Bug 753569 - Unhandled integer-overflow leads to segmentation fault
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Depends on:
Blocks:
Reported: 2015-08-12 18:47 UTC by vigri
Modified: 2015-08-25 19:27 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Inkscape GDB-backtrace (7.36 KB, text/plain)
2015-08-12 18:47 UTC, vigri
Details

Description vigri 2015-08-12 18:47:58 UTC
Created attachment 309171 [details]
Inkscape GDB-backtrace

Package: libgdk-pixbuf2.0-0
Version: 2.31.1
OS: Debian 8.1 x64


Dear Maintainer,

I would like to report a bug where a large image can cause an overflow which is unhandled. This results in a segmentation fault.

The bug affects the gdk_pixbuf_add_alpha() function in gdk-pixbuf-util.c
when using a grayscale image with a resolution of 27k x 27k pixels.

Both y and pixbuf->rowstride are int variables. Therefore the result of the multiplication is an int too.
A rowstride of 108000 and a y greater than approx. 18000 doesn't fit in this variable.

The patch could be to change those two lines from
src = src_pixels + y * pixbuf->rowstride;
dest = ret_pixels + y * new_pixbuf->rowstride;

to

src = src_pixels + (unsigned long)y * pixbuf->rowstride;
dest = ret_pixels + (unsigned long)y * new_pixbuf->rowstride;

Furthermore there should be a check added to ensure the multiplication doesn't exceed ULONG_MAX.

Please see the attached backtrace.

This bug has been reported some days ago by me to Inkscape without knowing that this package here was the real problem:
https://bugs.launchpad.net/inkscape/+bug/1483061

Best regards
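The overflow the report describes, and the check it asks for, as an added stand-alone example (not gdk-pixbuf code): the offset y * rowstride is evaluated in size_t and rejected when it would wrap, and a separate helper shows whether the same product would have fit in an int. The values (rowstride 108000, y around 18000 to 20000) are taken from the report; the function names are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Does y * rowstride fit in an int? The product is formed in size_t so the
 * check itself cannot overflow for any non-negative int operands. */
bool row_offset_fits_int(int y, int rowstride)
{
    if (y < 0 || rowstride < 0)
        return false;
    return (size_t)y * (size_t)rowstride <= (size_t)INT_MAX;
}

/* Checked form of the offset computation from the report: multiply in
 * size_t and refuse the operation if the product would exceed SIZE_MAX
 * (the ULONG_MAX-style check the reporter suggests). Returns false and
 * leaves *offset untouched on any invalid input. */
bool row_offset_checked(int y, int rowstride, size_t *offset)
{
    if (y < 0 || rowstride < 0 || offset == NULL)
        return false;
    size_t sy = (size_t)y, sr = (size_t)rowstride;
    if (sr != 0 && sy > SIZE_MAX / sr)   /* sy * sr would wrap */
        return false;
    *offset = sy * sr;
    return true;
}

int main(void)
{
    /* Constructed from the report: 27k x 27k image, rowstride 108000 */
    int rowstride = 108000;
    int rows[] = { 18000, 20000 };
    for (int i = 0; i < 2; i++) {
        size_t off = 0;
        printf("y=%d: fits in int: %s", rows[i],
               row_offset_fits_int(rows[i], rowstride) ? "yes" : "no");
        if (row_offset_checked(rows[i], rowstride, &off))
            printf(", checked offset = %zu bytes\n", off);
        else
            printf(", offset rejected\n");
    }
    return 0;
}
```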
Comment 1 Matthias Clasen 2015-08-25 19:27:43 UTC
should be fixed in commit ca3c56421c075e729750cf80c3438b283232cce8