dist-git conversion

#2781)

.gitignore

@@ -22,3 +22,4 @@ ghostscript-8.60-r8117.tar.bz2
 ghostscript-8.60.tar.bz2
 ghostscript-8.61.tar.bz2
 ghostscript-8.62.tar.bz2
+ghostscript-8.63.tar.bz2

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: ghostscript
-# $Id: Makefile,v 1.1 2004/09/09 05:07:56 cvsdist Exp $
-NAME := ghostscript
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

ghostscript-CVE-2008-6679.patch

@@ -0,0 +1,12 @@
+diff -up ghostscript-8.63/src/gdevpdtb.c.CVE-2008-6679 ghostscript-8.63/src/gdevpdtb.c
+--- ghostscript-8.63/src/gdevpdtb.c.CVE-2008-6679	2008-04-04 09:53:57.000000000 +0100
++++ ghostscript-8.63/src/gdevpdtb.c	2009-04-15 16:57:25.000000000 +0100
+@@ -133,7 +133,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev,
+ 			&st_pdf_base_font, "pdf_base_font_alloc");
+     const gs_font_name *pfname = &font->font_name;
+     gs_const_string font_name;
+-    char fnbuf[3 + sizeof(long) / 3 + 1]; /* .F#######\0 */
++    char fnbuf[2*sizeof(long) + 3]; /* .F########\0 */
+     int code;
+ 
+     if (pbfont == 0)

ghostscript-CVE-2009-0196.patch

@@ -0,0 +1,19 @@
+diff -up ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196	2007-12-11 08:29:58.000000000 +0000
++++ ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c	2009-04-15 16:55:34.000000000 +0100
+@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+         exrunlength = params->SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++      if (exrunlength > params->SDNUMEXSYMS - j) {
++        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++          "runlength too large in export symbol table (%d > %d - %d)\n",
++          exrunlength, params->SDNUMEXSYMS, j);
++        jbig2_sd_release(ctx, SDEXSYMS);
++        /* skip to the cleanup code and return SDEXSYMS = NULL */
++        SDEXSYMS = NULL;
++        break;
++      }
+       for(k = 0; k < exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS->glyphs[j++] = (i < m) ? 

