Fix arithmetic overflow

git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@3380 9d0c8265-081b-0410-96cb-a4ca84ce46f8
author: giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8> 2018-10-06 16:24:40 +0000
committer: giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8> 2018-10-06 16:24:40 +0000
commit: 813995a42b884fe725d0ce8dff52a18ed3dabe6e (patch)
tree: a4262876326d4231ab893aa54781c66f01888743 /converter/pbm
parent: 17dd3e9e54f615feaf5354609eddc64af4b4002e (diff)
download: netpbm-mirror-813995a42b884fe725d0ce8dff52a18ed3dabe6e.tar.gz
netpbm-mirror-813995a42b884fe725d0ce8dff52a18ed3dabe6e.tar.xz
netpbm-mirror-813995a42b884fe725d0ce8dff52a18ed3dabe6e.zip
1 files changed, 27 insertions, 7 deletions
diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c
index 370f1a92..ae36e0d2 100644
--- a/converter/pbm/pbmtoppa/pbm.c
+++ b/converter/pbm/pbmtoppa/pbm.c
@@ -11,6 +11,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #include "pm.h"
 #include "nstring.h"
@@ -41,7 +42,7 @@ make_pbm_stat(pbm_stat * const pbmStatP,
             pbmStatP->version=P4;
 
         if (pbmStatP->version == none) {
-            pm_message("pbm_readheader(): unknown PBM magic '%s'", line);
+            pm_message("unknown PBM magic '%s'", line);
             retval = 0;
         } else {
             do {
@@ -50,12 +51,31 @@ make_pbm_stat(pbm_stat * const pbmStatP,
                 if (rc == NULL)
                     return 0;
             } while (line[0] == '#');
-
-            if (sscanf (line, "%d %d", &pbmStatP->width, &pbmStatP->height)
-                != 2)
-                retval = 0;
-            else
-                retval = 1;
+            {
+                int rc;
+                rc = sscanf(line, "%d %d",
+                            &pbmStatP->width, &pbmStatP->height);
+                if (rc != 2)
+                    retval = 0;
+                else {
+                    if (pbmStatP->width < 0) {
+                        pm_message("Image has negative width");
+                        retval = 0;
+                    } else if (pbmStatP->width > INT_MAX/2) {
+                        pm_message("Uncomputeably large width: %d",
+                                   pbmStatP->width);
+                        retval = 0;
+                    } else if (pbmStatP->height < 0) {
+                        pm_message("Image has negative height");
+                        retval = 0;
+                    } else if (pbmStatP->height > INT_MAX/2) {
+                        pm_message("Uncomputeably large height: %d",
+                                   pbmStatP->height);
+                        retval = 0;
+                    } else
+                        retval = 1;
+                }
+            }
         }
     }
     return retval;
author	giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>	2018-10-06 16:24:40 +0000
committer	giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>	2018-10-06 16:24:40 +0000
commit	813995a42b884fe725d0ce8dff52a18ed3dabe6e (patch)
tree	a4262876326d4231ab893aa54781c66f01888743 /converter/pbm
parent	17dd3e9e54f615feaf5354609eddc64af4b4002e (diff)
download	netpbm-mirror-813995a42b884fe725d0ce8dff52a18ed3dabe6e.tar.gz netpbm-mirror-813995a42b884fe725d0ce8dff52a18ed3dabe6e.tar.xz netpbm-mirror-813995a42b884fe725d0ce8dff52a18ed3dabe6e.zip