- BR s/perl/perl-base/

[packages/netpbm.git] / netpbm-security-CAN-2003-0924-VU#378049-VU#630433.patch

diff -urN netpbm-9.25.orig/COPYRIGHT.PATENT netpbm-9.25/COPYRIGHT.PATENT
--- netpbm-9.25.orig/COPYRIGHT.PATENT   2001-11-12 20:16:00.000000000 +0100
+++ netpbm-9.25/COPYRIGHT.PATENT        2004-05-12 11:53:57.823565720 +0200
@@ -23,6 +23,11 @@
 The copyrights on individual components of this package are detailed 
 at appropriate places within the package.
 
+These security fixes for netpbm are (c) Copyright 2002 Red Hat Inc.
+Red Hat has not fixed those items with patent claims or commercial
+use restrictions. These changes include NO WARRANTY and are provided
+under the Open Software License v.1 (see file OPENLICENSE).
+
 
 PATENTS
 -------
diff -urN netpbm-9.25.orig/OPENLICENSE netpbm-9.25/OPENLICENSE
--- netpbm-9.25.orig/OPENLICENSE        1970-01-01 01:00:00.000000000 +0100
+++ netpbm-9.25/OPENLICENSE     2004-05-12 11:53:57.831564504 +0200
@@ -0,0 +1,163 @@
+                       The Open Software License
+                       v. 1.1
+
+This Open Software License (the "License") applies to any original work of
+authorship (the "Original Work") whose owner (the "Licensor") has placed the
+following notice immediately following the copyright notice for the Original
+Work:
+
+Licensed under the Open Software License version 1.1
+
+1) Grant of Copyright License. Licensor hereby grants You a world-wide,
+royalty-free, non-exclusive, perpetual, non-sublicenseable license to do the
+following:
+
+a) to reproduce the Original Work in copies;
+
+b) to prepare derivative works ("Derivative Works") based upon the Original
+Work;
+
+c) to distribute copies of the Original Work and Derivative Works to the
+public, with the proviso that copies of Original Work or Derivative Works that
+You distribute shall be licensed under the Open Software License;
+
+d) to perform the Original Work publicly; and
+
+e) to display the Original Work publicly.
+
+2) Grant of Patent License. Licensor hereby grants You a world-wide,
+royalty-free, non-exclusive, perpetual, non-sublicenseable license, under
+patent claims owned or controlled by the Licensor that are embodied in the
+Original Work as furnished by the Licensor ("Licensed Claims") to make, use,
+sell and offer for sale the Original Work. Licensor hereby grants You a
+world-wide, royalty-free, non-exclusive, perpetual, non-sublicenseable license
+under the Licensed Claims to make, use, sell and offer for sale Derivative Works.
+
+3) Grant of Source Code License. The term "Source Code" means the preferred
+form of the Original Work for making modifications to it and all available
+documentation describing how to modify the Original Work. Licensor hereby
+agrees to provide a machine-readable copy of the Source Code of the Original
+Work along with each copy of the Original Work that Licensor distributes.
+Licensor reserves the right to satisfy this obligation by placing a
+machine-readable copy of the Source Code in an information repository reasonably
+calculated to permit inexpensive and convenient access by You for as long as
+ Licensor continues to distribute the Original Work, and by publishing the
+address of that information repository in a notice immediately following the
+copyright notice that applies to the Original Work.
+
+
+4) Exclusions From License Grant. Nothing in this License shall be deemed to
+grant any rights to trademarks, copyrights, patents, trade secrets or any
+other intellectual property of Licensor except as expressly stated herein. No
+patent license is granted to make, use, sell or offer to sell embodiments of
+any patent claims other than the Licensed Claims defined in Section 2. No
+right is granted to the trademarks of Licensor even if such marks are included
+in the Original Work. Nothing in this License shall be interpreted to prohibit
+Licensor from licensing under different terms from this License any Original
+Work that Licensor otherwise would have a right to license.
+
+5) External Deployment. The term "External Deployment" means the use or
+distribution of the Original Work or Derivative Works in any way such that the
+Original Work or Derivative Works may be used by anyone other than You,
+whether the Original Work or Derivative Works are distributed to those persons
+or made available as an application intended for use over a computer network.
+As an express condition for the grants of license hereunder, You agree that
+any External Deployment by You of a Derivative Work shall be deemed a
+distribution and shall be licensed to all under the terms of this License, as
+prescribed in section 1(c) herein.
+
+6) Attribution Rights. You must retain, in the Source Code of any Derivative
+Works that You create, all copyright, patent or trademark notices from the
+Source Code of the Original Work, as well as any notices of licensing and any
+descriptive text identified therein as an "Attribution Notice." You must cause
+the Source Code for any Derivative Works that You create to carry a prominent
+Attribution Notice reasonably calculated to inform recipients that You have
+modified the Original Work.
+
+7) Warranty and Disclaimer of Warranty. Licensor warrants that the copyright
+in and to the Original Work is owned by the Licensor or that the Original Work
+is distributed by Licensor under a valid current license from the copyright
+owner. Except as expressly stated in the immediately proceeding sentence, the
+Original Work is provided under this License on an "AS IS" BASIS and WITHOUT
+WARRANTY, either express or implied, including, without limitation, the
+warranties of NON-INFRINGEMENT, MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK IS WITH YOU.
+This DISCLAIMER OF WARRANTY constitutes an essential part of this License. No
+license to Original Work is granted hereunder except under this disclaimer.
+
+8) Limitation of Liability. Under no circumstances and under no legal theory,
+whether in tort (including negligence), contract, or otherwise, shall the
+Licensor be liable to any person for any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License
+or the use of the Original Work including, without limitation, damages for
+loss of goodwill, work stoppage, computer failure or malfunction, or any and
+all other commercial damages or losses. This limitation of liability shall not
+apply to liability for death or personal injury resulting from Licensor's
+negligence to the extent applicable law prohibits such limitation. Some
+jurisdictions do not allow the exclusion or limitation of incidental or
+consequential damages, so this exclusion and limitation may not apply to You.
+
+
+9) Acceptance and Termination. If You distribute copies of the Original Work
+or a Derivative Work, You must make a reasonable effort under the circumstances
+to obtain the express and volitional assent of recipients to the terms of this
+License. Nothing else but this License (or another written agreement between
+Licensor and You) grants You permission to create Derivative Works based upon
+the Original Work or to exercise any of the rights granted in Sections 1 herein,
+and any attempt to do so except under the terms of this License (or another
+written agreement between Licensor and You) is expressly prohibited by U.S.
+copyright law, the equivalent laws of other countries, and by international
+treaty. Therefore, by exercising any of the rights granted to You in Sections
+1 herein, You indicate Your acceptance of this License and all of its terms and
+conditions. This License shall terminate immediately and you may no longer
+exercise any of the rights granted to You by this License upon Your failure to
+honor the proviso in Section 1(c) herein.
+
+10) Mutual Termination for Patent Action. This License shall terminate
+automatically and You may no longer exercise any of the rights granted to You
+by this License if You file a lawsuit in any court alleging that any OSI
+Certified open source software that is licensed under any license containing
+this "Mutual Termination for Patent Action" clause infringes any patent claims
+that are essential to use that software.
+
+11) Jurisdiction, Venue and Governing Law. Any action or suit relating to this
+License may be brought only in the courts of a jurisdiction wherein the Licensor
+resides or in which Licensor conducts its primary business, and under the laws
+of that jurisdiction excluding its conflict-of-law provisions. The application
+of the United Nations Convention on Contracts for the International Sale of
+Goods is expressly excluded. Any use of the Original Work outside the scope of
+this License or after its termination shall be subject to the requirements and
+penalties of the U.S. Copyright Act, 17 U.S.C. å¤ 101 et seq., the equivalent
+laws of other countries, and international treaty. This section shall survive
+the termination of this License.
+
+12) Attorneys Fees. In any action to enforce the terms of this License or
+seeking damages relating thereto, the prevailing party shall be entitled to
+recover its costs and expenses, including, without limitation, reasonable
+attorneys' fees and costs incurred in connection with such action, including
+any appeal of such action. This section shall survive the termination of this
+License.
+
+13) Miscellaneous. This License represents the complete agreement concerning
+the subject matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent necessary
+to make it enforceable.
+
+14) Definition of "You" in This License. "You" throughout this License,
+whether in upper or lower case, means an individual or a legal entity exercising
+rights under, and complying with all of the terms of, this License. For legal
+entities, "You" includes any entity that controls, is controlled by, or is under
+common control with you. For purposes of this definition, "control" means (i)
+the power, direct or indirect, to cause the direction or management of such
+entity, whether by contract or otherwise, or (ii) ownership of fifty percent
+(50%) or more of the outstanding shares, or (iii) beneficial ownership of such
+entity.
+
+15) Right to Use. You may use the Original Work in all ways not otherwise
+restricted or conditioned by this License or by law, and Licensor promises not
+to interfere with or be responsible for such uses by You.
+
+This license is Copyright (C) 2002 Lawrence E. Rosen. All rights reserved.
+Permission is hereby granted to copy and distribute this license without
+modification. This license may not be modified without the express written
+permission of its copyright owner.
diff -urN netpbm-9.25.orig/pbm/atktopbm.c netpbm-9.25/pbm/atktopbm.c
--- netpbm-9.25.orig/pbm/atktopbm.c     2000-03-19 05:33:36.000000000 +0100
+++ netpbm-9.25/pbm/atktopbm.c  2004-05-12 11:52:28.426156192 +0200
@@ -322,8 +322,7 @@
        *rwidth = width;
        *rheight = height;
        rowlen = (width + 7) / 8;
-       *destaddr = (unsigned char *) malloc (sizeof(unsigned char) * height *
-rowlen);
+       *destaddr = (unsigned char *) malloc3 (sizeof(unsigned char), height, rowlen);
        for (row = 0;   row < height;   row++)
          {
            long c;
diff -urN netpbm-9.25.orig/pbm/icontopbm.c netpbm-9.25/pbm/icontopbm.c
--- netpbm-9.25.orig/pbm/icontopbm.c    1993-10-04 10:10:28.000000000 +0100
+++ netpbm-9.25/pbm/icontopbm.c 2004-05-12 11:52:28.428155888 +0200
@@ -10,6 +10,8 @@
 ** implied warranty.
 */
 
+#include <string.h>
+#include <limits.h>
 #include "pbm.h"
 
 static void ReadIconFile ARGS(( FILE* file, int* width, int* height, short** data ));
@@ -137,6 +139,11 @@
     if ( *height <= 0 )
        pm_error( "invalid height: %d", *height );
 
+    if ( *width > INT_MAX - 16 || *width < 0)
+       pm_error( "invalid width: %d", *width);
+
+    overflow2(*width + 16, *height);
+
     data_length = BitmapSize( *width, *height );
     *data = (short*) malloc( data_length );
     if ( *data == NULL )
diff -urN netpbm-9.25.orig/pbm/libpbm1.c netpbm-9.25/pbm/libpbm1.c
--- netpbm-9.25.orig/pbm/libpbm1.c      2002-01-03 21:09:23.000000000 +0100
+++ netpbm-9.25/pbm/libpbm1.c   2004-05-12 11:52:28.426156192 +0200
@@ -36,13 +36,18 @@
           const int format, const int cols, const int rows,
           enum pm_check_code * const retval_p) {
 
+    if (rows < 0 || cols < 0)
+        pm_error("invalid image");
     if (check_type != PM_CHECK_BASIC) {
         if (retval_p) *retval_p = PM_CHECK_UNKNOWN_TYPE;
     } else if (format != RPBM_FORMAT) {
         if (retval_p) *retval_p = PM_CHECK_UNCHECKABLE;
     } else {        
+        /* signed to unsigned so wont wrap */
         const unsigned int bytes_per_row = (cols+7)/8;
         const unsigned int need_raster_size = rows * bytes_per_row;
+
+       overflow2(bytes_per_row, rows);
         
         pm_check(file, check_type, need_raster_size, retval_p);
     }
diff -urN netpbm-9.25.orig/pbm/libpbm5.c netpbm-9.25/pbm/libpbm5.c
--- netpbm-9.25.orig/pbm/libpbm5.c      2000-05-06 08:30:12.000000000 +0200
+++ netpbm-9.25/pbm/libpbm5.c   2004-05-12 11:52:28.424156496 +0200
@@ -767,15 +767,18 @@
     fn->frows = frows;
     fn->fcols = fcols;
     
-    glyph = (struct glyph*) malloc( sizeof(struct glyph) * 95 );
+    glyph = (struct glyph*) malloc2( sizeof(struct glyph), 95 );
     if ( glyph == (struct glyph*) 0 )
        pm_error( "out of memory allocating glyphs" );
     
-    bmap = (char*) malloc( fn->maxwidth * fn->maxheight * 95 );
+    bmap = (char*) malloc3( fn->maxwidth, fn->maxheight, 95 );
     if ( bmap == (char*) 0)
        pm_error( "out of memory allocating glyph data" );
 
     /* Now fill in the 0,0 coords. */
+    overflow2(char_height, 2);
+    overflow2(char_width, 2);
+
     row = char_height * 2;
     col = char_width * 2;
     for ( ch = 0; ch < 95; ++ch )
@@ -1022,7 +1025,7 @@
                                glyph->x = atoi(arg[3]);
                                glyph->y = atoi(arg[4]);
 
-                               if (!(glyph->bmap = (char*)malloc(glyph->width * glyph->height)))
+                               if (!(glyph->bmap = (char*)malloc2(glyph->width, glyph->height)))
                                        pm_error("no memory for font glyph byte map");
 
                                if (readline(fp, line, arg) < 0) { fclose(fp); return 0; }
diff -urN netpbm-9.25.orig/pbm/libpbmvms.c netpbm-9.25/pbm/libpbmvms.c
--- netpbm-9.25.orig/pbm/libpbmvms.c    2000-05-26 20:34:55.000000000 +0200
+++ netpbm-9.25/pbm/libpbmvms.c 2004-05-12 11:52:28.448152848 +0200
@@ -1,3 +1,5 @@
+#warning "NOT AUDITED"
+
 /***************************************************************************
   This file contains library routines needed to build Netpbm for VMS.
   However, as of 2000.05.26, when these were split out of libpbm1.c
diff -urN netpbm-9.25.orig/pbm/libpm.c netpbm-9.25/pbm/libpm.c
--- netpbm-9.25.orig/pbm/libpm.c        2002-02-24 23:37:29.000000000 +0100
+++ netpbm-9.25/pbm/libpm.c     2004-05-12 11:52:28.449152696 +0200
@@ -14,6 +14,7 @@
 **************************************************************************/
 
 #include <stdio.h>
+#include <limits.h>
 #include "version.h"
 #include "compile.h"
 #include "shhopt.h"
@@ -90,7 +91,7 @@
 pm_allocrow(int const cols, int const size) {
     register char* itrow;
 
-    itrow = (char*) malloc( cols * size );
+    itrow = (char*) malloc2( cols , size );
     if ( itrow == (char*) 0 )
         pm_error( "out of memory allocating a row" );
     return itrow;
@@ -108,10 +109,10 @@
     char** its;
     int i;
 
-    its = (char**) malloc( rows * sizeof(char*) );
+    its = (char**) malloc2( rows, sizeof(char*) );
     if ( its == (char**) 0 )
         pm_error( "out of memory allocating an array" );
-    its[0] = (char*) malloc( rows * cols * size );
+    its[0] = (char*) malloc3( rows, cols, size );
     if ( its[0] == (char*) 0 )
         pm_error( "out of memory allocating an array" );
     for ( i = 1; i < rows; ++i )
@@ -129,10 +130,12 @@
 pm_allocarray(int const cols, int const rows, int const size) {
     char** its;
     int i;
-    its = (char**) malloc( (rows + 1) * sizeof(char*) );
+
+    overflow_add(rows, 1);
+    its = (char**) malloc2( (rows + 1),  sizeof(char*) );
     if ( its == (char**) 0 )
         pm_error( "out of memory allocating an array" );
-    its[rows] = its[0] = (char*) malloc( rows * cols * size );
+    its[rows] = its[0] = (char*) malloc3( rows. cols, size );
     if ( its[0] != (char*) 0 )
         for ( i = 1; i < rows; ++i )
             its[i] = &(its[0][i * cols * size]);
@@ -958,4 +961,53 @@
 }
 
 
+/*
+ *     Maths wrapping
+ */
+
+void overflow2(int a, int b)
+{
+       if(a < 0 || b < 0)
+               pm_error("object too large");
+       if(b == 0)
+               return;
+       if(a > INT_MAX / b)
+               pm_error("object too large");
+}
+
+void overflow3(int a, int b, int c)
+{
+       overflow2(a,b);
+       overflow2(a*b, c);
+}
+
+void overflow_add(int a, int b)
+{
+       if( a > INT_MAX - b)
+               pm_error("object too large");
+}
+
+void *malloc2(int a, int b)
+{
+       overflow2(a, b);
+       if(a*b == 0)
+               pm_error("Zero byte allocation");
+       return malloc(a*b);
+}
+
+void *malloc3(int a, int b, int c)
+{
+       overflow3(a, b, c);
+       if(a*b*c == 0)
+               pm_error("Zero byte allocation");
+       return malloc(a*b*c);
+}
+
+void *realloc2(void * a, int b, int c)
+{
+       overflow2(b, c);
+       if(b*c == 0)
+               pm_error("Zero byte allocation");
+       return realloc(a, b*c);
+}
 
diff -urN netpbm-9.25.orig/pbm/mdatopbm.c netpbm-9.25/pbm/mdatopbm.c
--- netpbm-9.25.orig/pbm/mdatopbm.c     2000-05-06 11:28:53.000000000 +0200
+++ netpbm-9.25/pbm/mdatopbm.c  2004-05-12 11:52:28.442153760 +0200
@@ -235,9 +235,14 @@
        pm_readlittleshort(infile, &yy); nInRows = yy;
        pm_readlittleshort(infile, &yy); nInCols = yy;
 
+       overflow2(nOutCols, 8);
        nOutCols = 8*nInCols;
        nOutRows = nInRows;
-       if (bScale) nOutRows *= 2;
+       if (bScale)
+       {
+               overflow2(nOutRows, 2);
+               nOutRows *= 2;
+       }
 
        data = pbm_allocarray(nOutCols, nOutRows);
        mdrow = malloc(nInCols);
diff -urN netpbm-9.25.orig/pbm/mgrtopbm.c netpbm-9.25/pbm/mgrtopbm.c
--- netpbm-9.25.orig/pbm/mgrtopbm.c     2000-03-03 02:02:09.000000000 +0100
+++ netpbm-9.25/pbm/mgrtopbm.c  2004-05-12 11:52:28.432155280 +0200
@@ -108,6 +108,12 @@
                  head.magic[0], head.magic[1] );
         pad = -1;  /* should never reach here */
     }
+
+    if(head.h_wide < ' ' || head.l_wide < ' ')
+       pm_error("bad width/height chars in MGR file");
+
+    overflow_add(*colsP, pad);
+
     *colsP = ( ( (int) head.h_wide - ' ' ) << 6 ) + ( (int) head.l_wide - ' ' );
     *rowsP = ( ( (int) head.h_high - ' ' ) << 6 ) + ( (int) head.l_high - ' ' );
     *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;
diff -urN netpbm-9.25.orig/pbm/pbmlife.c netpbm-9.25/pbm/pbmlife.c
--- netpbm-9.25.orig/pbm/pbmlife.c      1993-10-04 10:10:37.000000000 +0100
+++ netpbm-9.25/pbm/pbmlife.c   2004-05-12 11:52:28.435154824 +0200
@@ -54,7 +54,7 @@
        prevrow = thisrow;
        thisrow = nextrow;
        nextrow = temprow;
-       if ( row < rows - 1 )
+       if ( row <= rows )
            pbm_readpbmrow( ifp, nextrow, cols, format );
 
         for ( col = 0; col < cols; ++col )
diff -urN netpbm-9.25.orig/pbm/pbmpage.c netpbm-9.25/pbm/pbmpage.c
--- netpbm-9.25.orig/pbm/pbmpage.c      2002-03-13 04:08:09.000000000 +0100
+++ netpbm-9.25/pbm/pbmpage.c   2004-05-12 11:52:28.443153608 +0200
@@ -15,6 +15,7 @@
 #include <math.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include "pbm.h"
 
 /* Support both US and A4. */
@@ -157,6 +158,9 @@
     /* We round the allocated row space up to a multiple of 8 so the ugly
        fast code below can work.
        */
+
+    overflow_add(Width, 7);
+
     pbmrow = pbm_allocrow(((Width+7)/8)*8);
     
     bitmap_cursor = 0;
diff -urN netpbm-9.25.orig/pbm/pbmpscale.c netpbm-9.25/pbm/pbmpscale.c
--- netpbm-9.25.orig/pbm/pbmpscale.c    2000-03-03 02:14:24.000000000 +0100
+++ netpbm-9.25/pbm/pbmpscale.c 2004-05-12 11:52:28.427156040 +0200
@@ -108,8 +108,9 @@
    inrow[0] = inrow[1] = inrow[2] = NULL;
    pbm_readpbminit(ifd, &columns, &rows, &format) ;
 