ghostscript-CVE-2009-0583,0584.patch

@@ -0,0 +1,989 @@
+diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0583,0584 ghostscript-8.63/icclib/icc.c
+--- ghostscript-8.63/icclib/icc.c.CVE-2009-0583,0584	2008-05-09 05:12:01.000000000 +0100
++++ ghostscript-8.63/icclib/icc.c	2009-03-20 11:54:43.000000000 +0000
+@@ -152,6 +152,8 @@
+  *      Various bug fixes and enhancements.
+  */
+ 
++#include <limits.h>
++#include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdarg.h>
+@@ -313,8 +315,11 @@ size_t count
+ 	icmFileMem *p = (icmFileMem *)pp;
+ 	size_t len;
+ 
++	if (count > 0 && size > SIZE_MAX / count)
++		return 0;
++
+ 	len = size * count;
+-	if ((p->cur + len) >= p->end) {		/* Too much */
++	if (len > (p->end - p->cur)) { /* Too much */
+ 		if (size > 0)
+ 			count = (p->end - p->cur)/size;
+ 		else
+@@ -1634,6 +1639,8 @@ static int icmUInt8Array_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmUInt8Array_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -1698,7 +1705,7 @@ static int icmUInt8Array_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
++		if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
+ 			sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -1749,6 +1756,10 @@ static unsigned int icmUInt16Array_get_s
+ 	icmUInt16Array *p = (icmUInt16Array *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;			/* 8 bytes for tag and padding */
++	if (p->size > (UINT_MAX - len) / 2) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += p->size * 2;	/* 2 bytes for each UInt16 */
+ 	return len;
+ }
+@@ -1821,6 +1832,8 @@ static int icmUInt16Array_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmUInt16Array_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -1885,7 +1898,7 @@ static int icmUInt16Array_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
++		if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
+ 			sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -1936,6 +1949,10 @@ static unsigned int icmUInt32Array_get_s
+ 	icmUInt32Array *p = (icmUInt32Array *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;			/* 8 bytes for tag and padding */
++	if (p->size > (UINT_MAX - len) / 4) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += p->size * 4;	/* 4 bytes for each UInt32 */
+ 	return len;
+ }
+@@ -2008,6 +2025,8 @@ static int icmUInt32Array_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmUInt32Array_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -2072,7 +2091,7 @@ static int icmUInt32Array_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
++		if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
+ 			sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -2123,6 +2142,10 @@ static unsigned int icmUInt64Array_get_s
+ 	icmUInt64Array *p = (icmUInt64Array *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;			/* 8 bytes for tag and padding */
++	if (p->size > (UINT_MAX - len) / 8) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += p->size * 8;	/* 8 bytes for each UInt64 */
+ 	return len;
+ }
+@@ -2195,6 +2218,8 @@ static int icmUInt64Array_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmUInt64Array_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -2259,7 +2284,7 @@ static int icmUInt64Array_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) {
++		if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) {
+ 			sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -2310,6 +2335,10 @@ static unsigned int icmU16Fixed16Array_g
+ 	icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;			/* 8 bytes for tag and padding */
++	if (p->size > (UINT_MAX - len) / 4) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += p->size * 4;	/* 4 byte for each U16Fixed16 */
+ 	return len;
+ }
+@@ -2382,6 +2411,8 @@ static int icmU16Fixed16Array_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -2446,7 +2477,7 @@ static int icmU16Fixed16Array_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
++		if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
+ 			sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -2497,6 +2528,10 @@ static unsigned int icmS15Fixed16Array_g
+ 	icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;			/* 8 bytes for tag and padding */
++	if (p->size > (UINT_MAX - len) / 4) {
++		p->icp->errc = 1;
++		return (unsigned int) - 1;
++	}
+ 	len += p->size * 4;	/* 4 byte for each S15Fixed16 */
+ 	return len;
+ }
+@@ -2569,6 +2604,8 @@ static int icmS15Fixed16Array_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -2633,7 +2670,7 @@ static int icmS15Fixed16Array_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
++		if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
+ 			sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -2726,6 +2763,10 @@ static unsigned int icmXYZArray_get_size
+ 	icmXYZArray *p = (icmXYZArray *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;				/* 8 bytes for tag and padding */
++	if (p->size > (UINT_MAX - len) / 12) {
++		p->icp->errc = 1;
++		return (unsigned int) - 1;
++	}
+ 	len += p->size * 12;	/* 12 bytes for each XYZ */
+ 	return len;
+ }
+@@ -2798,6 +2839,8 @@ static int icmXYZArray_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmXYZArray_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -2865,7 +2908,7 @@ static int icmXYZArray_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) {
++		if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) {
+ 			sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -3001,7 +3044,7 @@ static int icmTable_setup_bwd(
+ 			int nf;			/* Next free slot */
+ 			if (rt->rlists[j] == NULL) {	/* No allocation */
+ 				as = 5;						/* Start with space for 5 */
+-				if ((rt->rlists[j] = (int *) icp->al->malloc(icp->al, sizeof(int) * as)) == NULL) {
++				if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) {
+ 					return 2;
+ 				}
+ 				rt->rlists[j][0] = as;
+@@ -3141,6 +3184,10 @@ static unsigned int icmCurve_get_size(
+ 	icmCurve *p = (icmCurve *)pp;
+ 	unsigned int len = 0;
+ 	len += 12;			/* 12 bytes for tag, padding and count */
++	if (p->size > (UINT_MAX - len) / 2) {
++		p->icp->errc = 1;
++		return (unsigned int) - 1;
++	}
+ 	len += p->size * 2;	/* 2 bytes for each UInt16 */
+ 	return len;
+ }
+@@ -3238,6 +3285,8 @@ static int icmCurve_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmCurve_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -3347,7 +3396,7 @@ static int icmCurve_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
++		if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
+ 			sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -3493,6 +3542,8 @@ static int icmData_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmData_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -3745,6 +3796,8 @@ static int icmText_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmText_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -4038,6 +4091,8 @@ static int icmDateTimeNumber_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -4128,11 +4183,15 @@ static icmBase *new_icmDateTimeNumber(
+ /* icmLut object */
+ 
+ /* Utility function - raise one integer to an integer power */
+-static unsigned int uipow(unsigned int a, unsigned int b) {
++static int uipow(unsigned int a, unsigned int b, unsigned int *ret) {
