CVE-2021-43579: Stack buffer overflow in image_load_bmp() · Issue #453 · michaelrsweet/htmldoc
A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9.13 results in remote code execution if the victim converts an HTML document linking to a crafted BMP file.
In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.
```c
static int                              /* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,            /* I - Image to load into */
               FILE    *fp,             /* I - File to read from */
               int     gray,            /* I - Grayscale image? */
               int     load_data)       /* I - 1 = load image data, 0 = just info */
{
  …
  uchar colormap[256][4];
  …
  colors_used = read_dword(fp);
  …
  fread(colormap, colors_used, 4, fp);
  …
}
```
A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: `./htmldoc --webpage -f out.pdf ./poc.html`
poc.zip
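The defensive check the report implies, as an added example that is not HTMLDOC's code and not the upstream fix: the palette-entry count from the header is untrusted input, so it has to be validated against the fixed 256-entry colormap before any bytes are copied into it. This version reads from a memory buffer rather than a `FILE *`, and the function names (`read_bmp_colormap`, the `demo_*` helpers) and the constructed sample headers are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_MAX_COLORS 256   /* size of the fixed colormap[256][4] destination */

/* Decode a 4-byte little-endian DWORD as found in BMP headers. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the "colors used" DWORD at data[0..3] and copy that many 4-byte palette
   entries from data[4..] into the fixed-size colormap.
   Returns the number of entries copied, or -1 when the header value would not
   fit the destination (the overflow condition in the report) or the input is
   shorter than the header claims. */
int read_bmp_colormap(const uint8_t *data, size_t len,
                      uint8_t colormap[BMP_MAX_COLORS][4])
{
    if (len < 4)
        return -1;                              /* no header to read */

    uint32_t colors_used = read_le32(data);     /* attacker-controlled value */

    /* Hardening: the destination holds at most 256 entries; anything larger
       must be rejected before the copy, not discovered during it. */
    if (colors_used > BMP_MAX_COLORS)
        return -1;

    size_t needed = (size_t)colors_used * 4;    /* at most 1024 bytes */
    if (len - 4 < needed)
        return -1;                              /* truncated file: don't read past input */

    memcpy(colormap, data + 4, needed);
    return (int)colors_used;
}

/* Constructed sample: header says 2 colors and supplies 2 palette entries. */
int demo_valid(void)
{
    static const uint8_t buf[] = { 2, 0, 0, 0,
                                   0x10, 0x20, 0x30, 0x00,
                                   0x40, 0x50, 0x60, 0x00 };
    uint8_t cm[BMP_MAX_COLORS][4];
    memset(cm, 0, sizeof cm);
    int n = read_bmp_colormap(buf, sizeof buf, cm);
    if (n != 2 || cm[1][2] != 0x60)
        return -1;                              /* copy did not land where expected */
    return n;                                   /* 2 */
}

/* Constructed sample: header claims 65536 colors (0x00010000 LE), far more than
   the colormap can hold; the unchecked fread in the report would overrun. */
int demo_oversized(void)
{
    static const uint8_t buf[] = { 0x00, 0x00, 0x01, 0x00 };
    uint8_t cm[BMP_MAX_COLORS][4];
    return read_bmp_colormap(buf, sizeof buf, cm);   /* -1 */
}

/* Constructed sample: header claims 256 colors but only one entry follows. */
int demo_truncated(void)
{
    static const uint8_t buf[] = { 0, 1, 0, 0,  0xAA, 0xBB, 0xCC, 0x00 };
    uint8_t cm[BMP_MAX_COLORS][4];
    return read_bmp_colormap(buf, sizeof buf, cm);   /* -1 */
}

int main(void)
{
    printf("valid header:     %d entries\n", demo_valid());
    printf("oversized header: %d (rejected)\n", demo_oversized());
    printf("truncated file:   %d (rejected)\n", demo_truncated());
    return 0;
}
```

The two rejections are the point: the bounds check on `colors_used` prevents the stack write from ever exceeding the 1024-byte colormap, and the length check keeps a short file from turning into an out-of-bounds read of whatever follows the input buffer.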