Merge pull request #19118 from atm-florianm/FIX_12.0_tcpdf_issue_315_roman_numeral_bomb_vulnerability

FIX tcpdf roman numeral rendering bomb, cf. tecnickom/TCPDF PR 315

dev/dolibarr_changes.txt

@@ -175,6 +175,18 @@ In htdocs/includes/tecnickcom/tcpdf/tcpdf.php
 -       protected $default_monospaced_font = 'courier';
 +       protected $default_monospaced_font = 'freemono';
 
+* In tecnickcom/tcpdf/include/tcpdf_static, in function intToRoman, right at the beginning
+  of the function, replace:
+
+		$roman = '';
+
+with:
+
+		$roman = '';
+		if ($number >= 4000) {
+			// do not represent numbers above 4000 in Roman numerals
+			return strval($number);
+		}
 
 
 

htdocs/includes/tecnickcom/tcpdf/include/tcpdf_static.php

@@ -1440,6 +1440,10 @@ class TCPDF_STATIC {
 	 */
 	public static function intToRoman($number) {
 		$roman = '';
+		if ($number >= 4000) {
+			// do not represent numbers above 4000 in Roman numerals
+			return strval($number);
+		}
 		while ($number >= 1000) {
 			$roman .= 'M';
 			$number -= 1000;