Bug 775232 - pnm loader loads images with height=-2072745076
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: loaders
Version: git master
Hardware: Other Linux
Importance: Normal minor
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Depends on:
Blocks:
Reported: 2016-11-28 14:08 UTC by Tobias Mueller
Modified: 2016-12-13 17:13 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
crashing file, password "crash" (461 bytes, application/pgp-encrypted)
2016-11-28 14:08 UTC, Tobias Mueller
patch (2.45 KB, patch)
2016-11-28 14:09 UTC, Tobias Mueller (rejected)
pnm: Fix crash opening images with overly large dimensions (1.85 KB, patch)
2016-12-13 17:12 UTC, Bastien Nocera (committed)
tests: Add test for bug 775232 (1.25 KB, patch)
2016-12-13 17:12 UTC, Bastien Nocera (committed)

Description Tobias Mueller 2016-11-28 14:08:21 UTC
Created attachment 340908
crashing file, password "crash"

It seems that a pathological PNM file can cause the following crash:

(process:26213): GdkPixbuf-CRITICAL **: gdk_pixbuf_new: assertion 'height > 0' failed

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff6881a6b in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0

Thread 1 (Thread 0x7ffff7fc3880 (LWP 26213))

  • #0 g_logv
    from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  • #1 g_log
    from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  • #2 gdk_pixbuf_new
    at gdk-pixbuf.c line 453
  • #3 gdk_pixbuf__pnm_image_load_increment
    at io-pnm.c line 983
  • #4 gdk_pixbuf_loader_load_module
    at gdk-pixbuf-loader.c line 443
  • #5 gdk_pixbuf_loader_close
    at gdk-pixbuf-loader.c line 808
  • #6 test_loader
    at pixbuf-read.c line 35
  • #7 main
    at pixbuf-read.c line 75

Comment 1 Tobias Mueller 2016-11-28 14:09:57 UTC
Created attachment 340909
patch

Potential patch. It makes pixbuf-read not crash, but I don't know whether checking for <=0 has other unwanted implications.

Comment 2 Bastien Nocera 2016-12-13 17:12:02 UTC
Created attachment 341895
pnm: Fix crash opening images with overly large dimensions

Internally, the PNM loader stores the width and height as unsigned
integers, but the external callback to the application,
GdkPixbufModuleSizeFunc, uses integers. So the maximum width and height
really are MAXINT, not MAXUINT.
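
The signed/unsigned mismatch described in the commit message above, as an added C example that is not gdk-pixbuf code and not part of the bug thread. All helper names are hypothetical, and the input 2222222220 is constructed: it is the unsigned 32-bit value that reinterprets as the height in the bug title. Rejecting zero is an assumption taken from the 'height > 0' assertion in the report.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not gdk-pixbuf code): parse one decimal header field
 * into an unsigned int. Returns 0 on success, -1 on bad input. */
static int parse_dim(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)*s))
        return -1;              /* no sign, no leading space, not empty */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || v > UINT_MAX || *end != '\0')
        return -1;
    *out = (unsigned int)v;
    return 0;
}

/* Unchecked hand-off to an API taking int: values above INT_MAX come
 * out negative on the usual 32-bit two's-complement int. */
static int unchecked_to_int(unsigned int dim)
{
    return (int)dim;
}

/* Checked hand-off: the usable range is 1..INT_MAX, not 1..UINT_MAX.
 * Rejecting 0 is an assumption taken from the 'height > 0' assertion. */
static int checked_to_int(unsigned int dim, int *out)
{
    if (dim == 0 || dim > (unsigned int)INT_MAX)
        return -1;
    *out = (int)dim;
    return 0;
}

int main(void)
{
    unsigned int h = 0;     /* constructed input, not the attached file */
    int ok = 0;
    if (parse_dim("2222222220", &h) != 0) return 1;
    printf("unsigned %u -> int %d -> %s\n", h, unchecked_to_int(h),
           checked_to_int(h, &ok) ? "rejected" : "accepted");
    return 0;
}
```

The parse step accepts the value because it fits in an unsigned int; only the range check at the signed boundary stops it from reaching a consumer that expects a positive int.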

Comment 3 Bastien Nocera 2016-12-13 17:12:08 UTC
Created attachment 341896
tests: Add test for bug 775232

Comment 4 Bastien Nocera 2016-12-13 17:12:50 UTC
Attachment 341895 pushed as 8d54caa - pnm: Fix crash opening images with overly large dimensions
Attachment 341896 pushed as afdff2c - tests: Add test for bug 775232