GNOME Bugzilla – Bug 768738
Integer overflow in DecodeHeader
Last modified: 2019-03-06 17:10:21 UTC
We received the report on firstname.lastname@example.org from Hanno Boeck:
A BMP image with a large image width can cause an overflow in the
calculation of State->LineWidth in the function DecodeHeader().
This is the code:
if (State->Type == 32)
        State->LineWidth = State->Header.width * 4;
else if (State->Type == 24)
        State->LineWidth = State->Header.width * 3;
[...] (more lines for other bits per pixel sizes)
If State->Header.width * [whatever] is bigger than 2^32 this will cause
an overflow, subsequently skipping sanity checks and causing invalid
memory reads in Oneline32.
I have attached a BMP sample file that will trigger this bug.
gdk-pixbuf needs to be compiled with address sanitizer to show the bug.
I'll also attach the address sanitizer error message.
Also attached is a proposed patch to fix the issue. I have unified the
if-block for all cases where the bits per pixel are one byte or more,
introduced a temporary variable bytesPerPixel and added an overflow
check. If that fails an error is returned.
This bug was discovered with the help of american fuzzy lop and address
Created attachment 331354
Created attachment 331355
Created attachment 331356
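As an added illustration (not the reporter's patch and not gdk-pixbuf's own code), the wrapping multiply described above beside a bounds-checked version along the lines the report sketches. The State struct here is a simplified stand-in whose field names and 32-bit types are assumed; the header values in main() are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for the loader state (assumed layout, not the real
 * gdk-pixbuf structs): width parsed from the BMP header, type as bits per
 * pixel, line_width as the computed bytes per scanline. */
struct BmpState {
    uint32_t width;
    int      type;        /* bits per pixel: 32, 24, 16 or 8 */
    uint32_t line_width;
};

/* The pattern from the report: a plain 32-bit multiply that wraps once
 * width * bytes-per-pixel exceeds 2^32, leaving a small line_width that
 * later sanity checks accept. */
static bool line_width_unchecked(struct BmpState *s)
{
    if (s->type == 32)      s->line_width = s->width * 4;
    else if (s->type == 24) s->line_width = s->width * 3;
    else if (s->type == 16) s->line_width = s->width * 2;
    else if (s->type == 8)  s->line_width = s->width;
    else return false;
    return true;
}

/* Fix in the spirit of the report: one branch for every depth of at least
 * one byte per pixel, and a division-based bound check that rejects the
 * header before the multiplication can wrap. */
static bool line_width_checked(struct BmpState *s)
{
    if (s->type < 8 || s->type > 32 || s->type % 8 != 0)
        return false;                    /* sub-byte depths handled elsewhere */
    uint32_t bytes_per_pixel = (uint32_t)s->type / 8;
    if (s->width > UINT32_MAX / bytes_per_pixel)
        return false;                    /* width * bpp would not fit in 32 bits */
    s->line_width = s->width * bytes_per_pixel;
    return true;
}

int main(void)
{
    /* Constructed header: 32 bpp with width 2^30 + 1, so
     * 4 * (2^30 + 1) = 2^32 + 4, which wraps to 4 in a uint32_t. */
    struct BmpState s = { .width = 0x40000001u, .type = 32 };
    line_width_unchecked(&s);
    printf("unchecked line_width: %u (wrapped)\n", s.line_width);
    printf("checked version accepts header: %s\n",
           line_width_checked(&s) ? "yes" : "no");
    return 0;
}
```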