Bug#795277: libgdk-pixbuf2.0-0: Unhandled integer-overflow leads to segmentation fault

Virgil Grigoras vigri_bugreport at arcor.de
Wed Aug 12 14:37:42 UTC 2015

Package: libgdk-pixbuf2.0-0
Version: 2.31.1
Severity: important

Dear Maintainer,

I would like to report a bug where a large image can cause an unhandled overflow, which results in a segmentation fault.

The bug affects the gdk_pixbuf_add_alpha() function in gdk-pixbuf-util.c
when using a grayscale image with a resolution of 27k x 27k pixels.

Both y and pixbuf->rowstride are int variables, so the result of the multiplication is an int too.
A rowstride of 108000 with y greater than approx. 18000 does not fit in this variable.

The patch could be to change these two lines from

    src = src_pixels + y * pixbuf->rowstride;
    dest = ret_pixels + y * new_pixbuf->rowstride;

to

    src = src_pixels + (unsigned long)y * pixbuf->rowstride;
    dest = ret_pixels + (unsigned long)y * new_pixbuf->rowstride;

Furthermore, there should be a check added to ensure the multiplication doesn't exceed

Please see the attached backtrace.

This bug was reported by me to Inkscape some days ago, without knowing that this package here was the real problem:

Best regards
Name: inkscape_open3.txt
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20150812/89a9f9be/attachment.txt>
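The overflow the report describes, as an added example that is not gdk-pixbuf's own code: it computes the row offset the way the unpatched lines do (int times int), shows at which row a 108000-byte rowstride stops fitting in an int, and puts the proposed widening cast next to the missing range check. The function names, the DEMO_* geometry (27000 x 27000, rowstride 108000, taken from the report) and the assumption of a 32-bit int with two's-complement wraparound are mine; signed overflow is undefined behaviour in C, so the wraparound is emulated rather than executed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Geometry from the bug report (assumed, not taken from gdk-pixbuf source):
 * a 27000x27000 image stored with a rowstride of 108000 bytes. */
#define DEMO_WIDTH   27000
#define DEMO_HEIGHT  27000
#define DEMO_STRIDE  108000

/* The row offset as the unpatched code computes it: y and rowstride are both
 * int, so the product is evaluated in int.  Signed overflow is undefined
 * behaviour, so this emulates the two's-complement wraparound the compiled
 * code produces in practice (assumption: 32-bit int) instead of executing it. */
long row_offset_as_int(int y, int rowstride)
{
    int64_t wide = (int64_t)y * (int64_t)rowstride;
    return (long)(int32_t)(uint32_t)wide;      /* truncate to 32 bits, reinterpret */
}

/* True if y * rowstride still fits in an int, i.e. the unpatched pointer
 * arithmetic is safe for this row. */
bool row_offset_fits_int(int y, int rowstride)
{
    if (y < 0 || rowstride <= 0)
        return false;
    return y <= INT_MAX / rowstride;
}

/* First row index whose offset no longer fits in an int, or -1 if every row
 * of the image is safe. */
int first_overflowing_row(int height, int rowstride)
{
    for (int y = 0; y < height; y++)
        if (!row_offset_fits_int(y, rowstride))
            return y;
    return -1;
}

/* Byte length of a height x rowstride buffer, or 0 if it cannot be represented. */
size_t buffer_len(int height, int rowstride)
{
    if (height <= 0 || rowstride <= 0 || (size_t)height > SIZE_MAX / (size_t)rowstride)
        return 0;
    return (size_t)height * (size_t)rowstride;
}

/* Hardened computation: widen before multiplying (the cast the report
 * proposes) and additionally reject a product that would wrap in size_t or
 * that starts a row outside a pixel buffer of buf_len bytes.  Returns false
 * instead of ever handing back an out-of-range offset. */
bool row_offset_checked(int y, int rowstride, size_t buf_len, size_t *out)
{
    if (y < 0 || rowstride <= 0)
        return false;
    size_t uy = (size_t)y, stride = (size_t)rowstride;
    if (uy > SIZE_MAX / stride)                      /* y * stride would wrap */
        return false;
    size_t off = uy * stride;
    if (buf_len < stride || off > buf_len - stride)  /* row lies outside buffer */
        return false;
    *out = off;
    return true;
}

int main(void)
{
    int bad = first_overflowing_row(DEMO_HEIGHT, DEMO_STRIDE);
    printf("unpatched: row %d is the first whose offset overflows int (wraps to %ld)\n",
           bad, row_offset_as_int(bad, DEMO_STRIDE));

    size_t len = buffer_len(DEMO_HEIGHT, DEMO_STRIDE), off;
    if (row_offset_checked(bad, DEMO_STRIDE, len, &off))
        printf("checked:   row %d starts at byte %zu of a %zu-byte buffer\n", bad, off, len);
    if (!row_offset_checked(DEMO_HEIGHT, DEMO_STRIDE, len, &off))
        printf("checked:   row %d rejected, it lies past the end of the buffer\n", DEMO_HEIGHT);
    return 0;
}
```

With the reported stride the first unsafe row is 19885 (INT_MAX / 108000 rounds down to 19884), which is why the crash appears only for very tall images. Casting y to an unsigned type widens the multiplication but does not by itself bound the result, which is what the range check in row_offset_checked adds; a negative y, for instance, would otherwise become a huge unsigned offset.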
