += 2 * (p-&gt;outputChan * p-&gt;outputEnt);
+         }
+         return len;
++
++  overflow:
++        p-&gt;icp-&gt;errc = 1;
++        return (unsigned int) -1;
+ }

+ /* read the object, return 0 on success, error code on fail */
+@@ -4844,6 +4952,7 @@
+         icc *icp = p-&gt;icp;
+         int rv = 0;
+         unsigned long i, j, g, size;
++        unsigned int pw;
+         char *bp, *buf;

+         if (len &lt; 4) {
+@@ -4904,6 +5013,11 @@
+                 return icp-&gt;errc = 1;
+         }

++        if (p-&gt;clutPoints &gt; 100) {
++                sprintf(icp-&gt;err,&quot;icmLut_read: too many clutPoints&quot;);
++                return icp-&gt;errc = 1;
++        }
++
+         /* Read 3x3 transform matrix */
+         for (j = 0; j &lt; 3; j++) {                /* Rows */
+                 for (i = 0; i &lt; 3; i++) {        /* Columns */
+@@ -4921,13 +5035,18 @@
+                 bp = buf+52;
+         }

+-        if (len &lt; icmLut_get_size((icmBase *)p)) {
++        if (len &lt; icmLut_get_size((icmBase *)p) || icp-&gt;errc) {
+                 sprintf(icp-&gt;err,&quot;icmLut_read: Tag too small for contents&quot;);
+                 icp-&gt;al-&gt;free(icp-&gt;al, buf);
+                 return icp-&gt;errc = 1;
+         }

+         /* Read the input tables */
++        if (p-&gt;inputEnt &gt; 0 &amp;&amp; p-&gt;inputChan &gt; UINT_MAX / p-&gt;inputEnt) {
++                sprintf(icp-&gt;err,&quot;icmLut_read: overflow&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
+         size = (p-&gt;inputChan * p-&gt;inputEnt);
+         if ((rv = p-&gt;allocate((icmBase *)p)) != 0) {
+                 icp-&gt;al-&gt;free(icp-&gt;al, buf);
+@@ -4942,7 +5061,14 @@
+         }

+         /* Read the clut table */
+-        size = (p-&gt;outputChan * uipow(p-&gt;clutPoints,p-&gt;inputChan));
++        if (uipow(p-&gt;clutPoints,p-&gt;inputChan,&amp;pw) ||
++            (p-&gt;outputChan &gt; 0 &amp;&amp;
++             pw &gt; UINT_MAX / p-&gt;outputChan)) {
++                sprintf(icp-&gt;err,&quot;icmLut_read: overflow&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
++        size = (p-&gt;outputChan * pw);
+         if ((rv = p-&gt;allocate((icmBase *)p)) != 0) {
+                 icp-&gt;al-&gt;free(icp-&gt;al, buf);
+                 return rv;
+@@ -4956,6 +5082,11 @@
+         }

+         /* Read the output tables */
++        if (p-&gt;outputChan &gt; 0 &amp;&amp; p-&gt;outputEnt &gt; UINT_MAX / p-&gt;outputChan) {
++                sprintf(icp-&gt;err,&quot;icmLut_read: overflow&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
+         size = (p-&gt;outputChan * p-&gt;outputEnt);
+         if ((rv = p-&gt;allocate((icmBase *)p)) != 0) {
+                 icp-&gt;al-&gt;free(icp-&gt;al, buf);
+@@ -4995,12 +5126,14 @@
+         icmLut *p = (icmLut *)pp;
+         icc *icp = p-&gt;icp;
+         unsigned long i,j;
+-        unsigned int len, size;
++        unsigned int len, size, pw;
+         char *bp, *buf;                /* Buffer to write from */
+         int rv = 0;

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmLut_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -5066,6 +5199,11 @@
+         }

+         /* Write the input tables */
++        if (p-&gt;inputEnt &gt; 0 &amp;&amp; p-&gt;inputChan &gt; UINT_MAX / p-&gt;inputEnt) {
++                sprintf(icp-&gt;err,&quot;icmLut_write: overflow&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
+         size = (p-&gt;inputChan * p-&gt;inputEnt);
+         if (p-&gt;ttype == icSigLut8Type) {
+                 for (i = 0; i &lt; size; i++, bp += 1) {
+@@ -5086,7 +5224,14 @@
+         }