+   overflow2(columns, scale);
    outrow = pbm_allocrow(columns*scale) ;
-   flags = (unsigned char *)malloc(sizeof(unsigned char)*columns) ;
+   flags = (unsigned char *)malloc2(sizeof(unsigned char), columns) ;
    if (flags == NULL) pm_perror("out of memory") ;
 
    pbm_writepbminit(stdout, columns*scale, rows*scale, 0) ;
diff -urN netpbm-9.25.orig/pbm/pbmreduce.c netpbm-9.25/pbm/pbmreduce.c
--- netpbm-9.25.orig/pbm/pbmreduce.c    2000-04-26 21:24:02.000000000 +0200
+++ netpbm-9.25/pbm/pbmreduce.c 2004-05-12 11:52:28.435154824 +0200
@@ -92,8 +92,9 @@
 
     if ( halftone == QT_FS ) {
         /* Initialize Floyd-Steinberg. */
-        thiserr = (long*) malloc( ( newcols + 2 ) * sizeof(long) );
-        nexterr = (long*) malloc( ( newcols + 2 ) * sizeof(long) );
+        overflow_add(newcols, 2);
+        thiserr = (long*) malloc2( ( newcols + 2 ), sizeof(long) );
+        nexterr = (long*) malloc2( ( newcols + 2 ), sizeof(long) );
         if ( thiserr == 0 || nexterr == 0 )
           pm_error( "out of memory" );
 
diff -urN netpbm-9.25.orig/pbm/pbmtext.c netpbm-9.25/pbm/pbmtext.c
--- netpbm-9.25.orig/pbm/pbmtext.c      2001-03-20 03:44:49.000000000 +0100
+++ netpbm-9.25/pbm/pbmtext.c   2004-05-12 11:52:28.428155888 +0200
@@ -82,12 +82,14 @@
         
         for (i = 1; i < argc; i++) {
             if (i > 1) {
+               overflow_add(totaltextsize, 1);
                 totaltextsize += 1;
                 cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
                 if (cmdline_p->text == NULL)
                     pm_error("out of memory");
                 strcat(cmdline_p->text, " ");
             } 
+           overflow_add(totaltextsize, strlen(argv[i]));
             totaltextsize += strlen(argv[i]);
             cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
             if (cmdline_p->text == NULL)
@@ -328,11 +330,12 @@
            */
 
     maxlines = 50;  /* initial value */
-    *input_textP = (char**) malloc(maxlines * sizeof(char*));
+    *input_textP = (char**) malloc2(maxlines, sizeof(char*));
     if (*input_textP == NULL)
         pm_error("out of memory");
 
     if (cmdline_text) {
+        overflow_add(strlen(cmdline_text), 1);
         (*input_textP)[0] = malloc(strlen(cmdline_text)+1);
         if ((*input_textP)[0] == NULL)
             pm_error("Out of memory.");
@@ -347,7 +350,9 @@
         while (fgets(buf, sizeof(buf), stdin) != NULL) {
             fix_control_chars(buf, fn);
             if (*linesP >= maxlines) {
+               overflow2(maxlines, 2);
                 maxlines *= 2;
+               overflow2(maxlines, sizeof(char *));
                 *input_textP = (char**) realloc((char*) *input_textP, 
                                                 maxlines * sizeof(char*));
                 if(*input_textP == NULL)
@@ -426,6 +431,7 @@
         hmargin = fn->maxwidth;
        } else {
         vmargin = fn->maxheight;
+        overflow2(2, fn->maxwidth);
         hmargin = 2 * fn->maxwidth;
        }
 
@@ -441,10 +447,15 @@
     } else
         lp = input_text;
     
+    overflow2(2, vmargin);
+    overflow2(lines, fn->maxheight);
+    overflow_add(vmargin * 2, lines * fn->maxheight);
     rows = 2 * vmargin + lines * fn->maxheight;
 
     compute_image_width(lp, lines, fn, cmdline.space, &maxwidth, &maxleftb);
 
+    overflow2(2, hmargin);
+    overflow_add(2*hmargin, maxwidth);
     cols = 2 * hmargin + maxwidth;
     bits = pbm_allocarray(cols, rows);
 
diff -urN netpbm-9.25.orig/pbm/pbmto10x.c netpbm-9.25/pbm/pbmto10x.c
--- netpbm-9.25.orig/pbm/pbmto10x.c     1995-08-13 05:36:40.000000000 +0200
+++ netpbm-9.25/pbm/pbmto10x.c  2004-05-12 11:52:28.436154672 +0200
@@ -50,7 +50,7 @@
                res_60x72();
 
        pm_close(ifp);
-       exit(0);
+       return 0;
 }
 
 static void
@@ -84,6 +84,8 @@
        char            *stripe, *sP;
 
        stripe = malloc(cols);
+        if(stripe == NULL)
+               pm_error("out of memory");
        for (i = 0; i < LOW_RES_ROWS; ++i)
                bitrows[i] = pbm_allocrow(cols);
        printf("\033A\010");            /* '\n' = 8/72 */
@@ -117,6 +119,8 @@
        char            *stripe, *sP;
 
        stripe = malloc(cols);
+       if(stripe == NULL)
+               pm_error("out of memory");
        for (i = 0; i < HIGH_RES_ROWS; ++i)
                bitrows[i] = pbm_allocrow(cols);
        printf("\0333\001");                    /* \n = 1/144" */
diff -urN netpbm-9.25.orig/pbm/pbmtoascii.c netpbm-9.25/pbm/pbmtoascii.c
--- netpbm-9.25.orig/pbm/pbmtoascii.c   2000-03-25 23:23:05.000000000 +0100
+++ netpbm-9.25/pbm/pbmtoascii.c        2004-05-12 11:52:28.437154520 +0200
@@ -115,9 +115,11 @@
         pm_usage( usage );
 
     pbm_readpbminit( ifp, &cols, &rows, &format );
+    overflow_add(cols, gridx);
     ccols = ( cols + gridx - 1 ) / gridx;
     bitrow = pbm_allocrow( cols );
     sig = (int*) pm_allocrow( ccols, sizeof(int) );
+    overflow_add(ccols, 1);
     line = (char*) pm_allocrow( ccols + 1, sizeof(char) );
 
     for ( row = 0; row < rows; row += gridy )
diff -urN netpbm-9.25.orig/pbm/pbmtoatk.c netpbm-9.25/pbm/pbmtoatk.c
--- netpbm-9.25.orig/pbm/pbmtoatk.c     2000-06-09 09:05:24.000000000 +0200
+++ netpbm-9.25/pbm/pbmtoatk.c  2004-05-12 11:52:28.437154520 +0200
@@ -65,6 +65,7 @@
     bitrow = pbm_allocrow( cols );
 
     /* Compute padding to round cols up to the nearest multiple of 16. */
+    overflow_add(cols, 15);
     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
 
     printf ("\\begindata{raster,%d}\n", 1);
diff -urN netpbm-9.25.orig/pbm/pbmtocmuwm.c netpbm-9.25/pbm/pbmtocmuwm.c
--- netpbm-9.25.orig/pbm/pbmtocmuwm.c   1993-10-04 10:10:46.000000000 +0100
+++ netpbm-9.25/pbm/pbmtocmuwm.c        2004-05-12 11:52:28.438154368 +0200
@@ -43,6 +43,7 @@
     bitrow = pbm_allocrow( cols );
     
     /* Round cols up to the nearest multiple of 8. */
+    overflow_add(cols, 7);
     padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
 
     putinit( rows, cols );
diff -urN netpbm-9.25.orig/pbm/pbmtogem.c netpbm-9.25/pbm/pbmtogem.c
--- netpbm-9.25.orig/pbm/pbmtogem.c     2000-06-09 09:07:05.000000000 +0200
+++ netpbm-9.25/pbm/pbmtogem.c  2004-05-12 11:52:28.432155280 +0200
@@ -123,6 +123,7 @@
   bitsperitem = 0;
   bitshift = 7;
   outcol = 0;
+  overflow_add(cols, 7);
   outmax = (cols + 7) / 8;
   outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
   lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
diff -urN netpbm-9.25.orig/pbm/pbmtogo.c netpbm-9.25/pbm/pbmtogo.c
--- netpbm-9.25.orig/pbm/pbmtogo.c      2000-06-09 09:07:04.000000000 +0200
+++ netpbm-9.25/pbm/pbmtogo.c   2004-05-12 11:52:28.439154216 +0200
@@ -90,6 +90,7 @@
     bitrow = pbm_allocrow(cols);
 
     /* Round cols up to the nearest multiple of 8. */
+    overflow_add(cols, 7);
     rucols = ( cols + 7 ) / 8;
     bytesperrow = rucols;       /* GraphOn uses bytes */
     rucols = rucols * 8;
diff -urN netpbm-9.25.orig/pbm/pbmtoicon.c netpbm-9.25/pbm/pbmtoicon.c
--- netpbm-9.25.orig/pbm/pbmtoicon.c    1993-10-04 10:10:50.000000000 +0100
+++ netpbm-9.25/pbm/pbmtoicon.c 2004-05-12 11:52:28.439154216 +0200
@@ -42,6 +42,7 @@
     bitrow = pbm_allocrow( cols );
     
     /* Round cols up to the nearest multiple of 16. */
+    overflow_add(cols, 15);
     pad = ( ( cols + 15 ) / 16 ) * 16 - cols;
     padleft = pad / 2;
     padright = pad - padleft;
diff -urN netpbm-9.25.orig/pbm/pbmtolj.c netpbm-9.25/pbm/pbmtolj.c
--- netpbm-9.25.orig/pbm/pbmtolj.c      2002-02-22 05:32:44.000000000 +0100
+++ netpbm-9.25/pbm/pbmtolj.c   2004-05-12 11:52:28.441153912 +0200
@@ -30,6 +30,7 @@
 #include "pbm.h"
 #include <string.h>
 #include <assert.h>
+#include <string.h>
 
 static int dpi = 75;
 static int floating = 0;  /* suppress the ``ESC & l 0 E'' ? */
@@ -123,7 +124,11 @@
     pbm_readpbminit( ifp, &cols, &rows, &format );
     bitrow = pbm_allocrow( cols );
 
+    overflow_add(cols, 8);
     rowBufferSize = (cols + 7) / 8;
+    overflow_add(rowBufferSize, 128);
+    overflow_add(rowBufferSize, rowBufferSize+128);
+    overflow_add(rowBufferSize+10, rowBufferSize/8);
     packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
     deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
 
diff -urN netpbm-9.25.orig/pbm/pbmtomacp.c netpbm-9.25/pbm/pbmtomacp.c
--- netpbm-9.25.orig/pbm/pbmtomacp.c    2000-03-03 03:27:33.000000000 +0100
+++ netpbm-9.25/pbm/pbmtomacp.c 2004-05-12 11:52:28.440154064 +0200
@@ -102,6 +102,7 @@
   if( !lflg )
     left = 0;
 
+  overflow_add(left, MAX_COLS - 1);
   if( rflg )
   { if( right - left >= MAX_COLS )
       right = left + MAX_COLS - 1;
@@ -112,6 +113,8 @@
   if( !tflg )
     top = 0;
 
+  overflow_add(top, MAX_LINES - 1);
+
   if( bflg )
   { if( bottom - top >= MAX_LINES )
       bottom = top + MAX_LINES - 1;
diff -urN netpbm-9.25.orig/pbm/pbmtomda.c netpbm-9.25/pbm/pbmtomda.c
--- netpbm-9.25.orig/pbm/pbmtomda.c     2000-05-06 11:28:11.000000000 +0200
+++ netpbm-9.25/pbm/pbmtomda.c  2004-05-12 11:52:28.441153912 +0200
@@ -152,6 +152,8 @@
 
        if (bScale)     nOutRows = nInRows / 2;
        else            nOutRows = nInRows;
+
+       overflow_add(nOutRows, 3);
        nOutRows = ((nOutRows + 3) / 4) * 4;
                                         /* MDA wants rows a multiple of 4 */   
        nOutCols = nInCols / 8;
diff -urN netpbm-9.25.orig/pbm/pbmtomgr.c netpbm-9.25/pbm/pbmtomgr.c
--- netpbm-9.25.orig/pbm/pbmtomgr.c     1993-10-04 10:10:50.000000000 +0100
+++ netpbm-9.25/pbm/pbmtomgr.c  2004-05-12 11:52:28.440154064 +0200
@@ -43,6 +43,7 @@
     bitrow = pbm_allocrow( cols );
     
     /* Round cols up to the nearest multiple of 8. */
+    overflow_add(cols, 7);
     padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
 
     putinit( rows, cols );
diff -urN netpbm-9.25.orig/pbm/pbmtoppa/pbm.c netpbm-9.25/pbm/pbmtoppa/pbm.c
--- netpbm-9.25.orig/pbm/pbmtoppa/pbm.c 2000-06-01 19:20:30.000000000 +0200
+++ netpbm-9.25/pbm/pbmtoppa/pbm.c      2004-05-12 11:52:28.444153456 +0200
@@ -105,6 +105,7 @@
     return 0;
 
   case P4:
+    overflow_add(pbm->width, 7);
     tmp=(pbm->width+7)/8;
     tmp2=fread(data,1,tmp,pbm->fptr);
     if(tmp2 == tmp)
@@ -129,7 +130,8 @@
     return;
 
   pbm->unread = 1;
-  pbm->revdata = malloc ((pbm->width+7)/8);
+  overflow_add(pbm->width, 7);
+  pbm->revdata = malloc((pbm->width+7)/8);
   memcpy (pbm->revdata, data, (pbm->width+7)/8);
   pbm->current_line--;
 }
diff -urN netpbm-9.25.orig/pbm/pbmtoppa/pbmtoppa.c netpbm-9.25/pbm/pbmtoppa/pbmtoppa.c
--- netpbm-9.25.orig/pbm/pbmtoppa/pbmtoppa.c    2002-03-13 04:20:11.000000000 +0100
+++ netpbm-9.25/pbm/pbmtoppa/pbmtoppa.c 2004-05-12 11:52:28.443153608 +0200
@@ -471,6 +471,7 @@
     }
   }
 
+  overflow_add(Width, 7);
   Pwidth=(Width+7)/8;
   printer.fptr=out;
 
diff -urN netpbm-9.25.orig/pbm/pbmtox10bm.c netpbm-9.25/pbm/pbmtox10bm.c
--- netpbm-9.25.orig/pbm/pbmtox10bm.c   2000-06-09 09:07:01.000000000 +0200
+++ netpbm-9.25/pbm/pbmtox10bm.c        2004-05-12 11:52:28.438154368 +0200
@@ -57,6 +57,7 @@
     bitrow = pbm_allocrow( cols );
 
     /* Compute padding to round cols up to the nearest multiple of 16. */
+    overflow_add(cols, 15);
     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
 
     printf( "#define %s_width %d\n", name, cols );
diff -urN netpbm-9.25.orig/pbm/pbmtoxbm.c netpbm-9.25/pbm/pbmtoxbm.c
--- netpbm-9.25.orig/pbm/pbmtoxbm.c     2000-03-19 03:45:05.000000000 +0100
+++ netpbm-9.25/pbm/pbmtoxbm.c  2004-05-12 11:52:28.438154368 +0200
@@ -93,6 +93,8 @@
     bitrow = pbm_allocrow( cols );
     
     /* Compute padding to round cols up to the nearest multiple of 8. */
+
+    overflow_add(cols, 8);
     padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
 
     printf( "#define %s_width %d\n", name, cols );
diff -urN netpbm-9.25.orig/pbm/pbmtoybm.c netpbm-9.25/pbm/pbmtoybm.c
--- netpbm-9.25.orig/pbm/pbmtoybm.c     1993-10-04 10:10:43.000000000 +0100
+++ netpbm-9.25/pbm/pbmtoybm.c  2004-05-12 11:52:28.436154672 +0200
@@ -45,6 +45,7 @@
     bitrow = pbm_allocrow( cols );
     
     /* Compute padding to round cols up to the nearest multiple of 16. */
+    overflow_add(cols, 16);
     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
 
     putinit( cols, rows );
diff -urN netpbm-9.25.orig/pbm/pbmtozinc.c netpbm-9.25/pbm/pbmtozinc.c
--- netpbm-9.25.orig/pbm/pbmtozinc.c    2000-06-09 09:07:21.000000000 +0200
+++ netpbm-9.25/pbm/pbmtozinc.c 2004-05-12 11:52:28.436154672 +0200
@@ -66,6 +66,7 @@
     bitrow = pbm_allocrow( cols );
 
     /* Compute padding to round cols up to the nearest multiple of 16. */
+    overflow_add(cols, 16);
     padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
 
     printf( "USHORT %s[] = {\n",name);
diff -urN netpbm-9.25.orig/pbm/pm.h netpbm-9.25/pbm/pm.h
--- netpbm-9.25.orig/pbm/pm.h   2002-01-03 21:35:23.000000000 +0100
+++ netpbm-9.25/pbm/pm.h        2004-05-12 11:52:28.450152544 +0200
@@ -218,6 +218,12 @@
          enum pm_check_code * const retval_p);
 
 
+void *malloc2(int, int);
+void *malloc3(int, int, int);
+void overflow2(int, int);
+void overflow3(int, int, int);
+void overflow_add(int, int);
+
 /* By making this <> instead of "", we avoid making shhopt.h a dependency
    of every program in the package when we do make dep.
 */
diff -urN netpbm-9.25.orig/pbm/pm.h.orig netpbm-9.25/pbm/pm.h.orig
--- netpbm-9.25.orig/pbm/pm.h.orig      1970-01-01 01:00:00.000000000 +0100
+++ netpbm-9.25/pbm/pm.h.orig   2002-01-03 21:35:23.000000000 +0100
@@ -0,0 +1,243 @@
+/* pm.h - interface to format-independent part of libpbm.
+**
+** Copyright (C) 1988, 1989, 1991 by Jef Poskanzer.
+**
+** Permission to use, copy, modify, and distribute this software and its
+** documentation for any purpose and without fee is hereby granted, provided
+** that the above copyright notice appear in all copies and that both that
+** copyright notice and this permission notice appear in supporting
+** documentation.  This software is provided "as is" without express or
+** implied warranty.
+*/
+
+#ifndef _PM_H_
+#define _PM_H_
+
+#include "pm_config.h"
+
+#include <sys/types.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/stat.h>
+
+#ifdef VMS
+#include <perror.h>
+#endif
+
+/* NOTE: do not use "bool" as a type in an external interface.  It could
+   have different definitions on either side of the interface.  Even if both
+   sides include this interface header file, the conditional compilation
+   here means one side may use the typedef below and the other side may
+   use some other definition.  For an external interface, be safe and just
+   use "int".
+*/
+
+#ifndef TRUE
+#define TRUE 1
+#define FALSE 0
+/* C++ has a "bool" type built in. */
+#ifndef __cplusplus
+typedef int bool;
+#endif
+#elif defined(__DECC)
+/* Tru64 defines TRUE in standard header files, but not bool. 2001.09.21 */
+typedef int bool;
+#endif
+
+#undef max
+#define max(a,b) ((a) > (b) ? (a) : (b))
+#undef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#undef abs
+#define abs(a) ((a) >= 0 ? (a) : -(a))
+#undef odd
+#define odd(n) ((n) & 1)
+
+
+/* Definitions to make Netpbm programs work with either ANSI C or C
+   Classic.
+
+   This is obsolete, as all compilers recognize the ANSI syntax now.
+
+   We are slowly removing all the ARGS invocations from the programs
+   (and replacing them with explicit ANSI syntax), but we have a lot
+   of programs where we have removed ARGS from the definition but not
+   the prototype, and we have discovered that the Sun compiler
+   considers the resulting mismatch between definition and prototype
+   to be an error.  So we make ARGS create the ANSI syntax
+   unconditionally to avoid having to fix all those mismatches.  */
+
+#if 0
+#if __STDC__
+#define ARGS(alist) alist
+#else /*__STDC__*/
+#define ARGS(alist) ()
+#define const
+#endif /*__STDC__*/
+#endif
+#define ARGS(alist) alist
+
+
+void 
+pm_init(const char * const progname, unsigned int const flags);
+
+void 
+pm_proginit(int* const argcP, char* argv[]);
+
+void
+pm_setMessage(int const newState, int * const oldStateP);
+
+void
+pm_nextimage(FILE * const file, int * const eofP);
+
+/* Variable-sized arrays definitions. */
+
+char** 
+pm_allocarray (int const cols, int const rows, int const size );
+
+char* 
+pm_allocrow (int const cols, int const size);
+
+void 
+pm_freearray (char** const its, int const rows);
+
+void 
+pm_freerow(char* const itrow);
+
+
+/* Obsolete -- use shhopt instead */
+int 
+pm_keymatch (char* const str, char* const keyword, int const minchars);
+
+
+int 
+pm_maxvaltobits (int const maxval);
+
+int 
+pm_bitstomaxval (int const bits);
+
+unsigned int 
+pm_lcm (const unsigned int x, 
+        const unsigned int y,
+        const unsigned int z,
+        const unsigned int limit);
+
+/* GNU_PRINTF_ATTR lets the GNU compiler check pm_message() and pm_error()
+   calls to be sure the arguments match the format string, thus preventing
+   runtime segmentation faults and incorrect messages.
+*/
+#ifdef __GNUC__
+#define GNU_PRINTF_ATTR __attribute__ ((format (printf, 1,2)))
+#else
+#define GNU_PRINTF_ATTR
+#endif
+
+void GNU_PRINTF_ATTR
+pm_message (const char format[], ...);     
+
+void GNU_PRINTF_ATTR
+pm_error (const char reason[], ...);       
+
+/* Obsolete - use helpful error message instead */
+void
+pm_perror (const char reason[]);           
+
+/* Obsolete - use shhopt and man page instead */
+void 
+pm_usage (const char usage[]);             
+
+FILE* 
+pm_openr (const char* const name);
+         
+FILE*    
+pm_openw (const char* const name);
+         
+FILE *
+pm_openr_seekable(const char name[]);
+
+void     
+pm_close (FILE* const f);
+
+void 
+pm_closer (FILE* const f);
+          
+void      
+pm_closew (FILE* const f);
+
+
+
+int
+pm_readbigshort ( FILE* const in, short* const sP );
+
+int
+pm_writebigshort ( FILE* const out, short const s );
+
+int
+pm_readbiglong ( FILE* const in, long* const lP );
+
+int
+pm_writebiglong ( FILE* const out, long const l );
+
+int
+pm_readlittleshort ( FILE* const in, short* const sP );
+
+int
+pm_writelittleshort ( FILE* const out, short const s );
+
+int
+pm_readlittlelong ( FILE* const in, long* const lP );
+
+int
+pm_writelittlelong ( FILE* const out, long const l );
+
+char* 
+pm_read_unknown_size(FILE* const file, long* const buf);
+
+unsigned int
+pm_tell(FILE * const fileP);
+
+void
+pm_seek(FILE * const fileP, unsigned long filepos);
+
+enum pm_check_code {
+    PM_CHECK_OK,
+    PM_CHECK_UNKNOWN_TYPE,
+    PM_CHECK_TOO_LONG,
+    PM_CHECK_UNCHECKABLE,
+    PM_CHECK_TOO_SHORT
+};
+
+enum pm_check_type {
+    PM_CHECK_BASIC
+};
+
+void
+pm_check(FILE * const file, const enum pm_check_type check_type, 
+         const unsigned int need_raster_size,
+         enum pm_check_code * const retval_p);
+
+
+/* By making this <> instead of "", we avoid making shhopt.h a dependency
+   of every program in the package when we do make dep.
+*/
+#include <shhopt.h>
+
+/* Use pm_optParseOptions instead of optParseOptions in order to use the
+   shared Netpbm libraries
+*/
+void 
+pm_optParseOptions(int * const argc, char *argv[],
+                   optStruct opt[], int const allowNegNum);
+void 
+pm_optParseOptions2(int * const argc, char *argv[],
+                    const optStruct2 opt, const unsigned long flags);
+void
+pm_optParseOptions3(int * const argc_p, char *argv[], const optStruct3 opt, 
+                 const unsigned int optStructSize, const unsigned long flags);
+
+char *
+pm_arg0toprogname(const char arg0[]);
+
+#endif
+
diff -urN netpbm-9.25.orig/pbm/thinkjettopbm.l netpbm-9.25/pbm/thinkjettopbm.l
--- netpbm-9.25.orig/pbm/thinkjettopbm.l        2002-03-13 04:06:09.000000000 +0100
+++ netpbm-9.25/pbm/thinkjettopbm.l     2004-05-12 11:52:28.450152544 +0200
@@ -74,7 +74,9 @@
 <RASTERMODE>\033\*b{DIG}+W  {
                             int l;
                             if (rowCount >= rowCapacity) {
+                               overflow_add(rowCapacity, 100);
                                 rowCapacity += 100;
+                               overflow2(rowCapacity, sizeof *rows);
                                 rows = realloc (rows, rowCapacity * sizeof *rows);
                                 if (rows == NULL)
                                     pm_error ("Out of memory.");
@@ -167,6 +169,8 @@
     /*
      * Quite simple since ThinkJet bit arrangement matches PBM
      */
+
+    overflow2(maxRowLength, 8);
     pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
 
     packed_bitrow = malloc(maxRowLength);
diff -urN netpbm-9.25.orig/pbm/ybmtopbm.c netpbm-9.25/pbm/ybmtopbm.c
--- netpbm-9.25.orig/pbm/ybmtopbm.c     1993-10-04 10:10:35.000000000 +0100
+++ netpbm-9.25/pbm/ybmtopbm.c  2004-05-12 11:52:28.433155128 +0200
@@ -88,6 +88,7 @@
        pm_error( "EOF / read error" );
 
