michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0

Stack buffer overflow in image_load_bmp() #453

Closed 00xc closed 2 years ago

00xc commented 2 years ago

In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.

static int                         /* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,       /* I - Image to load into */
               FILE    *fp,        /* I - File to read from */
               int     gray,       /* I - Grayscale image? */
               int     load_data)  /* I - 1 = load image data, 0 = just info */
{
  ...
  uchar     colormap[256][4];
  ...
  colors_used      = read_dword(fp);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}

A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: ./htmldoc --webpage -f out.pdf ./poc.html

poc.zip
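The pattern in the report is a count taken from the file (biClrUsed, at offset 46 of a BMP with a standard BITMAPINFOHEADER) and passed straight to `fread()` as the size of a copy into a 1024-byte stack array. The example below is an added illustration and is not htmldoc's code or the fix in commit 27d0898 (whose diff is not shown here): it parses the same header fields from an in-memory buffer instead of a `FILE*`, builds constructed BMP prefixes with arbitrary biClrUsed values, and rejects any count that does not fit the fixed `colormap[256][4]` before copying. The `colors_used == 0` handling follows the BMP convention that zero means "all 2^biBitCount entries"; the helper names (`load_bmp_palette`, `make_bmp`, `try_load_crafted`) are this example's own.

```c
/* Added example (not htmldoc code): bounds-checked BMP palette loading.
 * Parses a BITMAPINFOHEADER from an in-memory buffer instead of a FILE*,
 * a simplification of htmldoc's read_dword()/fread() flow. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_HEADER_LEN 54   /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define BMP_MAX_COLORS 256  /* size of the fixed colormap[256][4] in the report */

typedef struct {
    uint32_t      colors_used;
    unsigned char colormap[BMP_MAX_COLORS][4];  /* same fixed-size table as in the issue */
} bmp_palette_t;

/* Little-endian helpers; BMP header fields are always little-endian. */
static uint32_t rd_dword(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_word(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr_dword(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static void wr_word(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

/* Hardened counterpart of fread(colormap, colors_used, 4, fp).
 * Returns 0 on success, -1 on a malformed or hostile header. */
int load_bmp_palette(const unsigned char *buf, size_t len, bmp_palette_t *out)
{
    if (len < BMP_HEADER_LEN || buf[0] != 'B' || buf[1] != 'M')
        return -1;

    uint16_t bits        = rd_word(buf + 28);   /* biBitCount */
    uint32_t colors_used = rd_dword(buf + 46);  /* biClrUsed: the attacker-controlled count */

    /* BMP convention: biClrUsed == 0 means "all 2^biBitCount entries" for paletted depths. */
    if (colors_used == 0 && bits != 0 && bits <= 8)
        colors_used = 1u << bits;

    /* The check the vulnerable code lacks: the count must fit the fixed table. */
    if (colors_used > BMP_MAX_COLORS)
        return -1;

    size_t need = (size_t)colors_used * 4;  /* cannot overflow: colors_used <= 256 here */
    if (len - BMP_HEADER_LEN < need)        /* palette truncated: refuse rather than read garbage */
        return -1;

    memset(out->colormap, 0, sizeof out->colormap);
    memcpy(out->colormap, buf + BMP_HEADER_LEN, need);
    out->colors_used = colors_used;
    return 0;
}

/* Builds a constructed (not real) BMP prefix: file header, info header with the given
 * biClrUsed/biBitCount, and `entries` palette entries of the form {i, i, i, 0}.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t make_bmp(unsigned char *buf, size_t cap, uint32_t colors_used, uint16_t bits, uint32_t entries)
{
    size_t total = BMP_HEADER_LEN + (size_t)entries * 4;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'B'; buf[1] = 'M';
    wr_dword(buf + 2, (uint32_t)total);   /* bfSize */
    wr_dword(buf + 10, (uint32_t)total);  /* bfOffBits: pixel data would follow the palette */
    wr_dword(buf + 14, 40);               /* biSize */
    wr_dword(buf + 18, 1);                /* biWidth */
    wr_dword(buf + 22, 1);                /* biHeight */
    wr_word(buf + 26, 1);                 /* biPlanes */
    wr_word(buf + 28, bits);              /* biBitCount */
    wr_dword(buf + 46, colors_used);      /* biClrUsed */
    for (uint32_t i = 0; i < entries; i++) {
        unsigned char *e = buf + BMP_HEADER_LEN + (size_t)i * 4;
        e[0] = e[1] = e[2] = (unsigned char)i;
    }
    return total;
}

/* Crafts a header with the given fields and runs the hardened loader on it.
 * Returns the accepted palette size, or -1 if the loader rejected the input. */
long try_load_crafted(uint32_t colors_used, uint16_t bits, uint32_t entries)
{
    unsigned char buf[BMP_HEADER_LEN + BMP_MAX_COLORS * 4];
    bmp_palette_t pal;
    size_t n = make_bmp(buf, sizeof buf, colors_used, bits, entries);
    if (n == 0 || load_bmp_palette(buf, n, &pal) != 0)
        return -1;
    return (long)pal.colors_used;
}

int main(void)
{
    printf("honest 16-colour palette: %ld\n", try_load_crafted(16, 8, 16));          /* 16 */
    printf("biClrUsed = 0x7fffffff:   %ld\n", try_load_crafted(0x7fffffffu, 8, 0));  /* -1 */
    printf("biClrUsed = 257:          %ld\n", try_load_crafted(257, 8, 0));          /* -1 */
    return 0;
}
```

The `need` computation is safe only because the `> BMP_MAX_COLORS` test runs first; with an unchecked 32-bit count, `colors_used * 4` can also wrap on 32-bit targets, so the order of the two checks matters. The truncation check is a separate concern from the overflow: without it, a short file leaves part of the table uninitialised, which is why the table is zeroed before the copy.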

michaelrsweet commented 2 years ago

[master 27d0898] Fix potential BMP stack overflow (Issue #453)

00xc commented 2 years ago

I have requested a CVE for this issue.

00xc commented 2 years ago

This issue has been assigned CVE-2021-43579.