After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 561669 - Not enough memory is allocated for AND-mask when a pixbuf is being saved in "ico" format
Not enough memory is allocated for AND-mask when a pixbuf is being saved in "...
Status: RESOLVED DUPLICATE of bug 585383
Product: gdk-pixbuf
Classification: Platform
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: gdk-pixbuf-maint
Depends on:
Reported: 2008-11-20 12:21 UTC by Andrey Tsyvarev
Modified: 2014-10-22 16:44 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Andrey Tsyvarev 2008-11-20 12:21:57 UTC
An "ico" file contains both a pixmap with colors of pixels (XOR-mask) and also another pixmap (AND-mask) with pixels' transparency data. In the latter pixmap 1 bit is allocated for each pixel of pixbuf.

According to the source code of the function (file: gtk+-2.14.4/gdk-pixbuf/io-ico.c)
static gboolean fill_entry (IconEntry *icon,
GdkPixbuf *pixbuf, gint hot_x, gint hot_y, GError **error)

rowstride of AND-mask is set up equal to (width / 8), where width is the width of the pixbuf. It is only aligned at 4 bytes boundary:

icon->and_rowstride = icon->width / 8;
if ((icon->and_rowstride % 4) != 0) 		
    icon->and_rowstride = 4 * ((icon->and_rowstride / 4) + 1);
icon->and = g_new0 (guchar, icon->and_rowstride * icon->height);

When the width of the pixbuf is not a multiple of 8, writing past the end of the line occurs. For the last line it can result in writing outside of the allocated memory buffer for the AND-mask.

Because gdk_pixbuf_save() and gdk_pixbuf_savev() are implemented via this function, call of them in some cases may lead to unpredictable results, up to sigfault.

The detailed bug description can be found at:
Comment 2 Bastien Nocera 2014-10-22 16:44:33 UTC
Marking as duplicate as per comment 1.

*** This bug has been marked as a duplicate of bug 585383 ***