A biWidth*biBitCnt integer overflow in input-bmp.c in autotrace 0.31.1 allows attackers to provide an unexpected input value to malloc via a malformed bitmap image. References: https://github.com/autotrace/autotrace/commits/master https://github.com/autotrace/autotrace/commits/master/src/input-bmp.c https://github.com/autotrace/autotrace/pull/40
Created autotrace tracking bugs for this issue: Affects: fedora-all [bug 1945034]
There's no upstream fix for that, although the pull request was created it was never committed.
A crafted image with big width or bit counting can cause the bytes per row counting in input_bmp_header() to overflow. This value is further used in ReadImage() as parameter for the malloc() function through XMALLOC wrapper macro. As malloc's size parameter is handled as unsigned always, an eventual overflow on bytes per row variable will be handled as close to MAX_SIZE_T and probably failing the memory allocation, leading malloc() to return a NULL pointer. The XMALLOC macro assert's the malloc's returned pointer and finishes the process in such scenario, causing a DoS for the application consuming autotrace library.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4519 https://access.redhat.com/errata/RHSA-2021:4519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19004