CVE-2022-27114: Fix a potential integer overflow bug in the JPEG and PNG loaders (Iss… · michaelrsweet/htmldoc@31f7804
There is a vulnerability in htmldoc 1.9.16. In the image_load_jpeg function in image.cxx, when it calls malloc, 'img->width' and 'img->height' are large enough to cause an integer overflow. So the malloc function may return a heap block smaller than the expected size, and it will cause a buffer overflow/address boundary error in the jpeg_read_scanlines function.
@@ -26,6 +26,13 @@ extern “C” { /* Workaround for JPEG header problems… */
#endif // HAVE_LIBPNG
/*
* Limits…
*/
#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)
/*
* GIF definitions…
*/
@@ -926,7 +933,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
colors_used = (int)read_dword(fp);
read_dword(fp);
if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
return (-1);
if (info_size > 40)
@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
img->height = (buf[9] << 8) | buf[8];
ncolors = 2 << (buf[10] & 0x07);
if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
return (-1);
// If we are writing an encrypted PDF file, bump the use count so we create
@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
img->height = (buf[7] << 8) | buf[6];
img->depth = gray ? 1 : 3;
if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
return (-1);
if (transparent >= 0)
@@ -1443,6 +1450,12 @@ JSAMPROW row; /* Sample row pointer */
img->height = (int)cinfo.output_height;
img->depth = (int)cinfo.output_components;
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
{
jpeg_destroy_decompress(&cinfo);
return (-1);
}
if (!load_data)
{
jpeg_destroy_decompress(&cinfo);
@@ -1598,6 +1611,12 @@ image_load_png(image_t *img, /* I - Image pointer */
img->width = (int)png_get_image_width(pp, info);
img->height = (int)png_get_image_height(pp, info);
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
{
png_destroy_read_struct(&pp, &info, NULL);
return (-1);
}
if (color_type & PNG_COLOR_MASK_ALPHA)
{
if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
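Review bot: The per-dimension cap checked right after `img->depth = (int)cinfo.output_components;` in the JPEG hunk (and after the width/height reads in the PNG, BMP and GIF hunks) does not on its own keep the pixel-buffer byte count in range: 37837 × 37837 × 3 is roughly 4.29e9, above INT_MAX, so if the size is still formed as `img->width * img->height * img->depth` in int before the malloc() call — that call is outside these hunks — the signed multiply overflows and the undersized allocation this commit targets stays reachable; a depth of 4 would also exceed the 4 GiB that the comment on IMAGE_MAX_DIM assumes. The dimension guard is a reasonable first line, but the allocation should be sized in size_t and checked for wrap before allocating, e.g. `size_t bytes = (size_t)img->width * (size_t)img->height * (size_t)img->depth;` followed by `if (img->depth <= 0 || bytes / (size_t)img->depth / (size_t)img->height != (size_t)img->width) return (-1);` at each loader's malloc() site. A short comment on the define, such as `// Bounds width*height*3 below 2^32; allocation size must still be computed in size_t`, would make that dependency explicit. image_load_jpeg and image_load_png both begin before their hunks, so the actual allocation lines could not be checked here.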
Gentoo Linux Security Advisory 202405-7 - Multiple vulnerabilities have been discovered in HTMLDOC, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.9.16 are affected.
There is a vulnerability in htmldoc 1.9.16. In the image_load_jpeg function in image.cxx, when it calls malloc, 'img->width' and 'img->height' are large enough to cause an integer overflow. So the malloc function may return a heap block smaller than the expected size, and it will cause a buffer overflow/address boundary error in the jpeg_read_scanlines function.