From 1521736d42c031d6e2f48a1ba0f22d694400118d Mon Sep 17 00:00:00 2001
From: giraffedata
Date: Sat, 6 Nov 2021 00:56:52 +0000
Subject: Add comment
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@4169 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 lib/pbm.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'lib/pbm.h')
diff --git a/lib/pbm.h b/lib/pbm.h
index 27fd1163..57ab3812 100644
--- a/lib/pbm.h
+++ b/lib/pbm.h
@@ -47,6 +47,19 @@ pbm_allocrow(unsigned int const cols);
 ((bit**) pm_allocarray(cols, rows, sizeof(bit)))
 #define pbm_freearray(bits, rows) pm_freearray((char**) bits, rows)
 #define pbm_freerow(bitrow) pm_freerow((char*) bitrow)
+
+/* Beware of arithmetic overflows when using pbm_packed_bytes(),
+ pbm_allocrow_packed() and pbm_allocarray_packed().
+
+ When cols is signed int, pbm_packed_bytes(cols + 8) overflows
+ with large values. Same with pamP->width which is always signed int.
+
+ Function validateComputableSize() called by pbm_readpbminit()
+ provides a margin of 10, but the "+7" uses much of it.
+
+ To prevent overflows, cast cols or pamP->width to unsigned int
+ like this: pbm_packed_bytes((unsigned int) cols +8))
+*/
 #define pbm_packed_bytes(cols) (((cols)+7)/8)
 #define pbm_allocrow_packed(cols) \
 ((unsigned char *) pm_allocrow(pbm_packed_bytes(cols), \
--
cgit 1.4.1
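Review bot: The usage example that closes the added comment, `pbm_packed_bytes((unsigned int) cols +8))`, has one closing parenthesis too many, so a caller who copies it gets a syntax error; `pbm_packed_bytes((unsigned int) cols + 8)` is presumably what was meant. The comment would also be safer if it said that the cast only replaces signed overflow (undefined behaviour) with unsigned wraparound. It therefore relies on cols being non-negative and already range-checked, since a negative cols cast to unsigned int gives a very large byte count rather than an error. It may be worth adding a line such as `Only cast values already validated as non-negative, e.g. by pbm_readpbminit().` The definition of pbm_allocrow_packed continues past the end of the hunk, so how the byte count is consumed there is not visible.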