+         /* Write the clut table */
+-        size = (p-&gt;outputChan * uipow(p-&gt;clutPoints,p-&gt;inputChan));
++        if (uipow(p-&gt;clutPoints,p-&gt;inputChan,&amp;pw) ||
++            (p-&gt;outputChan &gt; 0 &amp;&amp;
++             pw &gt; UINT_MAX / p-&gt;outputChan)) {
++                sprintf(icp-&gt;err,&quot;icmLut_write: overflow&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
++        size = (p-&gt;outputChan * pw);
+         if (p-&gt;ttype == icSigLut8Type) {
+                 for (i = 0; i &lt; size; i++, bp += 1) {
+                         if ((rv = write_DCS8Number(p-&gt;clutTable[i], bp)) != 0) {
+@@ -5106,6 +5251,11 @@
+         }

+         /* Write the output tables */
++        if (p-&gt;outputChan &gt; 0 &amp;&amp; p-&gt;outputEnt &gt; UINT_MAX / p-&gt;outputChan) {
++                sprintf(icp-&gt;err,&quot;icmLut_write: overflow&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
+         size = (p-&gt;outputChan * p-&gt;outputEnt);
+         if (p-&gt;ttype == icSigLut8Type) {
+                 for (i = 0; i &lt; size; i++, bp += 1) {
+@@ -5177,7 +5327,14 @@
+                 if (p-&gt;inputChan &gt; MAX_CHAN) {
+                         fprintf(op,&quot;  !!Can't dump &gt; %d input channel CLUT table!!\n&quot;,MAX_CHAN);
+                 } else {
+-                        size = (p-&gt;outputChan * uipow(p-&gt;clutPoints,p-&gt;inputChan));
++                        unsigned int pw;
++                        if (uipow(p-&gt;clutPoints,p-&gt;inputChan,&amp;pw) ||
++                            (p-&gt;outputChan &gt; 0 &amp;&amp;
++                             pw &gt; UINT_MAX / p-&gt;outputChan)) {
++                                fprintf(op,&quot;Would overflow.\n&quot;);
++                                return;
++                        }
++                        size = (p-&gt;outputChan * pw);
+                         for (j = 0; j &lt; p-&gt;inputChan; j++)
+                                 ii[j] = 0;
+                         for (i = 0; i &lt; size;) {
+@@ -5216,7 +5373,7 @@
+ static int icmLut_allocate(
+         icmBase *pp
+ ) {
+-        unsigned int i, j, g, size;
++        unsigned int i, j, g, size, pw;
+         icmLut *p = (icmLut *)pp;
+         icc *icp = p-&gt;icp;

