From 813995a42b884fe725d0ce8dff52a18ed3dabe6e Mon Sep 17 00:00:00 2001
From: giraffedata
Date: Sat, 6 Oct 2018 16:24:40 +0000
Subject: Fix arithmetic overflow
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@3380 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 converter/pbm/pbmtoppa/pbm.c | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/converter/pbm/pbmtoppa/pbm.c b/converter/pbm/pbmtoppa/pbm.c
index 370f1a92..ae36e0d2 100644
--- a/converter/pbm/pbmtoppa/pbm.c
+++ b/converter/pbm/pbmtoppa/pbm.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include "pm.h"
 #include "nstring.h"
@@ -41,7 +42,7 @@ make_pbm_stat(pbm_stat * const pbmStatP,
 pbmStatP->version=P4;
 if (pbmStatP->version == none) {
- pm_message("pbm_readheader(): unknown PBM magic '%s'", line);
+ pm_message("unknown PBM magic '%s'", line);
 retval = 0;
 } else {
 do {
@@ -50,12 +51,31 @@ make_pbm_stat(pbm_stat * const pbmStatP,
 if (rc == NULL)
 return 0;
 } while (line[0] == '#');
-
- if (sscanf (line, "%d %d", &pbmStatP->width, &pbmStatP->height)
- != 2)
- retval = 0;
- else
- retval = 1;
+ {
+ int rc;
+ rc = sscanf(line, "%d %d",
+ &pbmStatP->width, &pbmStatP->height);
+ if (rc != 2)
+ retval = 0;
+ else {
+ if (pbmStatP->width < 0) {
+ pm_message("Image has negative width");
+ retval = 0;
+ } else if (pbmStatP->width > INT_MAX/2) {
+ pm_message("Uncomputeably large width: %d",
+ pbmStatP->width);
+ retval = 0;
+ } else if (pbmStatP->height < 0) {
+ pm_message("Image has negative height");
+ retval = 0;
+ } else if (pbmStatP->height > INT_MAX/2) {
+ pm_message("Uncomputeably large height: %d",
+ pbmStatP->height);
+ retval = 0;
+ } else
+ retval = 1;
+ }
+ }
 }
 }
 return retval;
--
cgit 1.4.1
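Review bot: In the third hunk, the new range checks run on whatever `sscanf(line, "%d %d", ...)` stored, and a `%d` conversion of a number too large for `int` has undefined behaviour in C. In practice it may store a wrapped value that falls inside 0..INT_MAX/2 and passes every check. Parsing with `strtol`, rejecting `ERANGE` and anything outside `int` before storing, closes that gap; it needs `<errno.h>` and `<stdlib.h>`, and the include list is not readable on this page. The per-dimension INT_MAX/2 bound also does not limit the product of width and height, so size arithmetic elsewhere that multiplies them still wants its own check. The body of `make_pbm_stat` starts and ends outside this hunk.

```c
char * afterWidth;
char * afterHeight;
long width, height;

errno = 0;
width  = strtol(line, &afterWidth, 10);
height = strtol(afterWidth, &afterHeight, 10);
if (afterWidth == line || afterHeight == afterWidth || errno == ERANGE
    || width  < INT_MIN || width  > INT_MAX
    || height < INT_MIN || height > INT_MAX)
    retval = 0;   /* missing field, or value not representable as int */
else {
    pbmStatP->width  = (int)width;
    pbmStatP->height = (int)height;
    /* … unchanged: negative and INT_MAX/2 checks on width and height … */
}
```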