Overview

File htmldoc-CVE-2022-27114.patch of Package htmldoc.17490

Index: htmldoc-1.9.12/htmldoc/image.cxx
===================================================================
--- htmldoc-1.9.12.orig/htmldoc/image.cxx
+++ htmldoc-1.9.12/htmldoc/image.cxx
@@ -26,6 +26,13 @@ extern "C" {		/* Workaround for JPEG hea
 
 
 /*
+ * Limits...
+ */
+
+#define IMAGE_MAX_DIM	37837		// Maximum dimension - sqrt(4GiB / 3)
+
+
+/*
  * GIF definitions...
  */
 
@@ -926,7 +933,7 @@ image_load_bmp(image_t *img,	/* I - Imag
   colors_used      = (int)read_dword(fp);
   read_dword(fp);
 
-  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
     return (-1);
 
   if (info_size > 40)
@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img,	/* I - Imag
   img->height = (buf[9] << 8) | buf[8];
   ncolors     = 2 << (buf[10] & 0x07);
 
-  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
     return (-1);
 
   // If we are writing an encrypted PDF file, bump the use count so we create
@@ -1359,6 +1366,9 @@ image_load_gif(image_t *img,	/* I - Imag
 	  if (!load_data)
 	    return (0);
 
+	  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+            return (-1);
+
           img->pixels = (uchar *)malloc((size_t)(img->width * img->height * img->depth));
           if (img->pixels == NULL)
             return (-1);
@@ -1439,6 +1449,12 @@ JSAMPROW			row;		/* Sample row pointer *
   img->height = (int)cinfo.output_height;
   img->depth  = (int)cinfo.output_components;
 
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+  {
+    jpeg_destroy_decompress(&cinfo);
+    return (-1);
+  }
+
   if (!load_data)
   {
     jpeg_destroy_decompress(&cinfo);
@@ -1593,6 +1609,12 @@ image_load_png(image_t *img,	/* I - Imag
   img->width  = (int)png_get_image_width(pp, info);
   img->height = (int)png_get_image_height(pp, info);
 
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+  {
+    png_destroy_read_struct(&pp, &info, NULL);
+    return (-1);
+  }
+
   if (color_type & PNG_COLOR_MASK_ALPHA)
   {
     if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
openSUSE Build Service is sponsored by
Places