--- /dev/null
+diff -urN netpbm-9.25.orig/COPYRIGHT.PATENT netpbm-9.25/COPYRIGHT.PATENT
+--- netpbm-9.25.orig/COPYRIGHT.PATENT 2001-11-12 20:16:00.000000000 +0100
++++ netpbm-9.25/COPYRIGHT.PATENT 2004-05-12 11:53:57.823565720 +0200
+@@ -23,6 +23,11 @@
+ The copyrights on individual components of this package are detailed
+ at appropriate places within the package.
+
++These security fixes for netpbm are (c) Copyright 2002 Red Hat Inc.
++Red Hat has not fixed those items with patent claims or commercial
++use restrictions. These changes include NO WARRANTY and are provided
++under the Open Software License v.1 (see file OPENLICENSE).
++
+
+ PATENTS
+ -------
+diff -urN netpbm-9.25.orig/OPENLICENSE netpbm-9.25/OPENLICENSE
+--- netpbm-9.25.orig/OPENLICENSE 1970-01-01 01:00:00.000000000 +0100
++++ netpbm-9.25/OPENLICENSE 2004-05-12 11:53:57.831564504 +0200
+@@ -0,0 +1,163 @@
++ The Open Software License
++ v. 1.1
++
++This Open Software License (the "License") applies to any original work of
++authorship (the "Original Work") whose owner (the "Licensor") has placed the
++following notice immediately following the copyright notice for the Original
++Work:
++
++Licensed under the Open Software License version 1.1
++
++1) Grant of Copyright License. Licensor hereby grants You a world-wide,
++royalty-free, non-exclusive, perpetual, non-sublicenseable license to do the
++following:
++
++a) to reproduce the Original Work in copies;
++
++b) to prepare derivative works ("Derivative Works") based upon the Original
++Work;
++
++c) to distribute copies of the Original Work and Derivative Works to the
++public, with the proviso that copies of Original Work or Derivative Works that
++You distribute shall be licensed under the Open Software License;
++
++d) to perform the Original Work publicly; and
++
++e) to display the Original Work publicly.
++
++2) Grant of Patent License. Licensor hereby grants You a world-wide,
++royalty-free, non-exclusive, perpetual, non-sublicenseable license, under
++patent claims owned or controlled by the Licensor that are embodied in the
++Original Work as furnished by the Licensor ("Licensed Claims") to make, use,
++sell and offer for sale the Original Work. Licensor hereby grants You a
++world-wide, royalty-free, non-exclusive, perpetual, non-sublicenseable license
++under the Licensed Claims to make, use, sell and offer for sale Derivative Works.
++
++3) Grant of Source Code License. The term "Source Code" means the preferred
++form of the Original Work for making modifications to it and all available
++documentation describing how to modify the Original Work. Licensor hereby
++agrees to provide a machine-readable copy of the Source Code of the Original
++Work along with each copy of the Original Work that Licensor distributes.
++Licensor reserves the right to satisfy this obligation by placing a
++machine-readable copy of the Source Code in an information repository reasonably
++calculated to permit inexpensive and convenient access by You for as long as
++ Licensor continues to distribute the Original Work, and by publishing the
++address of that information repository in a notice immediately following the
++copyright notice that applies to the Original Work.
++
++
++4) Exclusions From License Grant. Nothing in this License shall be deemed to
++grant any rights to trademarks, copyrights, patents, trade secrets or any
++other intellectual property of Licensor except as expressly stated herein. No
++patent license is granted to make, use, sell or offer to sell embodiments of
++any patent claims other than the Licensed Claims defined in Section 2. No
++right is granted to the trademarks of Licensor even if such marks are included
++in the Original Work. Nothing in this License shall be interpreted to prohibit
++Licensor from licensing under different terms from this License any Original
++Work that Licensor otherwise would have a right to license.
++
++5) External Deployment. The term "External Deployment" means the use or
++distribution of the Original Work or Derivative Works in any way such that the
++Original Work or Derivative Works may be used by anyone other than You,
++whether the Original Work or Derivative Works are distributed to those persons
++or made available as an application intended for use over a computer network.
++As an express condition for the grants of license hereunder, You agree that
++any External Deployment by You of a Derivative Work shall be deemed a
++distribution and shall be licensed to all under the terms of this License, as
++prescribed in section 1(c) herein.
++
++6) Attribution Rights. You must retain, in the Source Code of any Derivative
++Works that You create, all copyright, patent or trademark notices from the
++Source Code of the Original Work, as well as any notices of licensing and any
++descriptive text identified therein as an "Attribution Notice." You must cause
++the Source Code for any Derivative Works that You create to carry a prominent
++Attribution Notice reasonably calculated to inform recipients that You have
++modified the Original Work.
++
++7) Warranty and Disclaimer of Warranty. Licensor warrants that the copyright
++in and to the Original Work is owned by the Licensor or that the Original Work
++is distributed by Licensor under a valid current license from the copyright
++owner. Except as expressly stated in the immediately proceeding sentence, the
++Original Work is provided under this License on an "AS IS" BASIS and WITHOUT
++WARRANTY, either express or implied, including, without limitation, the
++warranties of NON-INFRINGEMENT, MERCHANTABILITY or FITNESS FOR A PARTICULAR
++PURPOSE. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK IS WITH YOU.
++This DISCLAIMER OF WARRANTY constitutes an essential part of this License. No
++license to Original Work is granted hereunder except under this disclaimer.
++
++8) Limitation of Liability. Under no circumstances and under no legal theory,
++whether in tort (including negligence), contract, or otherwise, shall the
++Licensor be liable to any person for any direct, indirect, special, incidental,
++or consequential damages of any character arising as a result of this License
++or the use of the Original Work including, without limitation, damages for
++loss of goodwill, work stoppage, computer failure or malfunction, or any and
++all other commercial damages or losses. This limitation of liability shall not
++apply to liability for death or personal injury resulting from Licensor's
++negligence to the extent applicable law prohibits such limitation. Some
++jurisdictions do not allow the exclusion or limitation of incidental or
++consequential damages, so this exclusion and limitation may not apply to You.
++
++
++9) Acceptance and Termination. If You distribute copies of the Original Work
++or a Derivative Work, You must make a reasonable effort under the circumstances
++to obtain the express and volitional assent of recipients to the terms of this
++License. Nothing else but this License (or another written agreement between
++Licensor and You) grants You permission to create Derivative Works based upon
++the Original Work or to exercise any of the rights granted in Sections 1 herein,
++and any attempt to do so except under the terms of this License (or another
++written agreement between Licensor and You) is expressly prohibited by U.S.
++copyright law, the equivalent laws of other countries, and by international
++treaty. Therefore, by exercising any of the rights granted to You in Sections
++1 herein, You indicate Your acceptance of this License and all of its terms and
++conditions. This License shall terminate immediately and you may no longer
++exercise any of the rights granted to You by this License upon Your failure to
++honor the proviso in Section 1(c) herein.
++
++10) Mutual Termination for Patent Action. This License shall terminate
++automatically and You may no longer exercise any of the rights granted to You
++by this License if You file a lawsuit in any court alleging that any OSI
++Certified open source software that is licensed under any license containing
++this "Mutual Termination for Patent Action" clause infringes any patent claims
++that are essential to use that software.
++
++11) Jurisdiction, Venue and Governing Law. Any action or suit relating to this
++License may be brought only in the courts of a jurisdiction wherein the Licensor
++resides or in which Licensor conducts its primary business, and under the laws
++of that jurisdiction excluding its conflict-of-law provisions. The application
++of the United Nations Convention on Contracts for the International Sale of
++Goods is expressly excluded. Any use of the Original Work outside the scope of
++this License or after its termination shall be subject to the requirements and
++penalties of the U.S. Copyright Act, 17 U.S.C. å¤ 101 et seq., the equivalent
++laws of other countries, and international treaty. This section shall survive
++the termination of this License.
++
++12) Attorneys Fees. In any action to enforce the terms of this License or
++seeking damages relating thereto, the prevailing party shall be entitled to
++recover its costs and expenses, including, without limitation, reasonable
++attorneys' fees and costs incurred in connection with such action, including
++any appeal of such action. This section shall survive the termination of this
++License.
++
++13) Miscellaneous. This License represents the complete agreement concerning
++the subject matter hereof. If any provision of this License is held to be
++unenforceable, such provision shall be reformed only to the extent necessary
++to make it enforceable.
++
++14) Definition of "You" in This License. "You" throughout this License,
++whether in upper or lower case, means an individual or a legal entity exercising
++rights under, and complying with all of the terms of, this License. For legal
++entities, "You" includes any entity that controls, is controlled by, or is under
++common control with you. For purposes of this definition, "control" means (i)
++the power, direct or indirect, to cause the direction or management of such
++entity, whether by contract or otherwise, or (ii) ownership of fifty percent
++(50%) or more of the outstanding shares, or (iii) beneficial ownership of such
++entity.
++
++15) Right to Use. You may use the Original Work in all ways not otherwise
++restricted or conditioned by this License or by law, and Licensor promises not
++to interfere with or be responsible for such uses by You.
++
++This license is Copyright (C) 2002 Lawrence E. Rosen. All rights reserved.
++Permission is hereby granted to copy and distribute this license without
++modification. This license may not be modified without the express written
++permission of its copyright owner.
+diff -urN netpbm-9.25.orig/pbm/atktopbm.c netpbm-9.25/pbm/atktopbm.c
+--- netpbm-9.25.orig/pbm/atktopbm.c 2000-03-19 05:33:36.000000000 +0100
++++ netpbm-9.25/pbm/atktopbm.c 2004-05-12 11:52:28.426156192 +0200
+@@ -322,8 +322,7 @@
+ *rwidth = width;
+ *rheight = height;
+ rowlen = (width + 7) / 8;
+- *destaddr = (unsigned char *) malloc (sizeof(unsigned char) * height *
+-rowlen);
++ *destaddr = (unsigned char *) malloc3 (sizeof(unsigned char), height, rowlen);
+ for (row = 0; row < height; row++)
+ {
+ long c;
+diff -urN netpbm-9.25.orig/pbm/icontopbm.c netpbm-9.25/pbm/icontopbm.c
+--- netpbm-9.25.orig/pbm/icontopbm.c 1993-10-04 10:10:28.000000000 +0100
++++ netpbm-9.25/pbm/icontopbm.c 2004-05-12 11:52:28.428155888 +0200
+@@ -10,6 +10,8 @@
+ ** implied warranty.
+ */
+
++#include <string.h>
++#include <limits.h>
+ #include "pbm.h"
+
+ static void ReadIconFile ARGS(( FILE* file, int* width, int* height, short** data ));
+@@ -137,6 +139,11 @@
+ if ( *height <= 0 )
+ pm_error( "invalid height: %d", *height );
+
++ if ( *width > INT_MAX - 16 || *width < 0)
++ pm_error( "invalid width: %d", *width);
++
++ overflow2(*width + 16, *height);
++
+ data_length = BitmapSize( *width, *height );
+ *data = (short*) malloc( data_length );
+ if ( *data == NULL )
+diff -urN netpbm-9.25.orig/pbm/libpbm1.c netpbm-9.25/pbm/libpbm1.c
+--- netpbm-9.25.orig/pbm/libpbm1.c 2002-01-03 21:09:23.000000000 +0100
++++ netpbm-9.25/pbm/libpbm1.c 2004-05-12 11:52:28.426156192 +0200
+@@ -36,13 +36,18 @@
+ const int format, const int cols, const int rows,
+ enum pm_check_code * const retval_p) {
+
++ if (rows < 0 || cols < 0)
++ pm_error("invalid image");
+ if (check_type != PM_CHECK_BASIC) {
+ if (retval_p) *retval_p = PM_CHECK_UNKNOWN_TYPE;
+ } else if (format != RPBM_FORMAT) {
+ if (retval_p) *retval_p = PM_CHECK_UNCHECKABLE;
+ } else {
++ /* signed to unsigned so wont wrap */
+ const unsigned int bytes_per_row = (cols+7)/8;
+ const unsigned int need_raster_size = rows * bytes_per_row;
++
++ overflow2(bytes_per_row, rows);
+
+ pm_check(file, check_type, need_raster_size, retval_p);
+ }
+diff -urN netpbm-9.25.orig/pbm/libpbm5.c netpbm-9.25/pbm/libpbm5.c
+--- netpbm-9.25.orig/pbm/libpbm5.c 2000-05-06 08:30:12.000000000 +0200
++++ netpbm-9.25/pbm/libpbm5.c 2004-05-12 11:52:28.424156496 +0200
+@@ -767,15 +767,18 @@
+ fn->frows = frows;
+ fn->fcols = fcols;
+
+- glyph = (struct glyph*) malloc( sizeof(struct glyph) * 95 );
++ glyph = (struct glyph*) malloc2( sizeof(struct glyph), 95 );
+ if ( glyph == (struct glyph*) 0 )
+ pm_error( "out of memory allocating glyphs" );
+
+- bmap = (char*) malloc( fn->maxwidth * fn->maxheight * 95 );
++ bmap = (char*) malloc3( fn->maxwidth, fn->maxheight, 95 );
+ if ( bmap == (char*) 0)
+ pm_error( "out of memory allocating glyph data" );
+
+ /* Now fill in the 0,0 coords. */
++ overflow2(char_height, 2);
++ overflow2(char_width, 2);
++
+ row = char_height * 2;
+ col = char_width * 2;
+ for ( ch = 0; ch < 95; ++ch )
+@@ -1022,7 +1025,7 @@
+ glyph->x = atoi(arg[3]);
+ glyph->y = atoi(arg[4]);
+
+- if (!(glyph->bmap = (char*)malloc(glyph->width * glyph->height)))
++ if (!(glyph->bmap = (char*)malloc2(glyph->width, glyph->height)))
+ pm_error("no memory for font glyph byte map");
+
+ if (readline(fp, line, arg) < 0) { fclose(fp); return 0; }
+diff -urN netpbm-9.25.orig/pbm/libpbmvms.c netpbm-9.25/pbm/libpbmvms.c
+--- netpbm-9.25.orig/pbm/libpbmvms.c 2000-05-26 20:34:55.000000000 +0200
++++ netpbm-9.25/pbm/libpbmvms.c 2004-05-12 11:52:28.448152848 +0200
+@@ -1,3 +1,5 @@
++#warning "NOT AUDITED"
++
+ /***************************************************************************
+ This file contains library routines needed to build Netpbm for VMS.
+ However, as of 2000.05.26, when these were split out of libpbm1.c
+diff -urN netpbm-9.25.orig/pbm/libpm.c netpbm-9.25/pbm/libpm.c
+--- netpbm-9.25.orig/pbm/libpm.c 2002-02-24 23:37:29.000000000 +0100
++++ netpbm-9.25/pbm/libpm.c 2004-05-12 11:52:28.449152696 +0200
+@@ -14,6 +14,7 @@
+ **************************************************************************/
+
+ #include <stdio.h>
++#include <limits.h>
+ #include "version.h"
+ #include "compile.h"
+ #include "shhopt.h"
+@@ -90,7 +91,7 @@
+ pm_allocrow(int const cols, int const size) {
+ register char* itrow;
+
+- itrow = (char*) malloc( cols * size );
++ itrow = (char*) malloc2( cols , size );
+ if ( itrow == (char*) 0 )
+ pm_error( "out of memory allocating a row" );
+ return itrow;
+@@ -108,10 +109,10 @@
+ char** its;
+ int i;
+
+- its = (char**) malloc( rows * sizeof(char*) );
++ its = (char**) malloc2( rows, sizeof(char*) );
+ if ( its == (char**) 0 )
+ pm_error( "out of memory allocating an array" );
+- its[0] = (char*) malloc( rows * cols * size );
++ its[0] = (char*) malloc3( rows, cols, size );
+ if ( its[0] == (char*) 0 )
+ pm_error( "out of memory allocating an array" );
+ for ( i = 1; i < rows; ++i )
+@@ -129,10 +130,12 @@
+ pm_allocarray(int const cols, int const rows, int const size) {
+ char** its;
+ int i;
+- its = (char**) malloc( (rows + 1) * sizeof(char*) );
++
++ overflow_add(rows, 1);
++ its = (char**) malloc2( (rows + 1), sizeof(char*) );
+ if ( its == (char**) 0 )
+ pm_error( "out of memory allocating an array" );
+- its[rows] = its[0] = (char*) malloc( rows * cols * size );
++ its[rows] = its[0] = (char*) malloc3( rows. cols, size );
+ if ( its[0] != (char*) 0 )
+ for ( i = 1; i < rows; ++i )
+ its[i] = &(its[0][i * cols * size]);
+@@ -958,4 +961,53 @@
+ }
+
+
++/*
++ * Maths wrapping
++ */
++
++void overflow2(int a, int b)
++{
++ if(a < 0 || b < 0)
++ pm_error("object too large");
++ if(b == 0)
++ return;
++ if(a > INT_MAX / b)
++ pm_error("object too large");
++}
++
++void overflow3(int a, int b, int c)
++{
++ overflow2(a,b);
++ overflow2(a*b, c);
++}
++
++void overflow_add(int a, int b)
++{
++ if( a > INT_MAX - b)
++ pm_error("object too large");
++}
++
++void *malloc2(int a, int b)
++{
++ overflow2(a, b);
++ if(a*b == 0)
++ pm_error("Zero byte allocation");
++ return malloc(a*b);
++}
++
++void *malloc3(int a, int b, int c)
++{
++ overflow3(a, b, c);
++ if(a*b*c == 0)
++ pm_error("Zero byte allocation");
++ return malloc(a*b*c);
++}
++
++void *realloc2(void * a, int b, int c)
++{
++ overflow2(b, c);
++ if(b*c == 0)
++ pm_error("Zero byte allocation");
++ return realloc(a, b*c);
++}
+
+diff -urN netpbm-9.25.orig/pbm/mdatopbm.c netpbm-9.25/pbm/mdatopbm.c
+--- netpbm-9.25.orig/pbm/mdatopbm.c 2000-05-06 11:28:53.000000000 +0200
++++ netpbm-9.25/pbm/mdatopbm.c 2004-05-12 11:52:28.442153760 +0200
+@@ -235,9 +235,14 @@
+ pm_readlittleshort(infile, &yy); nInRows = yy;
+ pm_readlittleshort(infile, &yy); nInCols = yy;
+
++ overflow2(nOutCols, 8);
+ nOutCols = 8*nInCols;
+ nOutRows = nInRows;
+- if (bScale) nOutRows *= 2;
++ if (bScale)
++ {
++ overflow2(nOutRows, 2);
++ nOutRows *= 2;
++ }
+
+ data = pbm_allocarray(nOutCols, nOutRows);
+ mdrow = malloc(nInCols);
+diff -urN netpbm-9.25.orig/pbm/mgrtopbm.c netpbm-9.25/pbm/mgrtopbm.c
+--- netpbm-9.25.orig/pbm/mgrtopbm.c 2000-03-03 02:02:09.000000000 +0100
++++ netpbm-9.25/pbm/mgrtopbm.c 2004-05-12 11:52:28.432155280 +0200
+@@ -108,6 +108,12 @@
+ head.magic[0], head.magic[1] );
+ pad = -1; /* should never reach here */
+ }
++
++ if(head.h_wide < ' ' || head.l_wide < ' ')
++ pm_error("bad width/height chars in MGR file");
++
++ overflow_add(*colsP, pad);
++
+ *colsP = ( ( (int) head.h_wide - ' ' ) << 6 ) + ( (int) head.l_wide - ' ' );
+ *rowsP = ( ( (int) head.h_high - ' ' ) << 6 ) + ( (int) head.l_high - ' ' );
+ *padrightP = ( ( *colsP + pad - 1 ) / pad ) * pad - *colsP;
+diff -urN netpbm-9.25.orig/pbm/pbmlife.c netpbm-9.25/pbm/pbmlife.c
+--- netpbm-9.25.orig/pbm/pbmlife.c 1993-10-04 10:10:37.000000000 +0100
++++ netpbm-9.25/pbm/pbmlife.c 2004-05-12 11:52:28.435154824 +0200
+@@ -54,7 +54,7 @@
+ prevrow = thisrow;
+ thisrow = nextrow;
+ nextrow = temprow;
+- if ( row < rows - 1 )
++ if ( row <= rows )
+ pbm_readpbmrow( ifp, nextrow, cols, format );
+
+ for ( col = 0; col < cols; ++col )
+diff -urN netpbm-9.25.orig/pbm/pbmpage.c netpbm-9.25/pbm/pbmpage.c
+--- netpbm-9.25.orig/pbm/pbmpage.c 2002-03-13 04:08:09.000000000 +0100
++++ netpbm-9.25/pbm/pbmpage.c 2004-05-12 11:52:28.443153608 +0200
+@@ -15,6 +15,7 @@
+ #include <math.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
+ #include "pbm.h"
+
+ /* Support both US and A4. */
+@@ -157,6 +158,9 @@
+ /* We round the allocated row space up to a multiple of 8 so the ugly
+ fast code below can work.
