5ba7530688
- security update - added patches fix CVE-2021-40985 [bsc#1192357], buffer overflow may lead to DoS via a crafted BMP image + htmldoc-CVE-2021-40985.patch OBS-URL: https://build.opensuse.org/request/show/929571 OBS-URL: https://build.opensuse.org/package/show/Publishing/htmldoc?expand=0&rev=29
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
|
|
index 337c0cc5..d44d1ba3 100644
|
|
--- a/htmldoc/image.cxx
|
|
+++ b/htmldoc/image.cxx
|
|
@@ -915,6 +915,9 @@ image_load_bmp(image_t *img, /* I - Image to load into */
|
|
colors_used = (int)read_dword(fp);
|
|
read_dword(fp);
|
|
|
|
+ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
|
|
+ return (-1);
|
|
+
|
|
if (info_size > 40)
|
|
for (info_size -= 40; info_size > 0; info_size --)
|
|
getc(fp);
|
|
@@ -926,7 +929,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
|
|
fread(colormap, (size_t)colors_used, 4, fp);
|
|
|
|
// Setup image and buffers...
|
|
- img->depth = gray ? 1 : 3;
|
|
+ img->depth = gray ? 1 : 3;
|
|
|
|
// If this image is indexed and we are writing an encrypted PDF file, bump the use count so
|
|
// we create an image object (Acrobat 6 bug workaround)
|
|
@@ -1076,7 +1079,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
|
|
if (bit == 0xf0)
|
|
{
|
|
if (color < 0)
|
|
- temp = getc(fp);
|
|
+ temp = getc(fp) & 255;
|
|
else
|
|
temp = color;
|
|
|
|
|