From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 31 Mar 2021 20:18:00 -0400
Subject: Fix crash bug with bad GIFs (Issue #423)
CVE-2021-20308
Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6a8322a718b2ba5c440bd33e6f26d9e281c39654
Bug: https://github.com/michaelrsweet/htmldoc/issues/423
Bug-Debian: https://bugs.debian.org/#984765
---
htmldoc/image.cxx | 3 +++
1 file changed, 3 insertions(+)
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 68d6b92..8f53050 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -1245,6 +1245,9 @@ image_load_gif(image_t *img, /* I - Image pointer */
img->height = (buf[9] << 8) | buf[8];
ncolors = 2 << (buf[10] & 0x07);
+ if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+ return (-1);
+
// If we are writing an encrypted PDF file, bump the use count so we create
// an image object (Acrobat 6 bug workaround)
if (Encryption)
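Review bot: The added check validates only the dimensions taken from the GIF header at the top of this hunk. image_load_gif continues outside the hunk, so if it later reassigns `img->width` / `img->height` from a per-image descriptor, those values need the same validation before use. The limit 32767 appears twice as a bare literal with no explanation; a named constant and a comment such as `// Reject empty or oversized GIF dimensions before they are used below` would make the policy explicit. If `buf` is an unsigned byte buffer (its declaration is not visible here), `<= 0` can only mean zero, so the upper bound is the check that carries the weight. The bare `return (-1);` also emits no diagnostic, so a rejected malformed file looks like any other load failure during triage.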