GNOME Bugzilla – Bug 747605
crash in libpixbufloader-bmp
Last modified: 2015-12-05 21:11:01 UTC
I have the following file on my hard drive: https://drive.google.com/file/d/0B20Uwp8Hs1oCTzFrMndWMjNtTHM/view?usp=sharing

I go to drive.google.com in the Chromium browser and try to upload the file. In the "Open Files" dialog I go to the directory that contains the file. At this point the browser crashes.

gdk_pixbuf tries to allocate 0x001000000300 bytes when trying to open this 300 byte file:

==10500==WARNING: AddressSanitizer failed to allocate 0x001000000300 bytes
==10500==AddressSanitizer's allocator is terminating the process instead of returning 0
==10500==If you don't like this behavior set allocator_may_return_null=1
==10500==AddressSanitizer CHECK failed: /work/chromium/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
#0 0x7f69571dbef4 (/opt/google/chrome-asan/chrome+0x20f5ef4)
#1 0x7f69571df731 (/opt/google/chrome-asan/chrome+0x20f9731)
#2 0x7f69571de174 (/opt/google/chrome-asan/chrome+0x20f8174)
#3 0x7f69571d3cb5 (/opt/google/chrome-asan/chrome+0x20edcb5)
#4 0x7f694d9a69cc (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0x69cc)
#5 0x7f6903496811 (/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-bmp.so+0x2811)
#6 0x7f694d9aca44 (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0xca44)
#7 0x7f694d9ad2b7 (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0xd2b7)
#8 0x7f694d9aae29 (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0xae29)
#9 0x7f696065c8ee (/opt/google/chrome-asan/chrome+0xb5768ee)
#10 0x7f69546703b7 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
#11 0x7f6954681d3c (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21d3c)
#12 0x7f6954689a28 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a28)
#13 0x7f695468a211 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a211)
#14 0x7f69546703b7 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
#15 0x7f6954681d3c (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21d3c)
#16 0x7f6954689a28 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a28)
#17 0x7f695468a211 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a211)
#18 0x7f69546703b7 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
#19 0x7f6954681d3c (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21d3c)
#20 0x7f6954689a28 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a28)
#21 0x7f695468a211 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a211)
#22 0x7f694e16b0e6 (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0xd60e6)
#23 0x7f694e16e3ef (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0xd93ef)
#24 0x7f69546705e6 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x105e6)
#25 0x7f6954689087 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29087)
#26 0x7f6954689ce1 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29ce1)
#27 0x7f694e2b635d (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0x22135d)
#28 0x7f694e2ba907 (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0x225907)
#29 0x7f694e1c2814 (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0x12d814)
#30 0x7f69546703b7 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
#31 0x7f6954681afa (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21afa)
#32 0x7f69546896f8 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x296f8)
#33 0x7f6954689ce1 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29ce1)
#34 0x7f694e2d2723 (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0x23d723)
#35 0x7f694e1c0fc3 (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0x12bfc3)
#36 0x7f694e1c137a (/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0+0x12c37a)
#37 0x7f6960670442 (/opt/google/chrome-asan/chrome+0xb58a442)
#38 0x7f694de3c1eb (/usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0+0x591eb)
#39 0x7f695419ee03 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48e03)
#40 0x7f695419f047 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49047)
#41 0x7f695419f0eb (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x490eb)
#42 0x7f695813976f (/opt/google/chrome-asan/chrome+0x305376f)
#43 0x7f69580c866a (/opt/google/chrome-asan/chrome+0x2fe266a)
#44 0x7f695798a7b6 (/opt/google/chrome-asan/chrome+0x28a47b6)
#45 0x7f695f4a7b1e (/opt/google/chrome-asan/chrome+0xa3c1b1e)
#46 0x7f695efae6d5 (/opt/google/chrome-asan/chrome+0x9ec86d5)
#47 0x7f695efada83 (/opt/google/chrome-asan/chrome+0x9ec7a83)
#48 0x7f6958013818 (/opt/google/chrome-asan/chrome+0x2f2d818)
#49 0x7f695801108a (/opt/google/chrome-asan/chrome+0x2f2b08a)
#50 0x7f69571f1ef6 (/opt/google/chrome-asan/chrome+0x210bef6)
#51 0x7f694cf7eec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#52 0x7f69571708a4 (/opt/google/chrome-asan/chrome+0x208a8a4)

Here is a symbolized stack trace:

Program received signal SIGTRAP, Trace/breakpoint trap.
base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:228
228 }
(gdb) bt
#0 base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:228
+ Trace 234953
Thanks for reporting this. Any chance to install debug packages / provide symbols for the following lines?
+ Trace 234957
I don't know how to do it. But I think it should be pretty easy to reproduce by loading the file.
Can you attach the problematic image?
I guess I did not attach a repro because my browser crashed every time I tried to attach the image. I think I tried to upload the repro for this issue: https://github.com/golang/go/issues/10399 (you can see that it also crashes trying to allocate 0x1000000300 bytes). So try the repro for that issue; there is a link.
Created attachment 316698: Problematic BMP file

Attaching the bitmap linked to in the bug report. It has a bit depth of 65524 specified.
This crash is caused by a lack of validation on the bit depth of a bitmap file / bad integer conversion. 65524 is reinterpreted as -12 (headerpair::depth, a guint, is assigned directly to bmp_progressive_state::Type, a gint, at io-bmp.c:331). This causes the check for (Type <= 8) to pass and attempts to load a palette by calling DecodeColormap. DecodeColormap attempts to allocate (1 << 65524) * 3 bytes of memory, which is a platform dependent value, potentially big enough to cause the original crash. There is a closely related bug, where BMP files with an overspecified color depth cause a heap overflow, which I will file as a separate report, as it is not caused by this signed integer conversion.
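As an added illustration (not code from gdk-pixbuf or from this report), the block below models the depth conversion the analysis above describes next to the validation that closes it: the unchecked path lets 65524 wrap to -12 and pass a "Type <= 8" check, while the hardened path whitelists the bit depths BMP defines before any palette size is derived. The 54-byte header bytes, the int16_t model of the signed conversion and all function names are my constructions, not the loader's own code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BMP_HDR_LEN 54  /* 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER */

/* Constructed 1x1 header (not the attached file) whose 16-bit bit-count field
 * at offset 28 holds 0xFFF4 = 65524; the trailing info-header fields are 0. */
static const uint8_t BAD_BMP[BMP_HDR_LEN] = {
    'B','M', 0x36,0,0,0, 0,0, 0,0, 0x36,0,0,0,   /* signature, size, reserved, pixel offset */
    40,0,0,0, 1,0,0,0, 1,0,0,0, 1,0, 0xF4,0xFF   /* biSize, width, height, planes, bit count */
};
static const uint8_t GOOD_BMP[BMP_HDR_LEN] = {  /* same header with bit count 8 */
    'B','M', 0x36,0,0,0, 0,0, 0,0, 0x36,0,0,0,
    40,0,0,0, 1,0,0,0, 1,0,0,0, 1,0, 8,0
};

static uint16_t lsb16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Unchecked path, modelled on the analysis above: the unsigned bit count is
 * copied into a signed field (int16_t here, a simplification of the guint to
 * gint assignment in io-bmp.c), so 65524 wraps to -12 and "Type <= 8" wrongly
 * routes the file into the palette decoder. */
static int naive_type(const uint8_t *hdr) { return (int16_t)lsb16(hdr + 28); }
static bool naive_takes_palette_path(const uint8_t *hdr) { return naive_type(hdr) <= 8; }

/* Hardened path: accept only the bit depths BMP defines before any size is
 * derived from the field. */
static bool bmp_depth_valid(uint32_t depth) {
    return depth == 1 || depth == 4 || depth == 8 || depth == 16 || depth == 24 || depth == 32;
}

/* Palette size in bytes for a validated depth, 0 when no palette applies;
 * bounded by 3 << 8 = 768, so the header cannot steer the allocation size. */
static size_t bmp_palette_bytes(uint32_t depth) {
    if (!bmp_depth_valid(depth) || depth > 8) return 0;
    return (size_t)3u << depth;
}

/* 0 = ok, -1 = malformed header, -2 = undefined bit depth (rejected before
 * anything comparable to DecodeColormap would allocate). */
static int bmp_parse_depth(const uint8_t *buf, size_t len, uint32_t *depth_out) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    uint32_t depth = lsb16(buf + 28);
    if (!bmp_depth_valid(depth)) return -2;
    if (depth_out) *depth_out = depth;
    return 0;
}
```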