Fix BMP crash bug (Issue #444)
michaelrsweet committed Sep 11, 2021
1 parent 30ce445 commit f12b966
Showing 2 changed files with 6 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
Expand Up @@ -5,6 +5,7 @@
(Issue #433)
- Fixed a crash bug when a HTML comment contains an invalid nul character
(Issue #439)
- Fixed a crash bug with bogus BMP images (Issue #444)


# Changes in HTMLDOC v1.9.12
7 changes: 5 additions & 2 deletions htmldoc/image.cxx
Expand Up @@ -915,6 +915,9 @@ image_load_bmp(image_t *img, /* I - Image to load into */
colors_used = (int)read_dword(fp);
read_dword(fp);

if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
return (-1);

if (info_size > 40)
for (info_size -= 40; info_size > 0; info_size --)
getc(fp);
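Review bot: the new range check covers img->width and img->height only, while info_size in the skip loop just below it is still used as read from the file. `for (info_size -= 40; info_size > 0; info_size --) getc(fp);` runs once per claimed byte and never tests for EOF, so a bogus header size on a short file keeps spinning in that loop. Suggest stopping when getc(fp) returns EOF and returning -1, as the new check does. colors_used, assigned in the first context line, also gets no range check in these lines. Minor: 8192 appears twice as a bare literal; a named constant with a comment on why that limit was chosen would make the bound easier to audit.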
Expand All @@ -926,7 +929,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
fread(colormap, (size_t)colors_used, 4, fp);

// Setup image and buffers...
img->depth = gray ? 1 : 3;
img->depth = gray ? 1 : 3;

// If this image is indexed and we are writing an encrypted PDF file, bump the use count so
// we create an image object (Acrobat 6 bug workaround)
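Review bot: the context line `fread(colormap, (size_t)colors_used, 4, fp);` at the top of this hunk still passes the file-supplied colors_used straight to fread, cast from int to size_t, and its return value is ignored. A negative value read from the header becomes a very large count after the cast, and nothing in the visible lines ties the count to the size of colormap (its declaration is not shown here). Suggest validating colors_used next to the new width/height check and checking the fread result. The only change in this hunk, the img->depth line, looks like a whitespace-only edit; it would be cleaner kept out of a crash fix.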
Expand Down Expand Up @@ -1076,7 +1079,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
if (bit == 0xf0)
{
if (color < 0)
temp = getc(fp);
temp = getc(fp) & 255;
else
temp = color;

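Review bot: in the `color < 0` branch, `temp = getc(fp) & 255;` keeps temp within 0..255 but also turns EOF (-1) into 255, so a truncated file now decodes as 0xff pixel data instead of being reported as an error. Suggest reading into an int, returning an error when it equals EOF, and masking only afterwards. If other bit-depth branches of image_load_bmp read pixel bytes with getc(fp) in the same way, they need the same handling; they are not visible in this hunk.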