From 8824afbbee638a87d9d05d50b6d4597a46f53fce Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 15 Dec 2014 01:32:48 +0000
Subject: [PATCH] Robustify xmp and pnm reader

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17240 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17245 and http://trac.imagemagick.org/changeset/17240 and  http://trac.imagemagick.org/changeset/17248
---
 coders/pnm.c |  8 +++-----
 coders/xbm.c | 48 +++++++++++++++++++++++++++---------------------
 2 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/coders/pnm.c b/coders/pnm.c
index 2989393..e5922a2 100644
--- a/coders/pnm.c
+++ b/coders/pnm.c
@@ -209,7 +209,7 @@ static unsigned int PNMInteger(Image *image,const unsigned int base)
       return(0);
     if (c == (int) '#')
       PNMComment(image);
-  } while (isdigit(c) == MagickFalse);
+  } while (isdigit(c) == 0);
   if (base == 2)
     return((unsigned long) (c-(int) '0'));
   /*
@@ -221,13 +221,11 @@ static unsigned int PNMInteger(Image *image,const unsigned int base)
     if (value > (unsigned int) (INT_MAX/10))
       break;
     value*=10;
-    if (value > (INT_MAX-c))
+    if (value > (INT_MAX-(c-(int) '0')))
       break;
     value+=c-(int) '0';
     c=ReadBlobByte(image);
-    if (c == EOF)
-      return(value);
-  } while (isdigit(c) != MagickFalse);
+  } while (isdigit(c) != 0);
   return(value);
 }
 
diff --git a/coders/xbm.c b/coders/xbm.c
index 999fa9a..692eb2c 100644
--- a/coders/xbm.c
+++ b/coders/xbm.c
@@ -127,33 +127,38 @@ static MagickBooleanType IsXBM(const unsigned char *magick,const size_t length)
 %
 */
 
-static int XBMInteger(Image *image,short int *hex_digits)
-{
+static unsigned int XBMInteger(Image *image,short int *hex_digits)
+{ 
   int
-    c,
-    flag,
+    c;
+  
+  unsigned int
     value;
-
-  value=0;
-  flag=0;
-  for ( ; ; )
-  {
+  
+  /*
+    Skip any leading whitespace.
+  */
+  do
+  { 
     c=ReadBlobByte(image);
     if (c == EOF)
-      {
-        value=(-1);
-        break;
-      }
+      return(0);
+  } while (hex_digits[c] < 0);
+  /*
+    Evaluate number.
+  */
+  value=0;
+  do
+  { 
+    if (value > (unsigned int) (INT_MAX/10))
+      break;
+    value*=16;
     c&=0xff;
-    if (isxdigit(c) != MagickFalse)
-      {
-        value=(int) ((unsigned long) value << 4)+hex_digits[c];
-        flag++;
-        continue;
-      }
-    if ((hex_digits[c]) < 0 && (flag != 0))
+    if (value > (INT_MAX-hex_digits[c]))
       break;
-  }
+    value+=hex_digits[c];
+    c=ReadBlobByte(image);
+  } while (hex_digits[c] >= 0);
   return(value);
 }
 
@@ -188,6 +193,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
   short int
     hex_digits[256];
 
+
   size_t
     length;
 
-- 
2.1.4