CVE-2022-24191: Stack Buffer Overflow in gif_read_lzw · Issue #470 · michaelrsweet/htmldoc
In HTMLDOC 1.9.14, an infinite loop in the gif_read_lzw function can lead to a pointer arbitrarily pointing to heap memory and resulting in a buffer overflow.
Due to an infinite loop in the `gif_read_lzw` function, the `sp` variable, which points into heap memory, can be arbitrarily modified.
The crash happens in this loop:

```c
while (code >= clear_code)
{
  *sp++ = table[1][code];
  if (code == table[0][code])
    return (255);
  code = table[0][code];
}
```
As `sp` is consistently incremented, it reaches out of heap memory, which causes the crash:

`sp` towards the start of execution: (debugger screenshot, not included in this copy)

`sp` once the crash happened: (debugger screenshot, not included in this copy)
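The loop above stops only when a code points at itself, so a longer cycle in `table[0]` (for example two codes pointing at each other) walks `sp` off the end of its buffer. The following is an added illustration of the same prefix-chain walk with an explicit bound on `sp`; it is example code, not htmldoc's own fix, and the struct layout, the names `prefix`/`suffix` (standing in for `table[0]`/`table[1]`), `unwind_code_safe`, `make_demo_table` and the demo table contents are all constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

#define LZW_MAX_CODES 4096   /* 12-bit GIF LZW code space */

/* Constructed model of the decoder tables: prefix[] and suffix[] stand in
 * for table[0][] and table[1][] in the quoted loop (names are assumptions). */
typedef struct {
    int           prefix[LZW_MAX_CODES];
    unsigned char suffix[LZW_MAX_CODES];
    int           clear_code;
} lzw_table_t;

/* Bounded rewrite of the quoted loop (an illustration, not htmldoc's patch).
 * Walks the prefix chain of 'code', pushing suffix bytes onto 'stack', and
 * never writes past stack + stack_size.  Returns bytes written, or -1 when
 * the chain is self-referential, cyclic, or longer than the stack. */
int unwind_code_safe(const lzw_table_t *t, int code,
                     unsigned char *stack, size_t stack_size)
{
    unsigned char *sp  = stack;
    unsigned char *end = stack + stack_size;

    while (code >= t->clear_code)
    {
        if (code >= LZW_MAX_CODES || sp >= end)  /* bound the original lacks: a cycle
                                                    can no longer run sp off the end */
            return -1;
        *sp++ = t->suffix[code];
        if (code == t->prefix[code])             /* the self-loop check the original has */
            return -1;
        code = t->prefix[code];
    }
    if (code < 0 || sp >= end)
        return -1;
    *sp++ = t->suffix[code];                     /* root code ends the chain */
    return (int)(sp - stack);
}

/* Constructed table: 2-bit roots (clear_code = 4), one valid chain
 * 7 -> 6 -> 2, and a two-code cycle 8 <-> 9 that the self-loop check
 * alone never detects. */
void make_demo_table(lzw_table_t *t)
{
    memset(t, 0, sizeof(*t));
    t->clear_code = 4;
    for (int i = 0; i < t->clear_code; i++) { t->prefix[i] = i; t->suffix[i] = (unsigned char)i; }
    t->prefix[6] = 2; t->suffix[6] = 'b';
    t->prefix[7] = 6; t->suffix[7] = 'c';
    t->prefix[8] = 9; t->suffix[8] = 'x';
    t->prefix[9] = 8; t->suffix[9] = 'y';
}
```

With a 16-byte stack, the valid chain for code 7 yields 3 bytes, while the 8/9 cycle fills the stack and is rejected instead of writing past it.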
You can download and attempt the following POC:

```
htmldoc --webpage -f out.pdf ./crash.html
```

Attachment: poc.zip