michaelrsweet/htmldoc

Bug: buffer-overflow caused by integer-overflow in image_load_gif()

Closed this issue · 6 comments

Hi, I found an integer overflow vulnerability that is similar to CVE-2017-9181 in htmldoc.

  • os : Debian GNU/Linux bullseye/sid
  • version : 1.9.11

htmldoc-poc.zip
In htmldoc-poc, there are a maliciously crafted GIF and an HTML file which crash htmldoc as shown below.

$ htmldoc --webpage -f out.pdf htmldoc-poc.html
PAGES: 2
[1]    17884 segmentation fault  htmldoc --webpage -f out.pdf htmldoc-poc.html

The vulnerability resides in image_load_gif() function in htmldoc/image.cxx file.
In line 1279, the program reads data from the given GIF file using fread.

1279 fread(buf, 9, 1, fp);

Then it stores values in 'img->width' and 'img->height' in line 1320,
and 'img->depth' is determined by whether the given image is grayscale.

1320 img->width = (buf[5] << 8) | buf[4];
1321 img->height = (buf[7] << 8) | buf[6];
1322 img->depth = gray ? 1 : 3;

If load_data is equal to 1 and
'img->width' and 'img->height' are large enough to cause an integer overflow,
a small heap block is allocated in line 1326.
This leads to a buffer overrun when data is read into this buffer in gif_read_image().

1323 if (!load_data)
1324 return (0);
1325
1326 img->pixels = (uchar *)malloc((size_t)(img->width * img->height * img->depth));
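The arithmetic behind the report, as an added example (not htmldoc's code and not the reporter's PoC): it decodes the same 9-byte GIF image descriptor the quoted buf[] lines read, shows how a 32-bit product of width, height and depth wraps to a small allocation size, and puts beside it a hardened size computation that applies the 1..32767 range limit mentioned later in the thread and multiplies in size_t with overflow guards. The image_t struct, the function names and the constructed descriptor bytes are assumptions made for this example; the assumption that the fields are 32-bit ints is what the overflow requires. The wrapped product is computed in uint32_t so the value is deterministic (signed overflow is undefined in C); the checked version multiplies in size_t because even 32767 x 32767 x 3 exceeds INT_MAX, so a range check alone does not make an int product safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: width/height/depth are 32-bit ints, which is
 * what makes width * height * depth wrap. Not htmldoc's actual struct. */
typedef struct {
    int width, height, depth;
} image_t;

/* Decode the 9 bytes that follow the 0x2C image separator of a GIF image
 * descriptor: left(2) top(2) width(2) height(2) packed(1), little-endian.
 * Same byte offsets as the buf[4..7] expressions quoted in the report. */
void parse_gif_image_descriptor(const unsigned char buf[9], int gray, image_t *img)
{
    img->width  = (buf[5] << 8) | buf[4];
    img->height = (buf[7] << 8) | buf[6];
    img->depth  = gray ? 1 : 3;
}

/* The unchecked allocation size, computed the way a 32-bit product wraps.
 * uint32_t is used so the wrapped value is deterministic; with int fields the
 * real code hits signed overflow (undefined behaviour) and then casts to size_t. */
uint32_t pixel_bytes_wrapped(const image_t *img)
{
    return (uint32_t)img->width * (uint32_t)img->height * (uint32_t)img->depth;
}

/* Hardened size computation: reject dimensions outside 1..32767 and depths
 * other than 1 or 3, then multiply in size_t with explicit overflow guards.
 * Returns 0 when the image must be rejected, otherwise the exact byte count. */
size_t pixel_bytes_checked(const image_t *img)
{
    if (img->width < 1 || img->width > 32767 ||
        img->height < 1 || img->height > 32767 ||
        (img->depth != 1 && img->depth != 3))
        return 0;

    size_t w = (size_t)img->width, h = (size_t)img->height, d = (size_t)img->depth;
    if (h > SIZE_MAX / w)
        return 0;
    size_t pixels = w * h;
    if (d > SIZE_MAX / pixels)
        return 0;
    return pixels * d;
}

/* Constructed descriptor (not the reporter's file) for a 43691 x 32768 colour
 * image: 43691 * 32768 * 3 = 4295000064 = 2^32 + 32768, so a 32-bit product
 * wraps to 32768 bytes while the decoder would try to write ~4 GiB of pixels. */
static const unsigned char POC_DESCRIPTOR[9] = {
    0x00, 0x00,  /* left */
    0x00, 0x00,  /* top */
    0xAB, 0xAA,  /* width  = 0xAAAB = 43691 */
    0x00, 0x80,  /* height = 0x8000 = 32768 */
    0x00         /* packed fields: no local colour table, not interlaced */
};

/* Helpers that run the constructed descriptor through both size computations. */
uint32_t poc_wrapped_size(void)
{
    image_t img;
    parse_gif_image_descriptor(POC_DESCRIPTOR, 0, &img);
    return pixel_bytes_wrapped(&img);
}

size_t poc_checked_size(void)
{
    image_t img;
    parse_gif_image_descriptor(POC_DESCRIPTOR, 0, &img);
    return pixel_bytes_checked(&img);
}

int main(void)
{
    image_t img;
    parse_gif_image_descriptor(POC_DESCRIPTOR, 0, &img);
    printf("width=%d height=%d depth=%d\n", img.width, img.height, img.depth);
    printf("wrapped 32-bit malloc size: %u bytes\n", (unsigned)poc_wrapped_size());
    printf("checked size: %zu (0 = rejected)\n", poc_checked_size());
    return 0;
}
```

A grayscale 65535 x 65535 image (depth 1) gives a product of 4294836225, which already exceeds INT_MAX, so the same int multiplication overflows there too; the checked version rejects both cases on the range test before any multiplication happens.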

Hmm, 65535 * 65535 should not cause an integer overflow on modern systems, but I'll happily limit GIF files to smaller sizes.

[master 6a8322a] Fix crash bug with bad GIFs (Issue #423)

I added a range check to limit the width and height to 1-32767.

This issue was assigned CVE-2021-20308

p.s.: is the CVE reference in the initial item correct? CVE-2017-9181 does not seem to be associated with htmldoc.

I noticed it may be confusing.

It means that the bug type of this vulnerability and CVE-2017-9181 are similar.

Both cause an integer overflow while multiplying the width and height of the input image, which then leads to a small heap block allocation and a buffer overrun.

@kangwoosukeq thanks for the clarification. I indeed might just have been confused about the wording "similar to CVE-2017-9181 in htmldoc". But now it's clear, you meant the class of issue/bug type.

@carnil @kangwoosukeq Well, the important thing is that it is fixed! :) As soon as I finish my final QA pass I'll be releasing an update of HTMLDOC...