+@@ -5231,6 +5388,10 @@
+                 return icp-&gt;errc = 1;
+         }

++        if (p-&gt;inputEnt &gt; 0 &amp;&amp; p-&gt;inputChan &gt; UINT_MAX / p-&gt;inputEnt) {
++                sprintf(icp-&gt;err,&quot;icmLut_alloc: too many entries&quot;);
++                return icp-&gt;errc = 1;
++        }
+         size = (p-&gt;inputChan * p-&gt;inputEnt);
+         if (size != p-&gt;inputTable_size) {
+                 if (p-&gt;inputTable != NULL)
+@@ -5241,7 +5402,13 @@
+                 }
+                 p-&gt;inputTable_size = size;
+         }
+-        size = (p-&gt;outputChan * uipow(p-&gt;clutPoints,p-&gt;inputChan));
++        if (uipow(p-&gt;clutPoints,p-&gt;inputChan,&amp;pw) ||
++            (p-&gt;outputChan &gt; 0 &amp;&amp;
++             pw &gt; UINT_MAX / p-&gt;outputChan)) {
++                sprintf(icp-&gt;err,&quot;icmLut_alloc: overflow&quot;);
++                return icp-&gt;errc = 1;
++        }
++        size = (p-&gt;outputChan * pw);
+         if (size != p-&gt;clutTable_size) {
+                 if (p-&gt;clutTable != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;clutTable);
+@@ -5251,6 +5418,10 @@
+                 }
+                 p-&gt;clutTable_size = size;
+         }
++        if (p-&gt;outputChan &gt; 0 &amp;&amp; p-&gt;outputEnt &gt; UINT_MAX / p-&gt;outputChan) {
++                sprintf(icp-&gt;err,&quot;icmLut_alloc: overflow&quot;);
++                return icp-&gt;errc = 1;
++        }
+         size = (p-&gt;outputChan * p-&gt;outputEnt);
+         if (size != p-&gt;outputTable_size) {
+                 if (p-&gt;outputTable != NULL)
+@@ -5441,6 +5612,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmMeasurement_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -5712,13 +5885,20 @@
+                         len += p-&gt;nDeviceCoords * 1;        /* bytes for each named color */
+                 }
+         } else {        /* Named Color 2 */
++                unsigned int col;
+                 len += 8;                        /* 8 bytes for tag and padding */
+                 len += 4;                        /* 4 for vendor specific flags */
+                 len += 4;                        /* 4 for count of named colors */
+                 len += 4;                        /* 4 for number of device coords */
+                 len += 32;                        /* 32 for prefix of color names */
+                 len += 32;                        /* 32 for suffix of color names */
+-                len += p-&gt;count * (32 + 6 + p-&gt;nDeviceCoords * 2);        /* bytes for each named color */
++                col = 32 + 6 + p-&gt;nDeviceCoords * 2;
++                if (p-&gt;nDeviceCoords &gt; (UINT_MAX - (32 + 6)) / 2 ||
++                    (p-&gt;count &gt; 0 &amp;&amp; col &gt; (UINT_MAX - len) / p-&gt;count)) {
++                        p-&gt;icp-&gt;errc = 1;
++                        return (unsigned int) -1;
++                }
++                len += p-&gt;count * col;        /* bytes for each named color */
+         }
+         return len;
+ }
+@@ -5882,6 +6062,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmNamedColor_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -6109,9 +6291,22 @@
+ ) {
+         icmTextDescription *p = (icmTextDescription *)pp;
+         unsigned int len = 0;
++        if (p-&gt;size &gt; UINT_MAX - (8 + 4 + 8)) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += 8;                        /* 8 bytes for tag and padding */
+         len += 4 + p-&gt;size;        /* Ascii string length + ascii string */
+-        len += 8 + 2 * p-&gt;ucSize;        /* Unicode language code + length + string */
++        len += 8;               /* Unicode language code + length */
++        if (p-&gt;ucSize &gt; (UINT_MAX - len) / 2) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
++        len += 2 * p-&gt;ucSize;    /* Unicode string */
++        if (len &gt; (UINT_MAX - (3 + 67))) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += 3 + 67;                /* ScriptCode code, length string */
+         return len;
+ }
+@@ -6294,6 +6489,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmTextDescription_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -6535,7 +6732,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;desc != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;desc);
+-                if ((p-&gt;desc = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(char))) == NULL) {
++                if ((p-&gt;desc = (char *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(char))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmTextDescription_alloc: malloc() of Ascii description failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -6544,7 +6741,7 @@
+         if (p-&gt;ucSize != p-&gt;uc_size) {
+                 if (p-&gt;ucDesc != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;ucDesc);
+-                if ((p-&gt;ucDesc = (ORD16 *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;ucSize * sizeof(ORD16))) == NULL) {
++                if ((p-&gt;ucDesc = (ORD16 *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;ucSize, sizeof(ORD16))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmTextDescription_alloc: malloc() of Unicode description failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -6820,6 +7017,12 @@
+         bp += 8;        /* Skip padding */

+         p-&gt;count = read_UInt32Number(bp);        /* Number of sequence descriptions */
++        if (p-&gt;count &gt; 1000) {
++                sprintf(icp-&gt;err,&quot;icmProfileSequenceDesc_read: too many sequence descriptions&quot;);
++                icp-&gt;al-&gt;free(icp-&gt;al, buf);
++                return icp-&gt;errc = 1;
++        }
++
+         bp += 4;

