From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 1 Apr 2021 08:14:29 -0400
Subject: CVE-2021-26259

Fix a crash bug with bogus table attributes (Issue #417)

Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
Bug: https://github.com/michaelrsweet/htmldoc/issues/417
Bug-Debian: https://bugs.debian.org/989437
---
 htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
index bb8a5b9..8804df4 100644
--- a/htmldoc/ps-pdf.cxx
+++ b/htmldoc/ps-pdf.cxx
@@ -6379,6 +6379,9 @@ parse_table(tree_t *t,			// I - Tree to parse
       table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
     else
       table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
+
+    if (table_width < 0.0f || table_width > PagePrintWidth)
+      table_width = right - left;
   }
   else
     table_width = right - left;
@@ -6396,19 +6399,31 @@ parse_table(tree_t *t,			// I - Tree to parse
   DEBUG_printf(("table_width = %.1f\n", table_width));
 
   if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
-    table.cellpadding = atoi((char *)var);
+  {
+    if ((table.cellpadding = atoi((char *)var)) < 0.0f)
+      table.cellpadding = 0.0f;
+    else if (table.cellpadding > 20.0f)
+      table.cellpadding = 20.0f;
+  }
   else
     table.cellpadding = 1.0f;
 
   if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
-    cellspacing = atoi((char *)var);
+  {
+    if ((cellspacing = atoi((char *)var)) < 0.0f)
+      cellspacing = 0.0f;
+    else if (cellspacing > 20.0f)
+      cellspacing = 20.0f;
+  }
   else
     cellspacing = 0.0f;
 
   if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
   {
-    if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
+    if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
       table.border = 1.0f;
+    else if (table.border > 20.0f)
+      table.border = 20.0f;
 
     table.cellpadding += table.border;
   }
@@ -6438,7 +6453,7 @@ parse_table(tree_t *t,			// I - Tree to parse
 
   table.border_size = table.border - 1.0f;
 
-  cellspacing *= PagePrintWidth / _htmlBrowserWidth;
+  cellspacing       *= PagePrintWidth / _htmlBrowserWidth;
   table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
   table.border      *= PagePrintWidth / _htmlBrowserWidth;
   table.border_size *= PagePrintWidth / _htmlBrowserWidth;