Closed
Description
The function pnmtoimage in src/bin/jpwl/convert.c does not check header_info.height and header_info.width, which can lead to a heap buffer overflow (see #861).
1856 memset(&header_info, 0, sizeof(struct pnm_header));
1857
1858 read_pnm_header(fp, &header_info);
1859
1860 if (!header_info.ok) {
1861 fclose(fp);
1862 return NULL;
1863 }
1864
1865 format = header_info.format;
Below is the proposal patch.
memset(&header_info, 0, sizeof(struct pnm_header));
read_pnm_header(fp, &header_info);
if (!header_info.ok) {
fclose(fp);
return NULL;
}
+ /* This limitation could be removed by making sure to use size_t below */
+ if (header_info.height != 0 &&
+ header_info.width > INT_MAX / header_info.height) {
+ fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n",
+ header_info.width, header_info.height);
+ fclose(fp);
+ return NULL;
+ }
+
format = header_info.format;
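Review bot: The added guard only bounds the product of the two dimensions against `INT_MAX`, so a zero width or height still passes, as does a negative width with a positive height if `read_pnm_header` can produce one (its parsing is not visible here). Rejecting non-positive dimensions in the same test closes that gap: `if (header_info.width <= 0 || header_info.height <= 0 || header_info.width > INT_MAX / header_info.height) {`, with the message reworded to something like `"pnmtoimage:Invalid image size %dx%d\n"` since the failure is no longer only "too big". The limit is on the pixel count, not on a byte count, so any later allocation or index that multiplies by the sample size or the number of components would need its own check. That part of `pnmtoimage` lies outside the hunk and should be confirmed. The new comment would also be more useful if it named the expression being protected, for example `/* width * height must fit in an int: the sizes computed below use int arithmetic */`.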