+ 	unsigned int rv = 1;
+-	for (; b > 0; b--)
++	for (; b > 0; b--) {
++		if (a > 0 && rv > UINT_MAX / a)
++			return 1;
+ 		rv *= a;
+-	return rv;
++	}
++	*ret = rv;
++	return 0;
+ }
+ 
+ /* - - - - - - - - - - - - - - - - */
+@@ -4268,7 +4327,7 @@ double *in		/* Input array[outputChan] *
+ 	if (p->inputChan <= 8) {
+ 		gw = GW;				/* Use stack allocation */
+ 	} else {
+-		if ((gw = (double *) icp->al->malloc(icp->al, (1 << p->inputChan) * sizeof(double))) == NULL) {
++		if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) {
+ 			sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -4819,19 +4878,50 @@ static unsigned int icmLut_get_size(
+ ) {
+ 	icmLut *p = (icmLut *)pp;
+ 	unsigned int len = 0;
++	unsigned int pw;
+ 
+ 	if (p->ttype == icSigLut8Type) {
+ 		len += 48;			/* tag and header */
++		if (p->inputChan > 0 &&
++		    p->inputEnt > (UINT_MAX - len) / p->inputChan / 1)
++			goto overflow;
++
+ 		len += 1 * (p->inputChan * p->inputEnt);
+-		len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan));
++		if (uipow(p->clutPoints,p->inputChan, &pw) ||
++		    (p->outputChan > 0 &&
++		     pw > (UINT_MAX - len) / p->outputChan / 1))
++			goto overflow;
++
++		len += 1 * (p->outputChan * pw);
++		if (p->outputChan > 0 &&
++		    p->outputEnt > (UINT_MAX - len) / p->outputChan / 1)
++			goto overflow;
++
+ 		len += 1 * (p->outputChan * p->outputEnt);
+ 	} else {
+ 		len += 52;			/* tag and header */
++		if (p->inputChan > 0 &&
++		    p->inputEnt > (UINT_MAX - len) / p->inputChan / 2)
++			goto overflow;
++
+ 		len += 2 * (p->inputChan * p->inputEnt);
+-		len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan));
++		if (uipow(p->clutPoints,p->inputChan, &pw) ||
++		    (p->outputChan > 0 &&
++		     pw > (UINT_MAX - len) / p->outputChan / 2))
++			goto overflow;
++
++		len += 2 * (p->outputChan * pw);
++		if (p->outputChan > 0 &&
++		    p->outputEnt > (UINT_MAX - len) / p->outputChan / 2)
++			goto overflow;
++
+ 		len += 2 * (p->outputChan * p->outputEnt);
+ 	}
+ 	return len;
++
++  overflow:
++	p->icp->errc = 1;
++	return (unsigned int) -1;
+ }
+ 
+ /* read the object, return 0 on success, error code on fail */
+@@ -4844,6 +4934,7 @@ static int icmLut_read(
+ 	icc *icp = p->icp;
+ 	int rv = 0;
+ 	unsigned long i, j, g, size;
++	unsigned int pw;
+ 	char *bp, *buf;
+ 
+ 	if (len < 4) {
+@@ -4904,6 +4995,11 @@ static int icmLut_read(
+ 		return icp->errc = 1;
+ 	}
+ 
++	if (p->clutPoints > 100) {
++		sprintf(icp->err,"icmLut_read: too many clutPoints");
++		return icp->errc = 1;
++	}
++
+ 	/* Read 3x3 transform matrix */
+ 	for (j = 0; j < 3; j++) {		/* Rows */
+ 		for (i = 0; i < 3; i++) {	/* Columns */
+@@ -4921,13 +5017,18 @@ static int icmLut_read(
+ 		bp = buf+52;
+ 	}
+ 
+-	if (len < icmLut_get_size((icmBase *)p)) {
++	if (len < icmLut_get_size((icmBase *)p) || icp->errc) {
+ 		sprintf(icp->err,"icmLut_read: Tag too small for contents");
+ 		icp->al->free(icp->al, buf);
+ 		return icp->errc = 1;
+ 	}
+ 
+ 	/* Read the input tables */
++	if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
++		sprintf(icp->err,"icmLut_read: overflow");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
+ 	size = (p->inputChan * p->inputEnt);
+ 	if ((rv = p->allocate((icmBase *)p)) != 0) {
+ 		icp->al->free(icp->al, buf);
+@@ -4942,7 +5043,14 @@ static int icmLut_read(
+ 	}
+ 
+ 	/* Read the clut table */
+-	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
++	if (uipow(p->clutPoints,p->inputChan,&pw) ||
++	    (p->outputChan > 0 &&
++	     pw > UINT_MAX / p->outputChan)) {
++		sprintf(icp->err,"icmLut_read: overflow");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
++	size = (p->outputChan * pw);
+ 	if ((rv = p->allocate((icmBase *)p)) != 0) {
+ 		icp->al->free(icp->al, buf);
+ 		return rv;
+@@ -4956,6 +5064,11 @@ static int icmLut_read(
+ 	}
+ 
+ 	/* Read the output tables */
++	if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
++		sprintf(icp->err,"icmLut_read: overflow");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
+ 	size = (p->outputChan * p->outputEnt);
+ 	if ((rv = p->allocate((icmBase *)p)) != 0) {
+ 		icp->al->free(icp->al, buf);
+@@ -4995,12 +5108,14 @@ static int icmLut_write(
+ 	icmLut *p = (icmLut *)pp;
+ 	icc *icp = p->icp;
+ 	unsigned long i,j;
+-	unsigned int len, size;
++	unsigned int len, size, pw;
+ 	char *bp, *buf;		/* Buffer to write from */
+ 	int rv = 0;
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmLut_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -5066,6 +5181,11 @@ static int icmLut_write(
+ 	}
+ 
+ 	/* Write the input tables */
++	if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
++		sprintf(icp->err,"icmLut_write: overflow");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
+ 	size = (p->inputChan * p->inputEnt);
+ 	if (p->ttype == icSigLut8Type) {
+ 		for (i = 0; i < size; i++, bp += 1) {
+@@ -5086,7 +5206,14 @@ static int icmLut_write(
+ 	}
+ 
+ 	/* Write the clut table */
+-	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
++	if (uipow(p->clutPoints,p->inputChan,&pw) ||
++	    (p->outputChan > 0 &&
++	     pw > UINT_MAX / p->outputChan)) {
++		sprintf(icp->err,"icmLut_write: overflow");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
++	size = (p->outputChan * pw);
+ 	if (p->ttype == icSigLut8Type) {
+ 		for (i = 0; i < size; i++, bp += 1) {
+ 			if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) {
+@@ -5106,6 +5233,11 @@ static int icmLut_write(
+ 	}
+ 
+ 	/* Write the output tables */
++	if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
++		sprintf(icp->err,"icmLut_write: overflow");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
+ 	size = (p->outputChan * p->outputEnt);
+ 	if (p->ttype == icSigLut8Type) {
+ 		for (i = 0; i < size; i++, bp += 1) {
+@@ -5177,7 +5309,14 @@ static void icmLut_dump(
+ 		if (p->inputChan > MAX_CHAN) {
+ 			fprintf(op,"  !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN);
+ 		} else {
+-			size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
++			unsigned int pw;
++			if (uipow(p->clutPoints,p->inputChan,&pw) ||
++			    (p->outputChan > 0 &&
++			     pw > UINT_MAX / p->outputChan)) {
++				fprintf(op,"Would overflow.\n");
++				return;
++			}
++			size = (p->outputChan * pw);
+ 			for (j = 0; j < p->inputChan; j++)
+ 				ii[j] = 0;
+ 			for (i = 0; i < size;) {
+@@ -5216,7 +5355,7 @@ static void icmLut_dump(
+ static int icmLut_allocate(
+ 	icmBase *pp
+ ) {
+-	unsigned int i, j, g, size;
++	unsigned int i, j, g, size, pw;
+ 	icmLut *p = (icmLut *)pp;
+ 	icc *icp = p->icp;
+ 
+@@ -5231,6 +5370,10 @@ static int icmLut_allocate(
+ 		return icp->errc = 1;
+ 	}
+ 
++	if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
++		sprintf(icp->err,"icmLut_alloc: too many entries");
++		return icp->errc = 1;
++	}
+ 	size = (p->inputChan * p->inputEnt);
+ 	if (size != p->inputTable_size) {
+ 		if (p->inputTable != NULL)
+@@ -5241,7 +5384,13 @@ static int icmLut_allocate(
+ 		}
+ 		p->inputTable_size = size;
+ 	}
+-	size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
++	if (uipow(p->clutPoints,p->inputChan,&pw) ||
++	    (p->outputChan > 0 &&
++	     pw > UINT_MAX / p->outputChan)) {
++		sprintf(icp->err,"icmLut_alloc: overflow");
