author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-06-06 23:08:27 +0200
committer | Emmanuele Bassi <ebassi@gmail.com> | 2020-06-26 10:28:32 +0000
commit | c22494b40fc80c49bc5480538f9a4bffe3a84b33 (patch)
tree | 97d582431719401785855fa293b72a02db0a9eb7
parent | 7ebedf37abfed653a5b6dcf4d9210270c3e99e46 (diff)
download | gdk-pixbuf-c22494b40fc80c49bc5480538f9a4bffe3a84b33.tar.gz
XPM: Fix undefined behaviour
Pixel data in XPM files consists of color characters.
XPM allows up to 31 characters per pixel (cpp). If the file defines
a width larger than G_MAXINT / cpp, the calculated memory required
to parse a single line (wbytes) leads to a signed integer overflow.
On common systems, a signed integer overflow works as expected on
a bit level. Properly crafted files can overflow the variable
wbytes in a way that it is positive again, which leads to a
"successful" parsing of the XPM file. The pixel values themselves are
not assigned by gdk-pixbuf code, therefore leaking raw memory
returned by malloc.
This might leak sensitive information through pixel values,
depending on the actual application.
Proof of Concept:
/* XPM */
static char * poc_xpm[] = {
"138547333 1 1 31",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx c None",
"---------------------------"};
-rw-r--r-- | gdk-pixbuf/io-xpm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c index 0756a43d8..9b0a9ab01 100644 --- a/gdk-pixbuf/io-xpm.c +++ b/gdk-pixbuf/io-xpm.c @@ -507,7 +507,7 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl _("Invalid XPM header")); return NULL; } - if (cpp <= 0 || cpp >= 32) { + if (cpp <= 0 || cpp >= 32 || w >= G_MAXINT / cpp) { g_set_error_literal (error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, |
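Review bot: the new `w >= G_MAXINT / cpp` guard is only safe because the `cpp <= 0` test before it short-circuits the `||` chain, so the division never runs with cpp == 0; that ordering is correct here but deserves a one-line comment so a later reordering of the conditions cannot reintroduce a divide-by-zero, e.g. `/* cpp > 0 holds here; reject widths whose w * cpp would overflow wbytes */`. Using `>=` rather than `>` rejects the boundary width w == G_MAXINT / cpp, which would still fit in a gint, but that is a harmless conservative choice. Folding the overflow case into the existing GDK_PIXBUF_ERROR_CORRUPT_IMAGE error path is reasonable; consider adding the poc_xpm header from the commit message as a loader regression test so the rejection is actually exercised.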