+         /* Read all the sequence descriptions */
+@@ -6852,6 +7055,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmProfileSequenceDesc_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -6922,7 +7127,7 @@
+         if (p-&gt;count != p-&gt;_count) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (icmDescStruct *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;count * sizeof(icmDescStruct))) == NULL) {
++                if ((p-&gt;data = (icmDescStruct *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;count, sizeof(icmDescStruct))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmProfileSequenceDesc_allocate Allocation of DescStruct array failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -7041,6 +7246,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmSignature_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -7156,6 +7363,10 @@
+         icmScreening *p = (icmScreening *)pp;
+         unsigned int len = 0;
+         len += 16;                                /* 16 bytes for tag, padding, flag &amp; channeles */
++        if (p-&gt;channels &gt; (UINT_MAX - len) / 12) {
++                p-&gt;icp-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         len += p-&gt;channels * 12;        /* 12 bytes for each channel */
+         return len;
+ }
+@@ -7235,6 +7446,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmScreening_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -7315,7 +7528,7 @@
+         if (p-&gt;channels != p-&gt;_channels) {
+                 if (p-&gt;data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;data);
+-                if ((p-&gt;data = (icmScreeningData *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;channels * sizeof(icmScreeningData))) == NULL) {
++                if ((p-&gt;data = (icmScreeningData *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;channels, sizeof(icmScreeningData))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmScreening_alloc: malloc() of icmScreening data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -7366,10 +7579,20 @@
+         icmUcrBg *p = (icmUcrBg *)pp;
+         unsigned int len = 0;
+         len += 8;                        /* 8 bytes for tag and padding */
++        if (p-&gt;UCRcount &gt; (UINT_MAX - len - 4) / 2)
++                goto overflow;
++
+         len += 4 + p-&gt;UCRcount * 2;        /* Undercolor Removal */
++        if (p-&gt;BGcount &gt; (UINT_MAX - len - 4 - p-&gt;size) / 2)
++                goto overflow;
++
+         len += 4 + p-&gt;BGcount * 2;        /* Black Generation */
+         len += p-&gt;size;                                /* Description string */
+         return len;
++
++ overflow:
++        p-&gt;icp-&gt;errc = 1;
++        return (unsigned int) -1;
+ }

+ /* read the object, return 0 on success, error code on fail */
+@@ -7498,6 +7721,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmUcrBg_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -7663,7 +7888,7 @@
+         if (p-&gt;UCRcount != p-&gt;UCR_count) {
+                 if (p-&gt;UCRcurve != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;UCRcurve);
+-                if ((p-&gt;UCRcurve = (double *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;UCRcount * sizeof(double))) == NULL) {
++                if ((p-&gt;UCRcurve = (double *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;UCRcount, sizeof(double))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUcrBg_allocate: malloc() of UCR curve data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -7672,7 +7897,7 @@
+         if (p-&gt;BGcount != p-&gt;BG_count) {
+                 if (p-&gt;BGcurve != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;BGcurve);
+-                if ((p-&gt;BGcurve = (double *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;BGcount * sizeof(double))) == NULL) {
++                if ((p-&gt;BGcurve = (double *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;BGcount, sizeof(double))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUcrBg_allocate: malloc() of BG curve data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -7681,7 +7906,7 @@
+         if (p-&gt;size != p-&gt;_size) {
+                 if (p-&gt;string != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;string);
+-                if ((p-&gt;string = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;size * sizeof(char))) == NULL) {
++                if ((p-&gt;string = (char *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;size, sizeof(char))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmUcrBg_allocate: malloc() of string data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -7743,6 +7968,15 @@
+                 len += 2;       /* 2 bytes for channels */
+                 len += 2;       /* 2 for entry count */
+                 len += 2;       /* 2 for entry size */
++                if (p-&gt;u.table.entryCount &gt; 0 &amp;&amp;
++                    p-&gt;u.table.entrySize &gt; 0 &amp;&amp;
++                    p-&gt;u.table.channels &gt;
++                    (UINT_MAX - len) /
++                    p-&gt;u.table.entryCount /
++                    p-&gt;u.table.entrySize) {
++                        p-&gt;icp-&gt;errc = 1;
++                        return (unsigned int) -1;
++                }
+                 len += ( p-&gt;u.table.channels *     /* compute table size */
+                                  p-&gt;u.table.entryCount *
+                                  p-&gt;u.table.entrySize );
+@@ -7762,10 +7996,11 @@
+ ) {
+         icmVideoCardGamma *p = (icmVideoCardGamma *)pp;
+         icc *icp = p-&gt;icp;
+-        int rv, c;
++        int rv;
+         char *bp, *buf;
+         unsigned char *pchar;
+         unsigned short *pshort;
++        unsigned long c;

