From 7a7119c6fe19324ee17b8f756dae60c16e470ab2 Mon Sep 17 00:00:00 2001 From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Sat, 13 Dec 2014 22:14:04 +0000 Subject: Additional PNM sanity checks bug: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26682 git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17200 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 origin: http://trac.imagemagick.org/changeset/17200 and http://trac.imagemagick.org/changeset/17202 and http://trac.imagemagick.org/changeset/17237 diff --git a/coders/pnm.c b/coders/pnm.c index 3fe0dec..505a37f 100644 --- a/coders/pnm.c +++ b/coders/pnm.c @@ -181,12 +181,12 @@ static void PNMComment(Image *image) comment=DestroyString(comment); } -static size_t PNMInteger(Image *image,const unsigned int base) +static unsigned int PNMInteger(Image *image,const unsigned int base) { int c; - size_t + unsigned int value; /* @@ -201,14 +201,18 @@ static size_t PNMInteger(Image *image,const unsigned int base) PNMComment(image); } while (isdigit(c) == MagickFalse); if (base == 2) - return((size_t) (c-(int) '0')); + return((unsigned int) (c-(int) '0')); /* Evaluate number. */ value=0; do { + if (value > (unsigned int) (INT_MAX/10)) + break; value*=10; + if (value > (INT_MAX-c)) + break; value+=c-(int) '0'; c=ReadBlobByte(image); if (c == EOF) -- cgit v0.10.2