++		return icp->errc = 1;
++	}
++	size = (p->outputChan * pw);
+ 	if (size != p->clutTable_size) {
+ 		if (p->clutTable != NULL)
+ 			icp->al->free(icp->al, p->clutTable);
+@@ -5251,6 +5400,10 @@ static int icmLut_allocate(
+ 		}
+ 		p->clutTable_size = size;
+ 	}
++	if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
++		sprintf(icp->err,"icmLut_alloc: overflow");
++		return icp->errc = 1;
++	}
+ 	size = (p->outputChan * p->outputEnt);
+ 	if (size != p->outputTable_size) {
+ 		if (p->outputTable != NULL)
+@@ -5441,6 +5594,8 @@ static int icmMeasurement_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmMeasurement_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -5712,13 +5867,20 @@ static unsigned int icmNamedColor_get_si
+ 			len += p->nDeviceCoords * 1;	/* bytes for each named color */
+ 		}
+ 	} else {	/* Named Color 2 */
++		unsigned int col;
+ 		len += 8;			/* 8 bytes for tag and padding */
+ 		len += 4;			/* 4 for vendor specific flags */
+ 		len += 4;			/* 4 for count of named colors */
+ 		len += 4;			/* 4 for number of device coords */
+ 		len += 32;			/* 32 for prefix of color names */
+ 		len += 32;			/* 32 for suffix of color names */
+-		len += p->count * (32 + 6 + p->nDeviceCoords * 2);	/* bytes for each named color */
++		col = 32 + 6 + p->nDeviceCoords * 2;
++		if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 ||
++		    (p->count > 0 && col > (UINT_MAX - len) / p->count)) {
++			p->icp->errc = 1;
++			return (unsigned int) -1;
++		}
++		len += p->count * col;	/* bytes for each named color */
+ 	}
+ 	return len;
+ }
+@@ -5882,6 +6044,8 @@ static int icmNamedColor_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmNamedColor_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -6109,9 +6273,22 @@ static unsigned int icmTextDescription_g
+ ) {
+ 	icmTextDescription *p = (icmTextDescription *)pp;
+ 	unsigned int len = 0;
++	if (p->size > UINT_MAX - (8 + 4 + 8)) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += 8;			/* 8 bytes for tag and padding */
+ 	len += 4 + p->size;	/* Ascii string length + ascii string */
+-	len += 8 + 2 * p->ucSize;	/* Unicode language code + length + string */
++	len += 8;               /* Unicode language code + length */
++	if (p->ucSize > (UINT_MAX - len) / 2) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
++	len += 2 * p->ucSize;    /* Unicode string */
++	if (len > (UINT_MAX - (3 + 67))) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += 3 + 67;		/* ScriptCode code, length string */
+ 	return len;
+ }
+@@ -6294,6 +6471,8 @@ static int icmTextDescription_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmTextDescription_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -6544,7 +6723,7 @@ static int icmTextDescription_allocate(
+ 	if (p->ucSize != p->uc_size) {
+ 		if (p->ucDesc != NULL)
+ 			icp->al->free(icp->al, p->ucDesc);
+-		if ((p->ucDesc = (ORD16 *) icp->al->malloc(icp->al, p->ucSize * sizeof(ORD16))) == NULL) {
++		if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) {
+ 			sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -6820,6 +6999,12 @@ static int icmProfileSequenceDesc_read(
+ 	bp += 8;	/* Skip padding */
+ 
+ 	p->count = read_UInt32Number(bp);	/* Number of sequence descriptions */
++	if (p->count > 1000) {
++		sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions");
++		icp->al->free(icp->al, buf);
++		return icp->errc = 1;
++	}
++
+ 	bp += 4;
+ 
+ 	/* Read all the sequence descriptions */
+@@ -6852,6 +7037,8 @@ static int icmProfileSequenceDesc_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -6922,7 +7109,7 @@ static int icmProfileSequenceDesc_alloca
+ 	if (p->count != p->_count) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (icmDescStruct *) icp->al->malloc(icp->al, p->count * sizeof(icmDescStruct))) == NULL) {
++		if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) {
+ 			sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7041,6 +7228,8 @@ static int icmSignature_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmSignature_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -7156,6 +7345,10 @@ static unsigned int icmScreening_get_siz
+ 	icmScreening *p = (icmScreening *)pp;
+ 	unsigned int len = 0;
+ 	len += 16;				/* 16 bytes for tag, padding, flag & channeles */
++	if (p->channels > (UINT_MAX - len) / 12) {
++		p->icp->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	len += p->channels * 12;	/* 12 bytes for each channel */
+ 	return len;
+ }
+@@ -7235,6 +7428,8 @@ static int icmScreening_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmScreening_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -7315,7 +7510,7 @@ static int icmScreening_allocate(
+ 	if (p->channels != p->_channels) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (icmScreeningData *) icp->al->malloc(icp->al, p->channels * sizeof(icmScreeningData))) == NULL) {
++		if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) {
+ 			sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7366,10 +7561,20 @@ static unsigned int icmUcrBg_get_size(
+ 	icmUcrBg *p = (icmUcrBg *)pp;
+ 	unsigned int len = 0;
+ 	len += 8;			/* 8 bytes for tag and padding */
++	if (p->UCRcount > (UINT_MAX - len - 4) / 2)
++		goto overflow;
++
+ 	len += 4 + p->UCRcount * 2;	/* Undercolor Removal */
++	if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2)
++		goto overflow;
++
+ 	len += 4 + p->BGcount * 2;	/* Black Generation */
+ 	len += p->size;				/* Description string */
+ 	return len;
++
++ overflow:
++	p->icp->errc = 1;
++	return (unsigned int) -1;
+ }
+ 
+ /* read the object, return 0 on success, error code on fail */
+@@ -7498,6 +7703,8 @@ static int icmUcrBg_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmUcrBg_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -7663,7 +7870,7 @@ static int icmUcrBg_allocate(
+ 	if (p->UCRcount != p->UCR_count) {
+ 		if (p->UCRcurve != NULL)
+ 			icp->al->free(icp->al, p->UCRcurve);
+-		if ((p->UCRcurve = (double *) icp->al->malloc(icp->al, p->UCRcount * sizeof(double))) == NULL) {
++		if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) {
+ 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7672,7 +7879,7 @@ static int icmUcrBg_allocate(
+ 	if (p->BGcount != p->BG_count) {
+ 		if (p->BGcurve != NULL)
+ 			icp->al->free(icp->al, p->BGcurve);
+-		if ((p->BGcurve = (double *) icp->al->malloc(icp->al, p->BGcount * sizeof(double))) == NULL) {
++		if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) {
+ 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7743,6 +7950,15 @@ static unsigned int icmVideoCardGamma_ge
+ 		len += 2;       /* 2 bytes for channels */
+ 		len += 2;       /* 2 for entry count */
+ 		len += 2;       /* 2 for entry size */
++		if (p->u.table.entryCount > 0 &&
++		    p->u.table.entrySize > 0 &&
++		    p->u.table.channels >
++		    (UINT_MAX - len) /
++		    p->u.table.entryCount /
++		    p->u.table.entrySize) {
++			p->icp->errc = 1;
++			return (unsigned int) -1;
++		}
+ 		len += ( p->u.table.channels *     /* compute table size */
+ 				 p->u.table.entryCount *
+ 				 p->u.table.entrySize );
+@@ -7762,10 +7978,11 @@ static int icmVideoCardGamma_read(
+ ) {
+ 	icmVideoCardGamma *p = (icmVideoCardGamma *)pp;
+ 	icc *icp = p->icp;
+-	int rv, c;