+         if (len &lt; 18) {
+                 sprintf(icp-&gt;err,&quot;icmVideoCardGamma_read: Tag too small to be legal&quot;);
+@@ -7803,6 +8038,16 @@
+                 p-&gt;u.table.channels   = read_UInt16Number(bp+12);
+                 p-&gt;u.table.entryCount = read_UInt16Number(bp+14);
+                 p-&gt;u.table.entrySize  = read_UInt16Number(bp+16);
++                if (p-&gt;u.table.entrySize &gt; 65530 || p-&gt;u.table.entrySize == 0) {
++                        sprintf(icp-&gt;err,&quot;icmVideoCardGamma_read: Too many entries (or none)&quot;);
++                        return icp-&gt;errc = 1;
++                }
++                if (p-&gt;u.table.entryCount &gt; 0 &amp;&amp; p-&gt;u.table.entrySize &gt; 0 &amp;&amp;
++                    p-&gt;u.table.channels &gt;
++                    UINT_MAX / p-&gt;u.table.entryCount / p-&gt;u.table.entrySize) {
++                        sprintf(icp-&gt;err,&quot;icmVideoCardGamma_read: Overflow reading tag&quot;);
++                        return icp-&gt;errc = 1;
++                }
+                 if (len-18 &lt; p-&gt;u.table.channels*p-&gt;u.table.entryCount*p-&gt;u.table.entrySize) {
+                         sprintf(icp-&gt;err,&quot;icmVideoCardGamma_read: Tag too small to be legal&quot;);
+                         return icp-&gt;errc = 1;
+@@ -7871,6 +8116,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmViewingConditions_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -8049,7 +8296,7 @@
+ ) {
+         icmVideoCardGamma *p = (icmVideoCardGamma *)pp;
+         icc *icp = p-&gt;icp;
+-        int size;
++        unsigned int size;

+         /* note: allocation is only relevant for table type
+          * and in that case the channels, entryCount, and entrySize
+@@ -8059,6 +8306,11 @@
+         if (p-&gt;tagType == icmVideoCardGammaTableType) {
+                 if (p-&gt;u.table.data != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;u.table.data);
++                if (p-&gt;u.table.entryCount &gt; 0 &amp;&amp;
++                    p-&gt;u.table.channels &gt; UINT_MAX / p-&gt;u.table.entryCount) {
++                        sprintf(icp-&gt;err,&quot;icmVideoCardGamma_alloc: table too large&quot;);
++                        return icp-&gt;errc = 1;
++                }
+                 size = (p-&gt;u.table.channels *
+                                 p-&gt;u.table.entryCount);
+                 switch (p-&gt;u.table.entrySize) {
+@@ -8066,6 +8318,10 @@
+                         size *= sizeof(unsigned char);
+                         break;
+                 case 2:
++                        if (size &gt; UINT_MAX / sizeof(unsigned short)) {
++                                sprintf(icp-&gt;err,&quot;icmVideoCardGamma_alloc: table too large&quot;);
++                                return icp-&gt;errc = 1;
++                        }
+                         size *= sizeof(unsigned short);
+                         break;
+                 default:
+@@ -8201,6 +8457,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmViewingConditions_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -8433,6 +8691,8 @@

