From b839a7b0c628446113d53c19d6bff8140fc59c66 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Wed, 8 Jun 2005 20:57:16 +0000
Subject: [PATCH] Check for overflow. (#306394, Morten Welinder)

2005-06-08  Matthias Clasen  <mclasen@redhat.com>

	* io-pnm.c (pnm_read_next_value): Check for overflow.
	(#306394, Morten Welinder)
---
 gdk-pixbuf/ChangeLog | 5 +++++
 gdk-pixbuf/io-pnm.c  | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 2a0d75a8fd..8972c30d9f 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2005-06-08  Matthias Clasen  <mclasen@redhat.com>
+
+	* io-pnm.c (pnm_read_next_value): Check for overflow.
+	(#306394, Morten Welinder)
+
 2005-05-27  Matthias Clasen  <mclasen@redhat.com>
 
 	* io-bmp.c: Accept the 108 byte header of BMP v4.  (#168799)
diff --git a/gdk-pixbuf/io-pnm.c b/gdk-pixbuf/io-pnm.c
index b568b4bccc..81e50a7f79 100644
--- a/gdk-pixbuf/io-pnm.c
+++ b/gdk-pixbuf/io-pnm.c
@@ -245,7 +245,7 @@ pnm_read_next_value (PnmIOBuffer *inbuf, gint max_length, guint *value, GError *
 	
 	/* get the value */
 	result = strtol (buf, &endptr, 10);
-	if (*endptr != '\0' || result < 0) {
+	if (*endptr != '\0' || result < 0 || result > G_MAXUINT) {
 		g_set_error (error,
 			     GDK_PIXBUF_ERROR,
 			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
-- 
2.30.2