     *depthP = 1;
+    overflow_add(*colsP, 15);
     *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP;
     bitsperitem = 0;
     }
diff -urN netpbm-9.25.orig/pgm/lispmtopgm.c netpbm-9.25/pgm/lispmtopgm.c
--- netpbm-9.25.orig/pgm/lispmtopgm.c   2002-01-04 18:11:11.000000000 +0100
+++ netpbm-9.25/pgm/lispmtopgm.c        2004-05-12 11:52:28.454151936 +0200
@@ -55,6 +55,7 @@
         pm_error( "depth (%d bits) is too large", depth);
 
     pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
+    overflow_add(cols, 7);
     grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
 
     for ( row = 0; row < rows; ++row )
@@ -100,6 +101,8 @@
     if ( *depthP == 0 )
        *depthP = 1;    /* very old file */
     
+    overflow_add(colsP, 31);
+
     *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
     
     if ( *colsP != (cols_32 - *padrightP) ) {
diff -urN netpbm-9.25.orig/pgm/pbmtopgm.c netpbm-9.25/pgm/pbmtopgm.c
--- netpbm-9.25.orig/pgm/pbmtopgm.c     1993-10-06 14:24:38.000000000 +0100
+++ netpbm-9.25/pgm/pbmtopgm.c  2004-05-12 11:52:28.454151936 +0200
@@ -42,6 +42,7 @@
       pm_error("sample size greater than bitmap size");
 
    outrow = pgm_allocrow(cols) ;
+   overflow2(width, height);
    maxval = width*height;
    pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
 
diff -urN netpbm-9.25.orig/pgm/pgmcrater.c netpbm-9.25/pgm/pgmcrater.c
--- netpbm-9.25.orig/pgm/pgmcrater.c    2001-06-26 05:18:48.000000000 +0200
+++ netpbm-9.25/pgm/pgmcrater.c 2004-05-12 11:52:28.457151480 +0200
@@ -131,7 +131,7 @@
     /* Acquire the elevation array and initialise it to mean
        surface elevation. */
 
-    aux = (unsigned short *) malloc(SCRX * SCRY * sizeof(short));
+    aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short));
     if (aux == (unsigned short *) 0) {
         pm_error("out of memory allocating elevation array");
     }
@@ -258,7 +258,7 @@
     }
 
     i = max((slopemax - slopemin) + 1, 1);
-    slopemap = (unsigned char *) malloc(i * sizeof(unsigned char));
+    slopemap = (unsigned char *) malloc2(i, sizeof(unsigned char));
     if (slopemap == (unsigned char *) 0) {
         pm_error("out of memory allocating slope map");
     }
diff -urN netpbm-9.25.orig/pgm/pgmhist.c netpbm-9.25/pgm/pgmhist.c
--- netpbm-9.25.orig/pgm/pgmhist.c      1993-10-04 10:11:17.000000000 +0100
+++ netpbm-9.25/pgm/pgmhist.c   2004-05-12 11:52:28.457151480 +0200
@@ -45,8 +45,9 @@
     grayrow = pgm_allocrow( cols );
 
     /* Build histogram. */
-    hist = (int *) malloc( ( maxval + 1 ) * sizeof(int) );
-    rcount = (int *) malloc( ( maxval + 1 ) * sizeof(int) );
+    overflow_add(maxval, 1);
+    hist = (int *) malloc2( ( maxval + 1 ),  sizeof(int) );
+    rcount = (int *) malloc2( ( maxval + 1 ), sizeof(int) );
     if ( hist == (int *) 0 || rcount == (int *) 0 )
        pm_error( "out of memory" );
     for ( i = 0; i <= maxval; i++ )
diff -urN netpbm-9.25.orig/pgm/pgmkernel.c netpbm-9.25/pgm/pgmkernel.c
--- netpbm-9.25.orig/pgm/pgmkernel.c    2000-03-03 04:20:34.000000000 +0100
+++ netpbm-9.25/pgm/pgmkernel.c 2004-05-12 11:52:28.459151176 +0200
@@ -67,7 +67,7 @@
     kycenter = (fysize - 1) / 2.0;
     ixsize = fxsize + 0.999;
     iysize = fysize + 0.999;
-    fkernel = (double *) malloc ((unsigned)(ixsize*iysize*sizeof(double)));
+    fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double));
     for (i = 0; i < iysize; i++) 
        for (j = 0; j < ixsize; j++) {
            fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double)
diff -urN netpbm-9.25.orig/pgm/pgmtexture.c netpbm-9.25/pgm/pgmtexture.c
--- netpbm-9.25.orig/pgm/pgmtexture.c   2001-03-30 19:01:00.000000000 +0200
+++ netpbm-9.25/pgm/pgmtexture.c        2004-05-12 11:52:28.458151328 +0200
@@ -722,8 +722,10 @@
 float *vector (int nl, int nh)
 {
   float *v;
-
-  v = (float *) malloc ((unsigned) (nh - nl + 1) * sizeof (float));
+  overflow_add(nh, 1);
+  if(nh < nl)
+       pm_error("assert: h < l");
+  v = (float *) malloc2 ((nh - nl + 1), sizeof (float));
   if (!v)
     fprintf (stderr, "memory allocation failure"), exit (1);
   return v - nl;
@@ -738,15 +740,21 @@
   float **m;
 
   /* allocate pointers to rows */
-  m = (float **) malloc ((unsigned) (nrh - nrl + 1) * sizeof (float *));
+  overflow_add(nrh, 1);
+  if(nrh < nrl)
+       pm_error("assert: nrh < nrl");
+  m = (float **) malloc2(nrh - nrl + 1, sizeof (float *));
   if (!m)
     fprintf (stderr, "memory allocation failure"), exit (1);
   m -= ncl;
 
+  if(nch < ncl)
+       pm_error("assert: nch < ncl");
+  overflow_add(nch, 1);
   /* allocate rows and set pointers to them */
   for (i = nrl; i <= nrh; i++)
   {
-    m[i] = (float *) malloc ((unsigned) (nch - ncl + 1) * sizeof (float));
+    m[i] = (float *) malloc2(nch - ncl + 1, sizeof (float));
     if (!m[i])
       fprintf (stderr, "memory allocation failure"), exit (2);
     m[i] -= ncl;
diff -urN netpbm-9.25.orig/pgm/pgmtopbm.c netpbm-9.25/pgm/pgmtopbm.c
--- netpbm-9.25.orig/pgm/pgmtopbm.c     2001-09-03 20:11:42.000000000 +0200
+++ netpbm-9.25/pgm/pgmtopbm.c  2004-05-12 11:52:28.453152088 +0200
@@ -129,6 +129,7 @@
        {
        case QT_FS:
            /* Initialize Floyd-Steinberg error vectors. */
+           overflow_add(cols, 2);
            thiserr = (long*) pm_allocrow( cols + 2, sizeof(long) );
            nexterr = (long*) pm_allocrow( cols + 2, sizeof(long) );
            srand( (int) ( time( 0 ) ^ getpid( ) ) );
diff -urN netpbm-9.25.orig/pgm/psidtopgm.c netpbm-9.25/pgm/psidtopgm.c
--- netpbm-9.25.orig/pgm/psidtopgm.c    2002-01-04 18:11:10.000000000 +0100
+++ netpbm-9.25/pgm/psidtopgm.c 2004-05-12 11:52:28.458151328 +0200
@@ -60,6 +60,7 @@
            "bits/sample (%d) is too large.", bitspersample );
 
     pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
+    overflow_add(cols, 7);
     grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
     for ( row = 0; row < rows; ++row)
        {
diff -urN netpbm-9.25.orig/pnm/anytopnm netpbm-9.25/pnm/anytopnm
--- netpbm-9.25.orig/pnm/anytopnm       2000-07-26 03:54:08.000000000 +0200
+++ netpbm-9.25/pnm/anytopnm    2004-05-12 11:52:28.497145400 +0200
@@ -21,7 +21,7 @@
     exit 1
 fi
 
-tmpfiles=""
+tmpdir=$(mktemp -d -t anytopnm.XXXXXXXXXX) || exit 1 #219019
 
 # Take out all spaces
 # Find the filename extension for last-ditch efforts later
@@ -29,8 +29,9 @@
 
 # Sanitize the filename by making our own temporary files as safely as
 # possible.
-file="/tmp/atn.stdin.$$"
-rm -f "$file"
+# file="/tmp/atn.stdin.$$"
+#rm -f "$file"
+file="$tmpdir/atn.stdin"
 if [ $# -eq 0 -o "$1" = "-" ] ; then
        cat > "$file"
 else
@@ -57,9 +58,6 @@
     cat < "$1" > "$file"
 fi
 
-tmpfiles="$tmpfiles $file"
-
-
 
 filetype=`file "$file" | cut -d: -f2-`
 
@@ -70,7 +68,8 @@
     ;;
 
     *uuencoded* )
-    newfile="/tmp/atn.decode.$$"
+#    newfile="/tmp/atn.decode.$$"
+    newfile="$tmpdir/atn.decode"
     rm -f "$newfile"
     (echo begin 600 $newfile; tail +2 < "$file") | uudecode
     tmpfiles="$tmpfiles $newfile"
@@ -258,7 +257,7 @@
 esac
 
 
-if [ "$tmpfiles" ] ; then
-    rm -f $tmpfiles
+if [ "$tmpdir" ] ; then
+    rm -rf "$tmpdir"
 fi
 exit 0
diff -urN netpbm-9.25.orig/pnm/gemtopnm.c netpbm-9.25/pnm/gemtopnm.c
--- netpbm-9.25.orig/pnm/gemtopnm.c     2000-04-30 14:42:15.000000000 +0200
+++ netpbm-9.25/pnm/gemtopnm.c  2004-05-12 11:52:28.469149656 +0200
@@ -106,6 +106,7 @@
 
        pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 );
 
+    overflow_add(cols, padright);
     { 
         /* allocate input row data structure */
         int plane;
diff -urN netpbm-9.25.orig/pnm/jpegtopnm.c netpbm-9.25/pnm/jpegtopnm.c
--- netpbm-9.25.orig/pnm/jpegtopnm.c    2002-03-13 04:53:22.000000000 +0100
+++ netpbm-9.25/pnm/jpegtopnm.c 2004-05-12 11:52:28.485147224 +0200
@@ -173,7 +173,7 @@
     unsigned int option_def_index;
 
     int argc_parse;       /* argc, except we modify it as we parse */
-    char ** const argv_parse = malloc(argc*sizeof(char *));
+    char ** const argv_parse = malloc2(argc, sizeof(char *));
     /* argv, except we modify it as we parse */
 
     option_def_index = 0;   /* incremented by OPTENTRY */
@@ -846,6 +846,8 @@
   /* Calculate output image dimensions so we can allocate space */
   jpeg_calc_output_dimensions(&cinfo);
 
+  overflow2(cinfo.output_width, cinfo.output_components);
+
   jpegbuffer = ((*cinfo.mem->alloc_sarray)
                 ((j_common_ptr) &cinfo, JPOOL_IMAGE,
                  cinfo.output_width * cinfo.output_components, (JDIMENSION) 1)
diff -urN netpbm-9.25.orig/pnm/libpam.c netpbm-9.25/pnm/libpam.c
--- netpbm-9.25.orig/pnm/libpam.c       2002-03-06 04:39:37.000000000 +0100
+++ netpbm-9.25/pnm/libpam.c    2004-05-12 11:53:57.752576512 +0200
@@ -155,7 +155,8 @@
         themselves.  Each tuple consists of 'depth' samples.  
     */
 
-    tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytes_per_tuple));
+    overflow_add(sizeof(tuple *), bytes_per_tuple);
+    tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytes_per_tuple);
     if (tuplerow == NULL)
         pm_error("Out of memory allocating space for a tuple row of\n"
                  "%d tuples by %d samples per tuple by %d bytes per sample.",
@@ -190,7 +191,7 @@
        by allocating one large chunk.
        */
     
-    tuplearray = malloc(pamP->height * sizeof(tuple*));
+    tuplearray = malloc2(pamP->height, sizeof(tuple*));
     if (tuplearray == NULL) 
         pm_error("Out of memory allocating the row pointer section of "
                  "a %u row array", pamP->height);
diff -urN netpbm-9.25.orig/pnm/libpnm4.c netpbm-9.25/pnm/libpnm4.c
--- netpbm-9.25.orig/pnm/libpnm4.c      1993-10-04 10:11:33.000000000 +0100
+++ netpbm-9.25/pnm/libpnm4.c   2004-05-12 11:52:28.464150416 +0200
@@ -43,11 +43,16 @@
     ** not to be the case.  In reality, all of Sun's code rounds up to
     ** a short, not a long.
     */
+
+    overflow_add(depth,15);
+    overflow2(w, depth+15);
+    overflow2(w * depth + 15, 2);
+
     m->md_linebytes = ( w * depth + 15 ) / 16 * 2;
     m->md_offset.x = 0;
     m->md_offset.y = 0;
     m->md_flags = 0;
-    m->md_image = (unsigned char*) malloc( m->md_linebytes * h );
+    m->md_image = (unsigned char*) malloc2( m->md_linebytes,  h );
     if ( m->md_image == NULL )
        {
        free( m );
@@ -104,12 +109,15 @@
        case RT_STANDARD:
        case RT_FORMAT_RGB:
        /* Ignore hP->ras_length. */
+       overflow2(p->pr_size.y, p->pr_data->md_linebytes);
        h.ras_length = p->pr_size.y * p->pr_data->md_linebytes;
        break;
 
        case RT_BYTE_ENCODED:
+       overflow2(p->pr_size.y, p->pr_data->md_linebytes);
        size = p->pr_size.y * p->pr_data->md_linebytes;
        bp = p->pr_data->md_image;
+       overflow2(size, 3);
        beimage = (unsigned char*) malloc( size * 3 / 2 );      /* worst case */
        if ( beimage == NULL )
            return PIX_ERR;
@@ -191,6 +199,7 @@
            {
            case RMT_EQUAL_RGB:
            h.ras_maplength = colormap->length * 3;
+           overflow2(colormap->length, 3);
            break;
 
            case RMT_RAW:
@@ -395,6 +404,7 @@
        case RT_FORMAT_RGB:
        /* Ignore hP->ras_length. */
        i = p->pr_size.y * p->pr_data->md_linebytes;
+       overflow2(p->pr_size.y, p->pr_data->md_linebytes);
        if ( fread( p->pr_data->md_image, 1, i, in ) != i )
            {
            mem_free( p );
diff -urN netpbm-9.25.orig/pnm/pamcut.c netpbm-9.25/pnm/pamcut.c
--- netpbm-9.25.orig/pnm/pamcut.c       2001-11-12 06:11:27.000000000 +0100
+++ netpbm-9.25/pnm/pamcut.c    2004-05-12 11:53:57.753576360 +0200
@@ -380,6 +380,8 @@
     outpam.width = rightcol-leftcol+1;
     outpam.height = bottomrow-toprow+1;
 
+    overflow_add(rightcol, 1);
+    overflow_add(toprow, 1);
     pnm_writepaminit(&outpam);
 
     outputRow = pnm_allocpamrow(&outpam);
diff -urN netpbm-9.25.orig/pnm/pamoil.c netpbm-9.25/pnm/pamoil.c
--- netpbm-9.25.orig/pnm/pamoil.c       2001-06-29 08:13:03.000000000 +0200
+++ netpbm-9.25/pnm/pamoil.c    2004-05-12 11:53:57.758575600 +0200
@@ -112,7 +112,8 @@
     tuples = pnm_readpam(ifp, &inpam, sizeof(inpam));
     pm_close(ifp);
 
-    hist = malloc((inpam.maxval + 1) * sizeof(sample));
+    overflow_add(inpam.maxval, 1);
+    hist = malloc2((inpam.maxval + 1), sizeof(sample));
 
     outpam = inpam; outpam.file = stdout;
 
diff -urN netpbm-9.25.orig/pnm/pngtopnm.c netpbm-9.25/pnm/pngtopnm.c
--- netpbm-9.25.orig/pnm/pngtopnm.c     2002-01-04 18:22:43.000000000 +0100
+++ netpbm-9.25/pnm/pngtopnm.c  2004-05-12 11:52:28.460151024 +0200
@@ -371,18 +371,30 @@
   }
 
   if (info_ptr->bit_depth == 16)
+  {
+    overflow2(2, info_ptr->width);
     linesize = 2 * info_ptr->width;
+  }
   else
     linesize = info_ptr->width;
 
   if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+  {
     linesize *= 2;
+    overflow2(2, linesize);
+  }
   else
   if (info_ptr->color_type == PNG_COLOR_TYPE_RGB)
+  {
+    overflow2(3, linesize);
     linesize *= 3;
+  }
   else
   if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
+  {
+    overflow2(4, linesize);
     linesize *= 4;
+  }
 
   for (y = 0 ; y < info_ptr->height ; y++) {
     png_image[y] = malloc (linesize);
diff -urN netpbm-9.25.orig/pnm/pnmcat.c netpbm-9.25/pnm/pnmcat.c
--- netpbm-9.25.orig/pnm/pnmcat.c       1993-10-04 10:11:35.000000000 +0100
+++ netpbm-9.25/pnm/pnmcat.c    2004-05-12 11:52:28.464150416 +0200
@@ -83,13 +83,13 @@
        nfiles = argc - argn;
     else
        nfiles = 1;
-    ifp = (FILE**) malloc( nfiles * sizeof(FILE*) );
-    xelrow = (xel**) malloc( nfiles * sizeof(xel*) );
-    background = (xel*) malloc( nfiles * sizeof(xel) );
-    maxval = (xelval*) malloc( nfiles * sizeof(xelval) );
-    rows = (int*) malloc( nfiles * sizeof(int) );
-    cols = (int*) malloc( nfiles * sizeof(int) );
-    format = (int*) malloc( nfiles * sizeof(int) );
+    ifp = (FILE**) malloc2( nfiles, sizeof(FILE*) );
+    xelrow = (xel**) malloc2( nfiles, sizeof(xel*) );
+    background = (xel*) malloc2( nfiles, sizeof(xel) );
+    maxval = (xelval*) malloc2( nfiles, sizeof(xelval) );
+    rows = (int*) malloc2( nfiles, sizeof(int) );
+    cols = (int*) malloc2( nfiles, sizeof(int) );
+    format = (int*) malloc2( nfiles, sizeof(int) );
     if ( ifp == (FILE**) 0 || xelrow == (xel**) 0 || background == (xel*) 0 ||
         maxval == (xelval*) 0 || rows == (int*) 0 || cols == (int*) 0 ||
         format == (int*) 0 )
diff -urN netpbm-9.25.orig/pnm/pnmcrop.c netpbm-9.25/pnm/pnmcrop.c
--- netpbm-9.25.orig/pnm/pnmcrop.c      2001-05-20 09:24:08.000000000 +0200
+++ netpbm-9.25/pnm/pnmcrop.c   2004-05-12 11:52:28.463150568 +0200
@@ -378,6 +378,8 @@
 
         xelrow = pnm_allocrow(cols);
 
+       overflow_add(right, 1);
+       overflow_add(bottom, 1);
         newcols = right - left + 1;
         newrows = bottom - top + 1;
         pnm_writepnminit(stdout, newcols, newrows, maxval, format, 0);
diff -urN netpbm-9.25.orig/pnm/pnmcut.c netpbm-9.25/pnm/pnmcut.c
--- netpbm-9.25.orig/pnm/pnmcut.c       2001-11-05 05:23:49.000000000 +0100
+++ netpbm-9.25/pnm/pnmcut.c    2004-05-12 11:52:28.467149960 +0200
@@ -372,6 +372,7 @@
                    toprow, leftcol, bottomrow, rightcol);
     }
 