+         /* Allocate a file write buffer */
+         len = p-&gt;get_size((icmBase *)p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, len)) == NULL) {
+                 sprintf(icp-&gt;err,&quot;icmCrdInfo_write malloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -8585,7 +8845,7 @@
+         if (p-&gt;ppsize != p-&gt;_ppsize) {
+                 if (p-&gt;ppname != NULL)
+                         icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;ppname);
+-                if ((p-&gt;ppname = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;ppsize * sizeof(char))) == NULL) {
++                if ((p-&gt;ppname = (char *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;ppsize, sizeof(char))) == NULL) {
+                         sprintf(icp-&gt;err,&quot;icmCrdInfo_alloc: malloc() of string data failed&quot;);
+                         return icp-&gt;errc = 2;
+                 }
+@@ -8595,7 +8855,7 @@
+                 if (p-&gt;crdsize[t] != p-&gt;_crdsize[t]) {
+                         if (p-&gt;crdname[t] != NULL)
+                                 icp-&gt;al-&gt;free(icp-&gt;al, p-&gt;crdname[t]);
+-                        if ((p-&gt;crdname[t] = (char *) icp-&gt;al-&gt;malloc(icp-&gt;al, p-&gt;crdsize[t] * sizeof(char))) == NULL) {
++                        if ((p-&gt;crdname[t] = (char *) icp-&gt;al-&gt;calloc(icp-&gt;al, p-&gt;crdsize[t], sizeof(char))) == NULL) {
+                                 sprintf(icp-&gt;err,&quot;icmCrdInfo_alloc: malloc() of CRD%d name string failed&quot;,t);
+                                 return icp-&gt;errc = 2;
+                         }
+@@ -8736,6 +8996,8 @@
+         int rv = 0;

+         len = p-&gt;get_size(p);
++        if (icp-&gt;errc)
++                return icp-&gt;errc;
+         if ((buf = (char *) icp-&gt;al-&gt;calloc(icp-&gt;al,1,len)) == NULL) {                        /* Zero it - some CMS are fussy */
+                 sprintf(icp-&gt;err,&quot;icmHeader_write calloc() failed&quot;);
+                 return icp-&gt;errc = 2;
+@@ -9245,13 +9507,23 @@
+         }

+         p-&gt;count = read_UInt32Number(tcbuf);                /* Tag count */
++        if (p-&gt;count &gt; 100) {
++                sprintf(p-&gt;err,&quot;icc_read: too many table tags&quot;);
++                return p-&gt;errc = 1;
++        }
+         if (p-&gt;count &gt; 0) {
+                 char *bp, *buf;
+-                if ((p-&gt;data = (icmTag *) p-&gt;al-&gt;malloc(p-&gt;al, p-&gt;count * sizeof(icmTag))) == NULL) {
++                if ((p-&gt;data = (icmTag *) p-&gt;al-&gt;calloc(p-&gt;al, p-&gt;count, sizeof(icmTag))) == NULL) {
+                         sprintf(p-&gt;err,&quot;icc_read: Tag table malloc() failed&quot;);
+                         return p-&gt;errc = 2;
+                 }
+         
++                if (p-&gt;count &gt; (UINT_MAX - 4) / 12) {
++                        sprintf(p-&gt;err,&quot;icc_read: overflow&quot;);
++                        p-&gt;al-&gt;free(p-&gt;al, p-&gt;data);
++                        p-&gt;data = NULL;
++                        return p-&gt;errc = 1;
++                }
+                 len = 4 + p-&gt;count * 12;
+                 if ((buf = (char *) p-&gt;al-&gt;malloc(p-&gt;al, len)) == NULL) {
+                         sprintf(p-&gt;err,&quot;icc_read: Tag table read buffer malloc() failed&quot;);
+@@ -9281,6 +9553,14 @@
+                         return p-&gt;errc = 1;
+                     }
+                     p-&gt;data[i].size = read_UInt32Number(bp + 8);        
++                        if (p-&gt;data[i].offset + p-&gt;data[i].size &gt;
++                            p-&gt;header-&gt;size) {
++                                sprintf(p-&gt;err,&quot;icc_read: tag out of bounds&quot;);
++                                p-&gt;al-&gt;free(p-&gt;al, p-&gt;data);
++                                p-&gt;data = NULL;
++                                p-&gt;al-&gt;free(p-&gt;al, buf);
++                                return p-&gt;errc = 1;
++                        }
+                         if (   p-&gt;fp-&gt;seek(p-&gt;fp, of + p-&gt;data[i].offset) != 0
+                             || p-&gt;fp-&gt;read(p-&gt;fp, tcbuf, 1, 4) != 4) {
+                                 sprintf(p-&gt;err,&quot;icc_read: fseek() or fread() failed on tag headers&quot;);
+@@ -9321,8 +9601,14 @@
+         }

