Bug: buffer-overflow caused by integer-overflow in image_load_gif()
Closed this issue · 6 comments
Hi, I found an integer overflow vulnerability that is similar to CVE-2017-9181 in htmldoc.
- os : Debian GNU/Linux bullseye/sid
- version : 1.9.11
htmldoc-poc.zip
In htmldoc-poc, there are a maliciously crafted gif and an html file which crash htmldoc like below.
$ htmldoc --webpage -f out.pdf htmldoc-poc.html
PAGES: 2
[1] 17884 segmentation fault htmldoc --webpage -f out.pdf htmldoc-poc.html
The vulnerability resides in image_load_gif() function in htmldoc/image.cxx file.
In line 1279, the program reads data from the given gif file using fread.
1279 fread(buf, 9, 1, fp);
Then it stores the values into 'img->width' and 'img->height' in lines 1320-1321,
and 'img->depth' is determined by whether the given image is grayscale.
1320 img->width = (buf[5] << 8) | buf[4];
1321 img->height = (buf[7] << 8) | buf[6];
1322 img->depth = gray ? 1 : 3;
If load_data is equal to 1, and
'img->width' and 'img->height' are large enough to cause an integer overflow,
a small heap block is allocated in line 1326.
This leads to a buffer overrun when gif_read_image() reads data into this buffer.
1323 if (!load_data)
1324 return (0);
1325
1326 img->pixels = (uchar *)malloc((size_t)(img->width * img->height * img->depth));
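The following is an added example, not code from the report or from htmldoc, that reproduces the arithmetic behind the quoted lines and shows a checked version. It assumes a hypothetical demo_img_t struct mirroring the three int fields the quoted code assigns, that int is 32 bits wide, and an arbitrary dimension cap DEMO_MAX_DIM chosen for the example; the 9-byte descriptor is constructed for this example with the width/height bytes at buf[4..7] as in the quoted lines.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical struct mirroring the three fields the quoted lines assign;
 * not htmldoc's own image type. */
typedef struct {
    int            width;
    int            height;
    int            depth;
    unsigned char *pixels;
} demo_img_t;

/* Same decoding as the quoted lines 1320-1322: 16-bit little-endian width
 * at buf[4..5], height at buf[6..7]; depth is 1 for grayscale, 3 for RGB. */
void demo_parse_descriptor(const unsigned char buf[9], int gray, demo_img_t *img)
{
    img->width  = (buf[5] << 8) | buf[4];
    img->height = (buf[7] << 8) | buf[6];
    img->depth  = gray ? 1 : 3;
    img->pixels = NULL;
}

/* Constructed malicious descriptor: width 0xAAAB = 43691, height 0x8000 = 32768.
 * 43691 * 32768 * 3 = 4295000064 = 2^32 + 32768, so the 32-bit product wraps
 * to a small positive value. Bytes 0..3 and 8 are unused by the quoted lines. */
demo_img_t demo_evil_image(void)
{
    const unsigned char buf[9] = { 0, 0, 0, 0, 0xAB, 0xAA, 0x00, 0x80, 0 };
    demo_img_t img;
    demo_parse_descriptor(buf, 0, &img);
    return img;
}

/* What the quoted malloc() ends up requesting. The original multiplies three
 * ints, which is undefined behaviour on overflow; here the product is taken
 * modulo 2^32 (assuming 32-bit int) so the wrapped value is deterministic. */
uint32_t demo_wrapped_size(const demo_img_t *img)
{
    return (uint32_t)img->width * (uint32_t)img->height * (uint32_t)img->depth;
}

/* The number of bytes gif_read_image() would actually write for these dimensions. */
uint64_t demo_true_size(const demo_img_t *img)
{
    return (uint64_t)img->width * (uint64_t)img->height * (uint64_t)img->depth;
}

/* Hardened version: reject nonsensical or oversized dimensions, then multiply
 * in size_t with explicit overflow checks. DEMO_MAX_DIM is an arbitrary cap
 * chosen for this example. Returns 0 and sets *out on success, -1 on reject. */
#define DEMO_MAX_DIM 16384

int demo_checked_size(const demo_img_t *img, size_t *out)
{
    if (img->width <= 0 || img->height <= 0 || img->depth <= 0)
        return -1;
    if (img->width > DEMO_MAX_DIM || img->height > DEMO_MAX_DIM)
        return -1;

    size_t w = (size_t)img->width, h = (size_t)img->height, d = (size_t)img->depth;
    if (w > SIZE_MAX / h)      /* w * h would overflow size_t */
        return -1;
    size_t wh = w * h;
    if (wh > SIZE_MAX / d)     /* w * h * d would overflow size_t */
        return -1;

    *out = wh * d;
    return 0;
}

int main(void)
{
    demo_img_t img = demo_evil_image();
    size_t n = 0;

    printf("%dx%dx%d: malloc would get %u bytes, reader would write %llu bytes\n",
           img.width, img.height, img.depth,
           demo_wrapped_size(&img), (unsigned long long)demo_true_size(&img));
    printf("checked size: %s\n",
           demo_checked_size(&img, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The wrapped product is what makes the crash a heap overflow rather than a failed allocation: a 43691x32768 RGB descriptor yields a 32 KiB malloc() while the decoder expects to fill over 4 GiB, whereas the checked version refuses the dimensions before any allocation happens.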
Hmm, 65535 * 65535 should not cause an integer overflow on modern systems, but I'll happily limit GIF files to smaller sizes.
This issue was assigned CVE-2021-20308
p.s.: is the CVE reference in the initial item correct? CVE-2017-9181 does not seem to be associated with htmldoc.
I noticed it may be confusing.
It means the bug type of this vulnerability and CVE-2017-9181 are similar.
Because they both cause integer overflow while multiplying the width and height of the input image, then lead to small heap block allocation & buffer overrun.
@kangwoosukeq thanks for the clarification. I indeed might just have been confused about the wording "similar to CVE-2017-9181 in htmldoc". But now it's clear, you meant the class of issue/bug type.
@carnil @kangwoosukeq Well, the important thing is that it is fixed! :) As soon as I finish my final QA pass I'll be releasing an update of HTMLDOC...