From 6f46bc6bc1154208cc4b2122669b259f1259f25a Mon Sep 17 00:00:00 2001
From: giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>
Date: Sat, 21 Oct 2023 20:13:26 +0000
Subject: Fix arithmetic overflow

git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@4772 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 doc/HISTORY     | 3 +++
 lib/libpammap.c | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/doc/HISTORY b/doc/HISTORY
index 16d540ba..9269ef8e 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -23,6 +23,9 @@ not yet  BJH  Release 11.05.00
               ppmdither: fix buffer overrun with insanely large dithering
               matrix.
 
+              libnetpbm, programs that use color maps: fix buffer overrun
+              with insanely deep images.
+
               Build: Fix compile error on systems without 'asprintf'.
               Introduced in Netpbm 11.04 (September 2023).
 
diff --git a/lib/libpammap.c b/lib/libpammap.c
index 569156fe..a0e7fb55 100644
--- a/lib/libpammap.c
+++ b/lib/libpammap.c
@@ -102,12 +102,15 @@ static struct tupleint_list_item *
 allocTupleIntListItem(struct pam * const pamP) {
 
 
-    /* This is complicated by the fact that the last element of a
-       tupleint_list_item is of variable length, because the last element
+    /* This is complicated by the fact that the last member of a
+       tupleint_list_item is of variable length, because the last member
        of _it_ is of variable length
     */
     struct tupleint_list_item * retval;
 
+    if (pamP->depth > (UINT_MAX - sizeof(*retval)) / sizeof(sample))
+        pm_error("Depth %u is too large for computation", pamP->depth);
+
     unsigned int const size =
         sizeof(*retval) - sizeof(retval->tupleint.tuple)
         + pamP->depth * sizeof(sample);
-- 
cgit 1.4.1