
Stack buffer overflow in image_load_bmp() #453

Closed
@00xc

Description

@00xc

In image_load_bmp(), the colors_used variable is read from the BMP file header and directly used to read into a fixed-size buffer.

static int                      /* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,    /* I - Image to load into */
               FILE    *fp,     /* I - File to read from */
               int     gray,    /* I - Grayscale image? */
               int     load_data)/* I - 1 = load image data, 0 = just info */
{
  ...
  uchar         colormap[256][4];        /* fixed-size 1024-byte stack buffer */
  ...
  colors_used      = read_dword(fp);     /* taken straight from the file header */
  ...
  fread(colormap, colors_used, 4, fp);   /* reads colors_used * 4 bytes, no bound check */
  ...
}

A maliciously crafted BMP file could set the colors_used variable to a number big enough to overflow the stack and thus the return address. I am attaching a proof of concept below. It can be tested with: ./htmldoc --webpage -f out.pdf ./poc.html

poc.zip
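The fix a maintainer would want here is a bound on `colors_used` against the capacity of the destination buffer before any bytes are read. The following is an added example, not htmldoc's code and not the reporter's proof of concept: it re-implements the colormap read over an in-memory BMP fragment with that check in place, plus a check that the file actually contains as many entries as it claims. `load_colormap_checked`, `BMP_MAX_COLORS`, `le32` and the `demo_*` functions are names chosen for this illustration, and the sample byte strings are constructed, not taken from the attached `poc.zip`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The fixed-size colormap in the report holds at most 256 entries of 4 bytes. */
#define BMP_MAX_COLORS 256

/* Little-endian 32-bit read, the byte order BMP headers use (hypothetical helper). */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened reader (illustration, not htmldoc's code): parses the colors_used
 * dword followed by the colormap from an in-memory BMP fragment. Returns the
 * number of entries copied, or -1 when the header is truncated, claims more
 * entries than the buffer can hold, or is shorter than it claims. */
int load_colormap_checked(const unsigned char *buf, size_t len,
                          unsigned char colormap[BMP_MAX_COLORS][4])
{
    uint32_t colors_used;

    if (len < 4)
        return -1;                      /* truncated header */
    colors_used = le32(buf);

    /* The bound the original code lacks: a value larger than the destination
     * buffer is rejected instead of being handed to fread(). */
    if (colors_used > BMP_MAX_COLORS)
        return -1;

    /* Refuse a file shorter than it claims, so a short read cannot leave
     * uninitialised colormap bytes in use later. */
    if (len - 4 < (size_t)colors_used * 4)
        return -1;

    memset(colormap, 0, BMP_MAX_COLORS * 4);
    memcpy(colormap, buf + 4, (size_t)colors_used * 4);
    return (int)colors_used;
}

/* Constructed sample: a well-formed two-entry colormap is accepted. */
int demo_valid(void)
{
    unsigned char cm[BMP_MAX_COLORS][4];
    unsigned char file[4 + 2 * 4] = {
        0x02, 0x00, 0x00, 0x00,         /* colors_used = 2 */
        0x11, 0x22, 0x33, 0x00,         /* entry 0: B G R reserved */
        0x44, 0x55, 0x66, 0x00          /* entry 1 */
    };
    int n = load_colormap_checked(file, sizeof file, cm);
    return (n == 2 && cm[1][0] == 0x44) ? 1 : 0;
}

/* Constructed sample: a header claiming 0x01000000 entries, the class of value
 * the report describes, is refused before any colormap bytes are read. */
int demo_oversized(void)
{
    unsigned char cm[BMP_MAX_COLORS][4];
    unsigned char file[4] = { 0x00, 0x00, 0x00, 0x01 };
    return load_colormap_checked(file, sizeof file, cm) == -1 ? 1 : 0;
}

/* Constructed sample: a header claiming 3 entries but carrying only one. */
int demo_truncated(void)
{
    unsigned char cm[BMP_MAX_COLORS][4];
    unsigned char file[4 + 4] = {
        0x03, 0x00, 0x00, 0x00,
        0xaa, 0xbb, 0xcc, 0x00
    };
    return load_colormap_checked(file, sizeof file, cm) == -1 ? 1 : 0;
}

int main(void)
{
    printf("valid: %d oversized: %d truncated: %d\n",
           demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The same two checks apply unchanged to the `FILE *` version in the report: compare `colors_used` against `sizeof(colormap) / 4` before calling `fread`, and treat a short return value from `fread` as a load failure rather than continuing with a partially filled colormap.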
