From 42efa67c47521596088768d82f5665b15d03d6bf Mon Sep 17 00:00:00 2001 From: giraffedata Date: Sun, 7 Nov 2021 01:33:26 +0000 Subject: fix arithmetic overflows git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@4177 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- lib/libpbm2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'lib/libpbm2.c') diff --git a/lib/libpbm2.c b/lib/libpbm2.c index 1ad93534..2a2e2aac 100644 --- a/lib/libpbm2.c +++ b/lib/libpbm2.c @@ -216,6 +216,9 @@ pbm_readpbmrow_bitoffset(FILE * const ifP, Read it into packedBits[], preserving surrounding image data. Logic not tested for negative offsets. + + Because we are reading in packed mode large cols and offset values are + acceptable; dividing by 8 prevents overflows. -----------------------------------------------------------------------------*/ unsigned int const rsh = offset % 8; unsigned int const lsh = (8 - rsh) % 8; @@ -224,13 +227,15 @@ pbm_readpbmrow_bitoffset(FILE * const ifP, Aligned to nearest byte boundary to the left, so the first few bits might contain original data, not output. */ - unsigned int const last = pbm_packed_bytes(cols+rsh) - 1; + unsigned int const last = pbm_packed_bytes((unsigned int)cols + rsh) - 1; /* Position within window of rightmost byte after shift */ /* The original leftmost and rightmost chars. */ unsigned char const origHead = window[0]; unsigned char const origEnd = window[last]; + assert(cols > 0 && pbm_packed_bytes(cols) > 0); + pbm_readpbmrow_packed(ifP, window, cols, format); if (rsh > 0) { -- cgit 1.4.1