1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71
|
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 1 Apr 2021 08:14:29 -0400
Subject: CVE-2021-26259
Fix a crash bug with bogus table attributes (Issue #417)
Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
Bug: https://github.com/michaelrsweet/htmldoc/issues/417
Bug-Debian: https://bugs.debian.org/989437
---
htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
index bb8a5b9..8804df4 100644
--- a/htmldoc/ps-pdf.cxx
+++ b/htmldoc/ps-pdf.cxx
@@ -6379,6 +6379,9 @@ parse_table(tree_t *t, // I - Tree to parse
table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
else
table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
+
+ if (table_width < 0.0f || table_width > PagePrintWidth)
+ table_width = right - left;
}
else
table_width = right - left;
@@ -6396,19 +6399,31 @@ parse_table(tree_t *t, // I - Tree to parse
DEBUG_printf(("table_width = %.1f\n", table_width));
if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
- table.cellpadding = atoi((char *)var);
+ {
+ if ((table.cellpadding = atoi((char *)var)) < 0.0f)
+ table.cellpadding = 0.0f;
+ else if (table.cellpadding > 20.0f)
+ table.cellpadding = 20.0f;
+ }
else
table.cellpadding = 1.0f;
if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
- cellspacing = atoi((char *)var);
+ {
+ if ((cellspacing = atoi((char *)var)) < 0.0f)
+ cellspacing = 0.0f;
+ else if (cellspacing > 20.0f)
+ cellspacing = 20.0f;
+ }
else
cellspacing = 0.0f;
if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
{
- if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
+ if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
table.border = 1.0f;
+ else if (table.border > 20.0f)
+ table.border = 20.0f;
table.cellpadding += table.border;
}
@@ -6438,7 +6453,7 @@ parse_table(tree_t *t, // I - Tree to parse
table.border_size = table.border - 1.0f;
- cellspacing *= PagePrintWidth / _htmlBrowserWidth;
+ cellspacing *= PagePrintWidth / _htmlBrowserWidth;
table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
table.border *= PagePrintWidth / _htmlBrowserWidth;
table.border_size *= PagePrintWidth / _htmlBrowserWidth;
|