GNOME Bugzilla – Bug 779020
Infinite loop in io-tiff.c with large size
Last modified: 2017-12-05 12:24:54 UTC
The bug is in the function make_available_at_least (line 499). See the following lines:

    if (need_alloc > context->allocated) {
        guint new_size = 1;
        while (new_size < need_alloc)
            new_size *= 2;
        ...

new_size starts at 1 and is multiplied by 2 until it is larger than or equal to need_alloc. If need_alloc is larger than 2^31, new_size will become 2^31, multiply itself by 2, and become 0. This would lead to an infinite loop.
Created attachment 350204 [details] [review]
fix for the infinite loop issue

Hi Ariel,

I have created the fix patch to resolve the infinite loop issue in io-tiff. Please kindly review and suggest your comments.

Thanks,
Thiruvadi Rajaraman
Created attachment 365013 [details] [review]
tiff: Avoid overflowing buffer size computation

Use g_uint_checked_mul() to avoid overflowing the guint used for buffer size calculation.
Attachment 365013 [details] pushed as 1e513ab - tiff: Avoid overflowing buffer size computation
Hi Bastien,

Following is the vulnerable hunk that causes the infinite loop issue, from the io-tiff.c file:

    while (new_size < need_alloc)
        new_size *= 2;

Test application (similar to the above condition in io-tiff.c):
-----------------
    #include <stdio.h>
    #include <limits.h>

    int main() {
        unsigned int x, y;
        y = UINT_MAX;
        x = ((UINT_MAX / 2) + 1);
        printf("\n x= %u", x);   /* %u: x and y are unsigned int */
        printf("\n y= %u", y);
        /* Resolve infinite loop issue .... */
        /* --- while(x && (x<y) ) { ----*/
        while (x < y) {
            x *= 2;              /* wraps from 2^31 to 0 and then stays 0 */
            printf(" x = %u", x);
        }
        return 0;
    }

logs:
=====
x = 0 x = 0 x = 0 x = 0 x = 0

This condition causes the infinite tight loop. From the attached fix in comment#1,

    while (new_size && (new_size < need_alloc))

resolves this infinite loop issue. Please correct me if my understanding of the issue above is wrong and the fix which I attached in comment#1 is not resolving the infinite loop problem. Please kindly review and suggest comments.

Thanks,
Thiruvadi Rajaraman
(In reply to Thiruvadi Rajaraman from comment #4)
> Hi Bastien,
>
> Following is the vulnerable hunk causes the infinite loop issue,
>
> from io-tiff.c file,
>
> while (new_size < need_alloc)
> new_size *= 2;

<snip>

> Please correct me if my understanding above the issue is wrong and the fix
> which i attached in comment#1 is not resolving the infinite loop problem.

Which is why we didn't use it. The one in comment 2 is what we used.
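As an added illustration (not code from the bug report, the attached patches, or gdk-pixbuf itself), here is the doubling loop from the report beside a checked version. The checked version mirrors what the pushed fix achieves with g_uint_checked_mul(), using a portable pre-multiplication bound instead of GLib; it assumes a 32-bit unsigned int, and the grow_unchecked()/grow_checked() names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The growth loop as it was in io-tiff.c: double new_size until it reaches
 * need_alloc. For need_alloc > 2^31 the doubling wraps to 0 and the loop
 * never terminates. This copy caps the iterations so it can be run safely
 * and returns false where the original would spin forever. */
static bool grow_unchecked(unsigned int need_alloc, unsigned int *out)
{
    unsigned int new_size = 1;
    int iterations = 0;
    while (new_size < need_alloc) {
        new_size *= 2;              /* 2^31 * 2 wraps to 0 on 32-bit guint */
        if (++iterations > 64)      /* the real code has no such bound */
            return false;
    }
    *out = new_size;
    return true;
}

/* Hardened version: refuse to double when the product cannot be represented,
 * which is the same decision g_uint_checked_mul() makes when it returns FALSE.
 * The caller then fails the load instead of looping or allocating 0 bytes. */
static bool grow_checked(unsigned int need_alloc, unsigned int *out)
{
    unsigned int new_size = 1;
    while (new_size < need_alloc) {
        if (new_size > UINT_MAX / 2) /* new_size * 2 would overflow */
            return false;
        new_size *= 2;
    }
    *out = new_size;
    return true;
}

int main(void)
{
    unsigned int sz;
    /* Constructed inputs: a normal request and one just above 2^31. */
    unsigned int requests[] = { 1000u, 0x80000001u };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        bool ok_u = grow_unchecked(requests[i], &sz);
        bool ok_c = grow_checked(requests[i], &sz);
        printf("need_alloc=%u unchecked=%s checked=%s\n", requests[i],
               ok_u ? "terminates" : "INFINITE LOOP",
               ok_c ? "ok" : "rejected (overflow)");
    }
    return 0;
}
```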