+    overflow_add(rightcol, 1);
     output_cols = rightcol-leftcol+1;
     output_row = pnm_allocrow(output_cols);
     
diff -urN netpbm-9.25.orig/pnm/pnmenlarge.c netpbm-9.25/pnm/pnmenlarge.c
--- netpbm-9.25.orig/pnm/pnmenlarge.c   1993-10-04 10:11:39.000000000 +0100
+++ netpbm-9.25/pnm/pnmenlarge.c        2004-05-12 11:52:28.468149808 +0200
@@ -52,6 +52,9 @@
 
     pnm_readpnminit( ifp, &cols, &rows, &maxval, &format );
     xelrow = pnm_allocrow( cols );
+
+    overflow2(cols, n);
+    overflow2(rows, n);
     pnm_writepnminit( stdout, cols * n, rows * n, maxval, format, 0 );
     newxelrow = pnm_allocrow( cols * n );
 
diff -urN netpbm-9.25.orig/pnm/pnmflip.c netpbm-9.25/pnm/pnmflip.c
--- netpbm-9.25.orig/pnm/pnmflip.c      2001-09-07 17:49:30.000000000 +0200
+++ netpbm-9.25/pnm/pnmflip.c   2004-05-12 11:52:28.470149504 +0200
@@ -289,6 +289,13 @@
     
     pnm_readpnminit( ifp, &cols, &rows, &maxval, &format );
 
+    overflow2(abs(xform.a), cols);
+    overflow2(abs(xform.b), cols);
+    overflow2(abs(xform.c), rows);
+    overflow2(abs(xform.d), rows);
+    overflow_add(abs( xform.a ) * cols, abs( xform.c ) * rows);
+    overflow_add(abs( xform.b ) * cols, abs( xform.d ) * rows);
+
     newcols = abs( xform.a ) * cols + abs( xform.c ) * rows;
     newrows = abs( xform.b ) * cols + abs( xform.d ) * rows;
     
diff -urN netpbm-9.25.orig/pnm/pnmgamma.c netpbm-9.25/pnm/pnmgamma.c
--- netpbm-9.25.orig/pnm/pnmgamma.c     2002-03-13 04:53:23.000000000 +0100
+++ netpbm-9.25/pnm/pnmgamma.c  2004-05-12 11:52:28.472149200 +0200
@@ -271,9 +271,11 @@
                   xelval **rtableP, xelval **gtableP, xelval **btableP) {
 
     /* Allocate space for the tables. */
-    *rtableP = (xelval*) malloc( (maxval+1) * sizeof(xelval) );
-    *gtableP = (xelval*) malloc( (maxval+1) * sizeof(xelval) );
-    *btableP = (xelval*) malloc( (maxval+1) * sizeof(xelval) );
+
+    overflow_add(maxval, 1);
+    *rtableP = (xelval*) malloc2( (maxval+1) , sizeof(xelval) );
+    *gtableP = (xelval*) malloc2( (maxval+1) , sizeof(xelval) );
+    *btableP = (xelval*) malloc2( (maxval+1) , sizeof(xelval) );
     if (*rtableP == NULL || *gtableP == NULL || *btableP == NULL)
         pm_error( "out of memory" );
 
diff -urN netpbm-9.25.orig/pnm/pnmhisteq.c netpbm-9.25/pnm/pnmhisteq.c
--- netpbm-9.25.orig/pnm/pnmhisteq.c    2000-06-09 09:51:45.000000000 +0200
+++ netpbm-9.25/pnm/pnmhisteq.c 2004-05-12 11:52:28.493146008 +0200
@@ -210,6 +210,7 @@
        user has specified an input map file, read it in at
        this point. */
 
+    overflow_add(maxval, 1);
     lumahist = (long *) pm_allocrow(maxval + 1, sizeof(long));
     memset((char *) lumahist, 0, (maxval + 1) * sizeof(long));
 
diff -urN netpbm-9.25.orig/pnm/pnmindex netpbm-9.25/pnm/pnmindex
--- netpbm-9.25.orig/pnm/pnmindex       2001-08-30 04:21:14.000000000 +0200
+++ netpbm-9.25/pnm/pnmindex    2004-05-12 11:52:28.497145400 +0200
@@ -94,8 +94,9 @@
 fi
 
 #tmpfile=`tempfile -p pi -m 600`
-tmpfile=$TMPDIR/pi.tmp.$$
-rm -f $tmpfile
+#tmpfile=$TMPDIR/pi.tmp.$$
+#rm -f $tmpfile
+tmpfile=$(mktemp -t pi.XXXXXXXX) || exit 1 #219019
 maxformat=PBM
 
 rowfiles=()
diff -urN netpbm-9.25.orig/pnm/pnmmargin netpbm-9.25/pnm/pnmmargin
--- netpbm-9.25.orig/pnm/pnmmargin      1993-10-04 10:11:44.000000000 +0100
+++ netpbm-9.25/pnm/pnmmargin   2004-05-12 11:52:28.498145248 +0200
@@ -11,11 +11,16 @@
 # documentation.  This software is provided "as is" without express or
 # implied warranty.
 
-tmp1=/tmp/pnmm1$$
-tmp2=/tmp/pnmm2$$
-tmp3=/tmp/pnmm3$$
-tmp4=/tmp/pnmm4$$
-rm -f $tmp1 $tmp2 $tmp3 $tmp4
+#tmp1=.tmppnmm1$$
+#tmp2=.tmppnmm2$$
+#tmp3=.tmppnmm3$$
+#tmp4=.tmppnmm4$$
+#rm -f $tmp1 $tmp2 $tmp3 $tmp4
+tmpdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 #219019
+tmp1=$tmpdir/tmp1
+tmp2=$tmpdir/tmp2
+tmp3=$tmpdir/tmp3
+tmp4=$tmpdir/tmp4
 
 color="-gofigure"
 
@@ -83,4 +88,4 @@
 pnmcat -tb $tmp3 $tmp4 $tmp3
 
 # All done.
-rm -f $tmp1 $tmp2 $tmp3 $tmp4
+rm -rf $tmpdir
diff -urN netpbm-9.25.orig/pnm/pnmmontage.c netpbm-9.25/pnm/pnmmontage.c
--- netpbm-9.25.orig/pnm/pnmmontage.c   2001-01-01 20:59:04.000000000 +0100
+++ netpbm-9.25/pnm/pnmmontage.c        2004-05-12 11:53:57.755576056 +0200
@@ -229,9 +229,9 @@
   else
     nfiles = 1;
 
-  imgs = (struct pam*)malloc(nfiles * sizeof(struct pam));
-  coords = (coord *)malloc(nfiles * sizeof(coord));
-  names = (char **)malloc(nfiles * sizeof(char *));
+  imgs = (struct pam*)malloc2(nfiles, sizeof(struct pam));
+  coords = (coord *)malloc2(nfiles, sizeof(coord));
+  names = (char **)malloc2(nfiles, sizeof(char *));
   if (!imgs || !coords || !names)
     pm_error("out of memory");
 
diff -urN netpbm-9.25.orig/pnm/pnmpaste.c netpbm-9.25/pnm/pnmpaste.c
--- netpbm-9.25.orig/pnm/pnmpaste.c     1993-10-04 10:11:53.000000000 +0100
+++ netpbm-9.25/pnm/pnmpaste.c  2004-05-12 11:52:28.486147072 +0200
@@ -100,11 +100,16 @@
            "y is too large -- the second anymap has only %d rows",
            rows2 );
 
+    overflow_add(x, cols2);
+    overflow_add(y, rows2);
     if ( x < 0 )
        x += cols2;
     if ( y < 0 )
        y += rows2;
 
+    overflow_add(x, cols1);
+    overflow_add(y, rows1);
+
     if ( x + cols1 > cols2 )
        pm_error( "x + width is too large by %d pixels", x + cols1 - cols2 );
     if ( y + rows1 > rows2 )
diff -urN netpbm-9.25.orig/pnm/pnmrotate.c netpbm-9.25/pnm/pnmrotate.c
--- netpbm-9.25.orig/pnm/pnmrotate.c    2001-06-25 05:34:52.000000000 +0200
+++ netpbm-9.25/pnm/pnmrotate.c 2004-05-12 11:52:28.487146920 +0200
@@ -11,6 +11,7 @@
 */
 
 #include <math.h>
+#include <limits.h>
 #include "pnm.h"
 #ifndef M_PI
 #define M_PI    3.14159265358979323846
@@ -93,11 +94,18 @@
         newmaxval = maxval;
     }
 
+    overflow2(rows, xshearfac);
+    overflow_add(cols, 1);
+    overflow_add(rows * xshearfac, cols);
+
     tempcols = rows * xshearfac + cols + 0.999999;
     yshearjunk = ( tempcols - cols ) * yshearfac;
     newrows = tempcols * yshearfac + rows + 0.999999;
     x2shearjunk = ( newrows - rows - yshearjunk ) * xshearfac;
     newrows -= 2 * yshearjunk;
+
+    if(newrows * xshearfac + tempcols + 0.999999 - 2 * x2shearjunk > INT_MAX)
+       pm_error("image too large");
     newcols = newrows * xshearfac + tempcols + 0.999999 - 2 * x2shearjunk;
 
     bgxel = pnm_backgroundxelrow( xelrow, cols, newmaxval, format );
diff -urN netpbm-9.25.orig/pnm/pnmscalefixed.c netpbm-9.25/pnm/pnmscalefixed.c
--- netpbm-9.25.orig/pnm/pnmscalefixed.c        2002-01-04 18:22:44.000000000 +0100
+++ netpbm-9.25/pnm/pnmscalefixed.c     2004-05-12 11:53:57.756575904 +0200
@@ -208,6 +208,8 @@
                           const int rows, const int cols,
                           int * newrowsP, int * newcolsP) {
 
+    overflow2(rows, cols);
+
     if (cmdline.pixels) {
         if (rows * cols <= cmdline.pixels) {
             *newrowsP = rows;
@@ -259,6 +261,8 @@
 
     if (*newcolsP < 1) *newcolsP = 1;
     if (*newrowsP < 1) *newrowsP = 1;
+
+    overflow2(*newcolsP, *newrowsP);
 }        
 
 
@@ -440,6 +444,9 @@
        unfilled.  We can address that by stretching, whereas the other
        case would require throwing away some of the input.
     */
+
+    overflow2(newcols, SCALE);
+    overflow2(newrows, SCALE);
     sxscale = SCALE * newcols / cols;
     syscale = SCALE * newrows / rows;
 
diff -urN netpbm-9.25.orig/pnm/pnmshear.c netpbm-9.25/pnm/pnmshear.c
--- netpbm-9.25.orig/pnm/pnmshear.c     2001-06-26 06:43:02.000000000 +0200
+++ netpbm-9.25/pnm/pnmshear.c  2004-05-12 11:52:28.487146920 +0200
@@ -11,6 +11,7 @@
 */
 
 #include <math.h>
+#include <limits.h>
 #include "pnm.h"
 #ifndef M_PI
 #define M_PI    3.14159265358979323846
@@ -194,6 +195,11 @@
     if ( shearfac < 0.0 )
         shearfac = -shearfac;
 
+    if(rows * shearfac >= INT_MAX-1)
+       pm_error("image too large");
+
+    overflow_add(rows * shearfac, cols+1);
+
     newcols = rows * shearfac + cols + 0.999999;
 
     pnm_writepnminit( stdout, newcols, rows, newmaxval, newformat, 0 );
diff -urN netpbm-9.25.orig/pnm/pnmsplit.c netpbm-9.25/pnm/pnmsplit.c
--- netpbm-9.25.orig/pnm/pnmsplit.c     2001-09-07 17:49:44.000000000 +0200
+++ netpbm-9.25/pnm/pnmsplit.c  2004-05-12 11:52:28.496145552 +0200
@@ -120,6 +120,7 @@
     *(strstr(before_sub, "%d")) = '\0';
     after_sub = strstr(output_file_pattern, "%d") + 2;
 
+    overflow_add(strlen(output_file_pattern), 9);
     size = strlen(output_file_pattern) - 2 + 10 + 1;
     *output_name_p = malloc(size);
 
diff -urN netpbm-9.25.orig/pnm/pnmtoddif.c netpbm-9.25/pnm/pnmtoddif.c
--- netpbm-9.25.orig/pnm/pnmtoddif.c    2000-05-06 08:30:12.000000000 +0200
+++ netpbm-9.25/pnm/pnmtoddif.c 2004-05-12 11:52:28.493146008 +0200
@@ -477,6 +477,7 @@
   switch (PNM_FORMAT_TYPE(format)) {
   case PBM_TYPE:
      ip.bits_per_pixel = 1;
+     overflow_add(cols, 7);
      ip.bytes_per_line = (cols + 7) / 8;
      ip.spectral = 2;
      ip.components = 1;
@@ -492,6 +493,7 @@
      ip.polarity = 2;
     break;
   case PPM_TYPE:
+     overflow2(cols, 3);
      ip.bytes_per_line = 3 * cols;
      ip.bits_per_pixel = 24;
      ip.spectral = 5;
diff -urN netpbm-9.25.orig/pnm/pnmtojpeg.c netpbm-9.25/pnm/pnmtojpeg.c
--- netpbm-9.25.orig/pnm/pnmtojpeg.c    2001-09-20 19:57:40.000000000 +0200
+++ netpbm-9.25/pnm/pnmtojpeg.c 2004-05-12 11:53:57.759575448 +0200
@@ -149,7 +149,7 @@
     unsigned int option_def_index;
 
     int argc_parse;       /* argc, except we modify it as we parse */
-    char ** const argv_parse = malloc(argc*sizeof(char *));
+    char ** const argv_parse = malloc2(argc,sizeof(char *));
     /* argv, except we modify it as we parse */
 
     option_def_index = 0;   /* incremented by OPTENTRY */
@@ -543,6 +543,8 @@
   const long half_maxval = maxval / 2;
   long val;
 
+  overflow_add(maxval, 1);
+  overflow2(maxval+1, sizeof(JSAMPLE));
   *rescale_p = (JSAMPLE *)
     (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE,
                               (size_t) (((long) maxval + 1L) * 
@@ -619,6 +621,7 @@
     */
 
   /* Allocate the libpnm output and compressor input buffers */
+  overflow2(cinfo_p->image_width, cinfo_p->input_components);
   buffer = (*cinfo_p->mem->alloc_sarray)
     ((j_common_ptr) cinfo_p, JPOOL_IMAGE,
      (unsigned int) cinfo_p->image_width * cinfo_p->input_components, 
@@ -886,7 +889,9 @@
          * want JPOOL_PERMANENT.  
          */
         const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info);
-        jpeg_scan_info *scan_info = 
+        jpeg_scan_info *scan_info;
+       overflow2(nscans, sizeof(jpeg_scan_info));
+       scan_info =
             (jpeg_scan_info *)
             (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
                                         scan_info_size);
diff -urN netpbm-9.25.orig/pnm/pnmtopalm/palmcolormap.c netpbm-9.25/pnm/pnmtopalm/palmcolormap.c
--- netpbm-9.25.orig/pnm/pnmtopalm/palmcolormap.c       2001-12-30 20:19:14.000000000 +0100
+++ netpbm-9.25/pnm/pnmtopalm/palmcolormap.c    2004-05-12 11:53:57.756575904 +0200
@@ -229,7 +229,7 @@
     return 0;
 
   colormap = malloc(sizeof(Colormap_s));
-  colormap->color_entries = malloc(sizeof(Color_s) * ncolors);
+  colormap->color_entries = malloc2(sizeof(Color_s), ncolors);
   colormap->nentries = ncolors;
   colormap->ncolors = ncolors;
 
diff -urN netpbm-9.25.orig/pnm/pnmtopalm/palmtopnm.c netpbm-9.25/pnm/pnmtopalm/palmtopnm.c
--- netpbm-9.25.orig/pnm/pnmtopalm/palmtopnm.c  2001-12-30 19:54:24.000000000 +0100
+++ netpbm-9.25/pnm/pnmtopalm/palmtopnm.c       2004-05-12 11:53:57.757575752 +0200
@@ -14,7 +14,7 @@
     int i;
     xelval *map;
 
-    map = (xelval *) malloc(sizeof(xelval) * ncolors);
+    map = (xelval *) malloc2(sizeof(xelval), ncolors);
     for (i = 0;  i < ncolors;  i++)
     {
         map[i] = maxval - (i * (maxval - minval)) / (ncolors - 1);
@@ -244,7 +244,7 @@
         graymap = figure_graymap(ncolors, 0, maxval);
     if (showhist)
     {
-        seen = (unsigned int *) malloc(sizeof(unsigned int) * ncolors);
+        seen = (unsigned int *) malloc2(sizeof(unsigned int), ncolors);
         if (!seen)
             pm_error("Can't allocate %d bytes for keeping track of "
                      "which pixels were seen.", 
diff -urN netpbm-9.25.orig/pnm/pnmtopng.c netpbm-9.25/pnm/pnmtopng.c
--- netpbm-9.25.orig/pnm/pnmtopng.c     2001-12-17 23:05:22.000000000 +0100
+++ netpbm-9.25/pnm/pnmtopng.c  2004-05-12 11:52:28.495145704 +0200
@@ -211,14 +211,17 @@
   int c;
   char *cp;
 
-  /* GRR:  need to check for malloc failure here */
-  info_ptr->text = (png_text *)malloc (MAXCOMMENTS * sizeof (png_text));
+  info_ptr->text = (png_text *)malloc2 (MAXCOMMENTS, sizeof (png_text));
+  if(info_ptr->text == NULL)
+       pm_error("out of memory");
   j = 0;
   textpos = 0;
   while ((c = getc (tfp)) != EOF) {
     if (c != '\n' && c != EOF) {
+      overflow_add(textpos, 1);
       textline[textpos++] = c;
     } else {
+      overflow_add(textpos, 1);
       textline[textpos++] = '\0';
       if ((textline[0] != ' ') && (textline[0] != '\t')) {
         /* the following is a not that accurate check on Author or Title */
@@ -248,6 +251,7 @@
         j++;
       } else {
         j--;
+        overflow_add(info_ptr->text[j].text_length, textpos);
         cp = malloc (info_ptr->text[j].text_length + textpos);
         strcpy (cp, info_ptr->text[j].text);
         strcat (cp, "\n");
@@ -901,12 +905,21 @@
       }
     if (alpha) {
       if (pnm_type == PPM_TYPE)
+      {
+        overflow2(depth, 4);
         fulldepth = 4 * depth;
+      }
       else
+      {
+        overflow2(depth, 2);
         fulldepth = 2 * depth;
+      }
     } else {
       if (pnm_type == PPM_TYPE)
+      {
+        overflow2(depth, 3);
         fulldepth = 3 * depth;
+      }
       else
         fulldepth = depth;
     }
@@ -1229,7 +1242,7 @@
   png_set_packing (png_ptr);
 
   /* max: 3 color channels, one alpha channel, 16-bit */
-  if ((line = (png_byte *) malloc (cols*8)) == NULL)
+  if ((line = (png_byte *) malloc2(cols, 8)) == NULL)
   {
     png_destroy_write_struct (&png_ptr, &info_ptr);
     pm_closer (ifp);
diff -urN netpbm-9.25.orig/pnm/pnmtops.c netpbm-9.25/pnm/pnmtops.c
--- netpbm-9.25.orig/pnm/pnmtops.c      2002-01-09 16:32:19.000000000 +0100
+++ netpbm-9.25/pnm/pnmtops.c   2004-05-12 11:52:28.488146768 +0200
@@ -136,15 +136,24 @@
     cmdlineP->center  = !nocenter;
     cmdlineP->canturn = !noturn;
     
+    overflow2(width, 72);
+    overflow2(height, 72);
+
     cmdlineP->width  = width * 72;
     cmdlineP->height = height * 72;
 
     if (imagewidth_spec)
+    {
+       overflow2(imagewidth, 72);
         cmdlineP->imagewidth = imagewidth * 72;
+    }
     else
         cmdlineP->imagewidth = 0;
     if (imageheight_spec)
+    {
+        overflow2(imageheight, 72);
         cmdlineP->imageheight = imageheight * 72;
+    }
     else
         cmdlineP->imageheight = 0;
 
diff -urN netpbm-9.25.orig/pnm/pnmtorast.c netpbm-9.25/pnm/pnmtorast.c
--- netpbm-9.25.orig/pnm/pnmtorast.c    1993-10-04 10:11:58.000000000 +0100
+++ netpbm-9.25/pnm/pnmtorast.c 2004-05-12 11:52:28.489146616 +0200
@@ -299,11 +299,11 @@
     pr_colormapP->type = RMT_EQUAL_RGB;
     pr_colormapP->length = MAXCOLORS;
     pr_colormapP->map[0] =
-       (unsigned char*) malloc( MAXCOLORS * sizeof(unsigned char) );
+       (unsigned char*) malloc2( MAXCOLORS, sizeof(unsigned char) );
     pr_colormapP->map[1] =
-       (unsigned char*) malloc( MAXCOLORS * sizeof(unsigned char) );
+       (unsigned char*) malloc2( MAXCOLORS, sizeof(unsigned char) );
     pr_colormapP->map[2] =
-       (unsigned char*) malloc( MAXCOLORS * sizeof(unsigned char) );
+       (unsigned char*) malloc2( MAXCOLORS, sizeof(unsigned char) );
     if ( pr_colormapP->map[0] == 0 || pr_colormapP->map[1] == 0 ||
         pr_colormapP->map[2] == 0 )
        pm_error( "out of memory" );
diff -urN netpbm-9.25.orig/pnm/pnmtorle.c netpbm-9.25/pnm/pnmtorle.c
--- netpbm-9.25.orig/pnm/pnmtorle.c     2002-03-13 04:50:50.000000000 +0100
+++ netpbm-9.25/pnm/pnmtorle.c  2004-05-12 11:52:28.496145552 +0200
@@ -19,6 +19,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /*
  * pnmtorle - A program which will convert pbmplus (ppm or pgm) images
@@ -134,7 +136,7 @@
  */
    /*xelrow = pnm_allowcrow(width);*/
    xelrow = (xel*) pm_allocrow( width, sizeof(xel) );
-   scanlines = (rle_pixel ***)malloc( height * sizeof(rle_pixel **) );
+   scanlines = (rle_pixel ***)malloc2( height,  sizeof(rle_pixel **) );
    RLE_CHECK_ALLOC( hdr.cmd, scanlines, "scanline pointers" );
 
    for ( scan = 0; scan < height; scan++ )
diff -urN netpbm-9.25.orig/pnm/pnmtosgi.c netpbm-9.25/pnm/pnmtosgi.c
--- netpbm-9.25.orig/pnm/pnmtosgi.c     2001-06-03 10:35:32.000000000 +0200
+++ netpbm-9.25/pnm/pnmtosgi.c  2004-05-12 11:52:28.469149656 +0200
@@ -37,7 +37,8 @@
 static ScanElem *compress ARGS((ScanElem *temp, int row, int rows, int cols, int chan_no, long *table, int bpc));
 static int rle_compress ARGS((ScanElem *inbuf, int cols));
 static void * xmalloc ARGS((int bytes));
-#define MALLOC(n, type)     (type *)xmalloc((n) * sizeof(type))
+static void * xmalloc2 ARGS((int x, int y));
+#define MALLOC(n, type)     (type *)xmalloc2((n), sizeof(type))
 
