Bug#795277: libgdk-pixbuf2.0-0: Unhandled integer-overflow leads to segmentation fault
vigri_bugreport at arcor.de
Wed Aug 12 14:37:42 UTC 2015
I would like to report a bug where a large image can cause an overflow which is unhandled. This results in a segmentation fault.
The bug affects the gdk_pixbuf_add_alpha() function in gdk-pixbuf-util.c when using a grayscale image with a resolution of 27k x 27k pixels.
Both y and pixbuf->rowstride are int variables. Therefore the result of the multiplication is an int too.
A rowstride of 108000 and a y greater than approx. 18000 doesn't fit in this variable.
The patch could be to change those two lines from

    src = src_pixels + y * pixbuf->rowstride;
    dest = ret_pixels + y * new_pixbuf->rowstride;

to

    src = src_pixels + (unsigned long)y * pixbuf->rowstride;
    dest = ret_pixels + (unsigned long)y * new_pixbuf->rowstride;
Furthermore there should be a check added to ensure the multiplication doesn't exceed
Please see attached the backtrace.
This bug has been reported some days ago by me to Inkscape without knowing that this package here was the real problem:
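The arithmetic the report describes, as an added example that is not part of the bug report or of gdk-pixbuf: it shows when y * rowstride stops fitting in an int and a row-offset helper that does the multiplication in size_t and bounds-checks the result against the buffer length. The function names and the buffer length are assumptions; the rowstride of 108000 and the 27k x 27k dimensions come from the report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* True if y * rowstride is not representable as int, i.e. the original
 * expression `src_pixels + y * pixbuf->rowstride` would overflow (UB in C). */
bool row_offset_overflows_int(int y, int rowstride)
{
    if (y < 0 || rowstride <= 0)
        return true;
    return y > INT_MAX / rowstride;
}

/* Byte offset of row y in a pixel buffer of buf_len bytes. The product is
 * formed in size_t (the pointer-sized type; `unsigned long` is only 32 bits
 * on some platforms) and is rejected if it would wrap or point past the
 * end of the allocation. Returns false and leaves *offset untouched then. */
bool row_offset_checked(int y, int rowstride, size_t buf_len, size_t *offset)
{
    if (y < 0 || rowstride <= 0)
        return false;
    size_t row = (size_t)y, stride = (size_t)rowstride;
    if (row > SIZE_MAX / stride)      /* product would not fit in size_t */
        return false;
    size_t off = row * stride;
    if (off >= buf_len)               /* row starts outside the buffer */
        return false;
    *offset = off;
    return true;
}

int main(void)
{
    /* Constructed values matching the report: 27000 rows, rowstride 108000.
     * buf_len is the assumed size of the pixel allocation. */
    int rowstride = 108000, height = 27000;
    size_t buf_len = (size_t)height * (size_t)rowstride, off;
    for (int y = 0; y < height; y += 9000)
        printf("y=%5d  int overflow: %-3s  checked offset: %s\n", y,
               row_offset_overflows_int(y, rowstride) ? "yes" : "no",
               row_offset_checked(y, rowstride, buf_len, &off) ? "ok" : "rejected");
    return 0;
}
```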