Potential Integer Overflow vulnerability
Hello,
here is the forwarded bug from Debian[1]:
Dear Maintainer,
It seems that there is a potential integer overflow in src/preview.c. In lines 1020 - 1022,
if (fscanf (in, "P6\n# surface: %g %g %g %g %u %u\n%d %d\n255%*[\n]", psurface + 0, psurface + 1, psurface + 2, psurface + 3, &psurface_type, &psurface_unit, &width, &height) != 8)
width and height are read from an external source.
In line 1037,
p->image_data = malloc (3 * width * height);
width and height are multiplied. If width and height are large enough, this multiplication may cause an integer overflow and allocate an unwanted value.
CU Jörg
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993580
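
The size calculation from the report above next to a checked alternative, as an added example that is not part of the original report or the project's code. The helper names, the constructed header and the 1 GiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: the low 32 bits of 3 * width * height, i.e. what a
   wrapping 32-bit multiplication leaves behind. Computed in unsigned
   arithmetic because signed overflow is undefined behaviour in C. */
static uint32_t wrapped_32bit_size(int width, int height)
{
    return (uint32_t)3 * (uint32_t)width * (uint32_t)height;
}

/* Hypothetical helper: computes 3 * width * height in size_t and rejects
   non-positive dimensions and any result above max_bytes.
   Returns 0 on success, -1 on rejection. */
static int rgb_buffer_size(int width, int height, size_t max_bytes, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;
    size_t w = (size_t)width, h = (size_t)height;
    /* Divide instead of multiplying so the check itself cannot overflow. */
    if (w > max_bytes / 3 || h > max_bytes / (3 * w))
        return -1;
    *out = 3 * w * h;
    return 0;
}

/* Parses a header with the format string quoted in the report, then
   validates the dimensions before any allocation would take place. */
static int parse_header_size(const char *hdr, size_t max_bytes, size_t *out)
{
    float s[4];
    unsigned int type, unit;
    int width, height;
    if (sscanf(hdr, "P6\n# surface: %g %g %g %g %u %u\n%d %d\n255%*[\n]",
               s, s + 1, s + 2, s + 3, &type, &unit, &width, &height) != 8)
        return -1;
    return rgb_buffer_size(width, height, max_bytes, out);
}

int main(void)
{
    const size_t cap = (size_t)1 << 30;   /* assumed 1 GiB limit */
    size_t n = 0;
    /* Constructed header, not taken from a real preview file. */
    const char *hdr = "P6\n# surface: 0 0 10 10 0 1\n640 480\n255\n";
    printf("parsed: rc=%d size=%zu\n", parse_header_size(hdr, cap, &n), n);
    printf("40000x40000 wraps to %u bytes\n", (unsigned)wrapped_32bit_size(40000, 40000));
    printf("checked: rc=%d\n", rgb_buffer_size(40000, 40000, cap, &n));
    return 0;
}
```

For a 40000 x 40000 image the true size is 4,800,000,000 bytes, while the wrapped 32-bit value is far smaller, so a buffer sized from it would be too short for the pixel data that follows.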