Bug 753908 - cve-2015-4491 test seems broken, uses all available memory on the system
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: git master
OS: Other Linux
Priority: Normal
Severity: normal
Assigned To: gdk-pixbuf-maint
Reported: 2015-08-21 06:34 UTC by Alexandre Rostovtsev
Modified: 2015-08-22 16:03 UTC
GNOME target: ---
GNOME version: ---

Attachments:
test-suite.log (863 bytes, text/plain), 2015-08-21 06:34 UTC, Alexandre Rostovtsev

Description Alexandre Rostovtsev 2015-08-21 06:34:10 UTC
Created attachment 309787 [details]
test-suite.log

Download the gdk-pixbuf-2.31.6 tarball.
./configure
make
cd tests
make check
make[3]: Entering directory '/home/tetromino/tmpfs/gdk-pixbuf-2.31.6/tests'
PASS: animation 1 /animation/gif
PASS: animation 2 /animation/ani
PASS: cve-2015-4491 1 /pixbuf/cve-2015-4491/original
PASS: cve-2015-4491 2 /pixbuf/cve-2015-4491/scale-overflow

At this point, after a few seconds, ./cve-2015-4491 exhausts all memory on the machine and needs to be taken out via kill -9.

This happens even when gdk-pixbuf-2.31.6 is already installed systemwide (so it's not an issue of build-directory vs. systemwide plugins).
Comment 1 Benjamin Otte (Company) 2015-08-22 16:03:14 UTC
commit 3df91dc6c6f8d1421e9c8756959280de792af77a
Author: Benjamin Otte <otte@redhat.com>
Date:   Sat Aug 22 17:57:23 2015 +0200

    pixops: Change variable type

    n_weights is used to do overflow checks. So by reducing the size to 32
    bits signed we overflow earlier. This is necessary because further down
    the code lots of code uses int variables to iterate over this variable
    and we don't want those to overflow.

    The correct fix would be to make all those variables gsize too, but
    that's way more invasive and requires different checks in different
    places so I'm not gonna do that now.
    And as long as scale factors are not expected to reach G_MAXINT it's not
    really necessary to do this change anyway.
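The commit message above attributes the fix to a width mismatch: the overflow check on n_weights was done in gsize, while the loops that later consume it use int counters. The following constructed C model (added here, not gdk-pixbuf's pixops code; the SUBSAMPLE factor and the x_n * y_n * SUBSAMPLE weight-count formula are hypothetical) contrasts a check bounded by SIZE_MAX with one bounded by INT_MAX (G_MAXINT), which is what makes the check "overflow earlier".

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a pixops filter: the weight table holds
 * x_n * y_n * SUBSAMPLE entries, and x_n, y_n grow with the scale factor. */
#define SUBSAMPLE 16

/* Check A: overflow check done in size_t (gsize). It only rejects products
 * that wrap the machine word, so on 64-bit hosts it accepts counts far
 * beyond what an int loop counter can ever reach. */
static int n_weights_check_gsize(size_t x_n, size_t y_n, size_t *out)
{
    if (x_n != 0 && y_n > SIZE_MAX / x_n)
        return 0;                       /* x_n * y_n would wrap */
    size_t xy = x_n * y_n;
    if (xy > SIZE_MAX / SUBSAMPLE)
        return 0;                       /* * SUBSAMPLE would wrap */
    *out = xy * SUBSAMPLE;
    return 1;
}

/* Check B: the commit's idea. Because the consumers iterate with int, the
 * count must also fit in a signed 32-bit int (G_MAXINT). Anything the gsize
 * check lets through above INT_MAX is rejected here instead of being fed to
 * int loops that would overflow, and to an allocation sized in the gigabytes. */
static int n_weights_check_int(size_t x_n, size_t y_n, int *out)
{
    size_t n;
    if (!n_weights_check_gsize(x_n, y_n, &n))
        return 0;
    if (n > (size_t) INT_MAX)
        return 0;
    *out = (int) n;                     /* safe: n <= INT_MAX */
    return 1;
}

int main(void)
{
    size_t n;
    int m;
    /* 70000 x 70000 (constructed) passes the gsize check on 64-bit but not the int check */
    printf("gsize check: %d (n=%zu)\n", n_weights_check_gsize(70000, 70000, &n), n);
    printf("int   check: %d\n", n_weights_check_int(70000, 70000, &m));
    return 0;
}
```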