Missing checks for header_info.height and header_info.width in function pnmtoimage in src/bin/jpwl/convert.c, which can lead to heap buffer overflow #1126

Closed
@YangY-Xiao

Function pnmtoimage in src/bin/jpwl/convert.c misses checks for header_info.height and header_info.width, which can lead to heap buffer overflow. (see #861)

    memset(&header_info, 0, sizeof(struct pnm_header));

    read_pnm_header(fp, &header_info);

    if (!header_info.ok) {
        fclose(fp);
        return NULL;
    }

    format = header_info.format;

Below is the proposed patch.

    memset(&header_info, 0, sizeof(struct pnm_header));

    read_pnm_header(fp, &header_info);

    if (!header_info.ok) {
        fclose(fp);
        return NULL;
    }
 +    /* This limitation could be removed by making sure to use size_t below */
 +    if (header_info.height != 0 &&
 +            header_info.width > INT_MAX / header_info.height) {
 +        fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n",
 +                header_info.width, header_info.height);
 +        fclose(fp);
 +        return NULL;
 +    }
 +
    format = header_info.format;
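
Review bot: the added condition `header_info.height != 0 && header_info.width > INT_MAX / header_info.height` only catches a product above INT_MAX when both values are positive. The fields are printed with %d, so they appear to be signed, and a zero width, a zero height, or a negative width with a positive height still passes this check. Reject non-positive dimensions first, for example `header_info.width <= 0 || header_info.height <= 0 || header_info.width > INT_MAX / header_info.height`, which also makes the separate `height != 0` guard unnecessary. INT_MAX needs <limits.h>, and no include is visible in this hunk, so confirm the file already has it. Minor: the message would read better with a space, "pnmtoimage: Image %dx%d too big!".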
