CVE-2021-43579: 
NixOS vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability (CVE-2021-43579) was discovered in HTMLDOC versions 1.9.13 and earlier. The vulnerability exists in the image_load_bmp() function and can be triggered when a victim converts an HTML document that links to a specially crafted BMP file (NVD, Debian Security).

The vulnerability resides in the image_load_bmp() function where the colors_used variable, read from the BMP file header, is directly used to read into a fixed-size buffer without proper bounds checking. The CVSS v3.1 base score is 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (NVD, GitHub Issue).

If successfully exploited, this vulnerability could lead to remote code execution by modifying the instruction pointer through buffer overflow. The attacker could potentially execute arbitrary code with the privileges of the application processing the malicious BMP file (GitHub Issue).

The vulnerability was patched in HTMLDOC version 1.9.13 by adding a check to validate that colors_used does not exceed 256 (GitHub Commit). Users are advised to upgrade to the latest version of HTMLDOC. Debian has also released security updates for affected versions in their distributions (Debian LTS).