I am interested in using NETPBM to resize images "on-the-fly" for my dynamic web pages.
According to its documentation, Netpbm is full of arithmetic overflows.
As is common in C programming, many Netpbm programs were written with the assumption that inputs aren't such that they cause the program to attempt to compute values that cannot be represented in the data structure the program uses. For example, you might supply an input image that is 1 million columns wide by 1 million rows tall. The program might naively attempt to multiply those values together and represent the result in a 32 bit integer structure. Since the real product is too large to represent in 32 bits, the naive C code actually computes a different number, without recognizing any kind of error.
Such an overflow can cause an untold variety of program failures. A typical example is that the program uses the bogus number as the amount of storage that needs to be allocated for an array. It thus allocates too little storage for the array. A subsequent reference to an element in the array thus references arbitrary storage that has nothing to do with that array.
*This could conceivably be a security exposure.*
My question is this: what is the REAL risk of using this package? Could it be a memory hog? Could it make things slow over time? Could it open my system up to hackers? Or is this a theoretical problem that would have no practical implications for me?
Please explain the real risk of using a package with "arithmetic overflows"
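As an added illustration, not part of the original question or of Netpbm's own code, here is the wrapped width-by-height multiplication the documentation describes beside an overflow-checked allocation; MAX_IMAGE_BYTES is an assumed policy cap for a web resizer, and all function names are hypothetical:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Assumed policy cap for the resizer: refuse larger rasters outright. */
#define MAX_IMAGE_BYTES (256ULL * 1024 * 1024)

/* The pattern the documentation warns about: 32-bit unsigned arithmetic
   wraps modulo 2^32 and no error is raised. */
uint32_t naive_image_bytes(uint32_t cols, uint32_t rows, uint32_t bpp)
{
    return cols * rows * bpp;
}

/* a*b with an overflow check: returns 0 if the exact product exceeds limit. */
static int mul_within(uint64_t a, uint64_t b, uint64_t limit, uint64_t *out)
{
    if (a != 0 && b > limit / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Checked size: returns 1 and sets *out, or 0 if the true byte count would
   exceed limit (UINT32_MAX models a 32-bit build; a smaller value is a cap). */
int checked_image_bytes(uint32_t cols, uint32_t rows, uint32_t bpp,
                        uint64_t limit, uint64_t *out)
{
    uint64_t pixels;
    if (!mul_within(cols, rows, limit, &pixels))
        return 0;
    return mul_within(pixels, bpp, limit, out);
}

/* Allocate only after the dimensions pass the check; NULL means rejected. */
unsigned char *alloc_image(uint32_t cols, uint32_t rows, uint32_t bpp)
{
    uint64_t nbytes;
    if (!checked_image_bytes(cols, rows, bpp, MAX_IMAGE_BYTES, &nbytes))
        return NULL;
    return malloc((size_t)nbytes);
}

int main(void)
{
    uint64_t n;
    printf("naive: %u bytes\n", (unsigned)naive_image_bytes(1000000u, 1000000u, 3u));
    printf("checked: %s\n", checked_image_bytes(1000000u, 1000000u, 3u, UINT32_MAX, &n) ? "fits" : "rejected");
    return 0;
}
```

The naive call reports a few gigabytes less than the true 3 TB, which is exactly the under-sized buffer the documentation describes; the checked version refuses the same dimensions before any allocation happens.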