Ubuntu

Integer overflow in XBM file loader

Reported by Sergey Nizovtsev on 2010-11-24
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
gdk-pixbuf
Fix Released
Medium
gdk-pixbuf (Ubuntu)
Medium
Unassigned

Bug Description

It's possible to crash any application with memory allocation error, or potentially corrupt heap because width/height parameters isn't properly verified.

TEST FILE:
#define width 1
#define height -1
static char bits[] = {

HOW TO REPRODUCE:
Open directory containing this file with nautilus. Nautilus should crash on file thumbnailing.
Try to attach this file using Firefox. Firefox gtk-file-chooser dialog breaks firefox when it trying to show picture preview.

Affected source: gdk-pixbuf/io-xbm.c
230 bytes_per_line = (ww+7)/8 + padding;
231
232 size = bytes_per_line * hh; // Overflow
233 bits = g_malloc (size);

Potential heap corruption:
326 ptr = data;
327 for (y = 0; y < h; y++) {
328 bits = 0;
329 for (x = 0; x < w; x++) {

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libgdk-pixbuf2.0-0 2.22.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 25 00:27:06 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
ProcEnviron:
 LANG=ru_RU.utf8
 SHELL=/bin/bash
SourcePackage: gdk-pixbuf

Sergey Nizovtsev (snizovtsev) wrote :
visibility: private → public
Kees Cook (kees) wrote :

Thanks for this report! Since the w and h variables are unsigned, this is actually "just" a denial of service crash, since the loop that copies out the data will run until it segfaults, so the results aren't controllable.

Changed in gdk-pixbuf (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
security vulnerability: yes → no
Denis Pauk (pauk-denis) wrote :

Additional check for values width and height.

Also look as this bug also specific to libXmu: http://cgit.freedesktop.org/xorg/lib/libXmu/tree/src/RdBitF.c but for Xorg exist check for allocation result and works without crash.

Denis Pauk (pauk-denis) wrote :

Patch with checks

Denis Pauk (pauk-denis) wrote :

I previously attach wrong file. This correct.

Denis Pauk (pauk-denis) wrote :

With limit to G_MAXINT16

The attachment "681150.diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in gdk-pixbuf:
importance: Unknown → Medium
status: Unknown → New
Denis Pauk (pauk-denis) wrote :

Fixes after CR

Changed in gdk-pixbuf:
status: New → Fix Released
Changed in gdk-pixbuf (Ubuntu):
status: Confirmed → Fix Committed
Martin Pitt (pitti) on 2012-04-16
Changed in gdk-pixbuf (Ubuntu):
importance: Low → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdk-pixbuf - 2.26.1-1

---------------
gdk-pixbuf (2.26.1-1) unstable; urgency=low

  * New upstream bug fix release:
    - Fix srcdir != builddir build.
    - Avoid an integer overflow in the xbm loader. (LP: #681150)
    - Translation updates.
  * debian/control.in: Prefer building against libpng-dev over libpng12-dev,
    to be prepared for the libpng 1.5 transition. (Closes: #662344)
  * debian/control.in: Bump Standards-Version to 3.9.3 (no changes necessary).

gdk-pixbuf (2.26.0-2) unstable; urgency=low

  * Upload to unstable.
 -- Martin Pitt <email address hidden> Mon, 16 Apr 2012 07:21:41 +0200

Changed in gdk-pixbuf (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.