GNOME Bugzilla – Bug 768738
Integer overflow in DecodeHeader
Last modified: 2019-03-06 17:10:21 UTC
We received the report on security@gnome.org from Hanno Boeck:

A BMP image with a large image width can cause an overflow in the calculation of State->LineWidth in the function DecodeHeader(). This is the code:

    if (State->Type == 32)
        State->LineWidth = State->Header.width * 4;
    else if (State->Type == 24)
        State->LineWidth = State->Header.width * 3;
    [...] (more lines for other bits per pixel sizes)

If State->Header.width * [whatever] is bigger than 2^32, this will cause an overflow, subsequently skipping sanity checks and causing invalid memory reads in Oneline32.

I have attached a BMP sample file that will trigger this bug. gdk-pixbuf needs to be compiled with address sanitizer to show the bug. I'll also attach the address sanitizer error message.

Also attached is a proposed patch to fix the issue. I have unified the if-block for all cases where the bits per pixel are one byte or more, introduced a temporary variable bytesPerPixel, and added an overflow check. If that fails, an error is returned.

This bug was discovered with the help of american fuzzy lop and address sanitizer.
Created attachment 331354 [details] log
Created attachment 331355 [details] [review] patch
Created attachment 331356 [details] poc
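The unchecked line-width multiplication and the bytes-per-pixel overflow check described in the report, side by side, as an added C example (not gdk-pixbuf's code and not the attached patch); it assumes a 32-bit unsigned width and line width, and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Unchecked pattern: one multiply per pixel format. A width above
   UINT32_MAX / bytes-per-pixel wraps to a small value, so a later
   sanity check on the line width passes although the row is huge. */
static uint32_t line_width_unchecked(uint32_t width, int bits_per_pixel)
{
    switch (bits_per_pixel) {
    case 32: return width * 4;
    case 24: return width * 3;
    case 16: return width * 2;
    case 8:  return width;
    default: return 0;   /* sub-byte formats not covered here */
    }
}

/* Checked variant: unify the >= 8 bpp cases through one temporary and
   reject the header before multiplying if the product cannot fit. */
static bool line_width_checked(uint32_t width, int bits_per_pixel,
                               uint32_t *line_width)
{
    uint32_t bytes_per_pixel;

    switch (bits_per_pixel) {
    case 32: bytes_per_pixel = 4; break;
    case 24: bytes_per_pixel = 3; break;
    case 16: bytes_per_pixel = 2; break;
    case 8:  bytes_per_pixel = 1; break;
    default: return false;
    }
    /* Division-based test: no intermediate value can overflow. */
    if (width > UINT32_MAX / bytes_per_pixel)
        return false;               /* caller reports a corrupt header */
    *line_width = width * bytes_per_pixel;
    return true;
}

/* Convenience wrapper: returns the line width, or -1 on overflow/unsupported. */
static int64_t line_width_or_error(uint32_t width, int bits_per_pixel)
{
    uint32_t lw;
    if (!line_width_checked(width, bits_per_pixel, &lw))
        return -1;
    return (int64_t)lw;
}
```

With a 32 bpp header whose width is 0x40000000, the unchecked version yields a line width of 0 while the checked one refuses the header.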