File htmldoc.openSUSE_Backports_SLE-12-SP1-CVE-2021-40985.patch of Package htmldoc.17396
From f12b9666e582a8e7b70f11b28e5ffc49ad625d43 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Sat, 11 Sep 2021 18:12:33 -0400
Subject: [PATCH] Fix BMP crash bug (Issue #444)
Index: htmldoc-1.8.28/htmldoc/image.cxx
===================================================================
--- htmldoc-1.8.28.orig/htmldoc/image.cxx 2021-11-05 10:09:39.627468966 +0100
+++ htmldoc-1.8.28/htmldoc/image.cxx 2021-11-05 10:09:39.635469013 +0100
@@ -926,6 +926,9 @@ image_load_bmp(image_t *img, /* I - Imag
colors_used = read_dword(fp);
read_dword(fp);
+ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
+ return (-1);
+
if (info_size > 40)
for (info_size -= 40; info_size > 0; info_size --)
getc(fp);
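Review bot: The new bounds check at the top of this hunk validates only `img->width` and `img->height`, while `colors_used`, read from the same untrusted header two lines earlier, is still passed to `fread(colormap, colors_used, 4, fp)` in the next hunk's context with no bound visible on this page. If nothing between the hunks limits it, a crafted header can make that read overrun `colormap`; a guard such as `if (colors_used < 0 || colors_used > 256) return (-1);` next to the dimension check would close it, where 256 is a stand-in for the array's real entry count, which is not shown here. The skip loop after the check also calls `getc(fp)` up to `info_size - 40` times without testing for EOF, so a very large `info_size` on a short file keeps looping instead of failing. `image_load_bmp` begins and ends outside the hunk, so whether the early return needs any cleanup cannot be confirmed from here.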
@@ -937,7 +940,7 @@ image_load_bmp(image_t *img, /* I - Imag
fread(colormap, colors_used, 4, fp);
// Setup image and buffers...
- img->depth = gray ? 1 : 3;
+ img->depth = gray ? 1 : 3;
// If this image is indexed and we are writing an encrypted PDF file, bump the use count so
// we create an image object (Acrobat 6 bug workaround)
@@ -1087,7 +1090,7 @@ image_load_bmp(image_t *img, /* I - Imag
if (bit == 0xf0)
{
if (color < 0)
- temp = getc(fp);
+ temp = getc(fp) & 255;
else
temp = color;
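Review bot: Masking with `& 255` in `temp = getc(fp) & 255;` keeps the value in byte range, but it also turns `EOF` (-1) into 0xff, so a truncated file is decoded as pixel data instead of being rejected. Reading into `temp` first and testing it, e.g. `if ((temp = getc(fp)) == EOF) return (-1);`, would stop at the end of input. Whether a bare return is safe at this point depends on buffers allocated earlier in `image_load_bmp`, which lie outside the hunk. Other `getc(fp)` calls in this decoder presumably need the same treatment, though only this one is visible here.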