+ */
++
++ overflow_add(Width, 7);
++
+ pbmrow = pbm_allocrow(((Width+7)/8)*8);
+
+ bitmap_cursor = 0;
+diff -urN netpbm-9.25.orig/pbm/pbmpscale.c netpbm-9.25/pbm/pbmpscale.c
+--- netpbm-9.25.orig/pbm/pbmpscale.c 2000-03-03 02:14:24.000000000 +0100
++++ netpbm-9.25/pbm/pbmpscale.c 2004-05-12 11:52:28.427156040 +0200
+@@ -108,8 +108,9 @@
+ inrow[0] = inrow[1] = inrow[2] = NULL;
+ pbm_readpbminit(ifd, &columns, &rows, &format) ;
+
++ overflow2(columns, scale);
+ outrow = pbm_allocrow(columns*scale) ;
+- flags = (unsigned char *)malloc(sizeof(unsigned char)*columns) ;
++ flags = (unsigned char *)malloc2(sizeof(unsigned char), columns) ;
+ if (flags == NULL) pm_perror("out of memory") ;
+
+ pbm_writepbminit(stdout, columns*scale, rows*scale, 0) ;
+diff -urN netpbm-9.25.orig/pbm/pbmreduce.c netpbm-9.25/pbm/pbmreduce.c
+--- netpbm-9.25.orig/pbm/pbmreduce.c 2000-04-26 21:24:02.000000000 +0200
++++ netpbm-9.25/pbm/pbmreduce.c 2004-05-12 11:52:28.435154824 +0200
+@@ -92,8 +92,9 @@
+
+ if ( halftone == QT_FS ) {
+ /* Initialize Floyd-Steinberg. */
+- thiserr = (long*) malloc( ( newcols + 2 ) * sizeof(long) );
+- nexterr = (long*) malloc( ( newcols + 2 ) * sizeof(long) );
++ overflow_add(newcols, 2);
++ thiserr = (long*) malloc2( ( newcols + 2 ), sizeof(long) );
++ nexterr = (long*) malloc2( ( newcols + 2 ), sizeof(long) );
+ if ( thiserr == 0 || nexterr == 0 )
+ pm_error( "out of memory" );
+
+diff -urN netpbm-9.25.orig/pbm/pbmtext.c netpbm-9.25/pbm/pbmtext.c
+--- netpbm-9.25.orig/pbm/pbmtext.c 2001-03-20 03:44:49.000000000 +0100
++++ netpbm-9.25/pbm/pbmtext.c 2004-05-12 11:52:28.428155888 +0200
+@@ -82,12 +82,14 @@
+
+ for (i = 1; i < argc; i++) {
+ if (i > 1) {
++ overflow_add(totaltextsize, 1);
+ totaltextsize += 1;
+ cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
+ if (cmdline_p->text == NULL)
+ pm_error("out of memory");
+ strcat(cmdline_p->text, " ");
+ }
++ overflow_add(totaltextsize, strlen(argv[i]));
+ totaltextsize += strlen(argv[i]);
+ cmdline_p->text = realloc(cmdline_p->text, totaltextsize);
+ if (cmdline_p->text == NULL)
+@@ -328,11 +330,12 @@
+ */
+
+ maxlines = 50; /* initial value */
+- *input_textP = (char**) malloc(maxlines * sizeof(char*));
++ *input_textP = (char**) malloc2(maxlines, sizeof(char*));
+ if (*input_textP == NULL)
+ pm_error("out of memory");
+
+ if (cmdline_text) {
++ overflow_add(strlen(cmdline_text), 1);
+ (*input_textP)[0] = malloc(strlen(cmdline_text)+1);
+ if ((*input_textP)[0] == NULL)
+ pm_error("Out of memory.");
+@@ -347,7 +350,9 @@
+ while (fgets(buf, sizeof(buf), stdin) != NULL) {
+ fix_control_chars(buf, fn);
+ if (*linesP >= maxlines) {
++ overflow2(maxlines, 2);
+ maxlines *= 2;
++ overflow2(maxlines, sizeof(char *));
+ *input_textP = (char**) realloc((char*) *input_textP,
+ maxlines * sizeof(char*));
+ if(*input_textP == NULL)
+@@ -426,6 +431,7 @@
+ hmargin = fn->maxwidth;
+ } else {
+ vmargin = fn->maxheight;
++ overflow2(2, fn->maxwidth);
+ hmargin = 2 * fn->maxwidth;
+ }
+
+@@ -441,10 +447,15 @@
+ } else
+ lp = input_text;
+
++ overflow2(2, vmargin);
++ overflow2(lines, fn->maxheight);
++ overflow_add(vmargin * 2, lines * fn->maxheight);
+ rows = 2 * vmargin + lines * fn->maxheight;
+
+ compute_image_width(lp, lines, fn, cmdline.space, &maxwidth, &maxleftb);
+
++ overflow2(2, hmargin);
++ overflow_add(2*hmargin, maxwidth);
+ cols = 2 * hmargin + maxwidth;
+ bits = pbm_allocarray(cols, rows);
+
+diff -urN netpbm-9.25.orig/pbm/pbmto10x.c netpbm-9.25/pbm/pbmto10x.c
+--- netpbm-9.25.orig/pbm/pbmto10x.c 1995-08-13 05:36:40.000000000 +0200
++++ netpbm-9.25/pbm/pbmto10x.c 2004-05-12 11:52:28.436154672 +0200
+@@ -50,7 +50,7 @@
+ res_60x72();
+
+ pm_close(ifp);
+- exit(0);
++ return 0;
+ }
+
+ static void
+@@ -84,6 +84,8 @@
+ char *stripe, *sP;
+
+ stripe = malloc(cols);
++ if(stripe == NULL)
++ pm_error("out of memory");
+ for (i = 0; i < LOW_RES_ROWS; ++i)
+ bitrows[i] = pbm_allocrow(cols);
+ printf("\033A\010"); /* '\n' = 8/72 */
+@@ -117,6 +119,8 @@
+ char *stripe, *sP;
+
+ stripe = malloc(cols);
++ if(stripe == NULL)
++ pm_error("out of memory");
+ for (i = 0; i < HIGH_RES_ROWS; ++i)
+ bitrows[i] = pbm_allocrow(cols);
+ printf("\0333\001"); /* \n = 1/144" */
+diff -urN netpbm-9.25.orig/pbm/pbmtoascii.c netpbm-9.25/pbm/pbmtoascii.c
+--- netpbm-9.25.orig/pbm/pbmtoascii.c 2000-03-25 23:23:05.000000000 +0100
++++ netpbm-9.25/pbm/pbmtoascii.c 2004-05-12 11:52:28.437154520 +0200
+@@ -115,9 +115,11 @@
+ pm_usage( usage );
+
+ pbm_readpbminit( ifp, &cols, &rows, &format );
++ overflow_add(cols, gridx);
+ ccols = ( cols + gridx - 1 ) / gridx;
+ bitrow = pbm_allocrow( cols );
+ sig = (int*) pm_allocrow( ccols, sizeof(int) );
++ overflow_add(ccols, 1);
+ line = (char*) pm_allocrow( ccols + 1, sizeof(char) );
+
+ for ( row = 0; row < rows; row += gridy )
+diff -urN netpbm-9.25.orig/pbm/pbmtoatk.c netpbm-9.25/pbm/pbmtoatk.c
+--- netpbm-9.25.orig/pbm/pbmtoatk.c 2000-06-09 09:05:24.000000000 +0200
++++ netpbm-9.25/pbm/pbmtoatk.c 2004-05-12 11:52:28.437154520 +0200
+@@ -65,6 +65,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 15);
+ padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+
+ printf ("\\begindata{raster,%d}\n", 1);
+diff -urN netpbm-9.25.orig/pbm/pbmtocmuwm.c netpbm-9.25/pbm/pbmtocmuwm.c
+--- netpbm-9.25.orig/pbm/pbmtocmuwm.c 1993-10-04 10:10:46.000000000 +0100
++++ netpbm-9.25/pbm/pbmtocmuwm.c 2004-05-12 11:52:28.438154368 +0200
+@@ -43,6 +43,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Round cols up to the nearest multiple of 8. */
++ overflow_add(cols, 7);
+ padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
+
+ putinit( rows, cols );
+diff -urN netpbm-9.25.orig/pbm/pbmtogem.c netpbm-9.25/pbm/pbmtogem.c
+--- netpbm-9.25.orig/pbm/pbmtogem.c 2000-06-09 09:07:05.000000000 +0200
++++ netpbm-9.25/pbm/pbmtogem.c 2004-05-12 11:52:28.432155280 +0200
+@@ -123,6 +123,7 @@
+ bitsperitem = 0;
+ bitshift = 7;
+ outcol = 0;
++ overflow_add(cols, 7);
+ outmax = (cols + 7) / 8;
+ outrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
+ lastrow = (unsigned char *) pm_allocrow (outmax, sizeof (unsigned char));
+diff -urN netpbm-9.25.orig/pbm/pbmtogo.c netpbm-9.25/pbm/pbmtogo.c
+--- netpbm-9.25.orig/pbm/pbmtogo.c 2000-06-09 09:07:04.000000000 +0200
++++ netpbm-9.25/pbm/pbmtogo.c 2004-05-12 11:52:28.439154216 +0200
+@@ -90,6 +90,7 @@
+ bitrow = pbm_allocrow(cols);
+
+ /* Round cols up to the nearest multiple of 8. */
++ overflow_add(cols, 7);
+ rucols = ( cols + 7 ) / 8;
+ bytesperrow = rucols; /* GraphOn uses bytes */
+ rucols = rucols * 8;
+diff -urN netpbm-9.25.orig/pbm/pbmtoicon.c netpbm-9.25/pbm/pbmtoicon.c
+--- netpbm-9.25.orig/pbm/pbmtoicon.c 1993-10-04 10:10:50.000000000 +0100
++++ netpbm-9.25/pbm/pbmtoicon.c 2004-05-12 11:52:28.439154216 +0200
+@@ -42,6 +42,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 15);
+ pad = ( ( cols + 15 ) / 16 ) * 16 - cols;
+ padleft = pad / 2;
+ padright = pad - padleft;
+diff -urN netpbm-9.25.orig/pbm/pbmtolj.c netpbm-9.25/pbm/pbmtolj.c
+--- netpbm-9.25.orig/pbm/pbmtolj.c 2002-02-22 05:32:44.000000000 +0100
++++ netpbm-9.25/pbm/pbmtolj.c 2004-05-12 11:52:28.441153912 +0200
+@@ -30,6 +30,7 @@
+ #include "pbm.h"
+ #include <string.h>
+ #include <assert.h>
++#include <string.h>
+
+ static int dpi = 75;
+ static int floating = 0; /* suppress the ``ESC & l 0 E'' ? */
+@@ -123,7 +124,11 @@
+ pbm_readpbminit( ifp, &cols, &rows, &format );
+ bitrow = pbm_allocrow( cols );
+
++ overflow_add(cols, 8);
+ rowBufferSize = (cols + 7) / 8;
++ overflow_add(rowBufferSize, 128);
++ overflow_add(rowBufferSize, rowBufferSize+128);
++ overflow_add(rowBufferSize+10, rowBufferSize/8);
+ packBufferSize = rowBufferSize + (rowBufferSize + 127) / 128 + 1;
+ deltaBufferSize = rowBufferSize + rowBufferSize / 8 + 10;
+
+diff -urN netpbm-9.25.orig/pbm/pbmtomacp.c netpbm-9.25/pbm/pbmtomacp.c
+--- netpbm-9.25.orig/pbm/pbmtomacp.c 2000-03-03 03:27:33.000000000 +0100
++++ netpbm-9.25/pbm/pbmtomacp.c 2004-05-12 11:52:28.440154064 +0200
+@@ -102,6 +102,7 @@
+ if( !lflg )
+ left = 0;
+
++ overflow_add(left, MAX_COLS - 1);
+ if( rflg )
+ { if( right - left >= MAX_COLS )
+ right = left + MAX_COLS - 1;
+@@ -112,6 +113,8 @@
+ if( !tflg )
+ top = 0;
+
++ overflow_add(top, MAX_LINES - 1);
++
+ if( bflg )
+ { if( bottom - top >= MAX_LINES )
+ bottom = top + MAX_LINES - 1;
+diff -urN netpbm-9.25.orig/pbm/pbmtomda.c netpbm-9.25/pbm/pbmtomda.c
+--- netpbm-9.25.orig/pbm/pbmtomda.c 2000-05-06 11:28:11.000000000 +0200
++++ netpbm-9.25/pbm/pbmtomda.c 2004-05-12 11:52:28.441153912 +0200
+@@ -152,6 +152,8 @@
+
+ if (bScale) nOutRows = nInRows / 2;
+ else nOutRows = nInRows;
++
++ overflow_add(nOutRows, 3);
+ nOutRows = ((nOutRows + 3) / 4) * 4;
+ /* MDA wants rows a multiple of 4 */
+ nOutCols = nInCols / 8;
+diff -urN netpbm-9.25.orig/pbm/pbmtomgr.c netpbm-9.25/pbm/pbmtomgr.c
+--- netpbm-9.25.orig/pbm/pbmtomgr.c 1993-10-04 10:10:50.000000000 +0100
++++ netpbm-9.25/pbm/pbmtomgr.c 2004-05-12 11:52:28.440154064 +0200
+@@ -43,6 +43,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Round cols up to the nearest multiple of 8. */
++ overflow_add(cols, 7);
+ padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
+
+ putinit( rows, cols );
+diff -urN netpbm-9.25.orig/pbm/pbmtoppa/pbm.c netpbm-9.25/pbm/pbmtoppa/pbm.c
+--- netpbm-9.25.orig/pbm/pbmtoppa/pbm.c 2000-06-01 19:20:30.000000000 +0200
++++ netpbm-9.25/pbm/pbmtoppa/pbm.c 2004-05-12 11:52:28.444153456 +0200
+@@ -105,6 +105,7 @@
+ return 0;
+
+ case P4:
++ overflow_add(pbm->width, 7);
+ tmp=(pbm->width+7)/8;
+ tmp2=fread(data,1,tmp,pbm->fptr);
+ if(tmp2 == tmp)
+@@ -129,7 +130,8 @@
+ return;
+
+ pbm->unread = 1;
+- pbm->revdata = malloc ((pbm->width+7)/8);
++ overflow_add(pbm->width, 7);
++ pbm->revdata = malloc((pbm->width+7)/8);
+ memcpy (pbm->revdata, data, (pbm->width+7)/8);
+ pbm->current_line--;
+ }
+diff -urN netpbm-9.25.orig/pbm/pbmtoppa/pbmtoppa.c netpbm-9.25/pbm/pbmtoppa/pbmtoppa.c
+--- netpbm-9.25.orig/pbm/pbmtoppa/pbmtoppa.c 2002-03-13 04:20:11.000000000 +0100
++++ netpbm-9.25/pbm/pbmtoppa/pbmtoppa.c 2004-05-12 11:52:28.443153608 +0200
+@@ -471,6 +471,7 @@
+ }
+ }
+
++ overflow_add(Width, 7);
+ Pwidth=(Width+7)/8;
+ printer.fptr=out;
+
+diff -urN netpbm-9.25.orig/pbm/pbmtox10bm.c netpbm-9.25/pbm/pbmtox10bm.c
+--- netpbm-9.25.orig/pbm/pbmtox10bm.c 2000-06-09 09:07:01.000000000 +0200
++++ netpbm-9.25/pbm/pbmtox10bm.c 2004-05-12 11:52:28.438154368 +0200
+@@ -57,6 +57,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 15);
+ padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+
+ printf( "#define %s_width %d\n", name, cols );
+diff -urN netpbm-9.25.orig/pbm/pbmtoxbm.c netpbm-9.25/pbm/pbmtoxbm.c
+--- netpbm-9.25.orig/pbm/pbmtoxbm.c 2000-03-19 03:45:05.000000000 +0100
++++ netpbm-9.25/pbm/pbmtoxbm.c 2004-05-12 11:52:28.438154368 +0200
+@@ -93,6 +93,8 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 8. */
++
++ overflow_add(cols, 8);
+ padright = ( ( cols + 7 ) / 8 ) * 8 - cols;
+
+ printf( "#define %s_width %d\n", name, cols );
+diff -urN netpbm-9.25.orig/pbm/pbmtoybm.c netpbm-9.25/pbm/pbmtoybm.c
+--- netpbm-9.25.orig/pbm/pbmtoybm.c 1993-10-04 10:10:43.000000000 +0100
++++ netpbm-9.25/pbm/pbmtoybm.c 2004-05-12 11:52:28.436154672 +0200
+@@ -45,6 +45,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 16);
+ padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+
+ putinit( cols, rows );
+diff -urN netpbm-9.25.orig/pbm/pbmtozinc.c netpbm-9.25/pbm/pbmtozinc.c
+--- netpbm-9.25.orig/pbm/pbmtozinc.c 2000-06-09 09:07:21.000000000 +0200
++++ netpbm-9.25/pbm/pbmtozinc.c 2004-05-12 11:52:28.436154672 +0200
+@@ -66,6 +66,7 @@
+ bitrow = pbm_allocrow( cols );
+
+ /* Compute padding to round cols up to the nearest multiple of 16. */
++ overflow_add(cols, 16);
+ padright = ( ( cols + 15 ) / 16 ) * 16 - cols;
+
+ printf( "USHORT %s[] = {\n",name);
+diff -urN netpbm-9.25.orig/pbm/pm.h netpbm-9.25/pbm/pm.h
+--- netpbm-9.25.orig/pbm/pm.h 2002-01-03 21:35:23.000000000 +0100
++++ netpbm-9.25/pbm/pm.h 2004-05-12 11:52:28.450152544 +0200
+@@ -218,6 +218,12 @@
+ enum pm_check_code * const retval_p);
+
+
++void *malloc2(int, int);
++void *malloc3(int, int, int);
++void overflow2(int, int);
++void overflow3(int, int, int);
++void overflow_add(int, int);
++
+ /* By making this <> instead of "", we avoid making shhopt.h a dependency
+ of every program in the package when we do make dep.
+ */
+diff -urN netpbm-9.25.orig/pbm/pm.h.orig netpbm-9.25/pbm/pm.h.orig
+--- netpbm-9.25.orig/pbm/pm.h.orig 1970-01-01 01:00:00.000000000 +0100
++++ netpbm-9.25/pbm/pm.h.orig 2002-01-03 21:35:23.000000000 +0100
+@@ -0,0 +1,243 @@
++/* pm.h - interface to format-independent part of libpbm.
++**
++** Copyright (C) 1988, 1989, 1991 by Jef Poskanzer.
++**
++** Permission to use, copy, modify, and distribute this software and its
++** documentation for any purpose and without fee is hereby granted, provided
++** that the above copyright notice appear in all copies and that both that
++** copyright notice and this permission notice appear in supporting
++** documentation. This software is provided "as is" without express or
++** implied warranty.
++*/
++
++#ifndef _PM_H_
++#define _PM_H_
++
++#include "pm_config.h"
++
++#include <sys/types.h>
++#include <ctype.h>
++#include <stdio.h>
++#include <errno.h>
++#include <sys/stat.h>
++
++#ifdef VMS
++#include <perror.h>
++#endif
++
++/* NOTE: do not use "bool" as a type in an external interface. It could
++ have different definitions on either side of the interface. Even if both
++ sides include this interface header file, the conditional compilation
++ here means one side may use the typedef below and the other side may
++ use some other definition. For an external interface, be safe and just
++ use "int".
++*/
++
++#ifndef TRUE
++#define TRUE 1
++#define FALSE 0
++/* C++ has a "bool" type built in. */
++#ifndef __cplusplus
++typedef int bool;
++#endif
++#elif defined(__DECC)
++/* Tru64 defines TRUE in standard header files, but not bool. 2001.09.21 */
++typedef int bool;
++#endif
++
++#undef max
++#define max(a,b) ((a) > (b) ? (a) : (b))
++#undef min
++#define min(a,b) ((a) < (b) ? (a) : (b))
++#undef abs
++#define abs(a) ((a) >= 0 ? (a) : -(a))
++#undef odd
++#define odd(n) ((n) & 1)
++
++
++/* Definitions to make Netpbm programs work with either ANSI C or C
++ Classic.
++
++ This is obsolete, as all compilers recognize the ANSI syntax now.
++
++ We are slowly removing all the ARGS invocations from the programs
++ (and replacing them with explicit ANSI syntax), but we have a lot
++ of programs where we have removed ARGS from the definition but not
++ the prototype, and we have discovered that the Sun compiler
++ considers the resulting mismatch between definition and prototype
++ to be an error. So we make ARGS create the ANSI syntax
++ unconditionally to avoid having to fix all those mismatches. */
++
++#if 0
++#if __STDC__
++#define ARGS(alist) alist
++#else /*__STDC__*/
++#define ARGS(alist) ()
++#define const
++#endif /*__STDC__*/
++#endif
++#define ARGS(alist) alist
++
++
++void
++pm_init(const char * const progname, unsigned int const flags);
++
++void
++pm_proginit(int* const argcP, char* argv[]);
++
++void
++pm_setMessage(int const newState, int * const oldStateP);
++
++void
++pm_nextimage(FILE * const file, int * const eofP);
++
++/* Variable-sized arrays definitions. */
++
++char**
++pm_allocarray (int const cols, int const rows, int const size );
++
++char*
++pm_allocrow (int const cols, int const size);
++
++void
++pm_freearray (char** const its, int const rows);
++
++void
++pm_freerow(char* const itrow);
++
++
++/* Obsolete -- use shhopt instead */
++int
++pm_keymatch (char* const str, char* const keyword, int const minchars);
++
++
++int
++pm_maxvaltobits (int const maxval);
++
++int
++pm_bitstomaxval (int const bits);
++
++unsigned int
++pm_lcm (const unsigned int x,
++ const unsigned int y,
++ const unsigned int z,
++ const unsigned int limit);
++
++/* GNU_PRINTF_ATTR lets the GNU compiler check pm_message() and pm_error()
++ calls to be sure the arguments match the format string, thus preventing
++ runtime segmentation faults and incorrect messages.
++*/
++#ifdef __GNUC__
++#define GNU_PRINTF_ATTR __attribute__ ((format (printf, 1,2)))
++#else
++#define GNU_PRINTF_ATTR
++#endif
++
++void GNU_PRINTF_ATTR
++pm_message (const char format[], ...);
++
++void GNU_PRINTF_ATTR
++pm_error (const char reason[], ...);
++
++/* Obsolete - use helpful error message instead */
++void
++pm_perror (const char reason[]);
++
++/* Obsolete - use shhopt and man page instead */
++void
++pm_usage (const char usage[]);
++
++FILE*
++pm_openr (const char* const name);
++
++FILE*
++pm_openw (const char* const name);
++
++FILE *
++pm_openr_seekable(const char name[]);
++
++void
++pm_close (FILE* const f);
++
++void
++pm_closer (FILE* const f);
++
++void
++pm_closew (FILE* const f);
++
++
++
++int
++pm_readbigshort ( FILE* const in, short* const sP );
++
++int
++pm_writebigshort ( FILE* const out, short const s );
++
++int
++pm_readbiglong ( FILE* const in, long* const lP );
++
++int
++pm_writebiglong ( FILE* const out, long const l );
++
++int
++pm_readlittleshort ( FILE* const in, short* const sP );
++
++int
++pm_writelittleshort ( FILE* const out, short const s );
++
++int
++pm_readlittlelong ( FILE* const in, long* const lP );
++
++int
++pm_writelittlelong ( FILE* const out, long const l );
++
++char*
++pm_read_unknown_size(FILE* const file, long* const buf);
++
++unsigned int
++pm_tell(FILE * const fileP);
++
++void
++pm_seek(FILE * const fileP, unsigned long filepos);
++
++enum pm_check_code {
++ PM_CHECK_OK,
++ PM_CHECK_UNKNOWN_TYPE,
++ PM_CHECK_TOO_LONG,
++ PM_CHECK_UNCHECKABLE,
++ PM_CHECK_TOO_SHORT
++};
++
++enum pm_check_type {
++ PM_CHECK_BASIC
++};
++
++void
++pm_check(FILE * const file, const enum pm_check_type check_type,
++ const unsigned int need_raster_size,
++ enum pm_check_code * const retval_p);
++
++
++/* By making this <> instead of "", we avoid making shhopt.h a dependency
++ of every program in the package when we do make dep.
