Bug#795277: libgdk-pixbuf2.0-0: Unhandled integer-overflow leads to segmentation fault
Virgil Grigoras
vigri_bugreport at arcor.de
Wed Aug 12 14:37:42 UTC 2015
Package: libgdk-pixbuf2.0-0
Version: 2.31.1
Severity: important
Dear Maintainer,
I would like to report a bug where a large image can cause an overflow which is unhandled. This results in a segmentation fault.
The bug affects the gdk_pixbuf_add_alpha() function in gdk-pixbuf-util.c when using a grayscale image with a resolution of 27k x 27k pixels.
Both y and pixbuf->rowstride are int-vars. Therefore the result of the multiplication is an int-var too.
A rowstride of 108000 and a y greater than approx. 18000 don't fit in this var.
The patch could be to change those two lines from
src = src_pixels + y * pixbuf->rowstride;
dest = ret_pixels + y * new_pixbuf->rowstride;
to
src = src_pixels + (unsigned long)y * pixbuf->rowstride;
dest = ret_pixels + (unsigned long)y * new_pixbuf->rowstride;
Furthermore there should be a check added to ensure the multiplication doesn't exceed ULONG_MAX.
Please see the attached backtrace.
This bug was reported by me to Inkscape some days ago, without knowing that this package here was the real problem:
https://bugs.launchpad.net/inkscape/+bug/1483061
Best regards
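An added illustration of the arithmetic described in the report (this is example code written for this page, not the bug report's patch and not gdk-pixbuf's own source). It uses the constructed values from the report, a rowstride of 108000 bytes for a 27000-pixel-wide RGBA row, and shows two things: a check, done in 64-bit arithmetic so the check itself cannot overflow, of whether y * rowstride still fits in a signed int, and a row-offset computation in size_t that refuses negative operands and products beyond SIZE_MAX instead of silently wrapping. The function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values from the report: a 27000-pixel-wide row with 4 bytes
 * per pixel (RGBA) gives a rowstride of 27000 * 4 = 108000 bytes. */
#define EXAMPLE_WIDTH     27000
#define EXAMPLE_ROWSTRIDE (EXAMPLE_WIDTH * 4)

/* Returns 1 when y * rowstride fits in a signed int, 0 otherwise.
 * The product is formed in 64 bits, so the check never overflows itself
 * (plain int multiplication would be undefined behaviour on overflow). */
int row_offset_fits_int(int y, int rowstride)
{
    long long prod = (long long)y * (long long)rowstride;
    return prod >= 0 && prod <= INT_MAX;
}

/* Computes the byte offset of row y into a pixel buffer as a size_t.
 * Returns 1 and stores the offset on success; returns 0 when y or
 * rowstride is negative or when the product would exceed SIZE_MAX
 * (the extra check the report asks for). */
int checked_row_offset(int y, int rowstride, size_t *offset)
{
    if (y < 0 || rowstride < 0)
        return 0;
    size_t uy = (size_t)y;
    size_t us = (size_t)rowstride;
    if (us != 0 && uy > SIZE_MAX / us)
        return 0;                       /* uy * us would wrap */
    *offset = uy * us;
    return 1;
}

/* Convenience wrapper: the checked offset, or 0 when it is rejected.
 * (Row 0 legitimately has offset 0; callers that need to distinguish
 * the two cases use checked_row_offset() directly.) */
size_t row_offset_or_zero(int y, int rowstride)
{
    size_t off = 0;
    if (!checked_row_offset(y, rowstride, &off))
        return 0;
    return off;
}

int main(void)
{
    /* Walk the rows of the hypothetical 27000 x 27000 image and report the
     * first row whose int offset no longer fits; every row is still
     * representable once the multiplication is done in size_t. */
    for (int y = 0; y < EXAMPLE_WIDTH; y++) {
        if (!row_offset_fits_int(y, EXAMPLE_ROWSTRIDE)) {
            printf("int overflows at y=%d (rowstride %d)\n", y, EXAMPLE_ROWSTRIDE);
            printf("size_t offset for that row: %zu\n",
                   row_offset_or_zero(y, EXAMPLE_ROWSTRIDE));
            break;
        }
    }
    return 0;
}
```

With these values the int product stops fitting at y = 19885 (19885 * 108000 = 2147580000, just above INT_MAX), while the same offset is well within range for an unsigned long or size_t on 32- and 64-bit targets alike. Compilers that provide __builtin_mul_overflow() can replace the division-based check with that builtin.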
Name: inkscape_open3.txt
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20150812/89a9f9be/attachment.txt>