In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.
```c
static int                            /* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,          /* I - Image to load into */
               FILE    *fp,           /* I - File to read from */
               int     gray,          /* I - Grayscale image? */
               int     load_data)     /* I - 1 = load image data, 0 = just info */
{
  ...
  uchar colormap[256][4];
  ...
  colors_used = read_dword(fp);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}
```
A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: ./htmldoc --webpage -f out.pdf ./poc.html
Attachment: poc.zip
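A bounds-checked version of the colormap read, added here as an illustration; it is not HTMLDOC's code or its fix, and read_dword_le, colormap_overflow_bytes, load_colormap_checked and make_palette_stream are names assumed for this example. It also shows how far an unchecked read would write past the 1024-byte array for a given header value.

```c
#include <stdio.h>

typedef unsigned char uchar;

/* Little-endian 32-bit read, standing in for the report's read_dword() (assumed name). */
static unsigned int read_dword_le(FILE *fp)
{
  uchar b[4];
  if (fread(b, 1, sizeof b, fp) != sizeof b)
    return 0;
  return (unsigned)b[0] | ((unsigned)b[1] << 8) | ((unsigned)b[2] << 16) | ((unsigned)b[3] << 24);
}

/* Bytes an unchecked fread(colormap, colors_used, 4, fp) writes past a 256*4-byte
 * colormap: the header value is multiplied by 4 before any bound is applied. */
unsigned long long colormap_overflow_bytes(unsigned int colors_used)
{
  unsigned long long want = 4ULL * colors_used;
  return want > sizeof(uchar[256][4]) ? want - sizeof(uchar[256][4]) : 0;
}

/* Checked colormap load: colors_used still comes from the header as in the report,
 * but it is bounded by the palette capacity and the read must complete.
 * Returns the number of entries loaded, or -1 on an oversized count or short file. */
int load_colormap_checked(FILE *fp, uchar colormap[256][4])
{
  unsigned int colors_used = read_dword_le(fp);
  if (colors_used > 256)
    return -1;  /* would run past colormap and onto the saved return address */
  if (fread(colormap, 4, colors_used, fp) != colors_used)
    return -1;  /* truncated palette: the header is not trusted over the data */
  return (int)colors_used;
}

/* Constructed input: a 4-byte count followed by payload_bytes of palette data in a
 * temporary FILE*, so the loader consumes it with fread() exactly as it would a BMP. */
FILE *make_palette_stream(unsigned int colors_used, size_t payload_bytes)
{
  FILE *fp = tmpfile();
  uchar hdr[4] = { colors_used & 0xff, (colors_used >> 8) & 0xff,
                   (colors_used >> 16) & 0xff, (colors_used >> 24) & 0xff };
  if (!fp)
    return NULL;
  fwrite(hdr, 1, sizeof hdr, fp);
  for (size_t i = 0; i < payload_bytes; i++)
    fputc((int)(i & 0xff), fp);
  rewind(fp);
  return fp;
}
```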