++	int rv;
+ 	char *bp, *buf;
+ 	unsigned char *pchar;
+ 	unsigned short *pshort;
++	unsigned long c;
+ 
+ 	if (len < 18) {
+ 		sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
+@@ -7803,6 +8020,16 @@ static int icmVideoCardGamma_read(
+ 		p->u.table.channels   = read_UInt16Number(bp+12);
+ 		p->u.table.entryCount = read_UInt16Number(bp+14);
+ 		p->u.table.entrySize  = read_UInt16Number(bp+16);
++		if (p->u.table.entrySize > 65530 || p->u.table.entrySize == 0) {
++			sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)");
++			return icp->errc = 1;
++		}
++		if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 &&
++		    p->u.table.channels >
++		    UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) {
++			sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag");
++			return icp->errc = 1;
++		}
+ 		if (len-18 < p->u.table.channels*p->u.table.entryCount*p->u.table.entrySize) {
+ 			sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
+ 			return icp->errc = 1;
+@@ -7871,6 +8098,8 @@ static int icmVideoCardGamma_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmViewingConditions_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -8049,7 +8278,7 @@ static int icmVideoCardGamma_allocate(
+ ) {
+ 	icmVideoCardGamma *p = (icmVideoCardGamma *)pp;
+ 	icc *icp = p->icp;
+-	int size;
++	unsigned int size;
+ 
+ 	/* note: allocation is only relevant for table type
+ 	 * and in that case the channels, entryCount, and entrySize
+@@ -8059,6 +8288,11 @@ static int icmVideoCardGamma_allocate(
+ 	if (p->tagType == icmVideoCardGammaTableType) {
+ 		if (p->u.table.data != NULL)
+ 			icp->al->free(icp->al, p->u.table.data);
++		if (p->u.table.entryCount > 0 &&
++		    p->u.table.channels > UINT_MAX / p->u.table.entryCount) {
++			sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
++			return icp->errc = 1;
++		}
+ 		size = (p->u.table.channels *
+ 				p->u.table.entryCount);
+ 		switch (p->u.table.entrySize) {
+@@ -8066,6 +8300,10 @@ static int icmVideoCardGamma_allocate(
+ 			size *= sizeof(unsigned char);
+ 			break;
+ 		case 2:
++			if (size > UINT_MAX / sizeof(unsigned short)) {
++				sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
++				return icp->errc = 1;
++			}
+ 			size *= sizeof(unsigned short);
+ 			break;
+ 		default:
+@@ -8201,6 +8439,8 @@ static int icmViewingConditions_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmViewingConditions_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -8433,6 +8673,8 @@ static int icmCrdInfo_write(
+ 
+ 	/* Allocate a file write buffer */
+ 	len = p->get_size((icmBase *)p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ 		sprintf(icp->err,"icmCrdInfo_write malloc() failed");
+ 		return icp->errc = 2;
+@@ -8736,6 +8978,8 @@ static int icmHeader_write(
+ 	int rv = 0;
+ 
+ 	len = p->get_size(p);
++	if (icp->errc)
++		return icp->errc;
+ 	if ((buf = (char *) icp->al->calloc(icp->al,1,len)) == NULL) {			/* Zero it - some CMS are fussy */
+ 		sprintf(icp->err,"icmHeader_write calloc() failed");
+ 		return icp->errc = 2;
+@@ -9245,13 +9489,23 @@ static int icc_read(
+ 	}
+ 
+ 	p->count = read_UInt32Number(tcbuf);		/* Tag count */
++	if (p->count > 100) {
++		sprintf(p->err,"icc_read: too many table tags");
++		return p->errc = 1;
++	}
+ 	if (p->count > 0) {
+ 		char *bp, *buf;
+-		if ((p->data = (icmTag *) p->al->malloc(p->al, p->count * sizeof(icmTag))) == NULL) {
++		if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) {
+ 			sprintf(p->err,"icc_read: Tag table malloc() failed");
+ 			return p->errc = 2;
+ 		}
+ 	
++		if (p->count > (UINT_MAX - 4) / 12) {
++			sprintf(p->err,"icc_read: overflow");
++			p->al->free(p->al, p->data);
++			p->data = NULL;
++			return p->errc = 1;
++		}
+ 		len = 4 + p->count * 12;
+ 		if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) {
+ 			sprintf(p->err,"icc_read: Tag table read buffer malloc() failed");
+@@ -9281,6 +9535,14 @@ static int icc_read(
+ 	    	    return p->errc = 1;
+ 	    	}
+ 	    	p->data[i].size = read_UInt32Number(bp + 8);	
++			if (p->data[i].offset + p->data[i].size >
++			    p->header->size) {
++				sprintf(p->err,"icc_read: tag out of bounds");
++				p->al->free(p->al, p->data);
++				p->data = NULL;
++				p->al->free(p->al, buf);
++				return p->errc = 1;
++			}
+ 			if (   p->fp->seek(p->fp, of + p->data[i].offset) != 0
+ 			    || p->fp->read(p->fp, tcbuf, 1, 4) != 4) {
+ 				sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers");
+@@ -9321,8 +9583,14 @@ static unsigned int icc_get_size(
+ 	}
+ 
+ 	size += p->header->get_size(p->header);
++	if (p->errc)
++		return (unsigned int) -1;
+ 
+ 	size = DO_ALIGN(size);
++	if (size == 0 || p->count > (UINT_MAX - 4 - size) / 12) {
++		p->errc = 1;
++		return (unsigned int) -1;
++	}
+ 	size += 4 + p->count * 12;	/* Tag table length */
+ 	
+ 	/* Reset touched flag for each tag type */
+@@ -9337,8 +9605,13 @@ static unsigned int icc_get_size(
+ 	/* Get size for each tag type, skipping links */
+ 	for (i = 0; i < p->count; i++) {
+ 		if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */
++			unsigned int obj_size;
+ 			size = DO_ALIGN(size);
+-			size += p->data[i].objp->get_size(p->data[i].objp);
++			obj_size = p->data[i].objp->get_size(p->data[i].objp);
++			if (size == 0 || p->errc ||
++			    obj_size > UINT_MAX - size)
++				return (unsigned int) -1;
++			size += obj_size;
+ 			p->data[i].objp->touched = 1;	/* Don't account for this again */
+ 		}
+ 	}
+@@ -9373,9 +9646,19 @@ static int icc_write(
+ 	}
+ 
+ 	size += p->header->get_size(p->header);
++	if (p->errc)
++		return p->errc;
+ 
++	if (p->count > (UINT_MAX - 4 - len) / 12) {
++		sprintf(p->err,"icc_write: too many tags");
++		return p->errc = 1;
++	}
+ 	len = 4 + p->count * 12;	/* Tag table length */
+ 	size = DO_ALIGN(size);
++	if (size == 0 || size > UINT_MAX - len) {
++		sprintf(p->err,"icc_write: overflow writing tag table");
++		return p->errc = 1;
++	}
+ 	size += len;
+ 	
+ 	/* Allocate memory buffer for tag table */
+@@ -9406,6 +9689,12 @@ static int icc_write(
+ 			size = DO_ALIGN(size);
+ 			p->data[i].offset = size;			/* Profile relative target */
+ 			p->data[i].size = p->data[i].objp->get_size(p->data[i].objp);
++			if (size == 0 ||
++			    p->errc || p->data[i].size > UINT_MAX - size) {
++				sprintf(p->err,"icc_write: internal error - overflow?");
++				p->al->free(p->al, buf);
++				return p->errc;
++			}
+ 			size += p->data[i].size;
+ 			p->data[i].objp->touched = 1;	/* Allocated space for it */
+ 		} else { /* must be linked - copy allocation */
+@@ -9529,6 +9818,11 @@ static icmBase *icc_add_tag(
+ 	}
+ 
+ 	/* Make space in tag table for new tag item */
++	if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) {
++		sprintf(p->err,"icc_add_tag: overflow");
++		p->errc = 1;
++		return NULL;
++	}
+ 	if (p->data == NULL)
+ 		tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
+ 	else
+@@ -9612,6 +9906,11 @@ static icmBase *icc_link_tag(
+ 	}
+ 
+ 	/* Make space in tag table for new tag item */
++	if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) {
++		sprintf(p->err,"icc_link_tag: overflow");
++		p->errc = 1;
++		return NULL;
++	}
+ 	if (p->data == NULL)
+ 		tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
+ 	else