++*/
++#include <shhopt.h>
++
++/* Use pm_optParseOptions instead of optParseOptions in order to use the
++ shared Netpbm libraries
++*/
++void
++pm_optParseOptions(int * const argc, char *argv[],
++ optStruct opt[], int const allowNegNum);
++void
++pm_optParseOptions2(int * const argc, char *argv[],
++ const optStruct2 opt, const unsigned long flags);
++void
++pm_optParseOptions3(int * const argc_p, char *argv[], const optStruct3 opt,
++ const unsigned int optStructSize, const unsigned long flags);
++
++char *
++pm_arg0toprogname(const char arg0[]);
++
++#endif
++
+diff -urN netpbm-9.25.orig/pbm/thinkjettopbm.l netpbm-9.25/pbm/thinkjettopbm.l
+--- netpbm-9.25.orig/pbm/thinkjettopbm.l 2002-03-13 04:06:09.000000000 +0100
++++ netpbm-9.25/pbm/thinkjettopbm.l 2004-05-12 11:52:28.450152544 +0200
+@@ -74,7 +74,9 @@
+ <RASTERMODE>\033\*b{DIG}+W {
+ int l;
+ if (rowCount >= rowCapacity) {
++ overflow_add(rowCapacity, 100);
+ rowCapacity += 100;
++ overflow2(rowCapacity, sizeof *rows);
+ rows = realloc (rows, rowCapacity * sizeof *rows);
+ if (rows == NULL)
+ pm_error ("Out of memory.");
+@@ -167,6 +169,8 @@
+ /*
+ * Quite simple since ThinkJet bit arrangement matches PBM
+ */
++
++ overflow2(maxRowLength, 8);
+ pbm_writepbminit(stdout, maxRowLength*8, rowCount, 0);
+
+ packed_bitrow = malloc(maxRowLength);
+diff -urN netpbm-9.25.orig/pbm/ybmtopbm.c netpbm-9.25/pbm/ybmtopbm.c
+--- netpbm-9.25.orig/pbm/ybmtopbm.c 1993-10-04 10:10:35.000000000 +0100
++++ netpbm-9.25/pbm/ybmtopbm.c 2004-05-12 11:52:28.433155128 +0200
+@@ -88,6 +88,7 @@
+ pm_error( "EOF / read error" );
+
+ *depthP = 1;
++ overflow_add(*colsP, 15);
+ *padrightP = ( ( *colsP + 15 ) / 16 ) * 16 - *colsP;
+ bitsperitem = 0;
+ }
+diff -urN netpbm-9.25.orig/pgm/lispmtopgm.c netpbm-9.25/pgm/lispmtopgm.c
+--- netpbm-9.25.orig/pgm/lispmtopgm.c 2002-01-04 18:11:11.000000000 +0100
++++ netpbm-9.25/pgm/lispmtopgm.c 2004-05-12 11:52:28.454151936 +0200
+@@ -55,6 +55,7 @@
+ pm_error( "depth (%d bits) is too large", depth);
+
+ pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
++ overflow_add(cols, 7);
+ grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
+
+ for ( row = 0; row < rows; ++row )
+@@ -100,6 +101,8 @@
+ if ( *depthP == 0 )
+ *depthP = 1; /* very old file */
+
++ overflow_add(colsP, 31);
++
+ *padrightP = ( ( *colsP + 31 ) / 32 ) * 32 - *colsP;
+
+ if ( *colsP != (cols_32 - *padrightP) ) {
+diff -urN netpbm-9.25.orig/pgm/pbmtopgm.c netpbm-9.25/pgm/pbmtopgm.c
+--- netpbm-9.25.orig/pgm/pbmtopgm.c 1993-10-06 14:24:38.000000000 +0100
++++ netpbm-9.25/pgm/pbmtopgm.c 2004-05-12 11:52:28.454151936 +0200
+@@ -42,6 +42,7 @@
+ pm_error("sample size greater than bitmap size");
+
+ outrow = pgm_allocrow(cols) ;
++ overflow2(width, height);
+ maxval = width*height;
+ pgm_writepgminit(stdout, cols, rows, maxval, 0) ;
+
+diff -urN netpbm-9.25.orig/pgm/pgmcrater.c netpbm-9.25/pgm/pgmcrater.c
+--- netpbm-9.25.orig/pgm/pgmcrater.c 2001-06-26 05:18:48.000000000 +0200
++++ netpbm-9.25/pgm/pgmcrater.c 2004-05-12 11:52:28.457151480 +0200
+@@ -131,7 +131,7 @@
+ /* Acquire the elevation array and initialise it to mean
+ surface elevation. */
+
+- aux = (unsigned short *) malloc(SCRX * SCRY * sizeof(short));
++ aux = (unsigned short *) malloc3(SCRX, SCRY, sizeof(short));
+ if (aux == (unsigned short *) 0) {
+ pm_error("out of memory allocating elevation array");
+ }
+@@ -258,7 +258,7 @@
+ }
+
+ i = max((slopemax - slopemin) + 1, 1);
+- slopemap = (unsigned char *) malloc(i * sizeof(unsigned char));
++ slopemap = (unsigned char *) malloc2(i, sizeof(unsigned char));
+ if (slopemap == (unsigned char *) 0) {
+ pm_error("out of memory allocating slope map");
+ }
+diff -urN netpbm-9.25.orig/pgm/pgmhist.c netpbm-9.25/pgm/pgmhist.c
+--- netpbm-9.25.orig/pgm/pgmhist.c 1993-10-04 10:11:17.000000000 +0100
++++ netpbm-9.25/pgm/pgmhist.c 2004-05-12 11:52:28.457151480 +0200
+@@ -45,8 +45,9 @@
+ grayrow = pgm_allocrow( cols );
+
+ /* Build histogram. */
+- hist = (int *) malloc( ( maxval + 1 ) * sizeof(int) );
+- rcount = (int *) malloc( ( maxval + 1 ) * sizeof(int) );
++ overflow_add(maxval, 1);
++ hist = (int *) malloc2( ( maxval + 1 ), sizeof(int) );
++ rcount = (int *) malloc2( ( maxval + 1 ), sizeof(int) );
+ if ( hist == (int *) 0 || rcount == (int *) 0 )
+ pm_error( "out of memory" );
+ for ( i = 0; i <= maxval; i++ )
+diff -urN netpbm-9.25.orig/pgm/pgmkernel.c netpbm-9.25/pgm/pgmkernel.c
+--- netpbm-9.25.orig/pgm/pgmkernel.c 2000-03-03 04:20:34.000000000 +0100
++++ netpbm-9.25/pgm/pgmkernel.c 2004-05-12 11:52:28.459151176 +0200
+@@ -67,7 +67,7 @@
+ kycenter = (fysize - 1) / 2.0;
+ ixsize = fxsize + 0.999;
+ iysize = fysize + 0.999;
+- fkernel = (double *) malloc ((unsigned)(ixsize*iysize*sizeof(double)));
++ fkernel = (double *) malloc3 (ixsize, iysize, sizeof(double));
+ for (i = 0; i < iysize; i++)
+ for (j = 0; j < ixsize; j++) {
+ fkernel[i*ixsize+j] = 1.0 / (1.0 + w * sqrt((double)
+diff -urN netpbm-9.25.orig/pgm/pgmtexture.c netpbm-9.25/pgm/pgmtexture.c
+--- netpbm-9.25.orig/pgm/pgmtexture.c 2001-03-30 19:01:00.000000000 +0200
++++ netpbm-9.25/pgm/pgmtexture.c 2004-05-12 11:52:28.458151328 +0200
+@@ -722,8 +722,10 @@
+ float *vector (int nl, int nh)
+ {
+ float *v;
+-
+- v = (float *) malloc ((unsigned) (nh - nl + 1) * sizeof (float));
++ overflow_add(nh, 1);
++ if(nh < nl)
++ pm_error("assert: h < l");
++ v = (float *) malloc2 ((nh - nl + 1), sizeof (float));
+ if (!v)
+ fprintf (stderr, "memory allocation failure"), exit (1);
+ return v - nl;
+@@ -738,15 +740,21 @@
+ float **m;
+
+ /* allocate pointers to rows */
+- m = (float **) malloc ((unsigned) (nrh - nrl + 1) * sizeof (float *));
++ overflow_add(nrh, 1);
++ if(nrh < nrl)
++ pm_error("assert: nrh < nrl");
++ m = (float **) malloc2(nrh - nrl + 1, sizeof (float *));
+ if (!m)
+ fprintf (stderr, "memory allocation failure"), exit (1);
+ m -= ncl;
+
++ if(nch < ncl)
++ pm_error("assert: nch < ncl");
++ overflow_add(nch, 1);
+ /* allocate rows and set pointers to them */
+ for (i = nrl; i <= nrh; i++)
+ {
+- m[i] = (float *) malloc ((unsigned) (nch - ncl + 1) * sizeof (float));
++ m[i] = (float *) malloc2(nch - ncl + 1, sizeof (float));
+ if (!m[i])
+ fprintf (stderr, "memory allocation failure"), exit (2);
+ m[i] -= ncl;
+diff -urN netpbm-9.25.orig/pgm/pgmtopbm.c netpbm-9.25/pgm/pgmtopbm.c
+--- netpbm-9.25.orig/pgm/pgmtopbm.c 2001-09-03 20:11:42.000000000 +0200
++++ netpbm-9.25/pgm/pgmtopbm.c 2004-05-12 11:52:28.453152088 +0200
+@@ -129,6 +129,7 @@
+ {
+ case QT_FS:
+ /* Initialize Floyd-Steinberg error vectors. */
++ overflow_add(cols, 2);
+ thiserr = (long*) pm_allocrow( cols + 2, sizeof(long) );
+ nexterr = (long*) pm_allocrow( cols + 2, sizeof(long) );
+ srand( (int) ( time( 0 ) ^ getpid( ) ) );
+diff -urN netpbm-9.25.orig/pgm/psidtopgm.c netpbm-9.25/pgm/psidtopgm.c
+--- netpbm-9.25.orig/pgm/psidtopgm.c 2002-01-04 18:11:10.000000000 +0100
++++ netpbm-9.25/pgm/psidtopgm.c 2004-05-12 11:52:28.458151328 +0200
+@@ -60,6 +60,7 @@
+ "bits/sample (%d) is too large.", bitspersample );
+
+ pgm_writepgminit( stdout, cols, rows, (gray) maxval, 0 );
++ overflow_add(cols, 7);
+ grayrow = pgm_allocrow( ( cols + 7 ) / 8 * 8 );
+ for ( row = 0; row < rows; ++row)
+ {
+diff -urN netpbm-9.25.orig/pnm/anytopnm netpbm-9.25/pnm/anytopnm
+--- netpbm-9.25.orig/pnm/anytopnm 2000-07-26 03:54:08.000000000 +0200
++++ netpbm-9.25/pnm/anytopnm 2004-05-12 11:52:28.497145400 +0200
+@@ -21,7 +21,7 @@
+ exit 1
+ fi
+
+-tmpfiles=""
++tmpdir=$(mktemp -d -t anytopnm.XXXXXXXXXX) || exit 1 #219019
+
+ # Take out all spaces
+ # Find the filename extension for last-ditch efforts later
+@@ -29,8 +29,9 @@
+
+ # Sanitize the filename by making our own temporary files as safely as
+ # possible.
+-file="/tmp/atn.stdin.$$"
+-rm -f "$file"
++# file="/tmp/atn.stdin.$$"
++#rm -f "$file"
++file="$tmpdir/atn.stdin"
+ if [ $# -eq 0 -o "$1" = "-" ] ; then
+ cat > "$file"
+ else
+@@ -57,9 +58,6 @@
+ cat < "$1" > "$file"
+ fi
+
+-tmpfiles="$tmpfiles $file"
+-
+-
+
+ filetype=`file "$file" | cut -d: -f2-`
+
+@@ -70,7 +68,8 @@
+ ;;
+
+ *uuencoded* )
+- newfile="/tmp/atn.decode.$$"
++# newfile="/tmp/atn.decode.$$"
++ newfile="$tmpdir/atn.decode"
+ rm -f "$newfile"
+ (echo begin 600 $newfile; tail +2 < "$file") | uudecode
+ tmpfiles="$tmpfiles $newfile"
+@@ -258,7 +257,7 @@
+ esac
+
+
+-if [ "$tmpfiles" ] ; then
+- rm -f $tmpfiles
++if [ "$tmpdir" ] ; then
++ rm -rf "$tmpdir"
+ fi
+ exit 0
+diff -urN netpbm-9.25.orig/pnm/gemtopnm.c netpbm-9.25/pnm/gemtopnm.c
+--- netpbm-9.25.orig/pnm/gemtopnm.c 2000-04-30 14:42:15.000000000 +0200
++++ netpbm-9.25/pnm/gemtopnm.c 2004-05-12 11:52:28.469149656 +0200
+@@ -106,6 +106,7 @@
+
+ pnm_writepnminit( stdout, cols, rows, MAXVAL, type, 0 );
+
++ overflow_add(cols, padright);
+ {
+ /* allocate input row data structure */
+ int plane;
+diff -urN netpbm-9.25.orig/pnm/jpegtopnm.c netpbm-9.25/pnm/jpegtopnm.c
+--- netpbm-9.25.orig/pnm/jpegtopnm.c 2002-03-13 04:53:22.000000000 +0100
++++ netpbm-9.25/pnm/jpegtopnm.c 2004-05-12 11:52:28.485147224 +0200
+@@ -173,7 +173,7 @@
+ unsigned int option_def_index;
+
+ int argc_parse; /* argc, except we modify it as we parse */
+- char ** const argv_parse = malloc(argc*sizeof(char *));
++ char ** const argv_parse = malloc2(argc, sizeof(char *));
+ /* argv, except we modify it as we parse */
+
+ option_def_index = 0; /* incremented by OPTENTRY */
+@@ -846,6 +846,8 @@
+ /* Calculate output image dimensions so we can allocate space */
+ jpeg_calc_output_dimensions(&cinfo);
+
++ overflow2(cinfo.output_width, cinfo.output_components);
++
+ jpegbuffer = ((*cinfo.mem->alloc_sarray)
+ ((j_common_ptr) &cinfo, JPOOL_IMAGE,
+ cinfo.output_width * cinfo.output_components, (JDIMENSION) 1)
+diff -urN netpbm-9.25.orig/pnm/libpam.c netpbm-9.25/pnm/libpam.c
+--- netpbm-9.25.orig/pnm/libpam.c 2002-03-06 04:39:37.000000000 +0100
++++ netpbm-9.25/pnm/libpam.c 2004-05-12 11:53:57.752576512 +0200
+@@ -155,7 +155,8 @@
+ themselves. Each tuple consists of 'depth' samples.
+ */
+
+- tuplerow = malloc(pamP->width * (sizeof(tuple *) + bytes_per_tuple));
++ overflow_add(sizeof(tuple *), bytes_per_tuple);
++ tuplerow = malloc2(pamP->width, sizeof(tuple *) + bytes_per_tuple);
+ if (tuplerow == NULL)
+ pm_error("Out of memory allocating space for a tuple row of\n"
+ "%d tuples by %d samples per tuple by %d bytes per sample.",
+@@ -190,7 +191,7 @@
+ by allocating one large chunk.
+ */
+
+- tuplearray = malloc(pamP->height * sizeof(tuple*));
++ tuplearray = malloc2(pamP->height, sizeof(tuple*));
+ if (tuplearray == NULL)
+ pm_error("Out of memory allocating the row pointer section of "
+ "a %u row array", pamP->height);
+diff -urN netpbm-9.25.orig/pnm/libpnm4.c netpbm-9.25/pnm/libpnm4.c
+--- netpbm-9.25.orig/pnm/libpnm4.c 1993-10-04 10:11:33.000000000 +0100
++++ netpbm-9.25/pnm/libpnm4.c 2004-05-12 11:52:28.464150416 +0200
+@@ -43,11 +43,16 @@
+ ** not to be the case. In reality, all of Sun's code rounds up to
+ ** a short, not a long.
+ */
++
++ overflow_add(depth,15);
++ overflow2(w, depth+15);
++ overflow2(w * depth + 15, 2);
++
+ m->md_linebytes = ( w * depth + 15 ) / 16 * 2;
+ m->md_offset.x = 0;
+ m->md_offset.y = 0;
+ m->md_flags = 0;
+- m->md_image = (unsigned char*) malloc( m->md_linebytes * h );
++ m->md_image = (unsigned char*) malloc2( m->md_linebytes, h );
+ if ( m->md_image == NULL )
+ {
+ free( m );
+@@ -104,12 +109,15 @@
+ case RT_STANDARD:
+ case RT_FORMAT_RGB:
+ /* Ignore hP->ras_length. */
++ overflow2(p->pr_size.y, p->pr_data->md_linebytes);
+ h.ras_length = p->pr_size.y * p->pr_data->md_linebytes;
+ break;
+
+ case RT_BYTE_ENCODED:
++ overflow2(p->pr_size.y, p->pr_data->md_linebytes);
+ size = p->pr_size.y * p->pr_data->md_linebytes;
+ bp = p->pr_data->md_image;
++ overflow2(size, 3);
+ beimage = (unsigned char*) malloc( size * 3 / 2 ); /* worst case */
+ if ( beimage == NULL )
+ return PIX_ERR;
+@@ -191,6 +199,7 @@
+ {
+ case RMT_EQUAL_RGB:
+ h.ras_maplength = colormap->length * 3;
++ overflow2(colormap->length, 3);
+ break;
+
+ case RMT_RAW:
+@@ -395,6 +404,7 @@
+ case RT_FORMAT_RGB:
+ /* Ignore hP->ras_length. */
+ i = p->pr_size.y * p->pr_data->md_linebytes;
++ overflow2(p->pr_size.y, p->pr_data->md_linebytes);
+ if ( fread( p->pr_data->md_image, 1, i, in ) != i )
+ {
+ mem_free( p );
+diff -urN netpbm-9.25.orig/pnm/pamcut.c netpbm-9.25/pnm/pamcut.c
+--- netpbm-9.25.orig/pnm/pamcut.c 2001-11-12 06:11:27.000000000 +0100
++++ netpbm-9.25/pnm/pamcut.c 2004-05-12 11:53:57.753576360 +0200
+@@ -380,6 +380,8 @@
+ outpam.width = rightcol-leftcol+1;
+ outpam.height = bottomrow-toprow+1;
+
++ overflow_add(rightcol, 1);
++ overflow_add(toprow, 1);
+ pnm_writepaminit(&outpam);
+
+ outputRow = pnm_allocpamrow(&outpam);
+diff -urN netpbm-9.25.orig/pnm/pamoil.c netpbm-9.25/pnm/pamoil.c
+--- netpbm-9.25.orig/pnm/pamoil.c 2001-06-29 08:13:03.000000000 +0200
++++ netpbm-9.25/pnm/pamoil.c 2004-05-12 11:53:57.758575600 +0200
+@@ -112,7 +112,8 @@
+ tuples = pnm_readpam(ifp, &inpam, sizeof(inpam));
+ pm_close(ifp);
+
+- hist = malloc((inpam.maxval + 1) * sizeof(sample));
++ overflow_add(inpam.maxval, 1);
++ hist = malloc2((inpam.maxval + 1), sizeof(sample));
+
+ outpam = inpam; outpam.file = stdout;
+
+diff -urN netpbm-9.25.orig/pnm/pngtopnm.c netpbm-9.25/pnm/pngtopnm.c
+--- netpbm-9.25.orig/pnm/pngtopnm.c 2002-01-04 18:22:43.000000000 +0100
++++ netpbm-9.25/pnm/pngtopnm.c 2004-05-12 11:52:28.460151024 +0200
+@@ -371,18 +371,30 @@
+ }
+
+ if (info_ptr->bit_depth == 16)
++ {
++ overflow2(2, info_ptr->width);
+ linesize = 2 * info_ptr->width;
++ }
+ else
+ linesize = info_ptr->width;
+
+ if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
++ {
+ linesize *= 2;
++ overflow2(2, linesize);
++ }
+ else
+ if (info_ptr->color_type == PNG_COLOR_TYPE_RGB)
++ {
++ overflow2(3, linesize);
+ linesize *= 3;
++ }
+ else
+ if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
++ {
++ overflow2(4, linesize);
+ linesize *= 4;
++ }
+
+ for (y = 0 ; y < info_ptr->height ; y++) {
+ png_image[y] = malloc (linesize);
+diff -urN netpbm-9.25.orig/pnm/pnmcat.c netpbm-9.25/pnm/pnmcat.c
+--- netpbm-9.25.orig/pnm/pnmcat.c 1993-10-04 10:11:35.000000000 +0100
++++ netpbm-9.25/pnm/pnmcat.c 2004-05-12 11:52:28.464150416 +0200
+@@ -83,13 +83,13 @@
+ nfiles = argc - argn;
+ else
+ nfiles = 1;
+- ifp = (FILE**) malloc( nfiles * sizeof(FILE*) );
+- xelrow = (xel**) malloc( nfiles * sizeof(xel*) );
+- background = (xel*) malloc( nfiles * sizeof(xel) );
+- maxval = (xelval*) malloc( nfiles * sizeof(xelval) );
+- rows = (int*) malloc( nfiles * sizeof(int) );
+- cols = (int*) malloc( nfiles * sizeof(int) );
+- format = (int*) malloc( nfiles * sizeof(int) );
++ ifp = (FILE**) malloc2( nfiles, sizeof(FILE*) );
++ xelrow = (xel**) malloc2( nfiles, sizeof(xel*) );
++ background = (xel*) malloc2( nfiles, sizeof(xel) );
++ maxval = (xelval*) malloc2( nfiles, sizeof(xelval) );
++ rows = (int*) malloc2( nfiles, sizeof(int) );
++ cols = (int*) malloc2( nfiles, sizeof(int) );
++ format = (int*) malloc2( nfiles, sizeof(int) );
+ if ( ifp == (FILE**) 0 || xelrow == (xel**) 0 || background == (xel*) 0 ||
+ maxval == (xelval*) 0 || rows == (int*) 0 || cols == (int*) 0 ||
+ format == (int*) 0 )
+diff -urN netpbm-9.25.orig/pnm/pnmcrop.c netpbm-9.25/pnm/pnmcrop.c
+--- netpbm-9.25.orig/pnm/pnmcrop.c 2001-05-20 09:24:08.000000000 +0200
++++ netpbm-9.25/pnm/pnmcrop.c 2004-05-12 11:52:28.463150568 +0200
+@@ -378,6 +378,8 @@
+
+ xelrow = pnm_allocrow(cols);
+
++ overflow_add(right, 1);
++ overflow_add(bottom, 1);
+ newcols = right - left + 1;
+ newrows = bottom - top + 1;
+ pnm_writepnminit(stdout, newcols, newrows, maxval, format, 0);
+diff -urN netpbm-9.25.orig/pnm/pnmcut.c netpbm-9.25/pnm/pnmcut.c
+--- netpbm-9.25.orig/pnm/pnmcut.c 2001-11-05 05:23:49.000000000 +0100
++++ netpbm-9.25/pnm/pnmcut.c 2004-05-12 11:52:28.467149960 +0200
+@@ -372,6 +372,7 @@
+ toprow, leftcol, bottomrow, rightcol);
+ }
+
++ overflow_add(rightcol, 1);
+ output_cols = rightcol-leftcol+1;
+ output_row = pnm_allocrow(output_cols);
+
+diff -urN netpbm-9.25.orig/pnm/pnmenlarge.c netpbm-9.25/pnm/pnmenlarge.c
+--- netpbm-9.25.orig/pnm/pnmenlarge.c 1993-10-04 10:11:39.000000000 +0100
++++ netpbm-9.25/pnm/pnmenlarge.c 2004-05-12 11:52:28.468149808 +0200
+@@ -52,6 +52,9 @@
+
+ pnm_readpnminit( ifp, &cols, &rows, &maxval, &format );
+ xelrow = pnm_allocrow( cols );
++
++ overflow2(cols, n);
++ overflow2(rows, n);
+ pnm_writepnminit( stdout, cols * n, rows * n, maxval, format, 0 );
+ newxelrow = pnm_allocrow( cols * n );
+
+diff -urN netpbm-9.25.orig/pnm/pnmflip.c netpbm-9.25/pnm/pnmflip.c
+--- netpbm-9.25.orig/pnm/pnmflip.c 2001-09-07 17:49:30.000000000 +0200
++++ netpbm-9.25/pnm/pnmflip.c 2004-05-12 11:52:28.470149504 +0200
+@@ -289,6 +289,13 @@
+
+ pnm_readpnminit( ifp, &cols, &rows, &maxval, &format );
+
++ overflow2(abs(xform.a), cols);
++ overflow2(abs(xform.b), cols);
++ overflow2(abs(xform.c), rows);
++ overflow2(abs(xform.d), rows);
++ overflow_add(abs( xform.a ) * cols, abs( xform.c ) * rows);
++ overflow_add(abs( xform.b ) * cols, abs( xform.d ) * rows);
++
+ newcols = abs( xform.a ) * cols + abs( xform.c ) * rows;
+ newrows = abs( xform.b ) * cols + abs( xform.d ) * rows;
+
+diff -urN netpbm-9.25.orig/pnm/pnmgamma.c netpbm-9.25/pnm/pnmgamma.c
+--- netpbm-9.25.orig/pnm/pnmgamma.c 2002-03-13 04:53:23.000000000 +0100
++++ netpbm-9.25/pnm/pnmgamma.c 2004-05-12 11:52:28.472149200 +0200
+@@ -271,9 +271,11 @@
+ xelval **rtableP, xelval **gtableP, xelval **btableP) {
+
+ /* Allocate space for the tables. */
+- *rtableP = (xelval*) malloc( (maxval+1) * sizeof(xelval) );
+- *gtableP = (xelval*) malloc( (maxval+1) * sizeof(xelval) );
+- *btableP = (xelval*) malloc( (maxval+1) * sizeof(xelval) );
++
++ overflow_add(maxval, 1);
++ *rtableP = (xelval*) malloc2( (maxval+1) , sizeof(xelval) );
++ *gtableP = (xelval*) malloc2( (maxval+1) , sizeof(xelval) );
++ *btableP = (xelval*) malloc2( (maxval+1) , sizeof(xelval) );
+ if (*rtableP == NULL || *gtableP == NULL || *btableP == NULL)
+ pm_error( "out of memory" );
+
+diff -urN netpbm-9.25.orig/pnm/pnmhisteq.c netpbm-9.25/pnm/pnmhisteq.c
+--- netpbm-9.25.orig/pnm/pnmhisteq.c 2000-06-09 09:51:45.000000000 +0200
++++ netpbm-9.25/pnm/pnmhisteq.c 2004-05-12 11:52:28.493146008 +0200
+@@ -210,6 +210,7 @@
+ user has specified an input map file, read it in at
+ this point. */
+
++ overflow_add(maxval, 1);
+ lumahist = (long *) pm_allocrow(maxval + 1, sizeof(long));
+ memset((char *) lumahist, 0, (maxval + 1) * sizeof(long));
+
+diff -urN netpbm-9.25.orig/pnm/pnmindex netpbm-9.25/pnm/pnmindex
+--- netpbm-9.25.orig/pnm/pnmindex 2001-08-30 04:21:14.000000000 +0200
++++ netpbm-9.25/pnm/pnmindex 2004-05-12 11:52:28.497145400 +0200
+@@ -94,8 +94,9 @@
+ fi
+
+ #tmpfile=`tempfile -p pi -m 600`
+-tmpfile=$TMPDIR/pi.tmp.$$
+-rm -f $tmpfile
++#tmpfile=$TMPDIR/pi.tmp.$$
++#rm -f $tmpfile
++tmpfile=$(mktemp -t pi.XXXXXXXX) || exit 1 #219019
+ maxformat=PBM
+
+ rowfiles=()
+diff -urN netpbm-9.25.orig/pnm/pnmmargin netpbm-9.25/pnm/pnmmargin
+--- netpbm-9.25.orig/pnm/pnmmargin 1993-10-04 10:11:44.000000000 +0100
++++ netpbm-9.25/pnm/pnmmargin 2004-05-12 11:52:28.498145248 +0200
+@@ -11,11 +11,16 @@
+ # documentation. This software is provided "as is" without express or
+ # implied warranty.
