Bug 672811 - Integer overflow in XBM file loader
Integer overflow in XBM file loader
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: git master
Hardware: Other
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Depends on:
Blocks:
Reported: 2012-03-25 18:04 UTC by Denis Pauk
Modified: 2012-04-14 18:22 UTC
See Also:
GNOME target: 3.4
GNOME version: ---


Attachments
test case: eog test.xbm (148 bytes, text/plain), 2012-03-25 18:33 UTC, Denis Pauk
limit size to G_MAXINT16 x G_MAXINT16 (777 bytes, patch), 2012-03-25 18:34 UTC, Denis Pauk, status: needs-work
Add additional checks (7.03 KB, patch), 2012-03-31 18:49 UTC, Denis Pauk, status: none
Sorry, this patch (3.50 KB, patch), 2012-03-31 18:53 UTC, Denis Pauk, status: none
Avoid an integer overflow in the xbm loader (1.49 KB, patch), 2012-04-14 18:22 UTC, Matthias Clasen, status: committed

Description Denis Pauk 2012-03-25 18:04:18 UTC
Bug from ubuntu: https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/681150
--------
It's possible to crash any application with a memory allocation error, or potentially corrupt the heap, because the width/height parameters aren't properly verified.

TEST FILE:
#define width 1
#define height -1
static char bits[] = {

HOW TO REPRODUCE:
Open directory containing this file with nautilus. Nautilus should crash on file thumbnailing.
Try to attach this file using Firefox. The Firefox gtk-file-chooser dialog breaks Firefox when it tries to show the picture preview.

Affected source: gdk-pixbuf/io-xbm.c
230 bytes_per_line = (ww+7)/8 + padding;
231
232 size = bytes_per_line * hh; // Overflow
233 bits = g_malloc (size);

Potential heap corruption:
326 ptr = data;
327 for (y = 0; y < h; y++) {
328 bits = 0;
329 for (x = 0; x < w; x++) {

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libgdk-pixbuf2.0-0 2.22.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 25 00:27:06 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
ProcEnviron:
 LANG=ru_RU.utf8
 SHELL=/bin/bash
SourcePackage: gdk-pixbuf
Comment 1 Denis Pauk 2012-03-25 18:33:13 UTC
Created attachment 210585 [details]
test case: eog test.xbm
Comment 2 Denis Pauk 2012-03-25 18:34:00 UTC
Created attachment 210586 [details] [review]
limit size to G_MAXINT16 x G_MAXINT16
Comment 3 Matthias Clasen 2012-03-27 15:48:37 UTC
The fix doesn't quite look as I would expect.

First, we should simply change the sscanf to use %u - that would already make your testcase not parse anymore.

Second, the overflow check should look more like what is done in other loaders, e.g. the tiff loader:

        bytes = height * rowstride;
        if (bytes / rowstride != height) { /* overflow */
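As an added example, not gdk-pixbuf's own code, the two points made in this comment in one place: a header parser that refuses a negative width/height, and the tiff-style multiply-then-divide check applied to bytes_per_line * hh. The names xbm_parse_dimension and xbm_buffer_size are assumed, and the size is computed in uint32_t to mirror the loader's int-sized `size` variable; note that strtoul() and sscanf("%u") both accept "-1" and wrap it, so the example rejects a leading '-' explicitly rather than relying on the format alone.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse the value of an XBM "#define <name>_width N" / "..._height N" line.
 * Assumed helper, not gdk-pixbuf code. A leading '-' is rejected explicitly:
 * sscanf("%u") and strtoul() both accept "-1" and wrap it to the maximum
 * value, so changing the format from %d to %u is not sufficient on its own. */
static bool xbm_parse_dimension(const char *line, const char *suffix, unsigned int *out)
{
    const char *p;
    char *end;
    unsigned long v;

    if (strncmp(line, "#define ", 8) != 0) return false;
    p = strstr(line + 8, suffix);
    if (p == NULL) return false;
    p += strlen(suffix);
    while (isspace((unsigned char)*p)) p++;
    if (!isdigit((unsigned char)*p)) return false;   /* rejects "-1", "+1", "" */
    errno = 0;
    v = strtoul(p, &end, 10);
    /* 0 and anything beyond an int are rejected: pixbuf dimensions are ints */
    if (errno != 0 || end == p || v == 0 || v > INT_MAX) return false;
    *out = (unsigned int)v;
    return true;
}

/* Buffer size bytes_per_line * height, computed in uint32_t to mirror the
 * loader's int-sized `size` (unsigned, so wraparound is defined behaviour),
 * with the multiply-then-divide overflow check the tiff loader uses. */
static bool xbm_buffer_size(unsigned int width, unsigned int height,
                            unsigned int padding, uint32_t *size)
{
    uint32_t bytes_per_line = ((uint32_t)width + 7) / 8 + padding;
    uint32_t bytes = bytes_per_line * height;

    if (bytes_per_line == 0) return false;
    if (bytes / bytes_per_line != height) return false;   /* overflow: do not allocate */
    *size = bytes;
    return true;
}
```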
Comment 4 Matthias Clasen 2012-03-27 15:48:56 UTC
Review of attachment 210586 [details] [review]:

see previous comments
Comment 5 Denis Pauk 2012-03-28 06:36:13 UTC
Thanks, I will fix it on the weekend.
Comment 6 Denis Pauk 2012-03-31 18:49:32 UTC
Created attachment 211039 [details] [review]
Add additional checks

I added additional checks and different errors for all error types (before, only one message was used for all).
Comment 7 Denis Pauk 2012-03-31 18:53:10 UTC
Created attachment 211040 [details] [review]
Sorry, this patch
Comment 8 Matthias Clasen 2012-04-14 18:22:12 UTC
The following fix has been pushed:
4f0f465 Avoid an integer overflow in the xbm loader

I've taken the overflow fix and the negative width/height checks,
but left out the string additions.
Comment 9 Matthias Clasen 2012-04-14 18:22:15 UTC
Created attachment 212053 [details] [review]
Avoid an integer overflow in the xbm loader

At the same time, reject some silly input, such as negative
width or height.