Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-27114: Fix a potential integer overflow bug in the JPEG and PNG loaders (Iss… · michaelrsweet/htmldoc@31f7804

There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,’img->width’ and ‘img->height’ they are large enough to cause an integer overflow. So, the malloc function may return a heap blosmaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.

CVE
#vulnerability#js#pdf#buffer_overflow

@@ -26,6 +26,13 @@ extern “C” { /* Workaround for JPEG header problems… */

#endif // HAVE_LIBPNG

/*

* Limits…

*/

#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)

/*

* GIF definitions…

*/

@@ -926,7 +933,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */

colors_used = (int)read_dword(fp);

read_dword(fp);

if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)

return (-1);

if (info_size > 40)

@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img, /* I - Image pointer */

img->height = (buf[9] << 8) | buf[8];

ncolors = 2 << (buf[10] & 0x07);

if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)

return (-1);

// If we are writing an encrypted PDF file, bump the use count so we create

@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img, /* I - Image pointer */

img->height = (buf[7] << 8) | buf[6];

img->depth = gray ? 1 : 3;

if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)

return (-1);

if (transparent >= 0)

@@ -1443,6 +1450,12 @@ JSAMPROW row; /* Sample row pointer */

img->height = (int)cinfo.output_height;

img->depth = (int)cinfo.output_components;

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)

{

jpeg_destroy_decompress(&cinfo);

return (-1);

}

if (!load_data)

{

jpeg_destroy_decompress(&cinfo);

@@ -1598,6 +1611,12 @@ image_load_png(image_t *img, /* I - Image pointer */

img->width = (int)png_get_image_width(pp, info);

img->height = (int)png_get_image_height(pp, info);

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)

{

png_destroy_read_struct(&pp, &info, NULL);

return (-1);

}

if (color_type & PNG_COLOR_MASK_ALPHA)

{

if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)

Related news

Gentoo Linux Security Advisory 202405-07

Gentoo Linux Security Advisory 202405-7 - Multiple vulnerabilities have been discovered in HTMLDOC, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.9.16 are affected.

CVE-2022-27114: Fix a potential integer overflow bug in the JPEG and PNG loaders (Iss… · michaelrsweet/htmldoc@31f7804

There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap blosmaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907