bug-gnu-emacs

bug#72245: [PATCH] Fix integer overflow when reading XPM


From: Po Lu
Subject: bug#72245: [PATCH] Fix integer overflow when reading XPM
Date: Tue, 23 Jul 2024 11:41:01 +0800
User-agent: Gnus/5.13 (Gnus v5.13)

Stefan Kangas <stefankangas@gmail.com> writes:

> Po Lu <luangruo@yahoo.com> writes:
>
>> Stefan Kangas <stefankangas@gmail.com> writes:
>>
>>> Severity: minor
>>>
>>> Since XPM files are untrusted input, I think we'd better handle integer
>>> overflow when parsing it, in case the file is malformed.
>>>
>>> Proposed patch attached.
>>
>> What are the security implications of accepting whatever scanf produces
>> in the event of an overflow?
>
> There is a good summary here:
>
>     https://cwe.mitre.org/data/definitions/190.html

I'm asking which component of xpm_load_image is not adequately prepared
to reject excessive values of these image dimension fields, for the
immediately adjacent statements verify that width, height, num_colors,
and chars_per_pixel are not invalid.  Otherwise I can find no reason to
substantially reinvent the wheel and complicate image.c with a pedantic
10-line function for reading numbers with overflow checking,
implementations of which already abound in that file in one shape or
another.
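
An added illustration, not part of this message and not code from Emacs's image.c: the two layers discussed in the thread, shown side by side for the four fields named above. Conversion uses `strtol`, which reports an unrepresentable value through `ERANGE` (the C standard leaves scanf-family behaviour undefined in that case), followed by semantic validation. The `struct xpm_header` type, the function names and the specific limits are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical container for the header fields named in the thread. */
struct xpm_header { int width, height, num_colors, chars_per_pixel; };

/* Layer 1: convert one decimal field at *s and advance *s past it.
   Returns 0 on success, -1 on missing digits or a value outside [0, INT_MAX]. */
static int parse_int(const char **s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(*s, &end, 10);      /* skips leading whitespace itself */
    if (end == *s)
        return -1;                      /* no digits consumed */
    if (errno == ERANGE || v < 0 || v > INT_MAX)
        return -1;                      /* overflowed long, or does not fit int */
    *out = (int) v;
    *s = end;
    return 0;
}

/* Parse an XPM values line: "width height num_colors chars_per_pixel".
   Trailing fields (hotspot, extensions) are ignored in this sketch. */
int parse_xpm_values(const char *line, struct xpm_header *h)
{
    const char *p = line;
    if (parse_int(&p, &h->width) || parse_int(&p, &h->height)
        || parse_int(&p, &h->num_colors) || parse_int(&p, &h->chars_per_pixel))
        return -1;
    /* Layer 2: semantic validation (limits here are assumed, not Emacs's). */
    if (h->width <= 0 || h->height <= 0
        || h->num_colors <= 0 || h->chars_per_pixel <= 0)
        return -1;
    if (h->width > INT_MAX / h->height) /* width * height must fit in int */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real XPM file. */
    const char *samples[] = { "16 32 4 1", "99999999999999999999999 32 4 1" };
    struct xpm_header h;
    for (int i = 0; i < 2; i++)
        printf("%-32s -> %d\n", samples[i], parse_xpm_values(samples[i], &h));
    return 0;
}
```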