 #define WORSTCOMPR(x)   (2*(x) + 2)
 
@@ -224,6 +225,22 @@
     return mem;
 }
 
+static void *
+xmalloc2(int x, int y)
+{
+    void *mem;
+
+    overflow2(x,y);
+    if( x * y == 0 )
+        return NULL;
+
+    mem = malloc2(x, y);
+    if( mem == NULL )
+        pm_error("out of memory allocating %d bytes", x * y);
+    return mem;
+}
+
+
 static void
 put_big_short(short s)
 {
@@ -261,6 +278,7 @@
 #endif
 
     if( storage != STORAGE_VERBATIM ) {
+        overflow2(channels, rows);
         table = MALLOC(channels * rows, long);
         rletemp = MALLOC(WORSTCOMPR(cols), ScanElem);
     }
@@ -314,6 +332,8 @@
             break;
         case STORAGE_RLE:
             tabrow = chan_no * rows + row;
+            overflow2(chan_no, rows);
+            overflow_add(chan_no* rows, row);
             len = rle_compress(temp, cols);     /* writes result into rletemp */
             channel[chan_no][row].length = len;
             channel[chan_no][row].data = p = MALLOC(len, ScanElem);
diff -urN netpbm-9.25.orig/pnm/pstopnm.c netpbm-9.25/pnm/pstopnm.c
--- netpbm-9.25.orig/pnm/pstopnm.c      2001-09-07 17:49:59.000000000 +0200
+++ netpbm-9.25/pnm/pstopnm.c   2004-05-12 11:53:57.751576664 +0200
@@ -175,6 +175,7 @@
     else {
         char *filespec_plus_ps;
 
+        overflow_add(strlen(orig_filespec), 4);
         filespec_plus_ps = malloc(strlen(orig_filespec) + 4);
         strcpy(filespec_plus_ps, orig_filespec);
         strcat(filespec_plus_ps, ".ps");
@@ -416,6 +417,7 @@
 
     char *retval;  /* malloc'ed */
 
+    overflow_add(strlen(cmdline.input_filespec), 10);
     retval = malloc(strlen(cmdline.input_filespec) + 10);
 
     if (cmdline.goto_stdout)
diff -urN netpbm-9.25.orig/pnm/rletopnm.c netpbm-9.25/pnm/rletopnm.c
--- netpbm-9.25.orig/pnm/rletopnm.c     2002-03-13 04:50:54.000000000 +0100
+++ netpbm-9.25/pnm/rletopnm.c  2004-05-12 11:52:28.498145248 +0200
@@ -19,6 +19,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /*
  * rletopnm - A conversion program to convert from Utah's "rle" image format
@@ -187,7 +189,7 @@
    pixelrow = ppm_allocrow(width);
    alpharow = pgm_allocrow(width);
 
-   scanlines = (rle_pixel ***)malloc( height * sizeof(rle_pixel **) );
+   scanlines = (rle_pixel ***)malloc2( height,  sizeof(rle_pixel **) );
    RLE_CHECK_ALLOC( hdr.cmd, scanlines, "scanline pointers" );
 
    for ( scan = 0; scan < height; scan++ )
@@ -286,7 +288,7 @@
    pixelrow = pgm_allocrow(width);
    alpharow = pgm_allocrow(width);
 
-   scanlines = (rle_pixel ***)malloc( height * sizeof(rle_pixel **) );
+   scanlines = (rle_pixel ***)malloc2( height, sizeof(rle_pixel **) );
    RLE_CHECK_ALLOC( hdr.cmd, scanlines, "scanline pointers" );
 
    for ( scan = 0; scan < height; scan++ )
diff -urN netpbm-9.25.orig/pnm/sgitopnm.c netpbm-9.25/pnm/sgitopnm.c
--- netpbm-9.25.orig/pnm/sgitopnm.c     2002-01-04 18:29:11.000000000 +0100
+++ netpbm-9.25/pnm/sgitopnm.c  2004-05-12 11:52:28.474148896 +0200
@@ -44,8 +44,8 @@
 static short get_big_short ARGS((FILE *f));
 static short get_byte_as_short ARGS((FILE *f));
 static void readerr ARGS((FILE *f));
-static void * xmalloc ARGS((int bytes));
-#define MALLOC(n, type)     (type *)xmalloc((n) * sizeof(type))
+static void * xmalloc2 ARGS((int x, int y));
+#define MALLOC(n, type)     (type *)xmalloc2((n), sizeof(type))
 static char * compression_name ARGS((char compr));
 static void       read_bytes ARGS((FILE *ifp, int n, char *buf));
 static Header *   read_header ARGS((FILE *ifp, int channel));
@@ -252,12 +252,18 @@
 
     if (ochan < 0) {
         maxchannel = (head->zsize < 3) ? head->zsize : 3;
+        overflow2(head->ysize, maxchannel);
         image = MALLOC(head->ysize * maxchannel, ScanLine);
     } else {
         maxchannel = ochan + 1;
         image = MALLOC(head->ysize, ScanLine);
     }
-    if( table ) temp = MALLOC(WORSTCOMPR(head->xsize), ScanElem);
+    if( table )
+    {
+       overflow2(head->xsize, 2);
+       overflow_add(head->xsize*2, 2);
+       temp = MALLOC(WORSTCOMPR(head->xsize), ScanElem);
+    }
 
     for( channel = 0; channel < maxchannel;  channel++ ) {
 #ifdef DEBUG
@@ -447,17 +453,19 @@
 
 
 static void *
-xmalloc(bytes)
-    int bytes;
+xmalloc2(x, y)
+    int x;
+    int y;
 {
     void *mem;
 
-    if( bytes == 0 )
+    overflow2(x, y);
+    if( x * y == 0 )
         return NULL;
 
-    mem = malloc(bytes);
+    mem = malloc2(x, y);
     if( mem == NULL )
-        pm_error("out of memory allocating %d bytes", bytes);
+        pm_error("out of memory allocating %d bytes", x * y);
     return mem;
 }
 
diff -urN netpbm-9.25.orig/pnm/sirtopnm.c netpbm-9.25/pnm/sirtopnm.c
--- netpbm-9.25.orig/pnm/sirtopnm.c     2002-01-04 18:22:45.000000000 +0100
+++ netpbm-9.25/pnm/sirtopnm.c  2004-05-12 11:52:28.460151024 +0200
@@ -69,6 +69,7 @@
            }
            break;
        case PPM_TYPE:
+           overflow3(cols, rows, 3);
            picsize = cols * rows * 3;
            planesize = cols * rows;
             if ( !( sirarray = (unsigned char*) malloc( picsize ) ) ) 
diff -urN netpbm-9.25.orig/pnm/tifftopnm.c netpbm-9.25/pnm/tifftopnm.c
--- netpbm-9.25.orig/pnm/tifftopnm.c    2002-03-03 18:24:54.000000000 +0100
+++ netpbm-9.25/pnm/tifftopnm.c 2004-05-12 11:52:28.490146464 +0200
@@ -597,7 +597,7 @@
     if (scanbuf == NULL)
         pm_error("can't allocate memory for scanline buffer");
 
-    samplebuf = (unsigned short *) malloc(cols * sizeof(unsigned short) * spp);
+    samplebuf = (unsigned short *) malloc3(cols , sizeof(unsigned short) , spp);
     if (samplebuf == NULL)
         pm_error ("can't allocate memory for row buffer");
 
diff -urN netpbm-9.25.orig/pnm/xwdtopnm.c netpbm-9.25/pnm/xwdtopnm.c
--- netpbm-9.25.orig/pnm/xwdtopnm.c     2002-01-17 00:15:55.000000000 +0100
+++ netpbm-9.25/pnm/xwdtopnm.c  2004-05-12 11:52:28.491146312 +0200
@@ -186,8 +186,8 @@
        if ( h10P->window_ncolors != 0 )
            {
            /* Read X10 colormap. */
-           x10colors = (X10Color*) malloc(
-               h10P->window_ncolors * sizeof(X10Color) );
+           x10colors = (X10Color*) malloc2(
+               h10P->window_ncolors, sizeof(X10Color) );
            if ( x10colors == 0 )
                pm_error( "out of memory" );
            for ( i = 0; i < h10P->window_ncolors; ++i )
@@ -214,6 +214,9 @@
            *colorsP = pnm_allocrow( 2 );
            PNM_ASSIGN1( (*colorsP)[0], 0 );
            PNM_ASSIGN1( (*colorsP)[1], *maxvalP );
+           overflow_add(h10P->pixmap_width, 15);
+           if(h10P->pixmap_width < 0)
+               pm_error("assert: negative width");
            *padrightP =
                ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width;
            *bits_per_itemP = 16;
@@ -224,9 +227,13 @@
            *formatP = PGM_TYPE;
            *visualclassP = StaticGray;
            *maxvalP = ( 1 << h10P->display_planes ) - 1;
+           overflow_add(*maxvalP, 1);
            *colorsP = pnm_allocrow( *maxvalP + 1 );
            for ( i = 0; i <= *maxvalP; ++i )
                PNM_ASSIGN1( (*colorsP)[i], i );
+           overflow_add(h10P->pixmap_width, 15);
+           if(h10P->pixmap_width < 0)
+               pm_error("assert: negative width");
            *padrightP =
                ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width;
            *bits_per_itemP = 16;
@@ -321,8 +328,8 @@
        if ( h11P->ncolors > 0 )
            {
            /* Read X11 colormap. */
-           x11colors = (X11XColor*) malloc(
-               h11P->ncolors * sizeof(X11XColor) );
+           x11colors = (X11XColor*) malloc2(
+               h11P->ncolors, sizeof(X11XColor) );
            if ( x11colors == 0 )
                pm_error( "out of memory" );
            if ( fread( x11colors, sizeof(X11XColor), h11P->ncolors, file ) !=
@@ -384,6 +391,7 @@
            {
            *formatP = PGM_TYPE;
            *maxvalP = ( 1 << h11P->bits_per_pixel ) - 1;
+           overflow_add(*maxvalP, 1);
            *colorsP = pnm_allocrow( *maxvalP + 1 );
            for ( i = 0; i <= *maxvalP; ++i )
                PNM_ASSIGN1( (*colorsP)[i], i );
@@ -405,6 +413,7 @@
 
        *colsP = h11P->pixmap_width;
        *rowsP = h11P->pixmap_height;
+       overflow2(h11P->bytes_per_line, 8);
        *padrightP =
            h11P->bytes_per_line * 8 / h11P->bits_per_pixel -
            h11P->pixmap_width;
diff -urN netpbm-9.25.orig/ppm/411toppm.c netpbm-9.25/ppm/411toppm.c
--- netpbm-9.25.orig/ppm/411toppm.c     2001-05-16 18:26:22.000000000 +0200
+++ netpbm-9.25/ppm/411toppm.c  2004-05-12 11:53:57.806568304 +0200
@@ -147,17 +147,18 @@
          uint8 *** const orig_cbP) {
     int y;
 
-    *orig_yP = (uint8 **) malloc(sizeof(uint8 *) * height);
+    *orig_yP = (uint8 **) malloc2(sizeof(uint8 *), height);
     for (y = 0; y < height; y++) {
-        (*orig_yP)[y] = (uint8 *) malloc(sizeof(uint8) * width);
+        (*orig_yP)[y] = (uint8 *) malloc2(sizeof(uint8), width);
     }
 
-    *orig_crP = (uint8 **) malloc(sizeof(uint8 *) * height);
+    overflow2(width, sizeof(uint8 *));
+    *orig_crP = (uint8 **) malloc2(sizeof(uint8 *),  height);
     for (y = 0; y < height; y++) {
         (*orig_crP)[y] = (uint8 *) malloc(sizeof(uint8) * width / 4);
     }
 
-    *orig_cbP = (uint8 **) malloc(sizeof(uint8 *) * height);
+    *orig_cbP = (uint8 **) malloc2(sizeof(uint8 *),  height);
     for (y = 0; y < height; y++) {
         (*orig_cbP)[y] = (uint8 *) malloc(sizeof(uint8) * width / 4);
     }
@@ -177,19 +178,20 @@
 
     /* first, allocate tons of memory */
 
-    Y = (int **) malloc(sizeof(int *) * height);
+    Y = (int **) malloc2(sizeof(int *),  height);
     for (y = 0; y < height; y++) {
-        Y[y] = (int *) malloc(sizeof(int) * width);
+       Y[y] = (int *) malloc2(sizeof(int),  width);
     }
     
-    U = (int **) malloc(sizeof(int *) * height);
+    U = (int **) malloc2(sizeof(int *) , height);
+    overflow2(sizeof(int), width);
     for (y = 0; y < height; y++) {
         U[y] = (int *) malloc(sizeof(int) * width / 4);
     }
 
-    V = (int **) malloc(sizeof(int *) * height);
+    V = (int **) malloc2(sizeof(int *),  height);
     for (y = 0; y < height; y++) {
-        V[y] = (int *) malloc(sizeof(int) * width / 4);
+       V[y] = (int *) malloc2(sizeof(int),  width / 4);
     }
 
        for ( y = 0; y < height; y ++ ) {
diff -urN netpbm-9.25.orig/ppm/ilbmtoppm.c netpbm-9.25/ppm/ilbmtoppm.c
--- netpbm-9.25.orig/ppm/ilbmtoppm.c    2002-01-04 16:26:40.000000000 +0100
+++ netpbm-9.25/ppm/ilbmtoppm.c 2004-05-12 11:53:57.761575144 +0200
@@ -123,7 +123,8 @@
 static ColorMap * alloc_cmap ARGS((void));
 static void check_cmap ARGS((BitMapHeader *bmhd, ColorMap *cmap));
 static void * xmalloc ARGS((int bytes));
-#define MALLOC(n, type)     (type *)xmalloc((n) * sizeof(type))
+static void * xmalloc2 ARGS((int x, int y));
+#define MALLOC(n, type)     (type *)xmalloc2((n), sizeof(type))
 
 #define FACTOR_4BIT     17      /* scale factor maxval 15 -> maxval 255 */
 
@@ -348,6 +349,7 @@
                 }
 
                 if( typeid == ID_ILBM ) {
+                    overflow_add(bmhd->w, 15);
                     ilbmrow = MALLOC(RowBytes(bmhd->w), unsigned char);
                     viewportmodes |= fakeviewport;      /* -isham/-isehb */
 
@@ -932,6 +934,9 @@
     if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval )
         pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval));
 
+    overflow_add(redmaxval, 1);
+    overflow_add(greenmaxval, 1);
+    overflow_add(bluemaxval, 1);
     redtable   = MALLOC(redmaxval  +1, pixval);
     greentable = MALLOC(greenmaxval+1, pixval);
     bluetable  = MALLOC(bluemaxval +1, pixval);
@@ -1281,6 +1286,7 @@
     rawtype *chp;
 
     cols = bmhd->w;
+    overflow_add(cols, 15);
     bytes = RowBytes(cols);
     for( plane = 0; plane < nPlanes; plane++ ) {
         int mask;
@@ -1321,6 +1327,7 @@
         case mskNone:
             break;
         case mskHasMask:        /* mask plane */
+            overflow_add(cols, 15);
             read_ilbm_plane(ifp, chunksizeP, RowBytes(cols), bmhd->compression);
             if( maskfile ) {
                 ilp = ilbmrow;
@@ -1394,6 +1401,23 @@
     return mem;
 }
 
+static void *
+xmalloc2(x, y)
+    int x;
+    int y;
+{
+    void *mem;
+
+    overflow2(x,y);
+    if( x * y == 0 )
+        return NULL;
+
+    mem = malloc2(x,y);
+    if( mem == NULL )
+        pm_error("out of memory allocating %d bytes", x * y);
+    return mem;
+}
+
 
 static char *
 ID2string(id)
@@ -1582,6 +1606,9 @@
         cmap->mp_change[i] = NULL;
     if( PCHG.StartLine < 0 ) {
         int nch;
+        if(PCHG.MaxReg < PCHG.MinReg)
+               pm_error("assert: MinReg > MaxReg");
+        overflow_add(PCHG.MaxReg-PCHG.MinReg, 2);
         nch = PCHG.MaxReg - PCHG.MinReg +1;
         cmap->mp_init = MALLOC(nch + 1, PaletteChange);
         for( i = 0; i < nch; i++ )
@@ -1712,7 +1739,9 @@
             ChangeCount32 = *data++;
             datasize -= 2;
 
+           overflow_add(ChangeCount16, ChangeCount32);
             changes = ChangeCount16 + ChangeCount32;
+            overflow_add(changes, 1);
             cmap->mp_change[row] = MALLOC(changes + 1, PaletteChange);
             for( i = 0; i < changes; i++ ) {
                 if( totalchanges >= PCHG->TotalChanges ) goto fail;
@@ -1798,6 +1827,7 @@
             if( datasize < 2 ) goto fail;
             changes = BIG_WORD(data); data += 2; datasize -= 2;
 
+           overflow_add(changes, 1);
             cmap->mp_change[row] = MALLOC(changes + 1, PaletteChange);
             for( i = 0; i < changes; i++ ) {
                 if( totalchanges >= PCHG->TotalChanges ) goto fail;
diff -urN netpbm-9.25.orig/ppm/imgtoppm.c netpbm-9.25/ppm/imgtoppm.c
--- netpbm-9.25.orig/ppm/imgtoppm.c     2002-01-04 16:24:57.000000000 +0100
+++ netpbm-9.25/ppm/imgtoppm.c  2004-05-12 11:53:57.762574992 +0200
@@ -83,6 +83,7 @@
             len = atoi((char*) buf );
             if ( fread( buf, len, 1, ifp ) != 1 )
                 pm_error( "bad colormap buf" );
+            overflow2(cmaplen, 3);
             if ( cmaplen * 3 != len )
             {
                 pm_message(
@@ -104,6 +105,7 @@
                 pm_error( "bad pixel data header" );
             buf[8] = '\0';
             len = atoi((char*) buf );
+            overflow2(cols, rows);
             if ( len != cols * rows )
                 pm_message(
                     "pixel data length (%d) does not match image size (%d)",
diff -urN netpbm-9.25.orig/ppm/libppm5.c netpbm-9.25/ppm/libppm5.c
--- netpbm-9.25.orig/ppm/libppm5.c      2000-03-23 05:27:06.000000000 +0100
+++ netpbm-9.25/ppm/libppm5.c   2004-05-12 11:53:57.769573928 +0200
@@ -440,7 +440,7 @@
     if ( fh == 0 )
        pm_error( "out of memory allocating a fillhandle" );
     fh->n = 0;
-    fh->coords = (coord*) malloc( SOME * sizeof(coord) );
+    fh->coords = (coord*) malloc2( SOME , sizeof(coord) );
     if ( fh->coords == 0 )
        pm_error( "out of memory allocating a fillhandle" );
     fh->size = SOME;
@@ -481,9 +481,10 @@
     /* Ok, these are new; check if there's room for two more coords. */
     if ( fh->n + 1 >= fh->size )
        {
+       overflow_add(fh->size, SOME);
        fh->size += SOME;
-       fh->coords = (coord*) realloc(
-           (char*) fh->coords, fh->size * sizeof(coord) );
+       fh->coords = (coord*) realloc2(
+           (char*) fh->coords, fh->size,  sizeof(coord) );
        if ( fh->coords == 0 )
            pm_error( "out of memory enlarging a fillhandle" );
        }
diff -urN netpbm-9.25.orig/ppm/pcxtoppm.c netpbm-9.25/ppm/pcxtoppm.c
--- netpbm-9.25.orig/ppm/pcxtoppm.c     2002-02-10 19:39:26.000000000 +0100
+++ netpbm-9.25/ppm/pcxtoppm.c  2004-05-12 11:53:57.795569976 +0200
@@ -548,6 +548,8 @@
     /*
      * clear the pixel buffer
      */
+
+    overflow2(bytesperline, 8);
     npixels = (bytesperline * 8) / bitsperpixel;
     p    = pixels;
     while (--npixels >= 0)
diff -urN netpbm-9.25.orig/ppm/picttoppm.c netpbm-9.25/ppm/picttoppm.c
--- netpbm-9.25.orig/ppm/picttoppm.c    2002-01-04 16:26:12.000000000 +0100
+++ netpbm-9.25/ppm/picttoppm.c 2004-05-12 11:53:57.772573472 +0200
@@ -1,3 +1,5 @@
+#error "Unfixable. Don't ship me"
+
 /*
  * picttoppm.c -- convert a MacIntosh PICT file to PPM format.
  *
diff -urN netpbm-9.25.orig/ppm/pjtoppm.c netpbm-9.25/ppm/pjtoppm.c
--- netpbm-9.25.orig/ppm/pjtoppm.c      2000-03-03 06:32:09.000000000 +0100
+++ netpbm-9.25/ppm/pjtoppm.c   2004-05-12 11:53:57.774573168 +0200
@@ -127,17 +127,21 @@
                case 'W':       /* send last plane */
                    if (rows == -1 || r >= rows || image == NULL) {
                        if (rows == -1 || r >= rows)
+                       {
+                           overflow_add(rows, 100);
                            rows += 100;
+                       }
                        if (image == NULL) {
                            image = (unsigned char **) 
-                               malloc(rows * planes * sizeof(unsigned char *));
-                           imlen = (int *) malloc(rows * planes * sizeof(int));
+                               malloc3(rows , planes , sizeof(unsigned char *));
+                           imlen = (int *) malloc3(rows , planes,  sizeof(int));
                        }
                        else {
+                           overflow2(rows,planes);
                            image = (unsigned char **) 
-                               realloc(image, rows * planes * 
+                               realloc2(image, rows * planes,
                                        sizeof(unsigned char *));
-                           imlen = (int *) realloc(imlen, rows * planes * 
+                           imlen = (int *) realloc2(imlen, rows * planes,
                                                    sizeof(int));
                        }
                    }
@@ -148,7 +152,7 @@
                    cols = cols > val ? cols : val;
                    imlen[r * planes + p] = val;
                    image[r * planes + p] = (unsigned char *) 
-                       malloc(val * sizeof(unsigned char));
+                       malloc2(val , sizeof(unsigned char));
                    if (image[r * planes + p] == NULL) 
                        pm_error("out of memory");
                    if (fread(image[r * planes + p], 1, val, fp) != val) 
@@ -205,7 +209,7 @@
            if (image[r * planes] == NULL)
                continue;
            for (p = 0; p < planes; p++) {
-               buf = (unsigned char *) malloc(newcols * 
+               buf = (unsigned char *) malloc2(newcols ,
                                               sizeof(unsigned char *));
                if (buf == NULL) 
                    pm_error("out of memory");
@@ -213,7 +217,10 @@
                    for (cmd = image[p + r * planes][c],
                         val = image[p + r * planes][c+1]; 
                         cmd >= 0 && i < newcols; cmd--, i++) 
+                   {
                         buf[i] = val;
+                        overflow_add(i, 1);
+                   }
                cols = cols > i ? cols : i;
                free(image[p + r * planes]);
                /* 
@@ -224,6 +231,7 @@
                image[p + r * planes] = (unsigned char *) realloc(buf, i);
            }
        }
+       overflow2(cols, 8);
        cols *= 8;
     }
                        
diff -urN netpbm-9.25.orig/ppm/ppmdist.c netpbm-9.25/ppm/ppmdist.c
--- netpbm-9.25.orig/ppm/ppmdist.c      2000-03-03 06:41:40.000000000 +0100
+++ netpbm-9.25/ppm/ppmdist.c   2004-05-12 11:53:57.788571040 +0200
@@ -90,7 +90,7 @@
 
