
Stack buffer overflow in image_load_bmp() #453

Closed

00xc opened this issue Nov 4, 2021 · 3 comments
Labels: bug (Something isn't working), priority-high, security (Security issue)

Comments


00xc commented Nov 4, 2021

In `image_load_bmp()`, the `colors_used` variable is read from the BMP file header and directly used to read into a fixed-size buffer.

```c
static int                      /* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,    /* I - Image to load into */
               FILE    *fp,     /* I - File to read from */
               int     gray,    /* I - Grayscale image? */
               int     load_data)/* I - 1 = load image data, 0 = just info */
{
  ...
  uchar         colormap[256][4];
  ...
  colors_used      = read_dword(fp);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}
```

A maliciously crafted BMP file could set the `colors_used` variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: `./htmldoc --webpage -f out.pdf ./poc.html`

poc.zip
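A bounded version of the colormap read described in this report, added here as an illustration; it is not htmldoc's code and not the fix in 27d0898. It assumes the header bytes are already in memory rather than read via `FILE *`, and uses a hypothetical `le32()` in place of `read_dword()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BMP_MAX_COLORS 256   /* size of uchar colormap[256][4] in htmldoc */

/* Hypothetical stand-in for htmldoc's read_dword(): 4-byte little-endian. */
static uint32_t le32(const unsigned char *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded colormap load. 'buf' holds the bytes starting at the colors_used
 * field: 4 bytes colors_used, then colors_used*4 palette bytes. Returns the
 * number of entries copied, or -1 if the header is rejected or the data is
 * truncated. The original fread(colormap, colors_used, 4, fp) had no bound,
 * so any colors_used above 256 wrote past the stack buffer. */
int load_colormap_checked(const unsigned char *buf, size_t len,
                          unsigned char colormap[BMP_MAX_COLORS][4])
{
  if (len < 4)
    return -1;
  uint32_t colors_used = le32(buf);
  /* The check that closes the overflow: the header never overrides the buffer size. */
  if (colors_used > BMP_MAX_COLORS)
    return -1;
  size_t need = (size_t)colors_used * 4;  /* at most 1024, cannot overflow */
  if (len - 4 < need)
    return -1;                            /* short file: reject instead of reading garbage */
  memset(colormap, 0, BMP_MAX_COLORS * 4);  /* unused entries are not stale stack bytes */
  memcpy(colormap, buf + 4, need);
  return (int)colors_used;
}

/* Verdict-only wrapper using a stack colormap, as image_load_bmp() does. */
int colormap_verdict(const unsigned char *buf, size_t len)
{
  unsigned char colormap[BMP_MAX_COLORS][4];
  return load_colormap_checked(buf, len, colormap);
}

/* Constructed samples: a valid 2-entry palette, a header claiming 0x10000
 * entries as a crafted file would, and one truncated after 2 of 3 entries. */
static const unsigned char sample_ok[]    = {2,0,0,0, 0,0,0xff,0, 0xff,0,0,0};
static const unsigned char sample_huge[]  = {0,0,1,0, 0xaa,0xbb,0xcc,0xdd};
static const unsigned char sample_short[] = {3,0,0,0, 1,2,3,4, 5,6,7,8};
```

With the bound in place the oversized header is rejected before any byte is copied, which is the behaviour a fuzzer or the attached poc.html should now observe as a clean load failure rather than a crash.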

michaelrsweet (Owner) commented:

[master 27d0898] Fix potential BMP stack overflow (Issue #453)

@michaelrsweet michaelrsweet self-assigned this Nov 5, 2021
@michaelrsweet michaelrsweet added bug Something isn't working priority-high security Security issue labels Nov 5, 2021
@michaelrsweet michaelrsweet added this to the Stable milestone Nov 5, 2021

00xc commented Nov 12, 2021

I have requested a CVE for this issue.


00xc commented Nov 15, 2021

This issue has been assigned CVE-2021-43579.
