An "ico" file contains both a pixmap with colors of pixels (XOR-mask) and also another pixmap (AND-mask) with pixels' transparency data. In the latter pixmap 1 bit is allocated for each pixel of pixbuf.

According to the source code of the function (file: gtk+-2.14.4/gdk-pixbuf/io-ico.c)
static gboolean fill_entry (IconEntry *icon,
GdkPixbuf *pixbuf, gint hot_x, gint hot_y, GError **error)

rowstride of AND-mask is set up equal to (width / 8), where width is the width of the pixbuf. It is only aligned at 4 bytes boundary:

icon->and_rowstride = icon->width / 8;
if ((icon->and_rowstride % 4) != 0) 		
    icon->and_rowstride = 4 * ((icon->and_rowstride / 4) + 1);
icon->and = g_new0 (guchar, icon->and_rowstride * icon->height);

When the width of the pixbuf is not a multiple of 8, writing past the end of the line occurs. For the last line it can result in writing outside of the allocated memory buffer for the AND-mask.

Because gdk_pixbuf_save() and gdk_pixbuf_savev() are implemented via this function, call of them in some cases may lead to unpredictable results, up to sigfault.

The detailed bug description can be found at: 

http://linuxtesting.org/results/report?num=S0683