Bug#832496: gdk-pixbuf: ico loader crashes when loading crafted file ico loader crashes when loading crafted file

[Salvatore Bonaccorso]

Source: gdk-pixbuf
Version: 2.31.1-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=769170

>From upstream bug report, and since there is no CVE assigned, for
better trackability:

> There's a crash when loading specially crafted ico files.
> 
> See http://seclists.org/oss-sec/2016/q3/61
> 
> I have reproduced this with 2.30.7, 2.31.1 and 2.35.2. It doesn't
> happen with 2.26.1. It's easily reproducible with tests/pixbuf-read.
> 
> Here's the backtrace for 2.35.2:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff54ea414 in OneLine32 (context=0x611f50) at io-ico.c:596
> 596                Pixels[X * 4 + 0] = context->LineBuf[X * 4 + 2];
> (gdb) bt
> #0  0x00007ffff54ea414 in gdk_pixbuf__ico_image_load_increment (context=0x611f50) at io-ico.c:596
> #1  0x00007ffff54ea414 in gdk_pixbuf__ico_image_load_increment (context=0x611f50) at io-ico.c:807
> #2  0x00007ffff54ea414 in gdk_pixbuf__ico_image_load_increment (data=0x611f50, buf=0x60fc52 "", size=0, error=0x7fffffffe438) at io-ico.c:898
> #3  0x00007ffff7bc4695 in gdk_pixbuf_loader_load_module (loader=loader at entry=0x60f400 [GdkPixbufLoader], image_type=image_type at entry=0x0, error=error at entry=0x7fffffffe438) at gdk-pixbuf-loader.c:443
> #4  0x00007ffff7bc4f20 in gdk_pixbuf_loader_close (loader=loader at entry=0x60f400 [GdkPixbufLoader], error=error at entry=0x7fffffffe488)
>     at gdk-pixbuf-loader.c:808
> #5  0x0000000000400ac6 in main (err=0x7fffffffe488, len=70, bytes=0x60cdf0 "") at pixbuf-read.c:35
> #6  0x0000000000400ac6 in main (argc=<optimized out>, argv=<optimized out>) at pixbuf-read.c:75

Regards,
Salvatore