Bug 768688 - Integer overflow in DecodeColormap
Product: gdk-pixbuf
Classification: Platform
Component: loaders
Hardware/OS: Other Linux
Importance (priority/severity): Normal normal
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
Depends on:
Reported: 2016-07-11 16:59 UTC by Tobias Mueller
Modified: 2019-03-06 17:10 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments:
patch (1.16 KB, patch), 2016-07-11 17:01 UTC, Tobias Mueller, status: committed
reproducer (238 bytes, application/x-zip), 2016-07-11 17:01 UTC, Tobias Mueller

Description Tobias Mueller 2016-07-11 16:59:56 UTC
Comment 1 Tobias Mueller 2016-07-11 17:00:53 UTC
We received the following report from Hanno Boeck:

I want to report a potential security issue in gdk-pixbuf. It's an
integer overflow in the function DecodeColormap leading to a large
number of invalid memory reads.

The attached bmp image will trigger this bug. Just clicking on it in a
GTK file open dialog may lead to a crash (I haven't exactly figured out
when this happens; in some applications this does not crash, but one where
it reliably does is Firefox).

Here's the problematic code:
        if (State->BufferSize < State->Header.n_colors * samples) {

If n_colors is set to a very large value, then State->Header.n_colors *
samples can become larger than 2^32, leading to an integer
overflow. In this case the check will be false. However, later on
there is a loop iterating State->Header.n_colors times, which will then
lead to invalid memory reads.

I have attached a bmp image triggering the bug and a proposed patch
that checks the overflow and also sets a correct error. (This is
strictly speaking another bug - if DecodeColormap fails there is
currently no error set and it will lead to a warning.)
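To show the wrap the report describes next to an overflow-aware form of the same check, here is an added C example; it is not gdk-pixbuf's code and not the attached patch. The bmp_state struct, its 32-bit unsigned field types, and the helper names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical state struct modelled on the two fields the report names;
 * it is not gdk-pixbuf's own definition. Both fields are assumed to be
 * 32-bit unsigned, which is what lets the product wrap past 2^32. */
struct bmp_state {
    uint32_t BufferSize;  /* bytes actually present in the colormap buffer */
    uint32_t n_colors;    /* taken from the BMP header, so file-controlled */
};

/* The check as quoted in the report: n_colors * samples is computed in
 * 32 bits, so a huge n_colors can wrap to a tiny value and pass. */
int colormap_fits_unsafe(const struct bmp_state *s, uint32_t samples)
{
    return !(s->BufferSize < s->n_colors * samples);
}

/* Hardened form: detect the overflow before multiplying, then compare. */
int colormap_fits_safe(const struct bmp_state *s, uint32_t samples)
{
    if (samples == 0 || s->n_colors > UINT32_MAX / samples)
        return 0;  /* product would not fit in 32 bits: reject */
    return s->BufferSize >= s->n_colors * samples;
}

/* Bytes past the end of the buffer that a loop over n_colors entries of
 * `samples` bytes each would touch if it were allowed to run (64-bit exact). */
uint64_t bytes_read_out_of_bounds(const struct bmp_state *s, uint32_t samples)
{
    uint64_t need = (uint64_t)s->n_colors * samples;
    return need > s->BufferSize ? need - s->BufferSize : 0;
}

int main(void)
{
    /* Constructed inputs: a benign 256-entry palette, and a header whose
     * n_colors makes n_colors * 4 wrap to exactly 4 in 32-bit arithmetic. */
    struct bmp_state ok  = { .BufferSize = 1024, .n_colors = 256 };
    struct bmp_state bad = { .BufferSize = 1024, .n_colors = 0x40000001u };

    printf("benign:  unsafe=%d safe=%d\n",
           colormap_fits_unsafe(&ok, 4), colormap_fits_safe(&ok, 4));
    printf("wrapped: unsafe=%d safe=%d, would overread %llu bytes\n",
           colormap_fits_unsafe(&bad, 4), colormap_fits_safe(&bad, 4),
           (unsigned long long)bytes_read_out_of_bounds(&bad, 4));
    return 0;
}
```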
Comment 2 Tobias Mueller 2016-07-11 17:01:26 UTC
Created attachment 331246
Comment 3 Tobias Mueller 2016-07-11 17:01:49 UTC
Created attachment 331247
Comment 4 Matthias Clasen 2016-07-13 11:29:46 UTC
Benjamin is looking at this