+         size += p-&gt;header-&gt;get_size(p-&gt;header);
++        if (p-&gt;errc)
++                return (unsigned int) -1;

+         size = DO_ALIGN(size);
++        if (size == 0 || p-&gt;count &gt; (UINT_MAX - 4 - size) / 12) {
++                p-&gt;errc = 1;
++                return (unsigned int) -1;
++        }
+         size += 4 + p-&gt;count * 12;        /* Tag table length */
+         
+         /* Reset touched flag for each tag type */
+@@ -9337,8 +9623,13 @@
+         /* Get size for each tag type, skipping links */
+         for (i = 0; i &lt; p-&gt;count; i++) {
+                 if (p-&gt;data[i].objp-&gt;touched == 0) { /* Not alllowed for previously */
++                        unsigned int obj_size;
+                         size = DO_ALIGN(size);
+-                        size += p-&gt;data[i].objp-&gt;get_size(p-&gt;data[i].objp);
++                        obj_size = p-&gt;data[i].objp-&gt;get_size(p-&gt;data[i].objp);
++                        if (size == 0 || p-&gt;errc ||
++                            obj_size &gt; UINT_MAX - size)
++                                return (unsigned int) -1;
++                        size += obj_size;
+                         p-&gt;data[i].objp-&gt;touched = 1;        /* Don't account for this again */
+                 }
+         }
+@@ -9373,9 +9664,19 @@
+         }

+         size += p-&gt;header-&gt;get_size(p-&gt;header);
++        if (p-&gt;errc)
++                return p-&gt;errc;

++        if (p-&gt;count &gt; (UINT_MAX - 4 - len) / 12) {
++                sprintf(p-&gt;err,&quot;icc_write: too many tags&quot;);
++                return p-&gt;errc = 1;
++        }
+         len = 4 + p-&gt;count * 12;        /* Tag table length */
+         size = DO_ALIGN(size);
++        if (size == 0 || size &gt; UINT_MAX - len) {
++                sprintf(p-&gt;err,&quot;icc_write: overflow writing tag table&quot;);
++                return p-&gt;errc = 1;
++        }
+         size += len;
+         
+         /* Allocate memory buffer for tag table */
+@@ -9406,6 +9707,12 @@
+                         size = DO_ALIGN(size);
+                         p-&gt;data[i].offset = size;                        /* Profile relative target */
+                         p-&gt;data[i].size = p-&gt;data[i].objp-&gt;get_size(p-&gt;data[i].objp);
++                        if (size == 0 ||
++                            p-&gt;errc || p-&gt;data[i].size &gt; UINT_MAX - size) {
++                                sprintf(p-&gt;err,&quot;icc_write: internal error - overflow?&quot;);
++                                p-&gt;al-&gt;free(p-&gt;al, buf);
++                                return p-&gt;errc;
++                        }
+                         size += p-&gt;data[i].size;
+                         p-&gt;data[i].objp-&gt;touched = 1;        /* Allocated space for it */
+                 } else { /* must be linked - copy allocation */
+@@ -9529,6 +9836,11 @@
+         }

+         /* Make space in tag table for new tag item */
++        if (p-&gt;count &gt; (UINT_MAX / sizeof(icmTag)) - 1) {
++                sprintf(p-&gt;err,&quot;icc_add_tag: overflow&quot;);
++                p-&gt;errc = 1;
++                return NULL;
++        }
+         if (p-&gt;data == NULL)
+                 tp = p-&gt;al-&gt;malloc(p-&gt;al, (p-&gt;count+1) * sizeof(icmTag));
+         else
+@@ -9612,6 +9924,11 @@
+         }

+         /* Make space in tag table for new tag item */
++        if (p-&gt;count &gt; (UINT_MAX / sizeof(icmTag)) - 1) {
++                sprintf(p-&gt;err,&quot;icc_link_tag: overflow&quot;);
++                p-&gt;errc = 1;
++                return NULL;
++        }
+         if (p-&gt;data == NULL)
+                 tp = p-&gt;al-&gt;malloc(p-&gt;al, (p-&gt;count+1) * sizeof(icmTag));
+         else
</ins></span></pre>
</div>
</div>

</body>
</html>