michaelrsweet/htmldoc

Stack buffer overflow in image_load_bmp()

00xc opened this issue · 3 comments

00xc commented

In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.

static int			/* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,	/* I - Image to load into */
               FILE    *fp,	/* I - File to read from */
	       int     gray,	/* I - Grayscale image? */
               int     load_data)/* I - 1 = load image data, 0 = just info */
{
  ...
  uchar		colormap[256][4];
  ...
  colors_used      = read_dword(fp);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}

A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: ./htmldoc --webpage -f out.pdf ./poc.html

poc.zip
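A bounds-checked version of the colormap read described above, as an added example that is not htmldoc's own code nor the content of commit 27d0898; `load_bmp_colormap`, `read_dword_le` and `check_header` are names assumed for this illustration, and the in-memory "file" built by `check_header` is constructed input:

```c
/* Added example (not htmldoc code): reject a header-supplied colors_used
 * that exceeds the fixed 256-entry colormap before calling fread(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef unsigned char uchar;

/* Little-endian 32-bit read, the byte order BMP headers use. */
static uint32_t read_dword_le(FILE *fp)
{
  uchar b[4];
  if (fread(b, 1, 4, fp) != 4)
    return 0;
  return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
         ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Reads colors_used, then colors_used 4-byte (BGRA) palette entries into a
 * fixed 256-entry colormap. Returns 0 on success, -1 if the header value
 * would overrun the buffer or the file is truncated. The comparison against
 * 256 is what the unchecked fread(colormap, colors_used, 4, fp) lacks. */
int load_bmp_colormap(FILE *fp, uchar colormap[256][4])
{
  uint32_t colors_used = read_dword_le(fp);

  if (colors_used > 256)       /* attacker-controlled size vs. fixed buffer */
    return -1;

  if (fread(colormap, 4, colors_used, fp) != colors_used)
    return -1;                 /* short read: truncated file */
  return 0;
}

/* Stand-alone check (constructed input): an in-memory "file" holding the
 * colors_used dword followed by palette_len bytes of dummy palette data.
 * palette_len is capped at 1024 (256 entries * 4 bytes). */
int check_header(uint32_t colors_used, size_t palette_len)
{
  uchar buf[4 + 1024];
  uchar colormap[256][4];
  if (palette_len > 1024)
    return -2;
  memset(buf, 0xAB, sizeof(buf));
  buf[0] = (uchar)(colors_used);        buf[1] = (uchar)(colors_used >> 8);
  buf[2] = (uchar)(colors_used >> 16);  buf[3] = (uchar)(colors_used >> 24);
  FILE *fp = fmemopen(buf, 4 + palette_len, "r");
  if (!fp)
    return -2;
  int rc = load_bmp_colormap(fp, colormap);
  fclose(fp);
  return rc;
}
```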

[master 27d0898] Fix potential BMP stack overflow (Issue #453)

00xc commented

I have requested a CVE for this issue.

00xc commented

This issue has been assigned CVE-2021-43579.