+
+-tmp1=/tmp/pnmm1$$
+-tmp2=/tmp/pnmm2$$
+-tmp3=/tmp/pnmm3$$
+-tmp4=/tmp/pnmm4$$
+-rm -f $tmp1 $tmp2 $tmp3 $tmp4
++#tmp1=.tmppnmm1$$
++#tmp2=.tmppnmm2$$
++#tmp3=.tmppnmm3$$
++#tmp4=.tmppnmm4$$
++#rm -f $tmp1 $tmp2 $tmp3 $tmp4
++tmpdir=$(mktemp -d -t ppmmargin.XXXXXXX) || exit 1 #219019
++tmp1=$tmpdir/tmp1
++tmp2=$tmpdir/tmp2
++tmp3=$tmpdir/tmp3
++tmp4=$tmpdir/tmp4
+
+ color="-gofigure"
+
+@@ -83,4 +88,4 @@
+ pnmcat -tb $tmp3 $tmp4 $tmp3
+
+ # All done.
+-rm -f $tmp1 $tmp2 $tmp3 $tmp4
++rm -rf $tmpdir
+diff -urN netpbm-9.25.orig/pnm/pnmmontage.c netpbm-9.25/pnm/pnmmontage.c
+--- netpbm-9.25.orig/pnm/pnmmontage.c 2001-01-01 20:59:04.000000000 +0100
++++ netpbm-9.25/pnm/pnmmontage.c 2004-05-12 11:53:57.755576056 +0200
+@@ -229,9 +229,9 @@
+ else
+ nfiles = 1;
+
+- imgs = (struct pam*)malloc(nfiles * sizeof(struct pam));
+- coords = (coord *)malloc(nfiles * sizeof(coord));
+- names = (char **)malloc(nfiles * sizeof(char *));
++ imgs = (struct pam*)malloc2(nfiles, sizeof(struct pam));
++ coords = (coord *)malloc2(nfiles, sizeof(coord));
++ names = (char **)malloc2(nfiles, sizeof(char *));
+ if (!imgs || !coords || !names)
+ pm_error("out of memory");
+
+diff -urN netpbm-9.25.orig/pnm/pnmpaste.c netpbm-9.25/pnm/pnmpaste.c
+--- netpbm-9.25.orig/pnm/pnmpaste.c 1993-10-04 10:11:53.000000000 +0100
++++ netpbm-9.25/pnm/pnmpaste.c 2004-05-12 11:52:28.486147072 +0200
+@@ -100,11 +100,16 @@
+ "y is too large -- the second anymap has only %d rows",
+ rows2 );
+
++ overflow_add(x, cols2);
++ overflow_add(y, rows2);
+ if ( x < 0 )
+ x += cols2;
+ if ( y < 0 )
+ y += rows2;
+
++ overflow_add(x, cols1);
++ overflow_add(y, rows1);
++
+ if ( x + cols1 > cols2 )
+ pm_error( "x + width is too large by %d pixels", x + cols1 - cols2 );
+ if ( y + rows1 > rows2 )
+diff -urN netpbm-9.25.orig/pnm/pnmrotate.c netpbm-9.25/pnm/pnmrotate.c
+--- netpbm-9.25.orig/pnm/pnmrotate.c 2001-06-25 05:34:52.000000000 +0200
++++ netpbm-9.25/pnm/pnmrotate.c 2004-05-12 11:52:28.487146920 +0200
+@@ -11,6 +11,7 @@
+ */
+
+ #include <math.h>
++#include <limits.h>
+ #include "pnm.h"
+ #ifndef M_PI
+ #define M_PI 3.14159265358979323846
+@@ -93,11 +94,18 @@
+ newmaxval = maxval;
+ }
+
++ overflow2(rows, xshearfac);
++ overflow_add(cols, 1);
++ overflow_add(rows * xshearfac, cols);
++
+ tempcols = rows * xshearfac + cols + 0.999999;
+ yshearjunk = ( tempcols - cols ) * yshearfac;
+ newrows = tempcols * yshearfac + rows + 0.999999;
+ x2shearjunk = ( newrows - rows - yshearjunk ) * xshearfac;
+ newrows -= 2 * yshearjunk;
++
++ if(newrows * xshearfac + tempcols + 0.999999 - 2 * x2shearjunk > INT_MAX)
++ pm_error("image too large");
+ newcols = newrows * xshearfac + tempcols + 0.999999 - 2 * x2shearjunk;
+
+ bgxel = pnm_backgroundxelrow( xelrow, cols, newmaxval, format );
+diff -urN netpbm-9.25.orig/pnm/pnmscalefixed.c netpbm-9.25/pnm/pnmscalefixed.c
+--- netpbm-9.25.orig/pnm/pnmscalefixed.c 2002-01-04 18:22:44.000000000 +0100
++++ netpbm-9.25/pnm/pnmscalefixed.c 2004-05-12 11:53:57.756575904 +0200
+@@ -208,6 +208,8 @@
+ const int rows, const int cols,
+ int * newrowsP, int * newcolsP) {
+
++ overflow2(rows, cols);
++
+ if (cmdline.pixels) {
+ if (rows * cols <= cmdline.pixels) {
+ *newrowsP = rows;
+@@ -259,6 +261,8 @@
+
+ if (*newcolsP < 1) *newcolsP = 1;
+ if (*newrowsP < 1) *newrowsP = 1;
++
++ overflow2(*newcolsP, *newrowsP);
+ }
+
+
+@@ -440,6 +444,9 @@
+ unfilled. We can address that by stretching, whereas the other
+ case would require throwing away some of the input.
+ */
++
++ overflow2(newcols, SCALE);
++ overflow2(newrows, SCALE);
+ sxscale = SCALE * newcols / cols;
+ syscale = SCALE * newrows / rows;
+
+diff -urN netpbm-9.25.orig/pnm/pnmshear.c netpbm-9.25/pnm/pnmshear.c
+--- netpbm-9.25.orig/pnm/pnmshear.c 2001-06-26 06:43:02.000000000 +0200
++++ netpbm-9.25/pnm/pnmshear.c 2004-05-12 11:52:28.487146920 +0200
+@@ -11,6 +11,7 @@
+ */
+
+ #include <math.h>
++#include <limits.h>
+ #include "pnm.h"
+ #ifndef M_PI
+ #define M_PI 3.14159265358979323846
+@@ -194,6 +195,11 @@
+ if ( shearfac < 0.0 )
+ shearfac = -shearfac;
+
++ if(rows * shearfac >= INT_MAX-1)
++ pm_error("image too large");
++
++ overflow_add(rows * shearfac, cols+1);
++
+ newcols = rows * shearfac + cols + 0.999999;
+
+ pnm_writepnminit( stdout, newcols, rows, newmaxval, newformat, 0 );
+diff -urN netpbm-9.25.orig/pnm/pnmsplit.c netpbm-9.25/pnm/pnmsplit.c
+--- netpbm-9.25.orig/pnm/pnmsplit.c 2001-09-07 17:49:44.000000000 +0200
++++ netpbm-9.25/pnm/pnmsplit.c 2004-05-12 11:52:28.496145552 +0200
+@@ -120,6 +120,7 @@
+ *(strstr(before_sub, "%d")) = '\0';
+ after_sub = strstr(output_file_pattern, "%d") + 2;
+
++ overflow_add(strlen(output_file_pattern), 9);
+ size = strlen(output_file_pattern) - 2 + 10 + 1;
+ *output_name_p = malloc(size);
+
+diff -urN netpbm-9.25.orig/pnm/pnmtoddif.c netpbm-9.25/pnm/pnmtoddif.c
+--- netpbm-9.25.orig/pnm/pnmtoddif.c 2000-05-06 08:30:12.000000000 +0200
++++ netpbm-9.25/pnm/pnmtoddif.c 2004-05-12 11:52:28.493146008 +0200
+@@ -477,6 +477,7 @@
+ switch (PNM_FORMAT_TYPE(format)) {
+ case PBM_TYPE:
+ ip.bits_per_pixel = 1;
++ overflow_add(cols, 7);
+ ip.bytes_per_line = (cols + 7) / 8;
+ ip.spectral = 2;
+ ip.components = 1;
+@@ -492,6 +493,7 @@
+ ip.polarity = 2;
+ break;
+ case PPM_TYPE:
++ overflow2(cols, 3);
+ ip.bytes_per_line = 3 * cols;
+ ip.bits_per_pixel = 24;
+ ip.spectral = 5;
+diff -urN netpbm-9.25.orig/pnm/pnmtojpeg.c netpbm-9.25/pnm/pnmtojpeg.c
+--- netpbm-9.25.orig/pnm/pnmtojpeg.c 2001-09-20 19:57:40.000000000 +0200
++++ netpbm-9.25/pnm/pnmtojpeg.c 2004-05-12 11:53:57.759575448 +0200
+@@ -149,7 +149,7 @@
+ unsigned int option_def_index;
+
+ int argc_parse; /* argc, except we modify it as we parse */
+- char ** const argv_parse = malloc(argc*sizeof(char *));
++ char ** const argv_parse = malloc2(argc,sizeof(char *));
+ /* argv, except we modify it as we parse */
+
+ option_def_index = 0; /* incremented by OPTENTRY */
+@@ -543,6 +543,8 @@
+ const long half_maxval = maxval / 2;
+ long val;
+
++ overflow_add(maxval, 1);
++ overflow2(maxval+1, sizeof(JSAMPLE));
+ *rescale_p = (JSAMPLE *)
+ (cinfo.mem->alloc_small) ((j_common_ptr) &cinfo, JPOOL_IMAGE,
+ (size_t) (((long) maxval + 1L) *
+@@ -619,6 +621,7 @@
+ */
+
+ /* Allocate the libpnm output and compressor input buffers */
++ overflow2(cinfo_p->image_width, cinfo_p->input_components);
+ buffer = (*cinfo_p->mem->alloc_sarray)
+ ((j_common_ptr) cinfo_p, JPOOL_IMAGE,
+ (unsigned int) cinfo_p->image_width * cinfo_p->input_components,
+@@ -886,7 +889,9 @@
+ * want JPOOL_PERMANENT.
+ */
+ const unsigned int scan_info_size = nscans * sizeof(jpeg_scan_info);
+- jpeg_scan_info *scan_info =
++ jpeg_scan_info *scan_info;
++ overflow2(nscans, sizeof(jpeg_scan_info));
++ scan_info =
+ (jpeg_scan_info *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ scan_info_size);
+diff -urN netpbm-9.25.orig/pnm/pnmtopalm/palmcolormap.c netpbm-9.25/pnm/pnmtopalm/palmcolormap.c
+--- netpbm-9.25.orig/pnm/pnmtopalm/palmcolormap.c 2001-12-30 20:19:14.000000000 +0100
++++ netpbm-9.25/pnm/pnmtopalm/palmcolormap.c 2004-05-12 11:53:57.756575904 +0200
+@@ -229,7 +229,7 @@
+ return 0;
+
+ colormap = malloc(sizeof(Colormap_s));
+- colormap->color_entries = malloc(sizeof(Color_s) * ncolors);
++ colormap->color_entries = malloc2(sizeof(Color_s), ncolors);
+ colormap->nentries = ncolors;
+ colormap->ncolors = ncolors;
+
+diff -urN netpbm-9.25.orig/pnm/pnmtopalm/palmtopnm.c netpbm-9.25/pnm/pnmtopalm/palmtopnm.c
+--- netpbm-9.25.orig/pnm/pnmtopalm/palmtopnm.c 2001-12-30 19:54:24.000000000 +0100
++++ netpbm-9.25/pnm/pnmtopalm/palmtopnm.c 2004-05-12 11:53:57.757575752 +0200
+@@ -14,7 +14,7 @@
+ int i;
+ xelval *map;
+
+- map = (xelval *) malloc(sizeof(xelval) * ncolors);
++ map = (xelval *) malloc2(sizeof(xelval), ncolors);
+ for (i = 0; i < ncolors; i++)
+ {
+ map[i] = maxval - (i * (maxval - minval)) / (ncolors - 1);
+@@ -244,7 +244,7 @@
+ graymap = figure_graymap(ncolors, 0, maxval);
+ if (showhist)
+ {
+- seen = (unsigned int *) malloc(sizeof(unsigned int) * ncolors);
++ seen = (unsigned int *) malloc2(sizeof(unsigned int), ncolors);
+ if (!seen)
+ pm_error("Can't allocate %d bytes for keeping track of "
+ "which pixels were seen.",
+diff -urN netpbm-9.25.orig/pnm/pnmtopng.c netpbm-9.25/pnm/pnmtopng.c
+--- netpbm-9.25.orig/pnm/pnmtopng.c 2001-12-17 23:05:22.000000000 +0100
++++ netpbm-9.25/pnm/pnmtopng.c 2004-05-12 11:52:28.495145704 +0200
+@@ -211,14 +211,17 @@
+ int c;
+ char *cp;
+
+- /* GRR: need to check for malloc failure here */
+- info_ptr->text = (png_text *)malloc (MAXCOMMENTS * sizeof (png_text));
++ info_ptr->text = (png_text *)malloc2 (MAXCOMMENTS, sizeof (png_text));
++ if(info_ptr->text == NULL)
++ pm_error("out of memory");
+ j = 0;
+ textpos = 0;
+ while ((c = getc (tfp)) != EOF) {
+ if (c != '\n' && c != EOF) {
++ overflow_add(textpos, 1);
+ textline[textpos++] = c;
+ } else {
++ overflow_add(textpos, 1);
+ textline[textpos++] = '\0';
+ if ((textline[0] != ' ') && (textline[0] != '\t')) {
+ /* the following is a not that accurate check on Author or Title */
+@@ -248,6 +251,7 @@
+ j++;
+ } else {
+ j--;
++ overflow_add(info_ptr->text[j].text_length, textpos);
+ cp = malloc (info_ptr->text[j].text_length + textpos);
+ strcpy (cp, info_ptr->text[j].text);
+ strcat (cp, "\n");
+@@ -901,12 +905,21 @@
+ }
+ if (alpha) {
+ if (pnm_type == PPM_TYPE)
++ {
++ overflow2(depth, 4);
+ fulldepth = 4 * depth;
++ }
+ else
++ {
++ overflow2(depth, 2);
+ fulldepth = 2 * depth;
++ }
+ } else {
+ if (pnm_type == PPM_TYPE)
++ {
++ overflow2(depth, 3);
+ fulldepth = 3 * depth;
++ }
+ else
+ fulldepth = depth;
+ }
+@@ -1229,7 +1242,7 @@
+ png_set_packing (png_ptr);
+
+ /* max: 3 color channels, one alpha channel, 16-bit */
+- if ((line = (png_byte *) malloc (cols*8)) == NULL)
++ if ((line = (png_byte *) malloc2(cols, 8)) == NULL)
+ {
+ png_destroy_write_struct (&png_ptr, &info_ptr);
+ pm_closer (ifp);
+diff -urN netpbm-9.25.orig/pnm/pnmtops.c netpbm-9.25/pnm/pnmtops.c
+--- netpbm-9.25.orig/pnm/pnmtops.c 2002-01-09 16:32:19.000000000 +0100
++++ netpbm-9.25/pnm/pnmtops.c 2004-05-12 11:52:28.488146768 +0200
+@@ -136,15 +136,24 @@
+ cmdlineP->center = !nocenter;
+ cmdlineP->canturn = !noturn;
+
++ overflow2(width, 72);
++ overflow2(height, 72);
++
+ cmdlineP->width = width * 72;
+ cmdlineP->height = height * 72;
+
+ if (imagewidth_spec)
++ {
++ overflow2(imagewidth, 72);
+ cmdlineP->imagewidth = imagewidth * 72;
++ }
+ else
+ cmdlineP->imagewidth = 0;
+ if (imageheight_spec)
++ {
++ overflow2(imageheight, 72);
+ cmdlineP->imageheight = imageheight * 72;
++ }
+ else
+ cmdlineP->imageheight = 0;
+
+diff -urN netpbm-9.25.orig/pnm/pnmtorast.c netpbm-9.25/pnm/pnmtorast.c
+--- netpbm-9.25.orig/pnm/pnmtorast.c 1993-10-04 10:11:58.000000000 +0100
++++ netpbm-9.25/pnm/pnmtorast.c 2004-05-12 11:52:28.489146616 +0200
+@@ -299,11 +299,11 @@
+ pr_colormapP->type = RMT_EQUAL_RGB;
+ pr_colormapP->length = MAXCOLORS;
+ pr_colormapP->map[0] =
+- (unsigned char*) malloc( MAXCOLORS * sizeof(unsigned char) );
++ (unsigned char*) malloc2( MAXCOLORS, sizeof(unsigned char) );
+ pr_colormapP->map[1] =
+- (unsigned char*) malloc( MAXCOLORS * sizeof(unsigned char) );
++ (unsigned char*) malloc2( MAXCOLORS, sizeof(unsigned char) );
+ pr_colormapP->map[2] =
+- (unsigned char*) malloc( MAXCOLORS * sizeof(unsigned char) );
++ (unsigned char*) malloc2( MAXCOLORS, sizeof(unsigned char) );
+ if ( pr_colormapP->map[0] == 0 || pr_colormapP->map[1] == 0 ||
+ pr_colormapP->map[2] == 0 )
+ pm_error( "out of memory" );
+diff -urN netpbm-9.25.orig/pnm/pnmtorle.c netpbm-9.25/pnm/pnmtorle.c
+--- netpbm-9.25.orig/pnm/pnmtorle.c 2002-03-13 04:50:50.000000000 +0100
++++ netpbm-9.25/pnm/pnmtorle.c 2004-05-12 11:52:28.496145552 +0200
+@@ -19,6 +19,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * pnmtorle - A program which will convert pbmplus (ppm or pgm) images
+@@ -134,7 +136,7 @@
+ */
+ /*xelrow = pnm_allowcrow(width);*/
+ xelrow = (xel*) pm_allocrow( width, sizeof(xel) );
+- scanlines = (rle_pixel ***)malloc( height * sizeof(rle_pixel **) );
++ scanlines = (rle_pixel ***)malloc2( height, sizeof(rle_pixel **) );
+ RLE_CHECK_ALLOC( hdr.cmd, scanlines, "scanline pointers" );
+
+ for ( scan = 0; scan < height; scan++ )
+diff -urN netpbm-9.25.orig/pnm/pnmtosgi.c netpbm-9.25/pnm/pnmtosgi.c
+--- netpbm-9.25.orig/pnm/pnmtosgi.c 2001-06-03 10:35:32.000000000 +0200
++++ netpbm-9.25/pnm/pnmtosgi.c 2004-05-12 11:52:28.469149656 +0200
+@@ -37,7 +37,8 @@
+ static ScanElem *compress ARGS((ScanElem *temp, int row, int rows, int cols, int chan_no, long *table, int bpc));
+ static int rle_compress ARGS((ScanElem *inbuf, int cols));
+ static void * xmalloc ARGS((int bytes));
+-#define MALLOC(n, type) (type *)xmalloc((n) * sizeof(type))
++static void * xmalloc2 ARGS((int x, int y));
++#define MALLOC(n, type) (type *)xmalloc2((n), sizeof(type))
+
+ #define WORSTCOMPR(x) (2*(x) + 2)
+
+@@ -224,6 +225,22 @@
+ return mem;
+ }
+
++static void *
++xmalloc2(int x, int y)
++{
++ void *mem;
++
++ overflow2(x,y);
++ if( x * y == 0 )
++ return NULL;
++
++ mem = malloc2(x, y);
++ if( mem == NULL )
++ pm_error("out of memory allocating %d bytes", x * y);
++ return mem;
++}
++
++
+ static void
+ put_big_short(short s)
+ {
+@@ -261,6 +278,7 @@
+ #endif
+
+ if( storage != STORAGE_VERBATIM ) {
++ overflow2(channels, rows);
+ table = MALLOC(channels * rows, long);
+ rletemp = MALLOC(WORSTCOMPR(cols), ScanElem);
+ }
+@@ -314,6 +332,8 @@
+ break;
+ case STORAGE_RLE:
+ tabrow = chan_no * rows + row;
++ overflow2(chan_no, rows);
++ overflow_add(chan_no* rows, row);
+ len = rle_compress(temp, cols); /* writes result into rletemp */
+ channel[chan_no][row].length = len;
