From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Sat, 11 Sep 2021 18:12:33 -0400
Subject: CVE-2021-40985
Fix BMP crash bug (Issue #444)
---
htmldoc/image.cxx | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 74abfac..caa764d 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -900,6 +900,9 @@ image_load_bmp(image_t *img, /* I - Image to load into */
colors_used = (int)read_dword(fp);
read_dword(fp);
+ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
+ return (-1);
+
if (info_size > 40)
for (info_size -= 40; info_size > 0; info_size --)
getc(fp);
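Review bot: The added guard after `read_dword(fp)` bounds width and height, but colors_used, read from the file two lines above it and passed as the element count to `fread(colormap, (size_t)colors_used, 4, fp)` in the next hunk, is not bounded anywhere in this change; if colormap is a fixed-size table (its declaration is outside the hunk) a negative or oversized value would still read past it, so a companion check such as `if (colors_used < 0 || colors_used > 256) return (-1);` belongs next to the new one, with 256 replaced by colormap's actual capacity. The limit 8192 is also an unexplained magic number written twice; a comment like `// Reject implausible dimensions before they size the pixel buffers; 8192 is an arbitrary sanity ceiling` or a named constant would record why that value was chosen. image_load_bmp begins before this hunk, so where width and height are read from the file is not visible here.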
@@ -911,7 +914,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
fread(colormap, (size_t)colors_used, 4, fp);
// Setup image and buffers...
- img->depth = gray ? 1 : 3;
+ img->depth = gray ? 1 : 3;
// If this image is indexed and we are writing an encrypted PDF file, bump the use count so
// we create an image object (Acrobat 6 bug workaround)
@@ -1061,7 +1064,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
if (bit == 0xf0)
{
if (color < 0)
- temp = getc(fp);
+ temp = getc(fp) & 255;
else
temp = color;
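Review bot: `temp = getc(fp) & 255;` keeps temp within 0..255 but also turns an EOF result (-1) into 0xFF, so a truncated file is now silently decoded as a valid byte instead of being rejected. Checking the read explicitly, `if ((temp = getc(fp)) == EOF) return (-1);` (or whatever error path the surrounding loop uses), gives the same range guarantee while surfacing the truncation the way the dimension check earlier in this change does; if continuing past EOF is intentional here, a short comment saying so would help the next reader. The enclosing if/else and the rest of image_load_bmp run outside this hunk, so how temp is consumed is not visible here.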