fd465e8f75
- security update - added patches fix CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow + htmldoc-CVE-2022-27114.patch OBS-URL: https://build.opensuse.org/request/show/976218 OBS-URL: https://build.opensuse.org/package/show/Publishing/htmldoc?expand=0&rev=34
73 lines
2.5 KiB
Diff
73 lines
2.5 KiB
Diff
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
|
|
index 8aeccced..9b4d11de 100644
|
|
--- a/htmldoc/image.cxx
|
|
+++ b/htmldoc/image.cxx
|
|
@@ -26,6 +26,13 @@ extern "C" { /* Workaround for JPEG header problems... */
|
|
#endif // HAVE_LIBPNG
|
|
|
|
|
|
+/*
|
|
+ * Limits...
|
|
+ */
|
|
+
|
|
+#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)
|
|
+
|
|
+
|
|
/*
|
|
* GIF definitions...
|
|
*/
|
|
@@ -926,7 +933,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
|
|
colors_used = (int)read_dword(fp);
|
|
read_dword(fp);
|
|
|
|
- if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
|
|
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
|
|
return (-1);
|
|
|
|
if (info_size > 40)
|
|
@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
|
|
img->height = (buf[9] << 8) | buf[8];
|
|
ncolors = 2 << (buf[10] & 0x07);
|
|
|
|
- if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
|
|
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
|
|
return (-1);
|
|
|
|
// If we are writing an encrypted PDF file, bump the use count so we create
|
|
@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
|
|
img->height = (buf[7] << 8) | buf[6];
|
|
img->depth = gray ? 1 : 3;
|
|
|
|
- if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
|
|
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
|
|
return (-1);
|
|
|
|
if (transparent >= 0)
|
|
@@ -1443,6 +1450,12 @@ JSAMPROW row; /* Sample row pointer */
|
|
img->height = (int)cinfo.output_height;
|
|
img->depth = (int)cinfo.output_components;
|
|
|
|
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
|
|
+ {
|
|
+ jpeg_destroy_decompress(&cinfo);
|
|
+ return (-1);
|
|
+ }
|
|
+
|
|
if (!load_data)
|
|
{
|
|
jpeg_destroy_decompress(&cinfo);
|
|
@@ -1598,6 +1611,12 @@ image_load_png(image_t *img, /* I - Image pointer */
|
|
img->width = (int)png_get_image_width(pp, info);
|
|
img->height = (int)png_get_image_height(pp, info);
|
|
|
|
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
|
|
+ {
|
|
+ png_destroy_read_struct(&pp, &info, NULL);
|
|
+ return (-1);
|
|
+ }
|
|
+
|
|
if (color_type & PNG_COLOR_MASK_ALPHA)
|
|
{
|
|
if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
|
|
|