+ channel[chan_no][row].data = p = MALLOC(len, ScanElem);
+diff -urN netpbm-9.25.orig/pnm/pstopnm.c netpbm-9.25/pnm/pstopnm.c
+--- netpbm-9.25.orig/pnm/pstopnm.c 2001-09-07 17:49:59.000000000 +0200
++++ netpbm-9.25/pnm/pstopnm.c 2004-05-12 11:53:57.751576664 +0200
+@@ -175,6 +175,7 @@
+ else {
+ char *filespec_plus_ps;
+
++ overflow_add(strlen(orig_filespec), 4);
+ filespec_plus_ps = malloc(strlen(orig_filespec) + 4);
+ strcpy(filespec_plus_ps, orig_filespec);
+ strcat(filespec_plus_ps, ".ps");
+@@ -416,6 +417,7 @@
+
+ char *retval; /* malloc'ed */
+
++ overflow_add(strlen(cmdline.input_filespec), 10);
+ retval = malloc(strlen(cmdline.input_filespec) + 10);
+
+ if (cmdline.goto_stdout)
+diff -urN netpbm-9.25.orig/pnm/rletopnm.c netpbm-9.25/pnm/rletopnm.c
+--- netpbm-9.25.orig/pnm/rletopnm.c 2002-03-13 04:50:54.000000000 +0100
++++ netpbm-9.25/pnm/rletopnm.c 2004-05-12 11:52:28.498145248 +0200
+@@ -19,6 +19,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rletopnm - A conversion program to convert from Utah's "rle" image format
+@@ -187,7 +189,7 @@
+ pixelrow = ppm_allocrow(width);
+ alpharow = pgm_allocrow(width);
+
+- scanlines = (rle_pixel ***)malloc( height * sizeof(rle_pixel **) );
++ scanlines = (rle_pixel ***)malloc2( height, sizeof(rle_pixel **) );
+ RLE_CHECK_ALLOC( hdr.cmd, scanlines, "scanline pointers" );
+
+ for ( scan = 0; scan < height; scan++ )
+@@ -286,7 +288,7 @@
+ pixelrow = pgm_allocrow(width);
+ alpharow = pgm_allocrow(width);
+
+- scanlines = (rle_pixel ***)malloc( height * sizeof(rle_pixel **) );
++ scanlines = (rle_pixel ***)malloc2( height, sizeof(rle_pixel **) );
+ RLE_CHECK_ALLOC( hdr.cmd, scanlines, "scanline pointers" );
+
+ for ( scan = 0; scan < height; scan++ )
+diff -urN netpbm-9.25.orig/pnm/sgitopnm.c netpbm-9.25/pnm/sgitopnm.c
+--- netpbm-9.25.orig/pnm/sgitopnm.c 2002-01-04 18:29:11.000000000 +0100
++++ netpbm-9.25/pnm/sgitopnm.c 2004-05-12 11:52:28.474148896 +0200
+@@ -44,8 +44,8 @@
+ static short get_big_short ARGS((FILE *f));
+ static short get_byte_as_short ARGS((FILE *f));
+ static void readerr ARGS((FILE *f));
+-static void * xmalloc ARGS((int bytes));
+-#define MALLOC(n, type) (type *)xmalloc((n) * sizeof(type))
++static void * xmalloc2 ARGS((int x, int y));
++#define MALLOC(n, type) (type *)xmalloc2((n), sizeof(type))
+ static char * compression_name ARGS((char compr));
+ static void read_bytes ARGS((FILE *ifp, int n, char *buf));
+ static Header * read_header ARGS((FILE *ifp, int channel));
+@@ -252,12 +252,18 @@
+
+ if (ochan < 0) {
+ maxchannel = (head->zsize < 3) ? head->zsize : 3;
++ overflow2(head->ysize, maxchannel);
+ image = MALLOC(head->ysize * maxchannel, ScanLine);
+ } else {
+ maxchannel = ochan + 1;
+ image = MALLOC(head->ysize, ScanLine);
+ }
+- if( table ) temp = MALLOC(WORSTCOMPR(head->xsize), ScanElem);
++ if( table )
++ {
++ overflow2(head->xsize, 2);
++ overflow_add(head->xsize*2, 2);
++ temp = MALLOC(WORSTCOMPR(head->xsize), ScanElem);
++ }
+
+ for( channel = 0; channel < maxchannel; channel++ ) {
+ #ifdef DEBUG
+@@ -447,17 +453,19 @@
+
+
+ static void *
+-xmalloc(bytes)
+- int bytes;
++xmalloc2(x, y)
++ int x;
++ int y;
+ {
+ void *mem;
+
+- if( bytes == 0 )
++ overflow2(x, y);
++ if( x * y == 0 )
+ return NULL;
+
+- mem = malloc(bytes);
++ mem = malloc2(x, y);
+ if( mem == NULL )
+- pm_error("out of memory allocating %d bytes", bytes);
++ pm_error("out of memory allocating %d bytes", x * y);
+ return mem;
+ }
+
+diff -urN netpbm-9.25.orig/pnm/sirtopnm.c netpbm-9.25/pnm/sirtopnm.c
+--- netpbm-9.25.orig/pnm/sirtopnm.c 2002-01-04 18:22:45.000000000 +0100
++++ netpbm-9.25/pnm/sirtopnm.c 2004-05-12 11:52:28.460151024 +0200
+@@ -69,6 +69,7 @@
+ }
+ break;
+ case PPM_TYPE:
++ overflow3(cols, rows, 3);
+ picsize = cols * rows * 3;
+ planesize = cols * rows;
+ if ( !( sirarray = (unsigned char*) malloc( picsize ) ) )
+diff -urN netpbm-9.25.orig/pnm/tifftopnm.c netpbm-9.25/pnm/tifftopnm.c
+--- netpbm-9.25.orig/pnm/tifftopnm.c 2002-03-03 18:24:54.000000000 +0100
++++ netpbm-9.25/pnm/tifftopnm.c 2004-05-12 11:52:28.490146464 +0200
+@@ -597,7 +597,7 @@
+ if (scanbuf == NULL)
+ pm_error("can't allocate memory for scanline buffer");
+
+- samplebuf = (unsigned short *) malloc(cols * sizeof(unsigned short) * spp);
++ samplebuf = (unsigned short *) malloc3(cols , sizeof(unsigned short) , spp);
+ if (samplebuf == NULL)
+ pm_error ("can't allocate memory for row buffer");
+
+diff -urN netpbm-9.25.orig/pnm/xwdtopnm.c netpbm-9.25/pnm/xwdtopnm.c
+--- netpbm-9.25.orig/pnm/xwdtopnm.c 2002-01-17 00:15:55.000000000 +0100
++++ netpbm-9.25/pnm/xwdtopnm.c 2004-05-12 11:52:28.491146312 +0200
+@@ -186,8 +186,8 @@
+ if ( h10P->window_ncolors != 0 )
+ {
+ /* Read X10 colormap. */
+- x10colors = (X10Color*) malloc(
+- h10P->window_ncolors * sizeof(X10Color) );
++ x10colors = (X10Color*) malloc2(
++ h10P->window_ncolors, sizeof(X10Color) );
+ if ( x10colors == 0 )
+ pm_error( "out of memory" );
+ for ( i = 0; i < h10P->window_ncolors; ++i )
+@@ -214,6 +214,9 @@
+ *colorsP = pnm_allocrow( 2 );
+ PNM_ASSIGN1( (*colorsP)[0], 0 );
+ PNM_ASSIGN1( (*colorsP)[1], *maxvalP );
++ overflow_add(h10P->pixmap_width, 15);
++ if(h10P->pixmap_width < 0)
++ pm_error("assert: negative width");
+ *padrightP =
+ ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width;
+ *bits_per_itemP = 16;
+@@ -224,9 +227,13 @@
+ *formatP = PGM_TYPE;
+ *visualclassP = StaticGray;
+ *maxvalP = ( 1 << h10P->display_planes ) - 1;
++ overflow_add(*maxvalP, 1);
+ *colorsP = pnm_allocrow( *maxvalP + 1 );
+ for ( i = 0; i <= *maxvalP; ++i )
+ PNM_ASSIGN1( (*colorsP)[i], i );
++ overflow_add(h10P->pixmap_width, 15);
++ if(h10P->pixmap_width < 0)
++ pm_error("assert: negative width");
+ *padrightP =
+ ( ( h10P->pixmap_width + 15 ) / 16 ) * 16 - h10P->pixmap_width;
+ *bits_per_itemP = 16;
+@@ -321,8 +328,8 @@
+ if ( h11P->ncolors > 0 )
+ {
+ /* Read X11 colormap. */
+- x11colors = (X11XColor*) malloc(
+- h11P->ncolors * sizeof(X11XColor) );
++ x11colors = (X11XColor*) malloc2(
++ h11P->ncolors, sizeof(X11XColor) );
+ if ( x11colors == 0 )
+ pm_error( "out of memory" );
+ if ( fread( x11colors, sizeof(X11XColor), h11P->ncolors, file ) !=
+@@ -384,6 +391,7 @@
+ {
+ *formatP = PGM_TYPE;
+ *maxvalP = ( 1 << h11P->bits_per_pixel ) - 1;
++ overflow_add(*maxvalP, 1);
+ *colorsP = pnm_allocrow( *maxvalP + 1 );
+ for ( i = 0; i <= *maxvalP; ++i )
+ PNM_ASSIGN1( (*colorsP)[i], i );
+@@ -405,6 +413,7 @@
+
+ *colsP = h11P->pixmap_width;
+ *rowsP = h11P->pixmap_height;
++ overflow2(h11P->bytes_per_line, 8);
+ *padrightP =
+ h11P->bytes_per_line * 8 / h11P->bits_per_pixel -
+ h11P->pixmap_width;
+diff -urN netpbm-9.25.orig/ppm/411toppm.c netpbm-9.25/ppm/411toppm.c
+--- netpbm-9.25.orig/ppm/411toppm.c 2001-05-16 18:26:22.000000000 +0200
++++ netpbm-9.25/ppm/411toppm.c 2004-05-12 11:53:57.806568304 +0200
+@@ -147,17 +147,18 @@
+ uint8 *** const orig_cbP) {
+ int y;
+
+- *orig_yP = (uint8 **) malloc(sizeof(uint8 *) * height);
++ *orig_yP = (uint8 **) malloc2(sizeof(uint8 *), height);
+ for (y = 0; y < height; y++) {
+- (*orig_yP)[y] = (uint8 *) malloc(sizeof(uint8) * width);
++ (*orig_yP)[y] = (uint8 *) malloc2(sizeof(uint8), width);
+ }
+
+- *orig_crP = (uint8 **) malloc(sizeof(uint8 *) * height);
++ overflow2(width, sizeof(uint8 *));
++ *orig_crP = (uint8 **) malloc2(sizeof(uint8 *), height);
+ for (y = 0; y < height; y++) {
+ (*orig_crP)[y] = (uint8 *) malloc(sizeof(uint8) * width / 4);
+ }
+
+- *orig_cbP = (uint8 **) malloc(sizeof(uint8 *) * height);
++ *orig_cbP = (uint8 **) malloc2(sizeof(uint8 *), height);
+ for (y = 0; y < height; y++) {
+ (*orig_cbP)[y] = (uint8 *) malloc(sizeof(uint8) * width / 4);
+ }
+@@ -177,19 +178,20 @@
+
+ /* first, allocate tons of memory */
+
+- Y = (int **) malloc(sizeof(int *) * height);
++ Y = (int **) malloc2(sizeof(int *), height);
+ for (y = 0; y < height; y++) {
+- Y[y] = (int *) malloc(sizeof(int) * width);
++ Y[y] = (int *) malloc2(sizeof(int), width);
+ }
+
+- U = (int **) malloc(sizeof(int *) * height);
++ U = (int **) malloc2(sizeof(int *) , height);
++ overflow2(sizeof(int), width);
+ for (y = 0; y < height; y++) {
+ U[y] = (int *) malloc(sizeof(int) * width / 4);
+ }
+
+- V = (int **) malloc(sizeof(int *) * height);
++ V = (int **) malloc2(sizeof(int *), height);
+ for (y = 0; y < height; y++) {
+- V[y] = (int *) malloc(sizeof(int) * width / 4);
++ V[y] = (int *) malloc2(sizeof(int), width / 4);
+ }
+
+ for ( y = 0; y < height; y ++ ) {
+diff -urN netpbm-9.25.orig/ppm/ilbmtoppm.c netpbm-9.25/ppm/ilbmtoppm.c
+--- netpbm-9.25.orig/ppm/ilbmtoppm.c 2002-01-04 16:26:40.000000000 +0100
++++ netpbm-9.25/ppm/ilbmtoppm.c 2004-05-12 11:53:57.761575144 +0200
+@@ -123,7 +123,8 @@
+ static ColorMap * alloc_cmap ARGS((void));
+ static void check_cmap ARGS((BitMapHeader *bmhd, ColorMap *cmap));
+ static void * xmalloc ARGS((int bytes));
+-#define MALLOC(n, type) (type *)xmalloc((n) * sizeof(type))
++static void * xmalloc2 ARGS((int x, int y));
++#define MALLOC(n, type) (type *)xmalloc2((n), sizeof(type))
+
+ #define FACTOR_4BIT 17 /* scale factor maxval 15 -> maxval 255 */
+
+@@ -348,6 +349,7 @@
+ }
+
+ if( typeid == ID_ILBM ) {
++ overflow_add(bmhd->w, 15);
+ ilbmrow = MALLOC(RowBytes(bmhd->w), unsigned char);
+ viewportmodes |= fakeviewport; /* -isham/-isehb */
+
+@@ -932,6 +934,9 @@
+ if( redmaxval != maxval || greenmaxval != maxval || bluemaxval != maxval )
+ pm_message("scaling colors to %d bits", pm_maxvaltobits(maxval));
+
++ overflow_add(redmaxval, 1);
++ overflow_add(greenmaxval, 1);
++ overflow_add(bluemaxval, 1);
+ redtable = MALLOC(redmaxval +1, pixval);
+ greentable = MALLOC(greenmaxval+1, pixval);
+ bluetable = MALLOC(bluemaxval +1, pixval);
+@@ -1281,6 +1286,7 @@
+ rawtype *chp;
+
+ cols = bmhd->w;
++ overflow_add(cols, 15);
+ bytes = RowBytes(cols);
+ for( plane = 0; plane < nPlanes; plane++ ) {
+ int mask;
+@@ -1321,6 +1327,7 @@
+ case mskNone:
+ break;
+ case mskHasMask: /* mask plane */
++ overflow_add(cols, 15);
+ read_ilbm_plane(ifp, chunksizeP, RowBytes(cols), bmhd->compression);
+ if( maskfile ) {
+ ilp = ilbmrow;
+@@ -1394,6 +1401,23 @@
+ return mem;
+ }
+
++static void *
++xmalloc2(x, y)
++ int x;
++ int y;
++{
++ void *mem;
++
++ overflow2(x,y);
++ if( x * y == 0 )
++ return NULL;
++
++ mem = malloc2(x,y);
++ if( mem == NULL )
++ pm_error("out of memory allocating %d bytes", x * y);
++ return mem;
++}
++
+
+ static char *
+ ID2string(id)
+@@ -1582,6 +1606,9 @@
+ cmap->mp_change[i] = NULL;
+ if( PCHG.StartLine < 0 ) {
+ int nch;
++ if(PCHG.MaxReg < PCHG.MinReg)
++ pm_error("assert: MinReg > MaxReg");
++ overflow_add(PCHG.MaxReg-PCHG.MinReg, 2);
+ nch = PCHG.MaxReg - PCHG.MinReg +1;
+ cmap->mp_init = MALLOC(nch + 1, PaletteChange);
+ for( i = 0; i < nch; i++ )
+@@ -1712,7 +1739,9 @@
+ ChangeCount32 = *data++;
+ datasize -= 2;
+
++ overflow_add(ChangeCount16, ChangeCount32);
+ changes = ChangeCount16 + ChangeCount32;
++ overflow_add(changes, 1);
+ cmap->mp_change[row] = MALLOC(changes + 1, PaletteChange);
+ for( i = 0; i < changes; i++ ) {
+ if( totalchanges >= PCHG->TotalChanges ) goto fail;
+@@ -1798,6 +1827,7 @@
+ if( datasize < 2 ) goto fail;
+ changes = BIG_WORD(data); data += 2; datasize -= 2;
+
++ overflow_add(changes, 1);
+ cmap->mp_change[row] = MALLOC(changes + 1, PaletteChange);
+ for( i = 0; i < changes; i++ ) {
+ if( totalchanges >= PCHG->TotalChanges ) goto fail;
+diff -urN netpbm-9.25.orig/ppm/imgtoppm.c netpbm-9.25/ppm/imgtoppm.c
+--- netpbm-9.25.orig/ppm/imgtoppm.c 2002-01-04 16:24:57.000000000 +0100
++++ netpbm-9.25/ppm/imgtoppm.c 2004-05-12 11:53:57.762574992 +0200
+@@ -83,6 +83,7 @@
+ len = atoi((char*) buf );
+ if ( fread( buf, len, 1, ifp ) != 1 )
+ pm_error( "bad colormap buf" );
++ overflow2(cmaplen, 3);
+ if ( cmaplen * 3 != len )
+ {
+ pm_message(
+@@ -104,6 +105,7 @@
+ pm_error( "bad pixel data header" );
+ buf[8] = '\0';
+ len = atoi((char*) buf );
++ overflow2(cols, rows);
+ if ( len != cols * rows )
+ pm_message(
+ "pixel data length (%d) does not match image size (%d)",
+diff -urN netpbm-9.25.orig/ppm/libppm5.c netpbm-9.25/ppm/libppm5.c
+--- netpbm-9.25.orig/ppm/libppm5.c 2000-03-23 05:27:06.000000000 +0100
++++ netpbm-9.25/ppm/libppm5.c 2004-05-12 11:53:57.769573928 +0200
+@@ -440,7 +440,7 @@
+ if ( fh == 0 )
+ pm_error( "out of memory allocating a fillhandle" );
+ fh->n = 0;
+- fh->coords = (coord*) malloc( SOME * sizeof(coord) );
++ fh->coords = (coord*) malloc2( SOME , sizeof(coord) );
+ if ( fh->coords == 0 )
+ pm_error( "out of memory allocating a fillhandle" );
+ fh->size = SOME;
+@@ -481,9 +481,10 @@
+ /* Ok, these are new; check if there's room for two more coords. */
+ if ( fh->n + 1 >= fh->size )
+ {
++ overflow_add(fh->size, SOME);
+ fh->size += SOME;
+- fh->coords = (coord*) realloc(
+- (char*) fh->coords, fh->size * sizeof(coord) );
++ fh->coords = (coord*) realloc2(
++ (char*) fh->coords, fh->size, sizeof(coord) );
+ if ( fh->coords == 0 )
+ pm_error( "out of memory enlarging a fillhandle" );
+ }
+diff -urN netpbm-9.25.orig/ppm/pcxtoppm.c netpbm-9.25/ppm/pcxtoppm.c
+--- netpbm-9.25.orig/ppm/pcxtoppm.c 2002-02-10 19:39:26.000000000 +0100
++++ netpbm-9.25/ppm/pcxtoppm.c 2004-05-12 11:53:57.795569976 +0200
+@@ -548,6 +548,8 @@
+ /*
+ * clear the pixel buffer
+ */
++
++ overflow2(bytesperline, 8);
+ npixels = (bytesperline * 8) / bitsperpixel;
+ p = pixels;
+ while (--npixels >= 0)
+diff -urN netpbm-9.25.orig/ppm/picttoppm.c netpbm-9.25/ppm/picttoppm.c
+--- netpbm-9.25.orig/ppm/picttoppm.c 2002-01-04 16:26:12.000000000 +0100
++++ netpbm-9.25/ppm/picttoppm.c 2004-05-12 11:53:57.772573472 +0200
+@@ -1,3 +1,5 @@
++#error "Unfixable. Don't ship me"
++
+ /*
+ * picttoppm.c -- convert a MacIntosh PICT file to PPM format.
