File: CVE-2021-26259.patch

package info (click to toggle)
htmldoc 1.9.3-1%2Bdeb10u4
  • links: PTS
  • area: main
  • in suites: buster
  • size: 15,224 kB
  • sloc: ansic: 67,846; cpp: 24,380; makefile: 352; sh: 149; java: 59; php: 36; xml: 10; perl: 7
file content (69 lines) | stat: -rw-r--r-- 2,291 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
 
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 1 Apr 2021 08:14:29 -0400
Subject: CVE-2021-26259

Fix a crash bug with bogus table attributes (Issue #417)

Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
Bug: https://github.com/michaelrsweet/htmldoc/issues/417
Bug-Debian: https://bugs.debian.org/989437
---
 htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

--- a/htmldoc/ps-pdf.cxx
+++ b/htmldoc/ps-pdf.cxx
@@ -6276,6 +6276,9 @@
       table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
     else
       table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
+
+    if (table_width < 0.0f || table_width > PagePrintWidth)
+      table_width = right - left;
   }
   else
     table_width = right - left;
@@ -6293,19 +6296,31 @@
   DEBUG_printf(("table_width = %.1f\n", table_width));
 
   if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
-    table.cellpadding = atoi((char *)var);
+  {
+    if ((table.cellpadding = atoi((char *)var)) < 0.0f)
+      table.cellpadding = 0.0f;
+    else if (table.cellpadding > 20.0f)
+      table.cellpadding = 20.0f;
+  }
   else
     table.cellpadding = 1.0f;
 
   if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
-    cellspacing = atoi((char *)var);
+  {
+    if ((cellspacing = atoi((char *)var)) < 0.0f)
+      cellspacing = 0.0f;
+    else if (cellspacing > 20.0f)
+      cellspacing = 20.0f;
+  }
   else
     cellspacing = 0.0f;
 
   if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
   {
-    if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
+    if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
       table.border = 1.0f;
+    else if (table.border > 20.0f)
+      table.border = 20.0f;
 
     table.cellpadding += table.border;
   }
@@ -6335,7 +6350,7 @@
 
   table.border_size = table.border - 1.0f;
 
-  cellspacing *= PagePrintWidth / _htmlBrowserWidth;
+  cellspacing       *= PagePrintWidth / _htmlBrowserWidth;
   table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
   table.border      *= PagePrintWidth / _htmlBrowserWidth;
   table.border_size *= PagePrintWidth / _htmlBrowserWidth;