-rw-r--r--doc/HISTORY7
-rw-r--r--editor/pnmcat.c16
2 files changed, 20 insertions, 3 deletions
diff --git a/doc/HISTORY b/doc/HISTORY
index 10ad691f..006b5d80 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -28,6 +28,13 @@ not yet  BJH  Release 10.41.00
               pnmcrop: fix -verbose message about background color with
               -white.
 
+              pbmmake: handle ridiculously large height, width arguments.
+
+              pnmcat: fix arithmetic overflow.
+
+              libnetpbm: Add arithmetic overflow protection to PBM
+              routines, like PGM/PPM/PNM have had for a long time.
+
               libnetpbm: make all row free operations go through
               pm_freerow(); change row buffer type from char * to void *
               for pm_allocrow(), pm_freerow().
diff --git a/editor/pnmcat.c b/editor/pnmcat.c
index 20dbf34d..cc86520f 100644
--- a/editor/pnmcat.c
+++ b/editor/pnmcat.c
@@ -155,7 +155,7 @@ computeOutputParms(unsigned int     const nfiles,
                    xelval *         const newmaxvalP,
                    int *            const newformatP) {
 
-    int newcols, newrows;
+    double newcols, newrows;
     int newformat;
     xelval newmaxval;
 
@@ -187,8 +187,18 @@ computeOutputParms(unsigned int     const nfiles,
             break;
 	    }
 	}
-    *newrowsP   = newrows;
-    *newcolsP   = newcols;
+
+    /* Note that while 'double' is not in general a precise numerical type,
+       in the case of a sum of integers which is less than INT_MAX, it
+       is exact, because double's precision is greater than int's.
+    */
+    if (newcols > INT_MAX)
+       pm_error("Output width too large: %.0f.", newcols);
+    if (newrows > INT_MAX)
+       pm_error("Output height too large: %.0f.", newrows);
+	
+    *newrowsP   = (int) newrows;
+    *newcolsP   = (int) newcols;
     *newmaxvalP = newmaxval;
     *newformatP = newformat;
 }
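Review bot: The new guards `if (newcols > INT_MAX)` and `if (newrows > INT_MAX)` still accept a width or height at or just below INT_MAX, which leaves no headroom for any size arithmetic done on these values after computeOutputParms returns. The row allocation and write paths are outside this hunk, so it is worth confirming they reject such dimensions themselves, or else bounding against a smaller limit here. The exactness comment also relies on an unstated assumption; I would spell it out, for example `/* exact provided int is no wider than double's 53-bit significand (true for 32-bit int) */`. The accumulation loop and the include list are outside the hunk, so please also check that `<limits.h>` is included for INT_MAX and that every addition into newcols/newrows is now done in double rather than in an int temporary.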