author    Tobias Stoeckmann <tobias@stoeckmann.org>  2020-06-06 23:08:27 +0200
committer Emmanuele Bassi <ebassi@gmail.com>  2020-06-26 10:28:32 +0000
commit    c22494b40fc80c49bc5480538f9a4bffe3a84b33 (patch)
tree      97d582431719401785855fa293b72a02db0a9eb7
parent    7ebedf37abfed653a5b6dcf4d9210270c3e99e46 (diff)
download  gdk-pixbuf-c22494b40fc80c49bc5480538f9a4bffe3a84b33.tar.gz
XPM: Fix undefined behaviour
Pixel data in XPM files consists of color characters. XPM allows up to 31 characters per pixel (cpp). If the file defines a width larger than G_MAXINT / cpp, the calculated memory required to parse a single line (wbytes) leads to a signed integer overflow.

On common systems, a signed integer overflow works as expected on a bit level. Properly crafted files can overflow the variable wbytes in a way that it is positive again, which leads to a "successful" parsing of the XPM file. The pixel values themselves are not assigned by gdk-pixbuf code, therefore leaking raw memory returned by malloc. This might leak sensitive information through pixel values, depending on the actual application.

Proof of Concept:

/* XPM */
static char * poc_xpm[] = {
"138547333 1 1 31",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx c None",
"---------------------------"};
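The following added example (not gdk-pixbuf code, and not part of the commit) shows the arithmetic behind the bug: the width and cpp from the proof of concept wrap a 32-bit multiply to a small positive value, and the patched guard rejects those dimensions. The `xpm_dims_ok` helper is hypothetical and also assumes a width must be positive, which this commit does not itself check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Value a two's-complement w * cpp would wrap to. The multiply is done in
 * unsigned arithmetic so that this demonstration itself is well-defined C;
 * the original code did the same multiply on signed ints, which is UB. */
int wrapped_wbytes(int w, int cpp)
{
    return (int)((unsigned int)w * (unsigned int)cpp);
}

/* Hardened dimension check mirroring the patched condition
 * (cpp in 1..31 and w * cpp kept below INT_MAX). The w <= 0 test is an
 * added assumption: a negative width would otherwise pass the division test. */
bool xpm_dims_ok(int w, int cpp)
{
    if (cpp <= 0 || cpp >= 32)   /* evaluated first, so INT_MAX / cpp is safe */
        return false;
    if (w <= 0)
        return false;
    return w < INT_MAX / cpp;
}

int main(void)
{
    /* Constructed input taken from the proof-of-concept header line. */
    int w = 138547333, cpp = 31;

    /* 138547333 * 31 = 4294967323, which wraps to 27 in 32 bits: exactly
     * the length of the pixel row in the proof of concept. */
    printf("wrapped wbytes = %d\n", wrapped_wbytes(w, cpp));
    printf("dimensions accepted = %s\n", xpm_dims_ok(w, cpp) ? "yes" : "no");
    return 0;
}
```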
-rw-r--r--  gdk-pixbuf/io-xpm.c  2
1 file changed, 1 insertion, 1 deletion
diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c
index 0756a43d8..9b0a9ab01 100644
--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -507,7 +507,7 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
_("Invalid XPM header"));
return NULL;
}
- if (cpp <= 0 || cpp >= 32) {
+ if (cpp <= 0 || cpp >= 32 || w >= G_MAXINT / cpp) {
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
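Review bot: the new `w >= G_MAXINT / cpp` term is only reached after `cpp <= 0 || cpp >= 32` has failed, so short-circuit evaluation rules out a division by zero, but nothing in this hunk shows that `w` has been checked to be positive: a negative width satisfies `w < G_MAXINT / cpp` and passes. Confirm the header parsing above rejects `w <= 0` (and `h <= 0`) before this point, or fold `w <= 0` into this condition. Using `>=` rather than `>` is deliberately conservative and fine. Consider also adjusting the message passed to `g_set_error_literal` (its string lies outside the hunk) so that an oversized width is reported distinctly from a bad cpp.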