     /* copy the colors into another structure for sorting */
     colorToGrayMap = (struct colorToGrayEntry *)
-       malloc(sizeof(struct colorToGrayEntry) * colors);
+       malloc2(sizeof(struct colorToGrayEntry),  colors);
     for (color = 0; color < colors; color++) {
        colorToGrayMap[color].color = hist[color].color;
        colorToGrayMap[color].frequency = hist[color].value;
diff -urN netpbm-9.25.orig/ppm/ppmdither.c netpbm-9.25/ppm/ppmdither.c
--- netpbm-9.25.orig/ppm/ppmdither.c    2002-02-22 05:56:35.000000000 +0100
+++ netpbm-9.25/ppm/ppmdither.c 2004-05-12 11:53:57.774573168 +0200
@@ -93,6 +93,10 @@
         const unsigned int dith_mat_sz = 
             (dith_dim * sizeof(int *)) + /* pointers */
             (dith_dim * dith_dim * sizeof(int)); /* data */
+
+        overflow2(dith_dim, sizeof(int *));
+        overflow3(dith_dim, dith_dim, sizeof(int));
+        overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int));
         dith_mat = (unsigned int **) malloc(dith_mat_sz);
 
         if (dith_mat == NULL) 
@@ -139,7 +143,9 @@
     if (dith_nb < 2) 
        pm_error("too few shades for blue, minimum of 2");
 
-    *ptab_p = malloc(dith_nr * dith_ng * dith_nb * sizeof(pixel));
+    overflow2(dith_nr, dith_ng);
+    *ptab_p = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel));
+
     if (*ptab_p == NULL) 
         pm_error("Unable to allocate space for the color lookup table "
                  "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb);
diff -urN netpbm-9.25.orig/ppm/ppmquantall netpbm-9.25/ppm/ppmquantall
--- netpbm-9.25.orig/ppm/ppmquantall    2001-04-16 09:49:37.000000000 +0200
+++ netpbm-9.25/ppm/ppmquantall 2004-05-12 11:53:57.822565872 +0200
@@ -66,6 +66,97 @@
 done
 
 #all=`tempfile -p pqa.all -m 600`
+#all=.tmp.pqa.all.$$
+#rm -f $all
+all=$(mktemp -t pqa.all.XXXXXXXXXX) || exit 1 #219019
+
+pnmcat -topbottom -jleft -white ${files[@]} | ppmquant $newcolors > $all
+if [ $? != 0 ]; then
+    exit $?
+fi
+
+y=0
+i=0
+
+while [ $i -lt $nfiles ]; do
+    pnmcut -left 0 -top $y -width ${widths[$i]} -height ${heights[$i]} $all \
+        > ${files[$i]}$ext
+    if [ $? != 0 ]; then
+        exit $?
+    fi
+    y=$(($y + ${heights[$i]}))
+    i=$(($i + 1))
+done
+
+rm -f $all
+#!/bin/sh
+#
+# ppmquantall - run ppmquant on a bunch of files all at once, so they share
+#               a common colormap
+#
+# WARNING: overwrites the source files with the results!!!
+#
+# Verbose explanation: Let's say you've got a dozen pixmaps that you want
+# to display on the screen all at the same time.  Your screen can only
+# display 256 different colors, but the pixmaps have a total of a thousand
+# or so different colors.  For a single pixmap you solve this problem with
+# ppmquant; this script solves it for multiple pixmaps.  All it does is
+# concatenate them together into one big pixmap, run ppmquant on that, and
+# then split it up into little pixmaps again.
+
+usage()
+{
+    echo "usage: $0 [-ext extension] <newcolours> <ppmfile> ..."
+    exit 1
+}
+
+ext=
+
+while :; do
+
+    case "$1" in
+    -ext*)
+        if [ $# -lt 2 ]; then
+            usage
+        fi
+        ext=".$2"
+        shift
+        shift
+    ;;
+
+    *)  
+        break
+    ;;
+
+    esac
+done
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+newcolors=$1
+shift
+nfiles=$#
+files=($@)
+
+# Extract the width and height of each of the images.
+# Here, we make the assumption that the width and height are on the
+# second line, even though the PPM format doesn't require that.
+# To be robust, we need to use Pnmfile to get that information, or 
+# Put this program in C and use ppm_readppminit().
+
+set widths=()
+set heights=()
+
+for i in ${files[@]}; do
+    widths=(${widths[*]} `egrep -v '^#' $i | head -2 | tail -1 | \
+            sed 's/ .*//'` )
+    heights=(${heights[*]} `egrep -v '^#' $i | head -2 | tail -1 | \
+            sed 's/.* //'` )
+done
+
+#all=`tempfile -p pqa.all -m 600`
 all=/tmp/pqa.all.$$
 rm -f $all
 
diff -urN netpbm-9.25.orig/ppm/ppmquantall.csh netpbm-9.25/ppm/ppmquantall.csh
--- netpbm-9.25.orig/ppm/ppmquantall.csh        2000-07-28 04:29:36.000000000 +0200
+++ netpbm-9.25/ppm/ppmquantall.csh     2004-05-12 11:53:57.816566784 +0200
@@ -34,7 +34,7 @@
     set heights=( $heights `head -2 $i | tail -1 | sed 's/.* //'` )
 end
 
-set all=/tmp/pqa.all.$$
+set all=.tmp.pqa.all.$$
 rm -f $all
 pnmcat -topbottom -jleft -white $files | ppmquant -quiet $newcolors > $all
 if ( $status != 0 ) exit $status
diff -urN netpbm-9.25.orig/ppm/ppmqvga.c netpbm-9.25/ppm/ppmqvga.c
--- netpbm-9.25.orig/ppm/ppmqvga.c      2001-06-11 01:33:18.000000000 +0200
+++ netpbm-9.25/ppm/ppmqvga.c   2004-05-12 11:53:57.763574840 +0200
@@ -438,6 +438,8 @@
   ppm_writeppminit( stdout, cols, rows, maxval, 0 );
 
   if (dither) {
+    overflow_add(cols, 2);
+    overflow2(cols+2, sizeof(fs_err_array));
     fs_err_lines = (fs_err_array *) calloc((cols + 2), sizeof(fs_err_array));
 
     if (fs_err_lines == NULL) {
diff -urN netpbm-9.25.orig/ppm/ppmshadow netpbm-9.25/ppm/ppmshadow
--- netpbm-9.25.orig/ppm/ppmshadow      2000-03-24 19:37:26.000000000 +0100
+++ netpbm-9.25/ppm/ppmshadow   2004-05-12 11:53:57.801569064 +0200
@@ -22,7 +22,11 @@
 #
 #
 
-    $fname = "/tmp/_PPMshadow$$";          # Temporary filepath prefix
+#    $fname = ".tmp._PPMshadow$$";          # Temporary filepath prefix
+    chomp($fname = `mktemp -d -t PPMshadow.XXXXXX`);
+    if ($? >> 8) {
+        die "Can't create tmpdir";
+    }
 
     #   Process command line options
 
@@ -99,8 +103,8 @@
     if ((!(defined $ifile)) || ($ifile eq '-')) {
         #   Input default to standard input
         $stdin = 1;
-        $ifile = "$fname-0.ppm";
-        system("cat >$fname-0.ppm");
+        $ifile = "$fname/0.ppm";
+        system("cat >$fname/0.ppm");
     }
 
     #   Determine the size of the source image
@@ -112,15 +116,15 @@
 
     #   Create a blank background bitmap the size of the source bitmap
 
-    system("pnmcut 0 0 1 1 $ifile | pnmscale -xsize $xsize -ysize $ysize >$fname-5.ppm");
+    system("pnmcut 0 0 1 1 $ifile | pnmscale -xsize $xsize -ysize $ysize >$fname/5.ppm");
 
     #   Create positive mask file from input image
 
-    system("pnmarith -difference $ifile $fname-5.ppm | pnminvert | ppmtopgm | pgmtopbm -thresh -value 1.0 >$fname-1.ppm");
+    system("pnmarith -difference $ifile $fname/5.ppm | pnminvert | ppmtopgm | pgmtopbm -thresh -value 1.0 >$fname/1.ppm");
 
     #   Create convolution kernel file to generate shadow
 
-    open(OF, ">$fname-2.ppm");
+    open(OF, ">$fname/2.ppm");
     $ckern = $convolve <= 11 ? $convolve : 11;
     printf(OF "P2\n$ckern $ckern\n%d\n", $ckern * $ckern * 2);
     $a = ($ckern * $ckern) + 1;
@@ -136,60 +140,61 @@
         #   Convolve the input colour image with the kernel
         #   to create a translucent shadow image.
 
-        system("pnmconvol $fname-2.ppm $ifile >$fname-10.ppm");
-        system("rm $fname-2.ppm") if $purge;
+        system("pnmconvol $fname/2.ppm $ifile >$fname/10.ppm");
+#        system("rm $fname-2.ppm") if $purge;
         while ($ckern < $convolve) {
-            system("pnmsmooth $fname-10.ppm >$fname-10a.ppm");
-            system("mv $fname-10a.ppm $fname-10.ppm");
+            system("pnmsmooth $fname/10.ppm >$fname/10a.ppm");
+            system("mv $fname/10a.ppm $fname/10.ppm");
             $ckern++;
         }
     } else {
 
         #   Convolve the positive mask with the kernel to create shadow
 
-        system("pnmconvol $fname-2.ppm $fname-1.ppm >$fname-3.ppm");
-        system("rm $fname-2.ppm") if $purge;
+        system("pnmconvol $fname/2.ppm $fname/1.ppm >$fname/3.ppm");
+#        system("rm $fname-2.ppm") if $purge;
         while ($ckern < $convolve) {
-            system("pnmsmooth $fname-3.ppm >$fname-3a.ppm");
-            system("mv $fname-3a.ppm $fname-3.ppm");
+            system("pnmsmooth $fname/3.ppm >$fname/3a.ppm");
+            system("mv $fname/3a.ppm $fname/3.ppm");
             $ckern++;
         }
 
         #   Multiply the shadow by the background colour
 
-        system("pnmarith -multiply $fname-3.ppm $fname-5.ppm >$fname-10.ppm");
-        system("rm $fname-3.ppm") if $purge;
+        system("pnmarith -multiply $fname/3.ppm $fname/5.ppm >$fname/10.ppm");
+        system("rm $fname/3.ppm") if $purge;
     }
 
     #   Cut an offset rectangle from the shadow image
 
     $i = $xsize - $xoffset;
     $j = $ysize - $yoffset;
-    system("pnmcut 0 0 $i $j $fname-10.ppm >$fname-4.ppm");
-    system("rm $fname-10.ppm") if $purge;
+    system("pnmcut 0 0 $i $j $fname/10.ppm >$fname/4.ppm");
+#    system("rm $fname-10.ppm") if $purge;
 
     #   Create offset shadow image
 
-    system("pnmpaste -replace $fname-4.ppm $xoffset $yoffset $fname-5.ppm >$fname-6.ppm");
-    system("rm $fname-4.ppm $fname-5.ppm") if $purge;
+    system("pnmpaste -replace $fname/4.ppm $xoffset $yoffset $fname/5.ppm >$fname/6.ppm");
+#    system("rm $fname-4.ppm $fname-5.ppm") if $purge;
 
     #   Create inverse mask
 
-    system("pnminvert $fname-1.ppm >$fname-7.ppm");
+    system("pnminvert $fname/1.ppm >$fname/7.ppm");
 
     #   Multiply original image by inverse mask
 
-    system("pnmarith -multiply $ifile $fname-7.ppm >$fname-8.ppm");
-    system("rm $fname-7.ppm") if $purge;
-    system("rm $fname-0.ppm") if ($purge && $stdin);
+    system("pnmarith -multiply $ifile $fname/7.ppm >$fname/8.ppm");
+#    system("rm $fname-7.ppm") if $purge;
+#    system("rm $fname-0.ppm") if ($purge && $stdin);
 
     #   Multiply shadow by mask
 
-    system("pnmarith -multiply $fname-6.ppm $fname-1.ppm >$fname-9.ppm");
-    system("rm $fname-6.ppm $fname-1.ppm") if $purge;
+    system("pnmarith -multiply $fname/6.ppm $fname/1.ppm >$fname/9.ppm");
+#    system("rm $fname-6.ppm $fname-1.ppm") if $purge;
 
     #   Add masked image and shadow to obtain result, which this
     #   last call on pnmarith sends to standard output.
 
-    system("pnmarith -add $fname-8.ppm $fname-9.ppm");
-    system("rm $fname-8.ppm $fname-9.ppm") if $purge;
+    system("pnmarith -add $fname/8.ppm $fname/9.ppm");
+#    system("rm $fname-8.ppm $fname-9.ppm") if $purge;
+    system("rm -rf $fname/") if $purge;
diff -urN netpbm-9.25.orig/ppm/ppmtoeyuv.c netpbm-9.25/ppm/ppmtoeyuv.c
--- netpbm-9.25.orig/ppm/ppmtoeyuv.c    2001-09-07 17:48:09.000000000 +0200
+++ netpbm-9.25/ppm/ppmtoeyuv.c 2004-05-12 11:53:57.801569064 +0200
@@ -112,14 +112,15 @@
 
     int index;
 
-    mult299   = (float *) malloc(sizeof(float) * (maxval+1));
-    mult587   = (float *) malloc(sizeof(float) * (maxval+1));
-    mult114   = (float *) malloc(sizeof(float) * (maxval+1));
-    mult16874 = (float *) malloc(sizeof(float) * (maxval+1));
-    mult33126 = (float *) malloc(sizeof(float) * (maxval+1));
-    mult5     = (float *) malloc(sizeof(float) * (maxval+1));
-    mult41869 = (float *) malloc(sizeof(float) * (maxval+1));
-    mult08131 = (float *) malloc(sizeof(float) * (maxval+1));
+    overflow_add(maxval, 1);
+    mult299   = (float *) malloc2(sizeof(float), (maxval+1));
+    mult587   = (float *) malloc2(sizeof(float), (maxval+1));
+    mult114   = (float *) malloc2(sizeof(float), (maxval+1));
+    mult16874 = (float *) malloc2(sizeof(float), (maxval+1));
+    mult33126 = (float *) malloc2(sizeof(float), (maxval+1));
+    mult5     = (float *) malloc2(sizeof(float), (maxval+1));
+    mult41869 = (float *) malloc2(sizeof(float), (maxval+1));
+    mult08131 = (float *) malloc2(sizeof(float), (maxval+1));
 
     if (maxval == YUVMAXVAL) {
         /* fast path */
@@ -265,10 +266,10 @@
     uint8 ** orig_cr;
     uint8 ** orig_cb;
 
-    *orig_yP = (uint8 **) malloc(sizeof(uint8 *) * height);
+    *orig_yP = (uint8 **) malloc2(sizeof(uint8 *) , height);
     orig_y = *orig_yP;
     for (y = 0; y < height; y++) {
-        orig_y[y] = (uint8 *) malloc(sizeof(uint8) * width);
+        orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , width);
     }
 
     *orig_crP = (uint8 **) malloc(sizeof(uint8 *) * height / 2);
diff -urN netpbm-9.25.orig/ppm/ppmtoicr.c netpbm-9.25/ppm/ppmtoicr.c
--- netpbm-9.25.orig/ppm/ppmtoicr.c     1993-10-04 10:12:38.000000000 +0100
+++ netpbm-9.25/ppm/ppmtoicr.c  2004-05-12 11:53:57.783571800 +0200
@@ -170,7 +170,7 @@
 
        if (rleflag) {  
                pm_message("sending run-length encoded picture data ..." );
-               testimage = (char*) malloc(rows*cols);
+               testimage = (char*) malloc2(rows, cols);
                p = testimage;
                for (i=0; i<rows; i++)
                        for (j=0; j<cols; j++) 
diff -urN netpbm-9.25.orig/ppm/ppmtoilbm.c netpbm-9.25/ppm/ppmtoilbm.c
--- netpbm-9.25.orig/ppm/ppmtoilbm.c    2002-01-04 16:24:55.000000000 +0100
+++ netpbm-9.25/ppm/ppmtoilbm.c 2004-05-12 11:53:57.785571496 +0200
@@ -117,7 +117,8 @@
 static pixel * next_pixrow ARGS((FILE *fp, int row));
 static int * make_val_table ARGS((int oldmaxval, int newmaxval));
 static void * xmalloc ARGS((int bytes));
-#define MALLOC(n, type)     (type *)xmalloc((n) * sizeof(type))
+static void * xmalloc2 ARGS((int x, int y));
+#define MALLOC(n, type)     (type *)xmalloc2((n) , sizeof(type))
 static void init_read ARGS((FILE *fp, int *colsP, int *rowsP, pixval *maxvalP, int *formatP, int readall));
 static void write_body_rows ARGS((void));
 static void write_camg ARGS((void));
@@ -785,11 +786,16 @@
 
     if( mode != MODE_CMAP ) {
         register int i;
+        overflow_add(cols, 15);
         coded_rowbuf = MALLOC(RowBytes(cols), unsigned char);
         for( i = 0; i < RowBytes(cols); i++ )
             coded_rowbuf[i] = 0;
         if( DO_COMPRESS )
+        {
+            overflow2(cols,2);
+            overflow_add(cols *2, 2);
             compr_rowbuf = MALLOC(WORSTCOMPR(RowBytes(cols)), unsigned char);
+        }
     }
 
     switch( mode ) {
@@ -981,7 +987,7 @@
     pm_message("initializing HAM colormap...");
 
     colors = 1<<(3*hbits);
-    hmap = malloc(colors * sizeof(hentry));
+    hmap = malloc2(colors,  sizeof(hentry));
     if (hmap == NULL)
         pm_error("Unable to allocate memory for HAM colormap.");
     hmaxval = pm_bitstomaxval(hbits);
@@ -1839,6 +1845,7 @@
 
     maskmethod = 0;     /* no masking - RGB8 uses genlock bits */
     compmethod = 4;     /* RGB8 files are always compressed */
+    overflow2(cols, 4);
     compr_row = MALLOC(cols * 4, unsigned char);
 
     if( maxval != 255 ) {
@@ -1926,6 +1933,7 @@
 
     maskmethod = 0;     /* no masking - RGBN uses genlock bits */
     compmethod = 4;     /* RGBN files are always compressed */
+    overflow2(cols, 2);
     compr_row = MALLOC(cols * 2, unsigned char);
 
     if( maxval != 15 ) {
@@ -2397,6 +2405,7 @@
     int i;
     int *table;
 
+    overflow_add(oldmaxval, 1);
     table = MALLOC(oldmaxval + 1, int);
     for(i = 0; i <= oldmaxval; i++ )
         table[i] = (i * newmaxval + oldmaxval/2) / oldmaxval;
@@ -2417,6 +2426,21 @@
     return mem;
 }
 
+static void *
+xmalloc2(x,y)
+    int x;
+    int y;
+{
+    void *mem;
+
+    overflow2(x, y);
+
+    mem = malloc2(x, y);
+    if( mem == NULL )
+        pm_error("out of memory allocating %d bytes", x * y);
+    return mem;
+}
+
 
 static int  gFormat;
 static int  gCols;
diff -urN netpbm-9.25.orig/ppm/ppmtolj.c netpbm-9.25/ppm/ppmtolj.c
--- netpbm-9.25.orig/ppm/ppmtolj.c      2000-12-03 00:36:01.000000000 +0100
+++ netpbm-9.25/ppm/ppmtolj.c   2004-05-12 11:53:57.805568456 +0200
@@ -180,6 +180,7 @@
     pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
 
     pm_close( ifp );
+    overflow2(cols,6);
     obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
     cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
     if (mode == C_TRANS_MODE_DELTA)
diff -urN netpbm-9.25.orig/ppm/ppmtomitsu.c netpbm-9.25/ppm/ppmtomitsu.c
--- netpbm-9.25.orig/ppm/ppmtomitsu.c   2002-01-04 16:24:55.000000000 +0100
+++ netpbm-9.25/ppm/ppmtomitsu.c        2004-05-12 11:53:57.773573320 +0200
@@ -125,6 +125,8 @@
         medias = MSize_User;
 
         if (dpi300) {
+               overflow2(medias.maxcols, 2);
+               overflow2(medias.maxrows, 2);
                 medias.maxcols *= 2;
                 medias.maxrows *= 2;
         }
diff -urN netpbm-9.25.orig/ppm/ppmtompeg/frame.c netpbm-9.25/ppm/ppmtompeg/frame.c
--- netpbm-9.25.orig/ppm/ppmtompeg/frame.c      2001-03-31 09:32:30.000000000 +0200
+++ netpbm-9.25/ppm/ppmtompeg/frame.c   2004-05-12 11:53:57.810567696 +0200
@@ -140,15 +140,16 @@
 omfrw->orig_y = NULL;
 Fsize_x = out_x;
 /* Allocate new frame memory */
-    omfrw->orig_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
+    omfrw->orig_y = (uint8 **) malloc2(sizeof(uint8 *) , Fsize_y);
     ERRCHK(omfrw->orig_y, "malloc");
     for (y = 0; y < Fsize_y; y++) {
-       omfrw->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * out_x);
+       omfrw->orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , out_x);
        ERRCHK(omfrw->orig_y[y], "malloc");
     }
 