ghostscript-CVE-2009-0792.patch

@@ -0,0 +1,166 @@
+diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0792 ghostscript-8.63/icclib/icc.c
+--- ghostscript-8.63/icclib/icc.c.CVE-2009-0792	2009-04-15 16:48:05.000000000 +0100
++++ ghostscript-8.63/icclib/icc.c	2009-04-15 16:50:18.000000000 +0100
+@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Coordinate */
+-		if (ix > (p->size-2))
++		if (ix < 0 || ix > (p->size-2))
+ 			ix = (p->size-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = p->data[ix];
+@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
+ ) {
+ 	int i;
+ 
++	if (size > INT_MAX - 2)
++		/* Although rt->size is unsigned long, the rt data
++		 * structure uses int data types to store indices. */
++		return 2;
++
+ 	rt->size = size;		/* Stash pointers to these away */
+ 	rt->data = data;
+ 	
+@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
+ 	rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin);	/* Scale factor to quantize to */
+ 	
+ 	/* Initialize the reverse lookup structures, and get overall min/max */
+-	if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
++	if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
+ 		return 2;
+ 	}
+ 
+@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
+ 			int t;
+ 			t = s; s = e; e = t;
+ 		}
++		/* s and e should both be in the range [0,rt->rsize]
++		 * now, but let's not rely on floating point
++		 * calculations -- double-check. */
++		if (s < 0)
++			s = 0;
++		if (e < 0)
++			e = 0;
++		if (s >= rt->rsize)
++			s = rt->rsize-1;
+ 		if (e >= rt->rsize)
+ 			e = rt->rsize-1;
+ 
+@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
+ 				as = rt->rlists[j][0];	/* Allocate space for this list */
+ 				nf = rt->rlists[j][1];	/* Next free location in list */
+ 				if (nf >= as) {			/* need to expand space */
++					if (as > INT_MAX / 2 / sizeof (int))
++						return 2;
++
+ 					as *= 2;
+ 					rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+ 					if (rt->rlists[j] == NULL) {
+@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
+ 		val = rsize_1;
+ 	ix = (int)floor(val);		/* Coordinate */
+ 
+-	if (ix > (rt->size-2))
++	if (ix < 0 || ix > (rt->size-2))
+ 		ix = (rt->size-2);
+ 	if (rt->rlists[ix] != NULL)  {		/* There is a list of fwd candidates */
+ 		/* For each candidate forward range */
+@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
+ 	/* We have failed to find an exact value, so return the nearest value */
+ 	/* (This is slow !) */
+ 	val = fabs(ival - rt->data[0]);
++	/* rt->size is known to be < INT_MAX */
+ 	for (k = 0, i = 1; i < rt->size; i++) {
+ 		double er;
+ 		er = fabs(ival - rt->data[i]);
+@@ -3671,7 +3689,7 @@ static int icmData_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
++		if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
+ 			sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -3887,7 +3905,7 @@ static int icmText_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++		if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -4301,7 +4319,7 @@ double *in		/* Input array[inputChan] */
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Grid coordinate */
+-		if (ix > (p->inputEnt-2))
++		if (ix < 0 || ix > (p->inputEnt-2))
+ 			ix = (p->inputEnt-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = table[ix];
+@@ -4360,7 +4378,7 @@ double *in		/* Input array[outputChan] *
+ 				rv |= 1;
+ 			}
+ 			x = (int)floor(val);		/* Grid coordinate */
+-			if (x > clutPoints_2)
++			if (x < 0 || x > clutPoints_2)
+ 				x = clutPoints_2;
+ 			co[e] = val - (double)x;	/* 1.0 - weight */
+ 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
+@@ -4433,7 +4451,7 @@ double *in		/* Input array[outputChan] *
+ 				rv |= 1;
+ 			}
+ 			x = (int)floor(val);		/* Grid coordinate */
+-			if (x > clutPoints_2)
++			if (x < 0 || x > clutPoints_2)
+ 				x = clutPoints_2;
+ 			co[e] = val - (double)x;	/* 1.0 - weight */
+ 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
+@@ -4506,7 +4524,7 @@ double *in		/* Input array[outputChan] *
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Grid coordinate */
+-		if (ix > (p->outputEnt-2))
++		if (ix < 0 || ix > (p->outputEnt-2))
+ 			ix = (p->outputEnt-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = table[ix];
+@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->desc != NULL)
+ 			icp->al->free(icp->al, p->desc);
+-		if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++		if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->string != NULL)
+ 			icp->al->free(icp->al, p->string);
+-		if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++		if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
+ 	if (p->ppsize != p->_ppsize) {
+ 		if (p->ppname != NULL)
+ 			icp->al->free(icp->al, p->ppname);
+-		if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
++		if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
+ 		if (p->crdsize[t] != p->_crdsize[t]) {
+ 			if (p->crdname[t] != NULL)
+ 				icp->al->free(icp->al, p->crdname[t]);
+-			if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
++			if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
+ 				sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
+ 				return icp->errc = 2;
+ 			}