+ *
+diff -urN netpbm-9.25.orig/ppm/pjtoppm.c netpbm-9.25/ppm/pjtoppm.c
+--- netpbm-9.25.orig/ppm/pjtoppm.c 2000-03-03 06:32:09.000000000 +0100
++++ netpbm-9.25/ppm/pjtoppm.c 2004-05-12 11:53:57.774573168 +0200
+@@ -127,17 +127,21 @@
+ case 'W': /* send last plane */
+ if (rows == -1 || r >= rows || image == NULL) {
+ if (rows == -1 || r >= rows)
++ {
++ overflow_add(rows, 100);
+ rows += 100;
++ }
+ if (image == NULL) {
+ image = (unsigned char **)
+- malloc(rows * planes * sizeof(unsigned char *));
+- imlen = (int *) malloc(rows * planes * sizeof(int));
++ malloc3(rows , planes , sizeof(unsigned char *));
++ imlen = (int *) malloc3(rows , planes, sizeof(int));
+ }
+ else {
++ overflow2(rows,planes);
+ image = (unsigned char **)
+- realloc(image, rows * planes *
++ realloc2(image, rows * planes,
+ sizeof(unsigned char *));
+- imlen = (int *) realloc(imlen, rows * planes *
++ imlen = (int *) realloc2(imlen, rows * planes,
+ sizeof(int));
+ }
+ }
+@@ -148,7 +152,7 @@
+ cols = cols > val ? cols : val;
+ imlen[r * planes + p] = val;
+ image[r * planes + p] = (unsigned char *)
+- malloc(val * sizeof(unsigned char));
++ malloc2(val , sizeof(unsigned char));
+ if (image[r * planes + p] == NULL)
+ pm_error("out of memory");
+ if (fread(image[r * planes + p], 1, val, fp) != val)
+@@ -205,7 +209,7 @@
+ if (image[r * planes] == NULL)
+ continue;
+ for (p = 0; p < planes; p++) {
+- buf = (unsigned char *) malloc(newcols *
++ buf = (unsigned char *) malloc2(newcols ,
+ sizeof(unsigned char *));
+ if (buf == NULL)
+ pm_error("out of memory");
+@@ -213,7 +217,10 @@
+ for (cmd = image[p + r * planes][c],
+ val = image[p + r * planes][c+1];
+ cmd >= 0 && i < newcols; cmd--, i++)
++ {
+ buf[i] = val;
++ overflow_add(i, 1);
++ }
+ cols = cols > i ? cols : i;
+ free(image[p + r * planes]);
+ /*
+@@ -224,6 +231,7 @@
+ image[p + r * planes] = (unsigned char *) realloc(buf, i);
+ }
+ }
++ overflow2(cols, 8);
+ cols *= 8;
+ }
+
+diff -urN netpbm-9.25.orig/ppm/ppmdist.c netpbm-9.25/ppm/ppmdist.c
+--- netpbm-9.25.orig/ppm/ppmdist.c 2000-03-03 06:41:40.000000000 +0100
++++ netpbm-9.25/ppm/ppmdist.c 2004-05-12 11:53:57.788571040 +0200
+@@ -90,7 +90,7 @@
+
+ /* copy the colors into another structure for sorting */
+ colorToGrayMap = (struct colorToGrayEntry *)
+- malloc(sizeof(struct colorToGrayEntry) * colors);
++ malloc2(sizeof(struct colorToGrayEntry), colors);
+ for (color = 0; color < colors; color++) {
+ colorToGrayMap[color].color = hist[color].color;
+ colorToGrayMap[color].frequency = hist[color].value;
+diff -urN netpbm-9.25.orig/ppm/ppmdither.c netpbm-9.25/ppm/ppmdither.c
+--- netpbm-9.25.orig/ppm/ppmdither.c 2002-02-22 05:56:35.000000000 +0100
++++ netpbm-9.25/ppm/ppmdither.c 2004-05-12 11:53:57.774573168 +0200
+@@ -93,6 +93,10 @@
+ const unsigned int dith_mat_sz =
+ (dith_dim * sizeof(int *)) + /* pointers */
+ (dith_dim * dith_dim * sizeof(int)); /* data */
++
++ overflow2(dith_dim, sizeof(int *));
++ overflow3(dith_dim, dith_dim, sizeof(int));
++ overflow_add(dith_dim * sizeof(int *), dith_dim * dith_dim * sizeof(int));
+ dith_mat = (unsigned int **) malloc(dith_mat_sz);
+
+ if (dith_mat == NULL)
+@@ -139,7 +143,9 @@
+ if (dith_nb < 2)
+ pm_error("too few shades for blue, minimum of 2");
+
+- *ptab_p = malloc(dith_nr * dith_ng * dith_nb * sizeof(pixel));
++ overflow2(dith_nr, dith_ng);
++ *ptab_p = malloc3(dith_nr * dith_ng, dith_nb, sizeof(pixel));
++
+ if (*ptab_p == NULL)
+ pm_error("Unable to allocate space for the color lookup table "
+ "(%d by %d by %d pixels).", dith_nr, dith_ng, dith_nb);
+diff -urN netpbm-9.25.orig/ppm/ppmquantall netpbm-9.25/ppm/ppmquantall
+--- netpbm-9.25.orig/ppm/ppmquantall 2001-04-16 09:49:37.000000000 +0200
++++ netpbm-9.25/ppm/ppmquantall 2004-05-12 11:53:57.822565872 +0200
+@@ -66,6 +66,97 @@
+ done
+
+ #all=`tempfile -p pqa.all -m 600`
++#all=.tmp.pqa.all.$$
++#rm -f $all
++all=$(mktemp -t pqa.all.XXXXXXXXXX) || exit 1 #219019
++
++pnmcat -topbottom -jleft -white ${files[@]} | ppmquant $newcolors > $all
++if [ $? != 0 ]; then
++ exit $?
++fi
++
++y=0
++i=0
++
++while [ $i -lt $nfiles ]; do
++ pnmcut -left 0 -top $y -width ${widths[$i]} -height ${heights[$i]} $all \
++ > ${files[$i]}$ext
++ if [ $? != 0 ]; then
++ exit $?
++ fi
++ y=$(($y + ${heights[$i]}))
++ i=$(($i + 1))
++done
++
++rm -f $all
++#!/bin/sh
++#
++# ppmquantall - run ppmquant on a bunch of files all at once, so they share
++# a common colormap
++#
++# WARNING: overwrites the source files with the results!!!
++#
++# Verbose explanation: Let's say you've got a dozen pixmaps that you want
++# to display on the screen all at the same time. Your screen can only
++# display 256 different colors, but the pixmaps have a total of a thousand
++# or so different colors. For a single pixmap you solve this problem with
++# ppmquant; this script solves it for multiple pixmaps. All it does is
++# concatenate them together into one big pixmap, run ppmquant on that, and
++# then split it up into little pixmaps again.
++
++usage()
++{
++ echo "usage: $0 [-ext extension] <newcolours> <ppmfile> ..."
++ exit 1
++}
++
++ext=
++
++while :; do
++
++ case "$1" in
++ -ext*)
++ if [ $# -lt 2 ]; then
++ usage
++ fi
++ ext=".$2"
++ shift
++ shift
++ ;;
++
++ *)
++ break
++ ;;
++
++ esac
++done
++
++if [ $# -lt 2 ]; then
++ usage
++fi
++
++newcolors=$1
++shift
++nfiles=$#
++files=($@)
++
++# Extract the width and height of each of the images.
++# Here, we make the assumption that the width and height are on the
++# second line, even though the PPM format doesn't require that.
++# To be robust, we need to use Pnmfile to get that information, or
++# Put this program in C and use ppm_readppminit().
++
++set widths=()
++set heights=()
++
++for i in ${files[@]}; do
++ widths=(${widths[*]} `egrep -v '^#' $i | head -2 | tail -1 | \
++ sed 's/ .*//'` )
++ heights=(${heights[*]} `egrep -v '^#' $i | head -2 | tail -1 | \
++ sed 's/.* //'` )
++done
++
++#all=`tempfile -p pqa.all -m 600`
+ all=/tmp/pqa.all.$$
+ rm -f $all
+
+diff -urN netpbm-9.25.orig/ppm/ppmquantall.csh netpbm-9.25/ppm/ppmquantall.csh
+--- netpbm-9.25.orig/ppm/ppmquantall.csh 2000-07-28 04:29:36.000000000 +0200
++++ netpbm-9.25/ppm/ppmquantall.csh 2004-05-12 11:53:57.816566784 +0200
+@@ -34,7 +34,7 @@
+ set heights=( $heights `head -2 $i | tail -1 | sed 's/.* //'` )
+ end
+
+-set all=/tmp/pqa.all.$$
++set all=.tmp.pqa.all.$$
+ rm -f $all
+ pnmcat -topbottom -jleft -white $files | ppmquant -quiet $newcolors > $all
+ if ( $status != 0 ) exit $status
+diff -urN netpbm-9.25.orig/ppm/ppmqvga.c netpbm-9.25/ppm/ppmqvga.c
+--- netpbm-9.25.orig/ppm/ppmqvga.c 2001-06-11 01:33:18.000000000 +0200
++++ netpbm-9.25/ppm/ppmqvga.c 2004-05-12 11:53:57.763574840 +0200
+@@ -438,6 +438,8 @@
+ ppm_writeppminit( stdout, cols, rows, maxval, 0 );
+
+ if (dither) {
++ overflow_add(cols, 2);
++ overflow2(cols+2, sizeof(fs_err_array));
+ fs_err_lines = (fs_err_array *) calloc((cols + 2), sizeof(fs_err_array));
+
+ if (fs_err_lines == NULL) {
+diff -urN netpbm-9.25.orig/ppm/ppmshadow netpbm-9.25/ppm/ppmshadow
+--- netpbm-9.25.orig/ppm/ppmshadow 2000-03-24 19:37:26.000000000 +0100
++++ netpbm-9.25/ppm/ppmshadow 2004-05-12 11:53:57.801569064 +0200
+@@ -22,7 +22,11 @@
+ #
+ #
+
+- $fname = "/tmp/_PPMshadow$$"; # Temporary filepath prefix
++# $fname = ".tmp._PPMshadow$$"; # Temporary filepath prefix
++ chomp($fname = `mktemp -d -t PPMshadow.XXXXXX`);
++ if ($? >> 8) {
++ die "Can't create tmpdir";
++ }
+
+ # Process command line options
+
+@@ -99,8 +103,8 @@
+ if ((!(defined $ifile)) || ($ifile eq '-')) {
+ # Input default to standard input
+ $stdin = 1;
+- $ifile = "$fname-0.ppm";
+- system("cat >$fname-0.ppm");
++ $ifile = "$fname/0.ppm";
++ system("cat >$fname/0.ppm");
+ }
+
+ # Determine the size of the source image
+@@ -112,15 +116,15 @@
+
+ # Create a blank background bitmap the size of the source bitmap
+
+- system("pnmcut 0 0 1 1 $ifile | pnmscale -xsize $xsize -ysize $ysize >$fname-5.ppm");
++ system("pnmcut 0 0 1 1 $ifile | pnmscale -xsize $xsize -ysize $ysize >$fname/5.ppm");
+
+ # Create positive mask file from input image
+
+- system("pnmarith -difference $ifile $fname-5.ppm | pnminvert | ppmtopgm | pgmtopbm -thresh -value 1.0 >$fname-1.ppm");
++ system("pnmarith -difference $ifile $fname/5.ppm | pnminvert | ppmtopgm | pgmtopbm -thresh -value 1.0 >$fname/1.ppm");
+
+ # Create convolution kernel file to generate shadow
+
+- open(OF, ">$fname-2.ppm");
++ open(OF, ">$fname/2.ppm");
+ $ckern = $convolve <= 11 ? $convolve : 11;
+ printf(OF "P2\n$ckern $ckern\n%d\n", $ckern * $ckern * 2);
+ $a = ($ckern * $ckern) + 1;
+@@ -136,60 +140,61 @@
+ # Convolve the input colour image with the kernel
+ # to create a translucent shadow image.
+
+- system("pnmconvol $fname-2.ppm $ifile >$fname-10.ppm");
+- system("rm $fname-2.ppm") if $purge;
++ system("pnmconvol $fname/2.ppm $ifile >$fname/10.ppm");
++# system("rm $fname-2.ppm") if $purge;
+ while ($ckern < $convolve) {
+- system("pnmsmooth $fname-10.ppm >$fname-10a.ppm");
+- system("mv $fname-10a.ppm $fname-10.ppm");
++ system("pnmsmooth $fname/10.ppm >$fname/10a.ppm");
++ system("mv $fname/10a.ppm $fname/10.ppm");
+ $ckern++;
+ }
+ } else {
+
+ # Convolve the positive mask with the kernel to create shadow
+
+- system("pnmconvol $fname-2.ppm $fname-1.ppm >$fname-3.ppm");
+- system("rm $fname-2.ppm") if $purge;
++ system("pnmconvol $fname/2.ppm $fname/1.ppm >$fname/3.ppm");
++# system("rm $fname-2.ppm") if $purge;
+ while ($ckern < $convolve) {
+- system("pnmsmooth $fname-3.ppm >$fname-3a.ppm");
+- system("mv $fname-3a.ppm $fname-3.ppm");
++ system("pnmsmooth $fname/3.ppm >$fname/3a.ppm");
++ system("mv $fname/3a.ppm $fname/3.ppm");
+ $ckern++;
+ }
+
+ # Multiply the shadow by the background colour
+
+- system("pnmarith -multiply $fname-3.ppm $fname-5.ppm >$fname-10.ppm");
+- system("rm $fname-3.ppm") if $purge;
++ system("pnmarith -multiply $fname/3.ppm $fname/5.ppm >$fname/10.ppm");
++ system("rm $fname/3.ppm") if $purge;
+ }
+
+ # Cut an offset rectangle from the shadow image
+
+ $i = $xsize - $xoffset;
+ $j = $ysize - $yoffset;
+- system("pnmcut 0 0 $i $j $fname-10.ppm >$fname-4.ppm");
+- system("rm $fname-10.ppm") if $purge;
++ system("pnmcut 0 0 $i $j $fname/10.ppm >$fname/4.ppm");
++# system("rm $fname-10.ppm") if $purge;
+
+ # Create offset shadow image
+
+- system("pnmpaste -replace $fname-4.ppm $xoffset $yoffset $fname-5.ppm >$fname-6.ppm");
+- system("rm $fname-4.ppm $fname-5.ppm") if $purge;
++ system("pnmpaste -replace $fname/4.ppm $xoffset $yoffset $fname/5.ppm >$fname/6.ppm");
++# system("rm $fname-4.ppm $fname-5.ppm") if $purge;
+
+ # Create inverse mask
+
+- system("pnminvert $fname-1.ppm >$fname-7.ppm");
++ system("pnminvert $fname/1.ppm >$fname/7.ppm");
+
+ # Multiply original image by inverse mask
+
+- system("pnmarith -multiply $ifile $fname-7.ppm >$fname-8.ppm");
+- system("rm $fname-7.ppm") if $purge;
+- system("rm $fname-0.ppm") if ($purge && $stdin);
++ system("pnmarith -multiply $ifile $fname/7.ppm >$fname/8.ppm");
++# system("rm $fname-7.ppm") if $purge;
++# system("rm $fname-0.ppm") if ($purge && $stdin);
+
+ # Multiply shadow by mask
+
+- system("pnmarith -multiply $fname-6.ppm $fname-1.ppm >$fname-9.ppm");
+- system("rm $fname-6.ppm $fname-1.ppm") if $purge;
++ system("pnmarith -multiply $fname/6.ppm $fname/1.ppm >$fname/9.ppm");
++# system("rm $fname-6.ppm $fname-1.ppm") if $purge;
+
+ # Add masked image and shadow to obtain result, which this
+ # last call on pnmarith sends to standard output.
+
+- system("pnmarith -add $fname-8.ppm $fname-9.ppm");
+- system("rm $fname-8.ppm $fname-9.ppm") if $purge;
++ system("pnmarith -add $fname/8.ppm $fname/9.ppm");
++# system("rm $fname-8.ppm $fname-9.ppm") if $purge;
++ system("rm -rf $fname/") if $purge;
+diff -urN netpbm-9.25.orig/ppm/ppmtoeyuv.c netpbm-9.25/ppm/ppmtoeyuv.c
+--- netpbm-9.25.orig/ppm/ppmtoeyuv.c 2001-09-07 17:48:09.000000000 +0200
++++ netpbm-9.25/ppm/ppmtoeyuv.c 2004-05-12 11:53:57.801569064 +0200
+@@ -112,14 +112,15 @@
+
+ int index;
+
+- mult299 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult587 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult114 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult16874 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult33126 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult5 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult41869 = (float *) malloc(sizeof(float) * (maxval+1));
+- mult08131 = (float *) malloc(sizeof(float) * (maxval+1));
++ overflow_add(maxval, 1);
++ mult299 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult587 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult114 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult16874 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult33126 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult5 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult41869 = (float *) malloc2(sizeof(float), (maxval+1));
++ mult08131 = (float *) malloc2(sizeof(float), (maxval+1));
+
+ if (maxval == YUVMAXVAL) {
+ /* fast path */
+@@ -265,10 +266,10 @@
+ uint8 ** orig_cr;
+ uint8 ** orig_cb;
+
+- *orig_yP = (uint8 **) malloc(sizeof(uint8 *) * height);
++ *orig_yP = (uint8 **) malloc2(sizeof(uint8 *) , height);
+ orig_y = *orig_yP;
+ for (y = 0; y < height; y++) {
+- orig_y[y] = (uint8 *) malloc(sizeof(uint8) * width);
++ orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , width);
+ }
+
+ *orig_crP = (uint8 **) malloc(sizeof(uint8 *) * height / 2);
+diff -urN netpbm-9.25.orig/ppm/ppmtoicr.c netpbm-9.25/ppm/ppmtoicr.c
+--- netpbm-9.25.orig/ppm/ppmtoicr.c 1993-10-04 10:12:38.000000000 +0100
++++ netpbm-9.25/ppm/ppmtoicr.c 2004-05-12 11:53:57.783571800 +0200
+@@ -170,7 +170,7 @@
+
+ if (rleflag) {
+ pm_message("sending run-length encoded picture data ..." );
+- testimage = (char*) malloc(rows*cols);
++ testimage = (char*) malloc2(rows, cols);
+ p = testimage;
+ for (i=0; i<rows; i++)
+ for (j=0; j<cols; j++)
+diff -urN netpbm-9.25.orig/ppm/ppmtoilbm.c netpbm-9.25/ppm/ppmtoilbm.c
+--- netpbm-9.25.orig/ppm/ppmtoilbm.c 2002-01-04 16:24:55.000000000 +0100
++++ netpbm-9.25/ppm/ppmtoilbm.c 2004-05-12 11:53:57.785571496 +0200
+@@ -117,7 +117,8 @@
+ static pixel * next_pixrow ARGS((FILE *fp, int row));
+ static int * make_val_table ARGS((int oldmaxval, int newmaxval));
+ static void * xmalloc ARGS((int bytes));
+-#define MALLOC(n, type) (type *)xmalloc((n) * sizeof(type))
++static void * xmalloc2 ARGS((int x, int y));
++#define MALLOC(n, type) (type *)xmalloc2((n) , sizeof(type))
+ static void init_read ARGS((FILE *fp, int *colsP, int *rowsP, pixval *maxvalP, int *formatP, int readall));
+ static void write_body_rows ARGS((void));
+ static void write_camg ARGS((void));
+@@ -785,11 +786,16 @@
+
+ if( mode != MODE_CMAP ) {
+ register int i;
++ overflow_add(cols, 15);
+ coded_rowbuf = MALLOC(RowBytes(cols), unsigned char);
+ for( i = 0; i < RowBytes(cols); i++ )
+ coded_rowbuf[i] = 0;
+ if( DO_COMPRESS )
++ {
++ overflow2(cols,2);
++ overflow_add(cols *2, 2);
+ compr_rowbuf = MALLOC(WORSTCOMPR(RowBytes(cols)), unsigned char);
++ }
+ }
+
+ switch( mode ) {
+@@ -981,7 +987,7 @@
+ pm_message("initializing HAM colormap...");
+
+ colors = 1<<(3*hbits);
+- hmap = malloc(colors * sizeof(hentry));
++ hmap = malloc2(colors, sizeof(hentry));
+ if (hmap == NULL)
+ pm_error("Unable to allocate memory for HAM colormap.");
+ hmaxval = pm_bitstomaxval(hbits);
+@@ -1839,6 +1845,7 @@
+
+ maskmethod = 0; /* no masking - RGB8 uses genlock bits */
+ compmethod = 4; /* RGB8 files are always compressed */
++ overflow2(cols, 4);
+ compr_row = MALLOC(cols * 4, unsigned char);
+
+ if( maxval != 255 ) {
+@@ -1926,6 +1933,7 @@
+
+ maskmethod = 0; /* no masking - RGBN uses genlock bits */
+ compmethod = 4; /* RGBN files are always compressed */
++ overflow2(cols, 2);
+ compr_row = MALLOC(cols * 2, unsigned char);
+
+ if( maxval != 15 ) {
+@@ -2397,6 +2405,7 @@
+ int i;
+ int *table;
+
++ overflow_add(oldmaxval, 1);
+ table = MALLOC(oldmaxval + 1, int);
+ for(i = 0; i <= oldmaxval; i++ )
+ table[i] = (i * newmaxval + oldmaxval/2) / oldmaxval;
+@@ -2417,6 +2426,21 @@
+ return mem;
+ }
+
++static void *
++xmalloc2(x,y)
++ int x;
++ int y;
++{
++ void *mem;
++
++ overflow2(x, y);
++
++ mem = malloc2(x, y);
++ if( mem == NULL )
++ pm_error("out of memory allocating %d bytes", x * y);
++ return mem;
++}
++
+
+ static int gFormat;
+ static int gCols;
+diff -urN netpbm-9.25.orig/ppm/ppmtolj.c netpbm-9.25/ppm/ppmtolj.c
+--- netpbm-9.25.orig/ppm/ppmtolj.c 2000-12-03 00:36:01.000000000 +0100
++++ netpbm-9.25/ppm/ppmtolj.c 2004-05-12 11:53:57.805568456 +0200
+@@ -180,6 +180,7 @@
+ pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
+
+ pm_close( ifp );
++ overflow2(cols,6);
+ obuf = (unsigned char *) pm_allocrow(cols * 3, sizeof(unsigned char));
+ cbuf = (unsigned char *) pm_allocrow(cols * 6, sizeof(unsigned char));
+ if (mode == C_TRANS_MODE_DELTA)
+diff -urN netpbm-9.25.orig/ppm/ppmtomitsu.c netpbm-9.25/ppm/ppmtomitsu.c
+--- netpbm-9.25.orig/ppm/ppmtomitsu.c 2002-01-04 16:24:55.000000000 +0100