-    omfrw->orig_cr = (uint8 **) malloc(sizeof(int8 *) * Fsize_y / 2);
+    omfrw->orig_cr = (uint8 **) malloc2(sizeof(int8 *) , Fsize_y / 2);
     ERRCHK(omfrw->orig_cr, "malloc");
+    overflow2(out_x, sizeof(int8));
     for (y = 0; y < Fsize_y / 2; y++) {
        omfrw->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * out_x / 2);
        ERRCHK(omfrw->orig_cr[y], "malloc");
@@ -208,15 +209,17 @@
 Fsize_y = out_y;
 
 /* Allocate new frame memory */
-    omfrh->orig_y = (uint8 **) malloc(sizeof(uint8 *) * out_y);
+    omfrh->orig_y = (uint8 **) malloc2(sizeof(uint8 *),  out_y);
     ERRCHK(omfrh->orig_y, "malloc");
     for (y = 0; y < out_y; y++) {
-       omfrh->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x);
+       omfrh->orig_y[y] = (uint8 *) malloc2(sizeof(uint8) ,  Fsize_x);
        ERRCHK(omfrh->orig_y[y], "malloc");
     }
 
+    overflow2(out_y, sizeof(int8 *));
     omfrh->orig_cr = (uint8 **) malloc(sizeof(int8 *) * out_y / 2);
     ERRCHK(omfrh->orig_cr, "malloc");
+    overflow2(sizeof(int8), Fsize_x);
     for (y = 0; y < out_y / 2; y++) {
        omfrh->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * Fsize_x / 2);
        ERRCHK(omfrh->orig_cr[y], "malloc");
@@ -532,11 +535,11 @@
        return;
     }
 
-    frame->ppm_data = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
+    frame->ppm_data = (uint8 **) malloc2(sizeof(uint8 *) ,  Fsize_y);
     ERRCHK(frame->ppm_data, "malloc");
 
     for ( y = 0; y < Fsize_y; y++ ) {
-       frame->ppm_data[y] = (uint8 *) malloc(3*sizeof(uint8) * Fsize_x);
+       frame->ppm_data[y] = (uint8 *) malloc3(3, sizeof(uint8), Fsize_x);
        ERRCHK(frame->ppm_data[y], "malloc");
     }
 }
@@ -567,20 +570,20 @@
     dctx = Fsize_x / DCTSIZE;
     dcty = Fsize_y / DCTSIZE;
 
-    frame->y_blocks = (Block **) malloc(sizeof(Block *) * dcty);
+    frame->y_blocks = (Block **) malloc2(sizeof(Block *),  dcty);
     ERRCHK(frame->y_blocks, "malloc");
     for (i = 0; i < dcty; i++) {
-       frame->y_blocks[i] = (Block *) malloc(sizeof(Block) * dctx);
+       frame->y_blocks[i] = (Block *) malloc2(sizeof(Block), dctx);
        ERRCHK(frame->y_blocks[i], "malloc");
     }
 
-    frame->cr_blocks = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
-    frame->cb_blocks = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
+    frame->cr_blocks = (Block **) malloc2(sizeof(Block *) , (dcty >> 1));
+    frame->cb_blocks = (Block **) malloc2(sizeof(Block *) , (dcty >> 1));
     ERRCHK(frame->cr_blocks, "malloc");
     ERRCHK(frame->cb_blocks, "malloc");
     for (i = 0; i < (dcty >> 1); i++) {
-       frame->cr_blocks[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
-       frame->cb_blocks[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
+       frame->cr_blocks[i] = (Block *) malloc2(sizeof(Block) , (dctx >> 1));
+       frame->cb_blocks[i] = (Block *) malloc2(sizeof(Block) , (dctx >> 1));
        ERRCHK(frame->cr_blocks[i], "malloc");
        ERRCHK(frame->cb_blocks[i], "malloc");
     }
@@ -612,10 +615,10 @@
     /*
      * first, allocate tons of memory
      */
-    frame->orig_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
+    frame->orig_y = (uint8 **) malloc2(sizeof(uint8 *), Fsize_y);
     ERRCHK(frame->orig_y, "malloc");
     for (y = 0; y < Fsize_y; y++) {
-       frame->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x);
+       frame->orig_y[y] = (uint8 *) malloc2(sizeof(uint8), Fsize_x);
        ERRCHK(frame->orig_y[y], "malloc");
     }
 
@@ -663,22 +666,24 @@
         return;
     }
 
-       frame->halfX = (uint8 **) malloc(Fsize_y*sizeof(uint8 *));
+       frame->halfX = (uint8 **) malloc2(Fsize_y, sizeof(uint8 *));
        ERRCHK(frame->halfX, "malloc");
-       frame->halfY = (uint8 **) malloc((Fsize_y-1)*sizeof(uint8 *));
+       if(Fsize_y == 0 || Fsize_x == 0)
+               pm_error("assert: zero size");
+       frame->halfY = (uint8 **) malloc2((Fsize_y-1), sizeof(uint8 *));
        ERRCHK(frame->halfY, "malloc");
-       frame->halfBoth = (uint8 **) malloc((Fsize_y-1)*sizeof(uint8 *));
+       frame->halfBoth = (uint8 **) malloc2((Fsize_y-1), sizeof(uint8 *));
        ERRCHK(frame->halfBoth, "malloc");
        for ( y = 0; y < Fsize_y; y++ ) {
-           frame->halfX[y] = (uint8 *) malloc((Fsize_x-1)*sizeof(uint8));
+           frame->halfX[y] = (uint8 *) malloc2((Fsize_x-1), sizeof(uint8));
            ERRCHK(frame->halfX[y], "malloc");
        }
        for ( y = 0; y < Fsize_y-1; y++ ) {
-           frame->halfY[y] = (uint8 *) malloc(Fsize_x*sizeof(uint8));
+           frame->halfY[y] = (uint8 *) malloc2(Fsize_x, sizeof(uint8));
            ERRCHK(frame->halfY[y], "malloc");
        }
        for ( y = 0; y < Fsize_y-1; y++ ) {
-           frame->halfBoth[y] = (uint8 *) malloc((Fsize_x-1)*sizeof(uint8));
+           frame->halfBoth[y] = (uint8 *) malloc2((Fsize_x-1), sizeof(uint8));
            ERRCHK(frame->halfBoth[y], "malloc");
        }
 }
@@ -712,24 +717,24 @@
        it for some reason, so do it this way at least for now -- more
        flexible
      */
-    frame->decoded_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
+    frame->decoded_y = (uint8 **) malloc2(sizeof(uint8 *),  Fsize_y);
     ERRCHK(frame->decoded_y, "malloc");
     for (y = 0; y < Fsize_y; y++) {
-       frame->decoded_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x);
+       frame->decoded_y[y] = (uint8 *) malloc2(sizeof(uint8), Fsize_x);
        ERRCHK(frame->decoded_y[y], "malloc");
     }
 
-    frame->decoded_cr = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1));
+    frame->decoded_cr = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1));
     ERRCHK(frame->decoded_cr, "malloc");
     for (y = 0; y < (Fsize_y >> 1); y++) {
-       frame->decoded_cr[y] = (uint8 *) malloc(sizeof(uint8) * (Fsize_x >> 1));
+       frame->decoded_cr[y] = (uint8 *) malloc2(sizeof(uint8),  (Fsize_x >> 1));
        ERRCHK(frame->decoded_cr[y], "malloc");
     }
 
-    frame->decoded_cb = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1));
+    frame->decoded_cb = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1));
     ERRCHK(frame->decoded_cb, "malloc");
     for (y = 0; y < (Fsize_y >> 1); y++) {
-       frame->decoded_cb[y] = (uint8 *) malloc(sizeof(uint8) * (Fsize_x >> 1));
+       frame->decoded_cb[y] = (uint8 *) malloc2(sizeof(uint8), (Fsize_x >> 1));
        ERRCHK(frame->decoded_cb[y], "malloc");
     }
 
diff -urN netpbm-9.25.orig/ppm/ppmtompeg/iframe.c netpbm-9.25/ppm/ppmtompeg/iframe.c
--- netpbm-9.25.orig/ppm/ppmtompeg/iframe.c     1995-08-15 00:30:06.000000000 +0200
+++ netpbm-9.25/ppm/ppmtompeg/iframe.c  2004-05-12 11:53:57.812567392 +0200
@@ -857,6 +857,8 @@
     int ysz = (Fsize_y>>3) * sizeof(int32 *);
     int xsz = (Fsize_x>>3);
     
+    overflow2(Fsize_y>>3, sizeof(int32 *));
+
     needs_init = FALSE;
     for (y=0; y<3; y++) {
       varDiff[y] = ratio[y] = total[y] = 0.0;
@@ -875,6 +877,7 @@
       fprintf(stderr, "Out of memory in BlockComputeSNR\n");
       exit(-1);
     }
+    overflow2(xsz, 4);
     for (y = 0; y < ySize[0]>>3; y++) {
       SignalY[y]  = (int32 *) calloc(xsz,4);
       SignalCr[y]  = (int32 *) calloc(xsz,4);
@@ -1030,27 +1033,27 @@
     dctx = Fsize_x / DCTSIZE;
     dcty = Fsize_y / DCTSIZE;
 
-    dct = (Block **) malloc(sizeof(Block *) * dcty);
+    dct = (Block **) malloc2(sizeof(Block *), dcty);
     ERRCHK(dct, "malloc");
     for (i = 0; i < dcty; i++) {
-       dct[i] = (Block *) malloc(sizeof(Block) * dctx);
+       dct[i] = (Block *) malloc2(sizeof(Block), dctx);
        ERRCHK(dct[i], "malloc");
     }
 
-    dct_data = (dct_data_type **) malloc(sizeof(dct_data_type *) * dcty);
+    dct_data = (dct_data_type **) malloc2(sizeof(dct_data_type *), dcty);
     ERRCHK(dct_data, "malloc");
     for (i = 0; i < dcty; i++) {
-       dct_data[i] = (dct_data_type *) malloc(sizeof(dct_data_type) * dctx);
+       dct_data[i] = (dct_data_type *) malloc2(sizeof(dct_data_type),dctx);
        ERRCHK(dct[i], "malloc");
     }
 
-    dctr = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
-    dctb = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
+    dctr = (Block **) malloc2(sizeof(Block *), (dcty >> 1));
+    dctb = (Block **) malloc2(sizeof(Block *), (dcty >> 1));
     ERRCHK(dctr, "malloc");
     ERRCHK(dctb, "malloc");
     for (i = 0; i < (dcty >> 1); i++) {
-       dctr[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
-       dctb[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
+       dctr[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1));
+       dctb[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1));
        ERRCHK(dctr[i], "malloc");
        ERRCHK(dctb[i], "malloc");
     }
diff -urN netpbm-9.25.orig/ppm/ppmtompeg/jpeg.c netpbm-9.25/ppm/ppmtompeg/jpeg.c
--- netpbm-9.25.orig/ppm/ppmtompeg/jpeg.c       2001-08-31 22:48:06.000000000 +0200
+++ netpbm-9.25/ppm/ppmtompeg/jpeg.c    2004-05-12 11:53:57.812567392 +0200
@@ -228,7 +228,7 @@
       exit(1);
     }  
 
-  inoffsets = (int *)malloc(no_frames*sizeof(int));
+  inoffsets = (int *)malloc2(no_frames, sizeof(int));
     
   if (fread (&(width),sizeof(int),1,inFile) != 1)
     {
diff -urN netpbm-9.25.orig/ppm/ppmtompeg/parallel.c netpbm-9.25/ppm/ppmtompeg/parallel.c
--- netpbm-9.25.orig/ppm/ppmtompeg/parallel.c   2001-08-31 22:48:30.000000000 +0200
+++ netpbm-9.25/ppm/ppmtompeg/parallel.c        2004-05-12 11:53:57.814567088 +0200
@@ -343,7 +343,7 @@
          free(bigBuffer);
        }
 
-       bigBuffer = (unsigned char *) malloc(bigBufferSize*
+       bigBuffer = (unsigned char *) malloc2(bigBufferSize,
                                             sizeof(unsigned char));
       }
 
@@ -663,7 +663,7 @@
   
   TransmitPortNum(parallelHostName, portNum, combinePortNum);
   
-  frameDone = (boolean *) malloc(numInputFiles*sizeof(boolean));
+  frameDone = (boolean *) malloc2(numInputFiles, sizeof(boolean));
   memset((char *)frameDone, 0, numInputFiles*sizeof(boolean));
   
   if ( (ofp = fopen(outputFileName, "wb")) == NULL ) {
@@ -1269,6 +1269,8 @@
 
     /* should keep list of port numbers to notify when frames become ready */
 
+    overflow2(numInputFiles, sizeof(int));
+    overflow2(numInputFiles, sizeof(boolean));
     ready = (boolean *) calloc(numInputFiles, sizeof(boolean));
     waitMachine = (int *) calloc(numInputFiles, sizeof(int));
     waitPort = (int *) malloc(numMachines*sizeof(int));
diff -urN netpbm-9.25.orig/ppm/ppmtompeg/psearch.c netpbm-9.25/ppm/ppmtompeg/psearch.c
--- netpbm-9.25.orig/ppm/ppmtompeg/psearch.c    2001-09-26 17:11:53.000000000 +0200
+++ netpbm-9.25/ppm/ppmtompeg/psearch.c 2004-05-12 11:53:57.815566936 +0200
@@ -299,6 +299,13 @@
     ((searchRangeP>searchRangeB)?searchRangeP:searchRangeB)
       : ((searchRangeB>searchRangeB)?searchRangeB:searchRangeB);
     
+    overflow2(searchRangeP, 2);
+    overflow2(searchRangeB, 2);
+    overflow_add(searchRangeP*2, 3);
+    overflow_add(searchRangeB*2, 3);
+    overflow2(2*searchRangeB+3, sizeof(int));
+    overflow2(2*searchRangeP+3, sizeof(int));
+
     pmvHistogram = (int **) malloc((2*searchRangeP+3)*sizeof(int *));
     bbmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *));
     bfmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *));
@@ -891,6 +898,9 @@
     int *columnTotals;
     int rowTotal;
 
+    overflow2(searchRangeP, 2);
+    overflow_add(searchRangeP*2,  3);
+    overflow2(searchRangeP*2+3, sizeof(int));
     columnTotals = (int *) calloc(2*searchRangeP+3, sizeof(int));
 
 #ifdef COMPLETE_DISPLAY
@@ -938,6 +948,9 @@
 
     fprintf(fpointer, "B-frame Backwards:\n");
 
+    overflow2(searchRangeB, 2);
+    overflow_add(searchRangeB*2,  3);
+    overflow2(searchRangeB*2+3, sizeof(int));
     columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int));
 
 #ifdef COMPLETE_DISPLAY
@@ -985,6 +998,9 @@
 
     fprintf(fpointer, "B-frame Forwards:\n");
 
+    overflow2(searchRangeB, 2);
+    overflow_add(searchRangeB*2,  3);
+    overflow2(searchRangeB*2+3, sizeof(int));
     columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int));
 
 #ifdef COMPLETE_DISPLAY
diff -urN netpbm-9.25.orig/ppm/ppmtompeg/rgbtoycc.c netpbm-9.25/ppm/ppmtompeg/rgbtoycc.c
--- netpbm-9.25.orig/ppm/ppmtompeg/rgbtoycc.c   2000-06-05 04:31:33.000000000 +0200
+++ netpbm-9.25/ppm/ppmtompeg/rgbtoycc.c        2004-05-12 11:53:57.816566784 +0200
@@ -96,6 +96,8 @@
         } 
         table_maxval = maxval;
 
+       overflow_add(table_maxval, 1);
+       overflow2(table_maxval+1, sizeof(float));
         mult299   = malloc((table_maxval+1)*sizeof(float));
         mult587   = malloc((table_maxval+1)*sizeof(float));
         mult114   = malloc((table_maxval+1)*sizeof(float));
diff -urN netpbm-9.25.orig/ppm/ppmtopcx.c netpbm-9.25/ppm/ppmtopcx.c
--- netpbm-9.25.orig/ppm/ppmtopcx.c     2002-02-10 19:34:06.000000000 +0100
+++ netpbm-9.25/ppm/ppmtopcx.c  2004-05-12 11:53:57.797569672 +0200
@@ -185,6 +185,8 @@
         else                    Planes = 1;
     }
 
+    overflow2(BitsPerPixel, cols);
+    overflow_add(BitsPerPixel * cols, 7);
     BytesPerLine    = ((cols * BitsPerPixel) + 7) / 8;
     rawrow = (unsigned char *)pm_allocrow(cols, sizeof(unsigned char));
     planesrow = (unsigned char *)
diff -urN netpbm-9.25.orig/ppm/ppmtopict.c netpbm-9.25/ppm/ppmtopict.c
--- netpbm-9.25.orig/ppm/ppmtopict.c    1993-10-04 10:12:45.000000000 +0100
+++ netpbm-9.25/ppm/ppmtopict.c 2004-05-12 11:53:57.786571344 +0200
@@ -246,6 +246,8 @@
        putShort(stdout, 0);                    /* mode */
 
        /* Finally, write out the data. */
+       overflow_add(cols/MAX_COUNT, 1);
+        overflow_add(cols, cols/MAX_COUNT+1);
        packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1));
        oc = 0;
        for (row = 0; row < rows; row++)
diff -urN netpbm-9.25.orig/ppm/ppmtopj.c netpbm-9.25/ppm/ppmtopj.c
--- netpbm-9.25.orig/ppm/ppmtopj.c      2000-03-03 07:09:24.000000000 +0100
+++ netpbm-9.25/ppm/ppmtopj.c   2004-05-12 11:53:57.787571192 +0200
@@ -176,6 +176,7 @@
        pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
 
        pm_close( ifp );
+       overflow2(cols,2);
        obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
        cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
 
diff -urN netpbm-9.25.orig/ppm/ppmtouil.c netpbm-9.25/ppm/ppmtouil.c
--- netpbm-9.25.orig/ppm/ppmtouil.c     2002-01-04 16:24:54.000000000 +0100
+++ netpbm-9.25/ppm/ppmtouil.c  2004-05-12 11:53:57.787571192 +0200
@@ -201,6 +201,7 @@
     int d;
 
     /* Allocate memory for printed number.  Abort if error. */
+    overflow_add(digits, 1);
     str = (char*) malloc( digits + 1 );
     if ( str == 0 )
        pm_error( "out of memory allocating number string" );
@@ -268,6 +269,7 @@
            }
 
        /* Copy it. */
+       overflow_add(strlen(colorname), 1);
        cmap[i].rgbname = (char*) malloc( strlen( colorname ) + 1 );
        if ( cmap[i].rgbname == 0 )
            pm_error( "out of memory allocating color name" );
diff -urN netpbm-9.25.orig/ppm/ppmtowinicon.c netpbm-9.25/ppm/ppmtowinicon.c
--- netpbm-9.25.orig/ppm/ppmtowinicon.c 2002-01-28 04:42:08.000000000 +0100
+++ netpbm-9.25/ppm/ppmtowinicon.c      2004-05-12 11:53:57.803568760 +0200
@@ -27,6 +27,8 @@
  */
 
 #include <math.h>
+#include <string.h>
+#include <stdlib.h>
 #include "winico.h"
 #include "ppm.h"
 #include "ppmcmap.h"
@@ -193,12 +195,12 @@
       wt = (wt & ~3) + 4;
    }
    xBytes = wt;
-   rowData = malloc ( rows * sizeof (char *));
+   rowData = malloc2 ( rows,  sizeof (char *));
    icBitmap->xBytes = xBytes;
    icBitmap->data   = rowData;
    icBitmap->size   = xBytes * rows;
    for (y=0;y<rows;y++) {
-      u1 * row = malloc ( xBytes * sizeof (u1));
+      u1 * row = malloc2 ( xBytes , sizeof (u1));
       int byteOn = 0;
       int bitOn = 128;
       int value;
@@ -250,13 +252,15 @@
       wt = (wt & ~3) + 4;
    }
    xBytes = wt;
-   rowData = malloc ( rows * sizeof (char *));
+   rowData = malloc2 ( rows , sizeof (char *));
    icBitmap->xBytes = xBytes;
    icBitmap->data   = rowData;
+   overflow2(xBytes, rows);
    icBitmap->size   = xBytes * rows;
+   overflow2(xBytes, rows);
 
    for (y=0;y<rows;y++) {
-      u1 * row = malloc ( xBytes * sizeof (u1));
+      u1 * row = malloc2 ( xBytes, sizeof (u1));
       int byteOn = 0;
       int nibble = 1;   /* high nibble = 1, low nibble = 0; */
       int value;
@@ -304,13 +308,14 @@
       wt = (wt & ~3) + 4;
    }
    xBytes = wt;
-   rowData = malloc ( rows * sizeof (char *));
+   rowData = malloc2 ( rows,  sizeof (char *));
    icBitmap->xBytes = xBytes;
    icBitmap->data   = rowData;
    icBitmap->size   = xBytes * rows;
+   overflow2(xBytes, rows);
 
    for (y=0;y<rows;y++) {
-      u1 * row = malloc ( xBytes * sizeof (u1));
+      u1 * row = malloc2 ( xBytes, sizeof (u1));
       memset (row, 0, xBytes);
       rowData[rows-y-1] = row;
       /* 
@@ -351,7 +356,7 @@
 createCleanPalette(void) {
    IC_Palette palette = malloc ( sizeof (* palette) );
    int x;
-   palette->colors = malloc (MAXCOLORS * sizeof(IC_Color *));
+   palette->colors = malloc(MAXCOLORS * sizeof(IC_Color *));
    for (x=0;x<MAXCOLORS;x++ ){
       palette->colors[x] = NULL;
    }
diff -urN netpbm-9.25.orig/ppm/ppmtoxpm.c netpbm-9.25/ppm/ppmtoxpm.c
--- netpbm-9.25.orig/ppm/ppmtoxpm.c     2002-03-13 04:23:45.000000000 +0100
+++ netpbm-9.25/ppm/ppmtoxpm.c  2004-05-12 11:53:57.764574688 +0200
@@ -207,6 +207,7 @@
         continue;
     }
     /* Allocate memory for ascii name.  Abort if error. */
+    overflow_add(strlen(name), 1);
     if (!(rgbname = (char *) malloc(strlen(name) + 1)))
         pm_error("out of memory allocating rgb name");
         