ghostscript-jbig2dec-nullderef.patch

@@ -0,0 +1,81 @@
+diff -up ghostscript-8.63/jbig2dec/jbig2_generic.c.jbig2dec-nullderef ghostscript-8.63/jbig2dec/jbig2_generic.c
+--- ghostscript-8.63/jbig2dec/jbig2_generic.c.jbig2dec-nullderef	2007-10-25 23:14:22.000000000 +0100
++++ ghostscript-8.63/jbig2dec/jbig2_generic.c	2009-06-04 12:19:28.538632743 +0100
+@@ -599,6 +599,10 @@ jbig2_immediate_generic_region(Jbig2Ctx 
+   memcpy (params.gbat, gbat, gbat_bytes);
+ 
+   image = jbig2_image_new(ctx, rsi.width, rsi.height);
++  if (image == NULL)
++    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++		       "failed to allocate buffer for image");
++
+   jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
+     "allocated %d x %d image buffer for region decode results",
+         rsi.width, rsi.height);
+diff -up ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef	2009-06-04 12:19:22.875757165 +0100
++++ ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c	2009-06-04 12:19:28.539632281 +0100
+@@ -370,6 +370,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 		  memcpy(region_params.gbat, params->sdat, sdat_bytes);
+ 
+ 		  image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
++		  if (image == NULL) {
++		      jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++				  "failed to allocate image storage");
++		      return NULL;
++		  }
+ 
+ 		  code = jbig2_decode_generic_region(ctx, segment, &region_params,
+ 						     as, image, GB_stats);
+@@ -520,6 +525,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 			ID, RDX, RDY);
+ 
+ 		      image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
++		      if (image == NULL) {
++			  jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++				      "failed to allocate image storage");
++			  return NULL;
++		      }
+ 
+ 		      /* Table 18 */
+ 		      rparams.GRTEMPLATE = params->SDRTEMPLATE;
+@@ -638,6 +648,16 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 	for (j = HCFIRSTSYM; j < NSYMSDECODED; j++) {
+ 	  Jbig2Image *glyph;
+ 	  glyph = jbig2_image_new(ctx, SDNEWSYMWIDTHS[j], HCHEIGHT);
++	  if (glyph == NULL) {
++	      jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++			  "error allocating image storage for glyph");
++	      while (--j >= HCFIRSTSYM) {
++		  jbig2_image_release(ctx, SDNEWSYMS->glyphs[j]);
++		  SDNEWSYMS->glyphs[j] = NULL;
++	      }
++	      jbig2_image_release(ctx, image);
++	      return NULL;
++	  }
+ 	  jbig2_image_compose(ctx, glyph, image, 
+ 		-x, 0, JBIG2_COMPOSE_REPLACE);
+ 	  x += SDNEWSYMWIDTHS[j];
+diff -up ghostscript-8.63/jbig2dec/jbig2_text.c.jbig2dec-nullderef ghostscript-8.63/jbig2dec/jbig2_text.c
+--- ghostscript-8.63/jbig2dec/jbig2_text.c.jbig2dec-nullderef	2008-05-09 15:00:44.000000000 +0100
++++ ghostscript-8.63/jbig2dec/jbig2_text.c	2009-06-04 12:19:28.549632768 +0100
+@@ -315,6 +315,9 @@ jbig2_decode_text_region(Jbig2Ctx *ctx, 
+ 		IBO = IB;
+ 		image = jbig2_image_new(ctx, IBO->width + RDW,
+ 					     IBO->height + RDH);
++		if (image == NULL)
++		    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++				       "could not allocate image storage");
+ 
+ 		/* Table 12 */
+ 		rparams.GRTEMPLATE = params->SBRTEMPLATE;
+@@ -676,6 +679,9 @@ jbig2_parse_text_region(Jbig2Ctx *ctx, J
+     }
+ 
+     image = jbig2_image_new(ctx, region_info.width, region_info.height);
++    if (image == NULL)
++	return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
++			   "unable to allocate image storage");
+ 
+     ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
+     if (!params.SBHUFF) {

ghostscript.spec

@@ -1,11 +1,11 @@
-%define gs_ver 8.62
-%define gs_dot_ver 8.62
+%define gs_ver 8.63
+%define gs_dot_ver 8.63
 %{expand: %%define build_with_freetype %{?_with_freetype:1}%{!?_with_freetype:0}}
 Summary: A PostScript(TM) interpreter and renderer.
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 3%{?dist}
+Release: 4%{?dist}
 
 License: GPLv2
 URL: http://www.ghostscript.com/
@@ -21,6 +21,11 @@ Patch4: ghostscript-fPIC.patch
 Patch5: ghostscript-runlibfileifexists.patch
 Patch6: ghostscript-system-jasper.patch
 Patch7: ghostscript-pksmraw.patch
+Patch8: ghostscript-CVE-2009-0583,0584.patch
+Patch9: ghostscript-CVE-2009-0792.patch
+Patch10: ghostscript-CVE-2009-0196.patch
+Patch11: ghostscript-CVE-2008-6679.patch
+Patch12: ghostscript-jbig2dec-nullderef.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@@ -93,9 +98,25 @@ rm -rf libpng zlib jpeg jasper
 
