In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.
```c
static int                        /* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,      /* I - Image to load into */
               FILE    *fp,       /* I - File to read from */
               int     gray,      /* I - Grayscale image? */
               int     load_data) /* I - 1 = load image data, 0 = just info */
{
  ...
  uchar colormap[256][4];
  ...
  colors_used = read_dword(fp);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}
```
A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: `./htmldoc --webpage -f out.pdf ./poc.html`
poc.zip
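As an added example (not HTMLDOC's own code and not the reporter's proof of concept), here is the colormap read from the excerpt rewritten with the bounds check it lacks, driven by a constructed in-memory BMP fragment so it can be run offline. The function names `load_bmp_colormap`, `read_dword_le` and `try_load` are assumptions for this example; `read_dword_le` stands in for HTMLDOC's `read_dword()`, and the stream contains only the `colors_used` dword followed by palette entries, not a full BMP header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COLORMAP_ENTRIES 256   /* capacity of the fixed colormap[256][4] buffer */

typedef unsigned char uchar;

/* Little-endian 32-bit read, playing the role of HTMLDOC's read_dword() (stand-in, not the real function). */
static int read_dword_le(FILE *fp, uint32_t *out)
{
  uchar b[4];
  if (fread(b, 1, 4, fp) != 4)
    return -1;
  *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
  return 0;
}

/* Hardened colormap read: 0 on success, -1 on a malformed or truncated header.
 * The count comes from the file, so it is validated against the buffer size before any copy. */
int load_bmp_colormap(FILE *fp, uchar colormap[COLORMAP_ENTRIES][4], uint32_t *colors_used_out)
{
  uint32_t colors_used;

  if (read_dword_le(fp, &colors_used) != 0)
    return -1;

  /* The check the vulnerable excerpt is missing. (A full loader would also map the BMP
   * convention "0 = default palette size" to 1 << bit_depth and bound that the same way.) */
  if (colors_used > COLORMAP_ENTRIES)
    return -1;

  /* fread(ptr, size, nmemb): 4-byte entries, colors_used of them. The excerpt swaps size and
   * count, which moves the same number of bytes but makes a short read harder to detect. */
  if (fread(colormap, 4, colors_used, fp) != colors_used)
    return -1;

  *colors_used_out = colors_used;
  return 0;
}

/* Builds a constructed stream that declares `declared` palette entries and actually carries
 * `supplied` entries, then runs the hardened loader over it. Returns the loader's result. */
int try_load(uint32_t declared, size_t supplied)
{
  uchar    colormap[COLORMAP_ENTRIES][4];
  uint32_t n  = 0;
  FILE    *fp = tmpfile();
  int      rc;

  if (!fp)
    return -1;

  uchar hdr[4] = { (uchar)declared, (uchar)(declared >> 8), (uchar)(declared >> 16), (uchar)(declared >> 24) };
  fwrite(hdr, 1, 4, fp);
  for (size_t i = 0; i < supplied; i++)
  {
    uchar entry[4] = { (uchar)i, (uchar)(i * 3), (uchar)(i * 7), 0 };   /* arbitrary BGRx values */
    fwrite(entry, 1, 4, fp);
  }
  rewind(fp);

  rc = load_bmp_colormap(fp, colormap, &n);
  fclose(fp);
  return rc;
}

int main(void)
{
  printf("16-entry palette:        %d\n", try_load(16, 16));       /* 0: accepted */
  printf("256-entry palette:       %d\n", try_load(256, 256));     /* 0: exactly fills the buffer */
  printf("1024-entry palette:      %d\n", try_load(1024, 1024));   /* -1: rejected before any copy */
  printf("declares 16, carries 8:  %d\n", try_load(16, 8));        /* -1: short read detected */
  return 0;
}
```

The oversized case is rejected before `fread` touches the stack buffer, which is the property the original code lacks; the truncated case shows why checking `fread`'s return value matters once the count is trusted.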