Bug 793470 - Security: PNG crashing Chrome on Linux due to file picker bug
Status: RESOLVED OBSOLETE
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Depends on:
Blocks:
Reported: 2018-02-14 21:07 UTC by awhalley
Modified: 2019-02-27 17:32 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
proof of concept (125 bytes, application/x-bzip2), 2018-02-14 21:07 UTC, awhalley

Description awhalley 2018-02-14 21:07:13 UTC
Created attachment 368354: proof of concept

Greetings from Chrome Security!

We're cleaning up some of our old security bugs, and I came across crbug.com/469937 (restricted, but I can give anybody who requests access) that had the following information.  It was submitted in 2015 so might well no longer be relevant, but passing on just in case:

VULNERABILITY DETAILS

An invalid PNG file causes Chrome to crash on attempting to open a file using Linux file picker.

File picker probably tries to render a preview and crashes. If the file is opened without giving the file picker a chance to try to render a preview (by supplying its full path in the file picker location input or by using the Chrome location bar to open it), Chrome properly shows a broken image icon.

While I understand that technically this is a bug in the upstream library, I'm not sure if that could be exploited in any way, hence filing this bug.

VERSION
Chrome Version: 42.0.2311.50 beta
Operating System: Ubuntu 14.04.2 LTS, Trusty Tahr.

REPRODUCTION CASE

1. Download the attached file.
2. bunzip2 the downloaded file.
3. On Linux Chrome, open File->Open File... dialog, navigate to the png file and click on the filename once.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State: N/A
Client ID (if relevant): 2c2091099d84defa

--

With asan: 
==6582==WARNING: AddressSanitizer failed to allocate 0x022e971034a8 bytes
==6582==AddressSanitizer's allocator is terminating the process instead of returning 0
==6582==If you don't like this behavior set allocator_may_return_null=1
==6582==AddressSanitizer CHECK failed: /work/chromium/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:146 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f01d32fafbd in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/local/google/home/kcc/chromium/src/out-asan/Release/chrome+0x2428fbd)
    #1 0x7f01d32fea31 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/local/google/home/kcc/chromium/src/out-asan/Release/chrome+0x242ca31)
    #2 0x7f01d32fd583 in __sanitizer::ReportAllocatorCannotReturnNull() (/usr/local/google/home/kcc/chromium/src/out-asan/Release/chrome+0x242b583)
    #3 0x7f01d326b404 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/usr/local/google/home/kcc/chromium/src/out-asan/Release/chrome+0x2399404)
    #4 0x7f01d32f3464 in __interceptor_malloc (/usr/local/google/home/kcc/chromium/src/out-asan/Release/chrome+0x2421464)
    #5 0x7f01c93399cc in gdk_pixbuf_new (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0x69cc)
    #6 0x7f01616b3f7a in _init (/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so+0x2f7a)
    #7 0x7f01c8076ed0  (/lib/x86_64-linux-gnu/libpng12.so.0+0x1bed0)
    #8 0x7f01c8077eb2 in png_process_data (/lib/x86_64-linux-gnu/libpng12.so.0+0x1ceb2)
    #9 0x7f01616b3799 in _init (/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so+0x2799)
    #10 0x7f01c933fa44  (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0xca44)
    #11 0x7f01c93402b7 in gdk_pixbuf_loader_close (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0xd2b7)
    #12 0x7f01c933de29 in gdk_pixbuf_new_from_file_at_scale (/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0+0xae29)
    #13 0x7f01dd33d72e in libgtk2ui::SelectFileDialogImplGTK::OnUpdatePreview(_GtkWidget*) chrome/browser/ui/libgtk2ui/select_file_dialog_impl_gtk2.cc:625:23
    #14 0x7f01d045c3b7 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
    #15 0x7f01d046dd3c  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21d3c)
    #16 0x7f01d0475a28 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a28)
    #17 0x7f01d0476211 in g_signal_emit_by_name (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a211)
    #18 0x7f01d045c3b7 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
    #19 0x7f01d046dd3c  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21d3c)
    #20 0x7f01d0475a28 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a28)
    #21 0x7f01d0476211 in g_signal_emit_by_name (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a211)
    #22 0x7f01d045c3b7 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
    #23 0x7f01d046dd3c  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21d3c)
    #24 0x7f01d0475a28 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a28)
    #25 0x7f01d0476211 in g_signal_emit_by_name (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a211)
    #26 0x7f01c9afe0e6 in check_preview_change /build/buildd/gtk+2.0-2.24.23/gtk/gtkfilechooserdefault.c:9587
    #27 0x7f01c9b013ef in list_selection_changed /build/buildd/gtk+2.0-2.24.23/gtk/gtkfilechooserdefault.c:9949
    #28 0x7f01d045c5e6  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x105e6)
    #29 0x7f01d0475087 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29087)
    #30 0x7f01d0475ce1 in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29ce1)
    #31 0x7f01c9c4935d in gtk_tree_view_real_set_cursor /build/buildd/gtk+2.0-2.24.23/gtk/gtktreeview.c:12620
    #32 0x7f01c9c4d907 in gtk_tree_view_button_press /build/buildd/gtk+2.0-2.24.23/gtk/gtktreeview.c:2811
    #33 0x7f01c9b55814 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.24.23/gtk/gtkmarshalers.c:86
    #34 0x7f01d045c3b7 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x103b7)
    #35 0x7f01d046dafa  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21afa)
    #36 0x7f01d04756f8 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x296f8)
    #37 0x7f01d0475ce1 in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29ce1)
    #38 0x7f01c9c65723 in gtk_widget_event_internal /build/buildd/gtk+2.0-2.24.23/gtk/gtkwidget.c:5010
    #39 0x7f01c9b53fc3 in gtk_propagate_event /build/buildd/gtk+2.0-2.24.23/gtk/gtkmain.c:2509
    #40 0x7f01c9b5437a in gtk_main_do_event /build/buildd/gtk+2.0-2.24.23/gtk/gtkmain.c:1699
    #41 0x7f01dd350a9f in libgtk2ui::Gtk2EventLoop::DispatchGdkEvent(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:42:3
    #42 0x7f01c97cf1eb in gdk_event_dispatch /build/buildd/gtk+2.0-2.24.23/gdk/x11/gdkevents-x11.c:2403
    #43 0x7f01cff8ae03 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48e03)
    #44 0x7f01cff8b047  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49047)
    #45 0x7f01cff8b0eb in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x490eb)
    #46 0x7f01d42d154f in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:309:30
    #47 0x7f01d42314b8 in base::RunLoop::Run() base/run_loop.cc:55:3
    #48 0x7f01d3a80ae1 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1662:3
    #49 0x7f01db7c194e in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:805:21
    #50 0x7f01db24add5 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:200:5
    #51 0x7f01db24a148 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15
    #52 0x7f01d40ffe0f in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:768:12
    #53 0x7f01d40fd26a in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
    #54 0x7f01d33122f2 in ChromeMain chrome/app/chrome_main.cc:66:12
Comment 1 André Klapper 2018-06-30 14:28:42 UTC
Thanks for reporting this!

I can reproduce the crash in Chromium 67 on Fedora 28.

I cannot reproduce the crash in eog-3.28.2-1.fc28.x86_64 or Firefox 60 on Fedora 28 - they use the GTK File chooser but simply do not display a preview for that specific file. (Also wondering if there might be some gtk2 vs gtk3 stuff.)
Comment 2 Bastien Nocera 2019-02-27 17:32:25 UTC
When opening this file, I now get:
Insufficient memory to store a 935820 by 854554 image; try exiting some applications to reduce memory usage

I'm pretty sure it's something I fixed in commit c1a969045c056f0180b108a0abeff8b0febce960

I've added the test case to the repository in:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/merge_requests/36

Closing as obsolete. Thanks for the test case!
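The ASan trace in the description ends in gdk_pixbuf_new asking malloc for 0x022e971034a8 bytes. That figure is exactly 935820 x 854554 x 3: the IHDR dimensions Comment 2 reports, times three bytes per RGB pixel, so the loader trusted the header dimensions and went straight to the allocation. Under ASan the process aborts inside the allocator itself (frames #0 to #4); in the fixed library the same file is refused with the "Insufficient memory" message quoted above. The C program below is an added illustration, not gdk-pixbuf's or libpng's own code: it builds a PNG signature plus IHDR with those dimensions (a constructed header, since the attachment's bytes are not on this page, and the assumption that the PoC is 8-bit RGB is the example's own), parses the header, and computes the pixel-buffer size two ways: as an unchecked 32-bit product, which silently wraps to the low 32 bits of the ASan figure, and as a checked computation that rejects overflow and anything above a caller-supplied byte limit. Function names, the zeroed CRC placeholder and the 1 GiB limit are all the example's choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not gdk-pixbuf or libpng code: parse a PNG IHDR and size the
 * pixel buffer with and without overflow/limit checks. */

typedef struct {
    uint32_t width, height;
    uint8_t bit_depth, color_type;
} png_ihdr;

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
#define PNG_HEADER_LEN (8 + 4 + 4 + 13 + 4)   /* signature + IHDR chunk incl. CRC */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Construct the first 33 bytes of a PNG (signature + IHDR). The CRC is left as
 * zeros because this example only reads header fields; a real decoder verifies it. */
void build_png_header(uint8_t out[PNG_HEADER_LEN], uint32_t w, uint32_t h, uint8_t color_type) {
    memcpy(out, PNG_SIG, 8);
    put_be32(out + 8, 13);             /* IHDR data length */
    memcpy(out + 12, "IHDR", 4);
    put_be32(out + 16, w);
    put_be32(out + 20, h);
    out[24] = 8;                       /* bit depth */
    out[25] = color_type;              /* 0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA */
    out[26] = 0; out[27] = 0; out[28] = 0;  /* compression, filter, interlace */
    memset(out + 29, 0, 4);            /* CRC placeholder (not verified here) */
}

/* Parse signature + IHDR. Returns 0 on success, -1 if the bytes are not a PNG header. */
int parse_ihdr(const uint8_t *buf, size_t len, png_ihdr *out) {
    if (len < PNG_HEADER_LEN || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    out->width = be32(buf + 16);
    out->height = be32(buf + 20);
    out->bit_depth = buf[24];
    out->color_type = buf[25];
    if (out->width == 0 || out->height == 0) return -1;   /* PNG forbids zero dimensions */
    return 0;
}

/* Bytes per pixel once expanded to 8-bit RGB or RGBA, which is how gdk-pixbuf stores pixels. */
static int bytes_per_pixel(uint8_t color_type) {
    switch (color_type) {
    case 0: case 2: case 3: return 3;
    case 4: case 6: return 4;
    default: return -1;
    }
}

/* What a decoder multiplying in 32-bit arithmetic would request: the product
 * wraps modulo 2^32, so a huge image can look like a modest allocation.
 * Only meaningful for the valid colour types above. */
uint32_t unchecked_size32(const png_ihdr *h) {
    return h->width * (uint32_t)bytes_per_pixel(h->color_type) * h->height;
}

/* Hardened computation: check every multiply for overflow and refuse buffers
 * larger than max_bytes. Returns 0 and sets *out on success, -1 on rejection. */
int checked_pixel_buffer_size(const png_ihdr *h, size_t max_bytes, size_t *out) {
    int bpp = bytes_per_pixel(h->color_type);
    if (bpp < 0) return -1;
    if ((size_t)h->width > SIZE_MAX / (size_t)bpp) return -1;
    size_t rowstride = (size_t)h->width * (size_t)bpp;
    if (rowstride > SIZE_MAX / (size_t)h->height) return -1;
    size_t total = rowstride * (size_t)h->height;
    if (total > max_bytes) return -1;
    *out = total;
    return 0;
}

int main(void) {
    uint8_t hdr[PNG_HEADER_LEN];
    png_ihdr h;
    size_t n;
    /* Constructed input: the dimensions gdk-pixbuf reported for the PoC, assumed RGB. */
    build_png_header(hdr, 935820u, 854554u, 2);
    if (parse_ihdr(hdr, sizeof hdr, &h) != 0) return 1;
    printf("32-bit product wraps to 0x%08x\n", unchecked_size32(&h));
    if (checked_pixel_buffer_size(&h, (size_t)1 << 30, &n) != 0)
        printf("rejected: %u x %u exceeds the 1 GiB limit\n", h.width, h.height);
    return 0;
}
```

The limit is the part a file-picker preview path most needs: even with correct 64-bit arithmetic the request is legitimate in shape and only fails because no machine has 2.4 TB to give, so an overflow check alone would still hand the number to malloc. Checking against a budget before allocating is what turns this from an allocator abort into a clean "image too large" rejection.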