GNOME Bugzilla – Bug 150601
Bad BMP files can cause gdk-pixbuf loader to sit in an infinite loop
Last modified: 2010-07-10 04:05:21 UTC
http://scary.beasts.org/security/CESA-2004-004.txt details some bugs in the qt bmp parser. The referenced bad.bmp sends the gdk-pixbuf bmp loader into an infinite loop. It looks like 1c is also a problem in the loader, but I'm not sure.
Created attachment 30767 [details] Problem bmp file
Created attachment 30768 [details] [review] Simple patch to make the bad bmp file not cause an infinite loop

This lets the file load normally for me, but I really don't know much about the bmp format, so I have no idea if this is correct.
As this is a different flaw to Qt, it needs a separate CVE name (even though it shares the same trigger): CAN-2004-0753
Your patch looks correct to me, with the caveat that we perhaps should be pickier than we are now (just filed bug 150648. Also bug 150664, which I noticed when looking at the code.) Added a big comment:

    /* context->compr.y might be past the last line because we are
     * on padding past the end of valid data, or we might have hit
     * out-of-bounds data. Either way we just eat-and-ignore the
     * rest of the file. Doing the check only here and not when
     * we change y below is fine since BufferSize is always 2 here
     * and the BMP file format always starts new data on 16-bit
     * boundaries. */

Fri Aug 20 11:59:10 2004  Owen Taylor  <otaylor@redhat.com>

        * io-bmp.c: Fix infinite loop that can occur for bad image data
        (#150601, Chris Evans, Manish Singh)
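The check the comment above describes, as a stand-alone added example (editor's code, not gdk-pixbuf's io-bmp.c and not the attached patch): a small BI_RLE8 decoder that consumes the compressed stream in 16-bit records and, before writing any pixel, refuses to go on once y is past the last line, so padding or out-of-bounds data after the image just ends decoding instead of being chased further. The record kinds (run, end-of-line, end-of-bitmap, delta, absolute mode padded to a 16-bit boundary) are the standard BMP RLE8 encoding; the function names, status codes and the two sample byte streams are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of decoding one BI_RLE8 pixel array (illustrative names). */
enum rle8_status { RLE8_OK = 0, RLE8_TRUNCATED = 1, RLE8_OUT_OF_BOUNDS = 2 };

/* Decode a BI_RLE8 pixel array into out[width * height] (top-down in memory;
 * the stream itself is bottom-up, as BMP stores it).  out is zero-filled
 * first, so rows the stream never reaches stay at palette index 0.
 * Every record is a 16-bit pair, so the bounds check is made per record:
 * a record that would write while y is already past the last line ends
 * decoding (the remaining bytes are ignored) rather than being chased. */
enum rle8_status decode_rle8(const uint8_t *data, size_t len,
                             int width, int height, uint8_t *out)
{
    size_t pos = 0;
    int x = 0, y = 0;               /* y == 0 is the bottom row of the image */

    memset(out, 0, (size_t)width * (size_t)height);

    while (pos + 2 <= len) {
        uint8_t count = data[pos], value = data[pos + 1];
        uint8_t *row;
        pos += 2;

        if (count > 0) {            /* encoded run: 'count' copies of 'value' */
            if (y >= height || x + count > width)
                return RLE8_OUT_OF_BOUNDS;
            row = out + (size_t)(height - 1 - y) * (size_t)width;
            memset(row + x, value, count);
            x += count;
            continue;
        }
        switch (value) {
        case 0:                     /* end of line: move up one row */
            x = 0;
            y++;
            break;
        case 1:                     /* end of bitmap */
            return RLE8_OK;
        case 2:                     /* delta: move right dx, up dy */
            if (pos + 2 > len)
                return RLE8_TRUNCATED;
            if (x + data[pos] > width || y + data[pos + 1] > height)
                return RLE8_OUT_OF_BOUNDS;
            x += data[pos];
            y += data[pos + 1];
            pos += 2;
            break;
        default: {                  /* absolute mode: 'value' literal bytes, 16-bit padded */
            size_t n = value, padded = (n + 1) & ~(size_t)1;
            if (pos + padded > len)
                return RLE8_TRUNCATED;
            if (y >= height || x + (int)n > width)
                return RLE8_OUT_OF_BOUNDS;
            row = out + (size_t)(height - 1 - y) * (size_t)width;
            memcpy(row + x, data + pos, n);
            x += (int)n;
            pos += padded;
            break;
        }
        }
    }
    return RLE8_OK;                 /* data ran out without an end-of-bitmap escape */
}

/* Constructed 4x2 sample: bottom row is a run of 0x11; top row is three
 * literal bytes plus a one-pixel run; then end-of-line and end-of-bitmap. */
static const uint8_t GOOD_STREAM[] = {
    0x04, 0x11,  0x00, 0x00,
    0x00, 0x03, 0x21, 0x22, 0x23, 0x00,  0x01, 0x24,  0x00, 0x00,  0x00, 0x01
};
/* Constructed malformed sample: three end-of-line escapes on a 2-row image
 * push y past the last line, then a run record tries to write anyway. */
static const uint8_t OVERRUN_STREAM[] = {
    0x04, 0x11,  0x00, 0x00,  0x00, 0x00,  0x00, 0x00,  0x04, 0x22
};
/* Constructed sample whose absolute-mode record is cut off mid-way. */
static const uint8_t SHORT_STREAM[] = { 0x00, 0x03, 0x21 };

/* 1 if the well-formed sample decodes to the expected 4x2 pixel block. */
int demo_good_stream(void)
{
    static const uint8_t expect[8] = { 0x21,0x22,0x23,0x24, 0x11,0x11,0x11,0x11 };
    uint8_t out[8];
    return decode_rle8(GOOD_STREAM, sizeof GOOD_STREAM, 4, 2, out) == RLE8_OK
        && memcmp(out, expect, sizeof out) == 0;
}
/* 1 if the overrun sample stops at the bounds check with the bottom row intact. */
int demo_overrun_stream(void)
{
    uint8_t out[8];
    return decode_rle8(OVERRUN_STREAM, sizeof OVERRUN_STREAM, 4, 2, out)
               == RLE8_OUT_OF_BOUNDS && out[4] == 0x11 && out[0] == 0x00;
}
/* Status returned for the cut-off sample. */
int demo_short_stream(void)
{
    uint8_t out[8];
    return (int)decode_rle8(SHORT_STREAM, sizeof SHORT_STREAM, 4, 2, out);
}

int main(void)
{
    printf("good stream:    %s\n", demo_good_stream() ? "decoded as expected" : "mismatch");
    printf("overrun stream: %s\n", demo_overrun_stream() ? "stopped at image bounds" : "unexpected");
    printf("short stream:   %s\n", demo_short_stream() == RLE8_TRUNCATED ? "truncated" : "unexpected");
    return 0;
}
```

The point worth noticing is where the check sits: because every record is two bytes and a new record always starts on a 16-bit boundary, testing y against the height once per record (rather than at every place y changes) is enough to guarantee that no pixel write happens past the last line, which is the same reasoning the io-bmp.c comment gives for doing the check in one place.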