From 1e7ad88b856b009dcfdbdc773a80d8dc3263949d Mon Sep 17 00:00:00 2001
From: Pascal Massimino
Date: Wed, 1 Feb 2017 15:03:11 +0100
Subject: [PATCH] PNM header decoder: add some basic numerical validation see spec: http://netpbm.sourceforge.net/doc/ppm.html
Change-Id: I55e01f8cec79f9124e72d5f3d05be4ad0deae315
---
 imageio/pnmdec.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/imageio/pnmdec.c b/imageio/pnmdec.c
index dcb7b37d..830f194d 100644
--- a/imageio/pnmdec.c
+++ b/imageio/pnmdec.c
@@ -63,6 +63,12 @@ static size_t ReadHeader(const uint8_t* const data, size_t data_size,
 if (off == 0 || sscanf(out, "%d %d", width, height) != 2) return 0;
 off = ReadLine(data, off, data_size, out, &out_size);
 if (off == 0 || sscanf(out, "%d", max_value) != 1) return 0;
+ // perform some basic numerical validation
+ if (*width <= 0 || *height <= 0 ||
+ *type <= 0 || *type >= 9 ||
+ *max_value <= 0 || *max_value >= 65536) {
+ return 0;
+ }
 return off;
 }
@@ -86,8 +92,7 @@ int ReadPNM(const uint8_t* const data, size_t data_size,
 // Some basic validations.
 if (pic == NULL) goto End;
- if (width <= 0 || height <= 0 ||
- width > WEBP_MAX_DIMENSION || height > WEBP_MAX_DIMENSION) {
+ if (width > WEBP_MAX_DIMENSION || height > WEBP_MAX_DIMENSION) {
 fprintf(stderr, "Invalid %dx%d dimension for PNM\n", width, height);
 goto End;
 }
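Review bot: The added range test in ReadHeader runs on ints produced by the `sscanf(out, "%d ...")` calls in the context lines just above it, and the C standard leaves that conversion undefined when the digits do not fit in an int. An oversized width, height or maxval in an untrusted header is therefore not reliably caught by `*width <= 0` or `*max_value >= 65536`. Parsing with `strtol` and rejecting `ERANGE` or out-of-int results before the range test closes that gap; the sketch below needs `<errno.h>`, `<limits.h>` and `<stdlib.h>` if the file does not already include them. The bounds `9` and `65536` would also read better as named constants next to the spec link. ReadHeader starts outside the hunk, so how `*type` is parsed is not visible here.

```c
// Reads one decimal int at 'str'. Returns the position after it, or NULL if
// 'str' is NULL, holds no digits, or the value does not fit in an int.
static const char* ParseInt(const char* const str, int* const value) {
  char* end = NULL;
  long v;
  if (str == NULL) return NULL;
  errno = 0;
  v = strtol(str, &end, 10);
  if (end == str || errno == ERANGE || v < INT_MIN || v > INT_MAX) return NULL;
  *value = (int)v;
  return end;
}

// … unchanged: ReadHeader() signature and the lines before the hunk …
  if (off == 0 || ParseInt(ParseInt(out, width), height) == NULL) return 0;
  off = ReadLine(data, off, data_size, out, &out_size);
  if (off == 0 || ParseInt(out, max_value) == NULL) return 0;
// … unchanged: range validation and return off …
```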
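Review bot: Dropping `width <= 0 || height <= 0` from the check in ReadPNM leaves the lower bound to ReadHeader while the upper bound stays local, and nothing at this site records that dependency. A one-line comment above the remaining test, such as `// width and height are > 0 here: ReadHeader() rejects other values.`, would make a later change to ReadHeader less likely to remove the guard unnoticed. Non-positive dimensions also no longer reach this `fprintf`, and both ends of ReadPNM are outside the hunk, so it is worth confirming that the ReadHeader failure path still prints a diagnostic.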