From 42efa67c47521596088768d82f5665b15d03d6bf Mon Sep 17 00:00:00 2001
From: giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>
Date: Sun, 7 Nov 2021 01:33:26 +0000
Subject: fix arithmetic overflows

git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@4177 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 lib/libpbm2.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lib/libpbm2.c')

diff --git a/lib/libpbm2.c b/lib/libpbm2.c
index 1ad93534..2a2e2aac 100644
--- a/lib/libpbm2.c
+++ b/lib/libpbm2.c
@@ -216,6 +216,9 @@ pbm_readpbmrow_bitoffset(FILE *          const ifP,
    Read it into packedBits[], preserving surrounding image data.
 
    Logic not tested for negative offsets.
+
+   Because we are reading in packed mode large cols and offset values are
+   acceptable; dividing by 8 prevents overflows.
 -----------------------------------------------------------------------------*/
     unsigned int const rsh = offset % 8;
     unsigned int const lsh = (8 - rsh) % 8;
@@ -224,13 +227,15 @@ pbm_readpbmrow_bitoffset(FILE *          const ifP,
            Aligned to nearest byte boundary to the left, so the first
            few bits might contain original data, not output.
         */
-    unsigned int const last = pbm_packed_bytes(cols+rsh) - 1;
+    unsigned int const last = pbm_packed_bytes((unsigned int)cols + rsh) - 1;
         /* Position within window of rightmost byte after shift */
 
     /* The original leftmost and rightmost chars. */
     unsigned char const origHead = window[0];
     unsigned char const origEnd  = window[last];
 
+    assert(cols > 0 && pbm_packed_bytes(cols) > 0);
+
     pbm_readpbmrow_packed(ifP, window, cols, format);
 
     if (rsh > 0) {
-- 
cgit 1.4.1