 %patch6 -p1 -b .system-jasper
 
-# Fix pksmraw output (bug #308211).
+# Fix pksmraw output (bug #308211).  Still needed in 8.63.
 %patch7 -p1 -b .pksmraw
 
+# Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584
+# (bug #487744).
+%patch8 -p1 -b .CVE-2009-0583,0584
+
+# Applied patch to fix CVE-2009-0792 (bug #491853).
+%patch9 -p1 -b .CVE-2009-0792
+
+# Applied patch to fix CVE-2009-0196 (bug #493379).
+%patch10 -p1 -b .CVE-2009-0196
+
+# Applied patch to fix CVE-2008-6679 (bug #493445).
+%patch11 -p1 -b .CVE-2008-6679
+
+# Applied patch to fix NULL dereference in jbig2dec (bug #503994).
+%patch12 -p1 -b .CVE-2008-6679
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -103,14 +124,18 @@ from8859_1() {
 }
 for i in man/de/*.1; do from8859_1 "$i"; done
 
-if [ -x autogen.sh ]; then
-  ./autogen.sh
-  pushd ijs
-  ./autogen.sh
-  popd
-fi
-
 %build
+# Compile without strict aliasing opts due to these files:
+# gdevescv.c gdevl4v.c gdevopvp.c gdevbbox.c gdevdbit.c gdevddrw.c 
+# gdevp14.c gdevpdfd.c gdevpdfi.c gdevpdfo.c gdevpdft.c gdevpdfv.c 
+# gdevpdte.c gdevpdtt.c gdevps.c gdevpx.c gscoord.c gscparam.c gscrd.c 
+# gsdps1.c gsimage.c gspath1.c gsptype1.c gsptype2.c gstype2.c 
+# gstype42.c gxccache.c gxchar.c gxclimag.c gxclpath.c gxfcopy.c 
+# gximag3x.c gximage3.c gxipixel.c gxshade1.c gxstroke.c gxtype1.c 
+# ibnum.c iscanbin.c zchar1.c zchar.c zcharx.c zfapi.c zfont32.c 
+# zfunc0.c zfunc3.c zfunc4.c zpcolor.c zshade.c
+EXTRACFLAGS="-fno-strict-aliasing"
+
 FONTPATH=
 for path in \
 	%{_datadir}/fonts/default/%{name} \
@@ -125,24 +150,25 @@ do
   FONTPATH="$FONTPATH${FONTPATH:+:}$path"
 done
 %configure --with-ijs --enable-dynamic --with-fontpath="$FONTPATH" \
-	--with-drivers=ALL --disable-compile-inits
+	--with-drivers=ALL --disable-compile-inits \
+	CFLAGS="$CFLAGS $EXTRACFLAGS"
 
 # Build IJS
 cd ijs
-automake --add-missing --copy || : # Ships with broken symlinks
+./autogen.sh
 %configure --enable-shared --enable-static
 make
 cd ..
 
 %if %{build_with_freetype}
 FT_CFLAGS=$(pkg-config --cflags freetype2)
-make so RPM_OPT_FLAGS="$RPM_OPT_FLAGS" prefix=%{_prefix} \
+make so RPM_OPT_FLAGS="$RPM_OPT_FLAGS $EXTRAFLAGS" prefix=%{_prefix} \
 	FT_BRIDGE=1 FT_CFLAGS="$FT_CFLAGS" FT_LIB=freetype
-make RPM_OPT_FLAGS="$RPM_OPT_FLAGS" prefix=%{_prefix} \
+make RPM_OPT_FLAGS="$RPM_OPT_FLAGS $EXTRAFLAGS" prefix=%{_prefix} \
 	FT_BRIDGE=1 FT_CFLAGS="$FT_CFLAGS" FT_LIB=freetype
 %else
-make so RPM_OPT_FLAGS="$RPM_OPT_FLAGS" prefix=%{_prefix}
-make RPM_OPT_FLAGS="$RPM_OPT_FLAGS" prefix=%{_prefix}
+make so RPM_OPT_FLAGS="$RPM_OPT_FLAGS $EXTRAFLAGS" prefix=%{_prefix}
+make RPM_OPT_FLAGS="$RPM_OPT_FLAGS $EXTRAFLAGS" prefix=%{_prefix}
 %endif
 
 %install
@@ -269,6 +295,29 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 
 %changelog
+* Thu Jun  4 2009 Tim Waugh <twaugh@redhat.com> 8.63-4
+- Applied patch to fix NULL dereference in jbig2dec (bug #503994).
+
+* Wed Apr 15 2009 Tim Waugh <twaugh@redhat.com> 8.63-3
+- Applied patch to fix CVE-2009-0792 (bug #491853).
+- Applied patch to fix CVE-2009-0196 (bug #493379).
+- Applied patch to fix CVE-2008-6679 (bug #493445).
+
+* Fri Mar 20 2009 Tim Waugh <twaugh@redhat.com> 8.63-2
+- Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584
+  (bug #487744).
+
+* Mon Aug  4 2008 Tim Waugh <twaugh@redhat.com> 8.63-1
+- 8.63.  No longer need r8591 or incomplete-ccittfax patches.
+- Compile without strict aliasing opts due to warnings across several
+  files.
+- Don't run autogen.sh for main package, just for ijs which doesn't
+  ship with a configure script.
+
+* Mon Jun 23 2008 Tim Waugh <twaugh@redhat.com> 8.62-4
+- Applied patch to work around bug #229174.
+- Applied patch from upstream to fix box_fill_path for shfill (bug #452348).
+
 * Mon Mar 31 2008 Tim Waugh <twaugh@redhat.com> 8.62-3
 - Fix pksmraw output (bug #308211).
 

sources

@@ -1,3 +1,3 @@
 2fbae60417d42779f6488ab897dcaaf6  acro5-cmaps-2001.tar.gz
 dfc93dd2aaaf2b86d2fd55f654c13261  adobe-cmaps-200406.tar.gz
-40d673a3c6e11d2bf14f972b84551104  ghostscript-8.62.tar.bz2
+c770eedfdd846a53e211e3ba5339de21  ghostscript-8.63.tar.bz2