From c22494b40fc80c49bc5480538f9a4bffe3a84b33 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sat, 6 Jun 2020 23:08:27 +0200 Subject: XPM: Fix undefined behaviour Pixel data in XPM files consists of color characters. XPM allows up to 31 characters per pixel (cpp). If the file defines a width larger than G_MAXINT / cpp, the calculated memory required to parse a single line (wbytes) leads to a signed integer overflow. On common systems, a signed integer overflow works as expected on a bit level. Properly crafted files can overflow the variable wbytes in a way that it is positive again, which leads to a "successful" parsing of the XPM file. The pixel values itself are not assigned by gdk-pixbuf code, therefore leaking raw memory returned by malloc. This might leak sensitive information through pixel values, depending on the actual application. Proof of Concept: /* XPM */ static char * poc_xpm[] = { "138547333 1 1 31", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx c None", "---------------------------"}; --- gdk-pixbuf/io-xpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gdk-pixbuf') diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c index 0756a43d8..9b0a9ab01 100644 --- a/gdk-pixbuf/io-xpm.c +++ b/gdk-pixbuf/io-xpm.c @@ -507,7 +507,7 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl _("Invalid XPM header")); return NULL; } - if (cpp <= 0 || cpp >= 32) { + if (cpp <= 0 || cpp >= 32 || w >= G_MAXINT / cpp) { g_set_error_literal (error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, -- cgit v1.2.1
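Review bot: the new condition `w >= G_MAXINT / cpp` is correct only because `cpp <= 0` is evaluated first and short-circuits, so a zero or negative `cpp` never reaches the division; a one-line comment on the `if` stating that ordering dependency would keep a future reorder of the operands from turning this into a division by zero. Two smaller points on the same hunk: the bound is slightly conservative (it also rejects `w == G_MAXINT / cpp`, where `w * cpp` still fits in an int), which is fine but worth noting in the commit message, and the oversized-width case now shares whatever error text follows `GDK_PIXBUF_ERROR_CORRUPT_IMAGE` with the bad-`cpp` case, so a distinct message for a width that overflows the per-line byte count would make the rejection easier to diagnose. This check also assumes non-positive `w` was already rejected by the earlier "Invalid XPM header" path, which is not visible in this hunk.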
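As an added example, not gdk-pixbuf's own code: the header-size check the patch introduces, written as a stand-alone C function next to the value the unchecked multiplication actually wraps to for the proof-of-concept dimensions. The function names are hypothetical and `INT_MAX` stands in for `G_MAXINT`; the caller is assumed to have already rejected `w <= 0`, as the surrounding header check does.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the fixed check: true when w pixels of cpp chars each can be
 * sized in an int without overflow. The division is safe only because
 * cpp <= 0 is rejected first (short-circuit), exactly as in the patch. */
bool xpm_line_size_ok(int w, int cpp)
{
    if (cpp <= 0 || cpp >= 32)
        return false;
    if (w >= INT_MAX / cpp)
        return false;
    return true;
}

/* The product the unchecked code computes, done in 32-bit unsigned
 * arithmetic (defined behaviour) so the wrapped value can be observed
 * instead of triggering signed overflow. */
uint32_t wrapped_wbytes(uint32_t w, uint32_t cpp)
{
    return w * cpp;
}

int main(void)
{
    /* Constructed from the commit's proof-of-concept header "138547333 1 1 31" */
    int w = 138547333, cpp = 31;

    /* Wraps to a small positive count, which is why the unchecked parser
     * "succeeds" and hands back an undersized, uninitialised buffer. */
    printf("wrapped wbytes for PoC header: %u\n",
           wrapped_wbytes((uint32_t)w, (uint32_t)cpp));
    printf("PoC header accepted by fixed check: %s\n",
           xpm_line_size_ok(w, cpp) ? "yes" : "no");
    printf("sane 64x? header with cpp=31 accepted: %s\n",
           xpm_line_size_ok(64, 31) ? "yes" : "no");
    return 0;
}
```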