Integer overflow in XBM file loader

Bug #681150 reported by Sergey Nizovtsev
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Fix Released
gdk-pixbuf (Ubuntu)
Fix Released

Bug Description

It's possible to crash any application with memory allocation error, or potentially corrupt heap because width/height parameters isn't properly verified.

#define width 1
#define height -1
static char bits[] = {

Open directory containing this file with nautilus. Nautilus should crash on file thumbnailing.
Try to attach this file using Firefox. Firefox gtk-file-chooser dialog breaks firefox when it trying to show picture preview.

Affected source: gdk-pixbuf/io-xbm.c
230 bytes_per_line = (ww+7)/8 + padding;
232 size = bytes_per_line * hh; // Overflow
233 bits = g_malloc (size);

Potential heap corruption:
326 ptr = data;
327 for (y = 0; y < h; y++) {
328 bits = 0;
329 for (x = 0; x < w; x++) {

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libgdk-pixbuf2.0-0 2.22.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 25 00:27:06 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
SourcePackage: gdk-pixbuf

Revision history for this message
Sergey Nizovtsev (snizovtsev) wrote :
visibility: private → public
Revision history for this message
Kees Cook (kees) wrote :

Thanks for this report! Since the w and h variables are unsigned, this is actually "just" a denial of service crash, since the loop that copies out the data will run until it segfaults, so the results aren't controllable.

Changed in gdk-pixbuf (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
security vulnerability: yes → no
Revision history for this message
Denis Pauk (pauk-denis) wrote :

Additional check for values width and height.

Also look as this bug also specific to libXmu: but for Xorg exist check for allocation result and works without crash.

Revision history for this message
Denis Pauk (pauk-denis) wrote :

Patch with checks

Revision history for this message
Denis Pauk (pauk-denis) wrote :

I previously attach wrong file. This correct.

Revision history for this message
Denis Pauk (pauk-denis) wrote :

With limit to G_MAXINT16

Revision history for this message
Denis Pauk (pauk-denis) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "681150.diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in gdk-pixbuf:
importance: Unknown → Medium
status: Unknown → New
Revision history for this message
Denis Pauk (pauk-denis) wrote :

Fixes after CR

Changed in gdk-pixbuf:
status: New → Fix Released
Changed in gdk-pixbuf (Ubuntu):
status: Confirmed → Fix Committed
Martin Pitt (pitti)
Changed in gdk-pixbuf (Ubuntu):
importance: Low → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdk-pixbuf - 2.26.1-1

gdk-pixbuf (2.26.1-1) unstable; urgency=low

  * New upstream bug fix release:
    - Fix srcdir != builddir build.
    - Avoid an integer overflow in the xbm loader. (LP: #681150)
    - Translation updates.
  * debian/ Prefer building against libpng-dev over libpng12-dev,
    to be prepared for the libpng 1.5 transition. (Closes: #662344)
  * debian/ Bump Standards-Version to 3.9.3 (no changes necessary).

gdk-pixbuf (2.26.0-2) unstable; urgency=low

  * Upload to unstable.
 -- Martin Pitt <email address hidden> Mon, 16 Apr 2012 07:21:41 +0200

Changed in gdk-pixbuf (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.