++++ netpbm-9.25/ppm/ppmtomitsu.c 2004-05-12 11:53:57.773573320 +0200
+@@ -125,6 +125,8 @@
+ medias = MSize_User;
+
+ if (dpi300) {
++ overflow2(medias.maxcols, 2);
++ overflow2(medias.maxrows, 2);
+ medias.maxcols *= 2;
+ medias.maxrows *= 2;
+ }
+diff -urN netpbm-9.25.orig/ppm/ppmtompeg/frame.c netpbm-9.25/ppm/ppmtompeg/frame.c
+--- netpbm-9.25.orig/ppm/ppmtompeg/frame.c 2001-03-31 09:32:30.000000000 +0200
++++ netpbm-9.25/ppm/ppmtompeg/frame.c 2004-05-12 11:53:57.810567696 +0200
+@@ -140,15 +140,16 @@
+ omfrw->orig_y = NULL;
+ Fsize_x = out_x;
+ /* Allocate new frame memory */
+- omfrw->orig_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
++ omfrw->orig_y = (uint8 **) malloc2(sizeof(uint8 *) , Fsize_y);
+ ERRCHK(omfrw->orig_y, "malloc");
+ for (y = 0; y < Fsize_y; y++) {
+- omfrw->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * out_x);
++ omfrw->orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , out_x);
+ ERRCHK(omfrw->orig_y[y], "malloc");
+ }
+
+- omfrw->orig_cr = (uint8 **) malloc(sizeof(int8 *) * Fsize_y / 2);
++ omfrw->orig_cr = (uint8 **) malloc2(sizeof(int8 *) , Fsize_y / 2);
+ ERRCHK(omfrw->orig_cr, "malloc");
++ overflow2(out_x, sizeof(int8));
+ for (y = 0; y < Fsize_y / 2; y++) {
+ omfrw->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * out_x / 2);
+ ERRCHK(omfrw->orig_cr[y], "malloc");
+@@ -208,15 +209,17 @@
+ Fsize_y = out_y;
+
+ /* Allocate new frame memory */
+- omfrh->orig_y = (uint8 **) malloc(sizeof(uint8 *) * out_y);
++ omfrh->orig_y = (uint8 **) malloc2(sizeof(uint8 *), out_y);
+ ERRCHK(omfrh->orig_y, "malloc");
+ for (y = 0; y < out_y; y++) {
+- omfrh->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x);
++ omfrh->orig_y[y] = (uint8 *) malloc2(sizeof(uint8) , Fsize_x);
+ ERRCHK(omfrh->orig_y[y], "malloc");
+ }
+
++ overflow2(out_y, sizeof(int8 *));
+ omfrh->orig_cr = (uint8 **) malloc(sizeof(int8 *) * out_y / 2);
+ ERRCHK(omfrh->orig_cr, "malloc");
++ overflow2(sizeof(int8), Fsize_x);
+ for (y = 0; y < out_y / 2; y++) {
+ omfrh->orig_cr[y] = (uint8 *) malloc(sizeof(int8) * Fsize_x / 2);
+ ERRCHK(omfrh->orig_cr[y], "malloc");
+@@ -532,11 +535,11 @@
+ return;
+ }
+
+- frame->ppm_data = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
++ frame->ppm_data = (uint8 **) malloc2(sizeof(uint8 *) , Fsize_y);
+ ERRCHK(frame->ppm_data, "malloc");
+
+ for ( y = 0; y < Fsize_y; y++ ) {
+- frame->ppm_data[y] = (uint8 *) malloc(3*sizeof(uint8) * Fsize_x);
++ frame->ppm_data[y] = (uint8 *) malloc3(3, sizeof(uint8), Fsize_x);
+ ERRCHK(frame->ppm_data[y], "malloc");
+ }
+ }
+@@ -567,20 +570,20 @@
+ dctx = Fsize_x / DCTSIZE;
+ dcty = Fsize_y / DCTSIZE;
+
+- frame->y_blocks = (Block **) malloc(sizeof(Block *) * dcty);
++ frame->y_blocks = (Block **) malloc2(sizeof(Block *), dcty);
+ ERRCHK(frame->y_blocks, "malloc");
+ for (i = 0; i < dcty; i++) {
+- frame->y_blocks[i] = (Block *) malloc(sizeof(Block) * dctx);
++ frame->y_blocks[i] = (Block *) malloc2(sizeof(Block), dctx);
+ ERRCHK(frame->y_blocks[i], "malloc");
+ }
+
+- frame->cr_blocks = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
+- frame->cb_blocks = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
++ frame->cr_blocks = (Block **) malloc2(sizeof(Block *) , (dcty >> 1));
++ frame->cb_blocks = (Block **) malloc2(sizeof(Block *) , (dcty >> 1));
+ ERRCHK(frame->cr_blocks, "malloc");
+ ERRCHK(frame->cb_blocks, "malloc");
+ for (i = 0; i < (dcty >> 1); i++) {
+- frame->cr_blocks[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
+- frame->cb_blocks[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
++ frame->cr_blocks[i] = (Block *) malloc2(sizeof(Block) , (dctx >> 1));
++ frame->cb_blocks[i] = (Block *) malloc2(sizeof(Block) , (dctx >> 1));
+ ERRCHK(frame->cr_blocks[i], "malloc");
+ ERRCHK(frame->cb_blocks[i], "malloc");
+ }
+@@ -612,10 +615,10 @@
+ /*
+ * first, allocate tons of memory
+ */
+- frame->orig_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
++ frame->orig_y = (uint8 **) malloc2(sizeof(uint8 *), Fsize_y);
+ ERRCHK(frame->orig_y, "malloc");
+ for (y = 0; y < Fsize_y; y++) {
+- frame->orig_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x);
++ frame->orig_y[y] = (uint8 *) malloc2(sizeof(uint8), Fsize_x);
+ ERRCHK(frame->orig_y[y], "malloc");
+ }
+
+@@ -663,22 +666,24 @@
+ return;
+ }
+
+- frame->halfX = (uint8 **) malloc(Fsize_y*sizeof(uint8 *));
++ frame->halfX = (uint8 **) malloc2(Fsize_y, sizeof(uint8 *));
+ ERRCHK(frame->halfX, "malloc");
+- frame->halfY = (uint8 **) malloc((Fsize_y-1)*sizeof(uint8 *));
++ if(Fsize_y == 0 || Fsize_x == 0)
++ pm_error("assert: zero size");
++ frame->halfY = (uint8 **) malloc2((Fsize_y-1), sizeof(uint8 *));
+ ERRCHK(frame->halfY, "malloc");
+- frame->halfBoth = (uint8 **) malloc((Fsize_y-1)*sizeof(uint8 *));
++ frame->halfBoth = (uint8 **) malloc2((Fsize_y-1), sizeof(uint8 *));
+ ERRCHK(frame->halfBoth, "malloc");
+ for ( y = 0; y < Fsize_y; y++ ) {
+- frame->halfX[y] = (uint8 *) malloc((Fsize_x-1)*sizeof(uint8));
++ frame->halfX[y] = (uint8 *) malloc2((Fsize_x-1), sizeof(uint8));
+ ERRCHK(frame->halfX[y], "malloc");
+ }
+ for ( y = 0; y < Fsize_y-1; y++ ) {
+- frame->halfY[y] = (uint8 *) malloc(Fsize_x*sizeof(uint8));
++ frame->halfY[y] = (uint8 *) malloc2(Fsize_x, sizeof(uint8));
+ ERRCHK(frame->halfY[y], "malloc");
+ }
+ for ( y = 0; y < Fsize_y-1; y++ ) {
+- frame->halfBoth[y] = (uint8 *) malloc((Fsize_x-1)*sizeof(uint8));
++ frame->halfBoth[y] = (uint8 *) malloc2((Fsize_x-1), sizeof(uint8));
+ ERRCHK(frame->halfBoth[y], "malloc");
+ }
+ }
+@@ -712,24 +717,24 @@
+ it for some reason, so do it this way at least for now -- more
+ flexible
+ */
+- frame->decoded_y = (uint8 **) malloc(sizeof(uint8 *) * Fsize_y);
++ frame->decoded_y = (uint8 **) malloc2(sizeof(uint8 *), Fsize_y);
+ ERRCHK(frame->decoded_y, "malloc");
+ for (y = 0; y < Fsize_y; y++) {
+- frame->decoded_y[y] = (uint8 *) malloc(sizeof(uint8) * Fsize_x);
++ frame->decoded_y[y] = (uint8 *) malloc2(sizeof(uint8), Fsize_x);
+ ERRCHK(frame->decoded_y[y], "malloc");
+ }
+
+- frame->decoded_cr = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1));
++ frame->decoded_cr = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1));
+ ERRCHK(frame->decoded_cr, "malloc");
+ for (y = 0; y < (Fsize_y >> 1); y++) {
+- frame->decoded_cr[y] = (uint8 *) malloc(sizeof(uint8) * (Fsize_x >> 1));
++ frame->decoded_cr[y] = (uint8 *) malloc2(sizeof(uint8), (Fsize_x >> 1));
+ ERRCHK(frame->decoded_cr[y], "malloc");
+ }
+
+- frame->decoded_cb = (uint8 **) malloc(sizeof(int8 *) * (Fsize_y >> 1));
++ frame->decoded_cb = (uint8 **) malloc2(sizeof(int8 *), (Fsize_y >> 1));
+ ERRCHK(frame->decoded_cb, "malloc");
+ for (y = 0; y < (Fsize_y >> 1); y++) {
+- frame->decoded_cb[y] = (uint8 *) malloc(sizeof(uint8) * (Fsize_x >> 1));
++ frame->decoded_cb[y] = (uint8 *) malloc2(sizeof(uint8), (Fsize_x >> 1));
+ ERRCHK(frame->decoded_cb[y], "malloc");
+ }
+
+diff -urN netpbm-9.25.orig/ppm/ppmtompeg/iframe.c netpbm-9.25/ppm/ppmtompeg/iframe.c
+--- netpbm-9.25.orig/ppm/ppmtompeg/iframe.c 1995-08-15 00:30:06.000000000 +0200
++++ netpbm-9.25/ppm/ppmtompeg/iframe.c 2004-05-12 11:53:57.812567392 +0200
+@@ -857,6 +857,8 @@
+ int ysz = (Fsize_y>>3) * sizeof(int32 *);
+ int xsz = (Fsize_x>>3);
+
++ overflow2(Fsize_y>>3, sizeof(int32 *));
++
+ needs_init = FALSE;
+ for (y=0; y<3; y++) {
+ varDiff[y] = ratio[y] = total[y] = 0.0;
+@@ -875,6 +877,7 @@
+ fprintf(stderr, "Out of memory in BlockComputeSNR\n");
+ exit(-1);
+ }
++ overflow2(xsz, 4);
+ for (y = 0; y < ySize[0]>>3; y++) {
+ SignalY[y] = (int32 *) calloc(xsz,4);
+ SignalCr[y] = (int32 *) calloc(xsz,4);
+@@ -1030,27 +1033,27 @@
+ dctx = Fsize_x / DCTSIZE;
+ dcty = Fsize_y / DCTSIZE;
+
+- dct = (Block **) malloc(sizeof(Block *) * dcty);
++ dct = (Block **) malloc2(sizeof(Block *), dcty);
+ ERRCHK(dct, "malloc");
+ for (i = 0; i < dcty; i++) {
+- dct[i] = (Block *) malloc(sizeof(Block) * dctx);
++ dct[i] = (Block *) malloc2(sizeof(Block), dctx);
+ ERRCHK(dct[i], "malloc");
+ }
+
+- dct_data = (dct_data_type **) malloc(sizeof(dct_data_type *) * dcty);
++ dct_data = (dct_data_type **) malloc2(sizeof(dct_data_type *), dcty);
+ ERRCHK(dct_data, "malloc");
+ for (i = 0; i < dcty; i++) {
+- dct_data[i] = (dct_data_type *) malloc(sizeof(dct_data_type) * dctx);
++ dct_data[i] = (dct_data_type *) malloc2(sizeof(dct_data_type),dctx);
+ ERRCHK(dct[i], "malloc");
+ }
+
+- dctr = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
+- dctb = (Block **) malloc(sizeof(Block *) * (dcty >> 1));
++ dctr = (Block **) malloc2(sizeof(Block *), (dcty >> 1));
++ dctb = (Block **) malloc2(sizeof(Block *), (dcty >> 1));
+ ERRCHK(dctr, "malloc");
+ ERRCHK(dctb, "malloc");
+ for (i = 0; i < (dcty >> 1); i++) {
+- dctr[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
+- dctb[i] = (Block *) malloc(sizeof(Block) * (dctx >> 1));
++ dctr[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1));
++ dctb[i] = (Block *) malloc2(sizeof(Block), (dctx >> 1));
+ ERRCHK(dctr[i], "malloc");
+ ERRCHK(dctb[i], "malloc");
+ }
+diff -urN netpbm-9.25.orig/ppm/ppmtompeg/jpeg.c netpbm-9.25/ppm/ppmtompeg/jpeg.c
+--- netpbm-9.25.orig/ppm/ppmtompeg/jpeg.c 2001-08-31 22:48:06.000000000 +0200
++++ netpbm-9.25/ppm/ppmtompeg/jpeg.c 2004-05-12 11:53:57.812567392 +0200
+@@ -228,7 +228,7 @@
+ exit(1);
+ }
+
+- inoffsets = (int *)malloc(no_frames*sizeof(int));
++ inoffsets = (int *)malloc2(no_frames, sizeof(int));
+
+ if (fread (&(width),sizeof(int),1,inFile) != 1)
+ {
+diff -urN netpbm-9.25.orig/ppm/ppmtompeg/parallel.c netpbm-9.25/ppm/ppmtompeg/parallel.c
+--- netpbm-9.25.orig/ppm/ppmtompeg/parallel.c 2001-08-31 22:48:30.000000000 +0200
++++ netpbm-9.25/ppm/ppmtompeg/parallel.c 2004-05-12 11:53:57.814567088 +0200
+@@ -343,7 +343,7 @@
+ free(bigBuffer);
+ }
+
+- bigBuffer = (unsigned char *) malloc(bigBufferSize*
++ bigBuffer = (unsigned char *) malloc2(bigBufferSize,
+ sizeof(unsigned char));
+ }
+
+@@ -663,7 +663,7 @@
+
+ TransmitPortNum(parallelHostName, portNum, combinePortNum);
+
+- frameDone = (boolean *) malloc(numInputFiles*sizeof(boolean));
++ frameDone = (boolean *) malloc2(numInputFiles, sizeof(boolean));
+ memset((char *)frameDone, 0, numInputFiles*sizeof(boolean));
+
+ if ( (ofp = fopen(outputFileName, "wb")) == NULL ) {
+@@ -1269,6 +1269,8 @@
+
+ /* should keep list of port numbers to notify when frames become ready */
+
++ overflow2(numInputFiles, sizeof(int));
++ overflow2(numInputFiles, sizeof(boolean));
+ ready = (boolean *) calloc(numInputFiles, sizeof(boolean));
+ waitMachine = (int *) calloc(numInputFiles, sizeof(int));
+ waitPort = (int *) malloc(numMachines*sizeof(int));
+diff -urN netpbm-9.25.orig/ppm/ppmtompeg/psearch.c netpbm-9.25/ppm/ppmtompeg/psearch.c
+--- netpbm-9.25.orig/ppm/ppmtompeg/psearch.c 2001-09-26 17:11:53.000000000 +0200
++++ netpbm-9.25/ppm/ppmtompeg/psearch.c 2004-05-12 11:53:57.815566936 +0200
+@@ -299,6 +299,13 @@
+ ((searchRangeP>searchRangeB)?searchRangeP:searchRangeB)
+ : ((searchRangeB>searchRangeB)?searchRangeB:searchRangeB);
+
++ overflow2(searchRangeP, 2);
++ overflow2(searchRangeB, 2);
++ overflow_add(searchRangeP*2, 3);
++ overflow_add(searchRangeB*2, 3);
++ overflow2(2*searchRangeB+3, sizeof(int));
++ overflow2(2*searchRangeP+3, sizeof(int));
++
+ pmvHistogram = (int **) malloc((2*searchRangeP+3)*sizeof(int *));
+ bbmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *));
+ bfmvHistogram = (int **) malloc((2*searchRangeB+3)*sizeof(int *));
+@@ -891,6 +898,9 @@
+ int *columnTotals;
+ int rowTotal;
+
++ overflow2(searchRangeP, 2);
++ overflow_add(searchRangeP*2, 3);
++ overflow2(searchRangeP*2+3, sizeof(int));
+ columnTotals = (int *) calloc(2*searchRangeP+3, sizeof(int));
+
+ #ifdef COMPLETE_DISPLAY
+@@ -938,6 +948,9 @@
+
+ fprintf(fpointer, "B-frame Backwards:\n");
+
++ overflow2(searchRangeB, 2);
++ overflow_add(searchRangeB*2, 3);
++ overflow2(searchRangeB*2+3, sizeof(int));
+ columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int));
+
+ #ifdef COMPLETE_DISPLAY
+@@ -985,6 +998,9 @@
+
+ fprintf(fpointer, "B-frame Forwards:\n");
+
++ overflow2(searchRangeB, 2);
++ overflow_add(searchRangeB*2, 3);
++ overflow2(searchRangeB*2+3, sizeof(int));
+ columnTotals = (int *) calloc(2*searchRangeB+3, sizeof(int));
+
+ #ifdef COMPLETE_DISPLAY
+diff -urN netpbm-9.25.orig/ppm/ppmtompeg/rgbtoycc.c netpbm-9.25/ppm/ppmtompeg/rgbtoycc.c
+--- netpbm-9.25.orig/ppm/ppmtompeg/rgbtoycc.c 2000-06-05 04:31:33.000000000 +0200
++++ netpbm-9.25/ppm/ppmtompeg/rgbtoycc.c 2004-05-12 11:53:57.816566784 +0200
+@@ -96,6 +96,8 @@
+ }
+ table_maxval = maxval;
+
++ overflow_add(table_maxval, 1);
++ overflow2(table_maxval+1, sizeof(float));
+ mult299 = malloc((table_maxval+1)*sizeof(float));
+ mult587 = malloc((table_maxval+1)*sizeof(float));
+ mult114 = malloc((table_maxval+1)*sizeof(float));
+diff -urN netpbm-9.25.orig/ppm/ppmtopcx.c netpbm-9.25/ppm/ppmtopcx.c
+--- netpbm-9.25.orig/ppm/ppmtopcx.c 2002-02-10 19:34:06.000000000 +0100
++++ netpbm-9.25/ppm/ppmtopcx.c 2004-05-12 11:53:57.797569672 +0200
+@@ -185,6 +185,8 @@
+ else Planes = 1;
+ }
+
++ overflow2(BitsPerPixel, cols);
++ overflow_add(BitsPerPixel * cols, 7);
+ BytesPerLine = ((cols * BitsPerPixel) + 7) / 8;
+ rawrow = (unsigned char *)pm_allocrow(cols, sizeof(unsigned char));
+ planesrow = (unsigned char *)
+diff -urN netpbm-9.25.orig/ppm/ppmtopict.c netpbm-9.25/ppm/ppmtopict.c
+--- netpbm-9.25.orig/ppm/ppmtopict.c 1993-10-04 10:12:45.000000000 +0100
++++ netpbm-9.25/ppm/ppmtopict.c 2004-05-12 11:53:57.786571344 +0200
+@@ -246,6 +246,8 @@
+ putShort(stdout, 0); /* mode */
+
+ /* Finally, write out the data. */
++ overflow_add(cols/MAX_COUNT, 1);
++ overflow_add(cols, cols/MAX_COUNT+1);
+ packed = (char*) malloc((unsigned)(cols+cols/MAX_COUNT+1));
+ oc = 0;
+ for (row = 0; row < rows; row++)
+diff -urN netpbm-9.25.orig/ppm/ppmtopj.c netpbm-9.25/ppm/ppmtopj.c
+--- netpbm-9.25.orig/ppm/ppmtopj.c 2000-03-03 07:09:24.000000000 +0100
++++ netpbm-9.25/ppm/ppmtopj.c 2004-05-12 11:53:57.787571192 +0200
+@@ -176,6 +176,7 @@
+ pixels = ppm_readppm( ifp, &cols, &rows, &maxval );
+
+ pm_close( ifp );
++ overflow2(cols,2);
+ obuf = (unsigned char *) pm_allocrow(cols, sizeof(unsigned char));
+ cbuf = (unsigned char *) pm_allocrow(cols * 2, sizeof(unsigned char));
+
+diff -urN netpbm-9.25.orig/ppm/ppmtouil.c netpbm-9.25/ppm/ppmtouil.c
+--- netpbm-9.25.orig/ppm/ppmtouil.c 2002-01-04 16:24:54.000000000 +0100
++++ netpbm-9.25/ppm/ppmtouil.c 2004-05-12 11:53:57.787571192 +0200
+@@ -201,6 +201,7 @@
+ int d;
+
+ /* Allocate memory for printed number. Abort if error. */
++ overflow_add(digits, 1);
+ str = (char*) malloc( digits + 1 );
+ if ( str == 0 )
+ pm_error( "out of memory allocating number string" );
+@@ -268,6 +269,7 @@
+ }
+
+ /* Copy it. */
++ overflow_add(strlen(colorname), 1);
+ cmap[i].rgbname = (char*) malloc( strlen( colorname ) + 1 );
+ if ( cmap[i].rgbname == 0 )
+ pm_error( "out of memory allocating color name" );
+diff -urN netpbm-9.25.orig/ppm/ppmtowinicon.c netpbm-9.25/ppm/ppmtowinicon.c
+--- netpbm-9.25.orig/ppm/ppmtowinicon.c 2002-01-28 04:42:08.000000000 +0100
++++ netpbm-9.25/ppm/ppmtowinicon.c 2004-05-12 11:53:57.803568760 +0200
+@@ -27,6 +27,8 @@
+ */
+
+ #include <math.h>
++#include <string.h>
++#include <stdlib.h>
+ #include "winico.h"
+ #include "ppm.h"
+ #include "ppmcmap.h"
+@@ -193,12 +195,12 @@
+ wt = (wt & ~3) + 4;
+ }
+ xBytes = wt;
+- rowData = malloc ( rows * sizeof (char *));
++ rowData = malloc2 ( rows, sizeof (char *));
+ icBitmap->xBytes = xBytes;
+ icBitmap->data = rowData;
+ icBitmap->size = xBytes * rows;
+ for (y=0;y<rows;y++) {
+- u1 * row = malloc ( xBytes * sizeof (u1));
++ u1 * row = malloc2 ( xBytes , sizeof (u1));
+ int byteOn = 0;
+ int bitOn = 128;
+ int value;
+@@ -250,13 +252,15 @@
+ wt = (wt & ~3) + 4;
+ }
+ xBytes = wt;
+- rowData = malloc ( rows * sizeof (char *));
++ rowData = malloc2 ( rows , sizeof (char *));
+ icBitmap->xBytes = xBytes;
+ icBitmap->data = rowData;
++ overflow2(xBytes, rows);
+ icBitmap->size = xBytes * rows;
++ overflow2(xBytes, rows);
+
+ for (y=0;y<rows;y++) {
+- u1 * row = malloc ( xBytes * sizeof (u1));
++ u1 * row = malloc2 ( xBytes, sizeof (u1));
+ int byteOn = 0;
+ int nibble = 1; /* high nibble = 1, low nibble = 0; */
+ int value;
+@@ -304,13 +308,14 @@
+ wt = (wt & ~3) + 4;
+ }
+ xBytes = wt;
+- rowData = malloc ( rows * sizeof (char *));
++ rowData = malloc2 ( rows, sizeof (char *));
+ icBitmap->xBytes = xBytes;
+ icBitmap->data = rowData;
+ icBitmap->size = xBytes * rows;
++ overflow2(xBytes, rows);
+
+ for (y=0;y<rows;y++) {
+- u1 * row = malloc ( xBytes * sizeof (u1));
++ u1 * row = malloc2 ( xBytes, sizeof (u1));
+ memset (row, 0, xBytes);
+ rowData[rows-y-1] = row;
+ /*
+@@ -351,7 +356,7 @@
+ createCleanPalette(void) {
+ IC_Palette palette = malloc ( sizeof (* palette) );
+ int x;
+- palette->colors = malloc (MAXCOLORS * sizeof(IC_Color *));
++ palette->colors = malloc(MAXCOLORS * sizeof(IC_Color *));
+ for (x=0;x<MAXCOLORS;x++ ){
+ palette->colors[x] = NULL;
+ }
+diff -urN netpbm-9.25.orig/ppm/ppmtoxpm.c netpbm-9.25/ppm/ppmtoxpm.c
+--- netpbm-9.25.orig/ppm/ppmtoxpm.c 2002-03-13 04:23:45.000000000 +0100
