Out-of-bounds Read in michaelrsweet/htmldoc


Reported on

Dec 20th 2021


In gif_read_image, in image.cxx, gif_read_lzw might return a value greater than 255, which results in an out of bounds read, leading to denial of service.

typedef uchar   gif_cmap_t[256][3];

/* ... */

static int              /* I - 0 = success, -1 = failure */
gif_read_image(FILE       *fp,      /* I - Input file */
           image_t    *img,     /* I - Image pointer */
           gif_cmap_t cmap,     /* I - Colormap */
           int        interlace,    /* I - Non-zero = interlaced image */
           int        transparent)  /* I - Transparent color */
/* ... */
  while ((pixel = gif_read_lzw(fp, 0, code_size)) >= 0)
    temp[0] = cmap[pixel][0];  // <------- this overflows when pixel >= 256
/* ... */

Proof of Concept

  1. git clone https://github.com/michaelrsweet/htmldoc && cd htmldoc
  2. ./configure && make -j(nproc)
  3. ./htmldoc/htmldoc --webpage -f out.pdf ./poc.html

The previous steps cause a segmentation fault. Tested at commit 753c71b.

Download PoC here.


This vulnerability is capable of crashing the application when parsing a GIF image embedded in an HTML document.

We are processing your report and will contact the michaelrsweet/htmldoc team within 24 hours. 2 years ago
We have contacted a member of the michaelrsweet/htmldoc team and are waiting to hear back 2 years ago
Michael R Sweet
2 years ago


Please report HTMLDOC bugs using the Github issue tracker.

Michael R Sweet validated this vulnerability 2 years ago
00xc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Michael R Sweet
2 years ago


[master e4a335e] Fix a potential stack overflow bug with GIF images.

Michael R Sweet marked this as fixed in master with commit e4a335 2 years ago
Michael R Sweet has been awarded the fix bounty
Carlos López
2 years ago


Thanks for the prompt response Michael. I am not sure if I can report a vulnerability both through here and through the upstream issue tracker, as it is a public source; @admin is this allowed? If it is not, I can always open an issue after the fact, just for tracking purposes.

Jamie Slome
2 years ago

@00xc - the maintainer has opted their repositories out of our disclosure program.

Please follow the processes expressed in their repositories.

to join this conversation