Due to an infinite loop in the `gif_read_lzw` function, the `sp` variable, which belongs to heap memory, can be arbitrarily modified.
The crash happens in this loop:
```c
while (code >= clear_code)
{
  *sp++ = table[1][code];
  if (code == table[0][code])
    return (255);
  code = table[0][code];
}
```
As sp is consistently incremented, it reaches out of heap memory which causes the crash:
sp towards the start of execution:
sp once the crash happened:
You can download and attempt the following POC:

```
htmldoc --webpage -f out.pdf ./crash.html
```
poc.zip
Fix a potential stack overflow bug with GIF images (Issue #470)
fb0334a
[master fb0334a] Fix a potential stack overflow bug with GIF images (Issue #470)
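
A bounded form of the chain walk from the report, as an added example (not code from the issue and not the change made in fb0334a). The array sizes, the helper name `unwind_code` and the two sample tables are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 4096   /* GIF LZW codes are at most 12 bits wide */
#define STACK_SIZE 8192   /* assumed size for this example */

static short table[2][TABLE_SIZE];  /* [0] = prefix code, [1] = suffix value */
static short stack[STACK_SIZE];

/* Bounded chain walk: returns the number of values pushed, or -1 if the
 * table is corrupt (bad index, cycle, or output stack exhausted). */
static int unwind_code(int code, int clear_code, short *out, size_t out_len)
{
    short *sp = out, *end = out + out_len;
    int steps = 0;

    while (code >= clear_code) {
        if (code < 0 || code >= TABLE_SIZE) return -1; /* index outside table */
        if (sp >= end) return -1;                      /* would write past the stack */
        if (++steps > TABLE_SIZE) return -1;           /* longer than any valid chain */
        *sp++ = table[1][code];
        if (code == table[0][code]) return -1;         /* one-entry cycle */
        code = table[0][code];
    }
    return (int)(sp - out);
}

/* Constructed table: 7 -> 6 -> 1, a well-formed chain of two entries. */
static int demo_valid(void)
{
    memset(table, 0, sizeof(table));
    table[0][6] = 1; table[1][6] = 2;
    table[0][7] = 6; table[1][7] = 3;
    return unwind_code(7, 4, stack, STACK_SIZE);
}

/* Constructed table: 6 -> 7 -> 6, a two-entry cycle that the
 * code == table[0][code] test alone never sees. */
static int demo_cycle(void)
{
    memset(table, 0, sizeof(table));
    table[0][6] = 7; table[0][7] = 6;
    return unwind_code(6, 4, stack, STACK_SIZE);
}

int main(void)
{
    printf("valid chain: %d\ncyclic chain: %d\n", demo_valid(), demo_cycle());
    return 0;
}
```

The write-pointer check alone is enough to stop the out-of-bounds write; the step limit additionally rejects a cyclic table before the stack fills.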
michaelrsweet