Integer overflow in XBM file loader
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gdk-pixbuf | Fix Released | Medium | |
gdk-pixbuf (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
It's possible to crash any application with a memory allocation error, or potentially corrupt the heap, because the width/height parameters aren't properly verified.

TEST FILE:

```c
#define width 1
#define height -1
static char bits[] = {
```

HOW TO REPRODUCE:

Open the directory containing this file with nautilus. Nautilus should crash on file thumbnailing.

Try to attach this file using Firefox. The Firefox gtk-file-chooser dialog breaks Firefox when it tries to show the picture preview.

Affected source: gdk-pixbuf/io-xbm.c

```
230 bytes_per_line = (ww+7)/8 + padding;
231
232 size = bytes_per_line * hh; // Overflow
233 bits = g_malloc (size);
```

Potential heap corruption:

```
326 ptr = data;
327 for (y = 0; y < h; y++) {
328 bits = 0;
329 for (x = 0; x < w; x++) {
```
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libgdk-pixbuf2.0-0 2.22.0-0ubuntu1
ProcVersionSign
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 25 00:27:06 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
ProcEnviron:
LANG=ru_RU.utf8
SHELL=/bin/bash
SourcePackage: gdk-pixbuf
visibility: private → public
Changed in gdk-pixbuf:
  importance: Unknown → Medium
  status: Unknown → New
Changed in gdk-pixbuf:
  status: New → Fix Released
Changed in gdk-pixbuf (Ubuntu):
  status: Confirmed → Fix Committed
Changed in gdk-pixbuf (Ubuntu):
  importance: Low → Medium
Thanks for this report! Since the w and h variables are unsigned, this is actually "just" a denial of service crash, since the loop that copies out the data will run until it segfaults, so the results aren't controllable.
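As an added example (not gdk-pixbuf's code, and not written by the reporter or the commenter), here is a hypothetical checked version of the size computation quoted in the report. The header's width/height values are parsed as signed numbers so that a negative height is rejected instead of arriving as a huge unsigned count, and the `bytes_per_line * hh` product is checked against `SIZE_MAX` before any allocation. The function names, the `padding` parameter and the two sample headers (`BAD_XBM`, `GOOD_XBM`) are constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample headers: the first mirrors the reporter's test file,
   the second is a well-formed 16x8 bitmap header. (Not real XBM files.) */
static const char BAD_XBM[]  = "#define width 1\n#define height -1\nstatic char bits[] = {\n";
static const char GOOD_XBM[] = "#define foo_width 16\n#define foo_height 8\nstatic char foo_bits[] = {\n";

/* The size computation as quoted in the report, with unsigned dimensions:
   a height of -1 reaches here as UINT_MAX, so the result is a ~4 GiB request
   (or a wrapped value where the size type is narrower), never an error. */
size_t xbm_unchecked_image_size(unsigned int ww, unsigned int hh, unsigned int padding)
{
    size_t bytes_per_line = (ww + 7) / 8 + padding;
    return bytes_per_line * hh;
}

/* Hypothetical checked replacement. Returns 1 and stores the byte count in
   *size_out, or 0 if a dimension is non-positive or any step would overflow. */
int xbm_checked_image_size(long width, long height, size_t padding, size_t *size_out)
{
    if (width <= 0 || height <= 0)            /* reject before any unsigned math */
        return 0;
    size_t ww = (size_t)width, hh = (size_t)height;
    if (ww > SIZE_MAX - 7)                    /* ww + 7 must not wrap */
        return 0;
    size_t bytes_per_line = (ww + 7) / 8;     /* >= 1 because ww >= 1 */
    if (bytes_per_line > SIZE_MAX - padding)  /* + padding must not wrap */
        return 0;
    bytes_per_line += padding;
    if (hh > SIZE_MAX / bytes_per_line)       /* bytes_per_line * hh must fit */
        return 0;
    *size_out = bytes_per_line * hh;
    return 1;
}

/* Parse the "#define <name>width N" / "#define <name>height N" lines of an
   XBM header into signed longs, so a negative value stays visible to the caller. */
int xbm_parse_header(const char *text, long *width, long *height)
{
    int have_w = 0, have_h = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            char name[64];
            long val;
            if (sscanf(line, "#define %63s %ld", name, &val) == 2) {
                size_t n = strlen(name);
                if (n >= 5 && strcmp(name + n - 5, "width") == 0) {
                    *width = val;
                    have_w = 1;
                } else if (n >= 6 && strcmp(name + n - 6, "height") == 0) {
                    *height = val;
                    have_h = 1;
                }
            }
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return have_w && have_h;
}

/* The check a loader would run before g_malloc: parse, then validate. */
int xbm_header_ok(const char *text, size_t *size_out)
{
    long w, h;
    if (!xbm_parse_header(text, &w, &h))
        return 0;
    return xbm_checked_image_size(w, h, 0, size_out);
}

int main(void)
{
    size_t size = 0;
    printf("unchecked (1, -1): %zu bytes\n", xbm_unchecked_image_size(1, (unsigned int)-1, 0));
    int bad_ok = xbm_header_ok(BAD_XBM, &size);
    printf("bad header accepted? %d\n", bad_ok);
    int good_ok = xbm_header_ok(GOOD_XBM, &size);
    printf("good header accepted? %d (%zu bytes)\n", good_ok, size);
    return 0;
}
```

The signed parse is the important design choice: once the value has been stored in an unsigned variable, as the commenter notes happens in the real loader, the sign is gone and a range check on `hh` alone cannot tell `-1` from a legitimately huge image, so the rejection has to happen at parse time or the allocation has to be bounded by an explicit maximum dimension.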