++++ netpbm-9.25/ppm/ppmtoxpm.c 2004-05-12 11:53:57.764574688 +0200
+@@ -207,6 +207,7 @@
+ continue;
+ }
+ /* Allocate memory for ascii name. Abort if error. */
++ overflow_add(strlen(name), 1);
+ if (!(rgbname = (char *) malloc(strlen(name) + 1)))
+ pm_error("out of memory allocating rgb name");
+
+@@ -251,6 +252,7 @@
+ int i;
+
+ /* Allocate memory for printed number. Abort if error. */
++ overflow_add(digits, 1);
+ if (!(str = (char *) malloc(digits + 1)))
+ pm_error("out of memory");
+
+@@ -292,7 +294,8 @@
+ char *str;
+ cixel_map * cmap; /* malloc'ed */
+
+- cmap = malloc(sizeof(cixel_map) * (ncolors+1));
++ overflow_add(ncolors,1);
++ cmap = malloc2(sizeof(cixel_map), (ncolors+1));
+ if (cmapP == NULL)
+ pm_error("Out of memory allocating %d bytes for a color map.",
+ sizeof(cixel_map) * (ncolors+1));
+@@ -384,6 +387,7 @@
+ if (r == rgbn[j].r && g == rgbn[j].g && b == rgbn[j].b) {
+
+ /* Matched. Allocate string, copy mnemonic, and exit. */
++ overflow_add(strlen(rgbn[j].name), 1);
+ if (!(str = (char *) malloc(strlen(rgbn[j].name) + 1)))
+ pm_error("out of memory");
+ strcpy(str, rgbn[j].name);
+diff -urN netpbm-9.25.orig/ppm/qrttoppm.c netpbm-9.25/ppm/qrttoppm.c
+--- netpbm-9.25.orig/ppm/qrttoppm.c 1993-10-04 10:12:56.000000000 +0100
++++ netpbm-9.25/ppm/qrttoppm.c 2004-05-12 11:53:57.788571040 +0200
+@@ -46,7 +46,7 @@
+
+ ppm_writeppminit( stdout, cols, rows, maxval, 0 );
+ pixelrow = ppm_allocrow( cols );
+- buf = (unsigned char *) malloc( 3 * cols );
++ buf = (unsigned char *) malloc2( 3 , cols );
+ if ( buf == (unsigned char *) 0 )
+ pm_error( "out of memory" );
+
+diff -urN netpbm-9.25.orig/ppm/sldtoppm.c netpbm-9.25/ppm/sldtoppm.c
+--- netpbm-9.25.orig/ppm/sldtoppm.c 2000-03-03 07:15:55.000000000 +0100
++++ netpbm-9.25/ppm/sldtoppm.c 2004-05-12 11:53:57.789570888 +0200
+@@ -303,6 +303,8 @@
+
+ /* Allocate image buffer and clear it to black. */
+
++ overflow_add(ixdots,1);
++ overflow_add(iydots,1);
+ pixels = ppm_allocarray(pixcols = ixdots + 1, pixrows = iydots + 1);
+ PPM_ASSIGN(rgbcolour, 0, 0, 0);
+ ppmd_filledrectangle(pixels, pixcols, pixrows, pixmaxval, 0, 0,
+diff -urN netpbm-9.25.orig/ppm/ximtoppm.c netpbm-9.25/ppm/ximtoppm.c
+--- netpbm-9.25.orig/ppm/ximtoppm.c 2000-06-09 09:33:33.000000000 +0200
++++ netpbm-9.25/ppm/ximtoppm.c 2004-05-12 11:53:57.794570128 +0200
+@@ -239,6 +239,7 @@
+ header->bits_channel = atoi(a_head.bits_per_channel);
+ header->alpha_flag = atoi(a_head.alpha_channel);
+ if (strlen(a_head.author)) {
++ overflow_add(strlen(a_head.author),1);
+ if (!(header->author = calloc((unsigned int)strlen(a_head.author)+1,
+ 1))) {
+ pm_message("ReadXimHeader: can't calloc author string" );
+@@ -248,6 +249,7 @@
+ strncpy(header->author, a_head.author, strlen(a_head.author));
+ }
+ if (strlen(a_head.date)) {
++ overflow_add(strlen(a_head.date),1);
+ if (!(header->date =calloc((unsigned int)strlen(a_head.date)+1,1))){
+ pm_message("ReadXimHeader: can't calloc date string" );
+ return(0);
+@@ -256,6 +258,7 @@
+ strncpy(header->date, a_head.date, strlen(a_head.date));
+ }
+ if (strlen(a_head.program)) {
++ overflow_add(strlen(a_head.program),1);
+ if (!(header->program = calloc(
+ (unsigned int)strlen(a_head.program) + 1, 1))) {
+ pm_message("ReadXimHeader: can't calloc program string" );
+@@ -282,6 +285,7 @@
+ if (header->nchannels == 3 && header->bits_channel == 8)
+ header->ncolors = 0;
+ else if (header->nchannels == 1 && header->bits_channel == 8) {
++ overflow2(header->ncolors, sizeof(Color));
+ header->colors = (Color *)calloc((unsigned int)header->ncolors,
+ sizeof(Color));
+ if (header->colors == NULL) {
+diff -urN netpbm-9.25.orig/ppm/xpmtoppm.c netpbm-9.25/ppm/xpmtoppm.c
+--- netpbm-9.25.orig/ppm/xpmtoppm.c 2002-01-04 16:34:39.000000000 +0100
++++ netpbm-9.25/ppm/xpmtoppm.c 2004-05-12 11:53:57.799569368 +0200
+@@ -528,7 +528,7 @@
+ } else {
+ /* Over two chars per pixel, we fall back on linear search. */
+ *colorsP = ppm_allocrow(*ncolorsP);
+- *ptabP = (int *) malloc(*ncolorsP * sizeof(int));
++ *ptabP = (int *) malloc2(*ncolorsP, sizeof(int));
+ }
+
+ /* Read color table. */
+@@ -674,8 +674,9 @@
+ &ncolors, colorsP, &ptab);
+ *transparentP = -1; /* No transparency in version 1 */
+ }
++ overflow2(*widthP, *heightP);
+ totalpixels = *widthP * *heightP;
+- *dataP = (int *) malloc(totalpixels * sizeof(int));
++ *dataP = (int *) malloc2(totalpixels, sizeof(int));
+ if (*dataP == NULL)
+ pm_error("Could not get %d bytes of memory for image", totalpixels);
+ cursor = *dataP;
+diff -urN netpbm-9.25.orig/ppm/yuvtoppm.c netpbm-9.25/ppm/yuvtoppm.c
+--- netpbm-9.25.orig/ppm/yuvtoppm.c 2000-07-27 01:35:16.000000000 +0200
++++ netpbm-9.25/ppm/yuvtoppm.c 2004-05-12 11:53:57.794570128 +0200
+@@ -71,7 +71,8 @@
+
+ ppm_writeppminit(stdout, cols, rows, (pixval) 255, 0);
+ pixrow = ppm_allocrow(cols);
+- yuvbuf = malloc(((cols+1)/2)*sizeof(struct yuv));
++ overflow_add(cols, 1);
++ yuvbuf = malloc2(((cols+1)/2), sizeof(struct yuv));
+
+ for (row = 0; row < rows; ++row) {
+ int col;
+diff -urN netpbm-9.25.orig/urt/README netpbm-9.25/urt/README
+--- netpbm-9.25.orig/urt/README 2000-06-02 22:53:04.000000000 +0200
++++ netpbm-9.25/urt/README 2004-05-12 11:53:57.830564656 +0200
+@@ -18,3 +18,8 @@
+ defines stdout as a variable, so that wouldn't compile. So I changed
+ it to NULL and added a line to rle_hdr_init to set that field to
+ 'stdout' dynamically. 2000.06.02 BJH.
++
++Redid the code to check for maths overflows and other crawly horrors.
++Removed pipe through and compress support (unsafe)
++
++Alan Cox <alan@redhat.com>
+diff -urN netpbm-9.25.orig/urt/Runput.c netpbm-9.25/urt/Runput.c
+--- netpbm-9.25.orig/urt/Runput.c 2002-03-13 05:24:43.000000000 +0100
++++ netpbm-9.25/urt/Runput.c 2004-05-12 11:53:57.827565112 +0200
+@@ -17,6 +17,8 @@
+ *
+ * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
+ * to have all "void" functions so declared.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * Runput.c - General purpose Run Length Encoding.
+@@ -200,9 +202,11 @@
+ if ( the_hdr->background != 0 )
+ {
+ register int i;
+- register rle_pixel *background =
+- (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
++ register rle_pixel *background;
+ register int *bg_color;
++
++ overflow_add(the_hdr->ncolors,1);
++ background = (rle_pixel *)malloc( (unsigned)(the_hdr->ncolors + 1) );
+ /*
+ * If even number of bg color bytes, put out one more to get to
+ * 16 bit boundary.
+@@ -222,7 +226,7 @@
+ /* Big-endian machines are harder */
+ register int i, nmap = (1 << the_hdr->cmaplen) *
+ the_hdr->ncmap;
+- register char *h_cmap = (char *)malloc( nmap * 2 );
++ register char *h_cmap = (char *)malloc2( nmap, 2 );
+ if ( h_cmap == NULL )
+ {
+ fprintf( stderr,
+diff -urN netpbm-9.25.orig/urt/rle.h netpbm-9.25/urt/rle.h
+--- netpbm-9.25.orig/urt/rle.h 2002-03-13 16:32:34.000000000 +0100
++++ netpbm-9.25/urt/rle.h 2004-05-12 11:53:57.827565112 +0200
+@@ -14,6 +14,9 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
++ * Header declarations needed
+ */
+ /*
+ * rle.h - Global declarations for Utah Raster Toolkit RLE programs.
+@@ -169,6 +172,16 @@
+ */
+ extern rle_hdr rle_dflt_hdr;
+
++/*
++ * Provided by pm library
++ */
++
++extern void overflow_add(int, int);
++extern void overflow2(int, int);
++extern void overflow3(int, int, int);
++extern void *malloc2(int, int);
++extern void *malloc3(int, int, int);
++extern void *realloc2(void *, int, int);
+
+ /* Declare RLE library routines. */
+
+diff -urN netpbm-9.25.orig/urt/rle_addhist.c netpbm-9.25/urt/rle_addhist.c
+--- netpbm-9.25.orig/urt/rle_addhist.c 1992-04-30 16:07:45.000000000 +0200
++++ netpbm-9.25/urt/rle_addhist.c 2004-05-12 11:53:57.829564808 +0200
+@@ -14,6 +14,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_addhist.c - Add to the HISTORY comment in header
+@@ -68,19 +70,29 @@
+
+ length=0;
+ for(i=0;argv[i];i++)
++ {
++ overflow_add(length, strlen(argv[i]));
++ overflow_add(length+1, strlen(argv[i]));
+ length+= strlen(argv[i]) +1; /* length of each arg plus space. */
+-
++ }
+ (void)time (&temp);
+ timedate=ctime(&temp);
+ length+= strlen(timedate); /* length of date and time in ASCII. */
+
++ overflow_add(strlen(padding), 4);
++ overflow_add(strlen(padding)+4, strlen(histoire));
++ overflow_add(length, strlen(padding)+4 + strlen(histoire));
+ length+= strlen(padding) + 3 + strlen(histoire) + 1; /* length of padding, "on " and length of history name plus "="*/
+ if(in_hdr) /* if we are interested in the old comments... */
+ old=rle_getcom(histoire,in_hdr); /* get old comment. */
+
+- if((old) && (*old)) length+= strlen(old); /* add length if there. */
++ if((old) && (*old))
++ {
++ overflow_add(length, strlen(old));
++ length+= strlen(old); /* add length if there. */
++ }
+
+- length++; /*Cater for the null. */
++ overflow_add(length, 1);
+
+ if((newc=(char *)malloc((unsigned int) length)) == NULL)return;
+
+@@ -94,5 +106,4 @@
+ (void)strcat(newc,padding); /* to line up multiple histories.*/
+
+ (void)rle_putcom(newc,out_hdr);
+-
+ }
+diff -urN netpbm-9.25.orig/urt/rle_getrow.c netpbm-9.25/urt/rle_getrow.c
+--- netpbm-9.25.orig/urt/rle_getrow.c 2002-03-13 05:24:04.000000000 +0100
++++ netpbm-9.25/urt/rle_getrow.c 2004-05-12 11:53:57.825565416 +0200
+@@ -17,6 +17,8 @@
+ *
+ * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
+ * to have all "void" functions so declared.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_getrow.c - Read an RLE file in.
+@@ -100,10 +102,8 @@
+
+ if ( !(setup.h_flags & H_NO_BACKGROUND) && setup.h_ncolors > 0 )
+ {
+- the_hdr->bg_color = (int *)malloc(
+- (unsigned)(sizeof(int) * setup.h_ncolors) );
+- bg_color = (rle_pixel *)malloc(
+- (unsigned)(1 + (setup.h_ncolors / 2) * 2) );
++ the_hdr->bg_color = (int *)malloc2(sizeof(int), setup.h_ncolors);
++ bg_color = (rle_pixel *)malloc2(1 + (setup.h_ncolors / 2),2);
+ RLE_CHECK_ALLOC( the_hdr->cmd, the_hdr->bg_color && bg_color,
+ "background color" );
+ fread( (char *)bg_color, 1, 1 + (setup.h_ncolors / 2) * 2, infile );
+@@ -145,9 +145,8 @@
+ register int i;
+ register char *maptemp;
+
+- the_hdr->cmap = (rle_map *)malloc(
+- (unsigned)(sizeof(rle_map) * maplen) );
+- maptemp = (char *)malloc( 2 * maplen );
++ the_hdr->cmap = (rle_map *)malloc2(sizeof(rle_map), maplen);
++ maptemp = (char *)malloc2(2, maplen);
+ if ( the_hdr->cmap == NULL || maptemp == NULL )
+ {
+ fprintf( stderr,
+@@ -170,6 +169,8 @@
+ register char * cp;
+
+ VAXSHORT( comlen, infile ); /* get comment length */
++
++ overflow_add(comlen, 1);
+ evenlen = (comlen + 1) & ~1; /* make it even */
+ if ( evenlen )
+ {
+@@ -190,7 +191,7 @@
+ i++; /* extra for NULL pointer at end */
+ /* Get space to put pointers to comments */
+ the_hdr->comments =
+- (CONST_DECL char **)malloc( (unsigned)(i * sizeof(char *)) );
++ (CONST_DECL char **)malloc2(i, sizeof(char *));
+ if ( the_hdr->comments == NULL )
+ {
+ fprintf( stderr,
+diff -urN netpbm-9.25.orig/urt/rle_hdr.c netpbm-9.25/urt/rle_hdr.c
+--- netpbm-9.25.orig/urt/rle_hdr.c 2000-06-09 09:49:51.000000000 +0200
++++ netpbm-9.25/urt/rle_hdr.c 2004-05-12 11:53:57.826565264 +0200
+@@ -14,6 +14,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_hdr.c - Functions to manipulate rle_hdr structures.
+@@ -77,7 +79,10 @@
+ /* Fill in with copies of the strings. */
+ if ( the_hdr->cmd != pgmname )
+ {
+- char *tmp = (char *)malloc( strlen( pgmname ) + 1 );
++ char *tmp ;
++
++ overflow_add(strlen(pgmname), 1);
++ tmp = malloc( strlen( pgmname ) + 1 );
+ RLE_CHECK_ALLOC( pgmname, tmp, 0 );
+ strcpy( tmp, pgmname );
+ the_hdr->cmd = tmp;
+@@ -85,7 +90,9 @@
+
+ if ( the_hdr->file_name != fname )
+ {
+- char *tmp = (char *)malloc( strlen( fname ) + 1 );
++ char *tmp;
++ overflow_add(strlen(fname), 1);
++ tmp = malloc( strlen( fname ) + 1 );
+ RLE_CHECK_ALLOC( pgmname, tmp, 0 );
+ strcpy( tmp, fname );
+ the_hdr->file_name = tmp;
+@@ -150,6 +157,7 @@
+ if ( to_hdr->bg_color )
+ {
+ int size = to_hdr->ncolors * sizeof(int);
++ overflow2(to_hdr->ncolors, sizeof(int));
+ to_hdr->bg_color = (int *)malloc( size );
+ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->bg_color, "background color" );
+ memcpy( to_hdr->bg_color, from_hdr->bg_color, size );
+@@ -158,7 +166,7 @@
+ if ( to_hdr->cmap )
+ {
+ int size = to_hdr->ncmap * (1 << to_hdr->cmaplen) * sizeof(rle_map);
+- to_hdr->cmap = (rle_map *)malloc( size );
++ to_hdr->cmap = (rle_map *)malloc3( to_hdr->ncmap, 1<<to_hdr->cmaplen, sizeof(rle_map));
+ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->cmap, "color map" );
+ memcpy( to_hdr->cmap, from_hdr->cmap, size );
+ }
+@@ -171,11 +179,16 @@
+ int size = 0;
+ CONST_DECL char **cp;
+ for ( cp=to_hdr->comments; *cp; cp++ )
++ {
++ overflow_add(size, 1);
+ size++; /* Count the comments. */
++ }
+ /* Check if there are really any comments. */
+ if ( size )
+ {
++ overflow_add(size, 1);
+ size++; /* Copy the NULL pointer, too. */
++ overflow2(size, sizeof(char *));
+ size *= sizeof(char *);
+ to_hdr->comments = (CONST_DECL char **)malloc( size );
+ RLE_CHECK_ALLOC( to_hdr->cmd, to_hdr->comments, "comments" );
+diff -urN netpbm-9.25.orig/urt/rle_open_f.c netpbm-9.25/urt/rle_open_f.c
+--- netpbm-9.25.orig/urt/rle_open_f.c 2002-03-13 16:35:54.000000000 +0100
++++ netpbm-9.25/urt/rle_open_f.c 2004-05-12 11:53:57.824565568 +0200
+@@ -6,6 +6,9 @@
+ * University of Michigan
+ * Date: 11/14/89
+ * Copyright (c) 1990, University of Michigan
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
++ * Killed of crazy unsafe pipe/compress stuff
+ */
+
+ #include "rle.h"
+@@ -130,7 +133,7 @@
+
+ cp = file_name + strlen( (char*) file_name ) - 2;
+ /* Pipe case. */
+- if ( *file_name == '|' )
++ if ( *file_name == '|' && 0 /* BOLLOCKS ARE WE DOING THIS ANY MORE */)
+ {
+ int thepid; /* PID from my_popen */
+ if ( (fp = my_popen( file_name + 1, mode, &thepid )) == NULL )
+@@ -150,9 +153,10 @@
+ }
+
+ /* Compress case. */
+- else if ( cp > file_name && *cp == '.' && *(cp + 1) == 'Z' )
++ else if (/* SMOKING SOMETHING */ 0 && cp > file_name && *cp == '.' && *(cp + 1) == 'Z' )
+ {
+ int thepid; /* PID from my_popen. */
++ overflow_add(20, strlen(file_name));
+ combuf = (char *)malloc( 20 + strlen( file_name ) );
+ if ( combuf == NULL )
+ {
+diff -urN netpbm-9.25.orig/urt/rle_putcom.c netpbm-9.25/urt/rle_putcom.c
+--- netpbm-9.25.orig/urt/rle_putcom.c 2000-05-19 01:12:22.000000000 +0200
++++ netpbm-9.25/urt/rle_putcom.c 2004-05-12 11:53:57.830564656 +0200
+@@ -14,6 +14,8 @@
+ * If you modify this software, you should include a notice giving the
+ * name of the person performing the modification, the date of modification,
+ * and the reason for such modification.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+ /*
+ * rle_putcom.c - Add a picture comment to the header struct.
+@@ -89,19 +91,22 @@
+
+ if ( the_hdr->comments == NULL )
+ {
+- the_hdr->comments = (CONST_DECL char **)malloc( 2 * sizeof(char *) );
++ the_hdr->comments = (CONST_DECL char **)malloc2( 2, sizeof(char *) );
+ the_hdr->comments[0] = value;
+ the_hdr->comments[1] = NULL;
+ }
+ else
+ {
+ for ( i = 2, cp = the_hdr->comments; *cp != NULL; i++, cp++ )
++ {
++ overflow_add(i, 1);
+ if ( match( value, *cp ) != NULL )
+ {
+ v = *cp;
+ *cp = value;
+ return v;
+ }
++ }
+ /* Not found */
+ /* Can't realloc because somebody else might be pointing to this
+ * comments block. Of course, if this were true, then the
+@@ -111,7 +116,7 @@
+ * could copy the pointers, too.
+ */
+ old_comments = the_hdr->comments;
+- the_hdr->comments = (CONST_DECL char **)malloc(i * sizeof(char *) );
++ the_hdr->comments = (CONST_DECL char **)malloc2(i , sizeof(char *) );
+ the_hdr->comments[--i] = NULL;
+ the_hdr->comments[--i] = value;
+ for ( i--; i >= 0; i-- )
+diff -urN netpbm-9.25.orig/urt/scanargs.c netpbm-9.25/urt/scanargs.c
+--- netpbm-9.25.orig/urt/scanargs.c 2002-03-13 05:28:13.000000000 +0100
++++ netpbm-9.25/urt/scanargs.c 2004-05-12 11:53:57.828564960 +0200
+@@ -38,6 +38,8 @@
+ *
+ * Modified at BRL 16-May-88 by Mike Muuss to avoid Alliant STDC desire
+ * to have all "void" functions so declared.
++ *
++ * 2002-12-19: Fix maths wrapping bugs. Alan Cox <alan@redhat.com>
+ */
+
+ #include "rle.h"
+@@ -63,8 +65,8 @@
+ /*
+ * Storage allocation macros
+ */
+-#define NEW( type, cnt ) (type *) malloc( (cnt) * sizeof( type ) )
+-#define RENEW( type, ptr, cnt ) (type *) realloc( ptr, (cnt) * sizeof( type ) )
++#define NEW( type, cnt ) (type *) malloc2( (cnt) , sizeof( type ) )
++#define RENEW( type, ptr, cnt ) (type *) realloc2( ptr, (cnt), sizeof( type ) )
+
+ #if defined(c_plusplus) && !defined(USE_PROTOTYPES)
+ #define USE_PROTOTYPES
+diff -urN netpbm-9.25.orig/ppm/Makefile netpbm-9.25/ppm/Makefile
+--- netpbm-9.25.orig/ppm/Makefile Wed Mar 13 03:09:21 2002
++++ netpbm-9.25/ppm/Makefile Wed May 12 12:23:40 2004
+@@ -36,7 +36,7 @@
+
+ PORTBINARIES = 411toppm eyuvtoppm gouldtoppm ilbmtoppm imgtoppm \
+ leaftoppm mtvtoppm neotoppm \
+- pcxtoppm pgmtoppm pi1toppm picttoppm \
++ pcxtoppm pgmtoppm pi1toppm \
+ pjtoppm \
+ ppm3d ppmbrighten ppmchange ppmcolormask ppmcolors \
+ ppmdim ppmdist ppmdither \