
Missing checks for header_info.height and header_info.width in function pnmtoimage in src/bin/jpwl/convert.c, which can lead to heap buffer overflow #1126

Closed
YangY-Xiao opened this issue Jul 26, 2018 · 5 comments


@YangY-Xiao

Function pnmtoimage in src/bin/jpwl/convert.c misses checks for header_info.height and header_info.width, which can lead to heap buffer overflow (see #861).

    memset(&header_info, 0, sizeof(struct pnm_header));

    read_pnm_header(fp, &header_info);

    if (!header_info.ok) {
        fclose(fp);
        return NULL;
    }

    format = header_info.format;

Below is the proposed patch.

    memset(&header_info, 0, sizeof(struct pnm_header));

    read_pnm_header(fp, &header_info);

    if (!header_info.ok) {
        fclose(fp);
        return NULL;
    }
 +    /* This limitation could be removed by making sure to use size_t below */
 +    if (header_info.height != 0 &&
 +            header_info.width > INT_MAX / header_info.height) {
 +        fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n",
 +                header_info.width, header_info.height);
 +        fclose(fp);
 +        return NULL;
 +    }
 +
    format = header_info.format;
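Review bot: The new guard only catches products that exceed INT_MAX and does not reject degenerate dimensions. A `height` of 0 skips the check entirely, and since both fields are printed with `%d` (signed), a negative `width` or `height` also satisfies `width <= INT_MAX / height` and falls through to the rest of the function. Suggest requiring positive values first, e.g. `if (header_info.width <= 0 || header_info.height <= 0 || header_info.width > INT_MAX / header_info.height)`. Also confirm that `<limits.h>` is included in convert.c for `INT_MAX`, and note what the patch's own comment already says: this bounds only the pixel count, so any later multiplication by component count or bytes per sample still needs size_t arithmetic with its own overflow check.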
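As an added example (not code from the OpenJPEG project or from any commenter in this thread), the following C program contrasts an unchecked dimension product, which silently wraps in a fixed-width type and yields an undersized allocation, with the guard the proposed patch introduces, and then carries the full size computation through in size_t as the patch's own comment suggests. The names `struct pnm_dims`, `naive_buffer_size_u32`, `pnm_dims_ok`, `safe_buffer_size` and `alloc_pnm_buffer` are assumptions for illustration; `pnm_dims` is a hypothetical stand-in for the `pnm_header` fields read by `read_pnm_header`.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the header fields read by read_pnm_header(). */
struct pnm_dims {
    int width;
    int height;
    int ncomp;   /* 1 for PGM, 3 for PPM */
};

/* Naive size computation in a fixed-width type: the product wraps modulo
 * 2^32, so a huge image yields a tiny (or zero) allocation. */
uint32_t naive_buffer_size_u32(uint32_t width, uint32_t height, uint32_t ncomp)
{
    return width * height * ncomp;   /* e.g. 65536*65536*1 wraps to 0 */
}

/* Same guard as the proposed patch (width*height must not exceed INT_MAX),
 * extended to reject zero and negative values so the division is well
 * defined. Returns 1 if the dimensions are acceptable, 0 otherwise. */
int pnm_dims_ok(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    if (width > INT_MAX / height)
        return 0;
    return 1;
}

/* Compute the byte size of the sample buffer in size_t with an explicit
 * overflow check before every multiplication. Returns 0 on success and -1
 * on rejection; *out is left untouched on failure. */
int safe_buffer_size(const struct pnm_dims *d, size_t bytes_per_sample, size_t *out)
{
    size_t n;
    if (!pnm_dims_ok(d->width, d->height) || d->ncomp <= 0 || bytes_per_sample == 0)
        return -1;
    n = (size_t)d->width * (size_t)d->height;   /* fits: product <= INT_MAX */
    if ((size_t)d->ncomp > SIZE_MAX / n)
        return -1;
    n *= (size_t)d->ncomp;
    if (bytes_per_sample > SIZE_MAX / n)
        return -1;
    *out = n * bytes_per_sample;
    return 0;
}

/* Allocate the sample buffer only after the size has been validated. */
unsigned char *alloc_pnm_buffer(const struct pnm_dims *d, size_t bytes_per_sample)
{
    size_t sz;
    if (safe_buffer_size(d, bytes_per_sample, &sz) != 0) {
        fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n", d->width, d->height);
        return NULL;
    }
    return calloc(sz, 1);
}

int main(void)
{
    /* Constructed inputs: 2^32 pixels, and an ordinary 640x480 RGB image. */
    struct pnm_dims huge = { 65536, 65536, 1 };
    struct pnm_dims small = { 640, 480, 3 };
    unsigned char *buf;

    printf("naive u32 size for 65536x65536x1: %lu bytes\n",
           (unsigned long)naive_buffer_size_u32(65536, 65536, 1));
    buf = alloc_pnm_buffer(&huge, 1);
    printf("checked alloc for 65536x65536x1: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    buf = alloc_pnm_buffer(&small, 1);
    printf("checked alloc for 640x480x3: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The order of the checks matters: the positivity test must come before the division by `height`, and every size_t multiplication is guarded with `a > SIZE_MAX / b` before it is performed, so no intermediate result ever wraps.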
@fcolista

Any update on this?

@Necklaces

The update is that the patch has been applied: 619e1b0

But there has yet to be a release so most if not all package repositories are still affected.

@fcolista

Thanks.
Sorry, but really it took 8 months to apply a security patch?

@Necklaces

This issue was made Jul 26, 2018, and the patch was applied Nov 23, 2018, so 'bout five months? Over 8 months if you count the fact that a new release hasn't been made. Don't see any coming soon, either.

@jubalh

jubalh commented Mar 29, 2019

CVE-2018-16375 got assigned to this.
Since 619e1b0 is applied I assume this can be closed?