@@ -251,6 +252,7 @@
     int i;
 
     /* Allocate memory for printed number.  Abort if error. */
+    overflow_add(digits, 1);
     if (!(str = (char *) malloc(digits + 1)))
         pm_error("out of memory");
 
@@ -292,7 +294,8 @@
     char *str;
     cixel_map * cmap;  /* malloc'ed */
 
-    cmap = malloc(sizeof(cixel_map) * (ncolors+1));
+    overflow_add(ncolors,1);
+    cmap = malloc2(sizeof(cixel_map), (ncolors+1));
     if (cmapP == NULL)
         pm_error("Out of memory allocating %d bytes for a color map.",
                  sizeof(cixel_map) * (ncolors+1));
@@ -384,6 +387,7 @@
         if (r == rgbn[j].r && g == rgbn[j].g && b == rgbn[j].b) {
 
             /* Matched.  Allocate string, copy mnemonic, and exit. */
+            overflow_add(strlen(rgbn[j].name), 1);
             if (!(str = (char *) malloc(strlen(rgbn[j].name) + 1)))
             pm_error("out of memory");
             strcpy(str, rgbn[j].name);
diff -urN netpbm-9.25.orig/ppm/qrttoppm.c netpbm-9.25/ppm/qrttoppm.c
--- netpbm-9.25.orig/ppm/qrttoppm.c     1993-10-04 10:12:56.000000000 +0100
+++ netpbm-9.25/ppm/qrttoppm.c  2004-05-12 11:53:57.788571040 +0200
@@ -46,7 +46,7 @@
 
     ppm_writeppminit( stdout, cols, rows, maxval, 0 );
     pixelrow = ppm_allocrow( cols );
-    buf = (unsigned char *) malloc( 3 * cols );
+    buf = (unsigned char *) malloc2( 3 , cols );
     if ( buf == (unsigned char *) 0 )
        pm_error( "out of memory" );
 
diff -urN netpbm-9.25.orig/ppm/sldtoppm.c netpbm-9.25/ppm/sldtoppm.c
--- netpbm-9.25.orig/ppm/sldtoppm.c     2000-03-03 07:15:55.000000000 +0100
+++ netpbm-9.25/ppm/sldtoppm.c  2004-05-12 11:53:57.789570888 +0200
@@ -303,6 +303,8 @@
 
     /* Allocate image buffer and clear it to black. */
 
+    overflow_add(ixdots,1);
+    overflow_add(iydots,1);
     pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1);
     PPM_ASSIGN(rgbcolour, 0, 0, 0);
     ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0,
diff -urN netpbm-9.25.orig/ppm/ximtoppm.c netpbm-9.25/ppm/ximtoppm.c
--- netpbm-9.25.orig/ppm/ximtoppm.c     2000-06-09 09:33:33.000000000 +0200
+++ netpbm-9.25/ppm/ximtoppm.c  2004-05-12 11:53:57.794570128 +0200
@@ -239,6 +239,7 @@
     header->bits_channel = atoi(a_head.bits_per_channel);
     header->alpha_flag = atoi(a_head.alpha_channel);
     if (strlen(a_head.author)) {
+       overflow_add(strlen(a_head.author),1);
         if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1,
                 1))) {
             pm_message("ReadXimHeader: can't calloc author string" );
@@ -248,6 +249,7 @@
         strncpy(header->author, a_head.author, strlen(a_head.author));
     }
     if (strlen(a_head.date)) {
+        overflow_add(strlen(a_head.date),1);
         if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){
             pm_message("ReadXimHeader: can't calloc date string" );
             return(0);
@@ -256,6 +258,7 @@
         strncpy(header->date, a_head.date, strlen(a_head.date));
     }
     if (strlen(a_head.program)) {
+        overflow_add(strlen(a_head.program),1);
         if (!(header->program = calloc(
                     (unsigned int)strlen(a_head.program) + 1, 1))) {
             pm_message("ReadXimHeader: can't calloc program string" );
@@ -282,6 +285,7 @@
     if (header->nchannels == 3 && header->bits_channel == 8)
         header->ncolors = 0;
     else if (header->nchannels == 1 && header->bits_channel == 8) {
+       overflow2(header->ncolors, sizeof(Color));
         header->colors = (Color *)calloc((unsigned int)header->ncolors,
                 sizeof(Color));
         if (header->colors == NULL) {
diff -urN netpbm-9.25.orig/ppm/xpmtoppm.c netpbm-9.25/ppm/xpmtoppm.c
--- netpbm-9.25.orig/ppm/xpmtoppm.c     2002-01-04 16:34:39.000000000 +0100
+++ netpbm-9.25/ppm/xpmtoppm.c  2004-05-12 11:53:57.799569368 +0200
@@ -528,7 +528,7 @@
     } else {
         /* Over two chars per pixel, we fall back on linear search. */
         *colorsP = ppm_allocrow(*ncolorsP);
-        *ptabP = (int *) malloc(*ncolorsP * sizeof(int));
+        *ptabP = (int *) malloc2(*ncolorsP, sizeof(int));
     }
 
     /* Read color table. */
@@ -674,8 +674,9 @@
                        &ncolors, colorsP, &ptab);
         *transparentP = -1;  /* No transparency in version 1 */
     }
+    overflow2(*widthP, *heightP);
     totalpixels = *widthP * *heightP;
-    *dataP = (int *) malloc(totalpixels * sizeof(int));
+    *dataP = (int *) malloc2(totalpixels, sizeof(int));
     if (*dataP == NULL)
         pm_error("Could not get %d bytes of memory for image", totalpixels);
     cursor = *dataP;
diff -urN netpbm-9.25.orig/ppm/yuvtoppm.c netpbm-9.25/ppm/yuvtoppm.c
--- netpbm-9.25.orig/ppm/yuvtoppm.c     2000-07-27 01:35:16.000000000 +0200
+++ netpbm-9.25/ppm/yuvtoppm.c  2004-05-12 11:53:57.794570128 +0200
@@ -71,7 +71,8 @@
 
        ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0);
        pixrow = ppm_allocrow(cols);
-       yuvbuf = malloc(((cols+1)/2)*sizeof(struct yuv));
+       overflow_add(cols, 1);
+       yuvbuf = malloc2(((cols+1)/2), sizeof(struct yuv));
 
        for (row = 0; row < rows; ++row) {
                int    col;
diff -urN netpbm-9.25.orig/urt/README netpbm-9.25/urt/README
--- netpbm-9.25.orig/urt/README 2000-06-02 22:53:04.000000000 +0200
+++ netpbm-9.25/urt/README      2004-05-12 11:53:57.830564656 +0200
@@ -18,3 +18,8 @@
 defines stdout as a variable, so that wouldn't compile.  So I changed
 it to NULL and added a line to rle_hdr_init to set that field to
 'stdout' dynamically.  2000.06.02 BJH.
+
+Redid the code to check for maths overflows and other crawly horrors.
+Removed pipe through and compress support (unsafe)
+
+Alan Cox <alan@redhat.com>
diff -urN netpbm-9.25.orig/urt/Runput.c netpbm-9.25/urt/Runput.c
--- netpbm-9.25.orig/urt/Runput.c       2002-03-13 05:24:43.000000000 +0100
+++ netpbm-9.25/urt/Runput.c    2004-05-12 11:53:57.827565112 +0200
@@ -17,6 +17,8 @@
  *
  *  Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
  *  to have all "void" functions so declared.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /* 
  * Runput.c - General purpose Run Length Encoding.
@@ -200,9 +202,11 @@
     if ( the_hdr->background != 0 )
     {
        register int i;
-       register rle_pixel *background =
-           (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
+       register rle_pixel *background;
        register int *bg_color;
+
+       overflow_add(the_hdr->ncolors,1);
+       background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
        /* 
         * If even number of bg color bytes, put out one more to get to 
         * 16 bit boundary.
@@ -222,7 +226,7 @@
        /* Big-endian machines are harder */
        register int i, nmap = (1 << the_hdr->cmaplen) *
                               the_hdr->ncmap;
-       register char *h_cmap = (char *)malloc( nmap * 2 );
+       register char *h_cmap = (char *)malloc2( nmap, 2 );
        if ( h_cmap == NULL )
        {
            fprintf( stderr,
diff -urN netpbm-9.25.orig/urt/rle.h netpbm-9.25/urt/rle.h
--- netpbm-9.25.orig/urt/rle.h  2002-03-13 16:32:34.000000000 +0100
+++ netpbm-9.25/urt/rle.h       2004-05-12 11:53:57.827565112 +0200
@@ -14,6 +14,9 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ *  Header declarations needed
  */
 /* 
  * rle.h - Global declarations for Utah Raster Toolkit RLE programs.
@@ -169,6 +172,16 @@
  */
 extern rle_hdr rle_dflt_hdr;
 
+/*
+ * Provided by pm library
+ */
+
+extern void overflow_add(int, int);
+extern void overflow2(int, int);
+extern void overflow3(int, int, int);
+extern void *malloc2(int, int);
+extern void *malloc3(int, int, int);
+extern void *realloc2(void *, int, int);
 
 /* Declare RLE library routines. */
 
diff -urN netpbm-9.25.orig/urt/rle_addhist.c netpbm-9.25/urt/rle_addhist.c
--- netpbm-9.25.orig/urt/rle_addhist.c  1992-04-30 16:07:45.000000000 +0200
+++ netpbm-9.25/urt/rle_addhist.c       2004-05-12 11:53:57.829564808 +0200
@@ -14,6 +14,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /* 
  * rle_addhist.c - Add to the HISTORY comment in header
@@ -68,19 +70,29 @@
 
        length=0;
        for(i=0;argv[i];i++)
+       {
+               overflow_add(length, strlen(argv[i]));
+               overflow_add(length+1, strlen(argv[i]));
                length+= strlen(argv[i]) +1;                                    /* length of each arg plus space. */
-
+       }
        (void)time (&temp);
        timedate=ctime(&temp);
        length+= strlen(timedate);                                              /* length of date and time in ASCII. */
 
+       overflow_add(strlen(padding), 4);
+       overflow_add(strlen(padding)+4, strlen(histoire));
+       overflow_add(length, strlen(padding)+4 + strlen(histoire));
        length+= strlen(padding) + 3 + strlen(histoire) + 1;                    /* length of padding, "on "  and length of history name plus "="*/
        if(in_hdr)                                                              /* if we are interested in the old comments... */
                old=rle_getcom(histoire,in_hdr);                                /* get old comment. */
 
-       if((old) && (*old)) length+= strlen(old);                               /* add length if there. */
+       if((old) && (*old))
+       {
+               overflow_add(length, strlen(old));
+               length+= strlen(old);                           /* add length if there. */
+       }
 
-       length++;                                                               /*Cater for the null. */
+       overflow_add(length, 1);
 
        if((newc=(char *)malloc((unsigned int) length)) == NULL)return;
 
@@ -94,5 +106,4 @@
        (void)strcat(newc,padding);                                                     /* to line up multiple histories.*/
 
        (void)rle_putcom(newc,out_hdr);
-
 }
diff -urN netpbm-9.25.orig/urt/rle_getrow.c netpbm-9.25/urt/rle_getrow.c
--- netpbm-9.25.orig/urt/rle_getrow.c   2002-03-13 05:24:04.000000000 +0100
+++ netpbm-9.25/urt/rle_getrow.c        2004-05-12 11:53:57.825565416 +0200
@@ -17,6 +17,8 @@
  *
  *  Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
  *  to have all "void" functions so declared.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /* 
  * rle_getrow.c - Read an RLE file in.
@@ -100,10 +102,8 @@
 
     if ( !(setup.h_flags & H_NO_BACKGROUND) && setup.h_ncolors > 0 )
     {
-       the_hdr->bg_color = (int *)malloc(
-           (unsigned)(sizeof(int) * setup.h_ncolors) );
-       bg_color = (rle_pixel *)malloc(
-           (unsigned)(1 + (setup.h_ncolors / 2) * 2) );
+       the_hdr->bg_color = (int *)malloc2(sizeof(int), setup.h_ncolors);
+       bg_color = (rle_pixel *)malloc2(1 + (setup.h_ncolors / 2),2);
        RLE_CHECK_ALLOC( the_hdr->cmd, the_hdr->bg_color && bg_color,
                         "background color" );
        fread( (char *)bg_color, 1, 1 + (setup.h_ncolors / 2) * 2, infile );
@@ -145,9 +145,8 @@
        register int i;
        register char *maptemp;
 
-       the_hdr->cmap = (rle_map *)malloc(
-           (unsigned)(sizeof(rle_map) * maplen) );
-       maptemp = (char *)malloc( 2 * maplen );
+       the_hdr->cmap = (rle_map *)malloc2(sizeof(rle_map), maplen);
+       maptemp = (char *)malloc2(2, maplen);
        if ( the_hdr->cmap == NULL || maptemp == NULL )
        {
            fprintf( stderr,
@@ -170,6 +169,8 @@
        register char * cp;
 
        VAXSHORT( comlen, infile );     /* get comment length */
+
+       overflow_add(comlen, 1);
        evenlen = (comlen + 1) & ~1;    /* make it even */
        if ( evenlen )
        {
@@ -190,7 +191,7 @@
            i++;                        /* extra for NULL pointer at end */
            /* Get space to put pointers to comments */
            the_hdr->comments =
-               (CONST_DECL char **)malloc( (unsigned)(i * sizeof(char *)) );
+               (CONST_DECL char **)malloc2(i, sizeof(char *));
            if ( the_hdr->comments == NULL )
            {
                fprintf( stderr,
diff -urN netpbm-9.25.orig/urt/rle_hdr.c netpbm-9.25/urt/rle_hdr.c
--- netpbm-9.25.orig/urt/rle_hdr.c      2000-06-09 09:49:51.000000000 +0200
+++ netpbm-9.25/urt/rle_hdr.c   2004-05-12 11:53:57.826565264 +0200
@@ -14,6 +14,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /* 
  * rle_hdr.c - Functions to manipulate rle_hdr structures.
@@ -77,7 +79,10 @@
     /* Fill in with copies of the strings. */
     if ( the_hdr->cmd != pgmname )
     {
-       char *tmp = (char *)malloc( strlen( pgmname ) + 1 );
+       char *tmp ;
+
+       overflow_add(strlen(pgmname), 1);
+       tmp = malloc( strlen( pgmname ) + 1 );
        RLE_CHECK_ALLOC( pgmname, tmp, 0 );
        strcpy( tmp, pgmname );
        the_hdr->cmd = tmp;
@@ -85,7 +90,9 @@
 
     if ( the_hdr->file_name != fname )
     {
-       char *tmp = (char *)malloc( strlen( fname ) + 1 );
+       char *tmp;
+       overflow_add(strlen(fname), 1);
+       tmp = malloc( strlen( fname ) + 1 );
        RLE_CHECK_ALLOC( pgmname, tmp, 0 );
        strcpy( tmp, fname );
        the_hdr->file_name = tmp;
@@ -150,6 +157,7 @@
     if ( to_hdr->bg_color )
     {
        int size = to_hdr->ncolors * sizeof(int);
+       overflow2(to_hdr->ncolors, sizeof(int));
        to_hdr->bg_color = (int *)malloc( size );
        RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" );
        memcpy( to_hdr->bg_color, from_hdr->bg_color, size );
@@ -158,7 +166,7 @@
     if ( to_hdr->cmap )
     {
        int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map);
-       to_hdr->cmap = (rle_map *)malloc( size );
+       to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map));
        RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" );
        memcpy( to_hdr->cmap, from_hdr->cmap, size );
     }
@@ -171,11 +179,16 @@
        int size = 0;
        CONST_DECL char **cp;
        for ( cp=to_hdr->comments; *cp; cp++ )
+       {
+           overflow_add(size, 1);
            size++;             /* Count the comments. */
+       }
        /* Check if there are really any comments. */
        if ( size )
        {
+           overflow_add(size, 1);
            size++;             /* Copy the NULL pointer, too. */
+           overflow2(size, sizeof(char *));
            size *= sizeof(char *);
            to_hdr->comments = (CONST_DECL char **)malloc( size );
            RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" );
diff -urN netpbm-9.25.orig/urt/rle_open_f.c netpbm-9.25/urt/rle_open_f.c
--- netpbm-9.25.orig/urt/rle_open_f.c   2002-03-13 16:35:54.000000000 +0100
+++ netpbm-9.25/urt/rle_open_f.c        2004-05-12 11:53:57.824565568 +0200
@@ -6,6 +6,9 @@
  *             University of Michigan
  * Date:       11/14/89
  * Copyright (c) 1990, University of Michigan
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ *  Killed of crazy unsafe pipe/compress stuff
  */
 
 #include "rle.h"
@@ -130,7 +133,7 @@
            
        cp = file_name + strlen( (char*) file_name ) - 2;
        /* Pipe case. */
-       if ( *file_name == '|' )
+       if ( *file_name == '|'  && 0 /* BOLLOCKS ARE WE DOING THIS ANY MORE */)
        {
            int thepid;         /* PID from my_popen */
            if ( (fp = my_popen( file_name + 1, mode, &thepid )) == NULL )
@@ -150,9 +153,10 @@
        }
 
        /* Compress case. */
-       else if ( cp > file_name && *cp == '.' && *(cp + 1) == 'Z' )
+       else if (/* SMOKING SOMETHING */ 0 &&  cp > file_name && *cp == '.' && *(cp + 1) == 'Z' )
        {
            int thepid;         /* PID from my_popen. */
+           overflow_add(20, strlen(file_name));
            combuf = (char *)malloc( 20 + strlen( file_name ) );
            if ( combuf == NULL )
            {
diff -urN netpbm-9.25.orig/urt/rle_putcom.c netpbm-9.25/urt/rle_putcom.c
--- netpbm-9.25.orig/urt/rle_putcom.c   2000-05-19 01:12:22.000000000 +0200
+++ netpbm-9.25/urt/rle_putcom.c        2004-05-12 11:53:57.830564656 +0200
@@ -14,6 +14,8 @@
  * If you modify this software, you should include a notice giving the
  * name of the person performing the modification, the date of modification,
  * and the reason for such modification.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 /* 
  * rle_putcom.c - Add a picture comment to the header struct.
@@ -89,19 +91,22 @@
 
     if ( the_hdr->comments == NULL )
     {
-       the_hdr->comments = (CONST_DECL char **)malloc( 2 * sizeof(char *) );
+       the_hdr->comments = (CONST_DECL char **)malloc2( 2, sizeof(char *) );
        the_hdr->comments[0] = value;
        the_hdr->comments[1] = NULL;
     }
     else
     {
        for ( i = 2, cp = the_hdr->comments; *cp != NULL; i++, cp++ )
+       {
+           overflow_add(i, 1);
            if ( match( value, *cp ) != NULL )
            {
                v = *cp;
                *cp = value;
                return v;
            }
+       }
        /* Not found */
        /* Can't realloc because somebody else might be pointing to this
         * comments block.  Of course, if this were true, then the
@@ -111,7 +116,7 @@
         * could copy the pointers, too.
         */
        old_comments = the_hdr->comments;
-       the_hdr->comments = (CONST_DECL char **)malloc(i * sizeof(char *) );
+       the_hdr->comments = (CONST_DECL char **)malloc2(i , sizeof(char *) );
        the_hdr->comments[--i] = NULL;
        the_hdr->comments[--i] = value;
        for ( i--; i >= 0; i-- )
diff -urN netpbm-9.25.orig/urt/scanargs.c netpbm-9.25/urt/scanargs.c
--- netpbm-9.25.orig/urt/scanargs.c     2002-03-13 05:28:13.000000000 +0100
+++ netpbm-9.25/urt/scanargs.c  2004-05-12 11:53:57.828564960 +0200
@@ -38,6 +38,8 @@
  *
  *  Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
  *  to have all "void" functions so declared.
+ *
+ *  2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
  */
 
 #include "rle.h"
@@ -63,8 +65,8 @@
 /* 
  * Storage allocation macros
  */
-#define NEW( type, cnt )       (type *) malloc( (cnt) * sizeof( type ) )
-#define RENEW( type, ptr, cnt )        (type *) realloc( ptr, (cnt) * sizeof( type ) )
+#define NEW( type, cnt )       (type *) malloc2( (cnt) , sizeof( type ) )
+#define RENEW( type, ptr, cnt )        (type *) realloc2( ptr, (cnt), sizeof( type ) )
 
 #if defined(c_plusplus) && !defined(USE_PROTOTYPES)
 #define USE_PROTOTYPES
diff -urN netpbm-9.25.orig/ppm/Makefile netpbm-9.25/ppm/Makefile
--- netpbm-9.25.orig/ppm/Makefile       Wed Mar 13 03:09:21 2002
+++ netpbm-9.25/ppm/Makefile    Wed May 12 12:23:40 2004
@@ -36,7 +36,7 @@
 
 PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
                leaftoppm mtvtoppm neotoppm \
-               pcxtoppm pgmtoppm pi1toppm picttoppm \
+               pcxtoppm pgmtoppm pi1toppm \
                pjtoppm \
                ppm3d ppmbrighten ppmchange ppmcolormask ppmcolors \
                ppmdim ppmdist ppmdither \