GNOME Bugzilla – Bug 768688
Integer overflow in DecodeColormap
Last modified: 2019-03-06 17:10:03 UTC
We received the following report from Hanno Boeck:

I want to report a potential security issue in gdk-pixbuf. It's an integer overflow in the function DecodeColormap leading to a large number of invalid memory reads. The attached bmp image will trigger this bug. Just clicking on it in a gtk file open dialog may lead to a crash (I haven't exactly figured out when this happens; in some applications this does not crash, one where it reliably does is firefox).

Here's the problematic code:

    if (State->BufferSize < State->Header.n_colors * samples) {

If n_colors is set to a very large value then State->Header.n_colors * samples can become larger than 2^32, thus leading to an integer overflow. In this case this check will be false. However, later down there is a loop iterating State->Header.n_colors times, which will then lead to invalid memory reads.

I have attached a bmp image triggering the bug and a proposed patch that checks the overflow and also sets a correct error. (This is strictly speaking another bug: if DecodeColormap fails there is currently no error set and it will lead to a warning.)
Created attachment 331246 [details] [review] patch
Created attachment 331247 [details] reproducer
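To show the arithmetic behind the report, here is an added illustration (not the reporter's patch and not gdk-pixbuf code; the function names, the `SAMPLES_PER_ENTRY` constant and the sample values are constructed for this example) placing the wrapping size check beside an overflow-safe one:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per palette entry; constructed for this illustration, not taken
 * from gdk-pixbuf. */
#define SAMPLES_PER_ENTRY 4u

/* The check as the report describes it: n_colors (header-controlled,
 * 32-bit) times samples is computed in 32-bit arithmetic and can wrap. */
bool colormap_fits_wrapping(uint32_t buffer_size, uint32_t n_colors,
                            uint32_t samples)
{
    uint32_t needed = n_colors * samples;   /* may wrap modulo 2^32 */
    return !(buffer_size < needed);         /* a wrapped value passes */
}

/* Overflow-safe form: bound n_colors by division, which cannot wrap,
 * before the product is used to size a loop or a read.
 * (GCC/Clang's __builtin_mul_overflow is an equivalent alternative.) */
bool colormap_fits_checked(uint32_t buffer_size, uint32_t n_colors,
                           uint32_t samples)
{
    if (samples == 0)
        return false;
    if (n_colors > buffer_size / samples)   /* would need > buffer_size bytes */
        return false;
    return true;
}

int main(void)
{
    /* Constructed values: 1 KiB of palette data, and an n_colors chosen so
     * that n_colors * 4 == 2^32 + 4, which wraps to 4 in 32 bits. */
    uint32_t buf = 1024, hostile = 0x40000001u, sane = 256;

    printf("sane   : wrapping=%d checked=%d\n",
           colormap_fits_wrapping(buf, sane, SAMPLES_PER_ENTRY),
           colormap_fits_checked(buf, sane, SAMPLES_PER_ENTRY));
    printf("hostile: wrapping=%d checked=%d\n",
           colormap_fits_wrapping(buf, hostile, SAMPLES_PER_ENTRY),
           colormap_fits_checked(buf, hostile, SAMPLES_PER_ENTRY));
    return 0;
}
```

The wrapping check accepts the hostile header (needed bytes wrap to 4), so a loop driven by n_colors would walk far past the buffer; the checked form rejects it.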
Benjamin is looking at this