Stack overflow in image_load_bmp() #466

Closed
@Jorgecmartins

Description

Even though BMP support is deprecated, it is still in the codebase and so I think it is worth addressing.

In image_load_bmp(), in image.cxx, there is a stack buffer overflow:

1194        if (color < 0)
1195          temp = getc(fp);
1196        else
1197          temp = color;
...
1205        if (!gray)
1206        {
1207          *ptr++ = colormap[temp][2];
1208          *ptr++ = colormap[temp][1];
1209        }
1210
1211        *ptr++ = colormap[temp][0];

The vulnerability is triggered when temp = getc(fp): since temp has type int, it can have the value -1 (0xffffffff) and go out of bounds in the next lines.

Possible Fix

This issue can be fixed by changing line 1195 to the following:

1195        temp = getc(fp) & 255;

I've attached poc.zip that can trigger the stack overflow.

Steps to reproduce

$ unzip poc.zip
$ # Compiling htmldoc with -fsanitize=address,bounds
$ htmldoc --webpage -f output.pdf poc.html

image.cxx:1207:30: runtime error: index -1 out of bounds for type 'unsigned char [256][4]'
=================================================================
==39858==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc20edb5e at pc 0x561ca104692f bp 0x7ffcc20ed690 sp 0x7ffcc20ed680
READ of size 1 at 0x7ffcc20edb5e thread T0
    #0 0x561ca104692e in image_load_bmp /home/fuzz/fuzzing/htmldoc/htmldoc/image.cxx:1207
    #1 0x561ca104692e in image_load /home/fuzz/fuzzing/htmldoc/htmldoc/image.cxx:837
    #2 0x561ca0f79bf1 in write_image /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:10298
    #3 0x561ca0f84842 in pdf_write_page /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2693
    #4 0x561ca0fbe91e in pdf_write_outpage /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2605
    #5 0x561ca0fbe91e in pdf_write_document /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2319
    #6 0x561ca0fc8e4b in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:910
    #7 0x561ca0ef9067 in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #8 0x7f8a4ab520b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x561ca0ef984d in _start (/home/fuzz/fuzzing/htmldoc/fuzzing/analysis/htmldoc_asan+0x6784d)

Address 0x7ffcc20edb5e is located in stack of thread T0 at offset 1022 in frame
    #0 0x561ca103f5b2 in image_load /home/fuzz/fuzzing/htmldoc/htmldoc/image.cxx:696

  This frame has 9 object(s):
    [48, 52) 'gray' (line 693)
    [64, 72) 'keyptr' (line 704)
    [96, 108) 'rgb' (line 1335)
    [128, 896) 'cmap' (line 1261)
    [1024, 2048) 'colormap' (line 900) <== Memory access at offset 1022 underflows this variable
    [2176, 3248) 'key' (line 703)
    [3376, 3392) 'header' (line 701)
    [3408, 3668) 'buf' (line 466)
    [3744, 4768) 'buf' (line 1260)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/fuzzing/htmldoc/htmldoc/image.cxx:1207 in image_load_bmp
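As an added illustration (not code from the issue or from HTMLDOC), the pixel loop quoted above modelled in C: the `& 255` variant from the proposed fix beside an explicit EOF check, both run over a constructed, deliberately truncated pixel buffer. The names `decode_row`, `decode_pixel_masked`, `decode_pixel_checked` and the sample palette are assumptions for this demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not HTMLDOC code: models the indexed-pixel loop quoted from
 * image_load_bmp(), where each pixel byte indexes a 256-entry colormap. */
typedef unsigned char colormap_t[256][4];

/* Fix proposed in the issue: '& 255' keeps the index inside 0..255, but
 * EOF (-1) becomes palette entry 255, so a truncated file still decodes. */
static int decode_pixel_masked(FILE *fp, colormap_t cm, unsigned char *out)
{
  int temp = getc(fp) & 255;
  out[0] = cm[temp][2]; out[1] = cm[temp][1]; out[2] = cm[temp][0];
  return 1;
}

/* Alternative: test for EOF before indexing and reject truncated input. */
static int decode_pixel_checked(FILE *fp, colormap_t cm, unsigned char *out)
{
  int temp = getc(fp);                 /* int, so EOF is distinguishable */
  if (temp == EOF) return 0;           /* short pixel data: stop decoding */
  out[0] = cm[temp][2]; out[1] = cm[temp][1]; out[2] = cm[temp][0];
  return 1;
}

/* Decode 'width' RGB pixels into out[3*width] from a constructed buffer that
 * is deliberately short (2 pixel bytes for width 4). Returns pixels decoded,
 * or -1 if the in-memory stream could not be opened. */
int decode_row(int width, int masked, unsigned char *out)
{
  static const unsigned char pixels[] = { 0x01, 0x02 };  /* constructed */
  colormap_t cm;
  memset(cm, 0, sizeof cm);
  cm[1][0] = 0x11; cm[2][0] = 0x22; cm[255][0] = 0xFF;  /* byte 0 of entries 1,2,255 */
  FILE *fp = fmemopen((void *)pixels, sizeof pixels, "r");
  if (!fp) return -1;
  int n = 0;
  while (n < width) {
    int ok = masked ? decode_pixel_masked(fp, cm, out + 3 * n)
                    : decode_pixel_checked(fp, cm, out + 3 * n);
    if (!ok) break;
    n++;
  }
  fclose(fp);
  return n;
}
```

Calling `decode_row(4, 1, out)` returns 4 with the last two pixels taken from palette entry 255, while `decode_row(4, 0, out)` returns 2 and leaves the caller to treat the short row as a malformed image.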
