Stack buffer overflow in image_load_bmp()
00xc opened this issue · 3 comments
00xc commented
In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.
```c
static int				/* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,		/* I - Image to load into */
               FILE    *fp,		/* I - File to read from */
               int     gray,		/* I - Grayscale image? */
               int     load_data)	/* I - 1 = load image data, 0 = just info */
{
  ...
  uchar colormap[256][4];
  ...
  colors_used = read_dword(fp);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}
```
A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with:

./htmldoc --webpage -f out.pdf ./poc.html
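The hardened form of the palette read, as an added example that is not htmldoc's own code or its eventual fix: the count taken from the file header is validated against the 256-entry table before fread() is allowed to write into it, and a short read is reported instead of being ignored. The function names, the bpp parameter and the sample palette bytes are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef unsigned char uchar;

/* Hypothetical hardened colormap loader (example only, not htmldoc's fix).
 * Reads colors_used palette entries of 4 bytes each into the fixed 256-entry
 * table and refuses any count the table cannot hold.
 * Returns the number of entries read, or -1 if the count is rejected or the
 * file is truncated. */
int bmp_read_colormap(FILE *fp, uint32_t colors_used, int bpp,
                      uchar colormap[256][4])
{
    /* BMP semantics: a biClrUsed of 0 means "all colors for this depth". */
    if (colors_used == 0 && bpp > 0 && bpp <= 8)
        colors_used = 1u << bpp;

    /* The bounds check the original fread() lacks: the count is attacker
     * controlled file data, so it must fit sizeof(colormap) before use. */
    if (colors_used == 0 || colors_used > 256)
        return -1;

    memset(colormap, 0, 256 * 4);
    /* Argument order is (size, count): 4-byte entries, colors_used of them. */
    if (fread(colormap, 4, colors_used, fp) != colors_used)
        return -1;                              /* truncated palette */
    return (int)colors_used;
}

/* Constructed 2-entry palette (8 bytes) used as in-memory test input. */
static const uchar sample_palette[8] = { 1, 2, 3, 0, 4, 5, 6, 0 };

/* Runs the loader over an in-memory palette via fmemopen() so the checks
 * can be exercised without a BMP file on disk. */
int try_palette(const uchar *palette, size_t len, uint32_t colors_used, int bpp)
{
    uchar colormap[256][4];
    FILE *fp = fmemopen((void *)palette, len, "rb");
    if (!fp)
        return -1;
    int rc = bmp_read_colormap(fp, colors_used, bpp, colormap);
    fclose(fp);
    return rc;
}
```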
michaelrsweet commented
00xc commented
I have requested a CVE for this issue.
00xc commented
This issue has been assigned CVE-2021-43579.