This is Debian bug https://bugs.debian.org/406371 reported by Aravind Sundaresan.
The affected code seems to be still present. He attached a diff to the bug report but unfortunately no test case.
I find that the loader_pnm.c file in the source package has bugs which
manifest themselves while reading ascii PNM files. To be specific the
data is read using a char buffer and fgets(). When the buffer ends in
the middle of a number which is more than 1 character long, the parser
splits that number into two.
I have corrected two instances f this mistake in loader_pnm.c.mine
I have attached the output of
This is an important bug as applications like feh use this to load
images and PNM format images are used extensively in research.